服务器:Ubuntu,nginx。
example.com我在 namecheap.com 注册了一个域名,并在 DigitalOcean 进行了配置。我有子域名CNAME的记录www:
www.example.com. 1800 IN CNAME example.com.
这是我的/etc/nginx/sites-enabled/default文件内容:
# HTTP - redirect all requests to HTTPS
server {
listen 80;
listen [::]:80 default_server ipv6only=on;
return 301 https://$host$request_uri;
}
# HTTPS - serve HTML from /usr/share/nginx/html, proxy requests to /parse/
# through to Parse Server
server {
listen 80;
server_name www.example.com;
return 301 https://example.com$request_uri;
}
server {
listen 443;
server_name example.com;
root /home/example/website;
index index.html index.htm;
ssl on;
# Use certificate and key provided by Let's Encrypt:
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
ssl_session_timeout 5m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
# Config (http://www.westphahl.net/blog/2012/01/03/setting-up-https-with-nginx-and-startssl/)
add_header Strict-Transport-Security max-age=31536000;
add_header X-Frame-Options DENY;
# Pass requests for /parse/ to Parse Server instance at localhost:1337
location /parse/ {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-NginX-Proxy true;
proxy_pass http://localhost:1337/;
proxy_ssl_session_reuse off;
proxy_set_header Host $http_host;
proxy_redirect off;
}
location / {
try_files $uri $uri/ =404;
}
}
但是,当我尝试打开www.example.comFirefox 时显示SSL_ERROR_BAD_CERT_DOMAIN“您的连接不安全”错误。
如何修复?
回答:感谢所有建议者,向www子域名颁发 SSL 证书已解决问题。
以下是 Let's Encrypt 的命令:
./letsencrypt-auto certonly --standalone -d example.com -d www.example.com
答案1
Chrome 警告页面的输出
该服务器无法证明它是www.example.com;其安全证书来自示例.com。这可能是由于配置错误或攻击者拦截您的连接造成的。
证书已颁发给顶级域名 ,example.com但尚未颁发给子域名www.exmample.com。
如果 SSL 发行机构表示他们应该向您提供 www,请向他们查询更多信息。
请注意,此警告出现在 SSL 握手级别,并且是在请求到达 nginx 服务器进行处理之前。