我正在将配置从单个主机切换到 nginx 服务器上的多个虚拟主机。在我进行更改之前,ssl 工作正常,但是在添加了几个虚拟主机之后,每个虚拟主机都有唯一的域名和 - 因此 - 不同的证书,ssl 不想工作。
我原来的配置是:
# fragment of nginx.conf file
http {
# ...
ssl_certificate_key /path/to/privkey.pem;
ssl_certificate /path/to/fullchain.pem;
ssl_dhparam /path/to/dhparam;
# ...
}
因此,这是 nginx 服务器的单个证书。
添加多个虚拟主机后,我希望他们为其域提供自己的正确证书。所以我从主nginx.conf
文件中删除了所有与 ssl 相关的参数,并将它们添加到虚拟主机文件中,如下所示:
# fragment of sites-enabled/my.server.com file
server {
listen 443 ssl;
root "/var/www/my.server.com/";
server_name my.server.com www.my.server.com;
location / {
try_files $uri $uri/ /index.html;
}
ssl_certificate_key /path/to/my/server/com/privkey.pem;
ssl_certificate /path/to/my/server/com/fullchain.pem;
ssl_dhparam /path/to/my/server/com/dhparam;
}
重新加载 nginx 后,我无法连接到这些虚拟主机:
# curl https://my.server.com
curl: (35) gnutls_handshake() failed: The TLS connection was non-properly terminated.
# openssl s_client -connect my.server.com:443
CONNECTED(00000003) 140524682454680:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:
--- no peer certificate available
--- No client certificate CA names sent
--- SSL handshake has read 0 bytes and written 305 bytes
--- New, (NONE), Cipher is (NONE) Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE No ALPN negotiated SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1488541876
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
对我来说,看起来 nginx 确实无法找到/读取证书文件,但事实并非如此,因为路径与没有虚拟主机的配置完全相同。
看了之后/var/logs/nginx/error.log
我也发现了这一行:
*39 no "ssl_certificate" is defined in server listening on SSL port while SSL handshaking
我确信这是我所缺少的非常小的和愚蠢的东西。谁能看到我做错了什么?
事实证明,至少有一个启用的虚拟主机绑定到 443 端口并且没有正确配置 ssl(
ssl_certificate_key
缺少ssl_certificate
参数)。我不知道为什么,但是 nginx 并没有抱怨这个,而是 - 其他虚拟主机被破坏了。