Ssl
ssl 證書不適用於 www
簡短描述: http ://example.com正確重定向到https://example.com並載入。 http://www.example.com>不會重定向到<https://www.example.com。直接載入失敗並出現證書錯誤。
我使用 certbot 安裝了 SSL 證書。當我向 certbot 查詢證書列表時,我得到:
Found the following certs: Certificate Name: example.com-0004 Domains: example.com www.example.com Expiry Date: 2020-05-17 21:13:21+00:00 (VALID: 89 days) Certificate Path: /etc/letsencrypt/live/example.com-0004/fullchain.pem Private Key Path: /etc/letsencrypt/live/example.com-0004/privkey.pem
在我的 Apache Config 中,我有:
<VirtualHost *:80> ServerName example.com RewriteEngine on RewriteCond %{HTTPS} off RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [L,NE,R] </VirtualHost> <VirtualHost *:80> ServerName www.example.com RewriteEngine on RewriteCond %{HTTPS} off RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [L,NE,R] </VirtualHost> <IfModule mod_ssl.c> NameVirtualHost *:443 Include /etc/httpd/conf/httpd-le-ssl.conf </IfModule>
在 httpd-le-ssl.conf 我有:
<IfModule mod_ssl.c> <VirtualHost *:443> ServerName example.com DocumentRoot /var/www/html Include /etc/letsencrypt/options-ssl-apache.conf SSLCertificateFile /etc/letsencrypt/live/example.com-0004/cert.pem SSLCertificateKeyFile /etc/letsencrypt/live/example.com-0004/privkey.pem SSLCertificateChainFile /etc/letsencrypt/live/example.com-0004/chain.pem </VirtualHost> </IfModule> <IfModule mod_ssl.c> <VirtualHost *:443> ServerName www.example.com DocumentRoot /var/www/html Include /etc/letsencrypt/options-ssl-apache.conf SSLCertificateFile /etc/letsencrypt/live/example.com-0004/cert.pem SSLCertificateKeyFile /etc/letsencrypt/live/example.com-0004/privkey.pem SSLCertificateChainFile /etc/letsencrypt/live/example.com-0004/chain.pem </VirtualHost> </IfModule>
我有兩個問題。為什麼 www 的重定向不起作用?為什麼證書不被 www 辨識?鉻告訴我:
This server could not prove that it is www.ncprepswimming.com; its security certificate is not trusted by your computer's operating system. This may be caused by a misconfiguration or an attacker intercepting your connection.
我的證書和配置有什麼問題?apachectl -S 的輸出是:
VirtualHost configuration: wildcard NameVirtualHosts and _default_ servers: *:443 is a NameVirtualHost default server www.example.com (/etc/httpd/conf.d/ssl.conf:76) port 443 namevhost www.example.com (/etc/httpd/conf.d/ssl.conf:76) port 443 namevhost example.com (/etc/httpd/conf/httpd-le-ssl.conf:2) port 443 namevhost www.example.com (/etc/httpd/conf/httpd-le-ssl.conf:12) *:80 is a NameVirtualHost default server www.example.com (/etc/httpd/conf/httpd.conf:1006) port 80 namevhost www.example.com (/etc/httpd/conf/httpd.conf:1006) port 80 namevhost db.example.com (/etc/httpd/conf/httpd.conf:1086) alias www.db.example.com port 80 namevhost example.com (/etc/httpd/conf/httpd.conf:1092) port 80 namevhost www.example.com (/etc/httpd/conf/httpd.conf:1099) port 80 namevhost svn.example.com (/etc/httpd/conf/httpd.conf:1106) alias www.svn.example.com Syntax OK
如果您通過訪問 www 和非 www URL 檢查提供的證書,您會發現 www 版本沒有使用相同的證書。這應該告訴您,您可能在某處有重複/錯誤的配置指向不正確的證書。
apachectl -S 的輸出清楚地顯示了埠 443 上的多個 www.example.com 配置(假設這裡的混淆是正確的):
VirtualHost configuration: default server www.example.com (/etc/httpd/conf.d/ssl.conf:76) port 443 namevhost www.example.com (/etc/httpd/conf.d/ssl.conf:76) port 443 namevhost www.example.com (/etc/httpd/conf/httpd-le-ssl.conf:12)
您需要自己查看配置以確定哪些是正確的,哪些不是,但很可能您只需要刪除 ssl.conf (或註釋掉一些行)並重新啟動。