www 證書未正確提取 - nginx 和 certbot

我正在使用帶有 nginx 和 certbot 的 docker 堆棧。我的域託管在Google域上。

我希望只能通過 example.tld 訪問域：

• 將所有http重定向到https
• 將 www 重定向到非 www

這是我的 nginx 配置：

server {
   listen      80;
   listen      [::]:80;
   access_log  off;
   error_log   off;
   server_name example.tld www.example.tld;
   return      301 https://example.tld$request_uri;
}

server {
   listen      443 ssl http2;
   listen      [::]:443 ssl http2;
   access_log  off;
   error_log   off;
   server_name www.example.tld;
   return      301 https://example.tld$request_uri;
}

server {
   listen      443 ssl http2;
   listen      [::]:443 ssl http2;
   server_name example.tld;

   root        /var/www/example.tld;

   index       index.html index.htm index.php;

   location / {
       try_files $uri $uri/ /index.php?/$request_uri;
   }

   location ~* ^/(assets|files|robots\.txt) { }

   location ~ \.php$ {
       include fastcgi-php.conf;
       fastcgi_pass phpfpm:9000;
   }

   location ~ /\.ht {
       deny all;
   }

   ssl_certificate     /etc/letsencrypt/live/example.tld/fullchain.pem;
   ssl_certificate_key /etc/letsencrypt/live/example.tld/privkey.pem;
   include             /etc/letsencrypt/options-ssl-nginx.conf;
   ssl_dhparam         /etc/letsencrypt/ssl-dhparams.pem;
   add_header          Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
}

我成功創建了證書

certbot certonly --preferred-challenges=dns --cert-name example.tld -d example.tld,www.example.tld

• http://example.tld > https://example.tld ☑️
• https://example.tld ☑️
• http://www.example.tld ❌
• https://www.example.tld ❌

當我打開 www url 時，Safari 會告訴我Safari can't open the page "http(s)://www.example.tld" because Safari can't establish a secure connection to the server "www.example.tld"

但有效的是：

curl -iL http://www.example.tld/ 
HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Sat, 11 Jun 2022 11:17:05 GMT
Content-Type: text/html
Content-Length: 162
Connection: keep-alive
Location: https://example.tld/
X-Frame-Options: SAMEORIGIN

HTTP/2 200 

什麼不起作用：

curl -iL https://example.tld/
curl: (60) SSL: no alternative certificate subject name matches target host name 'www.example.tld'

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

設置了 example.tld 和www.example.tld的A / AAA 記錄。

這是錯誤的，它不應該工作。Nginx 應該在錯誤日誌中抱怨此虛擬主機的配置不完整：

server {
   listen      443 ssl http2;
   listen      [::]:443 ssl http2;
   access_log  off;
   error_log   off;
   server_name www.example.tld;
   return      301 https://example.tld$request_uri;
}

任何 SSL 虛擬主機都需要有證書。即使它所做的只是重定向到某個地方。因為它只會在建立安全連接後發出重定向。

server {
   listen      443 ssl http2;
   listen      [::]:443 ssl http2;
   access_log  off;
   error_log   off;
   server_name www.example.tld;
   return      301 https://example.tld$request_uri;

   ssl_certificate     /etc/letsencrypt/live/example.tld/fullchain.pem;
   ssl_certificate_key /etc/letsencrypt/live/example.tld/privkey.pem;
   include             /etc/letsencrypt/options-ssl-nginx.conf;
   ssl_dhparam         /etc/letsencrypt/ssl-dhparams.pem;
   add_header          Strict-Transport-Security "max-age=31536000 includeSubDomains" always;
}

像這樣的東西。但證書也應該是有效的；您可以創建一個同時具有有效名稱example.tld和www.example.tld有效名稱的證書（通過將它們都放入subjectAlternativeName欄位中），當您一次性創建證書並在其中指定多個域時，Let’s Encrypt 會執行此操作：

certbot --nginx -d example.tld -d www.example.tld

引用自：https://serverfault.com/questions/1103045