Amazon-Web-Services

Browser warns about an invalid certificate but redirects correctly

  • August 18, 2016

I am running Apache httpd 2.4 on an AWS instance. I have the following httpd configuration:

<VirtualHost *:443>
   ServerName jenkins.example.com
   SSLEngine on
   SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP

   SSLCertificateFile      /var/lib/jenkins/secrets/test-cert.pem
   SSLCertificateKeyFile   /var/lib/jenkins/secrets/test-key.pem
   JkMount /* ajp13
</VirtualHost>

<VirtualHost *:80>
   ServerName jenkins.example.com
   Redirect / https://jenkins.example.com/
</VirtualHost>

<VirtualHost *:80>
   RewriteEngine on
   RewriteCond %{HTTPS} off
   RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]
</VirtualHost>

<VirtualHost *:443>
   ServerName backoffice.another-example.com
   SSLEngine on
   SSLProxyEngine On
   SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS

   SSLCertificateFile      /etc/certificates/backoffice.another-example.com/cert.pem
   SSLCertificateChainFile /etc/certificates/backoffice.another-example.com/chain.pem
   SSLCertificateKeyFile   /etc/certificates/backoffice.another-example.com/privkey.pem

   SSLProxyCheckPeerCN Off
   SSLProxyCheckPeerName Off

   Timeout 600
   ProxyTimeout 600
   ProxyRequests off
   ProxyPreserveHost On
   <Proxy *>
       Order deny,allow
       Allow from all
   </Proxy>

   <Location />
       ProxyPass https://localhost:15678/
       ProxyPassReverse https://localhost:15678/
   </Location>
</VirtualHost>

<VirtualHost *:443>
       ServerName another-example.com
       ServerAlias another-example.com

       RewriteEngine on
       RewriteRule (.*) https://www.another-example.com%{REQUEST_URI} [R,L]
</VirtualHost>

<VirtualHost *:443>
   ServerName another-example.com
   ServerAlias *.another-example.com
   SSLEngine on
   SSLProtocol all -SSLv2 -SSLv3
   SSLHonorCipherOrder on
   SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS

   SSLCertificateFile      /etc/certificates/another-example.com/cert.pem
   SSLCertificateChainFile /etc/certificates/another-example.com/chain.pem
   SSLCertificateKeyFile   /etc/certificates/another-example.com/privkey.pem

   ProxyRequests off
   ProxyPreserveHost On
   <Proxy *>
       Order deny,allow
       Allow from all
   </Proxy>

   <Location />
       ProxyPass http://localhost:20001/ retry=1 acquire=3000 timeout=600 Keepalive=On
       ProxyPassReverse http://localhost:20001/
       AuthType Basic
       AuthName "Test Servers"
       AuthBasicProvider file
       AuthUserFile /var/www/passwords
       Require user example
   </Location>    
</VirtualHost>

Then, three certificates:

  • another-example.com
  • backoffice.another-example.com
  • jenkins.example.com (self-signed)

Here is the problem: when I go to http://another-example.com or https://another-example.com, I get a warning due to NET::ERR_CERT_AUTHORITY_INVALID, and the browser shows me the self-signed certificate. Then, if I click "Proceed to another-example.com (unsafe)", it does take me to another-example.com (and asks me for authentication credentials), and the address bar shows a happy green lock icon and tells me it considers the certificate valid and private.

If I remove the two sections for jenkins.example.com

<VirtualHost *:443>
   ServerName jenkins.example.com
   SSLEngine on
   SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP

   SSLCertificateFile      /var/lib/jenkins/secrets/test-cert.pem
   SSLCertificateKeyFile   /var/lib/jenkins/secrets/test-key.pem
   JkMount /* ajp13
</VirtualHost>

<VirtualHost *:80>
   ServerName jenkins.example.com
   Redirect / https://jenkins.example.com/
</VirtualHost>

I still get another warning, NET::ERR_CERT_COMMON_NAME_INVALID, and the browser shows me the certificate for backoffice.another-example.com. So it is apparently picking up the certificate for the first VirtualHost it comes across, but then it redirects to the correct domain. This does not happen if I enter http://www.another-example.com or https://www.another-example.com.

What is going on? How do I avoid that first warning showing the wrong domain's certificate?

Stare at this until you spot the problem.

<VirtualHost *:443>
       ServerName another-example.com
       ServerAlias another-example.com

       <!-- conspicuous hole -->

       RewriteEngine on
       RewriteRule (.*) https://www.another-example.com%{REQUEST_URI} [R,L]
</VirtualHost>

<VirtualHost *:443>
   ServerName another-example.com
   ServerAlias *.another-example.com
...

Where is the SSL certificate configuration for the <VirtualHost *:443> with ServerAlias another-example.com?

I'm a bit rusty with Apache, but this looks like a case of missing configuration directives being implicitly filled in with unrelated data from higher up in the file. This certainly isn't the first time that has happened, and it would perfectly explain why removing the self-signed certificate changes the error: different unrelated configuration data gets substituted.

All of the SSL* configuration from the following section needs to be duplicated in the section above. At least, that's what it looks like to me.

The wrong SSL certificate is served when SNI is set to another-example.com because you basically haven't told it which certificate to serve in that case.
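A check for the hole the answer points at, added here as an example; it is not code from the question, the answer, or the Apache project. It parses the <VirtualHost> blocks out of httpd.conf text and flags any *:443 vhost that claims a name but carries no SSLEngine on / SSLCertificateFile / SSLCertificateKeyFile of its own, and separately lists names claimed by more than one vhost on the same address (Apache routes to the first matching vhost, so later ones are shadowed). SAMPLE_CONF is a constructed, trimmed copy of the shape of the question's configuration using its placeholder hostnames and paths; FIXED_REDIRECT_VHOST is the redirect vhost with the answer's fix applied; the function names are my own.

```python
import re
from typing import Dict, List

# Constructed sample: trimmed copy of the question's configuration shape.
# The third vhost is the "conspicuous hole" with no SSL directives at all.
SAMPLE_CONF = """
<VirtualHost *:443>
   ServerName jenkins.example.com
   SSLEngine on
   SSLCertificateFile      /var/lib/jenkins/secrets/test-cert.pem
   SSLCertificateKeyFile   /var/lib/jenkins/secrets/test-key.pem
</VirtualHost>

<VirtualHost *:80>
   ServerName jenkins.example.com
   Redirect / https://jenkins.example.com/
</VirtualHost>

<VirtualHost *:443>
   ServerName another-example.com
   ServerAlias another-example.com
   RewriteEngine on
   RewriteRule (.*) https://www.another-example.com%{REQUEST_URI} [R,L]
</VirtualHost>

<VirtualHost *:443>
   ServerName another-example.com
   ServerAlias *.another-example.com
   SSLEngine on
   SSLCertificateFile      /etc/certificates/another-example.com/cert.pem
   SSLCertificateChainFile /etc/certificates/another-example.com/chain.pem
   SSLCertificateKeyFile   /etc/certificates/another-example.com/privkey.pem
</VirtualHost>
"""

# The redirect vhost with the answer's fix: the SSL* directives duplicated into it.
FIXED_REDIRECT_VHOST = """
<VirtualHost *:443>
   ServerName another-example.com
   SSLEngine on
   SSLCertificateFile      /etc/certificates/another-example.com/cert.pem
   SSLCertificateChainFile /etc/certificates/another-example.com/chain.pem
   SSLCertificateKeyFile   /etc/certificates/another-example.com/privkey.pem
   RewriteEngine on
   RewriteRule (.*) https://www.another-example.com%{REQUEST_URI} [R,L]
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)


def parse_vhosts(conf: str) -> List[Dict]:
    """One dict per <VirtualHost>: listen address, names, lower-cased directives.

    Lines opening or closing nested containers (<Location>, <Proxy>) are skipped;
    their directives are attributed to the enclosing vhost, which is enough here.
    """
    vhosts = []
    for m in VHOST_RE.finditer(conf):
        address, body = m.group(1).strip(), m.group(2)
        directives: Dict[str, List[str]] = {}
        for line in body.splitlines():
            line = line.strip()
            if not line or line.startswith(("#", "<")):
                continue
            parts = line.split(None, 1)
            value = parts[1].strip() if len(parts) > 1 else ""
            directives.setdefault(parts[0].lower(), []).append(value)
        names = directives.get("servername", []) + directives.get("serveralias", [])
        vhosts.append({"address": address, "names": names, "directives": directives})
    return vhosts


def find_unconfigured_tls_vhosts(conf: str) -> List[Dict]:
    """Flag *:443 vhosts that claim a name but have no certificate of their own."""
    findings = []
    for vh in parse_vhosts(conf):
        if not vh["address"].endswith(":443"):
            continue
        d = vh["directives"]
        engine_on = any(v.lower() == "on" for v in d.get("sslengine", []))
        missing = [k for k in ("sslcertificatefile", "sslcertificatekeyfile") if k not in d]
        if not engine_on or missing:
            findings.append({"names": vh["names"], "sslengine_on": engine_on, "missing": missing})
    return findings


def find_duplicate_names(conf: str) -> Dict[str, int]:
    """Names claimed by more than one vhost on the same address (first match wins)."""
    counts: Dict[str, int] = {}
    for vh in parse_vhosts(conf):
        for name in set(n.lower() for n in vh["names"]):
            key = f"{vh['address']} {name}"
            counts[key] = counts.get(key, 0) + 1
    return {k: c for k, c in counts.items() if c > 1}


if __name__ == "__main__":
    for f in find_unconfigured_tls_vhosts(SAMPLE_CONF):
        print("no usable certificate for", f["names"], "- missing:", f["missing"])
    for key, c in find_duplicate_names(SAMPLE_CONF).items():
        print("name claimed by", c, "vhosts:", key)
    print("fixed redirect vhost:", find_unconfigured_tls_vhosts(FIXED_REDIRECT_VHOST))
```

Run it over the real httpd.conf (read the file into a string in place of SAMPLE_CONF), then confirm on the live server with openssl s_client -connect HOST:443 -servername another-example.com, which prints the certificate the server actually presents for that SNI name; after the fix it should be the another-example.com certificate rather than the first vhost's.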

Source: https://serverfault.com/questions/797682