Apache-2.4

Apache HTTPD occasionally serves old/expired certificates

  • March 16, 2022

I have three hosts on the same server (single IP):

  • domain1.com
  • domain2.com
  • domain3.com

Each of them should use a Let's Encrypt certificate that was recently issued in April 2017.

However, sometimes the server seems to serve old (expired) certificates. For domain1.com it serves a StartSSL certificate that is actually still valid (07.2016 - 07.2017), while the other two hosts serve Let's Encrypt certificates that expired in January 2017.

Here is basically how these hosts are set up for certbot (with different host names, of course):

<VirtualHost *:443>

   ServerName  domain1.com
   ServerAlias www.domain1.com

   SSLEngine           on
   SSLProtocol         all -SSLv2 -SSLv3
   SSLCipherSuite      ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
   SSLHonorCipherOrder on
   SSLCompression      off

   SSLOptions +StrictRequire

   SSLCertificateFile /etc/letsencrypt/live/domain1.com/fullchain.pem
   SSLCertificateKeyFile /etc/letsencrypt/live/domain1.com/privkey.pem

   DocumentRoot /opt/lucee/tomcat/webapps/domain1.com/

   <IfModule mod_headers.c>
       RequestHeader set HTTPS "1"
   </IfModule>
   <IfModule mod_proxy.c>
       ProxyPassMatch ^/(.*)$ http://127.0.0.1:8500/$1
   </IfModule>

   CustomLog ${APACHE_LOG_DIR}/access.log custom_access

</VirtualHost>

fullchain.pem and privkey.pem are symlinks that point to the latest file (highest index) in each host's archive folder. I resolved the links and they look fine.

# apache2ctl -S

VirtualHost configuration:
*:80                   is a NameVirtualHost
        default server localhost (/etc/apache2/sites-enabled/000-default.conf:1)
        port 80 namevhost localhost (/etc/apache2/sites-enabled/000-default.conf:1)
        port 80 namevhost domain1.com (/etc/apache2/sites-enabled/000-default.conf:8)
                alias www.domain1.com
        port 80 namevhost domain2.com (/etc/apache2/sites-enabled/000-default.conf:17)
                alias www.domain2.com
        port 80 namevhost domain3.com (/etc/apache2/sites-enabled/000-default.conf:26)
                alias www.domain3.com
        port 80 namevhost www.domain2.com (/etc/apache2/sites-enabled/000-default.conf:35)
                alias domain2.com
        port 80 namevhost forum.domain2.com (/etc/apache2/sites-enabled/000-default.conf:44)
        port 80 namevhost downloads.domain2.com (/etc/apache2/sites-enabled/000-default.conf:69)
        port 80 namevhost images.domain2.com (/etc/apache2/sites-enabled/000-default.conf:82)
*:443                  is a NameVirtualHost
        default server domain1.com (/etc/apache2/sites-enabled/001-domain1.com.conf:3)
        port 443 namevhost domain1.com (/etc/apache2/sites-enabled/001-domain1.com.conf:3)
                alias www.domain1.com
        port 443 namevhost www.domain2.com (/etc/apache2/sites-enabled/002-www.domain2.com.conf:3)
                alias domain2.com
        port 443 namevhost domain3.com (/etc/apache2/sites-enabled/003-domain3.com.conf:3)
                alias www.domain3.com
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex default: dir="/var/lock/apache2" mechanism=fcntl
Mutex mpm-accept: using_defaults
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex ssl-stapling: using_defaults
Mutex proxy: using_defaults
Mutex ssl-cache: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33
Group: name="www-data" id=33

# certbot certificates

-------------------------------------------------------------------------------
Found the following certs:
 Certificate Name: www.domain2.com
   Domains: www.domain2.com
   Expiry Date: 2017-07-02 23:03:00+00:00 (VALID: 75 days)
   Certificate Path: /etc/letsencrypt/live/www.domain2.com/fullchain.pem
   Private Key Path: /etc/letsencrypt/live/www.domain2.com/privkey.pem
 Certificate Name: domain3.com
   Domains: domain3.com
   Expiry Date: 2017-07-02 23:01:00+00:00 (VALID: 75 days)
   Certificate Path: /etc/letsencrypt/live/domain3.com/fullchain.pem
   Private Key Path: /etc/letsencrypt/live/domain3.com/privkey.pem
 Certificate Name: domain1.com
   Domains: domain1.com
   Expiry Date: 2017-07-02 23:03:00+00:00 (VALID: 75 days)
   Certificate Path: /etc/letsencrypt/live/domain1.com/fullchain.pem
   Private Key Path: /etc/letsencrypt/live/domain1.com/privkey.pem
-------------------------------------------------------------------------------

What could be the problem here? I always thought the server would return multiple certificates because of SNI, but why would Apache HTTPD mix up different certificates? And where do they even come from? (Yes, I restarted and reloaded Apache several times.)
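One way to establish what each name-based vhost actually presents, as an added example that is not part of the original post: connect to every host with SNI set to its own name, repeat the connection several times, and compare the fingerprint of the leaf certificate received with the leaf in the fullchain.pem certbot wrote for that host. The script assumes the placeholder names domain1.com, domain2.com and domain3.com and the /etc/letsencrypt/live/<host>/fullchain.pem paths from the post; the live probe needs network access to those hosts, while the SAMPLE_* and SIMULATED_* data are constructed here so the comparison logic can be run offline.

```python
import base64
import hashlib
import socket
import ssl
from collections import defaultdict

HOSTS = ["domain1.com", "domain2.com", "domain3.com"]  # placeholder names from the post


def leaf_fingerprint_from_pem(pem_text):
    """SHA-256 fingerprint of the first certificate in a PEM bundle (the leaf in fullchain.pem)."""
    begin, end = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"
    start = pem_text.index(begin)
    stop = pem_text.index(end, start) + len(end)
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem_text[start:stop])).hexdigest()


def served_fingerprint(host, port=443, timeout=5.0):
    """Connect with SNI = host and fingerprint the leaf certificate the server presents.

    Verification is disabled on purpose: we want to observe what is sent (possibly
    an expired certificate), not validate it.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return hashlib.sha256(tls.getpeercert(binary_form=True)).hexdigest()


def probe(hosts, attempts=10, fetch=served_fingerprint):
    """Connect to each host `attempts` times; returns {host: {fingerprint: count}}.

    Repetition matters: with several Apache instances behind one IP, consecutive
    connections can be answered by different processes holding different certs.
    """
    seen = {host: defaultdict(int) for host in hosts}
    for _ in range(attempts):
        for host in hosts:
            try:
                fp = fetch(host)
            except OSError as exc:  # socket, DNS and TLS handshake failures
                fp = "error:" + exc.__class__.__name__
            seen[host][fp] += 1
    return {host: dict(counts) for host, counts in seen.items()}


def inconsistent_hosts(results):
    """Hosts that presented more than one distinct certificate across attempts."""
    return sorted(host for host, counts in results.items()
                  if len([fp for fp in counts if not fp.startswith("error:")]) > 1)


def mismatched_hosts(results, expected):
    """Hosts that presented anything other than the certificate expected from disk."""
    return sorted(host for host, counts in results.items()
                  if any(fp != expected[host] for fp in counts))


# Constructed offline data. PEM_cert_to_DER_cert only base64-decodes, so the
# payloads need not be real DER to exercise the leaf-extraction logic.
SAMPLE_LEAF_DER = b"constructed-leaf-certificate"
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_LEAF_DER).decode()
    + "-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(b"constructed-intermediate").decode()
    + "-----END CERTIFICATE-----\n"
)
SAMPLE_LEAF_FINGERPRINT = hashlib.sha256(SAMPLE_LEAF_DER).hexdigest()

# Simulated answers reproducing the symptom in the post: domain1.com alternates
# between its current certificate and a stale one, domain3.com is stable.
SIMULATED_ANSWERS = {"domain1.com": ["fp-letsencrypt-1", "fp-startssl-old"],
                     "domain3.com": ["fp-letsencrypt-3"]}
SIMULATED_EXPECTED = {"domain1.com": "fp-letsencrypt-1", "domain3.com": "fp-letsencrypt-3"}


def simulated_fetch(answers):
    """Stand-in for served_fingerprint that cycles through canned answers per host."""
    calls = defaultdict(int)

    def fetch(host):
        seq = answers[host]
        fp = seq[calls[host] % len(seq)]
        calls[host] += 1
        return fp
    return fetch


if __name__ == "__main__":
    expected = {}
    for host in HOSTS:
        with open(f"/etc/letsencrypt/live/{host}/fullchain.pem") as fh:
            expected[host] = leaf_fingerprint_from_pem(fh.read())
    results = probe(HOSTS)
    print(results)
    print("inconsistent:", inconsistent_hosts(results))
    print("mismatched vs. disk:", mismatched_hosts(results, expected))
```

A host that shows up in `inconsistent_hosts` is the telltale sign of the situation in this post: a single, correctly configured server cannot present two different certificates for the same SNI name, so alternating answers mean more than one process is accepting connections on port 443. A host in `mismatched_hosts` only (every answer identical, but not the leaf on disk) points instead at a process that simply has not reloaded the renewed files.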

I found the cause. I was running multiple Apache instances. Restarting/reloading via the terminal only restarted some of them. That explains why sometimes the old certificate was served and sometimes the new one. I had to kill all the processes to get the new certificate, and now it works again.
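A check for the condition the answer describes, added here and not part of the answer: list the Apache master processes on the box (Apache processes whose parent is not itself an Apache process) and compare them with the PID that `apache2ctl`/the init system signals on reload. The script assumes the PidFile path shown in the `apache2ctl -S` output above and `ps -eo pid,ppid,user,args` formatted output; the SAMPLE_PS listing is constructed to mirror the post's situation, with two independent apache2 masters.

```python
import re

# PidFile from the apache2ctl -S output in the post; reload/graceful signal only this PID.
PIDFILE = "/var/run/apache2/apache2.pid"
APACHE_BIN = re.compile(r"(^|/)(apache2|httpd)\b")


def parse_ps(text):
    """Parse `ps -eo pid,ppid,user,args` output into dicts; the header line is skipped."""
    procs = []
    for line in text.strip().splitlines()[1:]:
        pid, ppid, user, args = line.split(None, 3)
        procs.append({"pid": int(pid), "ppid": int(ppid), "user": user, "args": args})
    return procs


def apache_masters(procs):
    """Apache processes whose parent is not an Apache process.

    Each one is an independent server instance with its own workers, its own
    copy of the configuration and its own loaded certificates and keys.
    """
    apache = [p for p in procs if APACHE_BIN.search(p["args"].split()[0])]
    apache_pids = {p["pid"] for p in apache}
    return [p for p in apache if p["ppid"] not in apache_pids]


def stray_masters(masters, pidfile_pid):
    """Masters a reload will never reach, because the reload signals only pidfile_pid."""
    return [m for m in masters if m["pid"] != pidfile_pid]


def read_pidfile(path=PIDFILE):
    with open(path) as fh:
        return int(fh.read().strip())


def report(masters, pidfile_pid):
    lines = [f"pidfile points at {pidfile_pid}; {len(masters)} apache master process(es) found"]
    for m in masters:
        tag = "managed" if m["pid"] == pidfile_pid else "STRAY (not restarted by reload)"
        lines.append(f"  pid {m['pid']:>6} user {m['user']:<9} {m['args']}  [{tag}]")
    return "\n".join(lines)


# Constructed `ps -eo pid,ppid,user,args` output reproducing the answer's situation:
# two root-owned apache2 masters (900 and 4410), each with its own www-data workers.
SAMPLE_PS = """\
  PID  PPID USER     COMMAND
    1     0 root     /sbin/init
  900     1 root     /usr/sbin/apache2 -k start
  901   900 www-data /usr/sbin/apache2 -k start
  902   900 www-data /usr/sbin/apache2 -k start
 4410     1 root     /usr/sbin/apache2 -k start
 4411  4410 www-data /usr/sbin/apache2 -k start
 5200     1 root     /usr/sbin/sshd -D
"""
SAMPLE_PIDFILE_PID = 900  # constructed: the instance the init system knows about


if __name__ == "__main__":
    import subprocess
    ps_out = subprocess.run(["ps", "-eo", "pid,ppid,user,args"],
                            capture_output=True, text=True, check=True).stdout
    masters = apache_masters(parse_ps(ps_out))
    try:
        managed = read_pidfile()
    except OSError:
        managed = None
    print(report(masters, managed))
```

Any master reported as STRAY keeps serving whatever certificates it loaded at its own start, however many times the managed instance is reloaded; the fix in the answer (stop every instance, then start exactly one) is what brings the listing back to a single master that matches the PidFile.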

Source: https://serverfault.com/questions/845107