opennssl s_client显示错误的证书:浏览器显示正确 [英] opennssl s_client shows wrong cert: browser shows correct
问题描述
我们有2个域指向相同的公共AWS ELB,在该ELB后面有nginx,它将请求重定向到正确的服务器.
We have 2 domains pointing to the same public AWS ELB and behind that ELB we have nginx, which will redirect requests to the correct server.
当我们在浏览器(Chrome/Safari/etc)中访问sub.domainA.com时,一切正常,但是当我们使用openssl之类的工具时,会出现证书错误:
When we hit sub.domainA.com in the Browser (Chrome/Safari/etc), everything works, but when we use tools like openssl, we get a cert error:
openssl s_client -host sub.domainA.com -port 443 -prexit -showcerts
CONNECTED(00000003)
depth=0 /OU=Domain Control Validated/CN=*.domainB.com
verify error:num=20:unable to get local issuer certificate
verify return:1
由于某种原因,domainA使用的是domainB证书,我不知道为什么.
For some reason, domainA is using domainB certs and I have no idea why.
我几乎100%确信问题出在我们的nginx配置上(更具体地说,没有默认的服务器块)
I'm almost 100% sure the issue is with our nginx config (and more specifically, not having a default server block)
这是我们的Nginx配置:
Here is our nginx config:
worker_processes auto;
error_log /var/log/nginx/error.log;
error_log /var/log/nginx/error.log warn;
error_log /var/log/nginx/error.log notice;
error_log /var/log/nginx/error.log info;
events {
worker_connections 1024;
}
http {
include /usr/local/openresty/nginx/conf/mime.types;
default_type application/octet-stream;
...
#
# DomainB
#
server {
ssl on;
ssl_certificate /etc/nginx/domainB.crt;
ssl_certificate_key /etc/nginx/domainB.key;
listen 8080;
server_name *.domainB.com;
access_log /var/log/nginx/access.log logstash_json;
error_page 497 301 =200 https://$host$request_uri;
set $target_web "web.domainB_internal.com:80";
location / {
keepalive_timeout 180;
resolver 10.10.0.2 valid=30s;
proxy_set_header Host $host;
proxy_pass http://$target_web;
proxy_set_header X-Unique-ID $request_id;
}
}
#
# DomainA
#
server {
ssl on;
ssl_certificate /etc/nginx/domainA.crt;
ssl_certificate_key /etc/nginx/domainA.key;
listen 8080;
server_name *.domainA.com;
access_log /var/log/nginx/access.log logstash_json;
error_page 497 301 =200 https://$host$request_uri;
set $target_web "web.domainA_internal.com:80";
location / {
keepalive_timeout 180;
resolver 10.10.0.2 valid=30s;
proxy_set_header Host $host;
proxy_pass http://$target_web;
proxy_set_header X-Unique-ID $request_id;
}
}
}
它根本不应该落在domainB块中! 但是,当使用"openssl s_client"时,我们会看到它,但在浏览器中却看不到.
It shouldn't even be falling in the domainB block at all! Yet we see it when using "openssl s_client", but not in the browser.
有什么想法为什么我们在使用"openssl s_client -host sub.domainA.com"时完全看到domainB?
Any ideas why we see domainB at all when using "openssl s_client -host sub.domainA.com"?
非常类似于
非常有用的网站: https://tech. mendix.com/linux/2014/10/29/nginx-certs-sni/
推荐答案
您需要在openssl
命令中指定servername
选项.
You need to specify the servername
option in your openssl
command.
从 openssl s_client 文档中:
-服务器名名称
-servername name
在ClientHello中设置TLS SNI(服务器名称指示)扩展名 消息.
Set the TLS SNI (Server Name Indication) extension in the ClientHello message.
所以尝试类似的东西
openssl s_client -connect sub.domainA.com:443 -showcerts -servername sub.domainA.com
这篇关于opennssl s_client显示错误的证书:浏览器显示正确的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!