ssl - HAProxy Comodo SSL

Question

我正在尝试在 haproxy 上安装 haproxy comodo positivessl，但浏览器显示证书错误。HaProxy 配置：

global
    daemon
    #debug
    maxconn 15000
    pidfile /var/run/haproxy.pid
    stats socket /var/run/haproxy.stat mode 600

defaults
    mode http
    balance roundrobin
    timeout client 60s   # Client and server timeout must match the longest
    timeout server 60s   # time we may wait for a response from the server.
    timeout queue  60s   # Don't queue requests too long if saturated.
    timeout connect 4s   # There's no reason to change this one.
    timeout http-request 5s
    option http-server-close
    option httpclose
    option abortonclose
    option redispatch
    option forwardfor # set the client's IP in X-Forwarded-For.
    option tcp-smart-accept
    option tcp-smart-connect
    retries 2
    monitor-uri /monitor # Returns 200 if we're up; real path redacted
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

listen stats 0.0.0.0:8880
    stats enable
    stats hide-version
    stats uri     /
    stats realm   HAProxy\ Statistics
    stats auth example:example

frontend httpFrontEnd
    bind *:80
    bind *:443 ssl crt /etc/haproxy/certs/example_com.pem ca-file /etc/haproxy/certs/example_com.ca-bundle
    reqadd X-Forwarded-Proto:\ https if { ssl_fc }

    stick-table type ip size 200k expire 5m store gpc0,conn_rate(10s)
    acl source_is_abuser src_get_gpc0 gt 0
    tcp-request connection reject if source_is_abuser
    acl conn_rate_abuse  sc1_conn_rate gt 100
    acl mark_as_abuser   sc1_inc_gpc0  gt 0
    tcp-request connection track-sc1 src
    tcp-request connection reject if conn_rate_abuse mark_as_abuser

    acl examplecom hdr_end(host) -i example.com
    use_backend examplecom_http if examplecom
    use_backend httpsBackEnd if { ssl_fc }

    default_backend httpBackEnd

backend examplecom_http
    server s1 X.X.X.X:80 check

backend httpBackEnd
    server httpBackEnd-Local X.X.X.X:81 check

backend httpsBackEnd
    server httpBackEnd-Local X.X.X.X:444 check

.pem 文件包含域 crt ，私钥

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----

ca-bundle 文件来自 comodo

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

问题是我收到证书错误（名称不匹配）证书名称不匹配：颁发给：服务器

Answer 1

听起来您需要安装证书链。Comodo（和大多数其他 CA）将有一个浏览器必须遵循的链。在您的证书文件中，除了您的实际证书之外，只需添加中间证书和根 ca 证书。我的文件如下所示：

-----BEGIN MY CERTIFICATE-----
-----END MY CERTIFICATE-----
-----BEGIN INTERMEDIATE CERTIFICATE-----
-----END INTERMEDIATE CERTIFICATE-----
-----BEGIN INTERMEDIATE CERTIFICATE-----
-----END INTERMEDIATE CERTIFICATE-----
-----BEGIN ROOT CERTIFICATE-----
-----END ROOT CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----