ssl 證書不適用於 www

簡短描述： http ://example.com正確重定向到https://example.com並載入。 http://www.example.com>不會重定向到<https://www.example.com。直接載入失敗並出現證書錯誤。

我使用 certbot 安裝了 SSL 證書。當我向 certbot 查詢證書列表時，我得到：

Found the following certs:
 Certificate Name: example.com-0004
   Domains: example.com www.example.com
   Expiry Date: 2020-05-17 21:13:21+00:00 (VALID: 89 days)
   Certificate Path: /etc/letsencrypt/live/example.com-0004/fullchain.pem
   Private Key Path: /etc/letsencrypt/live/example.com-0004/privkey.pem

在我的 Apache Config 中，我有：

<VirtualHost *:80>
   ServerName example.com
   RewriteEngine on
   RewriteCond %{HTTPS} off
   RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [L,NE,R]
</VirtualHost>

<VirtualHost *:80>
   ServerName www.example.com
   RewriteEngine on
   RewriteCond %{HTTPS} off
   RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [L,NE,R]
</VirtualHost>

<IfModule mod_ssl.c>
   NameVirtualHost *:443
   Include /etc/httpd/conf/httpd-le-ssl.conf
</IfModule>

在 httpd-le-ssl.conf 我有：

<IfModule mod_ssl.c>
   <VirtualHost *:443>
       ServerName example.com
       DocumentRoot /var/www/html
       Include /etc/letsencrypt/options-ssl-apache.conf
       SSLCertificateFile /etc/letsencrypt/live/example.com-0004/cert.pem
       SSLCertificateKeyFile /etc/letsencrypt/live/example.com-0004/privkey.pem
       SSLCertificateChainFile /etc/letsencrypt/live/example.com-0004/chain.pem
   </VirtualHost>
</IfModule>
<IfModule mod_ssl.c>
   <VirtualHost *:443>
       ServerName www.example.com
       DocumentRoot /var/www/html
       Include /etc/letsencrypt/options-ssl-apache.conf
       SSLCertificateFile /etc/letsencrypt/live/example.com-0004/cert.pem
       SSLCertificateKeyFile /etc/letsencrypt/live/example.com-0004/privkey.pem
       SSLCertificateChainFile /etc/letsencrypt/live/example.com-0004/chain.pem
   </VirtualHost>
</IfModule>

我有兩個問題。為什麼 www 的重定向不起作用？為什麼證書不被 www 辨識？鉻告訴我：

This server could not prove that it is www.ncprepswimming.com; 
its security certificate is not trusted by your computer's operating system. 
This may be caused by a misconfiguration or an attacker intercepting your connection.

我的證書和配置有什麼問題？apachectl -S 的輸出是：

VirtualHost configuration:
wildcard NameVirtualHosts and _default_ servers:
*:443                  is a NameVirtualHost
        default server www.example.com (/etc/httpd/conf.d/ssl.conf:76)
        port 443 namevhost www.example.com (/etc/httpd/conf.d/ssl.conf:76)
        port 443 namevhost example.com (/etc/httpd/conf/httpd-le-ssl.conf:2)
        port 443 namevhost www.example.com (/etc/httpd/conf/httpd-le-ssl.conf:12)
*:80                   is a NameVirtualHost
        default server www.example.com (/etc/httpd/conf/httpd.conf:1006)
        port 80 namevhost www.example.com (/etc/httpd/conf/httpd.conf:1006)
        port 80 namevhost db.example.com (/etc/httpd/conf/httpd.conf:1086)
                alias www.db.example.com
        port 80 namevhost example.com (/etc/httpd/conf/httpd.conf:1092)
        port 80 namevhost www.example.com (/etc/httpd/conf/httpd.conf:1099)
        port 80 namevhost svn.example.com (/etc/httpd/conf/httpd.conf:1106)
                alias www.svn.example.com
Syntax OK

如果您通過訪問 www 和非 www URL 檢查提供的證書，您會發現 www 版本沒有使用相同的證書。這應該告訴您，您可能在某處有重複/錯誤的配置指向不正確的證書。

apachectl -S 的輸出清楚地顯示了埠 443 上的多個 www.example.com 配置（假設這裡的混淆是正確的）：

VirtualHost configuration:
        default server www.example.com (/etc/httpd/conf.d/ssl.conf:76)
        port 443 namevhost www.example.com (/etc/httpd/conf.d/ssl.conf:76)
        port 443 namevhost www.example.com (/etc/httpd/conf/httpd-le-ssl.conf:12)

您需要自己查看配置以確定哪些是正確的，哪些不是，但很可能您只需要刪除 ssl.conf （或註釋掉一些行）並重新啟動。

引用自：https://serverfault.com/questions/1003567