www 证书无法正确提取 - nginx 和 certbot

tag-icon tag-icon nginx ssl https certbot
www 证书无法正确提取 - nginx 和 certbot

我正在使用带有 nginx 和 certbot 的 docker 堆栈。我的域名托管在 google domains 上。

我希望域名仅可通过 example.tld 访问:

  • 将所有 http 重定向到 https
  • 将 www 重定向到非 www

这是我的 nginx 配置:

server {
    listen      80;
    listen      [::]:80;
    access_log  off;
    error_log   off;
    server_name example.tld www.example.tld;
    return      301 https://example.tld$request_uri;
}

server {
    listen      443 ssl http2;
    listen      [::]:443 ssl http2;
    access_log  off;
    error_log   off;
    server_name www.example.tld;
    return      301 https://example.tld$request_uri;
}

server {
    listen      443 ssl http2;
    listen      [::]:443 ssl http2;
    server_name example.tld;

    root        /var/www/example.tld;

    index       index.html index.htm index.php;

    location / {
        try_files $uri $uri/ /index.php?/$request_uri;
    }

    location ~* ^/(assets|files|robots\.txt) { }

    location ~ \.php$ {
        include fastcgi-php.conf;
        fastcgi_pass phpfpm:9000;
    }

    location ~ /\.ht {
        deny all;
    }

    ssl_certificate     /etc/letsencrypt/live/example.tld/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.tld/privkey.pem;
    include             /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam         /etc/letsencrypt/ssl-dhparams.pem;
    add_header          Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
}

我成功创建了证书

certbot certonly --preferred-challenges=dns --cert-name example.tld -d example.tld,www.example.tld

当我打开 www 网址时,Safari 告诉我Safari can't open the page "http(s)://www.example.tld" because Safari can't establish a secure connection to the server "www.example.tld"

但有效的是:

curl -iL http://www.example.tld/ 
HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Sat, 11 Jun 2022 11:17:05 GMT
Content-Type: text/html
Content-Length: 162
Connection: keep-alive
Location: https://example.tld/
X-Frame-Options: SAMEORIGIN

HTTP/2 200

不起作用的是:

curl -iL https://example.tld/
curl: (60) SSL: no alternative certificate subject name matches target host name 'www.example.tld'

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

example.tld 和www.example.tld已设置。

答案1

这是错误的,它不应该起作用。Nginx 应该在错误日志中抱怨这个虚拟主机的配置不完整:

server {
    listen      443 ssl http2;
    listen      [::]:443 ssl http2;
    access_log  off;
    error_log   off;
    server_name www.example.tld;
    return      301 https://example.tld$request_uri;
}

任何 SSL 虚拟主机都需要有证书。即使它所做的只是重定向到某个地方。因为它只有在建立安全连接后才会发出重定向。

server {
    listen      443 ssl http2;
    listen      [::]:443 ssl http2;
    access_log  off;
    error_log   off;
    server_name www.example.tld;
    return      301 https://example.tld$request_uri;

    ssl_certificate     /etc/letsencrypt/live/example.tld/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.tld/privkey.pem;
    include             /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam         /etc/letsencrypt/ssl-dhparams.pem;
    add_header          Strict-Transport-Security "max-age=31536000 includeSubDomains" always;
}

类似这样。但证书也应该是有效的;您可以创建一个同时具有example.tldwww.example.tld作为有效名称的证书(通过将它们都放入subjectAlternativeName字段中),当您一次性创建证书并在其中指定多个域时,Let's Encrypt 会执行此操作:

certbot --nginx -d example.tld -d www.example.tld

相关内容