越来越多的浏览器不在支持 http 协议了, 这就要求你为你的网站必须绑定 SSL 证书谷歌浏览器也将要在今年取消对 http 协议的支持, 申请 CA 证书迫在眉睫我购买有两个域名, 一个虚拟机, 没事鼓捣鼓捣, 图个乐趣在阿里云申请了免费证书, 一直用的好好的这次过年恰遇证书更新, 想一起把所有域名都升级到 https 购买两个证书分别绑定域名顺带说一下如何阿里云购买免费域名, 现在已经不太容易找到免费域名购买按钮了
动图示意购买免费 CA
购买完成, 并分别绑定 www.a.com 和 www.b.com 后, 访问 a.com 一直提示 CA 错误, 发现 CA 证书来自 www.b.com 一度怀疑自己绑定错误了域名, 吊销证书又重新购买, 问题依旧在 IE 中没有有用的提示信息, 在谷歌中会提示证书错误, 且可以发现错误证书信息:
这个问题早在 2012 年就被发现并且提出的解决办法, 参考英文请点击跳转 阿里云的解决方案
- Problem
- As more e-commerce sites come on line and more businesses are storing and sharing sensitive documents online, the ability to host and scale secure sites are increasingly more important. Prior to Windows Server 2012, there were a couple of challenges when it comes to hosting secure sites:
随着更多电子商务网站上线, 越来越多的企业在线存储和分享敏感信息, 托管和确保安全网站的能力变得尤为重要, win server 2012 之前, 当托管 SSL 站点时有两个挑战:
SSL Scalability: In a multi-tenanted environment, such as a shared hosting, there is a limitation as to how many secure sites can be hosted on Windows Server, resulting in a low site-density.
SSL 的可伸缩性: 在多站点环境下, 比如一个共享的服务器, 托管的安全网站数量收到限制 (只允许一个), 导致安全网站密度很低
IPv4 scarcity: Because the network end-point can only be identified with IP:Port binding, where tenants request to use the standard SSL port, 443, hosting a secure site often means offering a dedicated IP address per tenant.
IPv4 地址不足, 因为互联网上的一个终端仅能靠一对 IP:Port 来访问, 当每个站点使用标准端口 443 时, 意味着需要为每一个站点提供专用的 IP 地址
- Solution
- On Windows Server 2012, IIS supports Server Name Indication (SNI), which is a TLS extension to include a virtual domain as a part of SSL negotiation. What this effectively means is that the virtual domain name, or a hostname, can now be used to identify the network end point. In addition, a highly scalable webHosting store has been created to complement SNI. The result is that the secure site density is much higher on Windows Server 2012 and it is achieved with just one IP address.
- It should be noted that in order for this feature to be used, your client browsers have to support SNI. Most modern browsers support SNI; however, Internet Explorer (of any version) on Windows XP does not support SNI.
解决方案是针对 win server 2012 的 II7-IIS8, 具体办法可以参考原文, 本文仅针对 IIS8.5 来说明:
文中提到的 SNI(Server Name Indication) 中文名称是: 需要服务器名称指示 (如图), 这是一个一般人很难理解的中文翻译, 记住, 他就是 SNI
另外非常重要的是:
无论你访问任指向本服务器的域名, 如果所有网站都没有勾选 SNI, 那么任何针对这个 IP:Port 的 CA 请求, 都将返回第一个绑定的 CA 证书
如果第一个站点没有勾选, 效果同第一条相同
所以最好的解决办法是: 所有站点都选择勾选 SNI
来源: http://www.bubuko.com/infodetail-2504347.html