我们有两个域(gis4business.co.uk和gis4business.com)指向使用apache托管的同一网站。我们正在整个网站上使用SSL,并为* .gis4business.co.uk提供了通配符SSL证书。

默认的apache conf文件(000-default.conf)具有配置为从http重定向到https的单个虚拟主机,如下所示:

<VirtualHost *:80>
   ...
   Redirect permanent "/" "https://www.gis4business.co.uk/"
</VirtualHost>


然后,我们有一个默认的SSL配置文件(default-ssl.conf),该文件具有一个配置如下的虚拟主机:

<VirtualHost _default_:443>
    ServerName gis4business.co.uk
    ServerAlias *.gis4business.co.uk www.gis4business.co.uk *gis4business.com www.gis4business.com gis4business.com
    ...
    SSLEngine on
    SSLCertificateFile      /etc/ssl/certs/certificate.crt
    SSLCertificateKeyFile /etc/ssl/private/privatekey.key
    SSLCertificateChainFile /etc/ssl/certs/ca_certificate.crt
</VirtualHost>


对于以下网址,此配置可以正常工作:


http://www.gis4business.co.uk
http://www.gis4business.com
https://www.gis4business.co.uk


但是,URL https://www.gis4business.com会导致证书警告(firefox中为SSL_ERROR_BAD_CERT_DOMAIN,Chrome中为ERR_CERT_COMMON_NAME_INVALID)。

它显然抱怨SSL证书与域(gis4business.com)不匹配,因此我假设我们需要从gis4business.com到gis4business.co.uk的HTTPS重定向。我们已经尝试了各种配置,但尚未设法使重定向工作。

我们尝试过:

1)将另一个虚拟主机(*:443)添加到000-default.conf文件的顶部,如下所示:

<VirtualHost *:443>
    ServerName gis4business.co.uk
    ServerAlias *.gis4business.co.uk www.gis4business.co.uk *gis4business.com www.gis4business.com gis4business.com
    Redirect permanent "/" "https://www.gis4business.co.uk/"
    ...
    SSLEngine on
    SSLCertificateFile      /etc/ssl/certs/certificate.crt
    SSLCertificateKeyFile /etc/ssl/private/privatekey.key
    SSLCertificateChainFile /etc/ssl/certs/ca_certificate.crt
</VirtualHost>


2)将另一个虚拟主机(默认:443)添加到default-ssl.conf文件的顶部,如下所示:

<VirtualHost _default_:443>
    ServerName gis4business.co.uk
    ServerAlias *.gis4business.co.uk www.gis4business.co.uk *gis4business.com www.gis4business.com gis4business.com
    Redirect permanent "/" "https://www.gis4business.co.uk/"
    ...
    SSLEngine on
    SSLCertificateFile      /etc/ssl/certs/certificate.crt
    SSLCertificateKeyFile /etc/ssl/private/privatekey.key
    SSLCertificateChainFile /etc/ssl/certs/ca_certificate.crt
</VirtualHost>


如果可以将https从一个域重定向到另一个域而没有证书错误,那么什么是正确的配置才能使它起作用?

最佳答案

让我们看看redirect指令如何工作


  通过要求客户端在新位置重新获取资源,Redirect指令将旧的URL映射到新的URL。


apache处理第一个请求,生成一个30x响应,以自动将浏览器重定向到新URL

           browser                       SERVER             SSL  cert
https://www.gis4business.com       -->  redirect     *.gis4business.co.uk
           302-redirect            <--
https://www.gis4business.co.uk/    -->  process      *.gis4business.co.uk


第一个请求是使用发给https://www.gis4business.com的证书从*.gis4business.co.uk提供的,因此因此被认为是无效的

要解决此问题,您需要使用颁发给www.gis4business.com*.gis4business.com的证书。使用两个主机名定义一个新的虚拟主机或请求一个新的证书。

关于apache - Apache HTTPS重定向证书错误,我们在Stack Overflow上找到一个类似的问题:https://stackoverflow.com/questions/48382040/

10-15 16:57