Browser warns about an invalid certificate but then redirects correctly
I am running Apache httpd 2.4 on an AWS instance with the following httpd configuration:
    <VirtualHost *:443>
        ServerName jenkins.example.com
        SSLEngine on
        SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
        SSLCertificateFile /var/lib/jenkins/secrets/test-cert.pem
        SSLCertificateKeyFile /var/lib/jenkins/secrets/test-key.pem
        JkMount /* ajp13
    </VirtualHost>

    <VirtualHost *:80>
        ServerName jenkins.example.com
        Redirect / https://jenkins.example.com/
    </VirtualHost>

    <VirtualHost *:80>
        RewriteEngine on
        RewriteCond %{HTTPS} off
        RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]
    </VirtualHost>

    <VirtualHost *:443>
        ServerName backoffice.another-example.com
        SSLEngine on
        SSLProxyEngine On
        SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
        SSLCertificateFile /etc/certificates/backoffice.another-example.com/cert.pem
        SSLCertificateChainFile /etc/certificates/backoffice.another-example.com/chain.pem
        SSLCertificateKeyFile /etc/certificates/backoffice.another-example.com/privkey.pem
        SSLProxyCheckPeerCN Off
        SSLProxyCheckPeerName Off
        Timeout 600
        ProxyTimeout 600
        ProxyRequests off
        ProxyPreserveHost On
        <Proxy *>
            Order deny,allow
            Allow from all
        </Proxy>
        <Location />
            ProxyPass https://localhost:15678/
            ProxyPassReverse https://localhost:15678/
        </Location>
    </VirtualHost>

    <VirtualHost *:443>
        ServerName another-example.com
        ServerAlias another-example.com
        RewriteEngine on
        RewriteRule (.*) https://www.another-example.com%{REQUEST_URI} [R,L]
    </VirtualHost>

    <VirtualHost *:443>
        ServerName another-example.com
        ServerAlias *.another-example.com
        SSLEngine on
        SSLProtocol all -SSLv2 -SSLv3
        SSLHonorCipherOrder on
        SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
        SSLCertificateFile /etc/certificates/another-example.com/cert.pem
        SSLCertificateChainFile /etc/certificates/another-example.com/chain.pem
        SSLCertificateKeyFile /etc/certificates/another-example.com/privkey.pem
        ProxyRequests off
        ProxyPreserveHost On
        <Proxy *>
            Order deny,allow
            Allow from all
        </Proxy>
        <Location />
            ProxyPass http://localhost:20001/ retry=1 acquire=3000 timeout=600 Keepalive=On
            ProxyPassReverse http://localhost:20001/
            AuthType Basic
            AuthName "Test Servers"
            AuthBasicProvider file
            AuthUserFile /var/www/passwords
            Require user example
        </Location>
    </VirtualHost>
And three certificates:
- another-example.com
- backoffice.another-example.com
- jenkins.example.com (self-signed)
Here is the problem: when I visit http://another-example.com or https://another-example.com, I get a warning because of NET::ERR_CERT_AUTHORITY_INVALID, and the browser shows me the self-signed certificate. Then, if I click "Proceed to another-example.com (unsafe)", it does take me to another-example.com (and asks me for authentication credentials), and the address bar shows a happy green padlock telling me the certificate is valid and the connection is private.
If I remove the two jenkins.example.com sections:
    <VirtualHost *:443>
        ServerName jenkins.example.com
        SSLEngine on
        SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
        SSLCertificateFile /var/lib/jenkins/secrets/test-cert.pem
        SSLCertificateKeyFile /var/lib/jenkins/secrets/test-key.pem
        JkMount /* ajp13
    </VirtualHost>

    <VirtualHost *:80>
        ServerName jenkins.example.com
        Redirect / https://jenkins.example.com/
    </VirtualHost>
I still get a warning, this time NET::ERR_CERT_COMMON_NAME_INVALID, and the browser shows me the certificate for backoffice.another-example.com. So it is obviously picking up the certificate of the first VirtualHost it finds, but then redirecting to the correct domain. This does not happen if I type http://www.another-example.com or https://www.another-example.com.
What is going on here, and how do I avoid that first warning that shows the certificate for the wrong domain?
Stare at this until you spot the problem.
    <VirtualHost *:443>
        ServerName another-example.com
        ServerAlias another-example.com
        <!-- conspicuous hole -->
        RewriteEngine on
        RewriteRule (.*) https://www.another-example.com%{REQUEST_URI} [R,L]
    </VirtualHost>

    <VirtualHost *:443>
        ServerName another-example.com
        ServerAlias *.another-example.com
        ...
Where is the SSL certificate configuration for the <VirtualHost *:443> with ServerAlias another-example.com? I am a bit rusty on Apache, but this looks like a case of a missing configuration directive being implicitly filled in with unrelated data from higher up in the file. This certainly would not be the first time that has happened, and it perfectly explains why removing the self-signed certificate changes the error: different unrelated configuration data gets substituted instead.
All of the SSL* configuration from the previous section needs to be duplicated into the section above. At least, that is how it looks to me. When SNI is set to another-example.com, the wrong SSL certificate is served because you have essentially not told it which certificate to serve in that case.
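A quick way to catch this class of mistake before a browser does is to lint the config for *:443 VirtualHosts that carry no TLS directives of their own. The following script is an added example, not part of the question or the answer above: it parses Apache VirtualHost blocks, and for every one bound to port 443 reports which of SSLEngine, SSLCertificateFile and SSLCertificateKeyFile are absent. The embedded sample config is a constructed, abbreviated copy of the vhosts from the question (same placeholder names and paths), so the redirect-only another-example.com block is the one it should flag.

```python
"""Lint an Apache httpd config for *:443 VirtualHosts that lack their own
TLS directives.  Added example; the sample config below is constructed
from the question's vhosts (abbreviated) and is not the original file."""
import re

# Directives a TLS vhost must carry itself: httpd does not inherit them
# from an earlier <VirtualHost>, so a *:443 block without them is served
# with whatever the first vhost on that address provides.
REQUIRED_TLS = ("SSLEngine", "SSLCertificateFile", "SSLCertificateKeyFile")

SAMPLE_CONFIG = """
<VirtualHost *:443>
    ServerName jenkins.example.com
    SSLEngine on
    SSLCertificateFile /var/lib/jenkins/secrets/test-cert.pem
    SSLCertificateKeyFile /var/lib/jenkins/secrets/test-key.pem
</VirtualHost>
<VirtualHost *:443>
    ServerName another-example.com
    ServerAlias another-example.com
    RewriteEngine on
    RewriteRule (.*) https://www.another-example.com%{REQUEST_URI} [R,L]
</VirtualHost>
<VirtualHost *:443>
    ServerName another-example.com
    ServerAlias *.another-example.com
    SSLEngine on
    SSLCertificateFile /etc/certificates/another-example.com/cert.pem
    SSLCertificateKeyFile /etc/certificates/another-example.com/privkey.pem
    <Location />
        ProxyPass http://localhost:20001/
    </Location>
</VirtualHost>
"""

VHOST_OPEN = re.compile(r"^<VirtualHost\s+([^>]+)>$", re.IGNORECASE)
VHOST_CLOSE = re.compile(r"^</VirtualHost>$", re.IGNORECASE)
# Apache directive names are case-insensitive; map lowercase -> canonical.
CANONICAL = {n.lower(): n for n in REQUIRED_TLS + ("ServerName", "ServerAlias")}


def parse_vhosts(config_text):
    """Return a list of {'addr', 'names', 'directives'} dicts, one per
    <VirtualHost>.  Nested containers (<Location>, <Proxy>) are flattened
    into the enclosing vhost; that is fine for this check, since SSL*
    directives at those levels do not select the certificate anyway."""
    vhosts, current = [], None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = VHOST_OPEN.match(line)
        if m:
            current = {"addr": m.group(1).strip(), "names": [], "directives": {}}
            continue
        if VHOST_CLOSE.match(line):
            if current is not None:
                vhosts.append(current)
            current = None
            continue
        if current is None or line.startswith("<"):
            continue  # outside any vhost, or a nested container tag
        parts = line.split(None, 1)
        name = CANONICAL.get(parts[0].lower(), parts[0])
        value = parts[1] if len(parts) > 1 else ""
        if name in ("ServerName", "ServerAlias"):
            current["names"].extend(value.split())
        current["directives"].setdefault(name, []).append(value)
    return vhosts


def find_broken_tls_vhosts(config_text):
    """Return [(names, missing)] for every vhost on port 443 that lacks a
    REQUIRED_TLS directive or sets SSLEngine to something other than on."""
    problems = []
    for vh in parse_vhosts(config_text):
        if not vh["addr"].endswith(":443"):
            continue
        d = vh["directives"]
        missing = [k for k in REQUIRED_TLS if k not in d]
        if "SSLEngine" in d and d["SSLEngine"][0].lower() != "on":
            missing.append("SSLEngine on")
        if missing:
            problems.append((vh["names"], missing))
    return problems


if __name__ == "__main__":
    for names, missing in find_broken_tls_vhosts(SAMPLE_CONFIG):
        print("TLS vhost for %s is missing: %s" % (", ".join(names), ", ".join(missing)))
```

Run it against a real httpd.conf by replacing SAMPLE_CONFIG with the file contents (it does not follow Include directives). To confirm the fix from the live server, ask it for each name explicitly, since certificate selection is driven by the SNI name the client sends: `openssl s_client -connect host:443 -servername another-example.com` followed by `openssl x509 -noout -subject` on the output shows which certificate that SNI name actually gets.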