HAProxy Comodo SSL

Time: 2013-08-30 16:47:21

Tags: ssl haproxy

I am trying to install a Comodo PositiveSSL certificate on HAProxy, but the browser shows a certificate error. HAProxy configuration:

global
    daemon
    #debug
    maxconn 15000
    pidfile /var/run/haproxy.pid
    stats socket /var/run/haproxy.stat mode 600

defaults
    mode http
    balance roundrobin
    timeout client 60s   # Client and server timeout must match the longest
    timeout server 60s   # time we may wait for a response from the server.
    timeout queue  60s   # Don't queue requests too long if saturated.
    timeout connect 4s   # There's no reason to change this one.
    timeout http-request 5s
    option http-server-close
    option httpclose
    option abortonclose
    option redispatch
    option forwardfor # set the client's IP in X-Forwarded-For.
    option tcp-smart-accept
    option tcp-smart-connect
    retries 2
    monitor-uri /monitor # Returns 200 if we're up; real path redacted
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

listen stats 0.0.0.0:8880
    stats enable
    stats hide-version
    stats uri     /
    stats realm   HAProxy\ Statistics
    stats auth example:example

frontend httpFrontEnd
    bind *:80
    bind *:443 ssl crt /etc/haproxy/certs/example_com.pem ca-file /etc/haproxy/certs/example_com.ca-bundle
    reqadd X-Forwarded-Proto:\ https if { ssl_fc }

    stick-table type ip size 200k expire 5m store gpc0,conn_rate(10s)
    acl source_is_abuser src_get_gpc0 gt 0
    tcp-request connection reject if source_is_abuser
    acl conn_rate_abuse  sc1_conn_rate gt 100
    acl mark_as_abuser   sc1_inc_gpc0  gt 0
    tcp-request connection track-sc1 src
    tcp-request connection reject if conn_rate_abuse mark_as_abuser

    acl examplecom hdr_end(host) -i example.com
    use_backend examplecom_http if examplecom
    use_backend httpsBackEnd if { ssl_fc }

    default_backend httpBackEnd

backend examplecom_http
    server s1 X.X.X.X:80 check

backend httpBackEnd
    server httpBackEnd-Local X.X.X.X:81 check

backend httpsBackEnd
    server httpBackEnd-Local X.X.X.X:444 check

The .pem file contains the domain certificate and the private key:

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----

The ca-bundle file comes from Comodo:

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

The problem is that I get a certificate error (name mismatch): "Certificate name mismatch. Issued to: server".

1 answer:

Answer 0: (score: 5)

It sounds like you need to install the certificate chain. Comodo (and most other CAs) have a chain that the browser must follow. In your certificate file, in addition to your actual certificate, simply add the intermediate and root certificates. My file looks like this:

-----BEGIN MY CERTIFICATE-----
-----END MY CERTIFICATE-----
-----BEGIN INTERMEDIATE CERTIFICATE-----
-----END INTERMEDIATE CERTIFICATE-----
-----BEGIN INTERMEDIATE CERTIFICATE-----
-----END INTERMEDIATE CERTIFICATE-----
-----BEGIN ROOT CERTIFICATE-----
-----END ROOT CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
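One way to check that a combined PEM follows the layout the answer describes (server certificate first, each certificate followed by its issuer, root last, then the private key), as an added example that is not part of the original post. It builds a constructed throwaway root/intermediate/leaf chain with openssl; `openssl` and `awk` on the PATH, the file names under `$WORK`, and the `example.com` name are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: build a throwaway root -> intermediate -> leaf
# chain, assemble the combined PEM in the order the answer describes, and check that order.
set -eu
WORK=${WORK:-$(mktemp -d)}
make_test_chain() {   # constructed test material, valid for one day
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign\n' >"$WORK/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:example.com\n' >"$WORK/leaf.ext"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test Root" \
    -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Test Intermediate" \
    -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 1 -sha256 -extfile "$WORK/ca.ext" -out "$WORK/int.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=example.com" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.crt" -CAkey "$WORK/int.key" \
    -CAcreateserial -days 1 -sha256 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.crt" 2>/dev/null
}
# assemble_pem OUT FILE...  concatenates the given PEM files in that order (HAProxy's crt file).
assemble_pem() { out=$1; shift; cat "$@" >"$out"; }
# check_haproxy_pem PEM: returns 0 only if every cert is followed by its issuer, the chain
# verifies against the last cert (the root, as in the answer), and the key matches cert 1.
check_haproxy_pem() {
  pem=$1; d="$WORK/split"; rm -rf "$d"; mkdir -p "$d"
  awk -v d="$d" '/-----BEGIN CERTIFICATE-----/{n++; f=d"/cert"n".pem"; c=1} c{print >f}
                 /-----END CERTIFICATE-----/{c=0} /-----BEGIN .*PRIVATE KEY-----/{k=1}
                 k{print >(d"/key.pem")} /-----END .*PRIVATE KEY-----/{k=0}' "$pem"
  n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$pem")
  [ "$n" -ge 2 ] && [ -s "$d/key.pem" ] || { echo "need >=2 certs and a key" >&2; return 1; }
  i=1; : >"$d/untrusted.pem"
  while [ "$i" -lt "$n" ]; do
    j=$((i + 1))
    issuer=$(openssl x509 -noout -issuer -nameopt RFC2253 -in "$d/cert$i.pem")
    subject=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$d/cert$j.pem")
    [ "${issuer#issuer=}" = "${subject#subject=}" ] ||
      { echo "cert $i is not followed by its issuer (wrong order?)" >&2; return 1; }
    cat "$d/cert$j.pem" >>"$d/untrusted.pem"; i=$j
  done
  openssl verify -CAfile "$d/cert$n.pem" -untrusted "$d/untrusted.pem" "$d/cert1.pem" >/dev/null ||
    { echo "chain does not verify" >&2; return 1; }
  [ "$(openssl x509 -noout -pubkey -in "$d/cert1.pem")" = "$(openssl pkey -pubout -in "$d/key.pem")" ] ||
    { echo "private key does not match the first certificate" >&2; return 1; }
}
make_test_chain
assemble_pem "$WORK/example_com.pem" "$WORK/leaf.crt" "$WORK/int.crt" "$WORK/root.crt" "$WORK/leaf.key"
check_haproxy_pem "$WORK/example_com.pem" && echo "example_com.pem: chain order and key OK"
```

Run `check_haproxy_pem` against the real `/etc/haproxy/certs/example_com.pem` after assembling it from the Comodo-issued certificate, the ca-bundle and the key; the first failing check names which part of the layout is wrong.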