我正在尝试在树莓派上建立一个网络服务器,它运行基于 Debian 的系统。
我安装并设置了 apache(如下本指南),在我的路由器上设置端口转发,并创建了 3 个仅有 html 的网站来测试。
由于我只有一个域名,所以我想尝试使用带有子域名的虚拟主机:主域名有ServerName domain.com
和ServerAlias www.domain.com
,其他两个是ServerName x/y.domain.com ServerAlias www.x/y.domain.com
。到目前为止(仅 http)一切正常,我可以使用其名称/别名中指定的域名可靠地访问服务器。
然后我开始使用安装证书来启用 https。我找到了 certbot / letsencrypt 并按照本指南。在第 7 步运行时:sudo certbot --apache
我决定为所有已启用的域(6 个,前面提到的 3 个域的主名称和别名)获取证书。输出成功,但当我尝试连接到我的主域(domain.com
)时,我无法访问它,无论是使用 http 还是 https。(我收到错误:为了简化操作,我禁用了其他 2 个站点(现在是 4 个,因为 certbot 创建并启用了 https 版本),我只在 http / https 上保留了我的主域。
我尝试删除 certbot 证书并获取新的证书这些命令. 又一次成功输出
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/bravewonderer.com/fullchain.pem
Key is saved at: /etc/letsencrypt/live/bravewonderer.com/privkey.pem
This certificate expires on 2023-01-18.
我手动检查了证书文件,它们存在并且其中包含数据。
但当我再次尝试访问https://bravewonderer.com
或http://www.bravewonderer.com
只是得到Secure Connection Failed ... Error code: SSL_ERROR_RX_RECORD_TOO_LONG
这些是网站 http 和 https 版本的完整配置文件,其中包括 certbot 生成的文件,包括:
# /etc/apache2/sites-available/head.conf
<VirtualHost *:80>
# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request's Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
#ServerName www.example.com
ServerAdmin webmaster@localhost
DocumentRoot /var/www/head/public_html
ServerName bravewonderer.com
ServerAlias www.bravewonderer.com
# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
# For most configuration files from conf-available/, which are
# enabled or disabled at a global level, it is possible to
# include a line for only one particular virtual host. For example the
# following line enables the CGI configuration for this host only
# after it has been globally disabled with "a2disconf".
#Include conf-available/serve-cgi-bin.conf
RewriteEngine on
RewriteCond %{SERVER_NAME} =www.bravewonderer.com [OR]
RewriteCond %{SERVER_NAME} =bravewonderer.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
-------------------------------------------------------------------------------------
# /etc/apache2/sites-available/head-le-ssl.conf
<IfModule mod_ssl.c>
<VirtualHost *:443>
# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request's Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
#ServerName www.example.com
ServerAdmin webmaster@localhost
DocumentRoot /var/www/head/public_html
ServerName bravewonderer.com
ServerAlias www.bravewonderer.com
# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
# For most configuration files from conf-available/, which are
# enabled or disabled at a global level, it is possible to
# include a line for only one particular virtual host. For example the
# following line enables the CGI configuration for this host only
# after it has been globally disabled with "a2disconf".
#Include conf-available/serve-cgi-bin.conf
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/bravewonderer.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/bravewonderer.com/privkey.pem
</VirtualHost>
</IfModule>
----------------------------------------------------------------------------
# /etc/letsencrypt/options-ssl-apache.conf
# This file contains important security parameters. If you modify this file
# manually, Certbot will be unable to automatically provide future security
# updates. Instead, Certbot will print and log an error message with a path to
# the up-to-date file that you will need to refer to when manually updating
# this file. Contents are based on https://ssl-config.mozilla.org
SSLEngine on
# Intermediate configuration, tweak to your needs
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder on
#SSLHonorCipherOrder off
SSLSessionTickets off
SSLOptions +StrictRequire
# Add vhost name to log entries:
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined
LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common
如果有人能给我指明正确的方向那将会非常有帮助。
编辑。一些附加说明:
sudo a2enmod ssl
告诉我 ssl 已启用- 当我尝试使用我的电脑连接到服务器时,从我有限的理解
curl http://bravewonderer.com:443
来看,301 Moved Permanently, document has moved to https://bravewonderer.com
似乎:- 服务器正在尝试将我重定向到 https 版本,但是
- 由于错误,它最终无法访问
在尝试排除故障时,我还运行了 curl -vhttps://bravewonderer.com输出是
* Trying 2.230.32.65:443...
* Connected to bravewonderer.com (2.230.32.65) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* CAfile: /etc/ssl/certs/ca-certificates.crt
* CApath: /etc/ssl/certs
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* (5454) (IN), , Unknown (72):
* error:0A00010B:SSL routines::wrong version number
* Closing connection 0
curl: (35) error:0A00010B:SSL routines::wrong version number
答案1
您没有在 :443 vhost 上运行 TLS:
$ curl -I http://bravewonderer.com:443
HTTP/1.1 301 Moved Permanently
Date: Thu, 20 Oct 2022 12:18:07 GMT
Server: Apache/2.4.54 (Debian)
Location: https://bravewonderer.com/
Content-Type: text/html; charset=iso-8859-1
这应该失败,因为我尝试将 HTTP 与 HTTPS 服务器通信。但失败了。您的服务器配置不正确。
答案2
我解决了这个问题,简而言之:我的路由器端口转发配置不正确,我认为它将流量从端口 443 映射到端口 80。
较长的回答:为了解决问题,我开始逐一删除所有不必要的内容。我注意到,在删除端口 80 上的所有侦听器并仅保留端口 443 上的侦听器后,对端口 80 的请求仍然通过(而对 443 的请求失败)。我不确定这是怎么发生的,但我的路由器将端口 443 的流量切换到端口 80,反之亦然。