Debian 伺服器 SSL 證書配置返回 err_ssl_protocol_error
我在 Debian 伺服器上執行的站點上配置 HTTPS 時遇到問題。
Google瀏覽器顯示的錯誤是:
err_ssl_protocol_error
這是我的配置:
/etc/apache2/ports.conf
NameVirtualHost *:80 Listen 80 <IfModule mod_ssl.c> Listen 443 http </IfModule> <IfModule mod_gnutls.c> Listen 443 </IfModule>
/etc/apache2/enabled-sites/000-default
<VirtualHost *:443> ## Anything matching this host should be silently ignored. <Location /> Order Allow,Deny Allow from all </Location> </VirtualHost>
/etc/apache2/enabled-sites/site
<VirtualHost *:80> ServerName domain.be ServerAlias domain.be www.domain.be www.domain.eu test.domain.be ServerAdmin webmaster@localhost DocumentRoot /var/www/htdocs/site <Directory /> Options FollowSymLinks AllowOverride none </Directory> <Directory /var/www/htdocs/mds> Options FollowSymLinks MultiViews AllowOverride all Order allow,deny allow from all </Directory> ErrorLog ${APACHE_LOG_DIR}/error.log # Possible values include: debug, info, notice, warn, error, crit, # alert, emerg. LogLevel warn CustomLog ${APACHE_LOG_DIR}/access.log combined <IfModule mpm_itk_module> AssignUserId domain domain </IfModule> </VirtualHost>
/etc/apache2/enabled-sites/site-ssl
<IfModule mod_ssl.c> NameVirtualHost *:443 <VirtualHost *:443> ServerAdmin webmaster@localhost ServerName www.domain.be ServerAlias *.domain.be DocumentRoot /var/www/htdocs/site <Directory /> Options FollowSymLinks AllowOverride none </Directory> <Directory /var/www/htdocs/mds> Options FollowSymLinks MultiViews AllowOverride all Order allow,deny allow from all </Directory> ErrorLog ${APACHE_LOG_DIR}/error.log LogLevel warn CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined SSLEngine on SSLProtocol all -SSLv2 -SSLv3 SSLCompression off SSLCipherSuite AES128+EECDH:AES128+EDH SSLCertificateFile /etc/ssl/apache/certs/domain2.crt SSLCertificateKeyFile /etc/ssl/apache/private/domain2.key SSLCertificateChainFile /etc/ssl/apache/certs/global.crt <FilesMatch "\.(cgi|shtml|phtml|php)$"> #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire SSLOptions +StdEnvVars </FilesMatch> BrowserMatch "MSIE [2-6]" \ nokeepalive ssl-unclean-shutdown \ downgrade-1.0 force-response-1.0 BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown <IfModule mpm_itk_module> AssignUserId mds mds </IfModule> </VirtualHost> <VirtualHost *:443> ServerAdmin webmaster@localhost ServerName www.domain.eu ServerAlias *.domain.eu DocumentRoot /var/www/htdocs/mds <Directory /> Options FollowSymLinks AllowOverride none </Directory> <Directory /var/www/htdocs/mds> Options FollowSymLinks MultiViews AllowOverride all Order allow,deny allow from all </Directory> ErrorLog ${APACHE_LOG_DIR}/error.log LogLevel warn CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined SSLEngine on SSLProtocol all -SSLv2 -SSLv3 SSLCompression off SSLCipherSuite AES128+EECDH:AES128+EDH SSLCertificateFile /etc/ssl/apache/certs/domain2.crt SSLCertificateKeyFile /etc/ssl/apache/private/domain2.key SSLCertificateChainFile /etc/ssl/apache/certs/global.crt #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire <FilesMatch "\.(cgi|shtml|phtml|php)$"> SSLOptions +StdEnvVars </FilesMatch> BrowserMatch "MSIE [2-6]" \ nokeepalive ssl-unclean-shutdown \ downgrade-1.0 force-response-1.0 BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown <IfModule mpm_itk_module> AssignUserId mds mds </IfModule> </VirtualHost> </IfModule>
我在日誌中也有這些錯誤:
[Wed May 30 12:03:13 2018] [warn] Init: (Server.domain.local:443) You configured HTTP(80) on the standard HTTPS(443) port! [Wed May 30 12:03:13 2018] [warn] Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366) [Wed May 30 12:03:14 2018] [notice] Apache/2.2.22 (Debian) PHP/5.4.45-0+deb7u14 mod_ssl/2.2.22 OpenSSL/1.0.1t configured -- resuming normal operations
我的問題可能出在哪裡?
來自伺服器的日誌消息顯示了問題的原因:
…
$$ warn $$…您在標準 HTTPS(443) 埠上配置了 HTTP(80)!
這意味著瀏覽器中的呼叫
https://...
將通過 TCP 連接到埠 443(HTTPS 的預設值),然後嘗試通過啟動 SSL 握手來啟動 HTTPS 請求。握手將失敗,因為您的伺服器只希望在此埠上使用純 HTTP 而不是 HTTPS,因此不需要 SSL 握手,因此將放棄握手或發送一些純 HTTP“錯誤請求”作為響應。這再次是客戶端意外的,然後在瀏覽器中顯示 SSL 問題。這種錯誤配置的原因可能是您
/etc/apache2/enabled-sites/000-default
在埠 443 上有一些偵聽器,但沒有為其啟用 SSL。在啟用 SSL的情況下,您在埠 443 上擁有另一個偵聽器並沒有幫助,/etc/apache2/enabled-sites/site-ssl
因為您只能在同一 IP 相同埠上擁有 SSL(即 HTTPS)或沒有 SSL(即純 HTTP),而不能同時擁有兩者。您可能需要做的是啟用 SSL
/etc/apache2/enabled-sites/000-default
並在那裡添加一些證書(您可能使用特定於站點的證書)。