Linux
Nginx 提供錯誤的證書
我在使用 nginx 時遇到問題。它提供了錯誤的證書。我正在使用cent OS 7,我目前已經部署了2個工作正常的網路核心api和一個帶有紅隼的網路核心mvc。mvc 的證書有問題這是我的 conf 文件:
# * Official English Documentation: http://nginx.org/en/docs/ # * Official Russian Documentation: http://nginx.org/ru/docs/ user nginx; worker_processes auto; error_log /var/log/nginx/error.log; pid /run/nginx.pid; # Load dynamic modules. See /usr/share/doc/nginx/README.dynamic. include /usr/share/nginx/modules/*.conf; events { worker_connections 1024; } http { log_format main '$remote_addr - $remote_user [$time_local] "$request" ' '$status $body_bytes_sent "$http_referer" ' '"$http_user_agent" "$http_x_forwarded_for"'; access_log /var/log/nginx/access.log main; sendfile on; tcp_nopush on; tcp_nodelay on; keepalive_timeout 65; types_hash_max_size 2048; include /etc/nginx/mime.types; default_type application/octet-stream; # Load modular configuration files from the /etc/nginx/conf.d directory. # See http://nginx.org/en/docs/ngx_core_module.html#include # for more information. include /etc/nginx/proxy.conf; include /etc/nginx/conf.d/*.conf; server { listen 80 default_server; listen [::]:80 default_server; server_name _ root /usr/share/nginx/html; # Load configuration files for the default server block. include /etc/nginx/default.d/*.conf; location / { add_header Access-Control-Allow-Origin *; } error_page 404 /404.html; location = /404.html { } error_page 500 502 503 504 /50x.html; location = /50x.html { } } # Settings for a TLS enabled server. # # server { # listen 443 ssl http2 default_server; # listen [::]:443 ssl http2 default_server; # server_name _; # root /usr/share/nginx/html; # # ssl_certificate "/etc/pki/nginx/server.crt"; # ssl_certificate_key "/etc/pki/nginx/private/server.key"; # ssl_session_cache shared:SSL:1m; # ssl_session_timeout 10m; # ssl_ciphers HIGH:!aNULL:!MD5; # ssl_prefer_server_ciphers on; # # # Load configuration files for the default server block. # include /etc/nginx/default.d/*.conf; # # location / { # } # # error_page 404 /404.html; # location = /404.html { # } # # error_page 500 502 503 504 /50x.html; # location = /50x.html { # } # } }
和我的 mvc .conf 文件:
upstream AdminMvc{ server localhost:5000; } # server { # listen 80; # server_name admin.domain.com; # return 301 https://$host$request_uri; # } server { listen 443 ssl; server_name admin.domain.com; ssl_certificate /etc/letsencrypt/live/admin.domain.com/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/admin.domain.com/privkey.pem; ssl_protocols TLSv1.1 TLSv1.2; ssl_prefer_server_ciphers on; ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"; ssl_ecdh_curve secp384r1; ssl_session_cache shared:SSL:10m; ssl_session_tickets off; ssl_stapling on; #ensure your cert is capable ssl_stapling_verify on; #ensure your cert is capable add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"; add_header X-Frame-Options DENY; add_header X-Content-Type-Options nosniff; #Redirects all traffic location / { proxy_pass http://localhost:5000; } }
和我的 api .conf:
upstream apiNetCore{ server localhost:5200; } # server { # listen 80; # server_name api.domain.com; # return 301 https://$host$request_uri; # } server { listen 443 ssl; server_name api.domain.com; ssl_certificate /etc/letsencrypt/live/api.domain.com/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/api.domain.com/privkey.pem; ssl_protocols TLSv1.1 TLSv1.2; ssl_prefer_server_ciphers on; ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"; ssl_ecdh_curve secp384r1; ssl_session_cache shared:SSL:10m; ssl_session_tickets off; ssl_stapling on; #ensure your cert is capable ssl_stapling_verify on; #ensure your cert is capable add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"; add_header X-Frame-Options DENY; add_header X-Content-Type-Options nosniff; #Redirects all traffic location / { proxy_pass http://localhost:5200; } }
其他 api 與之前相同。當打開 mvc 站點時顯示 ERR_CERT_COMMON_NAME_INVALID 並提供 api 證書。.conf 文件在此行導入
include /etc/nginx/conf.d/*.conf;
伺服器返回的證書與 URL 中的名稱不匹配。根據此描述,您已為 example.com 訂購了證書,但嘗試以 test.example.com 的身份訪問該站點,這不是為其頒發證書的域。
此問題可能是由於對 URL 中的域與證書的比較如何工作的錯誤理解造成的。一般來說:
- 證書僅對證書的主題備用名稱部分中明確提及的域有效(Chrome 忽略 CN)。這意味著 example.com 與 test.example.com 不匹配。
- 如果您有一個萬用字元,則只能有一個 *,它必須是最左邊的標籤,並且它只匹配域的一個部分,即 *.example.com 的證書將匹配www.example.com和 test.example。 com 但不是www.test.example.com。