I believe the two problems I'm running into are related, but I don't know where to start. The first is that when a request resolves to one particular domain on my server, its conf file in sites-enabled is ignored, as is 000-default.conf; instead the alphabetically first conf is used and that site is displayed, while the browser bar shows the domain I requested.
This only happens with this one domain, and it leads to the second problem. I have a multi-domain certificate (from a CA), and every domain on it displays as expected. I installed a certbot certificate for this other domain. When I use openssl with this other domain's name, it shows the contents of the multi-domain certificate. When I use an SSL checker I get the same result, and it notes that the domain name I entered is not included in the certificate.
I noticed that when I run apachectl -S, before it lists the *:443 and *:80 entries it lists a virtual host with the server's IP address as the name, and the first file it lists is not 000-default (which is the first file for *:80 and *:443) but the next file alphabetically.
The domain in question is halgrossman.com.
halgrossman.com.conf
<VirtualHost *:80>
    ServerName halgrossman.com
    ServerAlias www.halgrossman.com
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html/drupal/halgrossman/web
    <Directory /var/www/html/drupal/halgrossman/web>
        # Indexes enables directory listings for paths that have no index file
        Options Indexes FollowSymLinks MultiViews
        AllowOverride All
        # Apache 2.2-style access control; on 2.4 (this server runs 2.4.52 per
        # the SSL checker output) it works only via mod_access_compat, and the
        # native equivalent is "Require all granted"
        Order allow,deny
        allow from all
    </Directory>
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
halgrossman.com-le-ssl.conf
# Wildcard address: this vhost is only considered for connections that do not
# match a more specific IP:443 vhost elsewhere in sites-enabled
<VirtualHost *:443>
    ServerName halgrossman.com
    ServerAlias www.halgrossman.com
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html/drupal/halgrossman/web
    <Directory /var/www/html/drupal/halgrossman/web>
        # Indexes enables directory listings for paths that have no index file
        Options Indexes FollowSymLinks MultiViews
        AllowOverride All
        # Apache 2.2-style access control; on 2.4 the native equivalent is
        # "Require all granted"
        Order allow,deny
        allow from all
    </Directory>
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    # certbot's shared TLS settings (protocols, ciphers, SSLEngine on)
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/halgrossman.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/halgrossman.com/privkey.pem
</VirtualHost>
Output of openssl
openssl s_client -connect halgrossman.com:443 -servername halgrossman.com
CONNECTED(00000003)
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
verify return:1
depth=0 CN = theaccidentalcoder.com
verify return:1
---
Certificate chain
0 s:CN = theaccidentalcoder.com
i:C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: Sep 2 00:00:00 2024 GMT; NotAfter: Dec 21 23:59:59 2024 GMT
1 s:C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
i:C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA384
v:NotBefore: Nov 2 00:00:00 2018 GMT; NotAfter: Dec 31 23:59:59 2030 GMT
2 s:C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
i:C = GB, ST = Greater Manchester, L = Salford, O = Comodo CA Limited, CN = AAA Certificate Services
a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA384
v:NotBefore: Mar 12 00:00:00 2019 GMT; NotAfter: Dec 31 23:59:59 2028 GMT
3 s:C = GB, ST = Greater Manchester, L = Salford, O = Comodo CA Limited, CN = AAA Certificate Services
i:C = GB, ST = Greater Manchester, L = Salford, O = Comodo CA Limited, CN = AAA Certificate Services
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA1
v:NotBefore: Jan 1 00:00:00 2004 GMT; NotAfter: Dec 31 23:59:59 2028 GMT
theaccidentalcoder.com is the primary domain on the multi-domain CA certificate; halgrossman.com is not on it.
Output of the SSL checker
halgrossman.com resolves to 45.56.118.187
Server Type: Apache/2.4.52 (Ubuntu)
The certificate should be trusted by all major web browsers (all the correct intermediate certificates are installed).
The certificate was issued by Sectigo.
The certificate will expire in 84 days.
None of the common names in the certificate match the name that was entered (halgrossman.com). You may receive an error when accessing this site in a web browser. Learn more about name mismatch errors.
Common name: theaccidentalcoder.com
SANs: theaccidentalcoder.com, ascaatl.org, guildbuildersinc.com, musictohealby.com, souknook.com, thetouristlife.com
Valid from September 1, 2024 to December 21, 2024
Output of apache2ctl -S
45.56.118.187:443 is a NameVirtualHost
default server guildbuildersinc.com (/etc/apache2/sites-enabled/guildbuildersinc.com.conf:37)
port 443 namevhost guildbuildersinc.com (/etc/apache2/sites-enabled/guildbuildersinc.com.conf:37)
port 443 namevhost musictohealby.com (/etc/apache2/sites-enabled/musictohealby.com.conf:37)
port 443 namevhost theaccidentalcoder.com (/etc/apache2/sites-enabled/theaccidentalcoder.com.conf:23)
port 443 namevhost thetouristlife.com (/etc/apache2/sites-enabled/thetouristlife.com.conf:21)
*:443 halgrossman.com (/etc/apache2/sites-enabled/halgrossman.com-le-ssl.conf:2)
*:80 is a NameVirtualHost
default server halgrossman.com (/etc/apache2/sites-enabled/00-default.conf:1)
port 80 namevhost halgrossman.com (/etc/apache2/sites-enabled/00-default.conf:1)
alias www.halgrossman.com
port 80 namevhost default (/etc/apache2/sites-enabled/000-default.conf:1)
port 80 namevhost guildbuildersinc.com (/etc/apache2/sites-enabled/guildbuildersinc.com.conf:1)
alias www.guildbuildersinc.com
port 80 namevhost halgrossman.com (/etc/apache2/sites-enabled/halgrossman.com.conf:1)
alias www.halgrossman.com
port 80 namevhost musictohealby.com (/etc/apache2/sites-enabled/musictohealby.com.conf:1)
alias www.musictohealby.com
port 80 namevhost theaccidentalcoder.com (/etc/apache2/sites-enabled/theaccidentalcoder.com.conf:1)
alias www.theaccidentalcoder.com
port 80 namevhost thetouristlife.com (/etc/apache2/sites-enabled/thetouristlife.com.conf:1)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Note that the list of domains that appears first is listed against the IP and does not include 000-default. The first domain it lists, guildbuildersinc.com, is the first domain alphabetically after 000-default, and it is the site that appears when requesting https://halgrossman.com.
In this case, it turned out that the conf files for the domains on the multi-domain certificate had a 443 entry of:
instead of
so Apache stops at the first file coded that way. When I fixed the first file alphabetically, it stopped at the next file and returned that site, and so on. Changing all the .conf files so they contain the correct line fixed the problem.
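The post leaves out the two VirtualHost lines it compares, but the apache2ctl -S output above shows what they must have been: the other sites' 443 vhosts are bound to the server IP (listed as "45.56.118.187:443 is a NameVirtualHost"), while halgrossman.com-le-ssl.conf uses <VirtualHost *:443>. Apache first selects the most specific address:port set that matches the connection (a literal IP beats a wildcard) and only then compares the SNI/Host name against ServerName and ServerAlias within that set; a wildcard vhost is never consulted when an IP-specific set matched. A request for halgrossman.com therefore landed in the IP set, matched no name there, and fell through to that set's first vhost, guildbuildersinc.com, which answered with the multi-domain certificate and its content. Using the same address form (all *:443 or all 45.56.118.187:443) in every file is the fix. The script below is an added example, not code from the post: mixed_ports reads apache2ctl -S output and flags ports that mix IP-specific and wildcard vhosts, run here against a constructed sample modelled on the output above; served_names (an assumed helper name) is an optional network check of which certificate Apache actually returns for a given SNI name.

```shell
#!/bin/sh
# Added example (not from the post): detect ports on which apache2ctl -S reports
# both an IP-specific address set and a wildcard (*:port or _default_:port) set.
# Requests arriving on that IP never reach the wildcard vhost, whatever its
# ServerName says, so its certificate and DocumentRoot are silently unused.

# Constructed sample modelled on the apache2ctl -S output in the post.
SAMPLE='45.56.118.187:443 is a NameVirtualHost
         default server guildbuildersinc.com (/etc/apache2/sites-enabled/guildbuildersinc.com.conf:37)
         port 443 namevhost guildbuildersinc.com (/etc/apache2/sites-enabled/guildbuildersinc.com.conf:37)
         port 443 namevhost theaccidentalcoder.com (/etc/apache2/sites-enabled/theaccidentalcoder.com.conf:23)
*:443                  halgrossman.com (/etc/apache2/sites-enabled/halgrossman.com-le-ssl.conf:2)
*:80                   is a NameVirtualHost
         default server halgrossman.com (/etc/apache2/sites-enabled/00-default.conf:1)
         port 80 namevhost halgrossman.com (/etc/apache2/sites-enabled/00-default.conf:1)
                 alias www.halgrossman.com
         port 80 namevhost guildbuildersinc.com (/etc/apache2/sites-enabled/guildbuildersinc.com.conf:1)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"'

# mixed_ports: read apache2ctl -S output on stdin and print one line per port
# that has both IP-specific and wildcard vhosts, e.g. "443: 45.56.118.187 vs *".
# Prints nothing when the layout is consistent.
mixed_ports() {
  awk '
    # Only address:port tokens in column 1 matter; "port 443 namevhost ..." and
    # "ServerRoot:" lines do not match this pattern.
    $1 ~ /^[^ ]+:[0-9]+$/ {
      n = split($1, a, ":"); port = a[n]
      addr = substr($1, 1, length($1) - length(port) - 1)   # keeps [::1] intact
      if (addr == "*" || addr == "_default_") {
        wild[port] = 1
      } else if (!(port in spec)) {
        spec[port] = addr
      } else if (index("," spec[port] ",", "," addr ",") == 0) {
        spec[port] = spec[port] "," addr
      }
    }
    END { for (p in spec) if (p in wild) print p ": " spec[p] " vs *" }
  ' | sort -n
}

# served_names (assumed helper name): print the subject and SANs of the
# certificate Apache actually returns for a given SNI name. Needs network
# access, so it only runs when a hostname is passed on the command line.
served_names() {
  openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -subject -ext subjectAltName
}

if [ $# -gt 0 ]; then
  served_names "$1"
else
  printf '%s\n' "$SAMPLE" | mixed_ports
fi
```

On the sample this prints "443: 45.56.118.187 vs *", which is exactly the situation in the post; on a live host, paste the function and pipe apache2ctl -S 2>&1 into it after every change to sites-enabled. Once the address forms are consistent, served_names halgrossman.com should report the Let's Encrypt certificate instead of the theaccidentalcoder.com one shown in the openssl output above. Keep in mind that whichever 443 vhost loads first in the matching set is the default: any SNI name Apache cannot match, including a request for the bare IP, is answered by that vhost with its certificate and its content, so choose that file deliberately rather than leaving it to alphabetical order.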