我遇到的问题与CloudFront error when serving over HTTPS using SNI中的问题类似但不完全相同。我的域名是cartasblogatorias.com,Cloudfront URL是d2nmvk8sd34zkj.cloudfront.net。我在Cloudfront URL上有一个指向cdn.cartasblogatorias.com的CNAME:
$ dig cdn.cartasblogatorias.com CNAME
; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> cdn.cartasblogatorias.com CNAME
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20775
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 0
;; QUESTION SECTION:
;cdn.cartasblogatorias.com. IN CNAME
;; ANSWER SECTION:
cdn.cartasblogatorias.com. 300 IN CNAME d2nmvk8sd34zkj.cloudfront.net.
我的网站仅限HTTPS,我也只为HTTPS设置了Cloudfront分发版。我已成功将新证书上传到IAM。证书签出 - 这是SSL实验室的结果:https://www.ssllabs.com/ssltest/analyze.html?d=cdn.cartasblogatorias.com&s=54.230.34.152&hideResults=on。
如果我尝试从Cloudfront检索文档,则会收到错误网关错误。这是一个例子。
$ curl -v -i https://cdn.cartasblogatorias.com/wp-content/themes/blogatory2013/style.css
* About to connect() to cdn.cartasblogatorias.com port 443 (#0)
* Trying 54.230.49.87...
* connected
* Connected to cdn.cartasblogatorias.com (54.230.49.87) port 443 (#0)
* successfully set certificate verify locations:
* CAfile: none
CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using ECDHE-RSA-AES128-GCM-SHA256
* Server certificate:
* subject: OU=Domain Control Validated; OU=PositiveSSL; CN=cdn.cartasblogatorias.com
* start date: 2014-11-11 00:00:00 GMT
* expire date: 2015-11-11 23:59:59 GMT
* subjectAltName: cdn.cartasblogatorias.com matched
* issuer: C=GB; ST=Greater Manchester; L=Salford; O=COMODO CA Limited; CN=COMODO RSA Domain Validation Secure Server CA
* SSL certificate verify ok.
> GET /wp-content/themes/blogatory2013/style.css HTTP/1.1
> User-Agent: curl/7.26.0
> Host: cdn.cartasblogatorias.com
> Accept: */*
>
* additional stuff not fine transfer.c:1037: 0 0
* HTTP 1.1 or later with persistent connection, pipelining supported
< HTTP/1.1 502 Bad Gateway
HTTP/1.1 502 Bad Gateway
< Content-Type: text/html
Content-Type: text/html
< Content-Length: 538
Content-Length: 538
< Connection: keep-alive
Connection: keep-alive
< Server: CloudFront
Server: CloudFront
< Date: Wed, 12 Nov 2014 23:31:49 GMT
Date: Wed, 12 Nov 2014 23:31:49 GMT
< X-Cache: Error from cloudfront
X-Cache: Error from cloudfront
< Via: 1.1 d4222c62b25c473e3144101cac9e476a.cloudfront.net (CloudFront)
Via: 1.1 d4222c62b25c473e3144101cac9e476a.cloudfront.net (CloudFront)
< X-Amz-Cf-Id: 8FfTtqnpL3SKc1o4yfcJxHxlHE6_XA40wslC8wmanU1sDPcuBBTzTw==
X-Amz-Cf-Id: 8FfTtqnpL3SKc1o4yfcJxHxlHE6_XA40wslC8wmanU1sDPcuBBTzTw==
<
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<HTML><HEAD><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<TITLE>ERROR: The request could not be satisfied</TITLE>
</HEAD><BODY>
<H1>ERROR</H1>
<H2>The request could not be satisfied.</H2>
<HR noshade size="1px">
<BR clear="all">
<HR noshade size="1px">
<PRE>
Generated by cloudfront (CloudFront)
Request ID: gb2PWX0fp0WLPIWchwZu0s5RZOi5OnkJKfaDXjCiOMySxM3MzcJGXg==
</PRE>
<ADDRESS>
</ADDRESS>
* Connection #0 to host cdn.cartasblogatorias.com left intact
</BODY></HTML>* Closing connection #0
* SSLv3, TLS alert, Client hello (1):
如果我使用cloudfront URL而不是CNAME尝试此操作,则会收到403错误而不是502错误。
$ curl -v -i d2nmvk8sd34zkj.cloudfront.net/wp-content/themes/blogatory2013/style.css
* About to connect() to d2nmvk8sd34zkj.cloudfront.net port 80 (#0)
* Trying 54.230.49.84...
* connected
* Connected to d2nmvk8sd34zkj.cloudfront.net (54.230.49.84) port 80 (#0)
> GET /wp-content/themes/blogatory2013/style.css HTTP/1.1
> User-Agent: curl/7.26.0
> Host: d2nmvk8sd34zkj.cloudfront.net
> Accept: */*
>
* additional stuff not fine transfer.c:1037: 0 0
* HTTP 1.1 or later with persistent connection, pipelining supported
< HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
< Server: CloudFront
Server: CloudFront
< Date: Wed, 12 Nov 2014 23:36:33 GMT
Date: Wed, 12 Nov 2014 23:36:33 GMT
< Content-Type: text/html
Content-Type: text/html
< Content-Length: 538
Content-Length: 538
< Connection: keep-alive
Connection: keep-alive
< X-Cache: Error from cloudfront
X-Cache: Error from cloudfront
< Via: 1.1 18d45aa6695a141c1f24bfdb6749025d.cloudfront.net (CloudFront)
Via: 1.1 18d45aa6695a141c1f24bfdb6749025d.cloudfront.net (CloudFront)
< X-Amz-Cf-Id: EmskMTIcA44_RC_gXVjFbGMDn18MQ8e3Bl4fe3YbRAy9DKrH1CfJww==
X-Amz-Cf-Id: EmskMTIcA44_RC_gXVjFbGMDn18MQ8e3Bl4fe3YbRAy9DKrH1CfJww==
<
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<HTML><HEAD><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<TITLE>ERROR: The request could not be satisfied</TITLE>
</HEAD><BODY>
<H1>ERROR</H1>
<H2>The request could not be satisfied.</H2>
<HR noshade size="1px">
<BR clear="all">
<HR noshade size="1px">
<PRE>
Generated by cloudfront (CloudFront)
Request ID: EmskMTIcA44_RC_gXVjFbGMDn18MQ8e3Bl4fe3YbRAy9DKrH1CfJww==
</PRE>
<ADDRESS>
</ADDRESS>
* Connection #0 to host d2nmvk8sd34zkj.cloudfront.net left intact
</BODY></HTML>* Closing connection #0
在尝试检索这些文档后,我在access.log文件或error.log文件中都没有看到任何相关条目,所以在我看来,cloudfront甚至没有尝试从我的服务器检索文档。 / p>
我有另一个网站具有完全相同的设置,这没有问题。
$ curl -v -i https://cdn.lettersblogatory.com/wp-content/themes/blogatory2013/style.css
* About to connect() to cdn.lettersblogatory.com port 443 (#0)
* Trying 54.230.51.124...
* connected
* Connected to cdn.lettersblogatory.com (54.230.51.124) port 443 (#0)
* successfully set certificate verify locations:
* CAfile: none
CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using ECDHE-RSA-AES128-GCM-SHA256
* Server certificate:
* subject: OU=Domain Control Validated; OU=PositiveSSL; CN=cdn.lettersblogatory.com
* start date: 2014-09-01 00:00:00 GMT
* expire date: 2015-09-01 23:59:59 GMT
* subjectAltName: cdn.lettersblogatory.com matched
* issuer: C=GB; ST=Greater Manchester; L=Salford; O=COMODO CA Limited; CN=COMODO RSA Domain Validation Secure Server CA
* SSL certificate verify ok.
> GET /wp-content/themes/blogatory2013/style.css HTTP/1.1
> User-Agent: curl/7.26.0
> Host: cdn.lettersblogatory.com
> Accept: */*
>
* additional stuff not fine transfer.c:1037: 0 0
* HTTP 1.1 or later with persistent connection, pipelining supported
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Content-Type: text/css
Content-Type: text/css
< Content-Length: 3986
Content-Length: 3986
< Connection: keep-alive
Connection: keep-alive
< Date: Wed, 12 Nov 2014 23:49:46 GMT
Date: Wed, 12 Nov 2014 23:49:46 GMT
< Server: Apache
Server: Apache
< Last-Modified: Tue, 07 Oct 2014 02:30:12 GMT
Last-Modified: Tue, 07 Oct 2014 02:30:12 GMT
< ETag: "2617e-f92-504cbfa940334"
ETag: "2617e-f92-504cbfa940334"
< Accept-Ranges: bytes
Accept-Ranges: bytes
< Cache-Control: max-age=604800
Cache-Control: max-age=604800
< Expires: Wed, 19 Nov 2014 23:49:46 GMT
Expires: Wed, 19 Nov 2014 23:49:46 GMT
< Strict-Transport-Security: max-age=15552000; includeSubDomains
Strict-Transport-Security: max-age=15552000; includeSubDomains
< Vary: Accept-Encoding
Vary: Accept-Encoding
< X-Cache: Miss from cloudfront
X-Cache: Miss from cloudfront
< Via: 1.1 c29727627b176634b1d591f0d7a258d7.cloudfront.net (CloudFront)
Via: 1.1 c29727627b176634b1d591f0d7a258d7.cloudfront.net (CloudFront)
< X-Amz-Cf-Id: egp0Hu5XVUeedCJNJ2Xu0R8xbex5DjJFXxZoUXJVBg5aciSIWA6SfA==
X-Amz-Cf-Id: egp0Hu5XVUeedCJNJ2Xu0R8xbex5DjJFXxZoUXJVBg5aciSIWA6SfA==
[Contents of the file here]
* Connection #0 to host cdn.lettersblogatory.com left intact
* Closing connection #0
* SSLv3, TLS alert, Client hello (1):
据我所知,这两个网站的云端设置是相同的。问题网站有一个全新的证书。另一个证书较旧。
我猜测问题可能与较新的证书有关,由于SHA1的弃用,该证书是使用SHA2发布的,但我不知道为什么会这样或者该怎么做。所有建议都表示赞赏。
谢谢!
答案 0 :(得分:4)
回答了我自己的问题。我上传到Cloudfront的证书没有问题;它与原始服务器上的证书有关。该证书适用于Web浏览,但中间证书文件中的证书顺序不稳定。更具体地说,当我最初从Comodo获得证书时,我错误地选择了&#34; Apache + OpenSSL&#34;而不是&#34; Apache + Mod SSL。&#34;我重新颁发了证书并使用新证书重新启动了我的Apache服务器,Cloudfront现在可以连接到服务器。