If you only need to fix a problem, skip straight to this section below:
Fixing errors that occur while configuring SSL for the dashboard
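1. Create the CA and controller certificates (run on the controller node)
1.1 Create the self-signed CA certificate
① Create a directory under /home/cslabs/Documents (any location will do)
② Copy the openssl configuration file openssl.cnf to /home/cslabs/Documents/ssl
③ Edit the [ CA_default ] section of openssl.cnf and set the following
# vim openssl.cnf
④ In ssl, create the subdirectories certs, crl and newcerts and the files index.txt and serial; index.txt is an empty file, and serial holds an arbitrary number such as 1024
⑤ Create the self-signed certificate for the CA
1.2 Create a certificate for controller
① Generate the public/private key pair
② Create the Certificate Signing Request (CSR)
Note: choose a Common Name that matches the domain name; in this article it is controller
③ Have the CA create the certificate for controller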
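2. Horizon HTTPS configuration
2.1 HTTPS server and certificate settings
① Edit the /etc/openstack-dashboard/local_settings configuration file and add the following
② Edit openstack-dashboard.conf and add the ssl section
# vim /etc/httpd/conf.d/openstack-dashboard.conf
# The full contents of openstack-dashboard.conf are as follows: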
<VirtualHost *:80>
ServerName controller-zjb
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
</IfModule>
<IfModule !mod_rewrite.c>
RedirectPermanent / https://controller-zjb/
</IfModule>
</VirtualHost>
<VirtualHost *:443>
ServerName controller-zjb
SSLEngine On
# Remember to replace certificates and keys with valid paths in your environment
SSLCertificateFile /home/cslabs/Documents/ssl/controller-zjb.crt
SSLCertificateKeyFile /home/cslabs/Documents/ssl/controller-zjb.key
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
# HTTP Strict Transport Security (HSTS) enforces that all communications
# with a server go over SSL. This mitigates the threat from attacks such
# as SSL-Strip which replaces links on the wire, stripping away https prefixes
# and potentially allowing an attacker to view confidential information on the
# wire
#Header add Strict-Transport-Security "max-age=15768000"
<Directory /usr/share/openstack-dashboard/openstack_dashboard/wsgi>
Options All
AllowOverride All
Require all granted
</Directory>
<Directory /usr/share/openstack-dashboard/static>
Options All
AllowOverride All
Require all granted
</Directory>
## Logging
ErrorLog "/var/log/httpd/horizon_error.log"
ServerSignature Off
CustomLog "/var/log/httpd/horizon_access.log" combined
## RedirectMatch rules
RedirectMatch permanent ^/$ /dashboard
WSGIDaemonProcess dashboard user=apache group=apache
WSGIProcessGroup dashboard
WSGIScriptAlias /dashboard "/usr/share/openstack-dashboard/openstack_dashboard/wsgi/django.wsgi"
Alias /dashboard/static /usr/share/openstack-dashboard/static
</VirtualHost>
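Fixing errors that occur while configuring SSL for the dashboard:
1.
syntax error on line xx of /etc/httpd/conf.d/openstack-dashboard.conf
In this case, the quickest fix is to copy the configuration file shown above and paste it over your own file (remember to change the certificate file paths and the domain name)
2. Run journalctl -xe to see why the service fails to start
Invalid command 'SSLEngine', perhaps misspelled or defined by a module not included in the server configuration
Fix:
# yum -y install mod_ssl
3.
# Error: AH00543:httpd:bad user name horizon
Fix:
Find the User and Group names in httpd.conf and fill them in
4.
If you are certain that the pass phrase for the certificate's private key is correct and httpd still cannot be restarted with it, the pass phrase may not match the certificate's private key.
Fix:
Change the configuration of httpd's ssl module to use the certificate files you prepared:
# vim /etc/httpd/conf.d/ssl.conf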
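A pre-restart check for the certificate setup and for item 4 above, as an added example that is not part of the original post: it reads ServerName, SSLCertificateFile and SSLCertificateKeyFile from the vhost file and confirms that the key opens with the given pass phrase, matches the certificate, carries the expected Common Name and verifies against the CA. The function names, return codes, script name and the CA certificate argument are assumptions of this example.

```shell
#!/bin/sh
# Added example: checks to run before restarting httpd. Function names and
# return codes are this example's own, not part of Apache or OpenStack.

# Print the first value of an Apache directive found in a config file.
conf_value() {  # conf_value DIRECTIVE FILE
    awk -v d="$1" '$1 == d { print $2; exit }' "$2"
}

# 0 = key matches certificate, 1 = mismatch, 2 = certificate unreadable,
# 3 = key unreadable (wrong pass phrase or damaged file). -passin keeps
# openssl from prompting when the key is encrypted.
check_pair() {  # check_pair CERT KEY [PASSPHRASE]
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout -passin "pass:${3:-}" 2>/dev/null) || return 3
    [ "$cert_pub" = "$key_pub" ] || return 1
}

# 0 when the certificate's Common Name equals the expected host name.
check_cn() {  # check_cn CERT HOSTNAME
    cn=$(openssl x509 -in "$1" -noout -subject -nameopt multiline 2>/dev/null |
         sed -n 's/^ *commonName *= *//p')
    [ "$cn" = "$2" ]
}

# Run every check against a vhost file such as openstack-dashboard.conf.
preflight() {  # preflight CONF CA_CERT [PASSPHRASE]
    crt=$(conf_value SSLCertificateFile "$1")
    key=$(conf_value SSLCertificateKeyFile "$1")
    name=$(conf_value ServerName "$1")
    check_pair "$crt" "$key" "${3:-}" ||
        { echo "certificate/key check failed with code $?"; return 1; }
    check_cn "$crt" "$name" ||
        { echo "Common Name differs from ServerName $name"; return 1; }
    openssl verify -CAfile "$2" "$crt" 2>/dev/null | grep -q ': OK$' ||
        { echo "$crt does not verify against $2"; return 1; }
    echo "ok: $crt and $key are consistent for $name"
}

# Example call (the script name preflight.sh is arbitrary):
#   sh preflight.sh /etc/httpd/conf.d/openstack-dashboard.conf ca.crt
if [ "$#" -ge 2 ]; then preflight "$@"; fi
```

A return code of 3 from check_pair points at the pass phrase or the key file itself, while 1 means the key opens but belongs to a different certificate, which is the situation item 4 describes.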