nginx letsencrypt 通配符与 ovh dns SSL_ERROR_BAD_CERT_DOMAIN

tag-icon tag-icon nginx ssl subdomain lets-encrypt wildcard
nginx letsencrypt 通配符与 ovh dns SSL_ERROR_BAD_CERT_DOMAIN

我对子域名的通配符证书有疑问。我希望为该域名使用一个证书,example.com并为同一级别的子域名使用同一个证书*.example.com

问题是子域名SSL_ERROR_BAD_CERT_DOMAIN在连接上返回 SSL 证书错误:。

我正在使用 OVH 作为域名主机。

这是一个类似的 Nginx 配置的链接:配置我用过的。

这是我用于生成证书的 certbot 命令:certbot': sudo certbot certonly --preferred-challenges dns --dns-ovh --dns-ovh-credentials /etc/nginx/ovh-credentials.ini -d 'example.com,*.example.com'

[nginx.conf]

# Generated by nginxconfig.io

user                 www-data;
pid                  /run/nginx.pid;
worker_processes     auto;
worker_rlimit_nofile 65535;

events {
    multi_accept       on;
    worker_connections 65535;
}

http {
    charset              utf-8;
    sendfile             on;
    tcp_nopush           on;
    tcp_nodelay          on;
    server_tokens        off;
    log_not_found        off;
    types_hash_max_size  2048;
    client_max_body_size 16M;

    # MIME
    include              mime.types;
    default_type         application/octet-stream;

    # Logging
    access_log           /var/log/nginx/access.log;
    error_log            /var/log/nginx/error.log warn;

    # SSL
    ssl_session_timeout  1d;
    ssl_session_cache    shared:SSL:10m;
    ssl_session_tickets  off;

    # Diffie-Hellman parameter for DHE ciphersuites
    ssl_dhparam          /etc/nginx/dhparam.pem;

    # Mozilla Intermediate configuration
    ssl_protocols        TLSv1.2 TLSv1.3;
    ssl_ciphers          ***************

    # OCSP Stapling
    ssl_stapling         on;
    ssl_stapling_verify  on;
    resolver             1.1.1.1 1.0.0.1 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 valid=60s;
    resolver_timeout     2s;

    # Load configs
    include              /etc/nginx/conf.d/*.conf;
    include              /etc/nginx/sites-enabled/*;
}

[常规.conf]

    # favicon.ico
location = /favicon.ico {
    log_not_found off;
    access_log    off;
}

# robots.txt
location = /robots.txt {
    log_not_found off;
    access_log    off;
}

# assets, media
location ~* \.(?:css(\.map)?|js(\.map)?|jpe?g|png|gif|ico|cur|heic|webp|tiff?|mp3|m4a|aac|ogg|midi?|wav|mp4|mov|webm|mpe?g|avi|ogv|flv|wmv)$ {
    expires    7d;
    access_log off;
}

# svg, fonts
location ~* \.(?:svgz?|ttf|ttc|otf|eot|woff2?)$ {
    add_header Access-Control-Allow-Origin "*";
    expires    7d;
    access_log off;
}

# gzip
gzip              on;
gzip_vary         on;
gzip_proxied      any;
gzip_comp_level   6;
gzip_types        text/plain text/css text/xml application/json application/javascript application/rss+xml application/atom+xml image/svg+xml;

[letsencrypt.conf]

# ACME-challenge
location ^~ /.well-known/acme-challenge/ {
    root /var/www/_letsencrypt;
}

[php_fastcgi.conf]

# 404
try_files                     $fastcgi_script_name =404;

# default fastcgi_params
include                       fastcgi_params;

# fastcgi settings
fastcgi_pass                  unix:/var/run/php/php7.4-fpm.sock;
fastcgi_index                 index.php;
fastcgi_buffers               8 16k;
fastcgi_buffer_size           32k;

# fastcgi params
fastcgi_param DOCUMENT_ROOT   $realpath_root;
fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
fastcgi_param PHP_ADMIN_VALUE "open_basedir=$base/:/usr/lib/php/:/tmp/";

[安全.conf]

# security headers
add_header X-Frame-Options           "SAMEORIGIN" always;
add_header X-XSS-Protection          "1; mode=block" always;
add_header X-Content-Type-Options    "nosniff" always;
add_header Referrer-Policy           "no-referrer-when-downgrade" always;
add_header Content-Security-Policy   "default-src 'self' http: https: data: blob: 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline' fonts.googleapis.com stackpath.bootstrapcdn.com;" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
add_header Feature-Policy "geolocation none;midi none;notifications none;push none;sync-xhr none;microphone none;camera none;magnetometer none;gyroscope none;speaker self;vibrate none;fullscreen self;payment none;" always;

# . files
location ~ /\.(?!well-known) {
    deny all;
}

[示例.com.conf]

# define error page
error_page 403 = @notfound;
error_page 404 = @notfound;

server {
    listen                  443 ssl http2;
    server_name             example.com;
    set                     $base /srv/www/example;
    root                    $base/;

    # SSL
    ssl_certificate /etc/letsencrypt/live/example.com-0002/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/example.com-0002/privkey.pem; # managed by Certbot
    ssl_trusted_certificate /etc/letsencrypt/live/example.com-0002/chain.pem;

    # security
    include                 nginxconfig.io/security.conf;

    # index.php
    index                   index.php;

    # index.php fallback
    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    # additional config
    include nginxconfig.io/general.conf;

    # handle .php
    location ~ \.php$ {
        include nginxconfig.io/php_fastcgi.conf;
    }

    # error page location redirect 302
    location @notfound {
        return 302 /;
    }
}

# non-www, subdomains redirect
#server {
#    listen                  443 ssl http2;
#    server_name             .example.com;
#
#    # SSL
#    ssl_certificate /etc/letsencrypt/live/example.com-0002/fullchain.pem;
#    ssl_certificate_key /etc/letsencrypt/live/example.com-0002/privkey.pem;
#    ssl_trusted_certificate /etc/letsencrypt/live/example.com-0002/chain.pem;
#    return 301 https://www.example.com$request_uri;
#}

# HTTP redirect
server {
    listen 80;
    server_name www.example.com; #default_server;
    include nginxconfig.io/letsencrypt.conf;

    location / {
        return 301 https://www.example.com$request_uri;
    }
}

[a.example.com.conf]

server {
    listen      443 ssl http2;
    server_name a.example.com;
    set         $base /srv/www/a.example;
    root        $base/;

    # SSL
    ssl_certificate /etc/letsencrypt/live/example.com-0002/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/example.com-0002/privkey.pem; # managed by Certbot
    ssl_trusted_certificate /etc/letsencrypt/live/example.com-0002/chain.pem;

    # security
    include nginxconfig.io/security.conf;

    # index.php
    index index.php;

    # index.php fallback
    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    # additional config
    include nginxconfig.io/general.conf;

    # handle .php
    location ~ \.php$ {
        include nginxconfig.io/php_fastcgi.conf;
    }
}

# non-www, subdomains redirect
#server {
#    listen      443 ssl http2;
#    server_name .a.example.com;
#
#    # SSL
#    ssl_certificate /etc/letsencrypt/live/example.com-0002/fullchain.pem; # managed by Certbot
#    ssl_certificate_key /etc/letsencrypt/live/example.com-0002/privkey.pem; # managed by Certbot
#    ssl_trusted_certificate /etc/letsencrypt/live/example.com-0002/chain.pem;
#    return 301 https://www.a.example.com$request_uri;
#}

# HTTP redirect
#server {
#    listen  80;
#    include nginxconfig.io/letsencrypt.conf;
#
#    location / {
#        return 301 https://a.example.com$request_uri;
#    }
#}

PS 当我打开浏览器并显示 a.example.com 上的证书时,我收到一条消息,该证书适用于https://www.a.example.com/www.example.com

A secure connection could not be established: the domain name requested does not match the server certificate.

更新:问题是 将a.example.com被重定向到www.a.example.com,因此 的证书https://a.example.com有效,但 的证书无效https://www.a.example.com。我不知道如何修复它。

相关内容