How do I use two different certificates on the same Apache2 server with VirtualHost?

Posted 2024-08-07 23:00:24


I get a certificate from Gandi for the domain www.mondomaine.fr, but for sql.mondomaine.fr I wanted to use a self-signed SSL certificate.

If I activate sql.mondomaine.fr, www.mondomaine.fr uses the self-signed certificate instead of Gandi's.

If I deactivate the sql. one, everything works fine.

How can I manage the use of different certificates?

It seems that the first VirtualHost configuration is taken for every SSL VirtualHost.

Thank you for your help.

Here is my configuration:

For PHPMyAdmin:

<VirtualHost *:443>
    # Path to the web data
    DocumentRoot /usr/share/phpmyadmin

    ServerName sql.mondomaine.fr

    SSLEngine On
    SSLCertificateFile /etc/apache2/ssl/phpmyadmin.pem
</VirtualHost>

For mondomaine.fr:

<VirtualHost *:443>
    ServerName www.mondomaine.fr
    DocumentRoot /var/www/mondomaine/
    CustomLog /var/log/apache2/secure_access.log combined

    SSLEngine on
    SSLCertificateFile /etc/ssl/mondomaine.fr.crt
    SSLCertificateKeyFile /etc/ssl/mondomaine.fr.key
    SSLCACertificateFile /etc/ssl/GandiStandardSSLCA.pem
    SSLVerifyClient None
</VirtualHost>

The configuration is correct, because if the first VirtualHost read is the one with PHPMyAdmin.pem, mod_ssl uses that one, and if the first VirtualHost is the one with mondomaine.fr.crt, Apache uses that one.


Comments (2)

旧街凉风 2024-08-14 23:00:24


You're running up against a general problem with HTTP over SSL - when a client connects, it specifies which host it wants to connect to using the Host: HTTP header, but that only comes after the SSL handshake (when the certificate is presented) has completed. Recent versions of TLS support extensions (specified in RFC 4366) which allow the client to specify what host it is intending to connect to during the SSL handshake, with the specific intent of supporting vhosts; to quote the RFC:

"""
TLS does not provide a mechanism for a client to tell a server the
name of the server it is contacting. It may be desirable for clients
to provide this information to facilitate secure connections to
servers that host multiple 'virtual' servers at a single underlying
network address.
"""

According to Wikipedia, recent versions of Firefox, Opera, IE, Chrome, and Safari support this extension; other clients would still not send the extension, and you're out of luck there. You also have to use at least TLS 1.1 to enable extensions support.

There is some documentation on how to set this up with Apache; you may have to rebuild OpenSSL and/or Apache with specific options, depending on your local setup.

风筝有风,海豚有海 2024-08-14 23:00:24


It depends on how you created your certificate. If you bought it only for the www subdomain, it won't work for sql.
What you need to do is make it allow any subdomain, but AFAIK those certificates are more expensive.

On the other hand, you can use your own certificate; you only need to be sure about what you are putting in when you create your VirtualHost:

<VirtualHost XXX.XXX.XXX.XXX:443>
    ServerName www.mondomaine.fr
    # Gandi's certificate
</VirtualHost>

<VirtualHost XXX.XXX.XXX.XXX:443>
    ServerName sql.mondomaine.fr
    # your own certificate stuff
</VirtualHost>