Linux

Debian server SSL certificate configuration returns err_ssl_protocol_error

  • May 30, 2018

I am having a problem configuring HTTPS for a site running on my Debian server.

The error shown by Google Chrome is:

err_ssl_protocol_error

This is my configuration:

/etc/apache2/ports.conf

NameVirtualHost *:80
Listen 80

<IfModule mod_ssl.c>
       Listen 443 http
</IfModule>

<IfModule mod_gnutls.c>
   Listen 443
</IfModule>

/etc/apache2/enabled-sites/000-default

<VirtualHost *:443>

## Anything matching this host should be silently ignored.
<Location />
Order Allow,Deny
Allow from all
</Location>
</VirtualHost>

/etc/apache2/enabled-sites/site

<VirtualHost *:80>

ServerName domain.be
ServerAlias domain.be www.domain.be www.domain.eu  test.domain.be
ServerAdmin webmaster@localhost

   DocumentRoot /var/www/htdocs/site
   <Directory />
           Options FollowSymLinks
           AllowOverride none
   </Directory>
   <Directory /var/www/htdocs/mds>
           Options  FollowSymLinks MultiViews
           AllowOverride all
           Order allow,deny
           allow from all
   </Directory>


   ErrorLog ${APACHE_LOG_DIR}/error.log

   # Possible values include: debug, info, notice, warn, error, crit,
   # alert, emerg.
   LogLevel warn

   CustomLog ${APACHE_LOG_DIR}/access.log combined
<IfModule mpm_itk_module>
AssignUserId domain domain
</IfModule>
</VirtualHost>

/etc/apache2/enabled-sites/site-ssl

<IfModule mod_ssl.c>

NameVirtualHost *:443
<VirtualHost *:443>
       ServerAdmin webmaster@localhost
       ServerName www.domain.be
       ServerAlias *.domain.be

       DocumentRoot /var/www/htdocs/site
       <Directory />
               Options FollowSymLinks
               AllowOverride none
       </Directory>
       <Directory /var/www/htdocs/mds>
               Options FollowSymLinks MultiViews
               AllowOverride all
               Order allow,deny
               allow from all
       </Directory>

       ErrorLog ${APACHE_LOG_DIR}/error.log


       LogLevel warn

       CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined

       SSLEngine on

       SSLProtocol all -SSLv2 -SSLv3
       SSLCompression off
       SSLCipherSuite AES128+EECDH:AES128+EDH

       SSLCertificateFile    /etc/ssl/apache/certs/domain2.crt
       SSLCertificateKeyFile   /etc/ssl/apache/private/domain2.key

       SSLCertificateChainFile /etc/ssl/apache/certs/global.crt

       #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
       <FilesMatch "\.(cgi|shtml|phtml|php)$">
               SSLOptions +StdEnvVars
       </FilesMatch>
       BrowserMatch "MSIE [2-6]" \
               nokeepalive ssl-unclean-shutdown \
               downgrade-1.0 force-response-1.0

       BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
<IfModule mpm_itk_module>
AssignUserId mds mds
</IfModule>
</VirtualHost>

<VirtualHost *:443>
       ServerAdmin webmaster@localhost
       ServerName www.domain.eu
       ServerAlias *.domain.eu

       DocumentRoot /var/www/htdocs/mds
       <Directory />
               Options FollowSymLinks
               AllowOverride none
       </Directory>
       <Directory /var/www/htdocs/mds>
               Options FollowSymLinks MultiViews
               AllowOverride all
               Order allow,deny
               allow from all
       </Directory>

       ErrorLog ${APACHE_LOG_DIR}/error.log


       LogLevel warn

       CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined

       SSLEngine on

       SSLProtocol all -SSLv2 -SSLv3
       SSLCompression off
       SSLCipherSuite AES128+EECDH:AES128+EDH


       SSLCertificateFile    /etc/ssl/apache/certs/domain2.crt
       SSLCertificateKeyFile   /etc/ssl/apache/private/domain2.key

       SSLCertificateChainFile /etc/ssl/apache/certs/global.crt

       #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
       <FilesMatch "\.(cgi|shtml|phtml|php)$">
               SSLOptions +StdEnvVars
       </FilesMatch>
       BrowserMatch "MSIE [2-6]" \
               nokeepalive ssl-unclean-shutdown \
               downgrade-1.0 force-response-1.0

       BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
<IfModule mpm_itk_module>
AssignUserId mds mds
</IfModule>
</VirtualHost>
</IfModule>

I also have these errors in the logs:

[Wed May 30 12:03:13 2018] [warn] Init: (Server.domain.local:443) You configured HTTP(80) on the standard HTTPS(443) port!
[Wed May 30 12:03:13 2018] [warn] Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
[Wed May 30 12:03:14 2018] [notice] Apache/2.2.22 (Debian) PHP/5.4.45-0+deb7u14 mod_ssl/2.2.22 OpenSSL/1.0.1t configured -- resuming normal operations

Where could my problem be?

The log message from the server shows the cause of the problem:

[warn] ... You configured HTTP(80) on the standard HTTPS(443) port!

This means that a call to https://... in the browser will connect over TCP to port 443 (the default for HTTPS) and then try to start the HTTPS request by initiating the SSL handshake. The handshake will fail, because your server expects only plain HTTP on this port, not HTTPS; it therefore does not expect an SSL handshake and will either drop the handshake or send some plain-HTTP "Bad Request" as the response. This in turn is unexpected for the client, which then shows an SSL problem in the browser.

The reason for this misconfiguration is probably that in /etc/apache2/enabled-sites/000-default you have a listener on port 443 without SSL enabled for it. That you also have another listener on port 443 with SSL enabled in /etc/apache2/enabled-sites/site-ssl does not help, because on the same IP and the same port you can have either SSL (i.e. HTTPS) or no SSL (i.e. plain HTTP), but not both.

What you probably need to do is enable SSL in /etc/apache2/enabled-sites/000-default and add some certificate there (you could use the site-specific certificate).

Quoted from: https://serverfault.com/questions/914404
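The answer above describes what the browser sees: it sends a TLS ClientHello to port 443 and gets back either a dropped connection or a plaintext HTTP "Bad Request". The following probe, added here as an example and not part of the original question or answer, reproduces that check from the command line so a defender can confirm the diagnosis before and after changing the configuration. It builds a real ClientHello with the standard library's `ssl` memory BIOs, sends it raw, and classifies the first bytes of the reply. The host names, the `build_client_hello`, `classify_reply`, `probe` and `start_plain_http_mock` helpers, and the embedded mock server (which stands in for a `*:443` vhost with no `SSLEngine on`) are all constructed for this example.

```python
import socket
import ssl
import threading


def build_client_hello(server_name: str) -> bytes:
    """Produce a genuine TLS ClientHello (with SNI) without any network I/O,
    by driving the ssl module through memory BIOs."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_name)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the ClientHello is now waiting in `outgoing`
    return outgoing.read()


def classify_reply(data: bytes) -> str:
    """Map the first bytes returned on port 443 to what the browser would conclude."""
    if not data:
        return "closed"          # server dropped the connection without answering
    if data[0] == 0x16 and data[1:2] == b"\x03":
        return "tls-handshake"   # TLS record type 22 (ServerHello): the port speaks TLS
    if data[0] == 0x15 and data[1:2] == b"\x03":
        return "tls-alert"       # TLS record type 21: a TLS stack answered but refused the handshake
    if data.startswith(b"HTTP/"):
        return "plain-http"      # plaintext HTTP answering a ClientHello: ERR_SSL_PROTOCOL_ERROR
    return "unknown"


def probe(host: str, port: int = 443, server_name: str = None, timeout: float = 5.0) -> str:
    """Connect, send a ClientHello for `server_name`, and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(server_name or host))
        try:
            reply = sock.recv(4096)
        except (ConnectionResetError, socket.timeout):
            reply = b""
    return classify_reply(reply)


def start_plain_http_mock() -> int:
    """Constructed stand-in for a misconfigured Apache vhost on :443 without
    SSLEngine on: it answers one connection with plaintext HTTP 400 and exits.
    Returns the ephemeral port it listens on."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        conn.recv(4096)  # the ClientHello, which plain HTTP cannot parse
        conn.sendall(b"HTTP/1.1 400 Bad Request\r\nConnection: close\r\n\r\n")
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    # Offline demonstration against the mock; against a real host use
    # probe("www.domain.be") and expect "tls-handshake" once SSL is enabled.
    mock_port = start_plain_http_mock()
    print(probe("127.0.0.1", mock_port, server_name="www.domain.be"))
```

Run it against the real server with `probe("www.domain.be")`. A result of `plain-http` or `closed` matches the symptom in the question; once the `*:443` vhost in `000-default` has `SSLEngine on` and a certificate, the same call should return `tls-handshake`. Because the probe sends SNI, it can also be used with `server_name` set to each alias to check that every name-based SSL vhost is being picked, which is the other warning in the log.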