An error is reported after the ssl certificate is installed, indicating that there is no common algorithm for both parties.

1. Follow the article http://www.williamlong.info/a., and the result shows an error: replacement of a new ssl certificate still shows an error.

the following is the httpd-ssl.conf code, file path / opt/lampp/etc/extra/httpd-ssl.conf 

This is the Apache server configuration file providing SSL support.
-sharp It contains the configuration directives to instruct the server how to
-sharp serve pages over an https connection. For detailed information about these 
-sharp directives see <URL:http://httpd.apache.org/docs/trunk/mod/mod_ssl.html>
-sharp 
-sharp Do NOT simply read the instructions in here without understanding
-sharp what they do.  They"re here only as hints or reminders.  If you are unsure
-sharp consult the online docs. You have been warned.  
-sharp
-sharp Required modules: mod_log_config, mod_setenvif, mod_ssl,
-sharp          socache_shmcb_module (for default value of SSLSessionCache)

-sharp
-sharp Pseudo Random Number Generator (PRNG):
-sharp Configure one or more sources to seed the PRNG of the SSL library.
-sharp The seed data should be of good random quality.
-sharp WARNING! On some platforms /dev/random blocks if not enough entropy
-sharp is available. This means you then cannot use the /dev/random device
-sharp because it would lead to very long connection times (as long as
-sharp it requires to make more entropy available). But usually those
-sharp platforms additionally provide a /dev/urandom device which doesn"t
-sharp block. So, if available, use this one instead. Read the mod_ssl User
-sharp Manual for more details.
-sharp
-sharpSSLRandomSeed startup file:/dev/random  512
-sharpSSLRandomSeed startup file:/dev/urandom 512
-sharpSSLRandomSeed connect file:/dev/random  512
-sharpSSLRandomSeed connect file:/dev/urandom 512


-sharp
-sharp When we also provide SSL we have to listen to the 
-sharp standard HTTP port (see above) and to the HTTPS port
-sharp
-sharp Note: Configurations that use IPv6 but not IPv4-mapped addresses need two
-sharp       Listen directives: "Listen [::]:443" and "Listen 0.0.0.0:443"
-sharp
Listen 443

-sharp-sharp
-sharp-sharp  SSL Global Context
-sharp-sharp
-sharp-sharp  All SSL configuration in this context applies both to
-sharp-sharp  the main server and all SSL-enabled virtual hosts.
-sharp-sharp

-sharp   SSL Cipher Suite:
-sharp   List the ciphers that the client is permitted to negotiate.
-sharp   See the mod_ssl documentation for a complete list.
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5

-sharp   Speed-optimized SSL Cipher configuration:
-sharp   If speed is your main concern (on busy HTTPS servers e.g.),
-sharp   you might want to force clients to specific, performance
-sharp   optimized ciphers. In this case, prepend those ciphers
-sharp   to the SSLCipherSuite list, and enable SSLHonorCipherOrder.
-sharp   Caveat: by giving precedence to RC4-SHA and AES128-SHA
-sharp   (as in the example below), most connections will no longer
-sharp   have perfect forward secrecy - if the server"s key is
-sharp   compromised, captures of past or future traffic must be
-sharp   considered compromised, too.
-sharpSSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5
-sharpSSLHonorCipherOrder on 

SSLProtocol TLS1.1 TLS1.2

-sharp   Pass Phrase Dialog:
-sharp   Configure the pass phrase gathering process.
-sharp   The filtering dialog program (`builtin" is an internal
-sharp   terminal dialog) has to provide the pass phrase on stdout.
SSLPassPhraseDialog  builtin

-sharp   Inter-Process Session Cache:
-sharp   Configure the SSL Session Cache: First the mechanism 
-sharp   to use and second the expiring timeout (in seconds).
-sharpSSLSessionCache         "dbm:/opt/lampp/logs/ssl_scache"
SSLSessionCache        "shmcb:/opt/lampp/logs/ssl_scache(512000)"
SSLSessionCacheTimeout  300

-sharp-sharp
-sharp-sharp SSL Virtual Host Context
-sharp-sharp

<VirtualHost _default_:443>

-sharp   General setup for the virtual host
DocumentRoot "/opt/lampp/htdocs/wordp"
ServerName www.architect.wang:443
ServerAlias architect.wang:443
-sharp ServerAlias www.architect.wang:443
-sharp ServerAdmin you@example.com
ErrorLog "/opt/lampp/logs/error_log"
TransferLog "/opt/lampp/logs/access_log"

-sharp   SSL Engine Switch:
-sharp   Enable/Disable SSL for this virtual host.
SSLEngine on

-sharp   Server Certificate:
-sharp   Point SSLCertificateFile at a PEM encoded certificate.  If
-sharp   the certificate is encrypted, then you will be prompted for a
-sharp   pass phrase.  Note that a kill -HUP will prompt again.  Keep
-sharp   in mind that if you have both an RSA and a DSA certificate you
-sharp   can configure both in parallel (to also allow the use of DSA
-sharp   ciphers, etc.)
-sharp   Some ECC cipher suites (http://www.ietf.org/rfc/rfc4492.txt)
-sharp   require an ECC certificate which can also be configured in
-sharp   parallel.
SSLCertificateFile "/etc/letsencrypt/live/wang2/www.architect.wang.crt"
-sharpSSLCertificateFile "/opt/lampp/etc/ssl.crt/server.crt"
-sharpSSLCertificateFile "/opt/lampp/etc/server-dsa.crt"
-sharpSSLCertificateFile "/opt/lampp/etc/server-ecc.crt"

-sharp   Server Private Key:
-sharp   If the key is not combined with the certificate, use this
-sharp   directive to point at the key file.  Keep in mind that if
-sharp   you"ve both a RSA and a DSA private key you can configure
-sharp   both in parallel (to also allow the use of DSA ciphers, etc.)
-sharp   ECC keys, when in use, can also be configured in parallel
SSLCertificateKeyFile "/etc/letsencrypt/live//wang2/www.architect.wang.key"
-sharpSSLCertificateKeyFile "/opt/lampp/etc/ssl.key/server.key"
-sharpSSLCertificateKeyFile "/opt/lampp/etc/server-dsa.key"
-sharpSSLCertificateKeyFile "/opt/lampp/etc/server-ecc.key"

-sharp   Server Certificate Chain:
-sharp   Point SSLCertificateChainFile at a file containing the
-sharp   concatenation of PEM encoded CA certificates which form the
-sharp   certificate chain for the server certificate. Alternatively
-sharp   the referenced file can be the same as SSLCertificateFile
-sharp   when the CA certificates are directly appended to the server
-sharp   certificate for convenience.
-sharpSSLCertificateChainFile "chain.pem"
-sharpSSLCertificateChainFile "/opt/lampp/etc/server-ca.crt"

-sharp   Certificate Authority (CA):
-sharp   Set the CA certificate verification path where to find CA
-sharp   certificates for client authentication or alternatively one
-sharp   huge file containing all of them (file must be PEM encoded)
-sharp   Note: Inside SSLCACertificatePath you need hash symlinks
-sharp         to point to the certificate files. Use the provided
-sharp         Makefile to update the hash symlinks after changes.
-sharpSSLCACertificatePath "/opt/lampp/etc/ssl.crt"
SSLCACertificateFile "/etc/letsencrypt/live//wang2/www.architect.wang.key"
-sharpSSLCACertificateFile "/opt/lampp/etc/ssl.crt/ca-bundle.crt"

-sharp   Certificate Revocation Lists (CRL):
-sharp   Set the CA revocation path where to find CA CRLs for client
-sharp   authentication or alternatively one huge file containing all
-sharp   of them (file must be PEM encoded).
-sharp   The CRL checking mode needs to be configured explicitly
-sharp   through SSLCARevocationCheck (defaults to "none" otherwise).
-sharp   Note: Inside SSLCARevocationPath you need hash symlinks
-sharp         to point to the certificate files. Use the provided
-sharp         Makefile to update the hash symlinks after changes.
-sharpSSLCARevocationPath "/opt/lampp/etc/ssl.crl"
-sharpSSLCARevocationFile "/opt/lampp/etc/ssl.crl/ca-bundle.crl"
-sharpSSLCARevocationCheck chain

-sharp   Client Authentication (Type):
-sharp   Client certificate verification type and depth.  Types are
-sharp   none, optional, require and optional_no_ca.  Depth is a
-sharp   number which specifies how deeply to verify the certificate
-sharp   issuer chain before deciding the certificate is not valid.
-sharpSSLVerifyClient require
-sharpSSLVerifyDepth  10

-sharp   Access Control:
-sharp   With SSLRequire you can do per-directory access control based
-sharp   on arbitrary complex boolean expressions containing server
-sharp   variable checks and other lookup directives.  The syntax is a
-sharp   mixture between C and Perl.  See the mod_ssl documentation
-sharp   for more details.
-sharp<Location />
-sharpSSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
-sharp            and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
-sharp            and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
-sharp            and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
-sharp            and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20       ) \
-sharp           or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
-sharp</Location>

-sharp   SSL Engine Options:
-sharp   Set various options for the SSL engine.
-sharp   o FakeBasicAuth:
-sharp     Translate the client X.509 into a Basic Authorisation.  This means that
-sharp     the standard Auth/DBMAuth methods can be used for access control.  The
-sharp     user name is the `one line" version of the client"s X.509 certificate.
-sharp     Note that no password is obtained from the user. Every entry in the user
-sharp     file needs this password: `xxj31ZMTZzkVA".
-sharp   o ExportCertData:
-sharp     This exports two additional environment variables: SSL_CLIENT_CERT and
-sharp     SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
-sharp     server (always existing) and the client (only existing when client
-sharp     authentication is used). This can be used to import the certificates
-sharp     into CGI scripts.
-sharp   o StdEnvVars:
-sharp     This exports the standard SSL/TLS related `SSL_*" environment variables.
-sharp     Per default this exportation is switched off for performance reasons,
-sharp     because the extraction step is an expensive operation and is usually
-sharp     useless for serving static content. So one usually enables the
-sharp     exportation for CGI and SSI requests only.
-sharp   o StrictRequire:
-sharp     This denies access when "SSLRequireSSL" or "SSLRequire" applied even
-sharp     under a "Satisfy any" situation, i.e. when it applies access is denied
-sharp     and no other module can change it.
-sharp   o OptRenegotiate:
-sharp     This enables optimized SSL connection renegotiation handling when SSL
-sharp     directives are used in per-directory context. 
-sharpSSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
<FilesMatch "\.(cgi|shtml|phtml|php)$">
    SSLOptions +StdEnvVars
</FilesMatch>
<Directory "/opt/lampp/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>

-sharp   SSL Protocol Adjustments:
-sharp   The safe and default but still SSL/TLS standard compliant shutdown
-sharp   approach is that mod_ssl sends the close notify alert but doesn"t wait for
-sharp   the close notify alert from client. When you need a different shutdown
-sharp   approach you can use one of the following variables:
-sharp   o ssl-unclean-shutdown:
-sharp     This forces an unclean shutdown when the connection is closed, i.e. no
-sharp     SSL close notify alert is sent or allowed to be received.  This violates
-sharp     the SSL/TLS standard but is needed for some brain-dead browsers. Use
-sharp     this when you receive I/O errors because of the standard approach where
-sharp     mod_ssl sends the close notify alert.
-sharp   o ssl-accurate-shutdown:
-sharp     This forces an accurate shutdown when the connection is closed, i.e. a
-sharp     SSL close notify alert is send and mod_ssl waits for the close notify
-sharp     alert of the client. This is 100% SSL/TLS standard compliant, but in
-sharp     practice often causes hanging connections with brain-dead browsers. Use
-sharp     this only for browsers where you know that their SSL implementation
-sharp     works correctly. 
-sharp   Notice: Most problems of broken clients are also related to the HTTP
-sharp   keep-alive facility, so you usually additionally want to disable
-sharp   keep-alive for those clients, too. Use variable "nokeepalive" for this.
-sharp   Similarly, one has to force some clients to use HTTP/1.0 to workaround
-sharp   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
-sharp   "force-response-1.0" for this.
BrowserMatch "MSIE [2-5]" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0

-sharp   Per-Server Logging:
-sharp   The home of a custom SSL log file. Use this when you want a
-sharp   compact non-error SSL logfile on a virtual host basis.
CustomLog "/opt/lampp/logs/ssl_request_log" \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

</VirtualHost>
Ssl-Certificate apache
Mar.05,2021
< H1 > https fragment < / H1 >

server 

{
    listen 443 ssl http2;
    server_name xxxx.com
    root  /www/wwww;

    index index.html index.htm index.php default.html default.htm default.php;
-sharproot  /home/wwwroot/xxxx.com;
    -sharpssl on;
    ssl_certificate /usr/local/nginx/conf/ssl/xxxx.com/fullchain.cer;
    ssl_certificate_key /usr/local/nginx/conf/ssl/xxxx.com/xxxx.com.key;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5";
    ssl_session_cache builtin:1000 shared:SSL:10m;
    -sharp openssl dhparam -out /usr/local/nginx/conf/ssl/dhparam.pem 2048
    ssl_dhparam /usr/local/nginx/conf/ssl/dhparam.pem;

    include rewrite/other.conf;
    -sharperror_page   404   /404.html;
   include rewrite/other.conf;
    -sharperror_page   404   /404.html;

    -sharp Deny access to PHP files in specific directory
    -sharplocation ~ /(wp-content|uploads|wp-includes|images)/.*\.php$ { deny all; }

    include enable-php-pathinfo.conf;

    location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
    {
        expires      30d;
       }

    location ~ .*\.(js|css)?$
    {
    expires      12h;
    }

    location ~ /.well-known {
        allow all;
    }

    location ~ /\.
    {
        deny all;
    }
add_header  Strict-Transport-Security "max-age=15552000;includeSubdomains;preload";
    access_log  /home/wwwlogs/$subdomain.xxxx.com.log;
    access_log  /home/wwwlogs/$subdomain.xxxx.com.log;

    -sharpcookie,
    add_header Set-Cookie "HttpOnly";
    add_header Set-Cookie "Secure";
    add_header X-Frame-Options "DENY";

}

Previous: RandomUtils problem of java

Next: If the rsync file is not Synchronize, what should I do?

css mysql arrays josn react html typescript webpack npm sass R objective-c .net sql-server jquery python-3.x angularjs django angular excel regex iphone ajax linux xml pandas vba spring database wordpress string wpf xcode windows bash postgresql oracle multithreading eclipse list firebase algorithm macos forms image scala visual-studio azure bootstrap spring-boot react-native python-2.7 docker performance function winforms matlab powershell apache dataframe api sqlite numpy rest shell selenium flutter dart maven loops qt swing android-studio csv express file class tensorflow sorting codeigniter perl
© 2021 CodesHelper
Advertising Contact us About us
Menu