我有一个域名ambroise-rabier.fr,并且想添加一个域名analytics.ambroise-rabier.fr,也是在 https 中。
在 Chrome 上我得到了隐私错误,除非我ambroise-rabier.fr在每个 server_name 键中重复值。但是nginx 投诉和conflicting server name "ambroise-rabier.fr"。
配置如下:
server {
listen 80;
listen [::]:80;
server_name ambroise-rabier.fr www.ambroise-rabier.fr analytics.ambroise-rabier.fr;
location ~ /.well-known/acme-challenge {
allow all;
root /var/www/html;
}
location / {
rewrite ^ https://$host$request_uri? permanent;
}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name ambroise-rabier.fr www.ambroise-rabier.fr;
server_tokens off;
ssl_certificate /etc/letsencrypt/live/ambroise-rabier.fr/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/ambroise-rabier.fr/privkey.pem;
ssl_buffer_size 8k;
ssl_dhparam /etc/ssl/certs/dhparam-2048.pem;
ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
ssl_prefer_server_ciphers on;
ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;
ssl_ecdh_curve secp384r1;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8;
location / {
# ...
}
root /var/www/html/blog-front/dist/blog-front;
index index.html index.htm index.nginx-debian.html;
}
# See also https://www.digitalocean.com/community/tutorials/how-to-secure-a-containerized-node-js-application-with-nginx-let-s-encrypt-and-docker-compose
# Se also https://github.com/matomo-org/matomo-nginx/blob/master/sites-available/matomo.conf
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name ambroise-rabier.fr analytics.ambroise-rabier.fr;
server_tokens off;
ssl_certificate /etc/letsencrypt/live/ambroise-rabier.fr/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/ambroise-rabier.fr/privkey.pem;
ssl_buffer_size 8k;
ssl_dhparam /etc/ssl/certs/dhparam-2048.pem;
ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
ssl_prefer_server_ciphers on;
ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;
ssl_ecdh_curve secp384r1;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8;
root /var/www/html/matomo;
index index.php;
# make sure outgoing links don't show the URL to the Matomo instance
add_header Referrer-Policy origin;
location / {
# ...
}
}
# vim: filetype=nginx
同样,如果我ambroise-rabier.fr从中删除server_name ambroise-rabier.fr analytics.ambroise-rabier.fr;,nginx 配置不会抛出任何警告。但我得到了隐私错误在 Chrome 上(情况更糟)。使用我当前的解决方法,我怀疑某些资源可能analytics.ambroise-rabier.fr由于重复的 server_name 而无法正常加载。而且应该有一个正确的方法来实现这一点。
我正在使用 docker 和 Let's Encrypt 证书(遵循数字海洋教程),我使用此命令:。certonly --webroot --webroot-path=/var/www/html --email [email protected] --agree-tos --no-eff-email --force-renewal -d ambroise-rabier.fr -d www.ambroise-rabier.fr -d analytics.ambroise-rabier.fr
该命令的输出:
ambroise@vps318592:~/node_project$ docker-compose up certbot
db is up-to-date
nodejs is up-to-date
webserver is up-to-date
Recreating certbot ... done
Attaching to certbot
certbot | Saving debug log to /var/log/letsencrypt/letsencrypt.log
certbot | Plugins selected: Authenticator webroot, Installer None
certbot | Renewing an existing certificate
certbot | IMPORTANT NOTES:
certbot | - Congratulations! Your certificate and chain have been saved at:
certbot | /etc/letsencrypt/live/ambroise-rabier.fr/fullchain.pem
certbot | Your key file has been saved at:
certbot | /etc/letsencrypt/live/ambroise-rabier.fr/privkey.pem
certbot | Your cert will expire on 2019-09-19. To obtain a new or tweaked
certbot | version of this certificate in the future, simply run certbot
certbot | again. To non-interactively renew *all* of your certificates, run
certbot | "certbot renew"
certbot | - If you like Certbot, please consider supporting our work by:
certbot |
certbot | Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
certbot | Donating to EFF: https://eff.org/donate-le
certbot |
certbot exited with code 0
答案1
听起来像是 SSL 证书问题。您可以检查证书中是否analytics.ambroise-rabier.fr存在 SAN 吗?尝试--expand在生成证书时添加选项。
--expand 指示 Certbot 使用包含所有旧域名和一个或多个其他新域名的新证书来更新现有证书。使用 --expand 选项,使用 -d 选项指定所有现有域名和一个或多个新域名。
来源:https://certbot.eff.org/docs/using.html#re-creating-and-updating-existing-certificates