Qualys SSL Labs report for the default virtual host shows a certificate mismatch with the second virtual host's certificate on a single IP

I have two name-based virtual hosts on a single IP. A Qualys SSL Labs test against the first virtual host (the default) reports a certificate mismatch for the second virtual host's canonical name and says "This site works only with SNI support". If I disable the second virtual host, the test completes correctly. My test with openssl s_client reports no problems:

CONNECTED(00000005)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = www.mydomain.com
verify return:1
---
Certificate chain
0 s:CN = www.mydomain.com
i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
Server certificate
subject=CN = www.mydomain.com
issuer=C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3628 bytes and written 401 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 4096 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol  : TLSv1.3
Cipher    : TLS_AES_256_GCM_SHA384
Session-ID: 19XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX07
Session-ID-ctx: 
Resumption PSK: FXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXE
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - b6 72 41 25 a1 5f c8 bd-7b 8f fb 8c fc c2 0d f8   .rA%._..{.......
.............................................................................
00f0 - 00 66 31 2a a3 9e 1c 73-95 16 56 b8 71 45 32 cc   .f1*...s..V.qE2.
Start Time: 1578821067
Timeout   : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol  : TLSv1.3
Cipher    : TLS_AES_256_GCM_SHA384
Session-ID: F0XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXC6
Session-ID-ctx: 
Resumption PSK: DXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX5E
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - b6 72 41 25 a1 5f c8 bd-7b 8f fb 8c fc c2 0d f8   .rA%._..{.......
0010 - 03 94 2e 7e bb e9 58 3d-64 ad 31 73 50 03 5f 91   ...~..X=d.1sP._.
.................................................................................
00f0 - 20 83 7f 51 a0 e7 88 c8-f6 05 23 55 6e e3 34 c6    ..Q......#Un.4.
Start Time: 1578821067
Timeout   : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK

My default virtualhost has a ServerName www.mydomain.com directive in apache2.conf and its virtualhost file has one too.
The Qualys SSL Labs test for www.mydomain.com reports an `Alternative names  www.mysecond-domain.com   MISMATCH`.
I don't understand why Qualys SSL LABS keeps on involving the second virtualhost when I'm testing the default virtualhost.
Regards

You must enable and configure default-ssl.conf in /etc/apache2/sites-available, in my case on Ubuntu 18.04. Don't use 000-default-ssl.conf. I assume the virtual hosts are already configured properly. With the a2ensite command you can enable default-ssl.conf. Then edit and change the configuration. You must make sure the virtual host is <VirtualHost *:443> and not <VirtualHost _default_:443>.

Check this configuration. This will make SNI work. Hope you can solve it.

nano /etc/apache2/sites-available/default-ssl.conf

<IfModule mod_ssl.c>
    # <VirtualHost _default_:443>
    <VirtualHost *:443>
        ServerAdmin webmaster@localhost

        # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
        # error, crit, alert, emerg.
        # It is also possible to configure the loglevel for particular
        # modules, e.g.
        LogLevel info ssl:warn
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        # For most configuration files from conf-available/, which are
        # enabled or disabled at a global level, it is possible to
        # include a line for only one particular virtual host. For example the
        # following line enables the CGI configuration for this host only
        # after it has been globally disabled with "a2disconf".
        #Include conf-available/serve-cgi-bin.conf

        #   SSL Engine Switch:
        #   Enable/Disable SSL for this virtual host.
        SSLEngine on

        #   A self-signed (snakeoil) certificate can be created by installing
        #   the ssl-cert package. See
        #   /usr/share/doc/apache2/README.Debian.gz for more info.
        #   If both key and certificate are stored in the same file, only the
        #   SSLCertificateFile directive is needed.
        SSLCertificateFile      /etc/ssl/certs/ssl-cert-snakeoil.pem
        SSLCertificateKeyFile   /etc/ssl/private/ssl-cert-snakeoil.key

        #   Server Certificate Chain:
        #   Point SSLCertificateChainFile at a file containing the
        #   concatenation of PEM encoded CA certificates which form the
        #   certificate chain for the server certificate. Alternatively
        #   the referenced file can be the same as SSLCertificateFile
        #   when the CA certificates are directly appended to the server
        #   certificate for convenience.
        #SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt

        #   Certificate Authority (CA):
        #   Set the CA certificate verification path where to find CA
        #   certificates for client authentication or alternatively one
        #   huge file containing all of them (file must be PEM encoded)
        #   Note: Inside SSLCACertificatePath you need hash symlinks
        #         to point to the certificate files. Use the provided
        #         Makefile to update the hash symlinks after changes.
        SSLCACertificatePath /etc/ssl/certs/
        #SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt

        #   Certificate Revocation Lists (CRL):
        #   Set the CA revocation path where to find CA CRLs for client
        #   authentication or alternatively one huge file containing all
        #   of them (file must be PEM encoded)
        #   Note: Inside SSLCARevocationPath you need hash symlinks
        #         to point to the certificate files. Use the provided
        #         Makefile to update the hash symlinks after changes.
        #SSLCARevocationPath /etc/apache2/ssl.crl/
        #SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl

        #   SSL Engine Options:
        #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
        <FilesMatch "\.(cgi|shtml|phtml|php)$">
            SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory /usr/lib/cgi-bin>
            SSLOptions +StdEnvVars
        </Directory>

    </VirtualHost>
</IfModule>

You can also set it in ports.conf (/etc/apache2/ports.conf):

Listen 80
<IfModule mod_ssl.c>
    Listen 443
</IfModule>

<IfModule mod_gnutls.c>
    Listen 443
</IfModule>

Make sure mod_ssl.c and mod_gnutls.c are enabled. If not, run a2enmod mod_ssl.c and a2enmod mod_gnutls.c. Then run systemctl reload apache2.
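To see what SSL Labs sees, the handshake has to be repeated without the server_name extension, which the TLS 1.3 `openssl s_client` run in the question sends by default; this added Python script (not part of the question or the answer) performs both handshakes and classifies the result, with `diagnose()` mirroring the "works only with SNI" verdict that appears once the default vhost stops answering for the tested name. The hostname is taken from the command line; no names, ports or files from the page are assumed.

```python
import socket
import ssl
import sys
from typing import Optional

def fetch_cert(host: str, port: int = 443, sni: Optional[str] = None) -> dict:
    """Return the leaf certificate the server presents on this connection.
    sni=None sends no server_name extension, i.e. behaves like a client
    without SNI support, so the server must fall back to its default vhost."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False           # names are compared explicitly below
    ctx.verify_mode = ssl.CERT_REQUIRED  # the chain itself must still verify
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni) as tls:
            return tls.getpeercert()

def cert_names(cert: dict) -> list:
    """Collect the subject CN plus every DNS subjectAltName (getpeercert() layout)."""
    names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    names += [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return names

def name_matches(hostname: str, names: list) -> bool:
    """Exact or single-label wildcard match, case-insensitive."""
    host = hostname.lower().rstrip(".")
    for n in names:
        n = n.lower()
        if n == host:
            return True
        if n.startswith("*.") and "." in host and host.split(".", 1)[1] == n[2:]:
            return True
    return False

def diagnose(hostname: str, cert_with_sni: dict, cert_without_sni: dict) -> str:
    """Classify the certificate pair the way the SSL Labs verdict does."""
    with_ok = name_matches(hostname, cert_names(cert_with_sni))
    without_ok = name_matches(hostname, cert_names(cert_without_sni))
    if with_ok and without_ok:
        return "ok"                   # default vhost already serves this name
    if with_ok:
        return "works-only-with-sni"  # non-SNI clients get another vhost's cert
    return "mismatch"

def sni_report(hostname: str, port: int = 443) -> dict:
    """Perform both handshakes against a live server and summarise the result."""
    with_sni = fetch_cert(hostname, port, sni=hostname)
    without_sni = fetch_cert(hostname, port, sni=None)
    return {"with_sni": cert_names(with_sni),
            "without_sni": cert_names(without_sni),
            "verdict": diagnose(hostname, with_sni, without_sni)}

if __name__ == "__main__":
    print(sni_report(sys.argv[1]))
```

Run it as `python3 sni_check.py www.example.org` against the server; a verdict of `works-only-with-sni` means the non-SNI handshake landed on another virtual host, which is exactly what the corrected `<VirtualHost *:443>` default is meant to fix.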
