LNMP1.4 多域名SSL安全證書設置問題

fortop · 发表于 2017-7-26 11:50:34

軍哥或其他有經驗師兄，需要大家幫忙指點一下。我在godaddy.com 購買了多域名(Deluxe (OV) SAN SSL)安全證書，首個域名已經成功設置啓用，但服務器增加新主機（域名）時，所有新域名都無法正常訪問到對應目錄（只能訪問服務器的默認地址，無論是設https抑或普通http都一樣），但設置好的首個SSL域名和之前的域名就沒受影響，可以正常使用。

另外godaddy.com 沒有多域名(Deluxe (OV) SAN SSL)安全證書設置相關教程，網上能找到的也不完全，跟着做亦不成功，哪位有成功經驗或相關資料的請分享一下，不勝感激！

附配置檔案：

nginx.conf

user  www www;

worker_processes auto;

error_log  /home/wwwlogs/nginx_error.log  crit;

pid       /usr/local/nginx/logs/nginx.pid;

#Specifies the value for maximum file descriptors that can be opened by this process.
worker_rlimit_nofile 51200;

events
{
      use epoll;
      worker_connections 51200;
      multi_accept on;
}

http
{
      include    mime.types;
      default_type  application/octet-stream;

      server_names_hash_bucket_size 128;
      client_header_buffer_size 32k;
      large_client_header_buffers 4 32k;
      client_max_body_size 50m;

      sendfile on;
      tcp_nopush on;

      keepalive_timeout 60;

      tcp_nodelay on;

      fastcgi_connect_timeout 300;
      fastcgi_send_timeout 300;
      fastcgi_read_timeout 300;
      fastcgi_buffer_size 64k;
      fastcgi_buffers 4 64k;
      fastcgi_busy_buffers_size 128k;
      fastcgi_temp_file_write_size 256k;

      gzip on;
      gzip_min_length  1k;
      gzip_buffers    4 16k;
      gzip_http_version 1.1;
      gzip_comp_level 2;
      gzip_types    text/plain application/javascript application/x-javascript text/javascript text/css application/xml application/xml+rss;
      gzip_vary on;
      gzip_proxied expired no-cache no-store private auth;
      gzip_disable "MSIE [1-6]\.";

      #limit_conn_zone $binary_remote_addr zone=perip:10m;
      ##If enable limit_conn_zone,add "limit_conn perip 10;" to server section.

      server_tokens off;
      access_log off;

server
{
      listen 80 default_server;
      #listen [::]:80 default_server ipv6only=on;
      server_name _;
      index index.html index.htm index.php;
      root  /home/wwwroot/default;

      #error_page 404 /404.html;

      # Deny access to PHP files in specific directory
      #location ~ /(wp-content|uploads|wp-includes|images)/.*\.php$ { deny all; }

      include enable-php.conf;

      location /nginx_status
      {
         stub_status on;
         access_log off;
      }

      location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
      {
         expires    30d;
      }

      location ~ .*\.(js|css)?$
      {
         expires    12h;
      }

      location ~ /.well-known {
         allow all;
      }

      location ~ /\.
      {
         deny all;
      }

      access_log  /home/wwwlogs/access.log;
}
include vhost/*.conf;
}

首個SSL主機www.screen.com.hk.conf：

server
{
      listen 80;
      #listen [::]:80;
      server_name www.screen.com.hk screen.com.hk;
      index index.html index.htm index.php default.html default.htm default.php;
      root  /home/wwwroot/www.screen.com.hk;

      include wordpress.conf;
      #error_page 404 /404.html;

      # Deny access to PHP files in specific directory
      #location ~ /(wp-content|uploads|wp-includes|images)/.*\.php$ { deny all; }

      include enable-php.conf;

      location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
      {
         expires    30d;
      }

      location ~ .*\.(js|css)?$
      {
         expires    12h;
      }

      location ~ /.well-known {
         allow all;
      }

      location ~ /\.
      {
         deny all;
      }

      access_log  /home/wwwlogs/www.screen.com.hk.log;
}

server
{
      listen 443 ssl http2;
      #listen [::]:443 ssl http2;
      server_name www.screen.com.hk screen.com.hk;
      index index.html index.htm index.php default.html default.htm default.php;
      root  /home/wwwroot/www.screen.com.hk;
      ssl on;
      ssl_certificate /usr/local/nginx/conf/ssl/screen.crt;
      ssl_certificate_key /usr/local/nginx/conf/ssl/screen.key;
      ssl_session_timeout 5m;
      ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
      ssl_prefer_server_ciphers on;
      ssl_ciphers "EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5";
      ssl_session_cache builtin:1000 shared:SSL:10m;
      # openssl dhparam -out /usr/local/nginx/conf/ssl/dhparam.pem 2048
      ssl_dhparam /usr/local/nginx/conf/ssl/dhparam.pem;

      include wordpress.conf;
      #error_page 404 /404.html;

      # Deny access to PHP files in specific directory
      #location ~ /(wp-content|uploads|wp-includes|images)/.*\.php$ { deny all; }

      include enable-php.conf;

      location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
      {
         expires    30d;
      }

      location ~ .*\.(js|css)?$
      {
         expires    12h;
      }

      location ~ /.well-known {
         allow all;
      }

      location ~ /\.
      {
         deny all;
      }

      access_log  /home/wwwlogs/www.screen.com.hk.log;
}

server
{
listen 80;
server_name screen.com.hk www.screen.com.hk;
rewrite ^/(.*) https://www.screen.com.hk/$1 permanent;
}
server
{
listen 443;
server_name screen.com.hk www.screen.com.hk;
rewrite ^/(.*) https://www.screen.com.hk/$1 permanent;
}

licess · 发表于 2017-7-26 12:58:20

看该证书的DNS Name 里面只有带www的和不带www的域名，所以其他的二级域名的添加上这个证书的ssl肯定是显示不安全的，因为签发证书是其他的域名没有一起签发上

另外同个端口下存在多个相同的server_name是会报错的，http 301跳到https需要替换原来的，而不是新增 https://lnmp.org/faq/lnmp-nginx-301-rewrite.html

非www 跳到 www的https也是有问题的，443端口是需要设置证书的，要不就设置上证书，要不就在原https虚拟主机上进行判断域名 if ($host != 'www.screen.com.hk' ) { return 301 https://www.screen.com.hk$request_uri; }

fortop · 发表于 2017-7-26 16:31:06

非常感謝回覆！

我買的是5個域名的SSL證書，可以一張證書用在5個不同的域名（每個都可以www和沒www同時認證），但現在正常設置了第一個域名https://www.screen.com.hk之後增加其他域名主機就無法正常訪問（無論設普通http還是https都不能指向正確地址，全部指向默認頁面），而https://www.screen.com.hk本身訪問正常，設置此域名之前的主機亦不受影響可以正常使用，但之後所有域名主機則全部去了默認頁目錄（即/wwwroot/default）而不是正確的自身目錄。

我現在修改nginx.conf 內容如下，麻煩軍哥幫我看一下還有什麼問題：

user  www www;

worker_processes auto;

error_log  /home/wwwlogs/nginx_error.log  crit;

pid       /usr/local/nginx/logs/nginx.pid;

#Specifies the value for maximum file descriptors that can be opened by this process.
worker_rlimit_nofile 51200;

events
{
      use epoll;
      worker_connections 51200;
      multi_accept on;
}

http
{
      include    mime.types;
      default_type  application/octet-stream;

      server_names_hash_bucket_size 128;
      client_header_buffer_size 32k;
      large_client_header_buffers 4 32k;
      client_max_body_size 50m;

      sendfile on;
      tcp_nopush on;

      keepalive_timeout 60;

      tcp_nodelay on;

      fastcgi_connect_timeout 300;
      fastcgi_send_timeout 300;
      fastcgi_read_timeout 300;
      fastcgi_buffer_size 64k;
      fastcgi_buffers 4 64k;
      fastcgi_busy_buffers_size 128k;
      fastcgi_temp_file_write_size 256k;

      gzip on;
      gzip_min_length  1k;
      gzip_buffers    4 16k;
      gzip_http_version 1.1;
      gzip_comp_level 2;
      gzip_types    text/plain application/javascript application/x-javascript text/javascript text/css application/xml application/xml+rss;
      gzip_vary on;
      gzip_proxied expired no-cache no-store private auth;
      gzip_disable "MSIE [1-6]\.";

      #limit_conn_zone $binary_remote_addr zone=perip:10m;
      ##If enable limit_conn_zone,add "limit_conn perip 10;" to server section.

      server_tokens off;
      access_log off;

server
{
      listen 80 default_server;
      #listen [::]:80 default_server ipv6only=on;
      server_name _;
      index index.html index.htm index.php;
      root  /home/wwwroot/default;

      #error_page 404 /404.html;

      # Deny access to PHP files in specific directory
      #location ~ /(wp-content|uploads|wp-includes|images)/.*\.php$ { deny all; }

      include enable-php.conf;

      location /nginx_status
      {
         stub_status on;
         access_log off;
      }

      location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
      {
         expires    30d;
      }

      location ~ .*\.(js|css)?$
      {
         expires    12h;
      }

      location ~ /.well-known {
         allow all;
      }

      location ~ /\.
      {
         deny all;
      }

      access_log  /home/wwwlogs/access.log;
}
include vhost/*.conf;
}

fortop · 发表于 2017-7-26 16:31:45

另外附上：

可以正常訪問的www.screen.com.hk.conf 內容：

server
{
listen 80;
#listen [::]:80;
server_name www.screen.com.hk screen.com.hk;
return 301 https://www.screen.com.hk$request_uri;
index index.html index.htm index.php default.html default.htm default.php;
root /home/wwwroot/www.screen.com.hk;

include wordpress.conf;
#error_page 404 /404.html;

# Deny access to PHP files in specific directory
#location ~ /(wp-content|uploads|wp-includes|images)/.*\.php$ { deny all; }

include enable-php.conf;

location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
{
expires 30d;
}

location ~ .*\.(js|css)?$
{
expires 12h;
}

location ~ /.well-known {
allow all;
}

location ~ /\.
{
deny all;
}

access_log /home/wwwlogs/www.screen.com.hk.log;
}

server
{
listen 443 ssl http2;
#listen [::]:443 ssl http2;
server_name www.screen.com.hk screen.com.hk;
index index.html index.htm index.php default.html default.htm default.php;
root /home/wwwroot/www.screen.com.hk;
ssl on;
ssl_certificate /usr/local/nginx/conf/ssl/screen.crt;
ssl_certificate_key /usr/local/nginx/conf/ssl/screen.key;
ssl_session_timeout 5m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5";
ssl_session_cache builtin:1000 shared:SSL:10m;
# openssl dhparam -out /usr/local/nginx/conf/ssl/dhparam.pem 2048
ssl_dhparam /usr/local/nginx/conf/ssl/dhparam.pem;

include wordpress.conf;
#error_page 404 /404.html;

# Deny access to PHP files in specific directory
#location ~ /(wp-content|uploads|wp-includes|images)/.*\.php$ { deny all; }

include enable-php.conf;

location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
{
expires 30d;
}

location ~ .*\.(js|css)?$
{
expires 12h;
}

location ~ /.well-known {
allow all;
}

location ~ /\.
{
deny all;
}

access_log /home/wwwlogs/www.screen.com.hk.log;
}

fortop · 发表于 2017-7-26 16:32:03

及不能正常訪問的www.projectorscreen.com.hk.conf 內容（注：沒開啓https)：

server
{
listen 80;
#listen [::]:80;
server_name www.projectorscreen.com.hk projectorscreen.com.hk;
index index.html index.htm index.php default.html default.htm default.php;
root /home/wwwroot/www.projectorscreen.com.hk;

include wordpress.conf;
#error_page 404 /404.html;

# Deny access to PHP files in specific directory
#location ~ /(wp-content|uploads|wp-includes|images)/.*\.php$ { deny all; }

include enable-php.conf;

location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
{
expires 30d;
}

location ~ .*\.(js|css)?$
{
expires 12h;
}

location ~ /.well-known {
allow all;
}

location ~ /\.
{
deny all;
}

access_log /home/wwwlogs/www.projectorscreen.com.hk.log;
}

還有同樣不能正常訪問的www.digitalsignage.hk.conf內容（注：有開啓https)：

server
{
listen 80;
#listen [::]:80;
server_name www.digitalsignage.hk digitalsignage.hk;
index index.html index.htm index.php default.html default.htm default.php;
root /home/wwwroot/www.digitalsignage.hk;

include wordpress.conf;
#error_page 404 /404.html;

# Deny access to PHP files in specific directory
#location ~ /(wp-content|uploads|wp-includes|images)/.*\.php$ { deny all; }

include enable-php.conf;

location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
{
expires 30d;
}

location ~ .*\.(js|css)?$
{
expires 12h;
}

location ~ /.well-known {
allow all;
}

location ~ /\.
{
deny all;
}

access_log /home/wwwlogs/www.digitalsignage.hk.log;
}

server
{
listen 443 ssl http2;
#listen [::]:443 ssl http2;
server_name www.digitalsignage.hk digitalsignage.hk;
index index.html index.htm index.php default.html default.htm default.php;
root /home/wwwroot/www.digitalsignage.hk;
ssl on;
ssl_certificate /usr/local/nginx/conf/ssl/digitalsignage.crt;
ssl_certificate_key /usr/local/nginx/conf/ssl/digitalsignage.key;
ssl_session_timeout 5m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5";
ssl_session_cache builtin:1000 shared:SSL:10m;
# openssl dhparam -out /usr/local/nginx/conf/ssl/dhparam.pem 2048
ssl_dhparam /usr/local/nginx/conf/ssl/dhparam.pem;

include wordpress.conf;
#error_page 404 /404.html;

# Deny access to PHP files in specific directory
#location ~ /(wp-content|uploads|wp-includes|images)/.*\.php$ { deny all; }

include enable-php.conf;

location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
{
expires 30d;
}

location ~ .*\.(js|css)?$
{
expires 12h;
}

location ~ /.well-known {
allow all;
}

location ~ /\.
{
deny all;
}

access_log /home/wwwlogs/www.digitalsignage.hk.log;
}

licess · 发表于 2017-7-26 19:54:37

访问显示默认页面，是添加该域名后没生效或者配置文件有错误

fortop · 发表于 2017-7-27 13:12:57

問題在哪個配置文件？能否幫忙看一下之前我提供的配置文件有沒錯誤？

原帖由 licess 于 2017-7-26 19:54 发表
访问显示默认页面，是添加该域名后没生效或者配置文件有错误

licess · 发表于 2017-7-27 19:52:16

大体看配置没问题，都是自动生成的
置顶帖反馈必读中有nginx的测试配置文件的命令

fortop · 发表于 2017-7-28 10:38:44

我用命令nginx -t測試結果提示失敗，信息如下：

[root@projector ~]# cd /usr/local/nginx/sbin
[root@projector sbin]# nginx -t
nginx: [emerg] SSL_CTX_use_PrivateKey_file("/usr/local/nginx/conf/ssl/digitalsignage.key") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)
nginx: configuration file /usr/local/nginx/conf/nginx.conf test failed
[root@projector sbin]#

配置文件內容是以上資料沒變過，問題會在哪呢？

原帖由 licess 于 2017-7-27 19:52 发表
大体看配置没问题，都是自动生成的
置顶帖反馈必读中有nginx的测试配置文件的命令

licess · 发表于 2017-7-28 11:45:42

可能合并证书时顺序错误

		自动登录	找回密码
密码			注册

LNMP1.4 多域名SSL安全證書設置問題

军哥运维代购：http://shop63846532.taobao.com/

回复 7# 的帖子

回复 9# 的帖子