Debian server SSL certificate configuration returns err_ssl_protocol_error

I ran into a problem configuring HTTPS for a website running on my Debian server.

The error shown by Google Chrome is:

err_ssl_protocol_error

This is my configuration:

/etc/apache2/ports.conf

NameVirtualHost *:80
Listen 80

<IfModule mod_ssl.c>
        Listen 443 http
</IfModule>

<IfModule mod_gnutls.c>
    Listen 443
</IfModule>

/etc/apache2/enabled-sites/000-default

<VirtualHost *:443>

 ## Anything matching this host should be silently ignored.
<Location />
Order Allow,Deny
Allow from all
</Location>
</VirtualHost>

/etc/apache2/enabled-sites/site

<VirtualHost *:80>

ServerName domain.be
ServerAlias domain.be www.domain.be www.domain.eu  test.domain.be
ServerAdmin webmaster@localhost

    DocumentRoot /var/www/htdocs/site
    <Directory />
            Options FollowSymLinks
            AllowOverride none
    </Directory>
    <Directory /var/www/htdocs/mds>
            Options  FollowSymLinks MultiViews
            AllowOverride all
            Order allow,deny
            allow from all
    </Directory>


    ErrorLog ${APACHE_LOG_DIR}/error.log

    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn

    CustomLog ${APACHE_LOG_DIR}/access.log combined
<IfModule mpm_itk_module>
AssignUserId domain domain
</IfModule>
</VirtualHost>

/etc/apache2/enabled-sites/site-ssl

<IfModule mod_ssl.c>

NameVirtualHost *:443
<VirtualHost *:443>
        ServerAdmin webmaster@localhost
        ServerName www.domain.be
        ServerAlias *.domain.be

        DocumentRoot /var/www/htdocs/site
        <Directory />
                Options FollowSymLinks
                AllowOverride none
        </Directory>
        <Directory /var/www/htdocs/mds>
                Options FollowSymLinks MultiViews
                AllowOverride all
                Order allow,deny
                allow from all
        </Directory>

        ErrorLog ${APACHE_LOG_DIR}/error.log


        LogLevel warn

        CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined

        SSLEngine on

        SSLProtocol all -SSLv2 -SSLv3
        SSLCompression off
        SSLCipherSuite AES128+EECDH:AES128+EDH

        SSLCertificateFile    /etc/ssl/apache/certs/domain2.crt
        SSLCertificateKeyFile   /etc/ssl/apache/private/domain2.key

          SSLCertificateChainFile /etc/ssl/apache/certs/global.crt


        <FilesMatch "\.(cgi|shtml|phtml|php)$">

#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire

     SSLOptions +StdEnvVars
        </FilesMatch>
        BrowserMatch "MSIE [2-6]" \
                nokeepalive ssl-unclean-shutdown \
                downgrade-1.0 force-response-1.0

        BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
<IfModule mpm_itk_module>
AssignUserId mds mds
</IfModule>
</VirtualHost>

<VirtualHost *:443>
        ServerAdmin webmaster@localhost
        ServerName www.domain.eu
        ServerAlias *.domain.eu

        DocumentRoot /var/www/htdocs/mds
        <Directory />
                Options FollowSymLinks
                AllowOverride none
        </Directory>
        <Directory /var/www/htdocs/mds>
                Options FollowSymLinks MultiViews
                AllowOverride all
                Order allow,deny
                allow from all
        </Directory>

        ErrorLog ${APACHE_LOG_DIR}/error.log


        LogLevel warn

        CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined

        SSLEngine on

        SSLProtocol all -SSLv2 -SSLv3
        SSLCompression off
        SSLCipherSuite AES128+EECDH:AES128+EDH


        SSLCertificateFile    /etc/ssl/apache/certs/domain2.crt
        SSLCertificateKeyFile   /etc/ssl/apache/private/domain2.key

        SSLCertificateChainFile /etc/ssl/apache/certs/global.crt

        #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
        <FilesMatch "\.(cgi|shtml|phtml|php)$">
                SSLOptions +StdEnvVars
        </FilesMatch>
        BrowserMatch "MSIE [2-6]" \
                nokeepalive ssl-unclean-shutdown \
                downgrade-1.0 force-response-1.0

        BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
<IfModule mpm_itk_module>
AssignUserId mds mds
</IfModule>
</VirtualHost>
</IfModule>

I also have these errors in my log:

[Wed May 30 12:03:13 2018] [warn] Init: (Server.domain.local:443) You configured HTTP(80) on the standard HTTPS(443) port!
[Wed May 30 12:03:13 2018] [warn] Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
[Wed May 30 12:03:14 2018] [notice] Apache/2.2.22 (Debian) PHP/5.4.45-0+deb7u14 mod_ssl/2.2.22 OpenSSL/1.0.1t configured -- resuming normal operations

Where could my problem be?

Answer 1

The log message from the server shows the cause of the problem:

... [warn] ... You configured HTTP(80) on the standard HTTPS(443) port!

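This means that a request for https://... in the browser will connect over TCP to port 443 (the default port for HTTPS) and then try to start the HTTPS request by initiating an SSL handshake. The handshake will fail because your server expects only plain HTTP on this port, not HTTPS, and therefore does not expect an SSL handshake, so it will either drop the handshake or send some plain HTTP "Bad Request" as the response. This in turn is unexpected by the client, which then shows an SSL problem in the browser.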

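The cause of this misconfiguration is probably that you have some listener on port 443 in /etc/apache2/enabled-sites/000-default but have not enabled SSL for it. That you have enabled another listener on port 443 in /etc/apache2/enabled-sites/site-ssl does not help either, because on the same IP and the same port you can use either SSL (i.e. HTTPS) or no SSL (i.e. plain HTTP), but not both.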

What you probably need to do is enable SSL in /etc/apache2/enabled-sites/000-default and add some certificates there (you could probably use the site-specific ones).
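As an added example (not part of the original question or answer), the following Python sketch scans Apache configuration text for the two things that make port 443 speak plain HTTP: a `Listen 443` line with a non-HTTPS protocol argument, and a `<VirtualHost ...:443>` block without `SSLEngine on`. The names `audit` and `SAMPLE` are hypothetical, the sample input is constructed from the configuration in the question, and `<IfModule>` wrappers are assumed to be active.

```python
import re

# Constructed sample modelled on the question's files (file names as in the answer).
SAMPLE = {
    "ports.conf": "Listen 80\n<IfModule mod_ssl.c>\n    Listen 443 http\n</IfModule>\n",
    "000-default": "<VirtualHost *:443>\n<Location />\nAllow from all\n</Location>\n</VirtualHost>\n",
    "site-ssl": "<VirtualHost *:443>\n    ServerName www.domain.be\n    SSLEngine on\n</VirtualHost>\n",
}

LISTEN = re.compile(r"Listen\s+(?:\S+:)?(\d+)(?:\s+(\S+))?$", re.I)
VHOST_OPEN = re.compile(r"<VirtualHost\s+([^>]+)>", re.I)
VHOST_CLOSE = re.compile(r"</VirtualHost\s*>", re.I)
SSL_ON = re.compile(r"SSLEngine\s+on\b", re.I)


def audit(files, port="443"):
    """Return (file, line, message) for each item that makes `port` speak plain HTTP.

    Simplification (assumption): <IfModule> wrappers are ignored, so every
    block is treated as active.
    """
    findings = []
    for name, text in files.items():
        vhost = None  # [opening line number, SSLEngine seen] while inside a vhost on `port`
        for no, raw in enumerate(text.splitlines(), 1):
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            listen = LISTEN.match(line)
            opened = VHOST_OPEN.match(line)
            # A Listen line without a protocol argument defaults to https on 443.
            if listen and listen.group(1) == port and (listen.group(2) or "https").lower() != "https":
                findings.append((name, no, f"Listen {port} declared as '{listen.group(2)}'"))
            elif opened and any(a.endswith(":" + port) for a in opened.group(1).split()):
                vhost = [no, False]
            elif vhost and SSL_ON.match(line):
                vhost[1] = True
            elif vhost and VHOST_CLOSE.match(line):
                if not vhost[1]:
                    findings.append((name, vhost[0], f"VirtualHost on :{port} without 'SSLEngine on'"))
                vhost = None
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("%s:%d: %s" % finding)
```
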
