I have a VPS with 14 domains, and I set up Let's Encrypt to automatically retrieve a separate certificate for each domain, covering all of its subdomains. So I have 14 certificates. Obviously, putting all the domains in the same certificate is not desirable, because I would soon hit Let's Encrypt's cap of 100 domains/subdomains per certificate.
So I was happy for a month, until I discovered that nginx was serving the wrong certificate for every domain except one (the one it automatically picks, or that I set, as the default server for port 443). After a lot of headaches, I found out that every SSL certificate has to have its own IP rather than a shared one. Then I also found that SNI exists as a solution to this problem.
    $ nginx -V
    TLS SNI support enabled
So, long story short: the problem is that no matter what I do, nginx stubbornly serves the wrong cert:
    $ curl --insecure -v https://babaei.net 2>&1 | awk 'BEGIN { cert=0 } /^\* Server certificate:/ { cert=1 } /^\*/ { if (cert) print }'
    * Server certificate:
    *    subject: CN=babaei.net
    *    start date: Aug 28 13:30:00 2016 GMT
    *    expire date: Nov 26 13:30:00 2016 GMT
    *    issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
    *    SSL certificate verify ok.
    * Connection #0 to host babaei.net left intact

    $ curl --insecure -v https://learnmyway.net 2>&1 | awk 'BEGIN { cert=0 } /^\* Server certificate:/ { cert=1 } /^\*/ { if (cert) print }'
    * Server certificate:
    *    subject: CN=babaei.net
    *    start date: Aug 28 13:30:00 2016 GMT
    *    expire date: Nov 26 13:30:00 2016 GMT
    *    issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
    *    SSL certificate verify ok.
    * Connection #0 to host learnmyway.net left intact

    $ curl --insecure -v https://3rr0r.org 2>&1 | awk 'BEGIN { cert=0 } /^\* Server certificate:/ { cert=1 } /^\*/ { if (cert) print }'
    * Server certificate:
    *    subject: CN=babaei.net
    *    start date: Aug 28 13:30:00 2016 GMT
    *    expire date: Nov 26 13:30:00 2016 GMT
    *    issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
    *    SSL certificate verify ok.
    * Connection #0 to host 3rr0r.org left intact
And don't get me wrong, the actual certificates are what they should be:
    $ openssl x509 -noout -subject -in /path/to/certs/babaei.net.pem
    subject= /CN=babaei.net
    $ openssl x509 -noout -subject -in /path/to/certs/learnmyway.net.pem
    subject= /CN=learnmyway.net
    $ openssl x509 -noout -subject -in /path/to/certs/3rr0r.org.pem
    subject= /CN=3rr0r.org
So, suppose we have two domains, alpha.com and omega.com. How would you configure SNI-enabled nginx to serve the correct SSL certificate for each of them?
    server {
        server_tokens off;
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        server_name www.alpha.com;
        ssl on;
        ssl_certificate /path/to/alpha.com/cert.pem;
        ssl_certificate_key /path/to/alpha.com/key.pem;
    }

    server {
        server_tokens off;
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        server_name www.omega.com;
        ssl on;
        ssl_certificate /path/to/omega.com/cert.pem;
        ssl_certificate_key /path/to/omega.com/key.pem;
    }
Thanks

Update: this is the original configuration:
    server {
        server_tokens off;
        listen 80;
        listen [::]:80;
        server_name learnmyway.net;

        location / {
            return 301 https://www.$server_name$request_uri; # enforce https / www
        }

        # Error Pages
        include /path/to/snippets/error;

        # Anti-DDoS
        include /path/to/snippets/anti-ddos;

        # letsencrypt acme challenges
        include /path/to/snippets/letsencrypt-acme-challenge;
    }

    server {
        server_tokens off;
        listen 80;
        listen [::]:80;
        server_name *.learnmyway.net;

        location / {
            return 301 https://$host$request_uri; # enforce https
        }

        # Error Pages
        include /path/to/snippets/error;

        # Anti-DDoS
        include /path/to/snippets/anti-ddos;

        # letsencrypt acme challenges
        include /path/to/snippets/letsencrypt-acme-challenge;
    }

    server {
        server_tokens off;
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        server_name www.learnmyway.net;

        # Hardened SSL
        include /path/to/snippets/hardened-ssl;
        ssl_certificate /path/to/certs/learnmyway.net.pem;
        ssl_certificate_key /path/to/keys/learnmyway.net.pem;
        ssl_trusted_certificate /path/to/certs/learnmyway.net.pem;

        #error_log /path/to/learnmyway.net/log/www_error_log;
        #access_log /path/to/learnmyway.net/log/www_access_log;

        root /path/to/learnmyway.net/www/;
        index index.html;

        # Error Pages
        include /path/to/snippets/error;

        # Anti-DDoS
        include /path/to/snippets/anti-ddos;

        # letsencrypt acme challenges
        include /path/to/snippets/letsencrypt-acme-challenge;

        # Compression
        include /path/to/snippets/compression;

        # Static Resource Caching
        include /path/to/snippets/static-resource-caching;
    }
It looks like @AlexeyTen was right. Adding the following server block solved the problem:
    server {
        server_tokens off;
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        server_name learnmyway.net;

        # Hardened SSL
        include /path/to/snippets/hardened-ssl;
        ssl_certificate /path/to/certs/learnmyway.net.pem;
        ssl_certificate_key /path/to/keys/learnmyway.net.pem;
        ssl_trusted_certificate /path/to/certs/learnmyway.net.pem;

        return 301 https://www.$server_name$request_uri; # enforce www
    }
My mistake: since * is a wildcard, I assumed that *.learnmyway.net would also resolve learnmyway.net. It seems I was wrong.
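Added example, not part of the question and not nginx's own code: a small Python model of nginx's server_name selection (exact name first, then the longest wildcard starting with "*", then the longest wildcard ending with "*", otherwise the default server for the listen socket). It shows why a request whose SNI name is the bare learnmyway.net fell through to the default block and received the babaei.net certificate, why a *.learnmyway.net block on port 443 would not have fixed that, and that an explicit learnmyway.net (or the ".learnmyway.net" shorthand) does. The server lists, the names given to the babaei.net block, and the host names fed to the audit are constructed for the example; the certificate paths are the question's placeholders and are never opened.

```python
# Added example: model of nginx server_name matching, not nginx's own code.
from dataclasses import dataclass


@dataclass
class Server:
    names: list  # server_name entries of this block
    cert: str    # ssl_certificate path, i.e. the cert a client would be shown


def name_matches(pattern: str, host: str) -> bool:
    """Does one server_name pattern cover the SNI host name?"""
    host = host.lower().rstrip(".")
    pattern = pattern.lower()
    if pattern.startswith("*."):
        # "*.example.net" covers every subdomain but NOT the apex example.net
        return host.endswith(pattern[1:])
    if pattern.startswith("."):
        # ".example.net" is nginx shorthand for "example.net" plus "*.example.net"
        return host == pattern[1:] or host.endswith(pattern)
    if pattern.endswith(".*"):
        # "mail.*" covers mail.<anything>
        return host.startswith(pattern[:-1])
    return host == pattern


def _rank(pattern: str, host: str):
    """(stage, -length) for a matching pattern, None otherwise.
    stage 0 = exact, 1 = leading wildcard, 2 = trailing wildcard;
    longer wildcard patterns beat shorter ones inside a stage."""
    if not name_matches(pattern, host):
        return None
    if pattern.startswith("*.") or (pattern.startswith(".") and host != pattern[1:]):
        return (1, -len(pattern))
    if pattern.endswith(".*"):
        return (2, -len(pattern))
    return (0, -len(pattern))


def select_server(servers: list, host: str) -> Server:
    """Block nginx would pick for `host`; servers[0] plays the implicit
    default_server (the first block declared for that listen socket)."""
    host = host.lower().rstrip(".")
    best = None
    for s in servers:
        for n in s.names:
            rank = _rank(n, host)
            if rank is not None and (best is None or rank < best[0]):
                best = (rank, s)
    return best[1] if best else servers[0]


def served_cert(servers: list, host: str) -> str:
    return select_server(servers, host).cert


def audit(servers: list, hosts: list) -> list:
    """Hosts that land on the default block without matching any of its names:
    exactly the names that will get a certificate-name mismatch in the browser."""
    default = servers[0]
    return [h for h in hosts
            if select_server(servers, h) is default
            and not any(name_matches(n, h) for n in default.names)]


# Certificate paths are the question's placeholders; never read here.
BABAEI = "/path/to/certs/babaei.net.pem"
LEARNMYWAY = "/path/to/certs/learnmyway.net.pem"

# Constructed :443 layout mirroring the question: the babaei.net block was
# declared first (so it is the implicit default), and learnmyway.net only had
# a block for the www. name.
ORIGINAL_443 = [
    Server(["www.babaei.net", "babaei.net"], BABAEI),
    Server(["www.learnmyway.net"], LEARNMYWAY),
]
# What the poster expected to help: a wildcard block on :443.
WILDCARD_443 = ORIGINAL_443 + [Server(["*.learnmyway.net"], LEARNMYWAY)]
# What actually fixed it: a block naming the apex itself.
FIXED_443 = ORIGINAL_443 + [Server(["learnmyway.net"], LEARNMYWAY)]

if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL_443), ("wildcard", WILDCARD_443), ("fixed", FIXED_443)):
        print(f"{label:8} learnmyway.net -> {served_cert(cfg, 'learnmyway.net')}")
    # constructed host list; 3rr0r.org has no :443 block in this model at all
    print("mismatched:", audit(ORIGINAL_443, ["babaei.net", "www.learnmyway.net", "learnmyway.net", "3rr0r.org"]))
```

The audit function is the operational check: feed it every name a certificate was issued for, and anything it returns is a name that will be answered with the default server's certificate. Running it after each config change (or after adding a new domain) catches the apex-versus-wildcard gap before a browser does.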