Certbot https不适用于example.com,仅适用于www.example.com

[更新] – 我把它贴到了错误的网站上,所以我会把这个主题复制到Unix / Linux社区。 所以请删除这个话题!

我在我的networking服务器上安装了SSL证书,并启用了将所有http请求redirect到https。 到目前为止,当我尝试打开www.example.com而不是使用example.com时,这是有效的。 只是为了logging,我用example.com更改了我的domain.com。 我已经检查了我的access_logerror.log ,当我尝试在浏览器中打开example.com时,它们都不显示任何新条目。

 curl https://example.com curl: (60) Issuer certificate is invalid. More details here: http://curl.haxx.se/docs/sslcerts.html curl performs SSL certificate verification by default, using a "bundle" of Certificate Authority (CA) public keys (CA certs). If the default bundle file isn't adequate, you can specify an alternate file using the --cacert option. If this HTTPS server uses a certificate signed by a CA represented in the bundle, the certificate verification probably failed due to a problem with the certificate (it might be expired, or the name might not match the domain name in the URL). If you'd like to turn off curl's verification of the certificate, use the -k (or --insecure) option. 

当我用www.example.com执行相同的curl命令时,我进入了我的网站。 我在用

 -bash-4.2$ hostname example -bash-4.2$ hostname -f example.com 

我在/etc/sysconfig/network主机名就是例子。 我也在使用vhost文件:

 cat /etc/httpd/sites-available/example.conf <VirtualHost *:80> ServerName www.example.com ServerAlias example.com DocumentRoot /var/www/html ErrorLog /var/www/html/error.log CustomLog /var/www/html/requests.log combined RewriteEngine on RewriteCond %{SERVER_NAME} =www.example.com [OR] RewriteCond %{SERVER_NAME} =example.com RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent] </VirtualHost> 

并在httpd.conf中设置了从/etc/httpd/sites-available/*.conf加载configuration文件

另一个问题是,当我尝试安装Cpanel时,它给了我以下错误:

 2017-03-15 14:10:39 501 ( INFO): Validating that the system hostname ('example') is a FQDN... 2017-03-15 14:10:39 507 (ERROR): 2017-03-15 14:10:39 508 (ERROR): ********************* ERROR ********************* 2017-03-15 14:10:39 509 (ERROR): 2017-03-15 14:10:39 510 (ERROR): Your hostname (example) is invalid, and must be 2017-03-15 14:10:39 511 (ERROR): set to a fully qualified domain name before installing cPanel. 2017-03-15 14:10:39 512 (ERROR): 2017-03-15 14:10:39 513 (ERROR): A fully qualified domain name must contain two dots, and consists of two parts: the hostname and the domain name. 2017-03-15 14:10:39 514 (ERROR): You can update your hostname by running `hostname your-hostname.example.com`, then re-running the installer. 2017-03-15 14:10:39 516 (ERROR): ********************* ERROR ********************* 2017-03-15 14:10:39 517 (FATAL): Exiting... Removing /root/installer.lock. 

这是我自己生成encryption的SSL VHOST文件:

  <IfModule mod_ssl.c> <VirtualHost *:443> ServerName www.example.com ServerAlias example.com DocumentRoot /var/www/html ErrorLog /var/www/html/error.log CustomLog /var/www/html/requests.log combined RewriteEngine on SSLCertificateFile /etc/letsencrypt/live/example.com/cert.pem SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem Include /etc/letsencrypt/options-ssl-apache.conf SSLCertificateChainFile /etc/letsencrypt/live/example.com/chain.pem </VirtualHost> </IfModule> 

多一点debugging信息:

 curl -l example.com <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>301 Moved Permanently</title> </head><body> <h1>Moved Permanently</h1> <p>The document has moved <a href="https://example.com/">here</a>.</p> </body></html> curl https://example.com curl: (60) Issuer certificate is invalid. More details here: http://curl.haxx.se/docs/sslcerts.html curl performs SSL certificate verification by default, using a "bundle" of Certificate Authority (CA) public keys (CA certs). If the default bundle file isn't adequate, you can specify an alternate file using the --cacert option. If this HTTPS server uses a certificate signed by a CA represented in the bundle, the certificate verification probably failed due to a problem with the certificate (it might be expired, or the name might not match the domain name in the URL). If you'd like to turn off curl's verification of the certificate, use the -k (or --insecure) option. curl -l www.example.com <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>301 Moved Permanently</title> </head><body> <h1>Moved Permanently</h1> <p>The document has moved <a href="https://www.example.com/">here</a>.</p> </body></html> 

而当我运行curl -l https://www.example.com我的网站正在加载,这意味着它正在通过SSL证书检查,问题只是与example.com证书。 所以我想我的VHOST文件是完全搞砸了。 我试图重新安装它们,但我认为它不起作用。

经过深入调查,似乎问题是对example.com的请求使用了/etc/httpd/conf.d/ssl.conf中定义的默认SSL证书,所以我已经评论了包含密钥的三行,证书本身和链文件,并添加了让我们encryption证书的path

 SSLCertificateFile /etc/letsencrypt/live/example.com/cert.pem SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem SSLCertificateChainFile /etc/letsencrypt/live/example.com/chain.pem 

然后我重新加载了httpd服务,并使用以下命令检查状态:

https://www.ssllabs.com/ssltest/analyze.html?d=example.com https://www.ssllabs.com/ssltest/analyze.html?d=www.example.com

您也可以使用以下方式检查您的SSL证书:

 openssl rsa -in privateKey.key -check openssl x509 -in certificate.crt -text -noout 

您可以使用以下方式检查您的SSL证书:

 openssl s_client -connect www.example.com:443 openssl s_client -connect example.com:443 

所以当我比较这两个证书时,我看到example.com正在使用localhost.crt证书,然后我发出一个find命令来查找证书的configuration位置,发现它只在configuration好的ssl.conf文件中,所以这是我如何解决这个问题。