我花了很多时间研究这个问题,在我采取诸如重新进行所有相关配置之类的激烈措施之前,我想寻求帮助。
我是一所大学的学生系统管理员,我们托管的网站出现了问题。访问该网站时会显示“安全证书不受信任”警告。查看证书后发现它是默认的自签名服务器证书,而不是我们购买的、应该提供服务的证书。
当我们尝试将此域从指向“常规”站点切换到新的 Drupal 站点时,我们首次注意到了这个问题。最初,domain.flavor.name.edu 和 domain.name.edu 都指向同一个常规站点。我们希望 domain.flavor.name.edu 保持指向旧站点,并将 domain.name.edu 指向新的 Drupal 站点,因此我从 vhosts.d 中删除了 domain.name.edu.conf 文件。可以理解的是,出现了 SSL 错误,但由于我从未见过任何其他站点具有有效的 SSL,所以我并没有多想。然而,老板坚持说 SSL 以前工作正常。为了回溯,我移回了已删除的文件,但我认为这并没有解决问题(抱歉,我有点糊涂,距离第一次发生这种情况已经过去了几个星期,其他系统管理员可能也做了一些更改)。无论如何,这可能意味着问题实际上只是出在 vhosts.d 中的 .confs 上,因为 domain.name.edu 仍然指向新的 Drupal 站点,而不是指向旧站点。我已经多次重启 apache,包括正常重启和常规重启。
服务器(运行 Gentoo)设置了基于名称的虚拟主机,全部位于同一 IP 上。据我了解,我们应该能够通过 SNI 拥有多个具有不同 SSL 证书的站点。error_log 确认我们已设置 SNI(Init:基于名称的 SSL 虚拟主机仅适用于...)。
其中 /etc/apache2/vhosts.d/有:
00_default_vhost.conf
00_ssl_domain.name.edu.conf
05_default_ssl_vhost.conf
blah blah more .confs
我记得读过如果 Apache 首先读取了 vhosts.d 中的错误 .conf 并且它没有进一步查看就执行了那里的所有内容或类似操作,则可能会发生某种冲突,但我认为数字应该可以解决这个问题,按顺序 00_ssl_domain.name.edu 应该位于默认值之前。
在 00_ssl_domain.name.edu.conf 中,
...
SSLCertificateFiles /etc/ssl/apache2/domain.name.edu.crt
...
SSLCertificateKeyFile /etc/ssl/apache2/domain.name.edu.key
...
SSLCertificateChainFile /etc/ssl/apache2/geotrust.crt
...
证书和中间证书都应该很好,我甚至挖出了今年春天早些时候我们获得证书时的电子邮件并重新复制了它们。openssl verify -CAfile geotrust.crt domain.name.edu.crt返回 OK。
也许这是 Drupal 的问题,也许我把某些事情搞砸了,但如果能提供任何帮助我将不胜感激。
*免责声明:抱歉,文章太长了,而且我在这个岗位上只干了一年,而且从这个学期开始才开始担任这个职务。之前负责这里所有工作的系统管理员已经离开了这个学期。所以基本上我没有设置这些服务器和安装 apache 等。
编辑1:在 Windows 7 上使用 Firefox 15、Chrome 22 和 IE 9 进行测试均得到相同的结果
编辑2:相关的vhosts.d 00_ssl_domain.name.edu.conf
<IfDefine SSL>
#<IfDefine SSL_DEFAULT_VHOST>
<IfModule ssl_module>
# see bug #178966 why this is in here
# When we also provide SSL we have to listen to the HTTPS port
# Note: Configurations that use IPv6 but not IPv4-mapped addresses need two
# Listen directives: "Listen [::]:443" and "Listen 0.0.0.0:443"
Listen 128.220.29.244:443
#Added so that the ServerName directive works
NameVirtualHost 128.220.29.244:443
# Go ahead and accept connections for these vhosts
# from non-SNI clients
SSLStrictSNIVHostCheck off
<VirtualHost 128.220.29.244:443>
ServerName domain.name.edu
#Include /etc/apache2/vhosts.d/default_vhost.include
Include /etc/apache2/vhosts.d/domain.include
<IfModule log_config_module>
TransferLog /var/log/apache2/ssl_access_domain.name.edu
</IfModule>
## SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
#SSLLog /var/log/apache2/ssl_engine_log
LogLevel debug
## SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
## Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If the certificate
# is encrypted, then you will be prompted for a pass phrase. Note that a
# kill -HUP will prompt again. Keep in mind that if you have both an RSA
# and a DSA certificate you can configure both in parallel (to also allow
# the use of DSA ciphers, etc.)
SSLCertificateFile /etc/ssl/apache2/domain.name.edu.crt
## Server Private Key:
# If the key is not combined with the certificate, use this directive to
# point at the key file. Keep in mind that if you've both a RSA and a DSA
# private key you can configure both in parallel (to also allow the use of
# DSA ciphers, etc.)
SSLCertificateKeyFile /etc/ssl/apache2/domain.name.edu.key
## Server Certificate Chain:
# Point SSLCertificateChainFile at a file containing the concatenation of
# PEM encoded CA certificates which form the certificate chain for the
# server certificate. Alternatively the referenced file can be the same as
# SSLCertificateFile when the CA certificates are directly appended to the
# server certificate for convinience.
SSLCertificateChainFile /etc/ssl/apache2/geotrust.crt
#SSLCertificateChainFile /etc/ssl/test-certs/geotrust.crt
## Certificate Authority (CA):
# Set the CA certificate verification path where to find CA certificates
# for client authentication or alternatively one huge file containing all
# of them (file must be PEM encoded).
# Note: Inside SSLCACertificatePath you need hash symlinks to point to the
# certificate files. Use the provided Makefile to update the hash symlinks
# after changes.
#SSLCACertificatePath /etc/ssl/apache2/ssl.crt
#SSLCACertificateFile /etc/ssl/apache2/ca-bundle.crt
## Certificate Revocation Lists (CRL):
# Set the CA revocation path where to find CA CRLs for client authentication
# or alternatively one huge file containing all of them (file must be PEM
# encoded).
# Note: Inside SSLCARevocationPath you need hash symlinks to point to the
# certificate files. Use the provided Makefile to update the hash symlinks
# after changes.
#SSLCARevocationPath /etc/ssl/apache2/ssl.crl
#SSLCARevocationFile /etc/ssl/apache2/ca-bundle.crl
## Client Authentication (Type):
# Client certificate verification type and depth. Types are none, optional,
# require and optional_no_ca. Depth is a number which specifies how deeply
# to verify the certificate issuer chain before deciding the certificate is
# not valid.
#SSLVerifyClient require
#SSLVerifyDepth 10
## Access Control:
# With SSLRequire you can do per-directory access control based on arbitrary
# complex boolean expressions containing server variable checks and other
# lookup directives. The syntax is a mixture between C and Perl. See the
# mod_ssl documentation for more details.
#<Location />
# #SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
# or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
#</Location>
## SSL Engine Options:
# Set various options for the SSL engine.
## FakeBasicAuth:
# Translate the client X.509 into a Basic Authorisation. This means that the
# standard Auth/DBMAuth methods can be used for access control. The user
# name is the `one line' version of the client's X.509 certificate.
# Note that no password is obtained from the user. Every entry in the user
# file needs this password: `xxj31ZMTZzkVA'.
## ExportCertData:
# This exports two additional environment variables: SSL_CLIENT_CERT and
# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the server
# (always existing) and the client (only existing when client
# authentication is used). This can be used to import the certificates into
# CGI scripts.
## StdEnvVars:
# This exports the standard SSL/TLS related `SSL_*' environment variables.
# Per default this exportation is switched off for performance reasons,
# because the extraction step is an expensive operation and is usually
# useless for serving static content. So one usually enables the exportation
# for CGI and SSI requests only.
## StrictRequire:
# This denies access when "SSLRequireSSL" or "SSLRequire" applied even under
# a "Satisfy any" situation, i.e. when it applies access is denied and no
# other module can change it.
## OptRenegotiate:
# This enables optimized SSL connection renegotiation handling when SSL
# directives are used in per-directory context.
#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory "/var/www/localhost/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
## SSL Protocol Adjustments:
# The safe and default but still SSL/TLS standard compliant shutdown
# approach is that mod_ssl sends the close notify alert but doesn't wait
# for the close notify alert from client. When you need a different
# shutdown approach you can use one of the following variables:
## ssl-unclean-shutdown:
# This forces an unclean shutdown when the connection is closed, i.e. no
# SSL close notify alert is send or allowed to received. This violates the
# SSL/TLS standard but is needed for some brain-dead browsers. Use this when
# you receive I/O errors because of the standard approach where mod_ssl
# sends the close notify alert.
## ssl-accurate-shutdown:
# This forces an accurate shutdown when the connection is closed, i.e. a
# SSL close notify alert is send and mod_ssl waits for the close notify
# alert of the client. This is 100% SSL/TLS standard compliant, but in
# practice often causes hanging connections with brain-dead browsers. Use
# this only for browsers where you know that their SSL implementation works
# correctly.
# Notice: Most problems of broken clients are also related to the HTTP
# keep-alive facility, so you usually additionally want to disable
# keep-alive for those clients, too. Use variable "nokeepalive" for this.
# Similarly, one has to force some clients to use HTTP/1.0 to workaround
SSLOptions +StdEnvVars
</Directory>
## SSL Protocol Adjustments:
# The safe and default but still SSL/TLS standard compliant shutdown
# approach is that mod_ssl sends the close notify alert but doesn't wait
# for the close notify alert from client. When you need a different
# shutdown approach you can use one of the following variables:
## ssl-unclean-shutdown:
# This forces an unclean shutdown when the connection is closed, i.e. no
# SSL close notify alert is send or allowed to received. This violates the
# SSL/TLS standard but is needed for some brain-dead browsers. Use this when
# you receive I/O errors because of the standard approach where mod_ssl
# sends the close notify alert.
## ssl-accurate-shutdown:
# This forces an accurate shutdown when the connection is closed, i.e. a
# SSL close notify alert is send and mod_ssl waits for the close notify
# alert of the client. This is 100% SSL/TLS standard compliant, but in
# practice often causes hanging connections with brain-dead browsers. Use
# this only for browsers where you know that their SSL implementation works
# correctly.
# Notice: Most problems of broken clients are also related to the HTTP
# keep-alive facility, so you usually additionally want to disable
# keep-alive for those clients, too. Use variable "nokeepalive" for this.
# Similarly, one has to force some clients to use HTTP/1.0 to workaround
# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
# "force-response-1.0" for this.
<IfModule setenvif_module>
BrowserMatch ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
</IfModule>
## Per-Server Logging:
# The home of a custom SSL log file. Use this when you want a compact
# non-error SSL logfile on a virtual host basis.
<IfModule log_config_module>
CustomLog /var/log/apache2/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</IfModule>
</VirtualHost>
</IfModule>
#</IfDefine>
</IfDefine>
# vim: ts=4 filetype=apache
编辑 3:apache2 -S 的输出
[Thu Oct 25 11:02:02 2012] [warn] _default_ VirtualHost overlap on port 80, the first has precedence
[Thu Oct 25 11:02:02 2012] [warn] _default_ VirtualHost overlap on port 80, the first has precedence
[Thu Oct 25 11:02:02 2012] [warn] _default_ VirtualHost overlap on port 80, the first has precedence
[Thu Oct 25 11:02:02 2012] [warn] _default_ VirtualHost overlap on port 80, the first has precedence
[Thu Oct 25 11:02:02 2012] [warn] _default_ VirtualHost overlap on port 80, the first has precedence
[Thu Oct 25 11:02:02 2012] [warn] _default_ VirtualHost overlap on port 80, the first has precedence
[Thu Oct 25 11:02:02 2012] [warn] _default_ VirtualHost overlap on port 80, the first has precedence
[Thu Oct 25 11:02:02 2012] [warn] _default_ VirtualHost overlap on port 80, the first has precedence
[Thu Oct 25 11:02:02 2012] [warn] _default_ VirtualHost overlap on port 80, the first has precedence
[Thu Oct 25 11:02:02 2012] [warn] _default_ VirtualHost overlap on port 80, the first has precedence
VirtualHost configuration:
wildcard NameVirtualHosts and _default_ servers:
*:80 domain1.edu (/etc/apache2/vhosts.d/10_domain1.edu.conf:38)
*:80 domain2.edu (/etc/apache2/vhosts.d/10_domain2.edu.conf:38)
*:80 domain3.edu (/etc/apache2/vhosts.d/10_domain3.edu.conf:38)
*:80 domain4.edu (/etc/apache2/vhosts.d/10_domain4.edu.conf:38)
*:80 domain5.edu (/etc/apache2/vhosts.d/10_domain5.edu.conf:38)
*:80 domain6.edu (/etc/apache2/vhosts.d/10_domain6.edu.conf:38)
*:80 domain7.edu (/etc/apache2/vhosts.d/10_domain7.edu.conf:38)
*:80 domain8.edu (/etc/apache2/vhosts.d/10_domain8.edu.conf:38)
*:80 domain9.edu (/etc/apache2/vhosts.d/10_domain9.edu.conf:38)
*:80 domain10.edu (/etc/apache2/vhosts.d/10_domain10.edu.conf:38)
*:80 domain11.edu (/etc/apache2/vhosts.d/10_domain11.edu.conf:38)
Syntax OK
我访问任何网站都没有问题,只是有 SSL 错误
答案1
您没有配置任何 SSL vhosts;请验证 ssl 配置文件是否确实包含在主配置中。
您还需要定义NameVirtualHost *:80任何虚拟主机的外部,否则所有请求都将转到第一个,正如输出告诉您的那样。