我有一个在子域上运行的服务器,配置如下:
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name x.example.com;
return 301 https://$server_name$request_uri;
}
server {
listen 443 ssl;
listen [::]:443 ssl;
<ssl configuration from https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.6.2&openssl=1.0.1t&hsts=no&profile=modern>
ssl_client_certificate /etc/ssl/certs/root-ca.crt;
ssl_verify_client on;
ssl_verify_depth 2;
root /var/www/html;
index index.html index.htm;
location / {
try_files $uri $uri/ =404;
}
}
目前,我使用自己的根 CA 进行客户端验证,并将其作为服务器的主证书。我想过渡到使用 Let's Encrypt 证书,但这会带来一个问题,因为 Let's Encrypt 验证过程需要访问x.example.com/.well-known并且没有匹配的客户端证书。
我尝试按照建议添加第二个服务器块这里,但我还没能让它工作:
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name x.example.com;
<same Mozilla configuration--I've got it stored as a snippet>
ssl_verify_client off;
root /var/www/html;
index index.html index.htm;
location /.well-known {
try_files $uri $uri/ =404;
}
}
什么是适当的方法来做到这一点?
答案1
Let's Encrypt 不会在 HTTPS 上寻找挑战,因此您可以简单地设置如下内容:
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name x.example.com;
location /.well-known {
try_files $uri $uri/ =404;
}
location / {
return 301 https://$server_name$request_uri;
}
}
server {
listen 443 ssl;
listen [::]:443 ssl;
<ssl configuration from https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.6.2&openssl=1.0.1t&hsts=no&profile=modern>
ssl_client_certificate /etc/ssl/certs/root-ca.crt;
ssl_verify_client on;
ssl_verify_depth 2;
root /var/www/html;
index index.html index.htm;
location / {
try_files $uri $uri/ =404;
}
}