AWS Elastic Load Balancer 的 SSL 证书配置错误
[英]Misconfiguration of SSL Certificate for AWS Elastic Load Balancer
问题描述
I am attempting to configure a SSL certificate to support HTTPS through an AWS ELB.
我正在尝试配置 SSL 证书以通过 AWS ELB 支持 HTTPS。 I have everything configured:我已经配置好了一切:
1) GoDaddy SSL cert configured within AWS ELB (including the certificate chain). 1) 在 AWS ELB 中配置的 GoDaddy SSL 证书(包括证书链)。
2) Have the ELB listeners looking like this: 2) 让 ELB 监听器看起来像这样:
client ---> HTTPS --> ELB port 443 --> HTTP ---> server port 80客户端 ---> HTTPS --> ELB 端口 443 --> HTTP ---> 服务器端口 80
3) Within GoDaddy, created a CNAME entry such as this: 3) 在 GoDaddy 中,创建了一个 CNAME 条目,如下所示:
service.acme.com CNAME to aws-some-region.elb.amazonaws.com service.acme.com CNAME 到 aws-some-region.elb.amazonaws.com
4) If I curl -kv https://service.acme.com/ 4)如果我 curl -kv https://service.acme.com/
* Trying 52.6.xxx.xx...
* Connected to service.acme.com (52.6.xxx.xxx) port 443 (#0)
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate: pixxeen.com
* Server certificate: Go Daddy Secure Certificate Authority - G2
* Server certificate: Go Daddy Root Certificate Authority - G2
> GET / HTTP/1.1
> Host: service.acme.com
> User-Agent: curl/7.43.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Accept-Ranges: bytes
< Content-Type: text/html
< Date: Mon, 22 Feb 2016 14:06:08 GMT
< ETag: W/"154-1455797592000"
< Last-Modified: Thu, 18 Feb 2016 12:13:12 GMT
< Server: Apache-Coyote/1.1
< Content-Length: 154
< Connection: keep-alive
<
<html>
<head>
<title>Acme Service Application</title>
</head>
<body bgcolor=white>
<p>Acme Service Application</p>
</body>
* Connection #0 to host service.acme.com left intact
The HTML is an index.html page that I have deployed for the ELB to request to confirm the EC2 instance is up and running. HTML 是我为 ELB 部署的 index.html 页面,用于请求确认 EC2 实例已启动并正在运行。
However, the problem I am running into is if any mobile client framework hits the service.acme.com service endpoints (okhttp or AFNetworking), I am seeing the following (this is an okhttp call):但是,我遇到的问题是,如果任何移动客户端框架访问 service.acme.com 服务端点(okhttp 或 AFNetworking),我会看到以下内容(这是一个 okhttp 调用):
02-22 08:52:10.513 2564-2564/com.acme W/System.err: javax.net.ssl.SSLPeerUnverifiedException: Hostname service.acme.com not verified:
02-22 08:52:10.513 2564-2564/com.acme W/System.err: certificate: sha1/+axZF3Oyaatuoio5rsmNhUUhOZE=
02-22 08:52:10.513 2564-2564/com.acme W/System.err: DN: CN=acme.com,OU=Domain Control Validated
02-22 08:52:10.513 2564-2564/com.acme W/System.err: subjectAltNames: [acme.com, www.acme.com]
So, does anyone have an idea where I went wrong?那么,有没有人知道我哪里出错了?
I paddled around StackOverflow and ran into this post (one of the most detailed I have seen): Installing SSL cert on Amazon EC2 ELB and it seems to confirm all of the steps I did.我在 StackOverflow 上闲逛,看到了这篇文章(我见过的最详细的文章之一): 在 Amazon EC2 ELB 上安装 SSL 证书,它似乎证实了我所做的所有步骤。
2 个解决方案
解决方案1
1 已采纳 2016-02-22 14:44:11
Your certificate is not valid for the service.acme.com domain name.您的证书对于service.acme.com域名无效。
It's only valid for the exact hosts acme.com and www.acme.com .它仅对确切的主机acme.com和www.acme.com 有效。
You will see this error clearly if you omit the -k (insecure) option of curl (which is not a good test flag since it intentionally ignores most SSL problems)如果省略curl的-k (不安全)选项,您将清楚地看到此错误(这不是一个好的测试标志,因为它有意忽略了大多数 SSL 问题)
解决方案2
0 2019-11-15 11:06:35
The certificate attached to the ELB will be validated against the cname not the ELB name itself.附加到 ELB 的证书将根据 cname 而不是 ELB 名称本身进行验证。 If you have attached the certificate xyzcom to the ELB , than you cname should match xyzcom and not the ELB cname.如果您已将证书 xyzcom 附加到 ELB ,那么您的 cname 应该匹配 xyzcom 而不是 ELB cname。
If you have the wild card cert *.xyzcom , than your cname can be anything.xyzcom to be compliant.如果您有通配符证书 *.xyzcom ,那么您的 cname 可以是任何内容。 xyzcom 以符合要求。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.