Let's Encrypt证书存在问题:https://www.website.com不能与重定向到https://website.com一起使用 [英] Issue with Let's Encrypt certificate : https://www.website.com not working with redirection to https://website.com

问题描述

我为网站生成的证书有问题(在此处称为website.com).

我可以输入浏览器http://www.website.com，并根据需要成功重定向到https://website.com(使用let's encrypt生成的证书).我已经使用Apache2的重写规则完成了这种重定向.当我键入http://website.com时，重定向到https://website.com也可以正常工作.

现在，当我直接在浏览器https://wwww.website.com中键入时，我遇到一个问题:我收到以下错误消息:

为了生成让我们加密证书的方法，我执行了以下命令:

./certbot-auto certonly --no-bootstrap --no-self-upgrade --renew-by-default -a standalone -d website.com --rsa-key-size 4096

我想生成一个同时适用于website.com和www.website.com的证书:上面带有cerbot-auto的命令对此正确吗?

在从Debian 7迁移到Debian 10之前，似乎在浏览器的证书信息窗口中有一个*.website.com名称，但我不确定.

如何键入 https://www.website.com 并正确重定向到 https://website.com 而没有上图所示的错误?

更新1

单个证书是否足以执行所有重定向，我的意思是仅一个证书website.com?在我以前的操作系统上就是这种情况，我认为我只有一个uniq证书(用于website.com).

我要进行以下重定向:

http://website.com -----> https://website.com

http://www.website.com -----> https://website.com

https://www.website.com -----> https://website.com

URL包含我要保持HTTP模式的目录podcast的URL.

因此，从>参考:Apache重定向www到非www和从HTTP到HTTPS ，我做到了:

RewriteCond %{HTTPS} off [OR]
RewriteCond %{HTTP_HOST} ^www\. [NC]
RewriteCond %{REQUEST_URI} !^/podcast [NC]
RewriteRule ^ https://website.com%{REQUEST_URI} [L,NE,R=301]

这些重写规则似乎正确吗?

不幸的是，如果我直接键入https://www.website.com，则不会重定向到https://website.com，并且出现上面的警告"窗口图，我不知道该怎么办.

更新2

1)让我们加密"是否提供生成通配符"证书的可能性?我的意思是，当我们在浏览器中查看证书时，格式为*.website.com.

2)此外，还有谁知道如何使用apache2重写规则执行允许重定向 https://website.com .

要获取更多信息，我开始提供赏金. 在赏金结束时，我将讨论如何从 https://www.website.com 到 https://website.com (这些URL在相同的href标记下被屏蔽为赏金，但它们不同).

更新3

感谢您的回答.我认为我的问题与通配符证书无关，因为我只想从 https://www.website.com 转到 https://website.com (不要考虑上述UPDATE 2 .当然，只需一个简单的重写规则就足够了.在当前操作系统(Debian 10)之前，我运行的所有配置文件都运行良好，现在尝试再次使用.特别是，我仅使用通过选项"-d website.com"(我没有使用第二个域"www.website.com").

我将尝试修改这些重写规则以获取此重定向，而不必生成www.website.com证书文件.

解决方案

您可以尝试对原始certbot-auto命令运行此次要更新，以获取包含附加www.website.com域名的证书. (我相信这就是约翰·汉利(John Hanley)在对您的原始问题的评论中所说的) 请注意，根据一种来源(下面的lettencrypt社区链接)，如果您已经设置了URL重写规则，则可能必须删除它们，然后才能进行认证过程. (如果您运行命令并收到错误，则可能是原因)

./certbot-auto certonly --no-bootstrap --no-self-upgrade --renew-by-default -a standalone -d website.com -d www.website.com --rsa-key-size 4096

可能有用的参考:

certbot的

命令参数参考(手册页) https://certbot.eff.org/docs/man/certbot. html?highlight = bootstrap

letsencrypt社区有关添加新域的讨论 https://community.letsencrypt.org/t/add-a-domain-using-certbot-auto/33660

letencrypt文档以更新现有证书 https://certbot.eff.org/docs/using.html#re-creating-and-updating-existing-certificates 注意，根据手册页，-renew-by-default缺省意味着--expand，在这些示例中使用 (--expand仅使您不必回答是否有意更新现有证书)

我认为您的重写规则看起来大致上不错，如前所述，可能需要暂时将其删除以生成证书.在这些规则之前，您可能需要"RewriteEngine On":

RewriteEngine On
RewriteCond %{HTTPS} off [OR]
RewriteCond %{HTTP_HOST} ^www\. [NC]
RewriteCond %{REQUEST_URI} !^/podcast [NC]
RewriteRule ^ https://website.com%{REQUEST_URI} [L,NE,R=301]

关于通配符证书的问题，仅在附加插件的帮助下才支持它们.在这里查看更多: https://certbot.eff.org/docs/using.html? Highlight = wildcard#id14

I have an issue with the certicate that I have generated for a website (dubbed here website.com).

I can type in brower http://www.website.com and successfully redirected to https://website.com as I wanted (with a certificate generated by let's encrypt). I have done this redirection with Rewrite Rules with Apache2. The redirection to https://website.com also works fine when I type http://website.com.

Now, I am face to an issue when I type directly in browser https://wwww.website.com : I get the following error :

To generate let's encrypt certifcate, I have executed the following command :

./certbot-auto certonly --no-bootstrap --no-self-upgrade --renew-by-default -a standalone -d website.com --rsa-key-size 4096

I would like to generate a certificate working both for website.com and www.website.com : is the command above with cerbot-auto correct for this ?

It seems that before my migration from Debian 7 to Debian 10, I had a *.website.com name in the certifcate info window of the browser but I am not sure.

How to type https://www.website.com and to be correctly redirected to https://website.com without having the error illustrated in the figure above ?

Update 1

Is a single certificate sufficient to make all the redirections to be performed, I mean in my case only one certificate website.com ? This was the case on my previous OS, I think that I had only a uniq certificate (for website.com).

I want to have the following redirections :

http://website.com -----> https://website.com

http://www.website.com -----> https://website.com

https://www.website.com -----> https://website.com

except for URL containing the directory podcast where I want to stay in HTTP mode.

So, from Ref: Apache redirect www to non-www and HTTP to HTTPS, I did :

RewriteCond %{HTTPS} off [OR]
RewriteCond %{HTTP_HOST} ^www\. [NC]
RewriteCond %{REQUEST_URI} !^/podcast [NC]
RewriteRule ^ https://website.com%{REQUEST_URI} [L,NE,R=301]

Does these Rewrite rules seem to be correct ?

Unfortunately, if I type directly https://www.website.com, I am not redirected to https://website.com and the Warning window figure above appears, I don't know what to do.

Update 2

1) Does Let's Encrypt offer the possibility to generate a "wildcards" certificate ?, I mean under the form *.website.com when we look at the certificate in browsers.

2) Moreover, Does anyone know how to perform with apache2 Rewrite rules the rule which allows to redirect https://www.website.com to https://website.com.

To have more informations, I am starting a bounty. At the end of the bounty, I talk about what to do to make a redirection from https://www.website.com to https://website.com (these URL are masked into bounty under the same href tag but they are different).

Update 3

Thanks for your answers. I think my issue is not about wildcards certificates since I just want a redirection from https://www.website.com to https://website.com (don't take into account of the UPDATE 2 above. Surely a simple rewrite rule should be enough. Before my current OS (Debian 10), I was running well all my config files that I try to use again now. Especially, I was using only one certificate generated with the option "-d website.com" (I didn't use a second domain "www.website.com").

I am going to try to modify these rewrite rules to get this redirection without being obliged to generate a www.website.com certificate files.

解决方案

You could try running this minor update to your original certbot-auto command to get your certificate to include the additional www.website.com domain name (I believe this is what John Hanley was talking about in his comment on your original question) Please note, according to one source (letsencrypt community link below) you may have to remove URL rewrite rules if you already have them set up, before the certification process will work. (if you run the command and get an error, that might be why)

./certbot-auto certonly --no-bootstrap --no-self-upgrade --renew-by-default -a standalone -d website.com -d www.website.com --rsa-key-size 4096

references that might be helpful:

command paramter reference for certbot (man page) https://certbot.eff.org/docs/man/certbot.html?highlight=bootstrap

letsencrypt community discussion of adding a new domain https://community.letsencrypt.org/t/add-a-domain-using-certbot-auto/33660

letsencrypt documentation for updating an existing certificate https://certbot.eff.org/docs/using.html#re-creating-and-updating-existing-certificates note, according to the man page, --renew-by-default implies --expand, which is used in these examples (--expand just prevents you from having to answer whether you are intentionally updating the existing certificate)

I think your rewrite rule looks mostly fine as it is, as mentioned before it might need to be removed temporarily to get you certificate generated. And you may need "RewriteEngine On" before those rules:

RewriteEngine On
RewriteCond %{HTTPS} off [OR]
RewriteCond %{HTTP_HOST} ^www\. [NC]
RewriteCond %{REQUEST_URI} !^/podcast [NC]
RewriteRule ^ https://website.com%{REQUEST_URI} [L,NE,R=301]

And to the question about wildcard certificates, they are supported but only with the help of additional plugins. See more here: https://certbot.eff.org/docs/using.html?highlight=wildcard#id14

这篇关于Let's Encrypt证书存在问题:https://www.website.com不能与重定向到https://website.com一起使用的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！