2017-02-16 41 views
2

I have set up an Amazon Linux EC2 instance to host my domain. I am using a certificate signed by letsencrypt.org. SSL setup on Amazon Linux: SSL error, multiple certificates are being served

I generated my certificate:

wget https://dl.eff.org/certbot-auto 
chmod a+x certbot-auto 
sudo ./certbot-auto --debug -v --server https://acme-v01.api.letsencrypt.org/directory certonly -d <mywebsite.com> 

Enabled SSL in Apache:

sudo yum install mod24_ssl 

and made the following changes to my Apache configuration:

SSLCertificateFile  /etc/letsencrypt/live/<mydomain.com>/cert.pem 
SSLCertificateKeyFile /etc/letsencrypt/live/<mydomain.com>/privkey.pem 
SSLCertificateChainFile /etc/letsencrypt/live/<mydomain.com>/chain.pem 

When visiting mydomain.com I get the following message:

NET::ERR_CERT_AUTHORITY_INVALID 
Subject: ip-172-31-37-151 
Issuer: avast! Web/Mail Shield Self-signed Root 
Expires on: Feb 16, 2018 
Current date: Feb 16, 2017 
PEM encoded chain: 
-----BEGIN CERTIFICATE----- 
MIIEYDCCA0igAwIBAgIQQxnowUTk2EGGE/O409WnvzANBgkqhkiG9w0BAQsFADCB 
mDFDMEEGA1UECww6Z2VuZXJhdGVkIGJ5IGF2YXN0ISBhbnRpdmlydXMgZm9yIHNl 
bGYtc2lnbmVkIGNlcnRpZmljYXRlczEfMB0GA1UECgwWYXZhc3QhIFdlYi9NYWls 
IFNoaWVsZDEwMC4GA1UEAwwnYXZhc3QhIFdlYi9NYWlsIFNoaWVsZCBTZWxmLXNp 
Z25lZCBSb290MB4XDTE3MDIxNjE3NTgwN1oXDTE4MDIxNjE3NTgwN1owgbExCzAJ 
BgNVBAYTAi0tMRIwEAYDVQQIDAlTb21lU3RhdGUxETAPBgNVBAcMCFNvbWVDaXR5 
MRkwFwYDVQQKDBBTb21lT3JnYW5pemF0aW9uMR8wHQYDVQQLDBZTb21lT3JnYW5p 
emF0aW9uYWxVbml0MRkwFwYDVQQDDBBpcC0xNzItMzEtMzctMTUxMSQwIgYJKoZI 
hvcNAQkBFhVyb290QGlwLTE3Mi0zMS0zNy0xNTEwggEiMA0GCSqGSIb3DQEBAQUA 
A4IBDwAwggEKAoIBAQCVUjj4IziKclAqMWktKeq+lWPP0Jfo09a35xhQ08+A/n8k 
ToB8oZosYwDLuQDV3kNYCJ03eq2EK3/JwU59uBGU217l4YrG4p93RnRRtV1vp+Au 
+kxUlkuMx2yvz2M49ZHd44D7LOOB/V0wsnHQBHRS7iECfz4M+J6QWef4oMwP9mue 
T8xJUst0N7mfekBBIAZOIpYjbcm4Nbq3Ol3S5AHd3VP3AbQr0MqHjciXx9Hf1ejt 
1o0b96w0feEIZOcESYlwHK5Nl0hvS3WHZww4haAKPQVJxaH6XuMN54rB2Gt/oxhK 
iHbBfjdgAanjvK8vab41n2krnaWU8gKIKp0JGjwbAgMBAAGjgYowgYcwDAYDVR0T 
BAUwAwEB/zBqBgNVHREEYzBhgglsb2NhbGhvc3SCFWxvY2FsaG9zdC5sb2NhbGRv 
bWFpboIQaXAtMTcyLTMxLTM3LTE1MYIraXAtMTcyLTMxLTM3LTE1MS51cy13ZXN0 
LTIuY29tcHV0ZS5pbnRlcm5hbDALBgNVHQ8EBAMCAuQwDQYJKoZIhvcNAQELBQAD 
ggEBABgX4vyY9XT7tGKv7HKRlTAZQ218e1fPIx9Y2+TeeJFoujE0QhDysVOB2tww 
tqeuaXBnSoUini5pgWQZG8xUBiAu1ZHpFn7X3CSzU6WP9OlseGZolXcXEt7KopHv 
Mk8RhHSIOyF3Z6CQvAjUbp4hvqNU4oXbcE9vBjWa8VhiFWJMH3GI645Zc3oICvKs 
XziFc09haDk9yV/4dqec34xJLSUX4rWxmZX92l3pEjZwR7bXZRqWnt5IwDbxaswj 
QwsEWJigOs2ZbHw2g8mESqbNpnbgxKOuMWxe1WxjBUYbGHfHQROb1COaDIANgqDW 
PFjpaWnE/WwSOwvxRhxe0ETCY9Q= 
-----END CERTIFICATE----- 

It looks like my domain is serving a self-signed certificate instead of the one from letsencrypt.org. An analysis on ssllabs.com shows that two certificates are being provided by my domain: a self-signed certificate that I did not create, as well as the one from letsencrypt.org.

How do I get rid of this self-signed certificate, and where does it come from?

Answers

0

Running grep -rnw '/etc/httpd/.' -e "SSLCertificateFile" showed that a certificate is also set in the file /var/httpd/conf.d/ssl.conf. I commented out the line in that file and everything works as expected.

./conf/httpd.conf:357:  SSLCertificateFile  /etc/letsencrypt/live/codewise.tech/cert.pem 
./conf/httpd.conf:376: SSLCertificateFile  /etc/letsencrypt/live/codewise.tech/cert.pem 
./conf.d/ssl.conf:94:# Point SSLCertificateFile at a PEM encoded certificate. If 
./conf.d/ssl.conf:98:#SSLCertificateFile /etc/pki/tls/certs/localhost.crt 
./conf.d/ssl.conf:111:# the referenced file can be the same as SSLCertificateFile 
+0

There is a better answer for you. –

0

A few things to consider:

1) Make sure you restart Apache after making your changes.

2) Use openssl or another tool to check the certificate.pem and chain.pem files - do they contain more than one certificate?

openssl x509 -in certificate.pem -text 

3) Maybe you have more than one virtual server configured in Apache, and your call from the browser is being routed to the wrong one.

4) Do the Apache log files give you any further clues?

I had a problem like this before with multiple name-based virtual servers routing incorrectly. I ended up using port-based routing to solve that particular problem.

+0

It turns out that the default self-signed certificate was created and set in 'ssl.conf' when I installed mod24_ssl. I have posted an answer. – Codewise

0

I hate editing the original conf files, so I just spent a few hours figuring out the right way to do this. According to the apache documentation:

The best-match set of name-based <VirtualHost>s is processed in the order they appear in the configuration. The first matching ServerName or ServerAlias is used, with no different precedence for wildcards (nor for ServerName vs. ServerAlias).

If you look inside ssl.conf you will see that it defines a <VirtualHost> section with no ServerName (pasted below). From what I observed, at the time ssl.conf is read, this section matches every :443 request that does not match a ServerName or ServerAlias, but the fact that this section matches does not prevent other sections from matching (because this section has no ServerName). So if we define our <VirtualHost>s in a file that is read after ssl.conf, we end up including both certificates. The way to fix this is to make sure that all <VirtualHost>s with a ServerName are defined in a file that sorts alphabetically before ssl.conf, such as /etc/httpd/conf.d/aa_example.conf. If a <VirtualHost> with a ServerName has already matched by the time Apache parses ssl.conf, its default <VirtualHost> will no longer qualify as a match.

## 
## SSL Virtual Host Context 
## 

<VirtualHost _default_:443> 

# General setup for the virtual host, inherited from global configuration 
#DocumentRoot "/var/www/html" 
#ServerName www.example.com:443 

# Use separate log files for the SSL virtual host; note that LogLevel 
# is not inherited from httpd.conf. 
ErrorLog logs/ssl_error_log 
TransferLog logs/ssl_access_log 
LogLevel warn 

# SSL Engine Switch: 
# Enable/Disable SSL for this virtual host. 
SSLEngine on 

# List the protocol versions which clients are allowed to connect with. 
# Disable SSLv3 by default (cf. RFC 7525 3.1.1). TLSv1 (1.0) should be 
# disabled as quickly as practical. By the end of 2016, only the TLSv1.2 
# protocol or later should remain in use. 
SSLProtocol all -SSLv3 
SSLProxyProtocol all -SSLv3 

# User agents such as web browsers are not configured for the user's 
# own preference of either security or performance, therefore this 
# must be the prerogative of the web server administrator who manages 
# cpu load versus confidentiality, so enforce the server's cipher order. 
SSLHonorCipherOrder on 

# SSL Cipher Suite: 
# List the ciphers that the client is permitted to negotiate. 
# See the mod_ssl documentation for a complete list. 
# By leaving this directive commented out, the system-wide OpenSSL 
# default is used. See update-crypto-policies(8) for more details. 
#SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5 
#SSLProxyCipherSuite HIGH:MEDIUM:!aNULL:!MD5 

# Point SSLCertificateFile at a PEM encoded certificate. If 
# the certificate is encrypted, then you will be prompted for a 
# pass phrase. Note that restarting httpd will prompt again. Keep 
# in mind that if you have both an RSA and a DSA certificate you 
# can configure both in parallel (to also allow the use of DSA 
# ciphers, etc.) 
# Some ECC cipher suites (http://www.ietf.org/rfc/rfc4492.txt) 
# require an ECC certificate which can also be configured in 
# parallel. 
SSLCertificateFile /etc/pki/tls/certs/localhost.crt 

# Server Private Key: 
# If the key is not combined with the certificate, use this 
# directive to point at the key file. Keep in mind that if 
# you've both a RSA and a DSA private key you can configure 
# both in parallel (to also allow the use of DSA ciphers, etc.) 
# ECC keys, when in use, can also be configured in parallel 
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key 

# Server Certificate Chain: 
# Point SSLCertificateChainFile at a file containing the 
# concatenation of PEM encoded CA certificates which form the 
# certificate chain for the server certificate. Alternatively 
# the referenced file can be the same as SSLCertificateFile 
# when the CA certificates are directly appended to the server 
# certificate for convenience. 
#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt 
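The three answers above all come down to the same two checks: which files in /etc/httpd set SSLCertificateFile, and which :443 virtual host Apache picks for a given Host header once the files are read in order (httpd.conf first, then conf.d/*.conf sorted by name, which is why an aa_*.conf file wins over ssl.conf). The script below is an added example written for this page, not code from any of the posters or from the Apache project. It builds a constructed config tree in a temp directory that mirrors the layout discussed (ssl.conf with the mod24_ssl _default_:443 host, plus a site file), lists the :443 hosts in load order, resolves a Host name the way httpd does for name-based hosts (first ServerName/ServerAlias match wins; with no match, or no SNI at all, the first host defined for that port is used) and flags the case that caused the question: the first :443 host has no ServerName and serves the localhost.crt certificate. It also counts certificate blocks in a PEM file, which is the check from answer 2. The hostnames, file names and PEM contents are constructed placeholders; the model ignores per-IP hosts, SSLStrictSNIVHostCheck and other refinements of real httpd matching.

```python
"""Audit which certificate each Apache :443 virtual host serves, in load order (added example)."""
import fnmatch
import os
import re
import tempfile

# Constructed sample config tree mirroring the layout on the page (not real files).
SAMPLE_FILES = {
    "conf/httpd.conf": "Listen 80\nIncludeOptional conf.d/*.conf\n",
    "conf.d/ssl.conf": (
        "Listen 443 https\n"
        "<VirtualHost _default_:443>\n"
        "#ServerName www.example.com:443\n"          # commented out, as shipped by mod24_ssl
        "SSLEngine on\n"
        "SSLCertificateFile /etc/pki/tls/certs/localhost.crt\n"
        "SSLCertificateKeyFile /etc/pki/tls/private/localhost.key\n"
        "</VirtualHost>\n"
    ),
    "conf.d/zz_mydomain.conf": (                     # site file sorted AFTER ssl.conf
        "<VirtualHost *:443>\n"
        "ServerName mydomain.com\n"
        "ServerAlias www.mydomain.com\n"
        "SSLEngine on\n"
        "SSLCertificateFile /etc/letsencrypt/live/mydomain.com/cert.pem\n"
        "SSLCertificateKeyFile /etc/letsencrypt/live/mydomain.com/privkey.pem\n"
        "</VirtualHost>\n"
    ),
}

# Constructed PEM text with two placeholder blocks (not real certificates).
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\nBBBB\n-----END CERTIFICATE-----\n"
)

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)


def build_sample_tree(files):
    """Write the constructed files under a fresh temp directory and return its root."""
    root = tempfile.mkdtemp(prefix="httpd-audit-")
    for rel, text in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(text)
    return root


def load_order(conf_root):
    """Files in the order httpd reads them: httpd.conf, then conf.d/*.conf sorted by name."""
    files = [os.path.join(conf_root, "conf", "httpd.conf")]
    confd = os.path.join(conf_root, "conf.d")
    if os.path.isdir(confd):
        files += sorted(os.path.join(confd, n) for n in os.listdir(confd) if n.endswith(".conf"))
    return [f for f in files if os.path.isfile(f)]


def directive(body, name):
    """First non-commented occurrence of a directive inside a VirtualHost body, or None."""
    m = re.search(r"^[ \t]*%s[ \t]+(.+?)[ \t]*$" % name, body, re.M | re.I)
    return m.group(1) if m else None


def parse_vhosts(conf_root, port="443"):
    """Collect every <VirtualHost> on the given port, in load order, with names and cert file."""
    vhosts = []
    for path in load_order(conf_root):
        with open(path) as fh:
            text = fh.read()
        for m in VHOST_RE.finditer(text):
            addr, body = m.group(1).strip(), m.group(2)
            if not addr.endswith(":" + port):
                continue
            names = []
            server_name = directive(body, "ServerName")
            if server_name:
                names.append(server_name.split(":")[0].lower())   # drop an optional :port
            for aliases in re.findall(r"^[ \t]*ServerAlias[ \t]+(.+?)[ \t]*$", body, re.M | re.I):
                names.extend(a.lower() for a in aliases.split())
            vhosts.append({"file": os.path.relpath(path, conf_root), "addr": addr,
                           "names": names, "cert": directive(body, "SSLCertificateFile")})
    return vhosts


def select_vhost(vhosts, host):
    """Name-based selection: first ServerName/ServerAlias match (wildcards allowed) wins;
    no match, or no SNI at all, falls back to the FIRST vhost defined for the port."""
    host = host.lower()
    for v in vhosts:
        if any(fnmatch.fnmatchcase(host, pattern) for pattern in v["names"]):
            return v
    return vhosts[0] if vhosts else None


def count_pem_certs(pem_text):
    """Number of certificate blocks in a PEM file (answer 2's 'more than one certificate?' check)."""
    return pem_text.count("-----BEGIN CERTIFICATE-----")


def audit(conf_root, port="443"):
    """Human-readable findings: a nameless default vhost, and more than one cert on the port."""
    vhosts = parse_vhosts(conf_root, port)
    findings = []
    if not vhosts:
        return findings
    default = vhosts[0]
    if not default["names"]:
        findings.append("default :%s vhost (%s) has no ServerName and serves %s; clients with no "
                        "or unmatched SNI receive that certificate" % (port, default["file"], default["cert"]))
    certs = {v["cert"] for v in vhosts if v["cert"]}
    if len(certs) > 1:
        findings.append("%d different certificates configured on :%s: %s"
                        % (len(certs), port, ", ".join(sorted(certs))))
    return findings


if __name__ == "__main__":
    root = build_sample_tree(SAMPLE_FILES)
    vhosts = parse_vhosts(root)
    for v in vhosts:
        print("%-26s %-14s names=%s cert=%s" % (v["file"], v["addr"], v["names"] or "-", v["cert"]))
    for host in ("mydomain.com", "www.mydomain.com", "other.example"):
        print("Host %-18s -> %s" % (host, select_vhost(vhosts, host)["cert"]))
    for finding in audit(root):
        print("FINDING:", finding)
    print("certificate blocks in sample PEM:", count_pem_certs(SAMPLE_PEM))
```

Run as-is, the script reports that conf.d/ssl.conf is the first :443 host and that other.example (or a client sending no SNI, which is what an SSL Labs scan and some scanners do) gets localhost.crt, while mydomain.com gets the Let's Encrypt certificate. Renaming the site file to conf.d/aa_mydomain.conf makes it the first :443 host, so the fallback becomes the Let's Encrypt certificate, which is the effect answer 3 describes; commenting out SSLCertificateFile in ssl.conf, as in answer 1, removes the second certificate instead. Point parse_vhosts at a real /etc/httpd to audit a live server, and read the file named by each "cert" entry into count_pem_certs to confirm that cert.pem holds a single leaf certificate.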