Multiple SSL certificates on Apache2
secure.dynaccount.com (Thawte certificate)
api.dynaccount.com (self-signed)
httpd.conf
# Thawte certified
ServerName secure.dynaccount.com
DocumentRoot /var/www/dynaccount.com
SSLEngine on
SSLCertificateKeyFile /var/ini/ssl/secure.dynaccount.com/private.key
SSLCertificateFile /var/ini/ssl/secure.dynaccount.com/public.crt
SSLCertificateChainFile /var/ini/ssl/secure.dynaccount.com/intermediate.crt
SSLVerifyDepth 1
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
# self-signed
ServerName api.dynaccount.com
DocumentRoot /var/www/dynaccount.com
SSLEngine on
SSLCertificateKeyFile /var/ini/ssl/api.dynaccount.com/private.key
SSLCertificateFile /var/ini/ssl/api.dynaccount.com/public.crt
SSLVerifyDepth 0
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
Your problem is that you have the ServerName twice.
In the second VHost, you should have ServerName api.dynaccount.com
and no ServerAlias.
I'm not sure that's the problem, but give it a try :)
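Edit:
For the error about the server being unable to reliably determine the server name, you have to define a ServerName in httpd.conf (not in a VirtualHost; this will be the default server name).
Did you read the Apache HTTP documentation?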
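Name-based virtual hosting cannot be used with SSL secure servers
because of the nature of the SSL protocol.
You can have one SSL host per IP.
The reason:
SSL connection parameters are set per vhost, but they must be negotiated before httpd reads the Host HTTP header.
It makes sense, doesn't it?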
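Update:
Change SSLCertificateFile to SSLCertificateChainFile and provide the file in the correct format, or disable client certificate verification.

Those two notices? I have them too, don't worry about it. I think it's because you use an asterisk to define the VirtualHost (as I do), and Apache doesn't like that very much. So far it still understands it, so I keep using it & it works.

@haltanbush > Apache won't even start.. so I can't ignore it
[Wed Mar 28 11:00:35 2012] [notice] Graceful restart requested, doing restart
apache2: Could not reliably determine the server's fully qualified domain name, using DynaAccount.com for ServerName

Not a programming question -> voting to move to ServerFault.

You didn't mention that you use SNI. Is your Apache running with SNI support?

I'm not sure.. I have updated my question with the openssl info.. I don't know how to check whether TLS extensions are enabled, or the other two prerequisites..

Based on the documentation, OpenSSL must be compiled with the enable-tlsext option. From your OpenSSL version I can't see it, so probably not.

OK, I now have an extra IP available.. but when I restart the server I get an error.. If api.dynaccount.com is commented out, there is no error

Check my updated answer regarding SSLCertificateChainFile and SSLVerifyDepth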
# Thawte certified
<VirtualHost 88.198.55.138:443>
ServerName secure.dynaccount.com
DocumentRoot /var/www/dynaccount.com
SSLEngine on
SSLCertificateKeyFile /var/ini/ssl/secure.dynaccount.com/private.key
SSLCertificateFile /var/ini/ssl/secure.dynaccount.com/public.crt
SSLCertificateChainFile /var/ini/ssl/secure.dynaccount.com/intermediate.crt
SSLVerifyDepth 1
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
</VirtualHost>
# self-signed
<VirtualHost 88.198.55.154:443>
ServerName api.dynaccount.com
DocumentRoot /var/www/dynaccount.com
SSLEngine on
SSLCertificateKeyFile /var/ini/ssl/api.dynaccount.com/private.key
SSLCertificateFile /var/ini/ssl/api.dynaccount.com/public.crt
SSLVerifyDepth 0
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
</VirtualHost>
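
Added example (not part of the original question or answers): a small Python check for the "one SSL host per IP" point made in the answers above. It reports every address:port that carries several SSL vhosts with different certificates, which is the layout that only works when both Apache and the client support SNI. The function names and the SHARED variant are constructed for illustration; PER_IP is a trimmed copy of the config above.

```python
import re
from collections import defaultdict

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)

def ssl_vhosts(conf):
    """Return [(address, ServerName, certificate path)] for vhosts with SSLEngine on."""
    found = []
    for addrs, body in VHOST_RE.findall(conf):
        # Drop comment lines so a commented-out directive is not counted.
        body = "\n".join(l for l in body.splitlines() if not l.lstrip().startswith("#"))
        if not re.search(r"^\s*SSLEngine\s+on\b", body, re.M | re.I):
            continue
        name = re.search(r"^\s*ServerName\s+(\S+)", body, re.M | re.I)
        cert = re.search(r"^\s*SSLCertificateFile\s+(\S+)", body, re.M | re.I)
        for addr in addrs.split():
            found.append((addr, name.group(1) if name else None,
                          cert.group(1) if cert else None))
    return found

def needs_sni(conf):
    """Map address:port -> ServerNames where SSL vhosts share it with different certs."""
    by_addr = defaultdict(list)
    for addr, name, cert in ssl_vhosts(conf):
        by_addr[addr].append((name, cert))
    # Addresses are compared as literal strings; "*" overlapping an IP is not modelled.
    return {addr: [n for n, _ in hosts] for addr, hosts in by_addr.items()
            if len({c for _, c in hosts}) > 1}

# Trimmed copy of the two vhosts shown above (one IP each).
PER_IP = """
<VirtualHost 88.198.55.138:443>
ServerName secure.dynaccount.com
SSLEngine on
SSLCertificateFile /var/ini/ssl/secure.dynaccount.com/public.crt
</VirtualHost>
<VirtualHost 88.198.55.154:443>
ServerName api.dynaccount.com
SSLEngine on
SSLCertificateFile /var/ini/ssl/api.dynaccount.com/public.crt
</VirtualHost>
"""
# Constructed variant: both vhosts moved onto the same wildcard address.
SHARED = re.sub(r"88\.198\.55\.\d+:443", "*:443", PER_IP)

if __name__ == "__main__":
    for label, conf in (("per-IP", PER_IP), ("shared", SHARED)):
        print(label, needs_sni(conf) or "one certificate per address")
```

An empty result means each address serves a single certificate, so the handshake does not depend on the Host header or on SNI.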