ssl证书后，第二个虚拟主机域转发到apache测试页 [英] 2nd virtual host domain forwards to apache test page after ssl certificate

问题描述

好吧，我已经看过这个问题很多次了，但是我研究这2天中没有遇到过任何帖子似乎有所帮助，所以我将其发布在这里，希望有人知道问题所在.

Ok I've seen this question asked a multitude of times but none of the posts I've come across in the 2 days I've been researching this seem to help so I'm putting it out here in hopes of someone knowing the problem.

因此，我有一个使用Webmin的专用自我管理linux服务器，我在其上只有一个域，并添加了SSL证书，一切进展顺利.然后，我决定使用Webmin添加第二个域，并且在我决定我也需要该域的SSL证书之前，它的工作也非常顺利.

So I have a dedicated self managed linux server using Webmin, and I had a single domain on it and added an SSL certificate and everything was going great. Then I decided to add a second domain using Webmin and it was going great too until I decided I needed an SSL certificate for that domain as well.

添加SSL证书后，第一个域丝毫没有问题，只有第二个域丝毫没有问题.最初的问题是，当我尝试访问https://和我的域时，它会显示我的页面，但说它不安全，即使我知道在安装完证书后应该已经在该点了.此外，当我单击Chrome所说的不受保护的位置时，它将说我服务器上第一个域的域，而不是它应显示的实际域.

At no point have I had any issues with the first domain, only the 2nd one once I added the SSL certificate. At first the problem is when I tried to go to https:// and my domain, it would show my page but say it wasn't secure even though I know it should have been at this point after installing the certificate fine. Furthermore, when I would click on where Chrome said it wasn't secured, it would say the domain of my first domain on my server, not the actual domain that it should be showing.

换句话说，我在使用SSL的服务器上安装了example1.com，然后我添加了example2.com，它运行良好，但是一旦添加SSL，它就不安全了，当我尝试访问HTTPS版本时，它会说它是不安全的，当我单击查看证书时，它将在证书中显示example1.com名称，而不是我正在访问的页面的实际域.我知道我并非偶然尝试安装了错误的证书.

In other words I have example1.com on the server with SSL then I added example2.com and it worked fine but once I added SSL it wouldn't be secure and when I tried to visit the HTTPS version it would say it wasn't secure and when I clicked to view the certificate it would show the example1.com name in the certificate, not the actual domain for the page I was visiting. I know I didn't accidentally try installing the wrong certificate.

我花了大约12个小时来尝试研究这种情况的发生原因，并发现一些页面谈论了由于我为具有多个域的服务器使用单个IP地址而不起作用的原因.然后，我找到了一些有关如何确定服务器是否支持服务器名称指示的信息，并在Apache日志文件中看到了[ssl:warn] [pid 18329] AH02292:Init:基于名称的SSL，从而使我具有SNI支持虚拟主机仅适用于支持TLS服务器名称指示(RFC 4366)的客户端.

I spent maybe 12 hours trying to research why this was happening and came across some pages that talked about how since I am using a single IP address for my server with multiple domains that it won't work. Then I found some info on how to determine if my server supports Server Name Indication and saw in my Apache log file that I have SNI support due to seeing the message [ssl:warn] [pid 18329] AH02292: Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366).

在对我的httpd.conf和ssl.conf文件进行了6个小时的调整之后，我看到了一些进展，现在... example1.com仍然与以前完全相同，可以正常工作，但是现在example2.com看起来相同，但是如果我使用https协议，它将显示Apache Test页面，但它是安全的，并在证书信息中显示正确的域.如果我恢复为http，则显示正常页面(非测试页面)，但不安全.此外，Apache测试页告诉我将一些文件放在/var/www/html中，这实际上是放置它们的错误位置，因为example1.com的文件位于该位置.因此，我觉得.conf文件中的某个地方出了点问题，但我似乎无法弄清楚，SSL公司的人也不能.另外，我只是注意到，当我尝试访问example2.com HTTPS版本时，我得到了安全的Apache测试页，并且尝试添加任何页面(例如index.php或什至组成不存在的页面)在我的服务器上indexjlakjlkj.php上我收到了403禁止访问，您无权访问此服务器上的/index.php.

After 6 hours of tweaking with my httpd.conf and ssl.conf files I was able to see some progress, I guess... Now example1.com still is exactly the same as it was before, working perfectly, but now example2.com looks the same but if I go to https protocol it shows me the Apache Test page, but is secure, and shows the correct domain in the certificate info. if I revert to http it shows the normal page (not test page) but not secured. Furthermore the Apache test page tells me to put some files in /var/www/html which is actually the wrong place to put them as example1.com's files are at that location. So I feel like some place in the .conf files there is something wrong but I can't seem to figure it out and neither could the guy at the SSL company. Also I just noticed that when I try to access the example2.com HTTPS version and I get the Apache test page which is secure, and I try to add any page such as index.php or even a made up one that doesn't exist on my server indexjlakjlkj.php I get a 403 Forbidden, you do not have permission to access /index.php on this server.

我现在将粘贴这两个.conf文件中的内容:httpd.conf(注释行已删除，因此不会太长)

I will paste the contents from those two .conf files now: httpd.conf (commented lines removed so its not so long)

ServerRoot "/etc/httpd"


Listen *:80


Include conf.modules.d/*.conf


User apache
Group apache


ServerAdmin root@localhost

<Directory />
    AllowOverride All
    Require all denied
</Directory>


DocumentRoot "/var/www/html"


<Directory "/var/www">
    AllowOverride All
    # Allow open access:
    Require all granted
</Directory>

# Further relax access to the default document root:
<Directory "/var/www/html">

    Options Indexes FollowSymLinks

    AllowOverride All

    Require all granted
</Directory>

<IfModule dir_module>
    DirectoryIndex index.php index.html
</IfModule>


<Files ".ht*">
    Require all denied
</Files>


ErrorLog "logs/error_log"

LogLevel warn

<IfModule log_config_module>

    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%h %l %u %t \"%r\" %>s %b" common

    <IfModule logio_module>
      # You need to enable mod_logio.c to use %I and %O
      LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
    </IfModule>


    CustomLog "logs/access_log" combined
</IfModule>

<IfModule alias_module>

    ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"

</IfModule>


<Directory "/var/www/cgi-bin">
    AllowOverride None
    Options None
    Require all granted
</Directory>

<IfModule mime_module>

    TypesConfig /etc/mime.types

    AddType application/x-compress .Z
    AddType application/x-gzip .gz .tgz


    AddType text/html .shtml
    AddOutputFilter INCLUDES .shtml
</IfModule>


AddDefaultCharset UTF-8

<IfModule mime_magic_module>

    MIMEMagicFile conf/magic
</IfModule>


EnableSendfile on

IncludeOptional conf.d/*.conf
<VirtualHost *>
DocumentRoot "/home"
ServerName www.example2.com:80
ServerAlias *.example2.com
<Directory /home>
allow from all
Options None
Require all granted
</Directory>
</VirtualHost>
<VirtualHost *>
DocumentRoot "/var/www/html"
<Directory "/var/www/html">
allow from all
Options None
Require all granted
</Directory>
ServerName www.example1.com:80
ServerAlias *.example1.com
</VirtualHost>
ServerName www.example1.com:80
KeepAlive on

ssl.conf

#
# When we also provide SSL we have to listen to the 
# the HTTPS port in addition.
#
Listen *:443 https
##
##  SSL Global Context
##
##  All SSL configuration in this context applies both to
##  the main server and all SSL-enabled virtual hosts.
##

#   Pass Phrase Dialog:
#   Configure the pass phrase gathering process.
#   The filtering dialog program (`builtin' is a internal
#   terminal dialog) has to provide the pass phrase on stdout.
SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog

#   Inter-Process Session Cache:
#   Configure the SSL Session Cache: First the mechanism 
#   to use and second the expiring timeout (in seconds).
SSLSessionCache         shmcb:/run/httpd/sslcache(512000)
SSLSessionCacheTimeout  300

#   Pseudo Random Number Generator (PRNG):
#   Configure one or more sources to seed the PRNG of the 
#   SSL library. The seed data should be of good random quality.
#   WARNING! On some platforms /dev/random blocks if not enough entropy
#   is available. This means you then cannot use the /dev/random device
#   because it would lead to very long connection times (as long as
#   it requires to make more entropy available). But usually those
#   platforms additionally provide a /dev/urandom device which doesn't
#   block. So, if available, use this one instead. Read the mod_ssl User
#   Manual for more details.
SSLRandomSeed startup file:/dev/urandom  256
SSLRandomSeed connect builtin
#SSLRandomSeed startup file:/dev/random  512
#SSLRandomSeed connect file:/dev/random  512
#SSLRandomSeed connect file:/dev/urandom 512

#
# Use "SSLCryptoDevice" to enable any supported hardware
# accelerators. Use "openssl engine -v" to list supported
# engine names.  NOTE: If you enable an accelerator and the
# server does not start, consult the error logs and ensure
# your accelerator is functioning properly. 
#
SSLCryptoDevice builtin
#SSLCryptoDevice ubsec

##
## SSL Virtual Host Context
##


<VirtualHost *:443>

# General setup for the virtual host, inherited from global configuration
#DocumentRoot "/var/www/html"
#ServerName www.example.com:443

# Use separate log files for the SSL virtual host; note that LogLevel
# is not inherited from httpd.conf.
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn

#   SSL Engine Switch:
#   Enable/Disable SSL for this virtual host.
SSLEngine on

#   SSL Protocol support:
# List the enable protocol levels with which clients will be able to
# connect.  Disable SSLv2 access by default:
SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2

#   SSL Cipher Suite:
#   List the ciphers that the client is permitted to negotiate.
#   See the mod_ssl documentation for a complete list.
SSLCipherSuite HIGH:3DES:!aNULL:!MD5:!SEED:!IDEA

#   Speed-optimized SSL Cipher configuration:
#   If speed is your main concern (on busy HTTPS servers e.g.),
#   you might want to force clients to specific, performance
#   optimized ciphers. In this case, prepend those ciphers
#   to the SSLCipherSuite list, and enable SSLHonorCipherOrder.
#   Caveat: by giving precedence to RC4-SHA and AES128-SHA
#   (as in the example below), most connections will no longer
#   have perfect forward secrecy - if the server's key is
#   compromised, captures of past or future traffic must be
#   considered compromised, too.
#SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5
#SSLHonorCipherOrder on 

#   Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate.  If
# the certificate is encrypted, then you will be prompted for a
# pass phrase.  Note that a kill -HUP will prompt again.  A new
# certificate can be generated using the genkey(1) command.
SSLCertificateFile /home/example2.crt

#   Server Private Key:
#   If the key is not combined with the certificate, use this
#   directive to point at the key file.  Keep in mind that if
#   you've both a RSA and a DSA private key you can configure
#   both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /home/example2.key

#   Server Certificate Chain:
#   Point SSLCertificateChainFile at a file containing the
#   concatenation of PEM encoded CA certificates which form the
#   certificate chain for the server certificate. Alternatively
#   the referenced file can be the same as SSLCertificateFile
#   when the CA certificates are directly appended to the server
#   certificate for convinience.
#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt

#   Certificate Authority (CA):
#   Set the CA certificate verification path where to find CA
#   certificates for client authentication or alternatively one
#   huge file containing all of them (file must be PEM encoded)
#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt

#   Client Authentication (Type):
#   Client certificate verification type and depth.  Types are
#   none, optional, require and optional_no_ca.  Depth is a
#   number which specifies how deeply to verify the certificate
#   issuer chain before deciding the certificate is not valid.
#SSLVerifyClient require
#SSLVerifyDepth  10

#   Access Control:
#   With SSLRequire you can do per-directory access control based
#   on arbitrary complex boolean expressions containing server
#   variable checks and other lookup directives.  The syntax is a
#   mixture between C and Perl.  See the mod_ssl documentation
#   for more details.
#<Location />
#SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
#            and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
#            and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
#            and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
#            and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20       ) \
#           or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
#</Location>

#   SSL Engine Options:
#   Set various options for the SSL engine.
#   o FakeBasicAuth:
#     Translate the client X.509 into a Basic Authorisation.  This means that
#     the standard Auth/DBMAuth methods can be used for access control.  The
#     user name is the `one line' version of the client's X.509 certificate.
#     Note that no password is obtained from the user. Every entry in the user
#     file needs this password: `xxj31ZMTZzkVA'.
#   o ExportCertData:
#     This exports two additional environment variables: SSL_CLIENT_CERT and
#     SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
#     server (always existing) and the client (only existing when client
#     authentication is used). This can be used to import the certificates
#     into CGI scripts.
#   o StdEnvVars:
#     This exports the standard SSL/TLS related `SSL_*' environment variables.
#     Per default this exportation is switched off for performance reasons,
#     because the extraction step is an expensive operation and is usually
#     useless for serving static content. So one usually enables the
#     exportation for CGI and SSI requests only.
#   o StrictRequire:
#     This denies access when "SSLRequireSSL" or "SSLRequire" applied even
#     under a "Satisfy any" situation, i.e. when it applies access is denied
#     and no other module can change it.
#   o OptRenegotiate:
#     This enables optimized SSL connection renegotiation handling when SSL
#     directives are used in per-directory context. 
#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars
</Files>
<Directory /home/var/www/cgi-bin>
    SSLOptions +StdEnvVars
</Directory>

#   SSL Protocol Adjustments:
#   The safe and default but still SSL/TLS standard compliant shutdown
#   approach is that mod_ssl sends the close notify alert but doesn't wait for
#   the close notify alert from client. When you need a different shutdown
#   approach you can use one of the following variables:
#   o ssl-unclean-shutdown:
#     This forces an unclean shutdown when the connection is closed, i.e. no
#     SSL close notify alert is send or allowed to received.  This violates
#     the SSL/TLS standard but is needed for some brain-dead browsers. Use
#     this when you receive I/O errors because of the standard approach where
#     mod_ssl sends the close notify alert.
#   o ssl-accurate-shutdown:
#     This forces an accurate shutdown when the connection is closed, i.e. a
#     SSL close notify alert is send and mod_ssl waits for the close notify
#     alert of the client. This is 100% SSL/TLS standard compliant, but in
#     practice often causes hanging connections with brain-dead browsers. Use
#     this only for browsers where you know that their SSL implementation
#     works correctly. 
#   Notice: Most problems of broken clients are also related to the HTTP
#   keep-alive facility, so you usually additionally want to disable
#   keep-alive for those clients, too. Use variable "nokeepalive" for this.
#   Similarly, one has to force some clients to use HTTP/1.0 to workaround
#   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
#   "force-response-1.0" for this.
BrowserMatch "MSIE [2-5]" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0

#   Per-Server Logging:
#   The home of a custom SSL log file. Use this when you want a
#   compact non-error SSL logfile on a virtual host basis.
CustomLog logs/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
SSLCACertificateFile /home/example2.com.ca-bundle
ServerName www.example2.com:443
ServerAlias *.example2.com
DocumentRoot "/home"

</VirtualHost>
<VirtualHost *:443>

# General setup for the virtual host, inherited from global configuration
#DocumentRoot "/var/www/html"
#ServerName www.example.com:443

# Use separate log files for the SSL virtual host; note that LogLevel
# is not inherited from httpd.conf.
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn

#   SSL Engine Switch:
#   Enable/Disable SSL for this virtual host.
SSLEngine on

#   SSL Protocol support:
# List the enable protocol levels with which clients will be able to
# connect.  Disable SSLv2 access by default:
SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2

#   SSL Cipher Suite:
#   List the ciphers that the client is permitted to negotiate.
#   See the mod_ssl documentation for a complete list.
SSLCipherSuite HIGH:3DES:!aNULL:!MD5:!SEED:!IDEA

#   Speed-optimized SSL Cipher configuration:
#   If speed is your main concern (on busy HTTPS servers e.g.),
#   you might want to force clients to specific, performance
#   optimized ciphers. In this case, prepend those ciphers
#   to the SSLCipherSuite list, and enable SSLHonorCipherOrder.
#   Caveat: by giving precedence to RC4-SHA and AES128-SHA
#   (as in the example below), most connections will no longer
#   have perfect forward secrecy - if the server's key is
#   compromised, captures of past or future traffic must be
#   considered compromised, too.
#SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5
#SSLHonorCipherOrder on 

#   Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate.  If
# the certificate is encrypted, then you will be prompted for a
# pass phrase.  Note that a kill -HUP will prompt again.  A new
# certificate can be generated using the genkey(1) command.
SSLCertificateFile /etc/pki/tls/certs/www_example1_com.crt

#   Server Private Key:
#   If the key is not combined with the certificate, use this
#   directive to point at the key file.  Keep in mind that if
#   you've both a RSA and a DSA private key you can configure
#   both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /etc/ssl/certs/www.example1.com.key

#   Server Certificate Chain:
#   Point SSLCertificateChainFile at a file containing the
#   concatenation of PEM encoded CA certificates which form the
#   certificate chain for the server certificate. Alternatively
#   the referenced file can be the same as SSLCertificateFile
#   when the CA certificates are directly appended to the server
#   certificate for convinience.
#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt

#   Certificate Authority (CA):
#   Set the CA certificate verification path where to find CA
#   certificates for client authentication or alternatively one
#   huge file containing all of them (file must be PEM encoded)
#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt

#   Client Authentication (Type):
#   Client certificate verification type and depth.  Types are
#   none, optional, require and optional_no_ca.  Depth is a
#   number which specifies how deeply to verify the certificate
#   issuer chain before deciding the certificate is not valid.
#SSLVerifyClient require
#SSLVerifyDepth  10

#   Access Control:
#   With SSLRequire you can do per-directory access control based
#   on arbitrary complex boolean expressions containing server
#   variable checks and other lookup directives.  The syntax is a
#   mixture between C and Perl.  See the mod_ssl documentation
#   for more details.
#<Location />
#SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
#            and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
#            and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
#            and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
#            and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20       ) \
#           or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
#</Location>

#   SSL Engine Options:
#   Set various options for the SSL engine.
#   o FakeBasicAuth:
#     Translate the client X.509 into a Basic Authorisation.  This means that
#     the standard Auth/DBMAuth methods can be used for access control.  The
#     user name is the `one line' version of the client's X.509 certificate.
#     Note that no password is obtained from the user. Every entry in the user
#     file needs this password: `xxj31ZMTZzkVA'.
#   o ExportCertData:
#     This exports two additional environment variables: SSL_CLIENT_CERT and
#     SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
#     server (always existing) and the client (only existing when client
#     authentication is used). This can be used to import the certificates
#     into CGI scripts.
#   o StdEnvVars:
#     This exports the standard SSL/TLS related `SSL_*' environment variables.
#     Per default this exportation is switched off for performance reasons,
#     because the extraction step is an expensive operation and is usually
#     useless for serving static content. So one usually enables the
#     exportation for CGI and SSI requests only.
#   o StrictRequire:
#     This denies access when "SSLRequireSSL" or "SSLRequire" applied even
#     under a "Satisfy any" situation, i.e. when it applies access is denied
#     and no other module can change it.
#   o OptRenegotiate:
#     This enables optimized SSL connection renegotiation handling when SSL
#     directives are used in per-directory context. 
#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>

#   SSL Protocol Adjustments:
#   The safe and default but still SSL/TLS standard compliant shutdown
#   approach is that mod_ssl sends the close notify alert but doesn't wait for
#   the close notify alert from client. When you need a different shutdown
#   approach you can use one of the following variables:
#   o ssl-unclean-shutdown:
#     This forces an unclean shutdown when the connection is closed, i.e. no
#     SSL close notify alert is send or allowed to received.  This violates
#     the SSL/TLS standard but is needed for some brain-dead browsers. Use
#     this when you receive I/O errors because of the standard approach where
#     mod_ssl sends the close notify alert.
#   o ssl-accurate-shutdown:
#     This forces an accurate shutdown when the connection is closed, i.e. a
#     SSL close notify alert is send and mod_ssl waits for the close notify
#     alert of the client. This is 100% SSL/TLS standard compliant, but in
#     practice often causes hanging connections with brain-dead browsers. Use
#     this only for browsers where you know that their SSL implementation
#     works correctly. 
#   Notice: Most problems of broken clients are also related to the HTTP
#   keep-alive facility, so you usually additionally want to disable
#   keep-alive for those clients, too. Use variable "nokeepalive" for this.
#   Similarly, one has to force some clients to use HTTP/1.0 to workaround
#   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
#   "force-response-1.0" for this.
BrowserMatch "MSIE [2-5]" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0

#   Per-Server Logging:
#   The home of a custom SSL log file. Use this when you want a
#   compact non-error SSL logfile on a virtual host basis.
CustomLog logs/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
SSLCACertificateFile /etc/ssl/certs/www_example1_com.ca-bundle
ServerAlias *.example1.com
ServerName www.example1.com:443
DocumentRoot "/var/www/html"
</VirtualHost>

即时通讯上的Apache错误日志:

Apache error log while im at it:

[Mon Jul 16 20:45:44.042843 2018] [mpm_prefork:notice] [pid 18329] AH00171: Graceful restart requested, doing restart
[Mon Jul 16 20:45:44.621658 2018] [auth_digest:notice] [pid 18329] AH01757: generating secret for digest authentication ...
[Mon Jul 16 20:45:44.629825 2018] [lbmethod_heartbeat:notice] [pid 18329] AH02282: No slotmem from mod_heartmonitor
[Mon Jul 16 20:45:44.652054 2018] [ssl:warn] [pid 18329] AH02292: Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
[Mon Jul 16 20:45:44.874831 2018] [mpm_prefork:notice] [pid 18329] AH00163: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.0.30 configured -- resuming normal operations
[Mon Jul 16 20:45:44.874916 2018] [core:notice] [pid 18329] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
[Mon Jul 16 20:50:44.585607 2018] [mpm_prefork:notice] [pid 18329] AH00171: Graceful restart requested, doing restart
[Mon Jul 16 20:50:45.317293 2018] [auth_digest:notice] [pid 18329] AH01757: generating secret for digest authentication ...
[Mon Jul 16 20:50:45.323182 2018] [lbmethod_heartbeat:notice] [pid 18329] AH02282: No slotmem from mod_heartmonitor
[Mon Jul 16 20:50:45.344044 2018] [ssl:warn] [pid 18329] AH02292: Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
[Mon Jul 16 20:50:45.609163 2018] [mpm_prefork:notice] [pid 18329] AH00163: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.0.30 configured -- resuming normal operations
[Mon Jul 16 20:50:45.609223 2018] [core:notice] [pid 18329] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
[Mon Jul 16 20:57:57.607491 2018] [mpm_prefork:notice] [pid 18329] AH00171: Graceful restart requested, doing restart
[Mon Jul 16 20:57:58.316199 2018] [auth_digest:notice] [pid 18329] AH01757: generating secret for digest authentication ...
[Mon Jul 16 20:57:58.322282 2018] [lbmethod_heartbeat:notice] [pid 18329] AH02282: No slotmem from mod_heartmonitor
[Mon Jul 16 20:57:58.340258 2018] [ssl:warn] [pid 18329] AH02292: Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
[Mon Jul 16 20:57:58.521733 2018] [mpm_prefork:notice] [pid 18329] AH00163: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.0.30 configured -- resuming normal operations
[Mon Jul 16 20:57:58.521798 2018] [core:notice] [pid 18329] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'

我在这里完全不知所措，也许对此有一些额外的关注或一些更有经验的人可以在这里帮助我.我花了2天的时间查看所有内容，除了购买多域SSL证书(而不是我购买的两个单一证书)外，不知道该怎么做，但不确定目前是否可以使用.我很乐意根据要求提供其他文件供审核.非常感谢您对我的关注，无论谁在寻找:)

I'm at a complete loss here, perhaps some extra eyes on this or some more experienced individuals can help me out here. I've spent 2 days looking over everything and not sure what to do other than perhaps purchase a multi domain SSL certificate instead of the two single certs that I bought, but not sure that will even work at this point. I'll be happy to supply any other files for review upon request. Thanks so much for looking into this for me, whomever is looking :)

推荐答案

哇，您的配置一团糟！您应该真正阅读 https://stackoverflow.com/help/mcve .

Wow your configuration is a mess! You should really read https://stackoverflow.com/help/mcve.

但是，我在这里看到了几个问题:

However, I see a couple issues here:

• 您有4个VirtualHosts，2个端口*，2个端口443.这会使Apache混乱.
• 没有缩进.好的，Apache不在乎，但是我们照做！这很难读.空行分隔虚拟主机是个好习惯.
• SSL不喜欢同一IP上的多个域(稍后会更多).

假设您想要

• http://www.exemple1.com
• http://www.example2.com
• https://www.example1.com
• https://www.example2.com
• 全部位于同一台服务器上，并具有https域的证书

我会做(不是一个完整的产品准备配置，只是为了说明我的观点):

I would do (not a complete prod ready config, just to illustrate my point):

# www.example1.com, port 80
<VirtualHost *:80>
    ServerName www.example1.com
    ServerAlias example1.com

    ErrorLog "logs/example1_80_error_log"
    CustomLog "logs/example1_80_access_log" Combined

    DocumentRoot "/var/www/html"
    <Directory "/var/www/html">
        allow from all
        Options None
        Require all granted
    </Directory>
</VirtualHost>

# www.example2.com, port 80
<VirtualHost *:80>
    ServerName www.example2.com
    ServerAlias example2.com

    ErrorLog "logs/example2_80_error_log"
    CustomLog "logs/example2_80_access_log" Combined

    DocumentRoot "/home"
    <Directory "/home">
        allow from all
        Options None
        Require all granted
    </Directory>
</VirtualHost>

# www.example1.com, port 443
<VirtualHost 1.1.1.1:443>
    ServerName www.example1.com
    ServerAlias example1.com

    ErrorLog "logs/example1_443_error_log"
    CustomLog "logs/example1_443_access_log" Combined

    DocumentRoot "/var/www/html"
    <Directory "/var/www/html">
        allow from all
        Options None
        Require all granted
    </Directory>
</VirtualHost>

# www.example2.com, port 443
<VirtualHost 2.2.2.2:443>
    ServerName www.example2.com
    ServerAlias example2.com

    ErrorLog "logs/example2_443_error_log"
    CustomLog "logs/example2_443_access_log" Combined

    DocumentRoot "/home"
    <Directory "/home">
        allow from all
        Options None
        Require all granted
    </Directory>
</VirtualHost>

现在，有关端口80的一些详细信息:

Now some details, for port 80:

• 请勿使用< VirtualHost *> ，因为对于Apache而言，这意味着所有端口，所有记录，均使用此VirtualHost！"
• 您可以有许多虚拟主机.Apache将根据ServerName的值以及接收到的URL知道要使用哪一个.
• 如果收到的URL与端口80个VirtualHost都不匹配，它将使用顶部的第一个URL.
• 如果您使用的是Apache 2.2，则必须添加 NameVirtualHost *:80 来激活该机制，Apache 2.4会自动执行.
• 我放置 *:80 告诉Apache接受来自任何IP地址的端口80请求，因为它可以按名称区分VirtualHost.

• Do not use <VirtualHost *> as this for Apache means "all ports, all requets, use this VirtualHost!"
• You can have many Virtualhosts. Apache will know which one to use based on the value of ServerName, and the URL it received.
• If the URL received matches none of the port 80 VirtualHosts, it will use the first one from the top.
• If you are on Apache 2.2, you have to add NameVirtualHost *:80 to activate that mechanism, Apache 2.4 does it automatically.
• I put *:80 to tell Apache to accept port 80 requests from any IP address, since it can differentiate between the VirtualHosts by name.

对于日志文件:

• 我总是按虚拟主机分开我的日志.尝试在1个文件中对所有内容进行调试是很疯狂的.
• 例如，它还允许您将不同的日志级别应用于不同的域，而无需在 debug 中包含整个基础结构.

• I always separate my logs, per Virtualhost. Trying to debug it all in 1 file is crazy.
• It also allows you to apply different log levels to different domains without having the entire infra in debug for example.

对于端口443，有点复杂:

For port 443, a bit more complicated:

• 您注意到，当您请求 https://ANYDOMAIN/时，它总是使用第一个.
• 这是因为Apache必须先 与浏览器协商密码和证书，然后然后它将知道请求哪个域.
• 没有等效的 NameVirtualHost *:443 .
• 所以我们必须使用另一种方法来分隔两个域.
• 这就是为什么在我的配置中，我将< VirtualHost 1.1.1.1:443> 和< VirtualHost 2.2.2.2:443> 放进去.
• 1.1.1.1和2.2.2.2是虚构的IP地址.将这些更改为您拥有的真实IP.
• 这样，Apache就会知道，如果他收到对 https://www.example2.com 的请求，则它应该使用第二个:443 VirtualHost，因为DNS会将www.example2.com解析为IP 2.2..2.2.
• 但这意味着您可以在系统上设置2个IP地址.
• 此外，每个域需要1个证书(或仅使用alt_names都需要1个证书).

• As you noticed, when you ask for https://ANYDOMAIN/ it always uses the first one.
• That is because Apache must first negotiate the cipher and certificates with the browser and then it will know which domain is asked for.
• There is no equivalent to NameVirtualHost *:443 that will work.
• So we must use another method of separating the two domains.
• That is why in my config, I put <VirtualHost 1.1.1.1:443> and <VirtualHost 2.2.2.2:443>.
• 1.1.1.1 and 2.2.2.2 are fictional IP addresses. Change those to real IPs you have.
• That way Apache will know that if he gets a request for https://www.example2.com it should use the second :443 VirtualHost because DNS resolves www.example2.com to IP 2.2.2.2.
• But that implies that you can setup 2 IP addresses on your system.
• Also, you will need 1 certificate per domain (or only 1 certificate which is valid for both using alt_names).

有一种方法可以让您在:443上使用它，即SNI.对"Apache SNI SSL"进行一些研究，您将看到一些解释.但这超出了此答案的范围:-)

There is one method that will allow you to get this working for :443, that is SNI. Do some research on "Apache SNI SSL", you will see some explanations on that. But that is outside the scope of this answer :-)

这篇关于ssl证书后，第二个虚拟主机域转发到apache测试页的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！