Short summary: http://example.com correctly redirects to https://example.com and loads. http://www.example.com does not redirect to https://www.example.com. Loading it directly fails with a certificate error.
I installed the SSL certificate using certbot. When I ask certbot for the list of certificates, I get:
Found the following certs:
Certificate Name: example.com-0004
Domains: example.com www.example.com
Expiry Date: 2020-05-17 21:13:21+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/example.com-0004/fullchain.pem
Private Key Path: /etc/letsencrypt/live/example.com-0004/privkey.pem
In my Apache configuration I have:
<VirtualHost *:80>
ServerName example.com
RewriteEngine on
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [L,NE,R]
</VirtualHost>
<VirtualHost *:80>
ServerName www.example.com
RewriteEngine on
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [L,NE,R]
</VirtualHost>
<IfModule mod_ssl.c>
NameVirtualHost *:443
Include /etc/httpd/conf/httpd-le-ssl.conf
</IfModule>
In httpd-le-ssl.conf I have:
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName example.com
DocumentRoot /var/www/html
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/example.com-0004/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com-0004/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/example.com-0004/chain.pem
</VirtualHost>
</IfModule>
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName www.example.com
DocumentRoot /var/www/html
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/example.com-0004/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com-0004/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/example.com-0004/chain.pem
</VirtualHost>
</IfModule>
I have two questions. Why does the redirect for www not work? Why is the certificate for www not recognized? Chrome tells me:
This server could not prove that it is www.ncprepswimming.com;
its security certificate is not trusted by your computer's operating system.
This may be caused by a misconfiguration or an attacker intercepting your connection.
What is wrong with my certificate and configuration? The output of apachectl -S is:
VirtualHost configuration:
wildcard NameVirtualHosts and _default_ servers:
*:443 is a NameVirtualHost
default server www.example.com (/etc/httpd/conf.d/ssl.conf:76)
port 443 namevhost www.example.com (/etc/httpd/conf.d/ssl.conf:76)
port 443 namevhost example.com (/etc/httpd/conf/httpd-le-ssl.conf:2)
port 443 namevhost www.example.com (/etc/httpd/conf/httpd-le-ssl.conf:12)
*:80 is a NameVirtualHost
default server www.example.com (/etc/httpd/conf/httpd.conf:1006)
port 80 namevhost www.example.com (/etc/httpd/conf/httpd.conf:1006)
port 80 namevhost db.example.com (/etc/httpd/conf/httpd.conf:1086)
alias www.db.example.com
port 80 namevhost example.com (/etc/httpd/conf/httpd.conf:1092)
port 80 namevhost www.example.com (/etc/httpd/conf/httpd.conf:1099)
port 80 namevhost svn.example.com (/etc/httpd/conf/httpd.conf:1106)
alias www.svn.example.com
Syntax OK
Answer 1
If you check the certificate being served by visiting the www and non-www URLs, you will see that the www version is not using the same certificate. That should tell you that you probably have a duplicate/wrong configuration somewhere that points to the wrong certificate.
The output of apachectl -S clearly shows multiple www.example.com configurations on port 443 (assuming the obfuscation here is correct):
VirtualHost configuration:
default server www.example.com (/etc/httpd/conf.d/ssl.conf:76)
port 443 namevhost www.example.com (/etc/httpd/conf.d/ssl.conf:76)
port 443 namevhost www.example.com (/etc/httpd/conf/httpd-le-ssl.conf:12)
You will need to look at the configuration yourself to decide which one is correct and which is not, but probably you just need to remove ssl.conf (or comment out some lines) and restart.
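The check the answer describes, reading `apachectl -S` output and flagging every ServerName declared more than once on the same port, as an added example that is not part of the original question or answer. The sample dump is constructed from the output shown in the question; Apache routes a request to the first matching vhost, so the later declarations it reports are the ones being shadowed.

```python
import re
from collections import defaultdict

# Constructed sample of `apachectl -S` output, reproducing the layout shown in the question.
SAMPLE = """\
VirtualHost configuration:
*:443 is a NameVirtualHost
default server www.example.com (/etc/httpd/conf.d/ssl.conf:76)
port 443 namevhost www.example.com (/etc/httpd/conf.d/ssl.conf:76)
port 443 namevhost example.com (/etc/httpd/conf/httpd-le-ssl.conf:2)
port 443 namevhost www.example.com (/etc/httpd/conf/httpd-le-ssl.conf:12)
*:80 is a NameVirtualHost
default server www.example.com (/etc/httpd/conf/httpd.conf:1006)
port 80 namevhost www.example.com (/etc/httpd/conf/httpd.conf:1006)
port 80 namevhost db.example.com (/etc/httpd/conf/httpd.conf:1086)
alias www.db.example.com
port 80 namevhost example.com (/etc/httpd/conf/httpd.conf:1092)
port 80 namevhost www.example.com (/etc/httpd/conf/httpd.conf:1099)
Syntax OK
"""

# One "port <n> namevhost <name> (<file>:<line>)" entry per VirtualHost block.
VHOST_RE = re.compile(r"^\s*port (\d+) namevhost (\S+) \((\S+):(\d+)\)\s*$")

def find_duplicate_vhosts(dump: str) -> dict:
    """Return {(port, servername): [(file, line), ...]} for every name that is
    declared more than once on the same port. Apache only dispatches to the
    first vhost whose ServerName matches, so every later entry in the list is
    dead configuration and may carry a different certificate than intended."""
    seen = defaultdict(list)
    for line in dump.splitlines():
        m = VHOST_RE.match(line)
        if m:
            port, name, path, lineno = m.groups()
            seen[(int(port), name)].append((path, int(lineno)))
    return {key: places for key, places in seen.items() if len(places) > 1}

def report(dump: str) -> list:
    """Human-readable one-liner per duplicated (port, name), first match wins."""
    lines = []
    for (port, name), places in sorted(find_duplicate_vhosts(dump).items()):
        winner, *shadowed = places
        lines.append(f"port {port} {name}: served by {winner[0]}:{winner[1]}; "
                     "shadowed: " + ", ".join(f"{p}:{n}" for p, n in shadowed))
    return lines

if __name__ == "__main__":
    for line in report(SAMPLE):
        print(line)
```

Run it against the real output with `apachectl -S 2>&1 | python3 check_vhosts.py` after replacing `SAMPLE` with `sys.stdin.read()`; ServerAlias lines are not checked, so an alias that collides with another vhost's ServerName still needs a manual look.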