Nginx
www 證書未正確提取 - nginx 和 certbot
我正在使用帶有 nginx 和 certbot 的 docker 堆棧。我的域託管在Google域上。
我希望只能通過 example.tld 訪問域:
- 將所有http重定向到https
- 將 www 重定向到非 www
這是我的 nginx 配置:
server { listen 80; listen [::]:80; access_log off; error_log off; server_name example.tld www.example.tld; return 301 https://example.tld$request_uri; } server { listen 443 ssl http2; listen [::]:443 ssl http2; access_log off; error_log off; server_name www.example.tld; return 301 https://example.tld$request_uri; } server { listen 443 ssl http2; listen [::]:443 ssl http2; server_name example.tld; root /var/www/example.tld; index index.html index.htm index.php; location / { try_files $uri $uri/ /index.php?/$request_uri; } location ~* ^/(assets|files|robots\.txt) { } location ~ \.php$ { include fastcgi-php.conf; fastcgi_pass phpfpm:9000; } location ~ /\.ht { deny all; } ssl_certificate /etc/letsencrypt/live/example.tld/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/example.tld/privkey.pem; include /etc/letsencrypt/options-ssl-nginx.conf; ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; }
我成功創建了證書
certbot certonly --preferred-challenges=dns --cert-name example.tld -d example.tld,www.example.tld
- http://example.tld > https://example.tld ☑️
- https://example.tld ☑️
- http://www.example.tld ❌
- https://www.example.tld ❌
當我打開 www url 時,Safari 會告訴我
Safari can't open the page "http(s)://www.example.tld" because Safari can't establish a secure connection to the server "www.example.tld"
但有效的是:
curl -iL http://www.example.tld/ HTTP/1.1 301 Moved Permanently Server: nginx Date: Sat, 11 Jun 2022 11:17:05 GMT Content-Type: text/html Content-Length: 162 Connection: keep-alive Location: https://example.tld/ X-Frame-Options: SAMEORIGIN HTTP/2 200
什麼不起作用:
curl -iL https://example.tld/ curl: (60) SSL: no alternative certificate subject name matches target host name 'www.example.tld' curl failed to verify the legitimacy of the server and therefore could not establish a secure connection to it. To learn more about this situation and how to fix it, please visit the web page mentioned above.
設置了 example.tld 和www.example.tld的A / AAA 記錄。
這是錯誤的,它不應該工作。Nginx 應該在錯誤日誌中抱怨此虛擬主機的配置不完整:
server { listen 443 ssl http2; listen [::]:443 ssl http2; access_log off; error_log off; server_name www.example.tld; return 301 https://example.tld$request_uri; }
任何 SSL 虛擬主機都需要有證書。即使它所做的只是重定向到某個地方。因為它只會在建立安全連接後發出重定向。
server { listen 443 ssl http2; listen [::]:443 ssl http2; access_log off; error_log off; server_name www.example.tld; return 301 https://example.tld$request_uri; ssl_certificate /etc/letsencrypt/live/example.tld/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/example.tld/privkey.pem; include /etc/letsencrypt/options-ssl-nginx.conf; ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; add_header Strict-Transport-Security "max-age=31536000 includeSubDomains" always; }
像這樣的東西。但證書也應該是有效的;您可以創建一個同時具有有效名稱
example.tld
和www.example.tld
有效名稱的證書(通過將它們都放入subjectAlternativeName
欄位中),當您一次性創建證書並在其中指定多個域時,Let’s Encrypt 會執行此操作:certbot --nginx -d example.tld -d www.example.tld