如何解决为什么Nginx可能会通过不正确的ssl证书?
我在单个nginx服务器上托管了两个域,例如。 a.com和b.com。 Nginx用作反向代理,必须将https请求作为http传递给后端。您可以在下面找到a.com的配置(b.com具有相同的结构,但链接到另一个ssl文件):
upstream webservers {
....
}
server {
listen 443 ssl;
server_name a.com;
ssl_certificate /etc/nginx/ssl/a.crt;
ssl_certificate_key /etc/nginx/ssl/a.key;
ssl_dhparam /etc/nginx/ssl/default.dh;
location / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_pass http://webservers;
}
}
不幸的是,当我测试curl https://b.com时,失败并显示curl: (60) SSL: no alternative certificate subject name matches target host name b.com。当我尝试从浏览器打开它时,它失败并显示NET::ERR_CERT_COMMON_NAME_INVALID,并且表明它使用a.com证书。
我的错误在哪里?
Upd#1
我必须允许HTTP临时解决问题。
openssl s_client -connect b.com:443 -prexit
140648924489024:error:2008F002:BIO routines:BIO_lookup_ex:system lib:../crypto/bio/b_addr.c:726:Name or service not known
connect:errno=22
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
Verification: OK
---
New,(NONE),Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
配置:
# configuration file /etc/nginx/sites-enabled/a.com:
upstream a-webservers {
server 192.168.0.252 max_fails=3 fail_timeout=30s;
server 192.168.0.252 max_fails=3 fail_timeout=30s;
}
server {
listen 443 ssl;
server_name a.com;
error_log /var/log/nginx/a.com-error.log;
access_log off;
ssl_certificate /etc/nginx/ssl/a.crt;
ssl_certificate_key /etc/nginx/ssl/a.key;
ssl_dhparam /etc/nginx/ssl/default.dh;
location / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_pass http://a-webservers;
}
}
# configuration file /etc/nginx/sites-enabled/b.com:
upstream b-webservers {
server 192.168.0.252 max_fails=3 fail_timeout=30s;
server 192.168.0.252 max_fails=3 fail_timeout=30s;
}
server {
listen 80;
listen 443 ssl;
server_name b.com;
error_log /var/log/nginx/b.com-error.log;
access_log off;
ssl_certificate /etc/nginx/ssl/b.crt;
ssl_certificate_key /etc/nginx/ssl/b.key;
ssl_dhparam /etc/nginx/ssl/default.dh;
location / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_pass http://b-webservers;
}
}
版权声明:本文内容由互联网用户自发贡献,该文观点与技术仅代表作者本人。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌侵权/违法违规的内容, 请发送邮件至 dio@foxmail.com 举报,一经查实,本站将立刻删除。