我在负载均衡器后面有 2 台 AWS CentOS 机器。它们都是从同一个 AMI 映像启动的,目录中的内容也都相同/etc/pki。当我运行此命令时,它们具有相同的 Apache 配置文件
openssl s_client -connect app.eventstag.com:443 -showcerts < /dev/null
在一台服务器上我收到这个响应说certificate has expired
[ec2-user@ip-10-0-1-229 ~]$ openssl s_client -connect app.eventstag.com:443 -showcerts < /dev/null
CONNECTED(00000003)
depth=0 C = --, ST = SomeState, L = SomeCity, O = SomeOrganization, OU = SomeOrganizationalUnit, CN = ip-10-35-175-109, emailAddress = root@ip-10-35-175-109
verify error:num=18:self signed certificate
verify return:1
depth=0 C = --, ST = SomeState, L = SomeCity, O = SomeOrganization, OU = SomeOrganizationalUnit, CN = ip-10-35-175-109, emailAddress = root@ip-10-35-175-109
verify error:num=10:certificate has expired
notAfter=Oct 2 15:00:28 2014 GMT
verify return:1
depth=0 C = --, ST = SomeState, L = SomeCity, O = SomeOrganization, OU = SomeOrganizationalUnit, CN = ip-10-35-175-109, emailAddress = root@ip-10-35-175-109
notAfter=Oct 2 15:00:28 2014 GMT
verify return:1
---
Certificate chain
0 s:/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=ip-10-35-175-109/emailAddress=root@ip-10-35-175-109
i:/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=ip-10-35-175-109/emailAddress=root@ip-10-35-175-109
-----BEGIN CERTIFICATE-----
MIIDKzCCAp ... etc ... FnTU0pdDnlA9o9U=
-----END CERTIFICATE-----
---
Server certificate
subject=/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=ip-10-35-175-109/emailAddress=root@ip-10-35-175-109
issuer=/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=ip-10-35-175-109/emailAddress=root@ip-10-35-175-109
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1378 bytes and written 415 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID: 4E... etc ... 9FC
Session-ID-ctx:
Master-Key: B463... etc ... EE28
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - 64 d6 ae 1a e2 bb d4 98-67 c0 96 a9 7b 00 85 a7 d.......g...{...
... etc ...
00b0 - 20 b4 ce b8 2e b3 a3 60-87 c1 f2 52 3d 8a ee 9b ......`...R=...
Start Time: 1523527409
Timeout : 300 (sec)
Verify return code: 10 (certificate has expired)
---
DONE
在第二台服务器上使用完全相同的命令,我得到了这个结果,表明证书是ok
[ec2-user@ip-10-0-1-213 ~]$ openssl s_client -connect app.eventstag.com:443 -showcerts < /dev/null
CONNECTED(00000003)
depth=3 C = US, O = "The Go Daddy Group, Inc.", OU = Go Daddy Class 2 Certification Authority
verify return:1
depth=2 C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", CN = Go Daddy Root Certificate Authority - G2
verify return:1
depth=1 C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certs.godaddy.com/repository/, CN = Go Daddy Secure Certificate Authority - G2
verify return:1
depth=0 OU = Domain Control Validated, CN = *.eventstag.com
verify return:1
---
Certificate chain
0 s:/OU=Domain Control Validated/CN=*.eventstag.com
i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
-----BEGIN CERTIFICATE-----
MIIF ... etc ... xIg=
-----END CERTIFICATE-----
1 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2
-----BEGIN CERTIFICATE-----
MIIE ... etc ... 8BDAB
-----END CERTIFICATE-----
2 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2
i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
-----BEGIN CERTIFICATE-----
MIIE ... etc ... jDCm
rw==
-----END CERTIFICATE-----
3 s:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
-----BEGIN CERTIFICATE-----
MIIE ... etc ... /bvZ8=
-----END CERTIFICATE-----
---
Server certificate
subject=/OU=Domain Control Validated/CN=*.eventstag.com
issuer=/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 5267 bytes and written 415 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID: B8 ... etc ... 1CB
Session-ID-ctx:
Master-Key: B4 ... etc ... 5F0D
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1523535812
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
DONE
在浏览器中查看证书时也没有问题。看起来第一台服务器正在尝试使用很久以前创建的自签名证书,但我不知道它在哪里或为什么使用它,或者如何更改它?
答案1
请参阅/etc/httpd/conf.d/ssl.conf和以<VirtualHost>获取app.eventstag.comSSL 配置指令。在 AWS 上,这应该默认指向/etc/pki:
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
然而,如果这一点已经改变,证书和密钥可能会被存储在其他地方,使得内容变得/etc/pki无关紧要。
如果你不确定这是在哪里配置的,请让命令的输出sudo apachectl -S指导你:你可以看到文件和相应配置开始的行,例如
*:443 is a NameVirtualHost
default server example.com (/etc/path/to/file.conf:line)
port 443 namevhost app.example.com (/etc/path/to/file.conf:line)
答案2
事实证明,其中一台服务器上的 hosts 文件指向自身,而另一台服务器上的 hosts 文件已被注释掉。这意味着,正常工作的服务器指向负载平衡器上的证书,而另一台服务器则直接指向证书未正确设置的 localhost。