Intermediate certificate problem when configuring SSL
I have trouble installing the SSL certificate in a server.
The vhost file looks like this:
```apache
<VirtualHost <ip>:443>
DocumentRoot /var/www/html2
ServerName www.yourdomain.com
SSLEngine on
SSLCertificateFile /path/to/your_domain_name.crt
SSLCertificateKeyFile /path/to/your_private.key
SSLCertificateChainFile /path/to/YourIntermediateCertificate.crt
</VirtualHost>
```
I have tried SSL checker and the results are as follows.
The error it shows is:
The certificate is not trusted in all web browsers. You may need to
install an Intermediate/chain certificate to link it to a trusted root
certificate. Learn more about this error. The fastest way to fix this
problem is to contact your SSL provider.
An intermediate certificate is already installed. The common name for the server in the image should be the same as the host name. I am not sure why it is "CloudFlare Origin Certificate". I need help in solving this issue. Thanks!!
I have researched and found an answer for this issue.
To resolve the issue we need to enable the proxy for all A, AAAA, and CNAME records using the Cloudflare dashboard. Below is the explanation of why to enable the proxy.
Normally, the request hits the origin (server) directly and the response is served. To encrypt this communication we use an SSL certificate. But the SSL certificate is also used for the identity of the origin server. Here, in the above case, no chain certificate file is provided to identify the origin server, i.e. yourdomain.com; rather, the certificate is issued to Cloudflare.
After enabling the proxy, the request hits Cloudflare and the same request is sent to the origin server; the response from the origin server is received by the Cloudflare proxy and sent to the user. In this way the user's browser treats the Cloudflare proxy as the origin server and identifies Cloudflare, since it has its own SSL (we don't need to bother).
After enabling the proxy, we don't need any chain certificate file installed on the origin server. We just need to install the server certificate issued by Cloudflare.
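Why the SSL checker rejects the certificate while Cloudflare's edge accepts it can be reproduced offline with Go's crypto/x509. This is an added example, not code from the question or the answer: it builds a constructed test PKI (the CA names are made up, and the "Origin CA" is only a stand-in for Cloudflare's private issuer, not their real CA) and verifies the same server certificate against two different trust stores.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

const host = "www.yourdomain.com" // the vhost's ServerName; the server certificate's SAN must match it

// issue creates a constructed test certificate for cn signed by parent (parent == nil means a self-signed root).
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), IsCA: isCA,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign}
	if !isCA { // server certificate: browsers match the host name against the SAN, not the CN
		tmpl.KeyUsage, tmpl.DNSNames = x509.KeyUsageDigitalSignature, []string{cn}
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// verifyAs does what a browser or the SSL checker does: chain leaf to a root in the trust store (here one root) and match host.
func verifyAs(trustedRoot, leaf *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedRoot)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err // nil means trusted; otherwise e.g. "x509: certificate signed by unknown authority"
}

// verifyCases models the page: a leaf from a public CA, and a leaf from a private origin CA (what Cloudflare
// issues) checked against a browser's store (public root only) and against Cloudflare's (the origin CA).
func verifyCases() (publicLeafInBrowser, originLeafInBrowser, originLeafAtEdge error) {
	publicRoot, publicKey := issue("Public Root CA (constructed)", true, nil, nil)
	publicLeaf, _ := issue(host, false, publicRoot, publicKey)
	originCA, originKey := issue("Origin CA (constructed stand-in for Cloudflare's)", true, nil, nil)
	originLeaf, _ := issue(host, false, originCA, originKey)
	return verifyAs(publicRoot, publicLeaf), verifyAs(publicRoot, originLeaf), verifyAs(originCA, originLeaf)
}
```

The second result is the checker's "not trusted in all web browsers" failure: no SSLCertificateChainFile can fix it, because no public root signs the origin CA, whereas the third result is why the Cloudflare edge accepts the same certificate once the records are proxied.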