[更新] - 我把它发到了错误的网站,所以我会把这个主题复制粘贴到 Unix/Linux 社区。所以请删除这个主题!
我已经在我的网络服务器上安装了 SSL 证书,并启用了所有 http 请求到 https 的重定向。到目前为止,当我尝试打开 www.example.com 时,此方法有效,但对于 example.com 则无效。仅供参考,我已将 domain.com 更改为 example.com。我检查了我的access_log和error.log,当我尝试在浏览器中打开 example.com 时,它们均未显示任何新条目。
curl https://example.com
curl: (60) Issuer certificate is invalid.
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
当我对 www.example.com 执行相同的 curl 命令时,我进入了我的网站。我正在使用
-bash-4.2$ hostname
example
-bash-4.2$ hostname -f
example.com
我的主机名/etc/sysconfig/network是示例。我还使用 vhost 文件:
cat /etc/httpd/sites-available/example.conf
<VirtualHost *:80>
ServerName www.example.com
ServerAlias example.com
DocumentRoot /var/www/html
ErrorLog /var/www/html/error.log
CustomLog /var/www/html/requests.log combined
RewriteEngine on
RewriteCond %{SERVER_NAME} =www.example.com [OR]
RewriteCond %{SERVER_NAME} =example.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]
</VirtualHost>
并在 httpd.conf 中我已设置为从中加载配置文件/etc/httpd/sites-available/*.conf
另一个问题是,当我尝试安装 Cpanel 时,它出现以下错误:
2017-03-15 14:10:39 501 ( INFO): Validating that the system hostname ('example') is a FQDN...
2017-03-15 14:10:39 507 (ERROR):
2017-03-15 14:10:39 508 (ERROR): ********************* ERROR *********************
2017-03-15 14:10:39 509 (ERROR):
2017-03-15 14:10:39 510 (ERROR): Your hostname (example) is invalid, and must be
2017-03-15 14:10:39 511 (ERROR): set to a fully qualified domain name before installing cPanel.
2017-03-15 14:10:39 512 (ERROR):
2017-03-15 14:10:39 513 (ERROR): A fully qualified domain name must contain two dots, and consists of two parts: the hostname and the domain name.
2017-03-15 14:10:39 514 (ERROR): You can update your hostname by running `hostname your-hostname.example.com`, then re-running the installer.
2017-03-15 14:10:39 516 (ERROR): ********************* ERROR *********************
2017-03-15 14:10:39 517 (FATAL): Exiting...
Removing /root/installer.lock.
这是我的 SSL VHOST 文件,由 let's encrypt 自动生成:
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName www.example.com
ServerAlias example.com
DocumentRoot /var/www/html
ErrorLog /var/www/html/error.log
CustomLog /var/www/html/requests.log combined
RewriteEngine on
SSLCertificateFile /etc/letsencrypt/live/example.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateChainFile /etc/letsencrypt/live/example.com/chain.pem
</VirtualHost>
</IfModule>
更多调试信息:
curl -l example.com
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="https://example.com/">here</a>.</p>
</body></html>
curl https://example.com
curl: (60) Issuer certificate is invalid.
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
curl -l www.example.com
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="https://www.example.com/">here</a>.</p>
</body></html>
当我运行时,curl -l https://www.example.com我的网站正在加载,这意味着它正在通过 SSL 证书检查,问题只出在 example.com 证书上。所以我猜我的 VHOST 文件完全乱了。我尝试重新安装它们,但我认为没有用。
答案1
经过深入调查,问题似乎在于对 example.com 的请求使用了在 中定义的默认 ssl 证书/etc/httpd/conf.d/ssl.conf,因此我注释了包含密钥、证书本身和链文件的三行,并添加了 let's encrypt 证书的路径
SSLCertificateFile /etc/letsencrypt/live/example.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/example.com/chain.pem
然后我重新加载了 httpd 服务并使用以下命令检查状态:
https://www.ssllabs.com/ssltest/analyze.html?d=example.com https://www.ssllabs.com/ssltest/analyze.html?d=www.example.com
您还可以使用以下方法检查您的 SSL 证书:
openssl rsa -in privateKey.key -check
openssl x509 -in certificate.crt -text -noout
您可以使用以下方法检查您的 SSL 证书:
openssl s_client -connect www.example.com:443
openssl s_client -connect example.com:443
因此,当我比较两个证书时,我发现 example.com 正在使用 localhost.crt 证书,然后我发出了一个 find 命令来查找此证书的配置位置,并发现它仅在 ssl.conf 文件中配置,所以这就是我解决问题的方法。