图1
1、在 Chrome 浏览器中,提示:您的连接不是私密连接。如图1
您的连接不是私密连接 攻击者可能会试图从 learn-php-app-0605-prod.wangqiang.store 窃取您的信息(例如:密码、通讯内容或信用卡信息)。了解详情 NET::ERR_CERT_DATE_INVALID 如果您想获得 Chrome 最高级别的安全保护,请开启增强型保护 learn-php-app-0605-prod.wangqiang.store 通常会使用加密技术来保护您的信息。Chrome 此次尝试连接到 learn-php-app-0605-prod.wangqiang.store 时,该网站发回了异常的错误凭据。这可能是因为有攻击者在试图冒充 learn-php-app-0605-prod.wangqiang.store,或者 Wi-Fi 登录屏幕中断了此次连接。请放心,您的信息仍然是安全的,因为 Chrome 尚未进行任何数据交换便停止了连接。 您目前无法访问 learn-php-app-0605-prod.wangqiang.store,因为此网站使用了 HSTS。网络错误和攻击通常是暂时的,因此,此网页稍后可能会恢复正常。
2、参考:https://www.shuijingwanwq.com/2023/07/21/7894/ 。将一个网站的域名切换为另一个域名的流程 。这个切换的时间是 2023/06/05,现在的时间是 2023/12/11 。在半年前确定是正常的。
3、在 Firefox 浏览器中,提示:警告:面临潜在的安全风险。很可能该网站的证书已过期,因而阻碍 Firefox 安全地连接。如图2
警告:面临潜在的安全风险 Firefox 检测到问题而没有继续连接 learn-php-app-0605-prod.wangqiang.store。可能是该网站配置有误,或者您的计算机时钟设置有误。 很可能该网站的证书已过期,因而阻碍 Firefox 安全地连接。如果您继续访问该网站,攻击者可能尝试窃取您的密码、电子邮件或信用卡等信息。 您可以做什么? 这个问题大多与网站有关,无法通过您的操作解决。您可以向此网站的管理者反馈此问题。 详细了解…
4、决定删除虚拟主机,然后再重新添加。在 Verify finished, start to sign. 环节失败。重新删除、添加成功。如图3
Do you want to redirect all HTTP requests to HTTPS? [y/n]: y Please select domain cert key length. Enter one of 2048, 3072, 4096, 8192 will issue a RSA cert. Enter one of ec-256, ec-384, ec-521 will issue a ECC cert. Please enter your cert key length (default 2048): [Mon Dec 11 05:42:44 PM CST 2023] Using CA: https://acme.zerossl.com/v2/DV90 [Mon Dec 11 05:42:44 PM CST 2023] Single domain='learn-php-app-0605-prod.wangqiang.store' [Mon Dec 11 05:42:44 PM CST 2023] Getting domain auth token for each domain [Mon Dec 11 05:43:42 PM CST 2023] Getting webroot for domain='learn-php-app-0605-prod.wangqiang.store' [Mon Dec 11 05:43:42 PM CST 2023] Verifying: learn-php-app-0605-prod.wangqiang.store [Mon Dec 11 05:43:44 PM CST 2023] Processing, The CA is processing your order, please just wait. (1/30) [Mon Dec 11 05:43:48 PM CST 2023] Success [Mon Dec 11 05:43:48 PM CST 2023] Verify finished, start to sign. [Mon Dec 11 05:43:48 PM CST 2023] Lets finalize the order. [Mon Dec 11 05:43:48 PM CST 2023] Le_OrderFinalize='https://acme.zerossl.com/v2/DV90/order/AXuZJZhYYoC-V2rj0fM0pQ/finalize' [Mon Dec 11 05:44:51 PM CST 2023] Sign failed, finalize code is not 200. [Mon Dec 11 05:44:51 PM CST 2023] <html> <head><title>504 Gateway Time-out</title></head> <body> <center><h1>504 Gateway Time-out</h1></center> <hr><center>nginx</center> </body> </html> [Mon Dec 11 05:44:51 PM CST 2023] Please add '--debug' or '--log' to check more details. [Mon Dec 11 05:44:51 PM CST 2023] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh Do you want to add hotlink protection? [y/n]: y
[root@iZ23wv7v5ggZ ~]# ~/oneinstack/vhost.sh --del
#######################################################################
# OneinStack for CentOS/RedHat 7+ Debian 9+ and Ubuntu 16+ #
# For more information please visit https://oneinstack.com #
#######################################################################
Virtualhost list:
learn-php-app-0605-prod.wangqiang.store www.shuijingwanwq.com
Please input a domain you want to delete: learn-php-app-0605-prod.wangqiang.store
Do you want to delete Virtul Host directory? [y/n]: n
Domain: learn-php-app-0605-prod.wangqiang.store has been deleted.
[root@iZ23wv7v5ggZ ~]# ~/oneinstack/vhost.sh
#######################################################################
# OneinStack for CentOS/RedHat 7+ Debian 9+ and Ubuntu 16+ #
# For more information please visit https://oneinstack.com #
#######################################################################
What Are You Doing?
1. Use HTTP Only
2. Use your own SSL Certificate and Key
3. Use Let's Encrypt to Create SSL Certificate and Key
q. Exit
Please input the correct option: 3
Please input domain(example: www.example.com): learn-php-app-0605-prod.wangqiang.store
domain=learn-php-app-0605-prod.wangqiang.store
Please input the directory for the domain:learn-php-app-0605-prod.wangqiang.store :
(Default directory: /data/wwwroot/learn-php-app-0605-prod.wangqiang.store): /data/wwwroot/learn-php-app-0605-prod.shuijingwanwq.com
Create Virtul Host directory......
set permissions of Virtual Host directory......
Do you want to add more domain name? [y/n]: n
Do you want to redirect all HTTP requests to HTTPS? [y/n]: y
Please select domain cert key length.
Enter one of 2048, 3072, 4096, 8192 will issue a RSA cert.
Enter one of ec-256, ec-384, ec-521 will issue a ECC cert.
Please enter your cert key length (default 2048):
[Tue Dec 12 09:45:48 AM CST 2023] Using CA: https://acme.zerossl.com/v2/DV90
[Tue Dec 12 09:45:48 AM CST 2023] Single domain='learn-php-app-0605-prod.wangqiang.store'
[Tue Dec 12 09:45:48 AM CST 2023] Getting domain auth token for each domain
[Tue Dec 12 09:47:19 AM CST 2023] Getting webroot for domain='learn-php-app-0605-prod.wangqiang.store'
[Tue Dec 12 09:47:19 AM CST 2023] Verifying: learn-php-app-0605-prod.wangqiang.store
[Tue Dec 12 09:47:50 AM CST 2023] Processing, The CA is processing your order, please just wait. (1/30)
[Tue Dec 12 09:48:16 AM CST 2023] Success
[Tue Dec 12 09:48:16 AM CST 2023] Verify finished, start to sign.
[Tue Dec 12 09:48:16 AM CST 2023] Lets finalize the order.
[Tue Dec 12 09:48:16 AM CST 2023] Le_OrderFinalize='https://acme.zerossl.com/v2/DV90/order/Vngx1i061GLKvKou91RuTg/finalize'
[Tue Dec 12 09:48:46 AM CST 2023] Order status is processing, lets sleep and retry.
[Tue Dec 12 09:48:46 AM CST 2023] Retry after: 15
[Tue Dec 12 09:49:02 AM CST 2023] Polling order status: https://acme.zerossl.com/v2/DV90/order/Vngx1i061GLKvKou91RuTg
[Tue Dec 12 09:49:32 AM CST 2023] Downloading cert.
[Tue Dec 12 09:49:32 AM CST 2023] Le_LinkCert='https://acme.zerossl.com/v2/DV90/cert/fOxlsHbazT9i7VwqoS2W7g'
[Tue Dec 12 09:50:06 AM CST 2023] Cert success.
-----BEGIN CERTIFICATE-----
xxxxxxxxxx
-----END CERTIFICATE-----
[Tue Dec 12 09:50:06 AM CST 2023] Your cert is in: /root/.acme.sh/learn-php-app-0605-prod.wangqiang.store/learn-php-app-0605-prod.wangqiang.store.cer
[Tue Dec 12 09:50:06 AM CST 2023] Your cert key is in: /root/.acme.sh/learn-php-app-0605-prod.wangqiang.store/learn-php-app-0605-prod.wangqiang.store.key
[Tue Dec 12 09:50:06 AM CST 2023] The intermediate CA cert is in: /root/.acme.sh/learn-php-app-0605-prod.wangqiang.store/ca.cer
[Tue Dec 12 09:50:06 AM CST 2023] And the full chain certs is there: /root/.acme.sh/learn-php-app-0605-prod.wangqiang.store/fullchain.cer
Do you want to add hotlink protection? [y/n]: y
Allow Rewrite rule? [y/n]: y
Please input the rewrite of programme :
wordpress,opencart,magento2,drupal,joomla,codeigniter,laravel
thinkphp,pathinfo,discuz,typecho,ecshop,nextcloud,zblog,whmcs rewrite was exist.
(Default rewrite: other): laravel
You choose rewrite=laravel
Allow Nginx/Tengine/OpenResty access_log? [y/n]: y
You access log file=/data/wwwlogs/learn-php-app-0605-prod.wangqiang.store_nginx.log
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
Reload Nginx......
#######################################################################
# OneinStack for CentOS/RedHat 7+ Debian 9+ and Ubuntu 16+ #
# For more information please visit https://oneinstack.com #
#######################################################################
Your domain: learn-php-app-0605-prod.wangqiang.store
Virtualhost conf: /usr/local/nginx/conf/vhost/learn-php-app-0605-prod.wangqiang.store.conf
Directory of: /data/wwwroot/learn-php-app-0605-prod.shuijingwanwq.com
Rewrite rule: /usr/local/nginx/conf/rewrite/laravel.conf
Let's Encrypt SSL Certificate:/usr/local/nginx/conf/ssl/learn-php-app-0605-prod.wangqiang.store.crt
SSL Private Key: /usr/local/nginx/conf/ssl/learn-php-app-0605-prod.wangqiang.store.key
5、按需编辑 Nginx 配置文件后,编辑 root ,重启 Nginx 服务。如图4
server {
listen 80;
listen [::]:80;
listen 443 ssl http2;
listen [::]:443 ssl http2;
ssl_certificate /usr/local/nginx/conf/ssl/learn-php-app-0605-prod.wangqiang.store.crt;
ssl_certificate_key /usr/local/nginx/conf/ssl/learn-php-app-0605-prod.wangqiang.store.key;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ecdh_curve X25519:prime256v1:secp384r1:secp521r1;
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256;
ssl_conf_command Ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256;
ssl_conf_command Options PrioritizeChaCha;
ssl_prefer_server_ciphers on;
ssl_session_timeout 10m;
ssl_session_cache shared:SSL:10m;
ssl_buffer_size 2k;
add_header Strict-Transport-Security max-age=15768000;
ssl_stapling on;
ssl_stapling_verify on;
server_name learn-php-app-0605-prod.wangqiang.store;
access_log /data/wwwlogs/learn-php-app-0605-prod.wangqiang.store_nginx.log combined;
index index.html index.htm index.php;
root /data/wwwroot/learn-php-app-0605-prod.shuijingwanwq.com/public;
if ($ssl_protocol = "") { return 301 https://$host$request_uri; }
include /usr/local/nginx/conf/rewrite/laravel.conf;
#error_page 404 /404.html;
#error_page 502 /502.html;
location ~ .*\.(wma|wmv|asf|mp3|mmf|zip|rar|jpg|gif|png|swf|flv|mp4)$ {
valid_referers none blocked *.wangqiang.store learn-php-app-0605-prod.wangqiang.store;
if ($invalid_referer) {
return 403;
}
}
location ~ [^/]\.php(/|$) {
#fastcgi_pass remote_php_ip:9000;
fastcgi_pass unix:/dev/shm/php-cgi.sock;
fastcgi_index index.php;
include fastcgi.conf;
}
location ~ .*\.(gif|jpg|jpeg|png|bmp|swf|flv|mp4|ico)$ {
expires 30d;
access_log off;
}
location ~ .*\.(js|css)?$ {
expires 7d;
access_log off;
}
location ~ /(\.user\.ini|\.ht|\.git|\.svn|\.project|LICENSE|README\.md) {
deny all;
}
location /.well-known {
allow all;
}
}
[root@iZ23wv7v5ggZ ~]# service nginx restart Redirecting to /bin/systemctl restart nginx.service
6、打开:https://learn-php-app-0605-prod.wangqiang.store/robots.txt 。在 Chrome 浏览器、Firefox 浏览器 皆已经正常。如图5
7、深究根源,证书由 Let’s Encrypt 发布。Let’s Encrypt 是一家全球性的证书颁发机构(CA), 为世界各地的个人和团体提供获取、续期、管理 SSL/TLS 证书的服务。参考:Let’s Encrypt 的常见问题。https://letsencrypt.org/zh-cn/docs/faq/ 。证书有效期为 90 天。 其背后的原因可以从这里了解。这一期限不能调整,也没有例外。 我们建议您每 60 天自动续期一次证书(后续等待下一次证书过期后,希望能够想办法自动续期,而不是删除虚拟主机,再添加虚拟主机了。)。如图6
