Apache-2.4
Apache HTTPD 偶爾提供舊的/過期的證書
我在同一台伺服器上有三台主機(單個 IP):
domain1.com
domain2.com
domain3.com
他們每個人都應該使用最近於 2017 年 4 月發布的 Let’s Encrypt 證書。
但是,有時伺服器似乎提供舊的(過期的)證書。如果是
domain1.com
,則提供實際上仍然有效的 StartSSL 證書(07.2016 - 07-2017),而其他兩個主機提供自 2017 年 1 月起過期的 Let’s Encrypt 證書。以下是為 certbot 設置這些主機的基本方式(當然,使用不同的主機名):
<VirtualHost *:443> ServerName domain1.com ServerAlias www.domain1.com SSLEngine on SSLProtocol all -SSLv2 -SSLv3 SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA SSLHonorCipherOrder on SSLCompression off SSLOptions +StrictRequire SSLCertificateFile /etc/letsencrypt/live/domain1.com/fullchain.pem SSLCertificateKeyFile /etc/letsencrypt/live/domain1.com/privkey.pem DocumentRoot /opt/lucee/tomcat/webapps/domain1.com/ <IfModule mod_headers.c> RequestHeader set HTTPS "1" </IfModule> <IfModule mod_proxy.c> ProxyPassMatch ^/(.*)$ http://127.0.0.1:8500/$1 </IfModule> CustomLog ${APACHE_LOG_DIR}/access.log custom_access </VirtualHost>
fullchain.pem
並且是符號連結,指向每個主機文件夾privkey.pem
中的最新文件(最高索引) 。archive
我解決了連結,看起來很好。#apache2ctl -S
VirtualHost configuration: *:80 is a NameVirtualHost default server localhost (/etc/apache2/sites-enabled/000-default.conf:1) port 80 namevhost localhost (/etc/apache2/sites-enabled/000-default.conf:1) port 80 namevhost domain1.com (/etc/apache2/sites-enabled/000-default.conf:8) alias www.domain1.com port 80 namevhost domain2.com (/etc/apache2/sites-enabled/000-default.conf:17) alias www.domain2.com port 80 namevhost domain3.com (/etc/apache2/sites-enabled/000-default.conf:26) alias www.domain3.com port 80 namevhost www.domain2.com (/etc/apache2/sites-enabled/000-default.conf:35) alias domain2.com port 80 namevhost forum.domain2.com (/etc/apache2/sites-enabled/000-default.conf:44) port 80 namevhost downloads.domain2.com (/etc/apache2/sites-enabled/000-default.conf:69) port 80 namevhost images.domain2.com (/etc/apache2/sites-enabled/000-default.conf:82) *:443 is a NameVirtualHost default server domain1.com (/etc/apache2/sites-enabled/001-domain1.com.conf:3) port 443 namevhost domain1.com (/etc/apache2/sites-enabled/001-domain1.com.conf:3) alias www.domain1.com port 443 namevhost www.domain2.com (/etc/apache2/sites-enabled/002-www.domain2.com.conf:3) alias domain2.com port 443 namevhost domain3.com (/etc/apache2/sites-enabled/003-domain3.com.conf:3) alias www.domain3.com ServerRoot: "/etc/apache2" Main DocumentRoot: "/var/www/html" Main ErrorLog: "/var/log/apache2/error.log" Mutex default: dir="/var/lock/apache2" mechanism=fcntl Mutex mpm-accept: using_defaults Mutex watchdog-callback: using_defaults Mutex rewrite-map: using_defaults Mutex ssl-stapling-refresh: using_defaults Mutex ssl-stapling: using_defaults Mutex proxy: using_defaults Mutex ssl-cache: using_defaults PidFile: "/var/run/apache2/apache2.pid" Define: DUMP_VHOSTS Define: DUMP_RUN_CFG User: name="www-data" id=33 Group: name="www-data" id=33
#certbot 證書
------------------------------------------------------------------------------- Found the following certs: Certificate Name: www.domain2.com Domains: www.domain2.com Expiry Date: 2017-07-02 23:03:00+00:00 (VALID: 75 days) Certificate Path: /etc/letsencrypt/live/www.domain2.com/fullchain.pe m Private Key Path: /etc/letsencrypt/live/www.domain2.com/privkey.pem Certificate Name: domain3.com Domains: domain3.com Expiry Date: 2017-07-02 23:01:00+00:00 (VALID: 75 days) Certificate Path: /etc/letsencrypt/live/domain3.com/fullchain.pem Private Key Path: /etc/letsencrypt/live/domain3.com/privkey.pem Certificate Name: domain1.com Domains: domain1.com Expiry Date: 2017-07-02 23:03:00+00:00 (VALID: 75 days) Certificate Path: /etc/letsencrypt/live/domain1.com/fullchain.pem Private Key Path: /etc/letsencrypt/live/domain1.com/privkey.pem -------------------------------------------------------------------------------
這裡可能是什麼問題?我一直認為伺服器會因為 SNI 而返回多個證書,但為什麼 Apache HTTPD 會混淆不同的證書呢?這些甚至是從哪裡來的?(是的,我重新啟動並重新載入了 Apache 幾次。)
我找到了原因。我執行了多個 Apache 實例。通過終端重新啟動/重新載入只會重新啟動其中的一些。這就解釋了為什麼有時會提供舊證書,有時會提供新證書。我不得不殺死所有程序來獲取新證書,現在它又可以工作了。