Apache 2.4 搞乱了 SSL 证书
Apache 2.4 is messing up with SSL certificates
我有以下带有两个 SSL 证书的虚拟主机配置
对于域 *.example.com 和 *.dev.example.com:
<VirtualHost *:443>
ServerName site.example.com
SSLEngine on
SSLProxyEngine on
SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
SSLCertificateFile /etc/apache2/ssl/certs/example.crt
SSLCertificateKeyFile /etc/apache2/ssl/private/example.key
ProxyPreserveHost on
ProxyPass / http://192.168.1.101:8073/
ProxyPassReverse / http://192.168.1.101:8073/
</VirtualHost>
<VirtualHost *:443>
ServerName site.dev.example.com
SSLEngine on
SSLProxyEngine on
SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
SSLCertificateFile /etc/apache2/ssl/certs/dev_example.crt
SSLCertificateKeyFile /etc/apache2/ssl/private/dev_example.key
ProxyPreserveHost on
ProxyPass / http://192.168.1.102:8073/
ProxyPassReverse / http://192.168.1.102:8073/
</VirtualHost>
<VirtualHost *:443>
ServerAlias *.dev.example.com
SSLEngine on
SSLProxyEngine on
SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
SSLCertificateFile /etc/apache2/ssl/certs/dev_example.crt
SSLCertificateKeyFile /etc/apache2/ssl/private/dev_example.key
<Proxy balancer://devcluster>
BalancerMember http://192.168.1.201:8182
BalancerMember http://192.168.1.202:8182
</Proxy>
ProxyPass / balancer://devcluster/
ProxyPassReverse / balancer://devcluster/
</VirtualHost>
<VirtualHost *:443>
ServerAlias *.example.com
SSLEngine on
SSLProxyEngine on
SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
SSLCertificateFile /etc/apache2/ssl/certs/example.crt
SSLCertificateKeyFile /etc/apache2/ssl/private/example.key
<Proxy balancer://mycluster>
BalancerMember http://192.168.1.203:8182
BalancerMember http://192.168.1.204:8182
</Proxy>
ProxyPass / balancer://mycluster/
ProxyPassReverse / balancer://mycluster/
</VirtualHost>
访问网站时,我得到以下信息:
site.example.com 具有来自 example.crt
[ 的 *.example.com 的有效证书=38=]
site.dev.example.com 具有来自 dev_example.crt[ 的 *.dev.example.com 的有效证书=11=]
anything.dev.example.com 具有来自 dev_example.crt[ 的 *.dev.example.com 的有效证书=11=]
但是 任何东西。example.com 获得了 *.dev 的无效证书。example.com from dev_example.crt spceified in *.dev.example.com virtual host
看起来虚拟主机 "ServerAlias *.example.com" 正在选取虚拟主机 "ServerAlias *.dev.example.com"
中指定的证书
是 Apache 故障还是我的配置有问题?
您需要为每个 SSL 虚拟主机选择一个唯一的 ServerName,即使您希望 ServerAlias 代表您的需要。 mod_ssl 使用服务器名称作为 SNI 的密钥。
我有以下带有两个 SSL 证书的虚拟主机配置 对于域 *.example.com 和 *.dev.example.com:
<VirtualHost *:443>
ServerName site.example.com
SSLEngine on
SSLProxyEngine on
SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
SSLCertificateFile /etc/apache2/ssl/certs/example.crt
SSLCertificateKeyFile /etc/apache2/ssl/private/example.key
ProxyPreserveHost on
ProxyPass / http://192.168.1.101:8073/
ProxyPassReverse / http://192.168.1.101:8073/
</VirtualHost>
<VirtualHost *:443>
ServerName site.dev.example.com
SSLEngine on
SSLProxyEngine on
SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
SSLCertificateFile /etc/apache2/ssl/certs/dev_example.crt
SSLCertificateKeyFile /etc/apache2/ssl/private/dev_example.key
ProxyPreserveHost on
ProxyPass / http://192.168.1.102:8073/
ProxyPassReverse / http://192.168.1.102:8073/
</VirtualHost>
<VirtualHost *:443>
ServerAlias *.dev.example.com
SSLEngine on
SSLProxyEngine on
SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
SSLCertificateFile /etc/apache2/ssl/certs/dev_example.crt
SSLCertificateKeyFile /etc/apache2/ssl/private/dev_example.key
<Proxy balancer://devcluster>
BalancerMember http://192.168.1.201:8182
BalancerMember http://192.168.1.202:8182
</Proxy>
ProxyPass / balancer://devcluster/
ProxyPassReverse / balancer://devcluster/
</VirtualHost>
<VirtualHost *:443>
ServerAlias *.example.com
SSLEngine on
SSLProxyEngine on
SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
SSLCertificateFile /etc/apache2/ssl/certs/example.crt
SSLCertificateKeyFile /etc/apache2/ssl/private/example.key
<Proxy balancer://mycluster>
BalancerMember http://192.168.1.203:8182
BalancerMember http://192.168.1.204:8182
</Proxy>
ProxyPass / balancer://mycluster/
ProxyPassReverse / balancer://mycluster/
</VirtualHost>
访问网站时,我得到以下信息:
site.example.com 具有来自 example.crt
[ 的 *.example.com 的有效证书=38=]site.dev.example.com 具有来自 dev_example.crt[ 的 *.dev.example.com 的有效证书=11=]
anything.dev.example.com 具有来自 dev_example.crt[ 的 *.dev.example.com 的有效证书=11=]
但是 任何东西。example.com 获得了 *.dev 的无效证书。example.com from dev_example.crt spceified in *.dev.example.com virtual host
看起来虚拟主机 "ServerAlias *.example.com" 正在选取虚拟主机 "ServerAlias *.dev.example.com"
中指定的证书是 Apache 故障还是我的配置有问题?
您需要为每个 SSL 虚拟主机选择一个唯一的 ServerName,即使您希望 ServerAlias 代表您的需要。 mod_ssl 使用服务器名称作为 SNI 的密钥。