How to fix SSL_ERROR_NO_CYPHER_OVERLAP for 2 domains on Apache with certbot


We run two websites on one Apache: www.example1.com, www.example2.com

www.example1.com was the first site to exist; it got a Let's Encrypt certificate and runs fine. www.example2.com is the second site and also got a Let's Encrypt certificate.

www.example1.com works. www.example2.com causes an error in Firefox and Chromium: SSL_ERROR_NO_CYPHER_OVERLAP in Firefox, ERR_SSL_VERSION_OR_CIPHER_MISMATCH in Chromium.

What I have done so far:

  • I generated a certificate for www.example2
  • I extended the certificate of www.example1 so that it also covers www.example2.
  • I extended example2.conf in /etc/apache2/sites-available with the snippet from https://ssl-config.mozilla.org/
  • I deleted the key and certificate of www.example2 and obtained them again.
  • I checked example1.conf, example2.conf, 000-default-le-ssl.conf, apache2.conf
  • https://www.ssllabs.com/ssltest/analyze.html?d=example2.com --> Assessment failed: Unable to communicate with the secure server

Apache's error.log prints this line: [ssl:info] [pid 19288] (70014)End of file found: [client 192.168.0.9:53597] AH01991: SSL input filter read failed.

Please note: there is one SNI that seems to be configured correctly, but I cannot access it directly.

In every case the error message did not change.

000-default-le-ssl.conf:

<IfModule mod_ssl.c>
<VirtualHost *:443>
    Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains;"
    ServerAdmin webmaster@localhost
    Protocols h2 h2c http/1.1
    DocumentRoot /var/www/html/
    ServerName www.example1.com
    ServerAlias example1.com
    Protocols h2 h2c http/1.1

    <Directory /var/www/>
            Options -Indexes +FollowSymLinks
            AllowOverride all
            Order allow,deny
            allow from all
    </Directory>
    
    # added 01.04.2019 END
    
    <Directory /var/www/html/>
      Options -Indexes +FollowSymlinks
      AllowOverride All
      Require all granted
      allow from all
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    #SSLEngine off
    #Include /etc/letsencrypt/options-ssl-apache.conf
    #Header always set Content-Security-Policy upgrade-insecure-requests
    Include /etc/letsencrypt/options-ssl-apache.conf
    #SSLCertificateFile /etc/letsencrypt/live/www.example2.com/fullchain.pem
    #SSLCertificateKeyFile /etc/letsencrypt/live/www.example2.com/privkey.pem
    #Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/www.example1.com-0001/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/www.example1.com-0001/privkey.pem
</VirtualHost>
</IfModule>

example2.conf:

<VirtualHost *:80>
 Protocols h2 http/1.1
 ServerAdmin [email protected]
 DocumentRoot /var/www/html1/example2/
 ServerName www.example2.com
 ServerAlias example2.com
 <Directory /var/www/html1/example2>
    Options -Indexes +FollowSymLinks +MultiViews
    AllowOverride All
    Order allow,deny
    allow from all
 </Directory>

 ErrorLog ${APACHE_LOG_DIR}/error.log
 CustomLog ${APACHE_LOG_DIR}/access.log combined
 RewriteEngine on
 RewriteCond %{SERVER_NAME} =www.example2.com [OR]
 RewriteCond %{SERVER_NAME} =example2.com
 RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
 </VirtualHost>

 <IfModule mod_ssl.c>
 <VirtualHost *:443>
    ServerAdmin [email protected]
    Protocols h2 h2c http/1.1
    DocumentRoot /var/www/html1/example2
    ServerName www.example2.com
    ServerAlias example2.com

    <Directory /var/www/html1>
            Options -Indexes +FollowSymLinks
            AllowOverride all
            Order allow,deny
            allow from all
    </Directory>
    <Directory /var/www/html1/example2>
      Options -Indexes +FollowSymlinks
      AllowOverride All
      Require all granted
      allow from all
    </Directory>
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
 #       SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
 #       SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
 #       SSLHonorCipherOrder     off
 #       SSLSessionTickets       off

 #SSLUseStapling On
 #SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"

 Include /etc/letsencrypt/options-ssl-apache.conf
 SSLCertificateFile /etc/letsencrypt/live/www.example1.com-0001/fullchain.pem
 SSLCertificateKeyFile /etc/letsencrypt/live/www.example1.com-0001/privkey.pem
 </VirtualHost>
 </IfModule>

Output of openssl:

CONNECTED(00000003)
140386018971712:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:../ssl/record/rec_layer_s3.c:1407:SSL alert      number 40
---
 no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 198 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol  : TLSv1.2
Cipher    : 0000
Session-ID: 
Session-ID-ctx: 
Master-Key: 
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1623677307
Timeout   : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no

Can someone help find the error? If you need more information, please let me know.

Thanks in advance.
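The following is an added example, not code from the question, from certbot or from Apache. It is the check list a reviewer would run first when a *:443 vhost answers a ClientHello with alert 40 (handshake failure) and the browser reports no cipher overlap: does every TLS vhost actually get SSLEngine on (directly or through the certbot Include), does it name a certificate and key, do both come from the same certbot lineage, and does that lineage plausibly cover the ServerName? The SAMPLE_CONFIG is a trimmed, constructed copy of the two vhosts above plus one deliberately broken vhost; the content given for /etc/letsencrypt/options-ssl-apache.conf is an assumption (the real file contains more settings). probe_tls does one live handshake with SNI and is only for use against your own server; it needs network access and is not exercised by the sample.

```python
"""Lint Apache TLS virtual hosts for the usual causes of a failed handshake.

Added example; not the question's configuration and not certbot's code.
"""
import re
import socket
import ssl
from dataclasses import dataclass, field

_OPEN = re.compile(r"^<(\w+)\s*(.*?)>$")
_CLOSE = re.compile(r"^</(\w+)>$")


def _directives(text):
    """Yield (name, value) for plain directive lines; skip blanks, comments and tags."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        parts = line.split(None, 1)
        yield parts[0], (parts[1].strip() if len(parts) > 1 else "")


@dataclass
class VHost:
    addr: str          # e.g. "*:443"
    line: int          # line of the <VirtualHost> tag
    directives: list = field(default_factory=list)

    def get(self, name):
        return [v for n, v in self.directives if n.lower() == name.lower()]


def parse_vhosts(text, includes=None):
    """Return VirtualHost blocks; only directives directly inside the vhost count.

    <Directory>/<Location> bodies are skipped. ``includes`` maps an Include path
    to that file's content, so SSLEngine etc. pulled in by certbot's Include are seen.
    """
    includes = includes or {}
    vhosts, stack, current = [], [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if (m := _CLOSE.match(line)):
            if stack:
                stack.pop()
            if m.group(1).lower() == "virtualhost" and current:
                vhosts.append(current)
                current = None
            continue
        if (m := _OPEN.match(line)):
            tag = m.group(1).lower()
            if tag == "virtualhost":
                current = VHost(m.group(2).strip(), lineno)
            stack.append(tag)
            continue
        if current is None or stack[-1] != "virtualhost":
            continue
        parts = line.split(None, 1)
        name, value = parts[0], (parts[1].strip() if len(parts) > 1 else "")
        if name.lower() == "include":
            current.directives.extend(_directives(includes.get(value, "")))
        else:
            current.directives.append((name, value))
    return vhosts


def _lineage(path):
    """'/etc/letsencrypt/live/<lineage>/fullchain.pem' -> '<lineage>'."""
    parts = path.split("/")
    return parts[-2] if len(parts) >= 2 else path


def lint_tls_vhosts(text, includes=None):
    """Return (vhost label, finding) tuples for every *:443 vhost."""
    findings = []
    for vh in parse_vhosts(text, includes):
        if not vh.addr.endswith(":443"):
            continue
        names = vh.get("ServerName") + vh.get("ServerAlias")
        label = f"{vh.addr} {names[0] if names else '(no ServerName)'} line {vh.line}"
        if "on" not in [v.lower() for v in vh.get("SSLEngine")]:
            findings.append((label, "SSLEngine on is not set, directly or via Include"))
        cert, key = vh.get("SSLCertificateFile"), vh.get("SSLCertificateKeyFile")
        if not cert or not key:
            findings.append((label, "SSLCertificateFile/SSLCertificateKeyFile missing"))
            continue
        cdir, kdir = _lineage(cert[0]), _lineage(key[0])
        if cdir != kdir:
            findings.append((label, f"certificate lineage {cdir!r} and key lineage {kdir!r} differ"))
        bare = [n[4:] if n.startswith("www.") else n for n in names]
        if names and not any(b in cdir for b in bare):
            findings.append((label, f"lineage {cdir!r} does not mention the ServerName; "
                                    "confirm its SANs cover it (openssl x509 -noout -ext subjectAltName)"))
    return findings


def probe_tls(host, port=443, servername=None, timeout=5):
    """One live handshake with SNI; returns the negotiated cipher or the error text."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=servername or host) as tls:
                return {"ok": True, "protocol": tls.version(), "cipher": tls.cipher()[0]}
    except (ssl.SSLError, OSError) as exc:
        return {"ok": False, "error": str(exc)}


# Constructed input: trimmed copies of the two vhosts in the question plus a broken one.
SAMPLE_CONFIG = """
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName www.example1.com
    ServerAlias example1.com
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/www.example1.com-0001/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/www.example1.com-0001/privkey.pem
</VirtualHost>
</IfModule>
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName www.example2.com
    ServerAlias example2.com
    <Directory /var/www/html1/example2>
        Require all granted
    </Directory>
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/www.example1.com-0001/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/www.example1.com-0001/privkey.pem
</VirtualHost>
</IfModule>
<VirtualHost *:443>
    ServerName www.broken.example
</VirtualHost>
"""

# Assumed content of certbot's include file (the real one sets more than this).
SAMPLE_INCLUDES = {"/etc/letsencrypt/options-ssl-apache.conf": "SSLEngine on\nSSLSessionTickets off\n"}

if __name__ == "__main__":
    for label, finding in lint_tls_vhosts(SAMPLE_CONFIG, SAMPLE_INCLUDES):
        print(f"{label}: {finding}")
```

On the sample the example1 vhost is clean, the example2 vhost gets one finding (its certificate lineage is www.example1.com-0001, so whether that certificate's SANs really include example2.com has to be confirmed on the box), and the broken vhost gets two. For the live check, run probe_tls against your own host once with servername set to each of the two names; a working name returns the negotiated cipher, a failing one returns the same alert text openssl printed above.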
