I've spent a few hours researching this problem, and before doing something drastic like redoing all of the relevant configuration I thought I would ask for help.
I'm a student sysadmin at a university, and we have been having a problem with a website we host. Visiting the site gives a "security certificate is not trusted" warning. Viewing the certificate shows that it is the default self-signed server certificate rather than the server certificate we purchased, which is the one it should be serving.
The problem first came to our attention when we tried to switch the domain from pointing at a "regular" site to a new Drupal site. Originally both domain.flavor.name.edu and domain.name.edu pointed at the same regular site. We wanted domain.flavor.name.edu to point at the old one and domain.name.edu at the new Drupal site, so I removed the domain.name.edu.conf file from vhosts.d. Understandably the SSL error appeared, but since I had never seen any other working SSL site here, I didn't think much of it. The boss, however, insists that SSL worked fine before. To backtrack, I moved the file I had removed back into place, but I don't think that fixed it (sorry, I'm a bit hazy here; it has been a few weeks since it first happened and the other sysadmin may have changed some things). In any case, maybe this means the problem really is just with the .confs in vhosts.d, since domain.name.edu still points at the new Drupal site instead of back at the old one. I have restarted Apache several times, both graceful and regular restarts.
The server (running Gentoo) is set up with name-based virtual hosts, all on the same IP. As far as I understand it, we should be able to have multiple sites with different SSL certificates via SNI. The error_log confirms that we have SNI set up (Init: Name-based SSL virtual hosts only work for...).
In /etc/apache2/vhosts.d/ there are:
00_default_vhost.conf
00_ssl_domain.name.edu.conf
05_default_ssl_vhost.conf
blah blah more .confs
I recall that there can be some kind of conflict if Apache reads the wrong .conf file in vhosts.d and simply acts on it without looking any further, but I thought the numbering should take care of that, since 00_ssl_domain.name.edu should be read before the defaults.
In 00_ssl_domain.name.edu.conf:
...
SSLCertificateFile /etc/ssl/apache2/domain.name.edu.crt
...
SSLCertificateKeyFile /etc/ssl/apache2/domain.name.edu.key
...
SSLCertificateChainFile /etc/ssl/apache2/geotrust.crt
...
The certificate and the intermediate should both be fine; I even fetched the certificates from this spring again and copied them over. openssl verify -CAfile geotrust.crt domain.name.edu.crt returns OK.
Maybe this is a Drupal problem, maybe I've messed something up, but any help would be greatly appreciated.
*Disclaimer: sorry for the long post. I have also only been in my position for a year, and only in any real capacity since the start of this semester. The previous sysadmin, who did everything here, left at that point. So basically I did not set up these servers, the Apache installs, etc.
Edit 1: Testing with Firefox 15, Chrome 22 and IE 9 on Windows 7 all gives the same result.
Edit 2: the relevant vhosts.d file, 00_ssl_domain.name.edu.conf
<IfDefine SSL>
#<IfDefine SSL_DEFAULT_VHOST>
<IfModule ssl_module>
    # see bug #178966 why this is in here
    # When we also provide SSL we have to listen to the HTTPS port
    # Note: Configurations that use IPv6 but not IPv4-mapped addresses need two
    #       Listen directives: "Listen [::]:443" and "Listen 0.0.0.0:443"
    Listen 128.220.29.244:443
    #Added so that the ServerName directive works
    NameVirtualHost 128.220.29.244:443
    # Go ahead and accept connections for these vhosts
    # from non-SNI clients
    SSLStrictSNIVHostCheck off

<VirtualHost 128.220.29.244:443>
    ServerName domain.name.edu
    #Include /etc/apache2/vhosts.d/default_vhost.include
    Include /etc/apache2/vhosts.d/domain.include

    <IfModule log_config_module>
        TransferLog /var/log/apache2/ssl_access_domain.name.edu
    </IfModule>

    ## SSL Engine Switch:
    # Enable/Disable SSL for this virtual host.
    SSLEngine on
    #SSLLog /var/log/apache2/ssl_engine_log
    LogLevel debug

    ## SSL Cipher Suite:
    # List the ciphers that the client is permitted to negotiate.
    # See the mod_ssl documentation for a complete list.
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

    ## Server Certificate:
    # Point SSLCertificateFile at a PEM encoded certificate. If the certificate
    # is encrypted, then you will be prompted for a pass phrase. Note that a
    # kill -HUP will prompt again. Keep in mind that if you have both an RSA
    # and a DSA certificate you can configure both in parallel (to also allow
    # the use of DSA ciphers, etc.)
    SSLCertificateFile /etc/ssl/apache2/domain.name.edu.crt

    ## Server Private Key:
    # If the key is not combined with the certificate, use this directive to
    # point at the key file. Keep in mind that if you've both a RSA and a DSA
    # private key you can configure both in parallel (to also allow the use of
    # DSA ciphers, etc.)
    SSLCertificateKeyFile /etc/ssl/apache2/domain.name.edu.key

    ## Server Certificate Chain:
    # Point SSLCertificateChainFile at a file containing the concatenation of
    # PEM encoded CA certificates which form the certificate chain for the
    # server certificate. Alternatively the referenced file can be the same as
    # SSLCertificateFile when the CA certificates are directly appended to the
    # server certificate for convinience.
    SSLCertificateChainFile /etc/ssl/apache2/geotrust.crt
    #SSLCertificateChainFile /etc/ssl/test-certs/geotrust.crt

    ## Certificate Authority (CA):
    # Set the CA certificate verification path where to find CA certificates
    # for client authentication or alternatively one huge file containing all
    # of them (file must be PEM encoded).
    # Note: Inside SSLCACertificatePath you need hash symlinks to point to the
    # certificate files. Use the provided Makefile to update the hash symlinks
    # after changes.
    #SSLCACertificatePath /etc/ssl/apache2/ssl.crt
    #SSLCACertificateFile /etc/ssl/apache2/ca-bundle.crt

    ## Certificate Revocation Lists (CRL):
    # Set the CA revocation path where to find CA CRLs for client authentication
    # or alternatively one huge file containing all of them (file must be PEM
    # encoded).
    # Note: Inside SSLCARevocationPath you need hash symlinks to point to the
    # certificate files. Use the provided Makefile to update the hash symlinks
    # after changes.
    #SSLCARevocationPath /etc/ssl/apache2/ssl.crl
    #SSLCARevocationFile /etc/ssl/apache2/ca-bundle.crl

    ## Client Authentication (Type):
    # Client certificate verification type and depth. Types are none, optional,
    # require and optional_no_ca. Depth is a number which specifies how deeply
    # to verify the certificate issuer chain before deciding the certificate is
    # not valid.
    #SSLVerifyClient require
    #SSLVerifyDepth 10

    ## Access Control:
    # With SSLRequire you can do per-directory access control based on arbitrary
    # complex boolean expressions containing server variable checks and other
    # lookup directives. The syntax is a mixture between C and Perl. See the
    # mod_ssl documentation for more details.
    #<Location />
    # #SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
    #             and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
    #             and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
    #             and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
    #             and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20       ) \
    #            or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
    #</Location>

    ## SSL Engine Options:
    # Set various options for the SSL engine.
    ## FakeBasicAuth:
    # Translate the client X.509 into a Basic Authorisation. This means that the
    # standard Auth/DBMAuth methods can be used for access control. The user
    # name is the `one line' version of the client's X.509 certificate.
    # Note that no password is obtained from the user. Every entry in the user
    # file needs this password: `xxj31ZMTZzkVA'.
    ## ExportCertData:
    # This exports two additional environment variables: SSL_CLIENT_CERT and
    # SSL_SERVER_CERT. These contain the PEM-encoded certificates of the server
    # (always existing) and the client (only existing when client
    # authentication is used). This can be used to import the certificates into
    # CGI scripts.
    ## StdEnvVars:
    # This exports the standard SSL/TLS related `SSL_*' environment variables.
    # Per default this exportation is switched off for performance reasons,
    # because the extraction step is an expensive operation and is usually
    # useless for serving static content. So one usually enables the exportation
    # for CGI and SSI requests only.
    ## StrictRequire:
    # This denies access when "SSLRequireSSL" or "SSLRequire" applied even under
    # a "Satisfy any" situation, ie when it applies access is denied and no
    # other module can change it.
    ## OptRenegotiate:
    # This enables optimized SSL connection renegotiation handling when SSL
    # directives are used in per-directory context.
    #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory "/var/www/localhost/cgi-bin">
        SSLOptions +StdEnvVars
    </Directory>

    ## SSL Protocol Adjustments:
    # The safe and default but still SSL/TLS standard compliant shutdown
    # approach is that mod_ssl sends the close notify alert but doesn't wait
    # for the close notify alert from client. When you need a different
    # shutdown approach you can use one of the following variables:
    ## ssl-unclean-shutdown:
    # This forces an unclean shutdown when the connection is closed, ie no
    # SSL close notify alert is send or allowed to received. This violates the
    # SSL/TLS standard but is needed for some brain-dead browsers. Use this when
    # you receive I/O errors because of the standard approach where mod_ssl
    # sends the close notify alert.
    ## ssl-accurate-shutdown:
    # This forces an accurate shutdown when the connection is closed, ie a
    # SSL close notify alert is send and mod_ssl waits for the close notify
    # alert of the client. This is 100% SSL/TLS standard compliant, but in
    # practice often causes hanging connections with brain-dead browsers. Use
    # this only for browsers where you know that their SSL implementation works
    # correctly.
    # Notice: Most problems of broken clients are also related to the HTTP
    # keep-alive facility, so you usually additionally want to disable
    # keep-alive for those clients, too. Use variable "nokeepalive" for this.
    # Similarly, one has to force some clients to use HTTP/1.0 to workaround
    # their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
    # "force-response-1.0" for this.
    <IfModule setenvif_module>
        BrowserMatch ".*MSIE.*" \
            nokeepalive ssl-unclean-shutdown \
            downgrade-1.0 force-response-1.0
    </IfModule>

    ## Per-Server Logging:
    # The home of a custom SSL log file. Use this when you want a compact
    # non-error SSL logfile on a virtual host basis.
    <IfModule log_config_module>
        CustomLog /var/log/apache2/ssl_request_log \
            "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    </IfModule>
</VirtualHost>
</IfModule>
#</IfDefine>
</IfDefine>
# vim: ts=4 filetype=apache
Edit 3: output of apache2 -S
[Thu Oct 25 11:02:02 2012] [warn] _default_ VirtualHost overlap on port 80, the first has precedence
[Thu Oct 25 11:02:02 2012] [warn] _default_ VirtualHost overlap on port 80, the first has precedence
[Thu Oct 25 11:02:02 2012] [warn] _default_ VirtualHost overlap on port 80, the first has precedence
[Thu Oct 25 11:02:02 2012] [warn] _default_ VirtualHost overlap on port 80, the first has precedence
[Thu Oct 25 11:02:02 2012] [warn] _default_ VirtualHost overlap on port 80, the first has precedence
[Thu Oct 25 11:02:02 2012] [warn] _default_ VirtualHost overlap on port 80, the first has precedence
[Thu Oct 25 11:02:02 2012] [warn] _default_ VirtualHost overlap on port 80, the first has precedence
[Thu Oct 25 11:02:02 2012] [warn] _default_ VirtualHost overlap on port 80, the first has precedence
[Thu Oct 25 11:02:02 2012] [warn] _default_ VirtualHost overlap on port 80, the first has precedence
[Thu Oct 25 11:02:02 2012] [warn] _default_ VirtualHost overlap on port 80, the first has precedence
VirtualHost configuration:
wildcard NameVirtualHosts and _default_ servers:
*:80                   domain1.edu (/etc/apache2/vhosts.d/10_domain1.edu.conf:38)
*:80                   domain2.edu (/etc/apache2/vhosts.d/10_domain2.edu.conf:38)
*:80                   domain3.edu (/etc/apache2/vhosts.d/10_domain3.edu.conf:38)
*:80                   domain4.edu (/etc/apache2/vhosts.d/10_domain4.edu.conf:38)
*:80                   domain5.edu (/etc/apache2/vhosts.d/10_domain5.edu.conf:38)
*:80                   domain6.edu (/etc/apache2/vhosts.d/10_domain6.edu.conf:38)
*:80                   domain7.edu (/etc/apache2/vhosts.d/10_domain7.edu.conf:38)
*:80                   domain8.edu (/etc/apache2/vhosts.d/10_domain8.edu.conf:38)
*:80                   domain9.edu (/etc/apache2/vhosts.d/10_domain9.edu.conf:38)
*:80                   domain10.edu (/etc/apache2/vhosts.d/10_domain10.edu.conf:38)
*:80                   domain11.edu (/etc/apache2/vhosts.d/10_domain11.edu.conf:38)
Syntax OK
I can access all of the sites without any problem, just with the SSL error.
You have not configured any SSL virtual hosts; verify that the ssl configuration file is actually included in the main configuration.
You also need to define a NameVirtualHost *:80 outside of any virtual host, otherwise all requests go to the first one, as the output is telling you.
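The two things the answer reads off the apache2 -S output (no vhost bound to port 443 at all, and the _default_ overlap warnings that call for a NameVirtualHost *:80) can be checked mechanically. The following is an added example, not code from the question or the answer; it parses the "wildcard NameVirtualHosts and _default_ servers" lines in the form the question shows, and the sample output is constructed after the one quoted above with the same placeholder domain names.

```python
import re

# Constructed sample, modelled on the `apache2 -S` output quoted in the question
# (placeholder domain names as in the post; only two of the eleven vhosts are kept).
SAMPLE_OUTPUT = """\
[Thu Oct 25 11:02:02 2012] [warn] _default_ VirtualHost overlap on port 80, the first has precedence
[Thu Oct 25 11:02:02 2012] [warn] _default_ VirtualHost overlap on port 80, the first has precedence
VirtualHost configuration:
wildcard NameVirtualHosts and _default_ servers:
*:80                   domain1.edu (/etc/apache2/vhosts.d/10_domain1.edu.conf:38)
*:80                   domain2.edu (/etc/apache2/vhosts.d/10_domain2.edu.conf:38)
Syntax OK
"""

# One "addr:port  servername (conffile:line)" entry, the form shown in the question.
VHOST_RE = re.compile(r"^(\S+):(\d+)\s+(\S+)\s+\((\S+):(\d+)\)$")
OVERLAP_RE = re.compile(r"_default_ VirtualHost overlap on port (\d+)")


def parse_vhosts(output):
    """Return (address, port, servername, conffile) for every vhost line in -S output."""
    vhosts = []
    for line in output.splitlines():
        m = VHOST_RE.match(line.strip())
        if m:
            vhosts.append((m.group(1), int(m.group(2)), m.group(3), m.group(4)))
    return vhosts


def diagnose(output, expected_ssl_host, ssl_port=443):
    """Apply the answer's reasoning to -S output and return a list of findings."""
    findings = []
    vhosts = parse_vhosts(output)
    on_ssl_port = [name for _, port, name, _ in vhosts if port == ssl_port]
    if not on_ssl_port:
        # No vhost bound to 443 at all: the SSL vhost file is not being read, so
        # mod_ssl can only answer with whatever default certificate it has.
        findings.append(f"no VirtualHost on port {ssl_port}: the SSL vhost file is not "
                        f"included in the main configuration")
    elif expected_ssl_host not in on_ssl_port:
        findings.append(f"port {ssl_port} has vhosts but none with ServerName "
                        f"{expected_ssl_host}, so SNI cannot select its certificate")
    for port in sorted({int(p) for p in OVERLAP_RE.findall(output)}):
        # The overlap warning means requests on that port all reach the first vhost.
        findings.append(f"_default_ overlap on port {port}: define 'NameVirtualHost *:{port}' "
                        f"outside any <VirtualHost>")
    return findings
```

Pipe the real output through it with diagnose(subprocess.check_output(["apache2", "-S"], stderr=subprocess.STDOUT, text=True), "domain.name.edu"); an empty list means both problems the answer points at are gone.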