Xiao Laizi's UK Life and News

The SNI Problem When Setting Up SSL with Multiple IPs

A few weeks ago I upgraded my VPS, added one more IP address, and bought a 3-year SSL certificate (Comodo PositiveSSL) for justyy.com. However, the ssllabs test reports the following for JustYY.com:

“This site works only in browsers with SNI support.”

https://www.ssllabs.com/ssltest/analyze.html?d=justyy.com

But another site, helloacm.com, has no such problem at all: https://www.ssllabs.com/ssltest/analyze.html?d=helloacm.com

Quickhost support replied: “This issue is related to the configuration of the web server service you are running on the VPS. Either Apache, Nginx, TomCat etc. The issue you see is your software not serving the correct SSL certificate. You will need 1 IP for each site with SSL. Then you will need to configure web server “Apache ?” to listen on that IP on port 443 (standard HTTPS port) for each site's SSL vhost entry. not to be confused with the HTTP vhost entries.”

Quickhost support replied: “If you are using SNI then you are sharing the IP. If not configured correctly the wrong SSL will be served. Perhaps the SSL from the default or first vhost? I guess you have 1 IP as VPS default IP and 1 IP for the other site. So currently Apache or whichever web server you are using is sharing 1 IP as a standard vhost and a SSL vhost. Unfortunately as this is not a managed VPS there is not much else we can do as we have no visibility over the configuration. Please understand that this is a common issue and is not related to the SSL certificate but rather a web server config issue.”

Later I changed <Virtualhost *:443> in /etc/apache2/sites-enabled/justyy.com.conf to use the IP, <VirtualHost 78.157.*.*:443>, and restarted the apache2 server:

sudo /etc/init.d/apache2 restart  # or
sudo service apache2 restart

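SNI exists so that sites sharing an IP, rather than using a dedicated IP, can still serve SSL. The drawback is that older operating systems and browsers, such as IE6 to IE8 on XP, do not support it. They are only a small minority, but I bought another dedicated IP specifically for this site, so why waste it?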
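The script below is an added example, not code from the original post: it parses two constructed Apache configs (before and after the change) and applies a simplified model of Apache's vhost selection to show which certificate a client without SNI receives on each IP. The 203.0.113.x addresses, certificate paths and function names are assumptions made for illustration.

```python
import re

# Constructed sample config, not the author's real files.
# 203.0.113.10 / 203.0.113.20 are documentation IPs standing in for the VPS's two addresses.
BEFORE = """
<VirtualHost *:443>
    ServerName helloacm.com
    SSLCertificateFile /etc/ssl/helloacm.crt
</VirtualHost>
<VirtualHost *:443>
    ServerName justyy.com
    SSLCertificateFile /etc/ssl/justyy.crt
</VirtualHost>
"""
# The fix from the post: bind the justyy.com vhost to its dedicated IP.
AFTER = BEFORE.replace("*:443>\n    ServerName justyy",
                       "203.0.113.20:443>\n    ServerName justyy")

VHOST = re.compile(r"<VirtualHost\s+(\S+):443>(.*?)</VirtualHost>", re.S | re.I)

def parse(conf):
    """Return [(address, server_name, cert_path)] in file order."""
    out = []
    for addr, body in VHOST.findall(conf):
        name = re.search(r"^\s*ServerName\s+(\S+)", body, re.M | re.I).group(1)
        cert = re.search(r"^\s*SSLCertificateFile\s+(\S+)", body, re.M | re.I).group(1)
        out.append((addr, name.lower(), cert))
    return out

def served_cert(conf, local_ip, sni=None):
    """Simplified model: an exact IP match beats '*'; within that set the SNI
    name is matched against ServerName; otherwise the first vhost listed wins."""
    vhosts = parse(conf)
    pool = [v for v in vhosts if v[0] == local_ip] or [v for v in vhosts if v[0] == "*"]
    if not pool:
        return None
    for _addr, name, cert in pool:
        if sni and sni.lower() == name:
            return cert
    return pool[0][2]  # default vhost for this address

if __name__ == "__main__":
    for label, conf in (("before", BEFORE), ("after", AFTER)):
        for ip in ("203.0.113.10", "203.0.113.20"):
            print(label, ip, "no SNI ->", served_cert(conf, ip))
```
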

English version: https://helloacm.com/correctly-serving-ssl-certificate-for-multiple-domains-on-the-same-server-if-you-have-multiple-ips/
