Apache fails to start; error_log reports SSL Library Error: -8181 Certificate has expired

Source: Internet  Editor: 程序博客网  Time: 2024/06/06 12:37

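An Apache server that had been running normally could not be restarted today. httpd.conf and the other settings had not been modified; according to the log, the server could not start because its SSL certificate had expired. The fix is described below.

The error_log contained the following messages (meaning the certificate has expired):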

[Thu Feb 07 05:17:42 2013] [error] Certificate not verified: 'Server-Cert'
[Thu Feb 07 05:17:42 2013] [error] SSL Library Error: -8181 Certificate has expired
[Thu Feb 07 05:17:42 2013] [error] Unable to verify certificate 'Server-Cert'. Add "NSSEnforceValidCerts off" to nss.conf so the server can start until the problem can be resolved.

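I. Solution

As the messages above suggest, certificate checking can be disabled first, and the setting removed again once the certificate has been renewed. To do this:

Add the line NSSEnforceValidCerts off to /etc/httpd/conf.d/nss.conf


However, since the certificate has expired, what actually needs to be done is to renew it, as follows:

1. First check whether the certificate has expired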

# certutil -d /etc/httpd/alias -L -n Server-Cert
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 3 (0x3)
        Signature Algorithm: PKCS #1 MD5 With RSA Encryption
        Issuer: "CN=Certificate Shack,O=example.com,C=US"
        Validity:
            Not Before: Mon Dec 01 10:43:20 2008
            Not After : Sat Dec 01 10:43:20 2012

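2. Remove the old certificate and generate a new one (rm -f *.db deletes the existing NSS databases in this directory, keys included)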

# cd /etc/httpd/alias
# rm -f *.db
# /usr/sbin/gencert /etc/httpd/alias > /etc/httpd/alias/install.log 2>&1
# certutil -d /etc/httpd/alias -L -n Server-Cert
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 3 (0x3)
        Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
        Issuer: "CN=Certificate Shack,O=example.com,C=US"
        Validity:
            Not Before: Thu Feb 07 07:02:53 2013
            Not After : Tue Feb 07 07:02:53 2017

3. Finally, set the ownership and permissions of the new certificate databases

chown root:apache /etc/httpd/alias/*.db
chmod 0640 /etc/httpd/alias/*.db
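
The two checks this procedure depends on (has Server-Cert expired, and is the temporary NSSEnforceValidCerts off override still in nss.conf) can be scripted so they run before a restart or from cron. This is an added example, not part of the original post; the function names are hypothetical, the sample data is constructed from the output shown above, and it assumes the times certutil prints are UTC.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): pre-restart checks for mod_nss.

# Read `certutil -L -n <nick>` output on stdin and print the "Not After" time
# as a sortable YYYYMMDDHHMMSS key (empty output if no such line is found).
not_after_key() {
  awk '/Not After/ {
    n = split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
    for (i = 1; i <= n; i++) mon[m[i]] = i
    sub(/.*Not After *: */, "")          # keep "Sat Dec 01 10:43:20 2012"
    split($0, f, " "); gsub(":", "", f[4])
    printf "%04d%02d%02d%s\n", f[5], mon[f[2]], f[3], f[4]
    exit
  }'
}

# Print expired / valid / unknown for certutil output on stdin.
# $1 = comparison time as YYYYMMDDHHMMSS (default: now, UTC; assumption: the
# times certutil prints are UTC).
cert_status() {
  cs_now="${1:-$(date -u +%Y%m%d%H%M%S)}"
  cs_key="$(not_after_key)"
  if [ -z "$cs_key" ]; then echo "unknown"
  elif [ "$cs_key" -lt "$cs_now" ]; then echo "expired"
  else echo "valid"; fi
}

# Print yes/no: is the temporary override still active in the nss.conf on stdin?
# Commented-out lines do not count.
override_active() {
  if grep -Eiq '^[[:space:]]*NSSEnforceValidCerts[[:space:]]+off'; then
    echo "yes"; else echo "no"; fi
}

# Constructed samples: validity lines as shown in the post, plus a two-line conf.
SAMPLE_OLD='            Not Before: Mon Dec 01 10:43:20 2008
            Not After : Sat Dec 01 10:43:20 2012'
SAMPLE_NEW='            Not Before: Thu Feb 07 07:02:53 2013
            Not After : Tue Feb 07 07:02:53 2017'
SAMPLE_CONF='# temporary workaround
NSSEnforceValidCerts off'

# Old cert at the time of the error_log entries; new cert one day later.
printf 'old cert: %s\n' "$(printf '%s\n' "$SAMPLE_OLD" | cert_status 20130207051742)"
printf 'new cert: %s\n' "$(printf '%s\n' "$SAMPLE_NEW" | cert_status 20130208000000)"
printf 'override: %s\n' "$(printf '%s\n' "$SAMPLE_CONF" | override_active)"
# Live use: certutil -d /etc/httpd/alias -L -n Server-Cert | cert_status
#           override_active < /etc/httpd/conf.d/nss.conf
```

A result of "valid" together with override "yes" means the certificate has been renewed but the workaround line has not yet been removed from nss.conf.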


