linux - SSL setup on Amazon Linux: SSL Error, multiple certificates provided

Reposted. Author: 太空狗. Updated: 2023-10-29 11:21:20

I have set up an Amazon Linux EC2 instance to host my domain. I am using a certificate signed by letsencrypt.org.

I generated my certificate:

wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto
sudo ./certbot-auto --debug -v --server https://acme-v01.api.letsencrypt.org/directory certonly -d <mywebsite.com>

Enabled SSL in Apache:

sudo yum install mod24_ssl

and made the following changes to my Apache config:

SSLCertificateFile      /etc/letsencrypt/live/<mydomain.com>/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/<mydomain.com>/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/<mydomain.com>/chain.pem

When visiting mydomain.com, I get the following message:

NET::ERR_CERT_AUTHORITY_INVALID
Subject: ip-172-31-37-151
Issuer: avast! Web/Mail Shield Self-signed Root
Expires on: Feb 16, 2018
Current date: Feb 16, 2017
PEM encoded chain:
-----BEGIN CERTIFICATE----- ... -----END CERTIFICATE-----

It looks like my domain is serving a self-signed certificate rather than the one from letsencrypt.org. An analysis on ssllabs.com shows that two certificates are being provided by my domain: a self-signed certificate I did not create, and the one from letsencrypt.org.

How do I get rid of this self-signed certificate, and where does it come from?

Best answer

I hate editing the original conf files, so I spent a few hours finding the right way to do this. According to the apache documentation:

Name-based virtual hosts for the best-matching set of <virtualhost>s are processed in the order they appear in the configuration. The first matching ServerName or ServerAlias is used, with no different precedence for wildcards (nor for ServerName vs. ServerAlias).

If you look in /etc/httpd/conf.d/ssl.conf you will see it defines a <VirtualHost> section without a ServerName (pasted below). What is observed is that all :443 requests whose ServerName or ServerAlias has not matched by the time ssl.conf is read will match this section, but the fact that this section matched does not prevent other sections from matching as well (because this section has no ServerName). So if we define <VirtualHost>s in a file that is read after ssl.conf, we end up including both certificates. The way to solve this is to make sure all <VirtualHost>s with a ServerName are defined in a file that sorts alphabetically before ssl.conf, e.g. /etc/httpd/conf.d/aa_example.conf. If a <VirtualHost> with a ServerName has already matched by the time apache parses ssl.conf, the default <VirtualHost> is no longer eligible to match.

##
## SSL Virtual Host Context
##

<VirtualHost _default_:443>

# General setup for the virtual host, inherited from global configuration
#DocumentRoot "/var/www/html"
#ServerName www.example.com:443

# Use separate log files for the SSL virtual host; note that LogLevel
# is not inherited from httpd.conf.
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn

# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on

# List the protocol versions which clients are allowed to connect with.
# Disable SSLv3 by default (cf. RFC 7525 3.1.1). TLSv1 (1.0) should be
# disabled as quickly as practical. By the end of 2016, only the TLSv1.2
# protocol or later should remain in use.
SSLProtocol all -SSLv3
SSLProxyProtocol all -SSLv3

# User agents such as web browsers are not configured for the user's
# own preference of either security or performance, therefore this
# must be the prerogative of the web server administrator who manages
# cpu load versus confidentiality, so enforce the server's cipher order.
SSLHonorCipherOrder on

# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
# By leaving this directive commented out, the system-wide OpenSSL
# default is used. See update-crypto-policies(8) for more details.
#SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
#SSLProxyCipherSuite HIGH:MEDIUM:!aNULL:!MD5

# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that restarting httpd will prompt again. Keep
# in mind that if you have both an RSA and a DSA certificate you
# can configure both in parallel (to also allow the use of DSA
# ciphers, etc.)
# Some ECC cipher suites (http://www.ietf.org/rfc/rfc4492.txt)
# require an ECC certificate which can also be configured in
# parallel.
SSLCertificateFile /etc/pki/tls/certs/localhost.crt

# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
# ECC keys, when in use, can also be configured in parallel
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key

# Server Certificate Chain:
# Point SSLCertificateChainFile at a file containing the
# concatenation of PEM encoded CA certificates which form the
# certificate chain for the server certificate. Alternatively
# the referenced file can be the same as SSLCertificateFile
# when the CA certificates are directly appended to the server
# certificate for convenience.
#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
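The answer above comes down to a file-ordering check: Apache includes /etc/httpd/conf.d/*.conf in sorted glob order, and a named :443 virtual host that lands in a file sorted after ssl.conf is read after the nameless _default_ block. The script below is an added example, not code from the Stack Overflow post or from the Apache project. It builds a constructed conf.d directory in a temporary location (the domain mydomain.example and the file names aa_example.conf and zz_example.conf are assumptions for the demo, as is the trimmed ssl.conf), lists every :443 vhost in the order httpd would read it, and exits non-zero when a named vhost is read after the nameless default, so the same functions can be pointed at a real conf.d directory to verify the fix before restarting httpd.

```shell
#!/bin/sh
# Added example, not from the Stack Overflow post or the Apache project.
# Apache reads /etc/httpd/conf.d/*.conf in sorted glob order, so this script
# lists every <VirtualHost ...:443> block in that order and flags a named
# vhost that is read after the nameless _default_ block in ssl.conf, which
# is the ordering the answer above says produces two certificates.
# The conf.d contents below are constructed for the demo; the domain
# mydomain.example and the file names aa_example.conf / zz_example.conf are
# assumptions, not values from the post.

# Print "<file> <ServerName or (none)>" for each :443 vhost, in read order.
list_ssl_vhosts() {
    dir="$1"
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        awk -v file="$(basename "$f")" '
            /^[[:space:]]*<VirtualHost[^>]*:443[[:space:]]*>/ { inblock = 1; name = "(none)"; next }
            inblock && /^[[:space:]]*ServerName[[:space:]]/      { name = $2 }
            inblock && /^[[:space:]]*<\/VirtualHost>/            { print file, name; inblock = 0 }
        ' "$f"
    done
}

# Exit 0 when every named :443 vhost precedes the nameless default block,
# 1 (with one MISORDERED line per offender) otherwise.
check_vhost_order() {
    list_ssl_vhosts "$1" | awk '
        $2 == "(none)" { seen_default = 1; next }
        seen_default   { printf "MISORDERED: %s (%s) is read after the nameless default vhost\n", $1, $2; bad = 1 }
        END            { exit bad }
    '
}

# Build a constructed conf.d directory: a trimmed ssl.conf like the one
# shipped by mod24_ssl (no ServerName) plus one site vhost whose file name
# is given by "$2".
make_fixture() {
    dir="$1"; site_file="$2"
    mkdir -p "$dir"
    cat > "$dir/ssl.conf" <<'EOF'
Listen 443 https
<VirtualHost _default_:443>
    # nameless default block, no ServerName, as in the stock ssl.conf
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/localhost.crt
    SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
</VirtualHost>
EOF
    cat > "$dir/$site_file" <<'EOF'
<VirtualHost *:443>
    ServerName mydomain.example
    SSLEngine on
    SSLCertificateFile      /etc/letsencrypt/live/mydomain.example/cert.pem
    SSLCertificateKeyFile   /etc/letsencrypt/live/mydomain.example/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/mydomain.example/chain.pem
</VirtualHost>
EOF
}

tmp="$(mktemp -d)"
# zz_example.conf sorts after ssl.conf: the problematic layout
make_fixture "$tmp/bad" zz_example.conf
list_ssl_vhosts "$tmp/bad"
check_vhost_order "$tmp/bad" || echo "-> problem reproduced"
# aa_example.conf sorts before ssl.conf: the layout the answer recommends
make_fixture "$tmp/good" aa_example.conf
list_ssl_vhosts "$tmp/good"
check_vhost_order "$tmp/good" && echo "-> named vhost is read first: OK"
rm -rf "$tmp"
```

To check a live server, call `check_vhost_order /etc/httpd/conf.d` after sourcing the functions; a MISORDERED line names the file that needs to be renamed so that it sorts before ssl.conf.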

Regarding linux - SSL setup on Amazon Linux: SSL Error, multiple certificates provided, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/42283915/

Copyright 2021 - 2024 cfsdn All Rights Reserved 蜀ICP备2022000587号