我在AWS实例上运行apache httpd 2.4。 我有以下的httpdconfiguration:
<VirtualHost *:443> ServerName jenkins.example.com SSLEngine on SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP SSLCertificateFile /var/lib/jenkins/secrets/test-cert.pem SSLCertificateKeyFile /var/lib/jenkins/secrets/test-key.pem JkMount /* ajp13 </VirtualHost> <VirtualHost *:80> ServerName jenkins.example.com Redirect / https://jenkins.example.com/ </VirtualHost> <VirtualHost *:80> RewriteEngine on RewriteCond %{HTTPS} off RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L] </VirtualHost> <VirtualHost *:443> ServerName backoffice.another-example.com SSLEngine on SSLProxyEngine On SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS SSLCertificateFile /etc/certificates/backoffice.another-example.com/cert.pem SSLCertificateChainFile /etc/certificates/backoffice.another-example.com/chain.pem SSLCertificateKeyFile /etc/certificates/backoffice.another-example.com/privkey.pem SSLProxyCheckPeerCN Off SSLProxyCheckPeerName Off Timeout 600 ProxyTimeout 600 ProxyRequests off ProxyPreserveHost On <Proxy *> Order deny,allow Allow from all </Proxy> <Location /> ProxyPass https://localhost:15678/ ProxyPassReverse https://localhost:15678/ </Location> </VirtualHost> <VirtualHost *:443> ServerName another-example.com ServerAlias another-example.com RewriteEngine on RewriteRule (.*) https://www.another-example.com%{REQUEST_URI} [R,L] </VirtualHost> <VirtualHost *:443> ServerName another-example.com ServerAlias *.another-example.com SSLEngine on SSLProtocol all -SSLv2 -SSLv3 SSLHonorCipherOrder on SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS SSLCertificateFile /etc/certificates/another-example.com/cert.pem SSLCertificateChainFile /etc/certificates/another-example.com/chain.pem SSLCertificateKeyFile /etc/certificates/another-example.com/privkey.pem ProxyRequests off ProxyPreserveHost On <Proxy *> Order deny,allow Allow from all </Proxy> <Location /> ProxyPass http://localhost:20001/ retry=1 acquire=3000 timeout=600 Keepalive=On ProxyPassReverse http://localhost:20001/ AuthType Basic AuthName "Test Servers" AuthBasicProvider file AuthUserFile /var/www/passwords Require user example </Location> </VirtualHost> 然后,三个证书:
这是问题:当我访问http://another-example.com或https://another-example.com时 ,由于NET :: ERR_CERT_AUTHORITY_INVALID,我得到一个警告,浏览器显示我自签名证书。 然后,如果我点击“Proceed to another-example.com(unsafe)”,它会将mt移到another-example.com(并要求我input身份validation凭据),地址栏显示一个绿色的locking图标,并告诉我认为证书是有效的和私人的。
如果我删除jenkins.example.com的两个部分
<VirtualHost *:443> ServerName jenkins.example.com SSLEngine on SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP SSLCertificateFile /var/lib/jenkins/secrets/test-cert.pem SSLCertificateKeyFile /var/lib/jenkins/secrets/test-key.pem JkMount /* ajp13 </VirtualHost> <VirtualHost *:80> ServerName jenkins.example.com Redirect / https://jenkins.example.com/ </VirtualHost>
我仍然收到另一个警告,NET :: ERR_CERT_COMMON_NAME_INVALID,浏览器显示backoffice.another-example.com的证书。 所以很明显,它将显示第一个VirtualHost的证书,但是它会redirect到正确的域。 如果inputhttp://www.another-example.com或https://www.another-example.com,则不会发生这种情况
这是怎么回事? 如何避免显示无效域证书的第一个警告?
盯着这个,直到你看到问题。
<VirtualHost *:443> ServerName another-example.com ServerAlias another-example.com <!-- conspicuous hole --> RewriteEngine on RewriteRule (.*) https://www.another-example.com%{REQUEST_URI} [R,L] </VirtualHost> <VirtualHost *:443> ServerName another-example.com ServerAlias *.another-example.com ...
ServerAlias another-example.com的<VirtualHost *:443>的SSL证书configuration在哪里?
我在Apache上有点生疏,但是看起来像是这样一种情况:缺lessconfiguration指令时会隐含地填充文件中较高层的不相关数据。 这当然不会是第一次发生,而且完全可以解释为什么删除自签名证书会改变错误 – 不同的不相关configuration数据正在被replace。
所有来自最后一节的SSL*configuration都需要在上面的部分进行复制。 至less,这对我来说是这样的。
当SNI被设置为another-example.com时,会提供错误的SSL证书,因为在这种情况下,您基本上没有告诉它提供哪种证书。