openssl s_client shows wrong cert: browser shows correct


Problem description

We have 2 domains pointing to the same public AWS ELB, and behind that ELB we have nginx, which will redirect requests to the correct server.

When we hit sub.domainA.com in the browser (Chrome/Safari/etc.), everything works, but when we use tools like openssl, we get a cert error:

openssl s_client -host sub.domainA.com -port 443 -prexit -showcerts

CONNECTED(00000003)
depth=0 /OU=Domain Control Validated/CN=*.domainB.com
verify error:num=20:unable to get local issuer certificate
verify return:1

For some reason, domainA is using domainB certs and I have no idea why.

I'm almost 100% sure the issue is with our nginx config (and more specifically, not having a default server block).

Here is our nginx config:

worker_processes  auto;

error_log  /var/log/nginx/error.log;
error_log  /var/log/nginx/error.log warn;
error_log  /var/log/nginx/error.log notice;
error_log  /var/log/nginx/error.log info;

events {
    worker_connections  1024;
}

http {
    include       /usr/local/openresty/nginx/conf/mime.types;
    default_type  application/octet-stream;
...
    #
    # DomainB
    #

    server {
        ssl on;
        ssl_certificate /etc/nginx/domainB.crt;
        ssl_certificate_key /etc/nginx/domainB.key;

        listen 8080;

        server_name *.domainB.com;

        access_log  /var/log/nginx/access.log  logstash_json;

        error_page 497 301 =200 https://$host$request_uri;

        set $target_web "web.domainB_internal.com:80";
        location / {
            keepalive_timeout  180;
            resolver 10.10.0.2 valid=30s;
            proxy_set_header Host $host;
            proxy_pass http://$target_web;
            proxy_set_header X-Unique-ID $request_id;
        }
    }

    #
    # DomainA
    #
    server {
        ssl on;
        ssl_certificate /etc/nginx/domainA.crt;
        ssl_certificate_key /etc/nginx/domainA.key;


        listen 8080;
        server_name *.domainA.com;

        access_log  /var/log/nginx/access.log  logstash_json;

        error_page 497 301 =200 https://$host$request_uri;

        set $target_web "web.domainA_internal.com:80";

        location / {
            keepalive_timeout  180;
            resolver 10.10.0.2 valid=30s;
            proxy_set_header Host $host;
            proxy_pass http://$target_web;
            proxy_set_header X-Unique-ID $request_id;
        }
    }
}

It shouldn't even be falling in the domainB block at all! Yet we see it when using "openssl s_client", but not in the browser.

Any ideas why we see domainB at all when using "openssl s_client -host sub.domainA.com"?

Very similar to: Openssl shows a different server certificate while the browser shows the correct one

Very useful site: https://tech.mendix.com/linux/2014/10/29/nginx-certs-sni/

Recommended answer

You need to specify the servername option in your openssl command.

From the openssl s_client documentation:

-servername name

Set the TLS SNI (Server Name Indication) extension in the ClientHello message.

So try something like

openssl s_client -connect sub.domainA.com:443 -showcerts -servername sub.domainA.com
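The script below automates the diagnosis the answer describes: it fetches the leaf certificate once without SNI and once with SNI, then checks whether the certificate's CN actually covers the requested hostname. It is an added example, not code from the original question or answer; it assumes OpenSSL 1.1.1 or newer (which introduced -noservername and, since that version, sends SNI by default when -connect is given a hostname), and sub.domainA.com is only a placeholder.

```shell
#!/bin/sh
# Compare the leaf certificate a TLS endpoint presents with and without SNI,
# and report whether that certificate covers the requested hostname.
# Added example, not from the original post. Assumes OpenSSL >= 1.1.1
# (-noservername); the hostname passed on the command line is a placeholder.

# Common name of the leaf cert served on $1:443. An empty $2 means the
# ClientHello carries no SNI extension (what older s_client versions sent).
leaf_cn() {
  host=$1; sni=$2
  if [ -n "$sni" ]; then
    printf '' | openssl s_client -connect "$host:443" -servername "$sni" 2>/dev/null
  else
    printf '' | openssl s_client -connect "$host:443" -noservername 2>/dev/null
  fi | openssl x509 -noout -subject -nameopt RFC2253 2>/dev/null \
     | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# RFC 6125-style check: a leading "*." matches exactly one DNS label;
# otherwise the names must be identical.
name_matches() {
  pattern=$1; host=$2
  case $pattern in
    '*.'*)
      suffix=${pattern#\*.}
      first=${host%%.*}; rest=${host#*.}
      [ "$first" != "$host" ] && [ -n "$first" ] && [ "$rest" = "$suffix" ] ;;
    *)  [ "$pattern" = "$host" ] ;;
  esac
}

# One line of output per handshake variant: $1 host, $2 label, $3 leaf CN.
report() {
  host=$1; label=$2; cn=$3
  if [ -z "$cn" ]; then
    echo "$label: handshake failed or no certificate returned"
  elif name_matches "$cn" "$host"; then
    echo "$label: CN=$cn covers $host"
  else
    echo "$label: CN=$cn does NOT cover $host (wrong server block or no default)"
  fi
}

compare_sni() {
  host=$1
  report "$host" "without SNI" "$(leaf_cn "$host" "")"
  report "$host" "with SNI" "$(leaf_cn "$host" "$host")"
}

if [ $# -gt 0 ]; then compare_sni "$1"; fi   # e.g. ./sni_check.sh sub.domainA.com
```

If the "without SNI" line names the other domain's wildcard while the "with SNI" line is correct, nginx is picking the first server block for SNI-less clients, which is exactly the behaviour a default server block (or a dedicated default certificate) is there to control.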
