當我透過 Qualys 進行 SSL 測試來運行我的網域時,其主要問題是為此網域安裝的第二個 SSL 憑證。但是,我已經查看了我能想到的所有配置,似乎無法猜測為什麼發送第二個憑證。
我在 Debian 10 buster 上使用 nginx(剛剛更新到 1.16.1),我的所有憑證都是由 Let's Encrypt 透過 certbot 提供的。
有問題的網域是 med.mydomain.de,它會報告該網域的憑證(標記為受信任)以及頒發給網域 app.mydomain.de 的第二個憑證(標記為不受信任) )。
當我透過 SSL 測試器檢查網域 app.mydomain.de 本身時,它只會顯示一個 SSL 憑證。
這是 certbot 憑證的輸出:
Found the following certs:
Certificate Name: app.mydomain.de
Domains: app.mydomain.de
Expiry Date: 2020-04-11 12:15:31+00:00 (VALID: 77 days)
Certificate Path: /etc/letsencrypt/live/app.mydomain.de/fullchain.pem
Private Key Path: /etc/letsencrypt/live/app.mydomain.de/privkey.pem
Certificate Name: backend.mydomain.de
Domains: backend.mydomain.de
Expiry Date: 2020-04-23 13:22:39+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/backend.mydomain.de/fullchain.pem
Private Key Path: /etc/letsencrypt/live/backend.mydomain.de/privkey.pem
Certificate Name: med.mydomain.de
Domains: med.mydomain.de
Expiry Date: 2020-04-11 10:45:46+00:00 (VALID: 77 days)
Certificate Path: /etc/letsencrypt/live/med.mydomain.de/fullchain.pem
Private Key Path: /etc/letsencrypt/live/med.mydomain.de/privkey.pem
Certificate Name: rest.mydomain.de
Domains: rest.mydomain.de
Expiry Date: 2020-04-11 12:15:51+00:00 (VALID: 77 days)
Certificate Path: /etc/letsencrypt/live/rest.mydomain.de/fullchain.pem
Private Key Path: /etc/letsencrypt/live/rest.mydomain.de/privkey.pem
Certificate Name: webhook.mydomain.de
Domains: webhook.mydomain.de
Expiry Date: 2020-04-11 12:15:59+00:00 (VALID: 77 days)
Certificate Path: /etc/letsencrypt/live/webhook.mydomain.de/fullchain.pem
Private Key Path: /etc/letsencrypt/live/webhook.mydomain.de/privkey.pem
這是全域 nginx.conf:
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
events {
worker_connections 768;
# multi_accept on;
}
http {
##
# Basic Settings
##
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
server_tokens off;
# server_names_hash_bucket_size 64;
# server_name_in_redirect off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
##
# SSL Settings
##
ssl_protocols TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
ssl_ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA512:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:ECDH+AESGCM:ECDH+AES256:DH+AESGCM:DH+AES256:RSA+AESGCM:!aNULL:!eNULL:!LOW:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS;
ssl_prefer_server_ciphers on;
##
# Logging Settings
##
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
##
# Gzip Settings
##
gzip on;
# gzip_vary on;
# gzip_proxied any;
# gzip_comp_level 6;
# gzip_buffers 16 8k;
# gzip_http_version 1.1;
# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
##
# Virtual Host Configs
##
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
add_header X-Frame-Options "sameorigin";
}
這是相關伺服器的 nginx 設定:
server {
root /usr/share/nginx/sites/w_backend/public;
index index.php index.html;
server_name med.mydomain.de backend.mydomain.de;
location / {
try_files $uri $uri.html $uri/ @extensionless-php;
}
location ~ \.php$ {
try_files $uri =404;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/var/run/php/php7.3-fpm-w_backend.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param FULL_DIRECTORY /usr/share/nginx/sites/;
fastcgi_param GLOBAL_CONF_PATH /srv/conf/;
include fastcgi_params;
}
location @extensionless-php {
rewrite ^(.*)$ $1.php last;
}
listen 443 ssl;
listen [::]:443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/med.mydomain.de/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/med.mydomain.de/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = backend.mydomain.de) {
return 301 https://med.mydomain.de$request_uri;
} # managed by Certbot
if ($host = med.mydomain.de) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
listen [::]:80;
server_name med.mydomain.de backend.mydomain.de;
return 404; # managed by Certbot
}
誰能給我一個提示,告訴我可以去其他地方尋找嗎?我可以檢查任何 certbot 選項嗎?
答案1
是否可能是 Qualys 正在使用不支援 SNI 的舊版瀏覽器進行測試,在這種情況下,瀏覽器不知道哪個憑證是正確的,並會顯示第二個不受信任的憑證?這也可以解釋為什麼當您在自己的瀏覽器中檢查它時,您只會看到正確的證書,因為您的瀏覽器確實支援 SNI。