的httpd.conf

Question

secure.dynaccount.com（Thawte证书） http://certlogik.com/sslchecker/secure.dynaccount.com/

api.dynaccount.com（自签名） http://certlogik.com/sslchecker/api.dynaccount.com/

的httpd.conf

# Thawte certified
<VirtualHost 88.198.55.138:443>
    ServerName secure.dynaccount.com
    DocumentRoot /var/www/dynaccount.com

    SSLEngine on
    SSLCertificateKeyFile /var/ini/ssl/secure.dynaccount.com/private.key
    SSLCertificateFile /var/ini/ssl/secure.dynaccount.com/public.crt
    SSLCertificateChainFile /var/ini/ssl/secure.dynaccount.com/intermediate.crt
    SSLVerifyDepth 1
    SetEnvIf User-Agent ".*MSIE.*" \
    nokeepalive ssl-unclean-shutdown \
    downgrade-1.0 force-response-1.0
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
</VirtualHost>

# self-signed
<VirtualHost 88.198.55.154:443>
    ServerName api.dynaccount.com
    DocumentRoot /var/www/dynaccount.com

    SSLEngine on
    SSLCertificateKeyFile /var/ini/ssl/api.dynaccount.com/private.key
    SSLCertificateFile /var/ini/ssl/api.dynaccount.com/public.crt
    SSLVerifyDepth 0
    SetEnvIf User-Agent ".*MSIE.*" \
    nokeepalive ssl-unclean-shutdown \
    downgrade-1.0 force-response-1.0
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
</VirtualHost>

Answer 1

您是否阅读过Apache HTTP文档？

http://httpd.apache.org/docs/2.0/vhosts/name-based.html

基于名称的虚拟主机不能与SSL安全服务器一起使用因为SSL协议的性质。

每个IP可以拥有一个SSL主机。

原因？

SSL连接参数是按vhosts设置的，但必须在httpd读取主机HTTP标头之前协商。

这是有道理的，不是吗？

更新：

将SSLCACertificateFile更改为SSLCertificateChainFile并根据docs提供正确的文件格式或完全禁用客户端证书验证

Answer 2

这里的问题是你有两倍的ServerName。

在您的第二个VHost中，您应该ServerName api.dynaccount.com而不是ServerAlias

我不确定这是什么问题，但试一试：）

编辑：对于Server could not reliably resolve server name错误，您必须在httpd.conf中定义ServerName（不在VirtualHost中，这将是默认服务器名称）

多个SSL证书Apache2

的httpd.conf

2 个答案: