Apache 2.4搞砸了SSL證書

Question

我具有以下虛擬主機配置，其中兩個SSL證書用於域* .example.com和* .dev.example.com：

<VirtualHost *:443>
    ServerName site.example.com

    SSLEngine on
    SSLProxyEngine on
    SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
    SSLCertificateFile    /etc/apache2/ssl/certs/example.crt
    SSLCertificateKeyFile /etc/apache2/ssl/private/example.key

    ProxyPreserveHost on
    ProxyPass / http://192.168.1.101:8073/
    ProxyPassReverse / http://192.168.1.101:8073/
</VirtualHost>

<VirtualHost *:443>
    ServerName site.dev.example.com

    SSLEngine on
    SSLProxyEngine on
    SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
    SSLCertificateFile    /etc/apache2/ssl/certs/dev_example.crt
    SSLCertificateKeyFile /etc/apache2/ssl/private/dev_example.key

    ProxyPreserveHost on
    ProxyPass / http://192.168.1.102:8073/
    ProxyPassReverse / http://192.168.1.102:8073/
</VirtualHost>

<VirtualHost *:443>
    ServerAlias *.dev.example.com

    SSLEngine on
    SSLProxyEngine on
    SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
    SSLCertificateFile    /etc/apache2/ssl/certs/dev_example.crt
    SSLCertificateKeyFile /etc/apache2/ssl/private/dev_example.key

    <Proxy balancer://devcluster>
        BalancerMember http://192.168.1.201:8182 
        BalancerMember http://192.168.1.202:8182 
    </Proxy>    
    ProxyPass / balancer://devcluster/
    ProxyPassReverse / balancer://devcluster/
</VirtualHost>

<VirtualHost *:443>
    ServerAlias *.example.com

    SSLEngine on
    SSLProxyEngine on
    SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
    SSLCertificateFile    /etc/apache2/ssl/certs/example.crt
    SSLCertificateKeyFile /etc/apache2/ssl/private/example.key

    <Proxy balancer://mycluster>
        BalancerMember http://192.168.1.203:8182 
        BalancerMember http://192.168.1.204:8182 
    </Proxy>    
    ProxyPass / balancer://mycluster/
    ProxyPassReverse / balancer://mycluster/
</VirtualHost>

訪問網站時，我得到以下信息：

1. site.example.com具有來自example.crt的* .example.com的有效證書

2. site.dev.example.com具有來自dev_example.crt的* .dev.example.com的有效證書

3. anything.dev.example.com具有dev_example.crt為* .dev.example.com有效證書

4. 但 anything.example.com從dev_example.crt在spceified變得無效證書* .dev.example.com * .dev.example.com虛擬主機

看起來虛擬主機“ ServerAlias * .example.com”正在選擇虛擬主機“ ServerAlias * .dev.example.com”中指定的證書

是Apache故障還是我的配置有問題？

Answer 1

您需要為每個SSL虛擬主機選擇唯一的ServerName，即使您希望ServerAlias能夠代表所需的內容。 mod_ssl使用服務器名稱作為SNI的密鑰。