在 Amazon EC2 上使用 nginx 安装 SSL 证书

tag-icon tag-icon nginx amazon-ec2 ssl ssl-certificate
在 Amazon EC2 上使用 nginx 安装 SSL 证书

我终于从权威机构获得了证书,正在努力让一切正常运转。我已经创建了适当的组合证书(个人证书 + 中间证书 + 根证书),并且 nginx 指向它。我获得了一个弹性 IP 并将其连接到我的 EC2 实例。我的 DNS 记录指向该 IP。但是当我将浏览器指向主机名时,我得到了标准的“连接不受信任”位,带有 ssl_error_bad_cert_domain。端口 443 已打开 - 如果我忽略警告,我可以通过 https 访问该站点。奇怪的是,在技术细节下,它将我尝试访问的域列为有效!

当我尝试使用 SSL 测试站点进行诊断时,他们甚至检测不到证书!

我在这里遗漏了什么?

域名是 yanlj.coinculture.info。注意:我的 coinculture.info 运行在一台没有专用 IP 的家庭服务器上,也遇到了同样的问题,但一旦我弄清楚了这个问题,我就会将其移动到同一个 EC2 实例上。我以为弹性 IP 可以解决问题,但事实并非如此

Nginx 配置:

server {
  listen 443;
  server_name localhost;

  ssl                  on;
  ssl_certificate      /home/ubuntu/certs/startssl/ssl-unified.crt;
  ssl_certificate_key  /home/ubuntu/certs/startssl/ssl.key;

  keepalive_timeout    70;

  #ssl_session_timeout  5m;

  ssl_protocols  SSLv2 SSLv3 TLSv1;
 #ssl_ciphers  HIGH:!aNULL:!MD5;
 #ssl_prefer_server_ciphers   on;

  root /home/ubuntu/programming/YanlJ;
  index index.php index.html;

      location / {
        #try_files $uri $uri/ /index.php;  # this line was causing the index.php file to be loaded twice...
      }

        location ~ \.php$ {
                fastcgi_split_path_info ^(.+\.php)(/.+)$;
                # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini

                # With php5-cgi alone:
                #fastcgi_pass 127.0.0.1:9000;
                # With php5-fpm:
                fastcgi_pass unix:/var/run/php5-fpm.sock;
                fastcgi_index index.php;
                include fastcgi.conf;
        }

  try_files $uri $uri.php $uri.html =404;
}

以及 curl -kv 的结果https:// ELASTIC_IP:

* Rebuilt URL to: https:// 54.186.114.3/ * Hostname was NOT found in DNS cache * Trying 54.186.114.3... * Connected to 54.186.114.3 (54.186.114.3) port 443 (#0) * SSLv3, TLS handshake, Client hello (1): * SSLv3, TLS handshake, Server hello (2): * SSLv3, TLS handshake, CERT (11): * SSLv3, TLS handshake, Server key exchange (12): * SSLv3, TLS handshake, Server finished (14): * SSLv3, TLS handshake, Client key exchange (16): * SSLv3, TLS change cipher, Client hello (1): * SSLv3, TLS handshake, Finished (20): * SSLv3, TLS change cipher, Client hello (1): * SSLv3, TLS handshake, Finished (20): * SSL connection using TLSv1.0 / DHE-RSA-AES256-SHA * Server certificate: * subject: C=CA; ST=Ontario; L=Guelph; O=Ethan Buchman; CN=blog.coinculture.info; [email protected] * start date: 2014-05-29 15:10:52 GMT * expire date: 2016-05-29 10:44:27 GMT * issuer: C=IL; O=StartCom Ltd.; OU=Secure Digital Certificate Signing; CN=StartCom Class 2 Primary Intermediate Server CA * SSL certificate verify ok.

答案1

我看到coinculture.info有五个权威 DNS 服务器。其中三个拒绝解析yanlj.coinculture.info,另外两个给我 IP 地址184.168.221.12。这看起来不像是 EC2 IP 地址。该 IP 地址已注册到 GoDaddy,并且该地址前面似乎有一个损坏的防火墙。当我尝试连接到其上的端口 443 时超时。

  • 名称服务器:NS1.WORDPRESS.COM
  • 名称服务器:NS2.WORDPRESS.COM
  • 名称服务器:NS3.WORDPRESS.COM
  • 名称服务器:NS15.DOMAINCONTROL.COM
  • 名称服务器:NS16.DOMAINCONTROL.COM

相关内容