SSL_ERROR_RX_RECORD_TOO_LONG after installing Certbot on Apache2

I am trying to set up a web server on a Raspberry Pi running a Debian-based system.

I installed and set up Apache (following this guide), set up port forwarding on my router, and created 3 HTML-only sites for testing.

Since I only have one domain, I wanted to try virtual hosts with subdomains: the main domain has ServerName domain.com and ServerAlias www.domain.com, the other two have ServerName x/y.domain.com and ServerAlias www.x/y.domain.com. So far (HTTP only) everything works, and I can reliably reach the server using the domains given in their names/aliases.

Then I started installing a certificate to enable HTTPS. I found certbot / letsencrypt and followed this guide. When running step 7, sudo certbot --apache, I decided to get certificates for all enabled domains (6 of them: the primary names and aliases of the 3 domains mentioned above). The output was successful, but when I tried to connect to my main domain (domain.com) I could not reach it, neither over http nor https. (I got the error: To simplify things I disabled the other 2 sites (now 4, since certbot created and enabled the https versions) and kept only my main domain on http / https.

I tried deleting the certbot certificates and obtaining new ones with these commands. Again a successful output:

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/bravewonderer.com/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/bravewonderer.com/privkey.pem
This certificate expires on 2023-01-18.

I checked the certificate files manually; they exist and contain data.

But when I try to reach https://bravewonderer.com or http://www.bravewonderer.com again, I just get Secure Connection Failed ... Error code: SSL_ERROR_RX_RECORD_TOO_LONG

These are the complete configuration files for the http and https versions of the site, including the file generated by certbot:

# /etc/apache2/sites-available/head.conf
<VirtualHost *:80>
        # The ServerName directive sets the request scheme, hostname and port that
        # the server uses to identify itself. This is used when creating
        # redirection URLs. In the context of virtual hosts, the ServerName
        # specifies what hostname must appear in the request's Host: header to
        # match this virtual host. For the default virtual host (this file) this
        # value is not decisive as it is used as a last resort host regardless.
        # However, you must set it for any further virtual host explicitly.
        #ServerName www.example.com

        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/head/public_html

        ServerName bravewonderer.com
        ServerAlias www.bravewonderer.com

        # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
        # error, crit, alert, emerg.
        # It is also possible to configure the loglevel for particular
        # modules, e.g.
        #LogLevel info ssl:warn

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        # For most configuration files from conf-available/, which are
        # enabled or disabled at a global level, it is possible to
        # include a line for only one particular virtual host. For example the
        # following line enables the CGI configuration for this host only
        # after it has been globally disabled with "a2disconf".
        #Include conf-available/serve-cgi-bin.conf
RewriteEngine on
RewriteCond %{SERVER_NAME} =www.bravewonderer.com [OR]
RewriteCond %{SERVER_NAME} =bravewonderer.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
-------------------------------------------------------------------------------------

# /etc/apache2/sites-available/head-le-ssl.conf
<IfModule mod_ssl.c>
<VirtualHost *:443>
        # The ServerName directive sets the request scheme, hostname and port that
        # the server uses to identify itself. This is used when creating
        # redirection URLs. In the context of virtual hosts, the ServerName
        # specifies what hostname must appear in the request's Host: header to
        # match this virtual host. For the default virtual host (this file) this
        # value is not decisive as it is used as a last resort host regardless.
        # However, you must set it for any further virtual host explicitly.
        #ServerName www.example.com

        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/head/public_html

        ServerName bravewonderer.com
        ServerAlias www.bravewonderer.com

        # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
        # error, crit, alert, emerg.
        # It is also possible to configure the loglevel for particular
        # modules, e.g.
        #LogLevel info ssl:warn

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        # For most configuration files from conf-available/, which are
        # enabled or disabled at a global level, it is possible to
        # include a line for only one particular virtual host. For example the
        # following line enables the CGI configuration for this host only
        # after it has been globally disabled with "a2disconf".
        #Include conf-available/serve-cgi-bin.conf


Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/bravewonderer.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/bravewonderer.com/privkey.pem
</VirtualHost>
</IfModule>
----------------------------------------------------------------------------

# /etc/letsencrypt/options-ssl-apache.conf

# This file contains important security parameters. If you modify this file
# manually, Certbot will be unable to automatically provide future security
# updates. Instead, Certbot will print and log an error message with a path to
# the up-to-date file that you will need to refer to when manually updating
# this file. Contents are based on https://ssl-config.mozilla.org

SSLEngine on

# Intermediate configuration, tweak to your needs
SSLProtocol             all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder     on
#SSLHonorCipherOrder     off
SSLSessionTickets       off

SSLOptions +StrictRequire

# Add vhost name to log entries:
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined
LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common

If someone could point me in the right direction it would be very helpful.

Edit. Some additional notes:

  • sudo a2enmod ssl tells me ssl is enabled
  • When I try to connect to the server from my PC with curl http://bravewonderer.com:443 I get 301 Moved Permanently, document has moved to https://bravewonderer.com; from my limited understanding it seems that:
    1. the server is trying to redirect me to the https version, but
    2. because of the error it ends up unreachable

While troubleshooting I also ran curl -v https://bravewonderer.com and the output is

*   Trying 2.230.32.65:443...
* Connected to bravewonderer.com (2.230.32.65) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* (5454) (IN), , Unknown (72):
* error:0A00010B:SSL routines::wrong version number
* Closing connection 0
curl: (35) error:0A00010B:SSL routines::wrong version number

Answer 1

You are not running TLS on the :443 vhost:

$ curl -I http://bravewonderer.com:443
HTTP/1.1 301 Moved Permanently
Date: Thu, 20 Oct 2022 12:18:07 GMT
Server: Apache/2.4.54 (Debian)
Location: https://bravewonderer.com/
Content-Type: text/html; charset=iso-8859-1

This should fail, because I am trying to speak HTTP to an HTTPS server. But it does not. Your server is misconfigured.
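What the browser and curl are actually receiving, as an added example that is not part of the original question or answers: a TLS client reads the first five bytes of any reply as a record header (1-byte content type, 2-byte version, 2-byte length). When a plaintext Apache answers, those bytes are the ASCII "HTTP/", i.e. type 0x48, version 0x5454 and length 0x502F = 20527, far more than a TLS record may carry. The question's curl trace shows exactly that as "(5454) (IN), , Unknown (72)" (72 = 0x48 = "H"), and OpenSSL then reports "wrong version number" while Firefox's NSS reports SSL_ERROR_RX_RECORD_TOO_LONG. The script below classifies a captured reply this way and can also send a minimal ClientHello to a host:port to see what answers. The sample bytes are constructed for the example; the probe is optional and needs a reachable host.

```python
"""Tell plaintext HTTP from TLS by looking at the first bytes a server sends.

Added example, not code from the original question or answers. SAMPLE_HTTP
and SAMPLE_TLS are constructed inline; probe() needs a reachable host and
is only run when a host and port are given on the command line.
"""
import os
import socket
import struct
import sys

# A TLS 1.2 record carries at most 2**14 bytes of plaintext plus up to 2048
# bytes of expansion (RFC 5246 section 6.2.3); anything longer is rejected.
TLS_MAX_RECORD_LEN = 16384 + 2048

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}


def parse_record_header(data: bytes) -> dict:
    """Read 5 bytes the way a TLS client does: content type, version, length."""
    if len(data) < 5:
        raise ValueError("need at least 5 bytes to parse a TLS record header")
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    return {"type": ctype, "version": (major, minor), "length": length}


def classify(first_bytes: bytes) -> dict:
    """Say what the peer speaks and which client error a non-TLS reply causes."""
    hdr = parse_record_header(first_bytes)
    if (hdr["type"] in CONTENT_TYPES and hdr["version"][0] == 3
            and hdr["length"] <= TLS_MAX_RECORD_LEN):
        return {"protocol": "tls", "record_type": CONTENT_TYPES[hdr["type"]],
                "version": hdr["version"], "length": hdr["length"]}
    result = {"protocol": "not-tls", "as_tls_header": hdr}
    if first_bytes.startswith(b"HTTP/"):
        result["protocol"] = "http"
        result["status_line"] = first_bytes.split(b"\r\n", 1)[0].decode("ascii", "replace")
    # OpenSSL (curl) rejects the version field first; NSS (Firefox) reports the
    # impossible record length. Both are the same five ASCII bytes misread.
    if hdr["version"][0] != 3:
        result["openssl_error"] = "wrong version number"
    if hdr["length"] > TLS_MAX_RECORD_LEN:
        result["nss_error"] = "SSL_ERROR_RX_RECORD_TOO_LONG"
    return result


def build_client_hello(server_name: str) -> bytes:
    """Minimal TLS 1.2 ClientHello with SNI. A TLS server answers it with a
    ServerHello or an alert; both are TLS records, so classify() still works
    even if the server dislikes the offered suites."""
    host = server_name.encode("idna")
    sni_name = struct.pack("!BH", 0, len(host)) + host          # name type host_name
    sni_list = struct.pack("!H", len(sni_name)) + sni_name
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    suites = struct.pack("!HHH", 0xC02F, 0xC030, 0xCCA8)        # ECDHE-RSA GCM / ChaCha20
    body = (b"\x03\x03" + os.urandom(32) + b"\x00"               # version, random, empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00"                                         # compression methods: null only
            + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body     # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def probe(host: str, port: int, timeout: float = 5.0) -> dict:
    """Connect, send a ClientHello and classify the first 5 bytes returned.
    Run it against the LAN address and against the public address to tell an
    Apache misconfiguration from a router port-forwarding mistake."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(host))
        first = b""
        while len(first) < 5:
            chunk = sock.recv(5 - len(first))
            if not chunk:
                return {"protocol": "closed", "bytes": first}
            first += chunk
    return classify(first)


# Constructed samples: the redirect a mis-forwarded Apache :80 sends back,
# and the header of a TLS 1.2 ServerHello record (74 bytes long).
SAMPLE_HTTP = b"HTTP/1.1 301 Moved Permanently\r\nLocation: https://example.com/\r\n\r\n"
SAMPLE_TLS = bytes.fromhex("160303004a020000460303")

if __name__ == "__main__":
    for label, data in (("http", SAMPLE_HTTP), ("tls", SAMPLE_TLS)):
        print(label, classify(data))
    if len(sys.argv) == 3:
        print(probe(sys.argv[1], int(sys.argv[2])))
```

Run the script with a host and port to probe a live server. If probing the Pi's LAN address on 443 reports tls while probing the public address from outside the LAN reports http, Apache is fine and the router's forwarding is at fault; if both report http, check that a vhost with SSLEngine on is actually bound to *:443.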

Answer 2

I solved it. In short: my router's port forwarding was misconfigured; I think it was mapping traffic from port 443 to port 80.

Longer answer: to troubleshoot, I started removing everything unnecessary one piece at a time. I noticed that after removing all listeners on port 80 and keeping only the one on port 443, requests to port 80 still went through (while requests to 443 failed). I am not sure how this happened, but my router was switching traffic for port 443 onto port 80 and vice versa.
