SSL配置- Lightsail

Question

无法让SSL在Amazon上使用加密(certbot --apache)

• 光帆图像Centos7
• 添加Apache2

注意：(example.com，subdomain.example.com不是我的域名，我是匿名的)

以下是我所采取的故障排除步骤。

• 我能确认443是用netcat打开的，
• apache正在使用lsof -i -P -n | grep LISTEN监听
• 从另一个系统echo | openssl s_client -showcerts -servername example.com -connect gnupg.org:443 2>/dev/null | openssl x509 -inform pem -noout -text运行此命令将显示一个加密证书(我不知道如何验证它)
• chrome显示“此站点无法提供安全连接。example.com发送了无效的响应. ERR_SSL_PROTOCOL_ERROR
• 这个测试工具https://www.ssllabs.com/ssltest/analyze.html给出了“评估失败:不支持安全协议”的结果
• 以下是我安装certbot https://certbot.eff.org/lets-encrypt/centosrhel7-apache所遵循的说明

我的SSL配置：

<IfModule mod_ssl.c>
    SSLSessionCache         shmcb:/run/httpd/sslcache(512000)
    SSLSessionCacheTimeout  300
    SSLRandomSeed startup file:/dev/urandom  256
    SSLRandomSeed connect builtin
    SSLCryptoDevice builtin

    <VirtualHost example.com:443>
        # This first-listed virtual host is also the default for *:80
        SSLEngine on
        SSLProtocol all -SSLv2 -SSLv3
        SSLCipherSuite HIGH:3DES:!aNULL:!MD5:!SEED:!IDEA

        ServerName example.com
        ServerAlias example.com
        DocumentRoot "/var/www/html/com.example"
        SSLCertificateFile /etc/letsencrypt/live/example.com/cert.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
        Include /etc/letsencrypt/options-ssl-apache.conf
        SSLCertificateChainFile /etc/letsencrypt/live/example.com/chain.pem
    </VirtualHost>
    </IfModule>
    <IfModule mod_ssl.c>
    <VirtualHost subdomain.example.com:443>
        SSLEngine on
        SSLProtocol all -SSLv2 -SSLv3
        SSLCipherSuite HIGH:3DES:!aNULL:!MD5:!SEED:!IDEA

        ServerName subdomain.example.com
        ServerAlias subdomain.example.com
        DocumentRoot "/var/www/html/com.example.subdomain/"
        SSLCertificateFile /etc/letsencrypt/live/example.com/cert.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
        Include /etc/letsencrypt/options-ssl-apache.conf
        SSLCertificateChainFile /etc/letsencrypt/live/example.com/chain.pem
    </VirtualHost>
</IfModule>

#certbot证书

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: example.com
    Serial Number:XXXXXXXXXXXXXXXXXXXXXXXX
    Key Type: RSA
    Domains: example.com subdomain.example.com
    Expiry Date: 2021-04-16 18:02:53+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/example.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/example.com/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

加载apache模块：

core mod_so http_core mod_access_compat mod_actions mod_alias mod_allowmethods mod_auth_basic mod_auth_digest mod_authn_anon mod_authn_core mod_authn_dbd mod_authn_dbm mod_authn_file mod_authn_socache mod_authz_core mod_authz_dbd mod_authz_dbm mod_authz_groupfile mod_authz_host mod_authz_owner mod_authz_user mod_autoindex mod_cache mod_cache_disk mod_data mod_dbd mod_deflate mod_dir mod_dumpio mod_echo mod_env mod_expires mod_ext_filter mod_filter mod_headers mod_include mod_info mod_log_config mod_logio mod_mime_magic mod_mime mod_negotiation mod_remoteip mod_reqtimeout mod_rewrite mod_setenvif mod_slotmem_plain mod_slotmem_shm mod_socache_dbm mod_socache_memcache mod_socache_shmcb mod_status mod_substitute mod_suexec mod_unique_id mod_unixd mod_userdir mod_version mod_vhost_alias mod_dav mod_dav_fs mod_dav_lock mod_lua prefork mod_proxy mod_lbmethod_bybusyness mod_lbmethod_byrequests mod_lbmethod_bytraffic mod_lbmethod_heartbeat mod_proxy_ajp mod_proxy_balancer mod_proxy_connect mod_proxy_express mod_proxy_fcgi mod_proxy_fdpass mod_proxy_ftp mod_proxy_http mod_proxy_scgi mod_proxy_wstunnel mod_ssl mod_systemd mod_cgi mod_php5

Answer 1

有几件事解决了这个问题的答案。

1. 确保有一个将解析www.yourdomain.com -certbot的虚拟主机条目需要这样做。
2. 每个配置文件只有一个虚拟主机- certbot在每个文件有多个条目时添加配置时有问题。
3. 在我的例子中，主域和子域被解析为不同的IP地址和服务器(测试和开发/生产)。certbot无法自动完成此操作，要么手动配置apache，要么为这两个服务器设置DNS，运行certbot，然后将配置和证书复制到另一个服务器，然后再次更改DNS。