我试图设置Apache(2.2.3)使用不同的域和IP地址运行两个SSL网站。 这两个网站运行良好的端口80,但是当我试图启用SSL的网站2我得到一个ssl_error_bad_cert_domain错误; website2拿起网站1的SSL证书。
这是我在httpd.conf中的设置:
# Website1 NameVirtualHost 192.168.10.1:80 <VirtualHost 192.168.10.1:80> DocumentRoot /var/www/html ServerName www.website1.org </VirtualHost> NameVirtualHost 192.168.10.1:443 <VirtualHost 192.168.10.1:443> SSLEngine On SSLCertificateFile conf/ssl/website1.cer SSLCertificateKeyFile conf/ssl/website1.key </VirtualHost> # Website2 NameVirtualHost 192.168.10.2:80 <VirtualHost 192.168.10.2:80> DocumentRoot /var/www/html/chart ServerName www.website2.org </VirtualHost> NameVirtualHost 192.168.10.2:443 <VirtualHost 192.168.10.2:443> SSLEngine On SSLCertificateFile conf/ssl/website2.cer SSLCertificateKeyFile conf/ssl/website2.key </VirtualHost> 更新:在回答谢恩(这不适合在评论框)这里是从apachectl -S输出:
VirtualHost configuration: 192.168.10.2:80 is a NameVirtualHost default server www.website2.org (/etc/httpd/conf/httpd.conf:1033) port 80 namevhost www.website2.org (/etc/httpd/conf/httpd.conf:1033) 192.168.10.2:443 is a NameVirtualHost default server bogus_host_without_reverse_dns (/etc/httpd/conf/httpd.conf:1040) port 443 namevhost bogus_host_without_reverse_dns (/etc/httpd/conf/httpd.conf:1040) 192.168.10.1:80 is a NameVirtualHost default server www.website1.org (/etc/httpd/conf/httpd.conf:1017) port 80 namevhost www.website1.org (/etc/httpd/conf/httpd.conf:1017) 192.168.10.1:443 is a NameVirtualHost default server bogus_host_without_reverse_dns (/etc/httpd/conf/httpd.conf:1024) port 443 namevhost bogus_host_without_reverse_dns (/etc/httpd/conf/httpd.conf:1024) wildcard NameVirtualHosts and _default_ servers: _default_:443 192.168.10.1 (/etc/httpd/conf.d/ssl.conf:81) Syntax OK
SSL虚拟主机不是NameVirtualHosts – 它们是基于IP的虚拟主机。
从configuration中删除NameVirtualHost *:443 。
请删除
NameVirtualHost 192.168.10.1:443
和
NameVirtualHost 192.168.10.2:443
激活基于名称的虚拟主机Apache的SSL / TLS连接的东西是没有意义的,或者你想使用SNI扩展。
这是我如何工作。 我不得不把SSLconfiguration从httpd.conf中移出,并在ssl.conf中设置两个虚拟主机。
httpd.conf文件
# Website1 <VirtualHost 192.168.10.1:80> DocumentRoot /var/www/html ServerName www.website1.org </VirtualHost> # Website2 <VirtualHost 192.168.10.2:80> DocumentRoot /var/www/html/chart ServerName www.website2.org </VirtualHost>
ssl.conf中
<VirtualHost 192.168.10.1:443> DocumentRoot "/var/www/html/" ServerAdmin [email protected] ServerName www.website1.org SSLEngine On SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2: +EXP:+eNULL SSLCertificateFile /etc/httpd/conf/ssl.crt/website1.crt SSLCertificateKeyFile /etc/httpd/conf/ssl.key/website1.key SetEnvIf User-Agent ".*MSIE.*" \ nokeepalive ssl-unclean-shutdown \ downgrade-1.0 force-response-1.0 </VirtualHost> <VirtualHost 192.168.10.2:443> DocumentRoot "/var/www/html/chart/" ServerAdmin [email protected] ServerName www.website2.org SSLEngine On SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2: +EXP:+eNULL SSLCertificateFile /etc/httpd/conf/ssl.crt/website2.crt SSLCertificateKeyFile /etc/httpd/conf/ssl.key/website2.key SetEnvIf User-Agent ".*MSIE.*" \ nokeepalive ssl-unclean-shutdown \ downgrade-1.0 force-response-1.0 </VirtualHost>
既然Apache2处理HTTP 和 HTTPS基于命名的虚拟主机,我build议您将自己的域设置为自己的configuration文件。 就像Apache现在使用“site-available / sites-enabled”configuration目录一样。 将您的http和https声明放在一个文件中,并将该文件保存到“sites-enabled”目录,或者保存到任意位置并将其链接。
像: /etc/apache2/sites-enabled/Website_ONE.com.conf:
<VirtualHost *:80> ServerName Website_ONE.com #if you want to redirect to https: Redirect permanent / https://Website_ONE.com/ DocumentRoot /WWW/Website_ONE.com/ </VirtualHost> <VirtualHost *:443> ServerName Website_ONE.com DocumentRoot /WWW/Website_ONE.com/ ### SSL Setup ### SSLEngine on SSLCertificateFile /etc/SSL_conf/Website_ONE.com/cert.pem SSLCertificateKeyFile /etc/SSL_conf/Website_ONE.com/privkey.pem SSLCertificateChainFile /etc/SSL_conf/Website_ONE.com/chain.pem </VirtualHost>
然后: /etc/apache2/sites-enabled/Website_TWO.com.conf:
<VirtualHost *:80> ServerName Website_TWO.com #if you want to redirect to https: Redirect permanent / https://Website_TWO.com/ DocumentRoot /WWW/Website_TWO.com/ </VirtualHost> <VirtualHost *:443> ServerName Website_TWO.com DocumentRoot /WWW/Website_TWO.com/ ### SSL Setup ### SSLEngine on SSLCertificateFile /etc/SSL_conf/Website_TWO.com/cert.pem SSLCertificateKeyFile /etc/SSL_conf/Website_TWO.com/privkey.pem SSLCertificateChainFile /etc/SSL_conf/Website_TWO.com/chain.pem </VirtualHost>
正如我所说,这些文件可以保存在任何地方 – 只要它们是安全的(即只有需要访问的人才能读取),并链接到启用站点的文件夹中。 和关键文件一样。 如果所有的configuration都在域名后面的文件中,它可以让IMHO更容易跟踪你的虚拟主机。 顺便说一句,我会在你的configurationvs相对使用绝对path – 就像你的答案。
尝试删除/注释掉/etc/httpd/conf.d/ssl.conf的<VirtualHost _default_:443>块。
您需要ServerName http://www.server [1 | 2} .com部分
如果你真的运行Apache 2.2.3的问题是,你不能在SSL上进行基于名称的虚拟主机,因为你的mod_ssl不支持它。
你需要Apache 2.2.12或更高版本。
但是,您可以使用基于IP的虚拟主机。 你发布的解决scheme实际上是这样做的(两个不同的ip地址上的两个站点)
除非使用称为SNI的相当新的开发,否则您不能使用带有SSL的虚拟主机。 如果您的所有顶级域名(TLD)相同,您也可以使用通配符证书(如* .myhostname.com)。
有关更多详情,请参阅: