【发布时间】:2017-06-30 22:40:32
【问题描述】:
我已经在数字海滴上运行 serverpilot。
Ubuntu 14.04
它在第一个域中完美运行。
采用相同设置的第二个域存在问题。
Chrome 说
“此服务器无法证明它是domain2;它的安全证书来自domain1。这可能是由于配置错误或攻击者拦截了您的连接造成的”
【问题讨论】:
标签: digital-ocean lets-encrypt
我已经在数字海滴上运行 serverpilot。
Ubuntu 14.04
它在第一个域中完美运行。
采用相同设置的第二个域存在问题。
Chrome 说
“此服务器无法证明它是domain2;它的安全证书来自domain1。这可能是由于配置错误或攻击者拦截了您的连接造成的”
【问题讨论】:
标签: digital-ocean lets-encrypt
此错误表示 SSL 安装未成功,并且您在某处犯了错误。 This shell script 自动在您的所有 ServerPilot 应用上安装 SSL。
为了避免给用户带来任何麻烦,我在这里粘贴了 sn-p 以及如何安装 SSL 的说明:
#!/bin/bash
#################################################
#
# This script automates the installation
# of Let's Encrypt SSL certificates on
# your ServerPilot free plan
#
#################################################
theAction=$1
domainName=$2
appName=$3
spAppRoot="/srv/users/serverpilot/apps/$appName"
domainType=$4
spSSLDir="/etc/nginx-sp/vhosts.d/"
# Install Let's Encrypt libraries if not found
if ! hash letsencrypt 2>/dev/null; then
lecheck=$(eval "apt-cache show letsencrypt 2>&1")
if [[ "$lecheck" == *"No"* ]]
then
sudo wget --no-check-certificate https://dl.eff.org/certbot-auto &>/dev/null
sudo chmod a+x certbot-auto &>/dev/null
sudo mv certbot-auto /usr/local/bin/letsencrypt &>/dev/null
else
sudo apt-get install -y letsencrypt &>/dev/null
fi
fi
if [ -z "$theAction" ]
then
echo -e "\e[31mPlease specify the task. Should be either install or uninstall\e[39m"
exit
fi
if [ -z "$domainName" ]
then
echo -e "\e[31mPlease provide the domain name\e[39m"
exit
fi
if [ ! -d "$spAppRoot" ]
then
echo -e "\e[31mThe app name seems invalid as we didn't find its directory on your server\e[39m"
exit
fi
if [ -z "$appName" ]
then
echo -e "\e[31mPlease provide the app name\e[39m"
exit
fi
if [ "$theAction" == "uninstall" ]; then
sudo rm "$spSSLDir$appName-ssl.conf" &>/dev/null
sudo service nginx-sp reload
echo -e "\e[31mSSL has been removed. If you are seeing errors on your site, then please fix HTACCESS file and remove the rules that you added to force SSL\e[39m"
elif [ "$theAction" == "install" ]; then
if [ -z "$domainType" ]
then
echo -e "\e[31mPlease provide the type of the domain (either main or sub)\e[39m"
exit
fi
sudo service nginx-sp stop
echo -e "\e[32mChecks passed, press enter to continue\e[39m"
if [ "$domainType" == "main" ]; then
thecommand="letsencrypt certonly --register-unsafely-without-email --agree-tos -d $domainName -d www.$domainName"
elif [[ "$domainType" == "sub" ]]; then
thecommand="letsencrypt certonly --register-unsafely-without-email --agree-tos -d $domainName"
else
echo -e "\e[31mDomain type not provided. Should be either main or sub\e[39m"
exit
fi
output=$(eval $thecommand 2>&1) | xargs
if [[ "$output" == *"too many requests"* ]]; then
echo "Let's Encrypt SSL limit reached. Please wait for a few days before obtaining more SSLs for $domainName"
elif [[ "$output" == *"Congratulations"* ]]; then
if [ "$domainType" == "main" ]; then
sudo echo "server {
listen 443 ssl;
listen [::]:443 ssl;
server_name
$domainName
www.$domainName
;
ssl on;
ssl_certificate /etc/letsencrypt/live/$domainName/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/$domainName/privkey.pem;
root $spAppRoot/public;
access_log /srv/users/serverpilot/log/$appName/dev_nginx.access.log main;
error_log /srv/users/serverpilot/log/$appName/dev_nginx.error.log;
proxy_set_header Host \$host;
proxy_set_header X-Real-IP \$remote_addr;
proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-SSL on;
proxy_set_header X-Forwarded-Proto \$scheme;
include /etc/nginx-sp/vhosts.d/$appName.d/*.nonssl_conf;
include /etc/nginx-sp/vhosts.d/$appName.d/*.conf;
}" > "$spSSLDir$appName-ssl.conf"
elif [ "$domainType" == "sub" ]; then
sudo echo "server {
listen 443 ssl;
listen [::]:443 ssl;
server_name
$domainName
;
ssl on;
ssl_certificate /etc/letsencrypt/live/$domainName/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/$domainName/privkey.pem;
root $spAppRoot/public;
access_log /srv/users/serverpilot/log/$appName/dev_nginx.access.log main;
error_log /srv/users/serverpilot/log/$appName/dev_nginx.error.log;
proxy_set_header Host \$host;
proxy_set_header X-Real-IP \$remote_addr;
proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-SSL on;
proxy_set_header X-Forwarded-Proto \$scheme;
include /etc/nginx-sp/vhosts.d/$appName.d/*.nonssl_conf;
include /etc/nginx-sp/vhosts.d/$appName.d/*.conf;
}" > "$spSSLDir$appName-ssl.conf"
fi
echo -e "\e[32mSSL should have been installed for $domainName with auto-renewal (via cron)\e[39m"
# Add a cron job for auto-ssl renewal
grep "sudo service nginx-sp stop && yes | letsencrypt renew &>/dev/null && service nginx-sp start && service nginx-sp reload" /etc/crontab || sudo echo "@monthly sudo service nginx-sp stop && yes | letsencrypt renew &>/dev/null && service nginx-sp start && service nginx-sp reload" >> /etc/crontab
elif [[ "$output" == *"Failed authorization procedure."* ]]; then
echo -e "\e[31m$domainName isn't being resolved to this server. Please check and update the DNS settings if necessary and try again when domain name points to this server\e[39m"
elif [[ ! $output ]]; then
# If no output, we will assume that a valid SSL already exists for this domain
# so we will just add the vhost
sudo echo "server {
listen 443 ssl;
listen [::]:443 ssl;
server_name
$domainName
www.$domainName
;
ssl on;
ssl_certificate /etc/letsencrypt/live/$domainName/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/$domainName/privkey.pem;
root $spAppRoot/public;
access_log /srv/users/serverpilot/log/$appName/dev_nginx.access.log main;
error_log /srv/users/serverpilot/log/$appName/dev_nginx.error.log;
proxy_set_header Host \$host;
proxy_set_header X-Real-IP \$remote_addr;
proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-SSL on;
proxy_set_header X-Forwarded-Proto \$scheme;
include /etc/nginx-sp/vhosts.d/$appName.d/*.nonssl_conf;
include /etc/nginx-sp/vhosts.d/$appName.d/*.conf;
}" > "$spSSLDir$appName-ssl.conf"
echo -e "\e[32mSSL should have been installed for $domainName with auto-renewal (via cron)\e[39m"
grep "sudo service nginx-sp stop && yes | letsencrypt renew &>/dev/null && service nginx-sp start && service nginx-sp reload" /etc/crontab || sudo echo "@monthly sudo service nginx-sp stop && yes | letsencrypt renew &>/dev/null && service nginx-sp start && service nginx-sp reload" >> /etc/crontab
else
echo -e "\e[31mSomething unexpected occurred\e[39m"
fi
sudo service nginx-sp start && sudo service nginx-sp reload
else
echo -e "\e[31mTask cannot be identified. It should be either install or uninstall \e[39m"
fi
用法:
首先,将此代码复制到 /usr/local/bin/rwssl 并使其可执行(chmod +x /usr/local/bin/rwssl)。之后,您可以运行这些命令来执行操作:
安装 SSL
对于主域:
rwssl install example.com app_name main
对于子域:
rwssl install sub.example.com app_name main
P.S.:我是项目所有者。
【讨论】: