Browser warns that the certificate is invalid, but then redirects correctly

I am running Apache httpd 2.4 on an AWS instance. I have the following httpd configuration:

<VirtualHost *:443>
    ServerName jenkins.example.com
    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP

    SSLCertificateFile      /var/lib/jenkins/secrets/test-cert.pem
    SSLCertificateKeyFile   /var/lib/jenkins/secrets/test-key.pem
    JkMount /* ajp13
</VirtualHost>

<VirtualHost *:80>
    ServerName jenkins.example.com
    Redirect / https://jenkins.example.com/
</VirtualHost>

<VirtualHost *:80>
    RewriteEngine on
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]
</VirtualHost>

<VirtualHost *:443>
    ServerName backoffice.another-example.com
    SSLEngine on
    SSLProxyEngine On
    SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS

    SSLCertificateFile      /etc/certificates/backoffice.another-example.com/cert.pem
    SSLCertificateChainFile /etc/certificates/backoffice.another-example.com/chain.pem
    SSLCertificateKeyFile   /etc/certificates/backoffice.another-example.com/privkey.pem

    SSLProxyCheckPeerCN Off
    SSLProxyCheckPeerName Off

    Timeout 600
    ProxyTimeout 600
    ProxyRequests off
    ProxyPreserveHost On
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>

    <Location />
        ProxyPass https://localhost:15678/
        ProxyPassReverse https://localhost:15678/
    </Location>
</VirtualHost>

<VirtualHost *:443>
        ServerName another-example.com
        ServerAlias another-example.com

        RewriteEngine on
        RewriteRule (.*) https://www.another-example.com%{REQUEST_URI} [R,L]
</VirtualHost>

<VirtualHost *:443>
    ServerName another-example.com
    ServerAlias *.another-example.com
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLHonorCipherOrder on
    SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS

    SSLCertificateFile      /etc/certificates/another-example.com/cert.pem
    SSLCertificateChainFile /etc/certificates/another-example.com/chain.pem
    SSLCertificateKeyFile   /etc/certificates/another-example.com/privkey.pem

    ProxyRequests off
    ProxyPreserveHost On
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>

    <Location />
        ProxyPass http://localhost:20001/ retry=1 acquire=3000 timeout=600 Keepalive=On
        ProxyPassReverse http://localhost:20001/
        AuthType Basic
        AuthName "Test Servers"
        AuthBasicProvider file
        AuthUserFile /var/www/passwords
        Require user example
    </Location>    
</VirtualHost>

Then, three certificates:

  • another-example.com
  • backoffice.another-example.com
  • jenkins.example.com (self-signed)

Here is the problem: when I go to http://another-example.com or https://another-example.com, I get a NET::ERR_CERT_AUTHORITY_INVALID warning and the browser shows me the self-signed certificate. Then, if I click "Proceed to another-example.com (unsafe)", it takes me to another-example.com (and asks me for authentication credentials), the address bar shows a green padlock, and it tells me the certificate is valid and the connection is private.

If I delete the two jenkins.example.com sections

<VirtualHost *:443>
    ServerName jenkins.example.com
    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP

    SSLCertificateFile      /var/lib/jenkins/secrets/test-cert.pem
    SSLCertificateKeyFile   /var/lib/jenkins/secrets/test-key.pem
    JkMount /* ajp13
</VirtualHost>

<VirtualHost *:80>
    ServerName jenkins.example.com
    Redirect / https://jenkins.example.com/
</VirtualHost>

I still get a different warning, NET::ERR_CERT_COMMON_NAME_INVALID, and the browser shows me the certificate for backoffice.another-example.com. So it is evidently picking up the certificate of the first VirtualHost it comes across, but then it redirects to the correct domain. If I type http://www.another-example.com or https://www.another-example.com

What is going on? How do I avoid the initial invalid-domain certificate warning?
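The behaviour described in the question follows from two separate lookups that Apache performs on the same name: which TLS context to use when the client sends a Server Name Indication (SNI), and which VirtualHost then handles the HTTP request. The following added example (not part of the question or of Apache itself) models both lookups for the :443 blocks in the question, using a deliberately simplified version of Apache's name-based matching: the first block for an address:port is the default, ServerName and ServerAlias are checked in file order, and a block with no certificate of its own leaves the handshake on the default block's context. The certificate subjects and the VHOSTS list are constructed to mirror the posted configuration.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import List, Optional


@dataclass
class VHost:
    """One <VirtualHost *:443> block, reduced to the fields that matter here."""
    server_name: str
    aliases: List[str] = field(default_factory=list)
    # Subject of the certificate this block presents; None when the block has
    # no SSLEngine/SSLCertificateFile of its own (the redirect-only block).
    cert: Optional[str] = None
    role: str = "serve"

    def matches(self, host: str) -> bool:
        host = host.lower()
        if host == self.server_name.lower():
            return True
        # ServerAlias accepts shell-style wildcards such as *.another-example.com
        return any(fnmatchcase(host, alias.lower()) for alias in self.aliases)


def select_vhost(vhosts: List[VHost], host: str) -> VHost:
    """Name-based matching: the first block whose ServerName/ServerAlias matches
    wins; with no match, the first block for the address:port is the default."""
    for vh in vhosts:
        if vh.matches(host):
            return vh
    return vhosts[0]


def served_certificate(vhosts: List[VHost], sni: str) -> Optional[str]:
    """Certificate the client sees. The handshake begins with the default
    (first) block's TLS context and only switches to the SNI-matched block's
    context if that block actually has one (simplified model of mod_ssl)."""
    chosen = select_vhost(vhosts, sni)
    return chosen.cert if chosen.cert is not None else vhosts[0].cert


def blocks_without_tls(vhosts: List[VHost]) -> List[str]:
    """ServerNames of :443 blocks that hand the handshake to the default block,
    i.e. the misconfiguration this question is about."""
    return [vh.server_name for vh in vhosts if vh.cert is None]


# Constructed mirror of the question's :443 blocks, in file order.
VHOSTS = [
    VHost("jenkins.example.com", cert="CN=jenkins.example.com (self-signed)"),
    VHost("backoffice.another-example.com", cert="CN=backoffice.another-example.com"),
    VHost("another-example.com", ["another-example.com"], cert=None, role="redirect to www"),
    VHost("another-example.com", ["*.another-example.com"], cert="CN=another-example.com"),
]


def explain(vhosts: List[VHost], host: str) -> str:
    cert = served_certificate(vhosts, host)
    handler = select_vhost(vhosts, host)
    return f"{host}: TLS cert {cert!r}; request handled by block '{handler.role}'"


if __name__ == "__main__":
    for name in ("another-example.com", "www.another-example.com"):
        print(explain(VHOSTS, name))
    # Drop the jenkins block, as the asker did: the default moves to backoffice.
    print(explain(VHOSTS[1:], "another-example.com"))
    print("blocks lacking their own TLS config:", blocks_without_tls(VHOSTS))
```

Run as a script, the model reproduces each observation in the question: the bare name gets the jenkins certificate but is redirected by the redirect block; removing the jenkins block moves the default to backoffice, hence the changed error; www.another-example.com only matches the wildcard block, which has a certificate, so it is fine.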

Answer 1

Stare at it until you spot the problem.

<VirtualHost *:443>
        ServerName another-example.com
        ServerAlias another-example.com

        <!-- conspicuous hole -->

        RewriteEngine on
        RewriteRule (.*) https://www.another-example.com%{REQUEST_URI} [R,L]
</VirtualHost>

<VirtualHost *:443>
    ServerName another-example.com
    ServerAlias *.another-example.com
...

Where is the SSL certificate configuration for the <VirtualHost *:443> with ServerAlias another-example.com?

I'm not that familiar with Apache, but this really looks like a case of a missing configuration directive being implicitly filled in by unrelated data from higher up in the file. It certainly wouldn't be the first time that has happened, and it would perfectly explain why removing the self-signed certificate changes the error: different unrelated configuration data is being substituted.

All the SSL* configuration from the second section needs to be copied into the first one. At least that's how it looks to me.

When SNI is set to another-example.com, the wrong SSL certificate is served because you basically haven't told it which certificate to serve in that case.
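The redirect-only block with the SSL* directives filled in, as an added example rather than the asker's or the answerer's configuration. It reuses the certificate paths already posted for another-example.com and assumes that certificate lists the bare name another-example.com in its SubjectAltName (a wildcard *.another-example.com alone would not cover it). The redundant ServerAlias repeating the ServerName is dropped.

```apache
# Added example: the bare-name redirect block now owns a TLS context, so the
# SNI lookup for another-example.com no longer falls back to the first
# <VirtualHost *:443> in the file.
<VirtualHost *:443>
    ServerName another-example.com

    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLHonorCipherOrder on
    # Paths as posted in the question; the cert must cover another-example.com (assumption)
    SSLCertificateFile      /etc/certificates/another-example.com/cert.pem
    SSLCertificateChainFile /etc/certificates/another-example.com/chain.pem
    SSLCertificateKeyFile   /etc/certificates/another-example.com/privkey.pem

    RewriteEngine on
    RewriteRule (.*) https://www.another-example.com%{REQUEST_URI} [R,L]
</VirtualHost>
```

After reloading httpd, confirm which certificate each name receives without involving a browser cache: `openssl s_client -connect <server>:443 -servername another-example.com </dev/null 2>/dev/null | openssl x509 -noout -subject -ext subjectAltName` (the -ext option needs OpenSSL 1.1.1 or later); repeat with -servername www.another-example.com and with no -servername at all. The last case shows what any client that sends no SNI gets, which is the first :443 block in the file. In the posted configuration that is the jenkins block, whose SSLCipherSuite string explicitly enables LOW, EXPORT and RC4 suites, so it is worth giving whichever block ends up as the default a current protocol and cipher configuration as well.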
