I finally got a certificate from an authority and am trying to get it working. I created the appropriate combined certificate (personal + intermediate + root) and pointed nginx at it. I have an Elastic IP and attached it to my EC2 instance. My DNS record points at that IP. But when I point the browser at the hostname, I get the standard "connection is untrusted" bit, with ssl_error_bad_cert_domain. Port 443 is open; I can reach the site over https if I ignore the warning. Strangely, under the technical details it lists the domain I'm trying to reach as valid!
When I try diagnosing it with SSL testing sites, they don't even detect the certificate!
What am I missing here?
The domain is yanlj.coinculture.info. Note that I was running it on a home server without a dedicated IP address, with the same problem, but once I figure this out I'll move it onto the same EC2 instance. I thought the Elastic IP would solve the problem, but it didn't.
Nginx configuration:
```nginx
server {
    listen 443;
    server_name localhost;
    ssl on;
    ssl_certificate /home/ubuntu/certs/startssl/ssl-unified.crt;
    ssl_certificate_key /home/ubuntu/certs/startssl/ssl.key;
    keepalive_timeout 70;
    #ssl_session_timeout 5m;
    ssl_protocols SSLv2 SSLv3 TLSv1;
    #ssl_ciphers HIGH:!aNULL:!MD5;
    #ssl_prefer_server_ciphers on;
    root /home/ubuntu/programming/YanlJ;
    index index.php index.html;

    location / {
        #try_files $uri $uri/ /index.php; # this line was causing the index.php file to be loaded twice...
    }

    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
        # With php5-cgi alone:
        #fastcgi_pass 127.0.0.1:9000;
        # With php5-fpm:
        fastcgi_pass unix:/var/run/php5-fpm.sock;
        fastcgi_index index.php;
        include fastcgi.conf;
    }

    try_files $uri $uri.php $uri.html =404;
}
```
And the result of curl -kv https://ELASTIC_IP:
```
* Rebuilt URL to: https://54.186.114.3/
* Hostname was NOT found in DNS cache
*   Trying 54.186.114.3...
* Connected to 54.186.114.3 (54.186.114.3) port 443 (#0)
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using TLSv1.0 / DHE-RSA-AES256-SHA
* Server certificate:
*        subject: C=CA; ST=Ontario; L=Guelph; O=Ethan Buchman; CN=blog.coinculture.info; [email protected]
*        start date: 2014-05-29 15:10:52 GMT
*        expire date: 2016-05-29 10:44:27 GMT
*        issuer: C=IL; O=StartCom Ltd.; OU=Secure Digital Certificate Signing; CN=StartCom Class 2 Primary Intermediate Server CA
*        SSL certificate verify ok.
```
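The curl output above shows a certificate whose subject CN is blog.coinculture.info, while the browser was pointed at yanlj.coinculture.info; that is exactly the condition a browser reports as a certificate domain mismatch, and it is invisible to curl -kv by IP because no hostname check is performed there. The following script is an added example (not code from the asker or from nginx) that reproduces the browser's hostname check in the open: it extracts the DNS names a certificate is valid for, applies RFC 6125-style wildcard matching, and can fetch the live leaf certificate with a chosen SNI name while connecting to an Elastic IP. The CERT_FROM_CURL dictionary is constructed from the subject line printed above; the redacted e-mail field is left out.

```python
import socket
import ssl
from typing import List, Optional


def cert_dns_names(cert: dict) -> List[str]:
    """Names a certificate is valid for, using the dict layout returned by
    ssl.SSLSocket.getpeercert(). subjectAltName dNSName entries take precedence;
    the subject CN is only consulted when the certificate carries no SAN."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if names:
        return names
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value)
    return names


def name_matches(pattern: str, hostname: str) -> bool:
    """Comparison in the spirit of RFC 6125: case-insensitive, and a wildcard is
    honoured only as the entire leftmost label, so *.coinculture.info covers
    yanlj.coinculture.info but neither coinculture.info nor a.b.coinculture.info."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels = pattern.split(".")[1:]
    h_labels = hostname.split(".")
    return len(h_labels) == len(p_labels) + 1 and h_labels[1:] == p_labels


def hostname_in_cert(cert: dict, hostname: str) -> bool:
    """True when the hostname the user typed is covered by one of the cert's names."""
    return any(name_matches(n, hostname) for n in cert_dns_names(cert))


def fetch_leaf_cert(host: str, port: int = 443, sni: Optional[str] = None,
                    timeout: float = 5.0) -> dict:
    """Open a TLS connection, let the default trust store verify the chain, but
    skip the hostname check so a mismatched certificate is still returned for
    inspection. `sni` lets you send the DNS name while connecting to an IP.
    getpeercert() only returns a populated dict when the chain verified, which is
    why verify_mode stays CERT_REQUIRED rather than CERT_NONE."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni or host) as tls:
            return tls.getpeercert()


def report(host: str, expected_hostname: str, sni: Optional[str] = None) -> str:
    """Human-readable verdict for a live server."""
    cert = fetch_leaf_cert(host, sni=sni or expected_hostname)
    names = cert_dns_names(cert)
    verdict = "matches" if hostname_in_cert(cert, expected_hostname) else "does NOT match"
    return f"{expected_hostname} {verdict} certificate names {names}"


# Constructed from the subject line in the curl output above (no SAN, as curl printed none).
CERT_FROM_CURL = {
    "subject": (
        (("countryName", "CA"),),
        (("stateOrProvinceName", "Ontario"),),
        (("localityName", "Guelph"),),
        (("organizationName", "Ethan Buchman"),),
        (("commonName", "blog.coinculture.info"),),
    ),
}

if __name__ == "__main__":
    import sys
    # Offline check against the certificate subject copied from the curl run.
    for h in ("yanlj.coinculture.info", "blog.coinculture.info"):
        print(h, "->", hostname_in_cert(CERT_FROM_CURL, h))
    # Live check, e.g.: python3 tlsname.py 54.186.114.3 yanlj.coinculture.info
    if len(sys.argv) == 3:
        print(report(sys.argv[1], sys.argv[2]))
```

Run offline it reports that yanlj.coinculture.info is not covered by the CN while blog.coinculture.info is; the live mode needs the chain to validate against the machine's trust store, which is also the first thing to confirm when an SSL testing site claims not to see the certificate at all.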
I see that coinculture.info has five authoritative DNS servers. Three of them refuse to resolve yanlj.coinculture.info, and the other two give me the IP address 184.168.221.12. That doesn't look like an EC2 IP address. That IP is registered to GoDaddy, and there is a broken firewall in front of it. I time out when trying to connect to port 443.
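The answer above was reached by querying each authoritative server directly instead of trusting whatever a recursive resolver cached. The script below is an added example (not the answerer's tooling) that does the same with nothing but the standard library: it builds a DNS query, sends it over UDP to a specific server, parses A and NS answers including compressed names, and tabulates per-server results so inconsistent or REFUSED answers stand out. The resolver address 8.8.8.8 used to bootstrap the NS lookup is an assumption; any recursive resolver works. constructed_response() builds a sample reply (not captured from the real servers) so the parser can be exercised offline.

```python
import random
import socket
import struct
from typing import Dict, List, Tuple

RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
A, NS = 1, 2  # record types this script understands


def encode_name(name: str) -> bytes:
    """Wire-format a domain name as length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name: str, txid: int, qtype: int = A) -> bytes:
    """One-question query (flags 0x0100 = recursion desired; authoritative servers ignore it)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)  # QCLASS IN


def _read_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Decode a possibly compressed name; returns (name, offset just past it in the stream)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), end if jumped else off


def parse_answers(msg: bytes, txid: int) -> Tuple[int, List[str]]:
    """Return (rcode, values) from the answer section: dotted quads for A, names for NS."""
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch: stray or spoofed reply")
    off, values = 12, []
    for _ in range(qd):
        _, off = _read_name(msg, off)
        off += 4  # skip QTYPE and QCLASS
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == A and rdlen == 4:
            values.append(socket.inet_ntoa(msg[off:off + 4]))
        elif rtype == NS:
            values.append(_read_name(msg, off)[0])
        off += rdlen
    return flags & 0x000F, values


def ask(server: str, name: str, qtype: int = A, timeout: float = 3.0) -> Tuple[int, List[str]]:
    """Send one UDP query straight to `server` (port 53) and parse the reply."""
    txid = random.randrange(0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid, qtype), (server, 53))
        data, _ = sock.recvfrom(4096)
    return parse_answers(data, txid)


def compare_servers(servers: List[str], name: str) -> Dict[str, Tuple[str, List[str]]]:
    """Ask every server the same A question; a healthy zone answers identically everywhere."""
    results = {}
    for server in servers:
        try:
            rcode, addrs = ask(server, name)
            results[server] = (RCODE_NAMES.get(rcode, f"RCODE{rcode}"), addrs)
        except (OSError, ValueError) as exc:
            results[server] = ("ERROR", [str(exc)])
    return results


def constructed_response(txid: int, rcode: int, addrs: List[str]) -> bytes:
    """Constructed sample reply (not captured from the real servers): one question,
    one A record per address, owner names written as pointers back to the question."""
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, len(addrs), 0, 0)
    question = encode_name("yanlj.coinculture.info") + struct.pack("!HH", A, 1)
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", A, 1, 300, 4) + socket.inet_aton(a)
                   for a in addrs)
    return header + question + rrs


if __name__ == "__main__":
    import sys
    # Usage: python3 dnscheck.py coinculture.info yanlj.coinculture.info [resolver]
    zone, host = sys.argv[1], sys.argv[2]
    resolver = sys.argv[3] if len(sys.argv) > 3 else "8.8.8.8"  # assumption: any recursive resolver
    _, ns_names = ask(resolver, zone, qtype=NS)
    for ns_host in ns_names:
        server = socket.gethostbyname(ns_host)
        status, values = compare_servers([server], host)[server]
        print(f"{ns_host} ({server}): {status} {values}")
```

When the per-server lines disagree, as they did here (REFUSED from some servers, a non-EC2 address from the others), the certificate is not the problem yet: the zone data has to be made consistent and pointed at the Elastic IP before any TLS diagnosis from a browser or testing site means anything.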