RHEL/Apache ssl.conf configuration problem

Posted on 2024-07-29 05:47:59 · 2071 characters · 2 views · 0 comments

We've got multiple subdomains, each with its own virtualhost entry in httpd.conf and (for those supporting https) in ssl.conf as well. Our main www subdomain has a GoDaddy cert associated with it. The subdomain I'm configuring right now on our dev server ("api.bulbstorm.com") has an ssl.conf virtualhost entry that looks like this:

<VirtualHost 172.16.247.153:443>
  DocumentRoot "/var/www/api"
  ServerName api.bulbstorm.com:443
  ErrorLog logs/api-error_log
  CustomLog logs/api-access_log common
  LogLevel warn
  SSLEngine on
  SSLProtocol all -SSLv2
  SSLCertificateFile /var/www/certs/api/server.crt
  SSLCertificateKeyFile /var/www/certs/api/server.key
  <Files ~ "\.(cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars
  </Files>
  <Directory "/var/www/cgi-bin">
    SSLOptions +StdEnvVars
  </Directory>
  <Directory "/var/www/api">
    Options +FollowSymLinks
    RewriteEngine On
    AllowOverride All
    Order allow,deny
    Allow from all
  </Directory>
  php_value include_path "/var/www/inc"
  SetEnvIf User-Agent ".*MSIE.*" \
    nokeepalive ssl-unclean-shutdown \
    downgrade-1.0 force-response-1.0
  CustomLog logs/ssl_request_log \
    "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>

... the crt & key files in /var/www/certs/api/ were generated using openssl per instructions found here.

The api subdomain originally pointed to the godaddy cert for the www subdomain. But even though I've changed the virtualhost entry associated with the api subdomain to point to the self-signed certificate/key pair (and have restarted httpd, completely cleared browser settings related to the previous exception for the godaddy cert, etc.), browsers are still throwing warnings saying that the cert is for the www domain. When I look at the cert the browsers are pulling, it looks like they're still getting the godaddy cert.

Higher up in the ssl.conf file there are these lines:

SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key

This cert/key pair is different than the godaddy cert/key pair referenced in the virtualhost entry for the www subdomain, which looks like this:

SSLCertificateFile /etc/www.bulbstorm.com_ssl/www.bulbstorm.com.crt
SSLCertificateKeyFile /etc/www.bulbstorm.com_ssl/www.bulbstorm.com.key
SSLCertificateChainFile /etc/www.bulbstorm.com_ssl/gd_intermediate_bundle.crt

Any light that anyone can shed on the issue I'm having will be appreciated.
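
A check that fits the situation described in the question, as an added example that is not part of the original post: it lists, in file order, which `SSLCertificateFile` each `<VirtualHost>` block references and which blocks share an address:port, since Apache falls back to the first block listed for an address:port when it cannot match the request by name. The sample config is constructed from the question's snippets; the address on the www block is an assumption, because the post does not show it.

```python
import re

# Constructed sample modelled on the snippets in the question. The address on
# the www block is an assumption; the post does not show that line.
SAMPLE_SSL_CONF = r'''
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
<VirtualHost 172.16.247.153:443>
  ServerName www.bulbstorm.com:443
  SSLCertificateFile /etc/www.bulbstorm.com_ssl/www.bulbstorm.com.crt
</VirtualHost>
<VirtualHost 172.16.247.153:443>
  ServerName api.bulbstorm.com:443
  SSLCertificateFile /var/www/certs/api/server.crt
  SetEnvIf User-Agent ".*MSIE.*" \
    nokeepalive ssl-unclean-shutdown
</VirtualHost>
'''

def parse_vhosts(text):
    """Return blocks in file order; index 0 holds directives outside any <VirtualHost>."""
    text = re.sub(r"\\\r?\n", " ", text)  # join backslash-continued lines
    server = {"address": "(server)", "name": None, "cert": None}
    blocks, current = [server], server
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        parts = line.split(None, 1)
        key, value = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if opened:
            current = {"address": opened.group(1).strip(), "name": None, "cert": None}
            blocks.append(current)
        elif key.startswith("</virtualhost"):
            current = server
        elif key == "servername":
            current["name"] = value.strip().strip('"')
        elif key == "sslcertificatefile":
            current["cert"] = value.strip().strip('"')
    return blocks

def shared_listeners(blocks):
    """Map address:port -> blocks in file order, only where more than one block uses it."""
    groups = {}
    for block in blocks[1:]:
        groups.setdefault(block["address"], []).append(block)
    return {addr: grp for addr, grp in groups.items() if len(grp) > 1}

if __name__ == "__main__":
    for addr, grp in shared_listeners(parse_vhosts(SAMPLE_SSL_CONF)).items():
        print(addr, "first block:", grp[0]["name"], grp[0]["cert"])
```

Run against the real file, the output can be compared with the certificate the browser reports to see whether it matches the first block for that address rather than the api block.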

Comments (1)

菊凝晚露 2024-08-05 05:47:59

The "answer" to this question was to repost it on serverfault.com.
