CentOS 7：Apache 使用 FreeIPA PKI 签发的证书
安装apache和mod_nss
# Install Apache httpd together with mod_nss, the NSS-based TLS module.
# -y answers yum's confirmation prompts automatically.
sudo yum -y install httpd mod_nss
配置mod_nss
# Append three directives to /etc/httpd/conf.d/nssconfig.conf: the HTTPS
# listener, the permitted cipher suites, and the NSS certificate database path.
# The write goes through `sudo tee -a` because the redirect itself needs root.
# Re-running this appends the same lines again; a duplicated Listen line can
# stop httpd from starting, so check the file before running it a second time.
# NOTE(review): the list enables CBC suites with a SHA-1 MAC (the "*_sha"
# entries) and static-RSA key exchange (the entries without "ecdhe", which give
# no forward secrecy). No NSSProtocol line is written here either, so the
# module's default protocol set applies. Review both against your TLS baseline.
printf '%s\n' \
  'Listen 443' \
  'NSSCipherSuite +aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_sha' \
  'NSSCertificateDatabase /etc/httpd/alias' \
  | sudo tee -a /etc/httpd/conf.d/nssconfig.conf >/dev/null
编辑 /etc/httpd/conf.d/nss.conf，删除其中默认的 <VirtualHost> … </VirtualHost> 配置段
获取证书
# Ask certmonger to request a certificate from the IPA CA and keep tracking it.
#   -K  Kerberos service principal the certificate is issued for
#   -D  DNS name placed in the certificate's subjectAltName
#   -d  NSS database directory that stores the key and certificate
#   -n  nickname inside that database; it must match NSSNickname in the vhost
# 'hostname' and 'FQDN.com' are placeholders for this server's own names.
# NOTE(review): presumably the HTTP/<host> service principal has to exist in
# IPA before this request succeeds; confirm with `ipa service-show`.
# NOTE(review): no -C post-save command is passed, so nothing here restarts
# httpd after a renewal; verify how the renewed certificate gets picked up.
# `ipa-getcert list` shows the state of the tracking request.
ipa-getcert request \
  -K 'HTTP/hostname' \
  -D 'FQDN.com' \
  -d /etc/httpd/alias \
  -n 'alianame'
配置https虚拟主机
# HTTPS front end: terminates TLS with mod_nss and reverse-proxies every path
# to the plain-HTTP application listening on localhost:8080.
<VirtualHost *:443>
    # Name clients use to reach this host; FQDN is a placeholder.
    ServerName FQDN

    # Enable TLS here and select the certificate by its NSS nickname, which
    # must match the -n value given to ipa-getcert.
    NSSEngine on
    NSSNickname alianame
    # NOTE(review): no NSSProtocol directive is set in this vhost, so the
    # module's default protocol versions apply; confirm they meet your baseline.

    # "set" replaces any X-Forwarded-Proto value sent by the client, so the
    # backend only ever sees the value written here.
    RequestHeader set X-Forwarded-Proto "https"

    # Forward all requests to the backend and rewrite its redirect headers.
    # NOTE(review): the hop to port 8080 is unencrypted; the backend should
    # presumably accept connections from loopback only. Verify its bind address.
    ProxyPass / http://localhost:8080/
    ProxyPassReverse / http://localhost:8080/
</VirtualHost>