我正在尝试在 HAProxy 上安装 Comodo PositiveSSL 证书,但浏览器显示证书错误。HAProxy 配置:
# Process-wide settings: run in the background, cap total connections, write a
# pid file and expose the runtime/stats UNIX socket.
# NOTE(review): no user/group/chroot directives appear in this section as
# shown, so nothing here drops privileges or confines the process; confirm
# against the full file.
# NOTE(review): no ssl-default-bind-options / ssl-default-bind-ciphers are set
# here, so the TLS listener in the frontend relies on the build's default
# protocol and cipher settings.
global
daemon
#debug
maxconn 15000
pidfile /var/run/haproxy.pid
# mode 600 restricts the stats socket to its owning user.
stats socket /var/run/haproxy.stat mode 600
# Defaults inherited by the proxy sections that follow: HTTP mode, round-robin
# balancing, timeouts, retry policy, forwarding headers and custom error pages.
defaults
mode http
balance roundrobin
timeout client 60s # Client and server timeout must match the longest
timeout server 60s # time we may wait for a response from the server.
timeout queue 60s # Don't queue requests too long if saturated.
timeout connect 4s # There's no reason to change this one.
# Bounds how long a client may take to send its request headers, which limits
# how long a slow or stalled request can hold a connection slot.
timeout http-request 5s
# NOTE(review): two connection-close options are set together; confirm which
# one the deployed HAProxy version actually applies.
option http-server-close
option httpclose
option abortonclose
option redispatch
# NOTE(review): this adds the connecting address as X-Forwarded-For; a header
# of the same name already sent by the client is presumably passed through as
# well, so backends should only trust the value added by this proxy - confirm.
option forwardfor # set the client's IP in X-Forwarded-For.
option tcp-smart-accept
option tcp-smart-connect
retries 2
monitor-uri /monitor # Returns 200 if we're up; real path redacted
# Custom response files returned for the listed HTTP status codes.
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http
# Built-in statistics page, served at / on port 8880 behind HTTP Basic auth.
# NOTE(review): the listener binds 0.0.0.0 (all IPv4 interfaces) and has no
# ssl keyword, so the page and its Basic credentials travel in cleartext to
# anyone who can reach the port. Consider binding to loopback or a management
# address and restricting access by source network.
listen stats 0.0.0.0:8880
stats enable
# Omits the HAProxy version from the page.
stats hide-version
stats uri /
stats realm HAProxy\ Statistics
# The credentials are stored in plain text in this file (shown here as
# example:example, presumably a placeholder); use a unique strong password and
# keep the configuration file unreadable to other users.
stats auth example:example
# Public entry point: accepts plain HTTP on 80 and terminates TLS on 443, applies
# per-source connection-rate limiting, then picks a backend.
frontend httpFrontEnd
bind *:80
# crt: PEM file holding the server certificate and its private key; any
# intermediate certificates that should be sent to clients belong in this same file.
# ca-file on a bind line names the CAs used to verify *client* certificates;
# it does not add certificates to the chain presented to browsers.
# NOTE(review): a name-mismatch error concerns the served certificate's
# CN/SAN versus the requested host name, so also check which certificate is
# actually being presented on this port.
# NOTE(review): no protocol-version or cipher restrictions are set on this
# line; what is offered depends on the HAProxy/OpenSSL build defaults.
bind *:443 ssl crt /etc/haproxy/certs/example_com.pem ca-file /etc/haproxy/certs/example_com.ca-bundle
# Adds X-Forwarded-Proto: https for requests that arrived over TLS.
# NOTE(review): the header is only added, never removed, so a value supplied
# by a client on port 80 would reach the backend unchanged; strip or overwrite
# the incoming header if backends rely on it. reqadd is also absent from newer
# HAProxy releases, where http-request set-header replaces it.
reqadd X-Forwarded-Proto:\ https if { ssl_fc }
# Per-source tracking table: one entry per client IP (expire 5m) storing a
# general-purpose counter (gpc0) and the connection rate over 10s.
stick-table type ip size 200k expire 5m store gpc0,conn_rate(10s)
# Sources already flagged (gpc0 > 0) are rejected first.
acl source_is_abuser src_get_gpc0 gt 0
tcp-request connection reject if source_is_abuser
# More than 100 connections within the 10s window counts as abuse;
# mark_as_abuser increments gpc0 when it is evaluated.
acl conn_rate_abuse sc1_conn_rate gt 100
acl mark_as_abuser sc1_inc_gpc0 gt 0
# Track the source address in this frontend's table as sc1.
tcp-request connection track-sc1 src
# Reject and flag in one rule: the second ACL is listed after the rate check,
# so the source is flagged only when the rate limit is exceeded.
tcp-request connection reject if conn_rate_abuse mark_as_abuser
# NOTE(review): hdr_end is a plain suffix match, so any Host ending in
# "example.com" (e.g. a constructed "badexample.com") also matches; an exact
# match or a ".example.com" suffix is stricter.
acl examplecom hdr_end(host) -i example.com
# Rules are evaluated in order: example.com hosts first (HTTP and HTTPS
# alike), then any other TLS request, then everything else.
use_backend examplecom_http if examplecom
use_backend httpsBackEnd if { ssl_fc }
default_backend httpBackEnd
# Backend pools, one health-checked server each (addresses redacted as X.X.X.X).
# None of the server lines carries the ssl keyword, so traffic from HAProxy to
# these servers is plain HTTP, including requests that arrived over TLS on 443;
# keep that hop on a trusted network or enable TLS towards the servers.
backend examplecom_http
server s1 X.X.X.X:80 check
backend httpBackEnd
server httpBackEnd-Local X.X.X.X:81 check
# Receives requests that were decrypted by the frontend (selected via ssl_fc).
backend httpsBackEnd
server httpBackEnd-Local X.X.X.X:444 check
.pem 文件包含域名证书(crt)和私钥:
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
ca-bundle文件来自comodo
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
问题是我收到证书错误(名称不匹配)。错误信息为:证书名称不匹配,颁发给:服务器
答案 0 :(得分:5)
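听起来您需要安装证书链。Comodo(和大多数其他 CA)的证书都带有一条浏览器必须逐级验证的信任链。在您的证书文件(即 bind 行上 crt 指向的 .pem 文件)中,除了您自己的证书之外,只需再加入中间证书和根证书。bind 行上的 ca-file 是用来验证客户端证书的,其中的证书不会作为服务器证书链发送给浏览器,所以仅通过 ca-file 指定 ca-bundle 并不能补全证书链。我的文件看起来像这样(下面的标签只是为了说明各段的内容,实际文件中每个证书的标记都是 -----BEGIN CERTIFICATE----- 和 -----END CERTIFICATE-----):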
-----BEGIN MY CERTIFICATE-----
-----END MY CERTIFICATE-----
-----BEGIN INTERMEDIATE CERTIFICATE-----
-----END INTERMEDIATE CERTIFICATE-----
-----BEGIN INTERMEDIATE CERTIFICATE-----
-----END INTERMEDIATE CERTIFICATE-----
-----BEGIN ROOT CERTIFICATE-----
-----END ROOT CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----