Qualys SSL test reports a second certificate for the domain, but I can't find it

When I run my domain through Qualys' SSL test, its main complaint is a second SSL certificate installed for the domain. However, I have gone through every configuration I can think of and can't figure out why a second certificate is being sent.

I'm running nginx (just updated to 1.16.1) on Debian 10 buster, and all my certificates are issued by Let's Encrypt via certbot.

The domain in question is med.mydomain.de; the test reports the certificate for that domain (marked as trusted) plus a second certificate issued for the domain app.mydomain.de (marked as not trusted).

When I check the domain app.mydomain.de itself with the SSL tester, it shows only one SSL certificate.

This is the output of certbot certificates:

Found the following certs:
  Certificate Name: app.mydomain.de
    Domains: app.mydomain.de
    Expiry Date: 2020-04-11 12:15:31+00:00 (VALID: 77 days)
    Certificate Path: /etc/letsencrypt/live/app.mydomain.de/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/app.mydomain.de/privkey.pem
  Certificate Name: backend.mydomain.de
    Domains: backend.mydomain.de
    Expiry Date: 2020-04-23 13:22:39+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/backend.mydomain.de/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/backend.mydomain.de/privkey.pem
  Certificate Name: med.mydomain.de
    Domains: med.mydomain.de
    Expiry Date: 2020-04-11 10:45:46+00:00 (VALID: 77 days)
    Certificate Path: /etc/letsencrypt/live/med.mydomain.de/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/med.mydomain.de/privkey.pem
  Certificate Name: rest.mydomain.de
    Domains: rest.mydomain.de
    Expiry Date: 2020-04-11 12:15:51+00:00 (VALID: 77 days)
    Certificate Path: /etc/letsencrypt/live/rest.mydomain.de/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/rest.mydomain.de/privkey.pem
  Certificate Name: webhook.mydomain.de
    Domains: webhook.mydomain.de
    Expiry Date: 2020-04-11 12:15:59+00:00 (VALID: 77 days)
    Certificate Path: /etc/letsencrypt/live/webhook.mydomain.de/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/webhook.mydomain.de/privkey.pem

This is the global nginx.conf:

user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
    worker_connections 768;
    # multi_accept on;
}

http {

    ##
    # Basic Settings
    ##

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    server_tokens off;

    # server_names_hash_bucket_size 64;
    # server_name_in_redirect off;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    ##
    # SSL Settings
    ##

    ssl_protocols TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
    ssl_ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA512:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:ECDH+AESGCM:ECDH+AES256:DH+AESGCM:DH+AES256:RSA+AESGCM:!aNULL:!eNULL:!LOW:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS;
    ssl_prefer_server_ciphers on;

    ##
    # Logging Settings
    ##

    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    ##
    # Gzip Settings
    ##

    gzip on;

    # gzip_vary on;
    # gzip_proxied any;
    # gzip_comp_level 6;
    # gzip_buffers 16 8k;
    # gzip_http_version 1.1;
    # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

    ##
    # Virtual Host Configs
    ##

    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;

    add_header X-Frame-Options "sameorigin";
}

This is the nginx config for the server in question:

server {

    root /usr/share/nginx/sites/w_backend/public;
    index index.php index.html;

    server_name med.mydomain.de backend.mydomain.de;

    location / {
        try_files $uri $uri.html $uri/ @extensionless-php;
    }

    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/var/run/php/php7.3-fpm-w_backend.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param FULL_DIRECTORY /usr/share/nginx/sites/;
        fastcgi_param GLOBAL_CONF_PATH /srv/conf/;
        include fastcgi_params;
    }

    location @extensionless-php {
        rewrite ^(.*)$ $1.php last;
    }

    listen 443 ssl;
    listen [::]:443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/med.mydomain.de/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/med.mydomain.de/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}
server {
    if ($host = backend.mydomain.de) {
        return 301 https://med.mydomain.de$request_uri;
    } # managed by Certbot
    if ($host = med.mydomain.de) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    listen [::]:80;

    server_name med.mydomain.de backend.mydomain.de;
    return 404; # managed by Certbot


}

Can anyone give me some pointers? Which certbot options should I check?

Answer 1

Could it be that Qualys uses older browsers that don't support SNI? In that case the browser doesn't know which certificate is the right one, so it shows the second, untrusted certificate. That would also explain why you only see the correct certificate when you check in your own browser, since your browser does support SNI.
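The SNI behaviour the answer describes comes down to which server block nginx treats as the default for the 443 socket: when no block carries default_server, nginx uses the first block loaded for that socket, and `include /etc/nginx/sites-enabled/*;` loads files in alphabetical order, so a vhost file for app.mydomain.de is loaded before the one for med.mydomain.de. The script below is an added example, not code from the question or the answer. It parses a constructed nginx config (the question's blocks reduced to the relevant directives, plus an assumed app.mydomain.de vhost that the question does not show) and reports which certificate a client is served with and without SNI, before and after marking med.mydomain.de as default_server. Server-name matching is exact only; nginx also supports wildcard and regex names.

```python
import re

# Constructed sample config (not from the question): the question's two
# med.mydomain.de blocks, reduced to the directives that matter here, plus an
# ASSUMED vhost for app.mydomain.de, which the question does not show.
# `include /etc/nginx/sites-enabled/*;` loads files in alphabetical order,
# so the app block is loaded before the med block.
APP_VHOST = """
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name app.mydomain.de;
    ssl_certificate /etc/letsencrypt/live/app.mydomain.de/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/app.mydomain.de/privkey.pem;
}
"""
MED_VHOST = """
server {
    listen 443 ssl{flag};
    listen [::]:443 ssl{flag}; # managed by Certbot
    server_name med.mydomain.de backend.mydomain.de;
    location / { try_files $uri =404; }
    ssl_certificate /etc/letsencrypt/live/med.mydomain.de/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/med.mydomain.de/privkey.pem; # managed by Certbot
}
server {
    if ($host = med.mydomain.de) { return 301 https://$host$request_uri; }
    listen 80;
    server_name med.mydomain.de backend.mydomain.de;
    return 404;
}
"""
SAMPLE_CONFIG = APP_VHOST + MED_VHOST.replace("{flag}", "")
# Same config with med.mydomain.de explicitly marked as the default server.
FIXED_CONFIG = APP_VHOST + MED_VHOST.replace("{flag}", " default_server")


def parse_server_blocks(text):
    """Return one dict per top-level `server { ... }` block with its listen
    sockets, server_names, ssl_certificate and default_server flags.
    Brace-aware, so nested location/if blocks don't end the server early."""
    blocks, i = [], 0
    while True:
        m = re.search(r"\bserver\s*\{", text[i:])
        if not m:
            break
        start, depth, j = i + m.end(), 1, i + m.end()
        while j < len(text) and depth:
            depth += {"{": 1, "}": -1}.get(text[j], 0)
            j += 1
        body = text[start:j - 1]
        block = {"listen": [], "server_name": [], "ssl_certificate": None,
                 "default_server": set()}
        for line in body.splitlines():
            line = line.split("#", 1)[0].strip().rstrip(";")   # drop comments
            parts = line.split()
            if not parts:
                continue
            if parts[0] == "listen":
                block["listen"].append(parts[1])
                if "default_server" in parts[2:]:
                    block["default_server"].add(parts[1])
            elif parts[0] == "server_name":
                block["server_name"].extend(parts[1:])
            elif parts[0] == "ssl_certificate":
                block["ssl_certificate"] = parts[1]
        blocks.append(block)
        i = j
    return blocks


def normalize_socket(sock):
    """`443` and `*:443` are the same IPv4 socket; `[::]:443` is a separate
    IPv6 socket with its own default server."""
    if sock.startswith("[") or ":" in sock:
        return sock
    return "*:" + sock


def default_servers(blocks):
    """Socket -> block nginx uses for clients that send no SNI (or an unknown
    name): the block flagged default_server, else the first one loaded."""
    defaults = {}
    for block in blocks:
        for sock in block["listen"]:
            key = normalize_socket(sock)
            if sock in block["default_server"] or key not in defaults:
                defaults[key] = block
    return defaults


def certificate_for_client(config_text, sni_hostname=None, socket="*:443"):
    """Path of the certificate nginx presents on `socket`: the matching
    server_name block when SNI is sent, otherwise that socket's default."""
    blocks = parse_server_blocks(config_text)
    if sni_hostname:
        for block in blocks:
            sockets = {normalize_socket(s) for s in block["listen"]}
            if socket in sockets and sni_hostname in block["server_name"]:
                return block["ssl_certificate"]
    block = default_servers(blocks).get(socket)
    return block["ssl_certificate"] if block else None


if __name__ == "__main__":
    for label, cfg in (("as configured", SAMPLE_CONFIG),
                       ("med marked default_server", FIXED_CONFIG)):
        print(label)
        print("  SNI med.mydomain.de ->", certificate_for_client(cfg, "med.mydomain.de"))
        print("  no SNI              ->", certificate_for_client(cfg, None))
```

In the first configuration a client that sends no SNI gets the app.mydomain.de certificate, which is exactly the "second, untrusted" certificate the scanner reports for med.mydomain.de; once med is flagged default_server the non-SNI path returns its own certificate instead. To confirm the same thing on the live host, compare the certificate subject that `openssl s_client -connect med.mydomain.de:443` returns with and without `-servername med.mydomain.de`. Which block should be the default is a deployment decision; a dedicated catch-all default server is the usual way to make that choice explicit rather than relying on file ordering.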
