服务器:Ubuntu,Nginx.
我有一个域名example.com在namecheap.com注册并在DigitalOcean配置.
我有www子域名的CNAME记录:
www.example.com. 1800 IN CNAME example.com.
这是我的/ etc / Nginx / sites-enabled / default文件内容:
# HTTP - redirect all requests to HTTPS
server {
listen 80;
listen [::]:80 default_server ipv6only=on;
return 301 https://$host$request_uri;
}
# HTTPS - serve HTML from /usr/share/Nginx/html,proxy requests to /parse/
# through to Parse Server
server {
listen 80;
server_name www.example.com;
return 301 https://example.com$request_uri;
}
server {
listen 443;
server_name example.com;
root /home/example/website;
index index.html index.htm;
ssl on;
# Use certificate and key provided by Let's Encrypt:
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
ssl_session_timeout 5m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
# Config (http://www.westphahl.net/blog/2012/01/03/setting-up-https-with-Nginx-and-startssl/)
add_header Strict-Transport-Security max-age=31536000;
add_header X-Frame-Options DENY;
# Pass requests for /parse/ to Parse Server instance at localhost:1337
location /parse/ {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Nginx-Proxy true;
proxy_pass http://localhost:1337/;
proxy_ssl_session_reuse off;
proxy_set_header Host $http_host;
proxy_redirect off;
}
location / {
try_files $uri $uri/ =404;
}
}
但是,当我尝试打开www.example.com时,Firefox会显示SSL_ERROR_BAD_CERT_DOMAIN“您的连接不安全”错误.
如何解决?
答案:感谢所有建议者,向www子域发布SSL证书就可以了.
这是Let’s Encrypt的命令:
./letsencrypt-auto certonly --standalone -d example.com -d www.example.com
从Chrome的警告页面输出
原文链接:https://www.f2er.com/nginx/435380.htmlThis server could not prove that it is www.example.com; its security certificate is from example.com. This may be caused by a misconfiguration or an attacker intercepting your connection.
证书已发布到顶级域example.com,但不是子域www.exmample.com.
如果ssl发行人说他们应该给你www,请与他们联系以获取更多信息.
请注意,此警告来自SSL握手级别,并且在请求到达Nginx服务器进行处理之前.
