Apache 2.4 is messing up with SSL certificates

I have the following virtual hosts configuration with two SSL certificates for domains *.example.com and *.dev.example.com:

<VirtualHost *:443>
    ServerName site.example.com

    SSLEngine on
    SSLProxyEngine on
    SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
    SSLCertificateFile    /etc/apache2/ssl/certs/example.crt
    SSLCertificateKeyFile /etc/apache2/ssl/private/example.key

    ProxyPreserveHost on
    ProxyPass / http://192.168.1.101:8073/
    ProxyPassReverse / http://192.168.1.101:8073/
</VirtualHost>

<VirtualHost *:443>
    ServerName site.dev.example.com

    SSLEngine on
    SSLProxyEngine on
    SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
    SSLCertificateFile    /etc/apache2/ssl/certs/dev_example.crt
    SSLCertificateKeyFile /etc/apache2/ssl/private/dev_example.key

    ProxyPreserveHost on
    ProxyPass / http://192.168.1.102:8073/
    ProxyPassReverse / http://192.168.1.102:8073/
</VirtualHost>

<VirtualHost *:443>
    ServerAlias *.dev.example.com

    SSLEngine on
    SSLProxyEngine on
    SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
    SSLCertificateFile    /etc/apache2/ssl/certs/dev_example.crt
    SSLCertificateKeyFile /etc/apache2/ssl/private/dev_example.key

    <Proxy balancer://devcluster>
        BalancerMember http://192.168.1.201:8182 
        BalancerMember http://192.168.1.202:8182 
    </Proxy>    
    ProxyPass / balancer://devcluster/
    ProxyPassReverse / balancer://devcluster/
</VirtualHost>

<VirtualHost *:443>
    ServerAlias *.example.com

    SSLEngine on
    SSLProxyEngine on
    SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
    SSLCertificateFile    /etc/apache2/ssl/certs/example.crt
    SSLCertificateKeyFile /etc/apache2/ssl/private/example.key

    <Proxy balancer://mycluster>
        BalancerMember http://192.168.1.203:8182 
        BalancerMember http://192.168.1.204:8182 
    </Proxy>    
    ProxyPass / balancer://mycluster/
    ProxyPassReverse / balancer://mycluster/
</VirtualHost>

When accessing web sites I get the following:

  1. site.example.com has a valid certificate for *.example.com from example.crt

  2. site.dev.example.com has a valid certificate for *.dev.example.com from dev_example.crt

  3. anything.dev.example.com has a valid certificate for *.dev.example.com from dev_example.crt

  4. but anything.example.com gets an invalid certificate for *.dev.example.com from dev_example.crt specified in the *.dev.example.com virtual host

Looks like virtual host "ServerAlias *.example.com" is picking the certificate specified in virtual host "ServerAlias *.dev.example.com"

Is it an Apache glitch or something wrong with my configuration?

You need to pick a unique ServerName for each SSL virtual host, even if you expect the ServerAlias to represent what you need. mod_ssl uses the servername as a key for SNI.
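An added example, not part of the original question or answer: a small Python check that flags SSL-enabled VirtualHost blocks that have no ServerName of their own, or that repeat a ServerName on the same address, which is the condition the answer describes. The function names and the reduced sample config are constructed for illustration; the check reads a single config text and does not follow Include directives.

```python
import re
from collections import defaultdict

# Constructed sample: the question's two wildcard vhosts, relevant directives only.
SAMPLE_CONF = """\
<VirtualHost *:443>
    ServerAlias *.dev.example.com
    SSLEngine on
</VirtualHost>
<VirtualHost *:443>
    ServerAlias *.example.com
    SSLEngine on
</VirtualHost>
"""

def parse_vhosts(conf):
    """Return one dict per <VirtualHost> block found in the config text."""
    vhosts, cur = [], None
    for lineno, raw in enumerate(conf.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        key, *args = line.lower().split()  # directive names are case-insensitive
        if opened:
            cur = {"addr": opened.group(1).strip(), "line": lineno,
                   "name": None, "aliases": [], "ssl": False}
        elif key == "</virtualhost>" and cur is not None:
            vhosts.append(cur)
            cur = None
        elif cur is not None and key == "servername" and args:
            cur["name"] = args[0]
        elif cur is not None and key == "serveralias":
            cur["aliases"] += args
        elif cur is not None and key == "sslengine" and args:
            cur["ssl"] = args[0] == "on"
    return vhosts

def lint_ssl_vhosts(conf):
    """Flag SSL vhosts lacking their own ServerName or reusing one per address."""
    findings, seen = [], defaultdict(list)
    for vh in (v for v in parse_vhosts(conf) if v["ssl"]):
        if vh["name"] is None:
            findings.append((vh["line"], "missing ServerName", vh["aliases"]))
        else:
            seen[(vh["addr"], vh["name"])].append(vh["line"])
    for (_addr, name), lines in seen.items():
        findings += [(ln, "duplicate ServerName " + name, []) for ln in lines[1:]]
    return sorted(findings)
```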
