主页 / server / 问题 / 836096
Accepted
Álvaro González
Asked: 2017-03-04 05:17:19 +0800 CST

使用虚拟主机证书

  • 772

我正在尝试在基于名称的虚拟主机中启用 SSL。从文档中我了解到 SNI 不需要显式启用,如果服务器和客户端都符合最低要求,它会自动发生,我认为他们这样做:

  • Apache/2.4.25 (Win32)
  • OpenSSL/1.0.2k
  • 火狐/51.0.1 (x64)

我已将配置剥离到最低限度:

Listen 80

LoadModule ssl_module modules/mod_ssl.so


<VirtualHost *:80>
    ServerName localhost
    DocumentRoot "D:/Servidores/Apache/htdocs"
</VirtualHost>


Listen 443
SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4
SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4
SSLHonorCipherOrder on
SSLProtocol all -SSLv3
SSLProxyProtocol all -SSLv3
SSLPassPhraseDialog builtin
SSLSessionCacheTimeout 300

<VirtualHost _default_:443>
    ServerName localhost
    DocumentRoot "D:/Servidores/Apache/htdocs"
    SSLEngine on
    SSLCertificateFile "D:/DOS/Apache24/conf/server.crt"
    SSLCertificateKeyFile "D:/DOS/Apache24/conf/server.key"
</VirtualHost>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin


<VirtualHost *:80>
    ServerName tmp
    DocumentRoot "D:/tmp"
</VirtualHost>
<VirtualHost *:443>
    ServerName tmp
    DocumentRoot "D:/tmp"
    SSLCertificateFile "D:/Servidores/Apache/certificados/tmp.crt"
    SSLCertificateKeyFile "D:/Servidores/Apache/certificados/tmp.key"
</VirtualHost>

C:\>httpd -f conf/prueba-test.conf

然而,当我尝试加载时,https://tmp/我总是从<VirtualHost _default_:443>(对于 host localhost)而不是从(对于ServerName tmphost )获取证书tmp

这是记录的内容:

[Fri Mar 03 14:11:57.360237 2017] [ssl:warn] [pid 11684:tid 668] AH01906: tmp:80:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Fri Mar 03 14:11:57.361240 2017] [ssl:warn] [pid 11684:tid 668] AH01906: localhost:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Fri Mar 03 14:11:57.433220 2017] [ssl:warn] [pid 11684:tid 668] AH01873: Init: Session Cache is not configured [hint: SSLSessionCache]
[Fri Mar 03 14:11:57.433220 2017] [ssl:warn] [pid 11684:tid 668] AH01906: tmp:80:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Fri Mar 03 14:11:57.434223 2017] [ssl:warn] [pid 11684:tid 668] AH01906: localhost:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Fri Mar 03 14:11:57.436228 2017] [mpm_winnt:notice] [pid 11684:tid 668] AH00455: Apache/2.4.25 (Win32) OpenSSL/1.0.2k configured -- resuming normal operations
[Fri Mar 03 14:11:57.436228 2017] [mpm_winnt:notice] [pid 11684:tid 668] AH00456: Apache Lounge VC14 Server built: Dec 17 2016 10:42:52
[Fri Mar 03 14:11:57.436228 2017] [core:notice] [pid 11684:tid 668] AH00094: Command line: 'httpd -d D:/DOS/Apache24 -f conf/prueba-ssl.conf'
[Fri Mar 03 14:11:57.444250 2017] [mpm_winnt:notice] [pid 11684:tid 668] AH00418: Parent: Created child process 15380
[Fri Mar 03 14:11:57.910024 2017] [ssl:warn] [pid 15380:tid 648] AH01906: localhost:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Fri Mar 03 14:11:57.988164 2017] [ssl:warn] [pid 15380:tid 648] AH01873: Init: Session Cache is not configured [hint: SSLSessionCache]
[Fri Mar 03 14:11:57.988164 2017] [ssl:warn] [pid 15380:tid 648] AH01906: localhost:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Fri Mar 03 14:11:57.988164 2017] [mpm_winnt:notice] [pid 15380:tid 648] AH00354: Child: Starting 64 worker threads.

问题可能是什么?

ssl ssl-certificate apache-2.4 windows-10 sni

2 个回答

  1. 这可能与它们的配置顺序有关。尝试将<VirtualHost _default_:443>配置移动到文件底部并重新加载/重新启动 apache。

    • 0
  2. Best Answer

    最后,这不过是一个愚蠢的错误。我在辅助虚拟主机中错过了这个:

    SSLEngine on

    由于这是启用 SSL 的指令,因此我在此类主机中根本没有 SSL(既不是 SNI,也不是常规的)。

    (该指令多年来一直存在于我所有基于 IP 的虚拟主机中,但当我开始使用 SNI 时,有人设法在我正在测试的主机中将其删除。)

    • 0

相关问题