I have three hosts on the same server (single IP):
domain1.com
domain2.com
domain3.com
Each of them is supposed to use a Let's Encrypt certificate that was recently issued, in April 2017.
However, the server occasionally seems to serve old (expired) certificates. In the case of domain1.com, it serves a StartSSL certificate that is actually still valid (July 2016 to July 2017), while the other two hosts serve Let's Encrypt certificates that have been expired since January 2017.
Here is basically how each host is set up for certbot (with a different hostname, of course):
<VirtualHost *:443>
    ServerName domain1.com
    ServerAlias www.domain1.com
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
    SSLHonorCipherOrder on
    SSLCompression off
    SSLOptions +StrictRequire
    SSLCertificateFile /etc/letsencrypt/live/domain1.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/domain1.com/privkey.pem
    DocumentRoot /opt/lucee/tomcat/webapps/domain1.com/
    <IfModule mod_headers.c>
        RequestHeader set HTTPS "1"
    </IfModule>
    <IfModule mod_proxy.c>
        ProxyPassMatch ^/(.*)$ http://127.0.0.1:8500/$1
    </IfModule>
    CustomLog ${APACHE_LOG_DIR}/access.log custom_access
</VirtualHost>
fullchain.pem and privkey.pem are symlinks pointing to the newest (highest-numbered) files in each host's archive folder. I resolved the links and they look fine.
# apache2ctl -S
VirtualHost configuration:
*:80 is a NameVirtualHost
default server localhost (/etc/apache2/sites-enabled/000-default.conf:1)
port 80 namevhost localhost (/etc/apache2/sites-enabled/000-default.conf:1)
port 80 namevhost domain1.com (/etc/apache2/sites-enabled/000-default.conf:8)
alias www.domain1.com
port 80 namevhost domain2.com (/etc/apache2/sites-enabled/000-default.conf:17)
alias www.domain2.com
port 80 namevhost domain3.com (/etc/apache2/sites-enabled/000-default.conf:26)
alias www.domain3.com
port 80 namevhost www.domain2.com (/etc/apache2/sites-enabled/000-default.conf:35)
alias domain2.com
port 80 namevhost forum.domain2.com (/etc/apache2/sites-enabled/000-default.conf:44)
port 80 namevhost downloads.domain2.com (/etc/apache2/sites-enabled/000-default.conf:69)
port 80 namevhost images.domain2.com (/etc/apache2/sites-enabled/000-default.conf:82)
*:443 is a NameVirtualHost
default server domain1.com (/etc/apache2/sites-enabled/001-domain1.com.conf:3)
port 443 namevhost domain1.com (/etc/apache2/sites-enabled/001-domain1.com.conf:3)
alias www.domain1.com
port 443 namevhost www.domain2.com (/etc/apache2/sites-enabled/002-www.domain2.com.conf:3)
alias domain2.com
port 443 namevhost domain3.com (/etc/apache2/sites-enabled/003-domain3.com.conf:3)
alias www.domain3.com
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex default: dir="/var/lock/apache2" mechanism=fcntl
Mutex mpm-accept: using_defaults
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex ssl-stapling: using_defaults
Mutex proxy: using_defaults
Mutex ssl-cache: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33
Group: name="www-data" id=33
# certbot certificates
-------------------------------------------------------------------------------
Found the following certs:
Certificate Name: www.domain2.com
Domains: www.domain2.com
Expiry Date: 2017-07-02 23:03:00+00:00 (VALID: 75 days)
Certificate Path: /etc/letsencrypt/live/www.domain2.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/www.domain2.com/privkey.pem
Certificate Name: domain3.com
Domains: domain3.com
Expiry Date: 2017-07-02 23:01:00+00:00 (VALID: 75 days)
Certificate Path: /etc/letsencrypt/live/domain3.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/domain3.com/privkey.pem
Certificate Name: domain1.com
Domains: domain1.com
Expiry Date: 2017-07-02 23:03:00+00:00 (VALID: 75 days)
Certificate Path: /etc/letsencrypt/live/domain1.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/domain1.com/privkey.pem
-------------------------------------------------------------------------------
What could be the problem here? I had always assumed that the server returns the different certificates because of SNI, but why would Apache HTTPD mix up the different certificates? Where are these certificates coming from? (Yes, I have restarted and reloaded Apache several times.)
Answer 1
I found the cause. I was running multiple Apache instances. Restarting/reloading from the terminal only restarted some of them. That explains why sometimes the old certificate was served and sometimes the new one. I had to kill all the processes to get the new certificate, and now it works again.
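The check that makes this kind of problem visible, as an added example that is not part of the original question or answer: for each SNI name, compare the fingerprint of the leaf certificate the listener on this box actually presents with the certificate certbot has on disk, and list every process holding port 443 together with the start time of every Apache process, so an instance that a reload never reached stands out. The host names, the port and the /etc/letsencrypt paths are assumptions taken from the question above; the script relies only on openssl, ss (or netstat) and ps.

```shell
#!/bin/sh
# Added example, not from the original post. Per SNI name it verifies that the
# certificate served on this machine is the one certbot wrote to disk, and shows
# who is listening on :443 so a stale Apache instance (the cause in the answer)
# is visible. Host names, port and paths are assumptions taken from the question.

# SHA-256 fingerprint of the first certificate in a PEM file (for fullchain.pem
# that is the leaf), printed as lowercase hex without colons.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null \
        | sed 's/^.*=//' | tr -d ':' | tr 'A-F' 'a-f'
}

# Fingerprint of the leaf certificate a server presents for an SNI name.
# $1 = SNI name, $2 = host:port. Connecting to 127.0.0.1:443 bypasses DNS and
# tests the listener on this box, not whatever the name currently resolves to.
served_fingerprint() {
    printf '' | openssl s_client -servername "$1" -connect "$2" 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 2>/dev/null \
        | sed 's/^.*=//' | tr -d ':' | tr 'A-F' 'a-f'
}

# Compare two fingerprints in any case, with or without colons.
# Returns 0 on a match; an empty fingerprint (connection failed) never matches.
fingerprints_match() {
    fm_a=$(printf '%s' "$1" | tr -d ':' | tr 'A-F' 'a-f')
    fm_b=$(printf '%s' "$2" | tr -d ':' | tr 'A-F' 'a-f')
    [ -n "$fm_a" ] && [ "$fm_a" = "$fm_b" ]
}

# $1 = SNI name, $2 = host:port, $3 = fullchain.pem on disk.
# Prints OK or MISMATCH; on a mismatch also shows issuer and validity of what is served.
check_vhost() {
    cv_disk=$(cert_fingerprint "$3")
    cv_live=$(served_fingerprint "$1" "$2")
    if fingerprints_match "$cv_disk" "$cv_live"; then
        echo "OK       $1 serves $3"
    else
        echo "MISMATCH $1: served=${cv_live:-<none>} disk=$cv_disk"
        printf '' | openssl s_client -servername "$1" -connect "$2" 2>/dev/null \
            | openssl x509 -noout -subject -issuer -dates 2>/dev/null
        return 1
    fi
}

# Processes bound to :443 and every Apache process with its start time.
# More than one listener, or a parent process whose start time predates the
# last reload, is the "several instances" situation described in the answer.
show_instances() {
    echo '--- listeners on :443'
    ss -ltnp 'sport = :443' 2>/dev/null || netstat -ltnp 2>/dev/null | grep ':443 '
    echo '--- apache processes (pid, parent, start time, command)'
    ps -eo pid,ppid,lstart,cmd | grep -E '[a]pache2|[h]ttpd' || echo 'none found'
}

main() {
    show_instances
    rc=0
    # Names match the "Certificate Name" entries in the certbot listing above.
    for name in domain1.com www.domain2.com domain3.com; do
        check_vhost "$name" 127.0.0.1:443 "/etc/letsencrypt/live/$name/fullchain.pem" || rc=1
    done
    return $rc
}

# Run the checks only when asked, so the functions can also be sourced elsewhere.
if [ "${1:-}" = "--check" ]; then main; fi
```

Run it as `sh check-certs.sh --check` on the server itself right after a reload. A MISMATCH for a name whose disk fingerprint is correct means the listener answering that SNI name is not the process you just reloaded; the `ps` output then tells you which Apache parent is older than the reload and needs to be stopped.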