
Qualys SSL Labs test of the default virtual host reports a certificate mismatch for the second virtual host's certificate on a single IP

Stack Overflow user
Asked 2020-01-12 18:36:19
1 answer, 118 views, 0 followers, 0 votes

I have two name-based virtual hosts on one IP. The Qualys SSL Labs test on the first virtual host (the default) reports a certificate mismatch for the canonical name of the second virtual host, saying "This site works only with SNI". If I disable the second virtual host, the test finishes correctly. A test I did with openssl s_client reports no problem:

CONNECTED(00000005)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = www.mydomain.com
verify return:1
---
Certificate chain
 0 s:CN = www.mydomain.com
   i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
 1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIGXTCCBUWgAwIBAgISA9y+4P5bPxkfLq3K4eAzMsYXMA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
..............................................................
+/NQyC6DsWJcID5sO7K++GBEl4iyHGQWCHlfY13Vpk8Iz81ov5/hHVtwZSZ60qKD
MRvIfmb9LzBHqdkL/Wjxt7gJC6YtuEYrIoP5+w2vZnLrG2jJCSWj6N8R+vh0Sh8e
qQ==
-----END CERTIFICATE-----
subject=CN = www.mydomain.com

issuer=C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3628 bytes and written 401 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 4096 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 19XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX07
    Session-ID-ctx: 
    Resumption PSK: FXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXE
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - b6 72 41 25 a1 5f c8 bd-7b 8f fb 8c fc c2 0d f8   .rA%._..{.......
.............................................................................
    00f0 - 00 66 31 2a a3 9e 1c 73-95 16 56 b8 71 45 32 cc   .f1*...s..V.qE2.

    Start Time: 1578821067
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: F0XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXC6
    Session-ID-ctx: 
    Resumption PSK: DXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX5E
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - b6 72 41 25 a1 5f c8 bd-7b 8f fb 8c fc c2 0d f8   .rA%._..{.......
    0010 - 03 94 2e 7e bb e9 58 3d-64 ad 31 73 50 03 5f 91   ...~..X=d.1sP._.
.................................................................................
    00f0 - 20 83 7f 51 a0 e7 88 c8-f6 05 23 55 6e e3 34 c6    ..Q......#Un.4.

    Start Time: 1578821067
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK



My default virtualhost has a ServerName www.mydomain.com directive in apache2.conf and its virtualhost file has one too.
The Qualys SSL Labs test for www.mydomain.com reports an `Alternative names  www.mysecond-domain.com   MISMATCH`.
I don't understand why Qualys SSL Labs keeps on involving the second virtualhost when I'm testing the default virtualhost.
Regards
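The finding SSL Labs is describing can be reproduced from the command line by comparing the certificate a host serves when SNI is sent with the one it serves when SNI is absent; the s_client run quoted above only exercised the SNI case. The script below is an added example, not code from the question or from the answer. Its SAMPLE_* transcripts are constructed in the shape of the s_client output above, and the live probe_cn/live_check functions assume OpenSSL 1.1.1 or newer for the -noservername flag.

```shell
#!/bin/sh
# Added example, not part of the original question: reproduce the check
# behind the SSL Labs "works only with SNI" finding by comparing the leaf
# certificate a host serves with SNI against the one it serves without it.
#
# subject_cn  - parses the "subject=" line of openssl s_client output
# classify    - turns the two observed CNs into a verdict
# probe_cn    - live handshake (needs network; not run at top level)
# The SAMPLE_* transcripts are constructed for this example, not captured.

# Print the CN from the first "subject=" line of s_client output on stdin.
# Handles both "subject=CN = host" and "subject=C = US, ..., CN = host".
subject_cn() {
    sed -n 's|^subject=.*CN *= *\([^,/]*\).*|\1|p' | head -n 1
}

# Verdict from the CN served with SNI, the CN served without SNI, and the
# name we expect (the ServerName of the vhost under test).
classify() {
    with_sni=$1; without_sni=$2; expected=$3
    if [ "$with_sni" != "$expected" ]; then
        echo MISMATCH          # wrong certificate even when SNI is sent
    elif [ "$without_sni" != "$expected" ]; then
        echo SNI-ONLY          # right cert with SNI, another vhost's cert without it
    else
        echo OK
    fi
}

# Live probe: CN presented by $1:443 when SNI is $2 (empty $2 = no SNI).
# -noservername exists in OpenSSL 1.1.1+ (assumed; the TLS 1.3 handshake in
# the question implies such a version). Needs network, so not called here.
probe_cn() {
    host=$1; sni=$2
    if [ -n "$sni" ]; then
        printf '' | openssl s_client -connect "$host:443" -servername "$sni" 2>/dev/null | subject_cn
    else
        printf '' | openssl s_client -connect "$host:443" -noservername 2>/dev/null | subject_cn
    fi
}

# Full live check, e.g.: live_check www.mydomain.com
live_check() {
    host=$1
    classify "$(probe_cn "$host" "$host")" "$(probe_cn "$host" "")" "$host"
}

# Constructed transcripts (the relevant part of s_client output only).
SAMPLE_WITH_SNI=$(cat <<'EOF'
Server certificate
subject=CN = www.mydomain.com

issuer=C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
EOF
)

SAMPLE_NO_SNI=$(cat <<'EOF'
Server certificate
subject=CN = www.mysecond-domain.com

issuer=C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
EOF
)

# Offline demonstration of the question's situation: the SNI handshake
# returns the expected certificate, the non-SNI handshake returns the
# second vhost's, so the verdict is SNI-ONLY.
demo() {
    a=$(printf '%s\n' "$SAMPLE_WITH_SNI" | subject_cn)
    b=$(printf '%s\n' "$SAMPLE_NO_SNI" | subject_cn)
    classify "$a" "$b" www.mydomain.com
}

demo
```

A SNI-ONLY verdict is exactly the case in the question: the vhost is served correctly to SNI clients, but a client that sends no server name (or the SSL Labs non-SNI probe) gets whichever vhost Apache treats as the default for that address and port.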

1 Answer

Stack Overflow user

Posted on 2020-07-04 06:04:55

You have to enable and configure default-ssl.conf in /etc/apache2/sites-available; in my case this is Ubuntu 18.04. Do not use 000-default-ssl.conf. I assume the vhosts are already configured. default-ssl.conf can be enabled with the a2ensite command. Then edit and change the configuration. You have to make sure the virtual host is <VirtualHost *:443> and not <VirtualHost _default_:443>.

Check this configuration. This will make SNI work. I hope you can fix it.

nano /etc/apache2/sites-available/default-ssl.conf

<IfModule mod_ssl.c>
        # <VirtualHost _default_:443>
        <VirtualHost *:443>
                ServerAdmin webmaster@localhost

                # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
                # error, crit, alert, emerg.
                # It is also possible to configure the loglevel for particular
                # modules, e.g.
                LogLevel info ssl:warn

                ErrorLog ${APACHE_LOG_DIR}/error.log
                CustomLog ${APACHE_LOG_DIR}/access.log combined

                # For most configuration files from conf-available/, which are
                # enabled or disabled at a global level, it is possible to
                # include a line for only one particular virtual host. For example the
                # following line enables the CGI configuration for this host only
                # after it has been globally disabled with "a2disconf".
                #Include conf-available/serve-cgi-bin.conf

                #   SSL Engine Switch:
                #   Enable/Disable SSL for this virtual host.
                SSLEngine on

                #   A self-signed (snakeoil) certificate can be created by installing
                #   the ssl-cert package. See
                #   /usr/share/doc/apache2/README.Debian.gz for more info.
                #   If both key and certificate are stored in the same file, only the
                #   SSLCertificateFile directive is needed.
                SSLCertificateFile      /etc/ssl/certs/ssl-cert-snakeoil.pem
                SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

                #   Server Certificate Chain:
                #   Point SSLCertificateChainFile at a file containing the
                #   concatenation of PEM encoded CA certificates which form the
                #   certificate chain for the server certificate. Alternatively
                #   the referenced file can be the same as SSLCertificateFile
                #   when the CA certificates are directly appended to the server
                #   certificate for convenience.
                #SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt

                #   Certificate Authority (CA):
                #   Set the CA certificate verification path where to find CA
                #   certificates for client authentication or alternatively one
                #   huge file containing all of them (file must be PEM encoded)
                #   Note: Inside SSLCACertificatePath you need hash symlinks
                #         to point to the certificate files. Use the provided
                #         Makefile to update the hash symlinks after changes.
                SSLCACertificatePath /etc/ssl/certs/
                #SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt

                #   Certificate Revocation Lists (CRL):
                #   Set the CA revocation path where to find CA CRLs for client
                #   authentication or alternatively one huge file containing all
                #   of them (file must be PEM encoded)
                #   Note: Inside SSLCARevocationPath you need hash symlinks
                #         to point to the certificate files. Use the provided
                #         Makefile to update the hash symlinks after changes.
                #SSLCARevocationPath /etc/apache2/ssl.crl/
                #SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl

                #   SSL Engine Options:
                #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
                <FilesMatch "\.(cgi|shtml|phtml|php)$">
                        SSLOptions +StdEnvVars
                </FilesMatch>
                <Directory /usr/lib/cgi-bin>
                        SSLOptions +StdEnvVars
                </Directory>

        </VirtualHost>
</IfModule>

Also set this in /etc/apache2/ports.conf:

Listen 80

<IfModule mod_ssl.c>
        Listen 443
</IfModule>

<IfModule mod_gnutls.c>
        Listen 443
</IfModule>

Make sure mod_ssl.c and mod_gnutls.c are enabled. If not, run a2enmod mod_ssl.c and a2enmod mod_gnutls.c. Then run systemctl reload apache2.

Votes 0
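Whatever the exact directive, the advice in this answer comes down to which virtual host Apache treats as the default for *:443: Apache hands a TLS connection that carries no SNI (or an unknown name) to the first vhost configured for that address and port, and that vhost's certificate is what the SSL Labs non-SNI probe reports on. The script below is an added example, not part of the answer. It parses the "default server" line that apache2ctl -S prints for each address block (Apache 2.4 format) and compares it with the name that should be served; SAMPLE_VHOST_DUMP and the file names in it are constructed, and www.mydomain.com / www.mysecond-domain.com come from the question.

```shell
#!/bin/sh
# Added example, not part of the original answer: find out which virtual
# host Apache uses for a TLS connection without SNI, since that is the
# certificate SSL Labs sees in its non-SNI probe. Apache picks the first
# vhost configured for the address:port, and "apache2ctl -S" reports that
# choice as the "default server" line of each address block.
# SAMPLE_VHOST_DUMP is a constructed dump in apache2ctl -S format
# (Apache 2.4); the file names in it are made up for this example.

# Print the "default server" name for the given port from an apache2ctl -S
# dump read on stdin.
default_server_for() {
    port=$1
    awk -v port="$port" '
        /^[^ \t]/ { addr = $1; next }                  # "ADDR:PORT is a NameVirtualHost"
        $1 == "default" && $2 == "server" && addr ~ (":" port "$") { print $3; exit }
    '
}

# Print every namevhost for the port, in configuration (= load) order.
namevhosts_for() {
    port=$1
    awk -v port="$port" '$1 == "port" && $2 == port && $3 == "namevhost" { print $4 }'
}

# Compare the non-SNI default for a port with the name we expect to serve.
check_default() {
    port=$1; expected=$2
    actual=$(default_server_for "$port")
    if [ "$actual" = "$expected" ]; then
        echo "OK: non-SNI clients on :$port get $actual"
    else
        echo "WRONG DEFAULT: non-SNI clients on :$port get $actual (expected $expected)"
    fi
}

# Constructed apache2ctl -S output for the situation in the question: the
# second domain's site file sorts first in sites-enabled, so it becomes the
# default for *:443 even though www.mydomain.com is the intended default.
SAMPLE_VHOST_DUMP=$(cat <<'EOF'
VirtualHost configuration:
*:443                  is a NameVirtualHost
         default server www.mysecond-domain.com (/etc/apache2/sites-enabled/000-second-domain.conf:2)
         port 443 namevhost www.mysecond-domain.com (/etc/apache2/sites-enabled/000-second-domain.conf:2)
         port 443 namevhost www.mydomain.com (/etc/apache2/sites-enabled/default-ssl.conf:3)
*:80                   is a NameVirtualHost
         default server www.mydomain.com (/etc/apache2/sites-enabled/000-default.conf:1)
         port 80 namevhost www.mydomain.com (/etc/apache2/sites-enabled/000-default.conf:1)
         port 80 namevhost www.mysecond-domain.com (/etc/apache2/sites-enabled/000-second-domain.conf:10)
EOF
)

# Offline demonstration. Against a live server run:
#   apache2ctl -S 2>&1 | check_default 443 www.mydomain.com
demo() {
    printf '%s\n' "$SAMPLE_VHOST_DUMP" | check_default 443 www.mydomain.com
}

demo
```

If the check reports the wrong default, the fix is to make the intended vhost the first one loaded for *:443 (on Debian/Ubuntu, sites-enabled is read in file-name order), or to give every other vhost a certificate that is valid for the name it serves; re-running apache2ctl -S after a reload confirms the change before SSL Labs is consulted again.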
The original page content is provided by Stack Overflow; translation supported by the Tencent Cloud Xiaowei IT-domain engine.
Original link:

https://stackoverflow.com/questions/59702953
