Category Archives: Web

PHP with Apache tips

1. If you sometimes find that no data comes back from the server and you see a log entry like the one below:

[Thu Jul 18 18:08:30 2013] [notice] child pid 24544 exit signal Segmentation fault (11)

That means your Apache and PHP do not work well together; you need to try another installation.

2. If you cannot start Apache with PHP and get an error like this:

httpd: Syntax error on line 53 of /usr/local/apache2/conf/httpd.conf: Cannot load /usr/local/apache2/modules/libphp5.so into server: ld.so.1: httpd: fatal: relocation error: file /usr/local/apache2/modules/libphp5.so: symbol sapi_module: referenced symbol not found

You may be able to fix it by installing a lower version of PHP and Apache.


Apache/Tomcat tips

1. Apache httpd: multiple name-based virtual hosts on a single IP address
# Listen for virtual host requests on all IP addresses
NameVirtualHost *:443

<VirtualHost *:443>
DocumentRoot /www/example1
ServerName www.example.com

# Other directives here

</VirtualHost>

<VirtualHost *:443>
DocumentRoot /www/example2
ServerName www.example.org

# Other directives here

</VirtualHost>

Make sure the NameVirtualHost *:443 line (shown in red in the original post) is present. Without it the second VirtualHost definition does not take effect and Apache logs this warning:

[Fri Jun 21 15:20:54 2013] [warn] _default_ VirtualHost overlap on port 443, the first has precedence
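A pre-deployment check for the overlap warning above, added here and not part of the original post: it scans an httpd.conf-style file (path assumed) and reports when several `<VirtualHost *:443>` blocks exist without a `NameVirtualHost *:443` line, or when a block has no ServerName.

```shell
#!/bin/sh
# vhost_check CONF [ADDR:PORT]  (default *:443) -> exit 0 when consistent.
# Finds the two mistakes that produce "_default_ VirtualHost overlap":
#   - more than one <VirtualHost ADDR:PORT> block but no NameVirtualHost line
#   - a block without ServerName, so Apache cannot select it by name
vhost_check() {
    awk -v spec="${2:-*:443}" '
    # normalise: collapse whitespace, trim, lowercase (directives are case-insensitive)
    function norm(s) {
        gsub(/[ \t]+/, " ", s); sub(/^ /, "", s); sub(/ $/, "", s)
        return tolower(s)
    }
    BEGIN { spec = tolower(spec); bad = 0; blocks = 0; nvh = 0; inblk = 0 }
    {
        line = norm($0)
        if (line ~ /^#/) next                       # comment line
        if (line == "namevirtualhost " spec) nvh = 1
        if (line == "<virtualhost " spec ">") { blocks++; inblk = 1; named = 0 }
        else if (inblk && line ~ /^servername /) named = 1
        else if (inblk && line == "</virtualhost>") {
            inblk = 0
            if (!named) { print "block " blocks " on " spec " has no ServerName"; bad = 1 }
        }
    }
    END {
        if (blocks > 1 && !nvh) {
            print blocks " <VirtualHost " spec "> blocks but no NameVirtualHost " spec ": only the first is served"
            bad = 1
        }
        exit bad
    }' "$1"
}
```

On a running server, `httpd -S` prints the parsed virtual host table and shows the same overlap. Name-based hosts on port 443 additionally require SNI support (Apache 2.2.12 or later built against an SNI-capable OpenSSL); without it every name still receives the first host's certificate.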

2. If you define ProxyPass /, you will find it overrides every other definition under / unless you put it inside a VirtualHost section.
3. Setting the LogLevel directive to debug helps when troubleshooting.

Tips on applying for an SSL certificate

1. Generate the CSR

felix@jira [~/ssl] $ keytool -genkey -alias tomcat -keyalg RSA -keystore xyz.keystore
Enter keystore password: xxxxxx
What is your first and last name?
[Unknown]: www.xyz.com
What is the name of your organizational unit?
[Unknown]: Networks
What is the name of your organization?
[Unknown]: Xyz aps
What is the name of your City or Locality?
[Unknown]: New York
What is the name of your State or Province?
[Unknown]: German
What is the two-letter country code for this unit?
[Unknown]:UK
Is CN=www.xyz.com, OU=Networks, O=Xyz aps, L=New York, ST=German, C=UK correct?
[no]: yes

Enter key password for
(RETURN if same as keystore password): xxxxxx

felix@jira [~/ssl] $ keytool -certreq -alias tomcat -file xyz.csr -keystore xyz.keystore
Enter keystore password: xxxxxx
felix@jira [~/ssl] $ ls
xyz.csr xyz.keystore mms.csr request.csr sms.csr sp.keystore tamms.keystore tasms.keystore
felix@jira [~/ssl] $ more xyz.csr
-----BEGIN NEW CERTIFICATE REQUEST-----
MIIBvTCCASYCAQAwfTELMAkGA1UEBhMCREsxEDAOBgNVBAgTB0Rlbm1hcmsxETAPBgNVBAcTCEJp
cmtlcm9kMREwDwYDVQQKEwhNYWNoIGFwczEcMBoGA1UECwwTU2VjdXJpdHkgJiBOZXR3b3JrczEY

tw1PNsTrUrGrdwIDAQABoAAwDQYJKoZIhvcNAQEEBQADgYEAiAELgjNFZb4mu8ekFi9vYtiX2Rh+
a9xgqwqK8lxVtVVSOfeo29nnyUeteBn4vp9fuZr+JiH9awh2SUDVXIrosdGEeSfF+BJfSrmKJJIe
d1ro4glwnNt9x+ffDojRvfvRJCY8yMyUN+zvB30QYtga8YMg4KitlTr+D0b9FQe8lrs=
-----END NEW CERTIFICATE REQUEST-----
felix@jira [~/ssl] $ keytool -list -v -keystore xyz.keystore
Enter keystore password: xxxxxx

Keystore type: jks
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: tomcat
Creation date: Oct 12, 2009
Entry type: keyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=www.xyz.com, OU= Networks, O=Xyz aps, L=Birkerod, ST=Denmark, C=DK
Issuer: CN=www.xyz.com, OU= Networks, O=Xyz aps, L=Birkerod, ST=Denmark, C=DK
Serial number: 4ad2f589
Valid from: Mon Oct 12 17:23:21 CST 2009 until: Sun Jan 10 17:23:21 CST 2010
Certificate fingerprints:
MD5: EA:AF:BB:B8:…:C5:E4:B5:BF:C3:74
SHA1: EE:A6:CD:F6:….:A3:54:05:4A:BA:BA:7C:64:FD:E3

*******************************************
*******************************************

Note: when sending this CSR to the customer, tell them at the same time that the server is Tomcat and that the certificate is needed in Java keystore format.

2. Import the certificate that comes back (the normal case)

felix@jira [~/ssl] $ keytool -import -trustcacerts -file sms.cert -keystore tasms.keystore -storepass xxxxxx -alias tomcat
Certificate reply was installed in keystore
felix@jira [~/ssl] $ keytool -list -v -keystore tasms.keystore -storepass xxxxxx

Keystore type: jks
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: tomcat
Creation date: Oct 15, 2009
Entry type: keyEntry
Certificate chain length: 2
Certificate[1]:
…Serial number: 1
Valid from: Thu Aug 01 08:00:00 CST 1996 until: Fri Jan 01 07:59:59 CST 2021
Certificate fingerprints:
MD5: 06:9F:69:…:8C:8C:A2:C3:07:6F:3A
SHA1: 62:7F:…0:44:C9:FE:B3:F3:3E:FA:9A

*******************************************
*******************************************

3. Import an X.509-format certificate that was generated for Apache

Although we generated the CSR with keytool, sometimes the customer says they cannot produce the certificate in the Java keystore format Tomcat needs. It can still be imported, but the steps are a little different.

3.1 Export the private key from the keystore
Reference: http://conshell.net/wiki/index.php/Keytool_to_OpenSSL_Conversion_tips
Download KeyTool-IUI from http://yellowcat1.free.fr/index_ktl.html and use this Java GUI tool to export the private key in the keystore as PEM.

3.2 Combine the PEM private key and the X.509 certificate into a PKCS#12 keystore
felix@jira [~/ssl/xyz] $ openssl pkcs12 -export -out xyz.p12 -inkey m.pem -in xyz.cert
Enter Export Password:
Verifying - Enter Export Password:

felix@jira [~/ssl/xyz] $ keytool -list -v -keystore xyz.p12 -storetype pkcs12
Enter keystore password: xxxxxx

Keystore type: pkcs12
Keystore provider: SunJSSE

Your keystore contains 1 entry

Alias name: 2
Creation date: Oct 15, 2009
Entry type: keyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=www.xyz.com, OU= Networks, O=Xyz aps, L=New York, ST=German, C=UK
Issuer: OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign, OU=VeriSign …1:82:D1:01:FC:DC:DC
SHA1: 92:7A:15:99:69:62:A7:DC:67:ED:6F:A0:40:3A:AF:E9:2B:08:36:4A

*******************************************
*******************************************

3.3 Configure it in Tomcat's configuration file
clientAuth="false" sslProtocol="TLS" keystoreFile="/usr/local/tomcat/ssl/xyz.p12" keystorePass="xxxxxx" keystoreType="pkcs12" />

Converting a Tomcat (keystore) SSL certificate to Apache format

First, the original reference:

http://www.zimbra.com/forums/administrators/9832-exporting-private-key-keystore-use-postfix-apache.html

Requirement: we applied for a website certificate in Tomcat format and now need to convert it to Apache format. Tomcat uses the keystore format generated with keytool; Apache uses a private key + crt.

1. First download ExportPrivateKey.zip from http://www.anandsekar.com/wp-content/uploads/2006/01/ExportPrivateKey.zip (a downloaded copy is also in the team directory)
2. Use the downloaded file to export the private key:
java -jar ExportPrivateKey.zip {keystore_path} JKS {keystore_password} {alias} exported-pkcs8.key
3. Use openssl to convert the PKCS #8 format into the format Apache needs:
openssl pkcs8 -inform PEM -nocrypt -in exported-pkcs8.key -out exported.key
4. With this exported.key and the certificate that was returned, Apache can use them.
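The PEM key + X.509 certificate to PKCS#12 conversion of step 3.2 above, and the reverse direction needed for Apache in the ExportPrivateKey procedure, as an added shell example (not the post's own commands): it uses openssl only and first checks that the key really belongs to the certificate, which is also the first thing to verify when Apache or Tomcat rejects a converted pair. File names, the alias "tomcat" and the P12_PASS variable are assumptions.

```shell
#!/bin/sh
# Added example: key/certificate conversions with openssl only.
# The export password comes from the P12_PASS environment variable so it
# does not end up in shell history or in "ps" output (assumption, not a
# convention of the original post).

# key_matches_cert KEY.pem CERT.pem -> 0 when both carry the same public key
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# bundle_p12 KEY.pem CERT.pem OUT.p12 -> the PKCS#12 keystore Tomcat reads
# with keystoreType="pkcs12" (alias "tomcat", as used throughout the post).
# Refuses with a clear message when the key does not match the certificate.
bundle_p12() {
    key_matches_cert "$1" "$2" || { echo "key and certificate do not match" >&2; return 1; }
    openssl pkcs12 -export -inkey "$1" -in "$2" -name tomcat -out "$3" \
        -passout "pass:${P12_PASS:?set P12_PASS}"
}

# unbundle_p12 IN.p12 KEY.pem CERT.pem -> the key + crt pair Apache needs
# (SSLCertificateKeyFile / SSLCertificateFile). The key is written
# unencrypted, so the subshell sets umask 077 to create it with mode 0600.
unbundle_p12() (
    umask 077
    openssl pkcs12 -in "$1" -nocerts -nodes -passin "pass:${P12_PASS:?set P12_PASS}" \
        | openssl pkey -out "$2" || exit 1
    openssl pkcs12 -in "$1" -clcerts -nokeys -passin "pass:${P12_PASS:?set P12_PASS}" \
        | openssl x509 -out "$3"
)
```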

URL rewriting in Apache 2.2.x

1. mod_rewrite is a built-in feature of Apache 2.2.x; there is no need for a LoadModule directive to load it.

2. The default for AllowOverride is ‘All’, and .htaccess needs ‘All’.

3. An example of a .htaccess in the html directory:

Good one:

RewriteEngine On
RewriteBase /
RewriteRule ^test.html$ index.html
RewriteRule ^(.*).html$ cms.php?catname=$1

Bad one:

RewriteEngine On
RewriteRule ^/(.*).html$ /cms.php?catname=$1

I don’t know the reason.