Ssl

ssl 證書不適用於 www

  • February 18, 2020

簡短描述: http ://example.com正確重定向到https://example.com並載入。 http://www.example.com>不會重定向到<https://www.example.com。直接載入失敗並出現證書錯誤。

我使用 certbot 安裝了 SSL 證書。當我向 certbot 查詢證書列表時,我得到:

Found the following certs:
 Certificate Name: example.com-0004
   Domains: example.com www.example.com
   Expiry Date: 2020-05-17 21:13:21+00:00 (VALID: 89 days)
   Certificate Path: /etc/letsencrypt/live/example.com-0004/fullchain.pem
   Private Key Path: /etc/letsencrypt/live/example.com-0004/privkey.pem

在我的 Apache Config 中,我有:

&lt;VirtualHost *:80&gt;
   ServerName example.com
   RewriteEngine on
   RewriteCond %{HTTPS} off
   RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [L,NE,R]
&lt;/VirtualHost&gt;

&lt;VirtualHost *:80&gt;
   ServerName www.example.com
   RewriteEngine on
   RewriteCond %{HTTPS} off
   RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [L,NE,R]
&lt;/VirtualHost&gt;

&lt;IfModule mod_ssl.c&gt;
   NameVirtualHost *:443
   Include /etc/httpd/conf/httpd-le-ssl.conf
&lt;/IfModule&gt;

在 httpd-le-ssl.conf 我有:

&lt;IfModule mod_ssl.c&gt;
   &lt;VirtualHost *:443&gt;
       ServerName example.com
       DocumentRoot /var/www/html
       Include /etc/letsencrypt/options-ssl-apache.conf
       SSLCertificateFile /etc/letsencrypt/live/example.com-0004/cert.pem
       SSLCertificateKeyFile /etc/letsencrypt/live/example.com-0004/privkey.pem
       SSLCertificateChainFile /etc/letsencrypt/live/example.com-0004/chain.pem
   &lt;/VirtualHost&gt;
&lt;/IfModule&gt;
&lt;IfModule mod_ssl.c&gt;
   &lt;VirtualHost *:443&gt;
       ServerName www.example.com
       DocumentRoot /var/www/html
       Include /etc/letsencrypt/options-ssl-apache.conf
       SSLCertificateFile /etc/letsencrypt/live/example.com-0004/cert.pem
       SSLCertificateKeyFile /etc/letsencrypt/live/example.com-0004/privkey.pem
       SSLCertificateChainFile /etc/letsencrypt/live/example.com-0004/chain.pem
   &lt;/VirtualHost&gt;
&lt;/IfModule&gt;

我有兩個問題。為什麼 www 的重定向不起作用?為什麼證書不被 www 辨識?鉻告訴我:

This server could not prove that it is www.ncprepswimming.com; 
its security certificate is not trusted by your computer's operating system. 
This may be caused by a misconfiguration or an attacker intercepting your connection.

我的證書和配置有什麼問題?apachectl -S 的輸出是:

VirtualHost configuration:
wildcard NameVirtualHosts and _default_ servers:
*:443                  is a NameVirtualHost
        default server www.example.com (/etc/httpd/conf.d/ssl.conf:76)
        port 443 namevhost www.example.com (/etc/httpd/conf.d/ssl.conf:76)
        port 443 namevhost example.com (/etc/httpd/conf/httpd-le-ssl.conf:2)
        port 443 namevhost www.example.com (/etc/httpd/conf/httpd-le-ssl.conf:12)
*:80                   is a NameVirtualHost
        default server www.example.com (/etc/httpd/conf/httpd.conf:1006)
        port 80 namevhost www.example.com (/etc/httpd/conf/httpd.conf:1006)
        port 80 namevhost db.example.com (/etc/httpd/conf/httpd.conf:1086)
                alias www.db.example.com
        port 80 namevhost example.com (/etc/httpd/conf/httpd.conf:1092)
        port 80 namevhost www.example.com (/etc/httpd/conf/httpd.conf:1099)
        port 80 namevhost svn.example.com (/etc/httpd/conf/httpd.conf:1106)
                alias www.svn.example.com
Syntax OK

如果您通過訪問 www 和非 www URL 檢查提供的證書,您會發現 www 版本沒有使用相同的證書。這應該告訴您,您可能在某處有重複/錯誤的配置指向不正確的證書。

apachectl -S 的輸出清楚地顯示了埠 443 上的多個 www.example.com 配置(假設這裡的混淆是正確的):

VirtualHost configuration:
        default server www.example.com (/etc/httpd/conf.d/ssl.conf:76)
        port 443 namevhost www.example.com (/etc/httpd/conf.d/ssl.conf:76)
        port 443 namevhost www.example.com (/etc/httpd/conf/httpd-le-ssl.conf:12)

您需要自己查看配置以確定哪些是正確的,哪些不是,但很可能您只需要刪除 ssl.conf (或註釋掉一些行)並重新啟動。

引用自:https://serverfault.com/questions/1003567