为什么 Apache 提供新证书和过期证书?
Why is Apache serving a new certificate and an expired one?
由于这是一个敏感的客户项目,我所说的域名的所有使用都已替换为"example.com"。
我正在管理一个 public 网站,其 Let's Encrypt 证书最近过期。所以我遵循了 DigitalOcean 教程 here and used certbot-auto renew to renew the certificate (yes, I ran sudo service apache2 reload afterwards). It worked, but the problem is that the site now serves both the new certificate and the expired one, and it seems like a random selection happens. Sometimes the site is trusted by the browser because it receives the new one, other times the browser rejects the expired certificate. Even running the site through the SSL Labs analyzer 有时给出 A 级,有时给出失败。
当我的配置明确仅包含新证书时,可能是什么原因导致继续使用这两个证书?我很困惑。
运行 certbot-auto renew 现在给出这个结果:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/example.com.conf
-------------------------------------------------------------------------------
Cert not yet due for renewal
The following certs are not due for renewal yet:
/etc/letsencrypt/live/example.com/fullchain.pem (skipped)
No renewals were attempted
Apache 的站点启用目录如下所示:
000-default.conf 000-default-le-ssl.conf
并且每个配置如下:
000-default.conf
<VirtualHost *:80>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
<Directory /var/www/html/>
Options Indexes FollowSymLinks
AllowOverride All
Require all granted
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
RewriteEngine on
RewriteCond %{SERVER_NAME} =example.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
000-默认-ssl.conf
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
<Directory /var/www/html/>
Options Indexes FollowSymLinks
AllowOverride All
Require all granted
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
ServerName example.com
</VirtualHost>
</IfModule>
我可以通过调用 sudo service apache2 stop 停止 apache,然后调用 运行 ps aux | grep apache 来解决问题。我发现有多个 apache 实例 运行。所以我杀了他们并再次启动 apache,现在一切正常。
由于这是一个敏感的客户项目,我所说的域名的所有使用都已替换为"example.com"。
我正在管理一个 public 网站,其 Let's Encrypt 证书最近过期。所以我遵循了 DigitalOcean 教程 here and used certbot-auto renew to renew the certificate (yes, I ran sudo service apache2 reload afterwards). It worked, but the problem is that the site now serves both the new certificate and the expired one, and it seems like a random selection happens. Sometimes the site is trusted by the browser because it receives the new one, other times the browser rejects the expired certificate. Even running the site through the SSL Labs analyzer 有时给出 A 级,有时给出失败。
当我的配置明确仅包含新证书时,可能是什么原因导致继续使用这两个证书?我很困惑。
运行 certbot-auto renew 现在给出这个结果:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/example.com.conf
-------------------------------------------------------------------------------
Cert not yet due for renewal
The following certs are not due for renewal yet:
/etc/letsencrypt/live/example.com/fullchain.pem (skipped)
No renewals were attempted
Apache 的站点启用目录如下所示:
000-default.conf 000-default-le-ssl.conf
并且每个配置如下:
000-default.conf
<VirtualHost *:80>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
<Directory /var/www/html/>
Options Indexes FollowSymLinks
AllowOverride All
Require all granted
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
RewriteEngine on
RewriteCond %{SERVER_NAME} =example.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
000-默认-ssl.conf
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
<Directory /var/www/html/>
Options Indexes FollowSymLinks
AllowOverride All
Require all granted
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
ServerName example.com
</VirtualHost>
</IfModule>
我可以通过调用 sudo service apache2 stop 停止 apache,然后调用 运行 ps aux | grep apache 来解决问题。我发现有多个 apache 实例 运行。所以我杀了他们并再次启动 apache,现在一切正常。