我正在运行website,其中结帐流程使用Comodo EV证书进行SSL认证.
我们还在整个网站上进行了Piwik网站分析跟踪,该网站通过统计子域提供服务.为了防止混合域错误,可以通过HTTPS和HTTP访问Piwik – 对于HTTPS,我们的Piwik子域使用(便宜得多的)Comodo PositiveSSL证书进行认证.
这是奇怪的部分 – 当通过wget和某些版本的Internet Explorer访问主站点上的HTTPS页面时,stats.psychicbazaar.com证书似乎以某种方式错误地加载,导致IE中出现“不匹配的地址”警告,以及在wget中:
ERROR: certificate common name `stats.psychicbazaar.com' doesn't match requested host name `www.psychicbazaar.com'.
curl,Chrome或Firefox不会出现此问题.例如,使用curl:
$curl -Iv https://www.psychicbazaar.com/shop/checkout
*
这里可能会发生什么 – 为什么当浏览器在主域上加载页面时,浏览器会在子域的SSL证书上读取和出错?任何帮助非常感谢!
# dig stats.psychicbazaar.com
[...]
;; ANSWER SECTION:
stats.psychicbazaar.com. 3600 IN A 178.79.183.162
[...]
# dig www.psychicbazaar.com
[...]
;; ANSWER SECTION:
www.psychicbazaar.com. 3600 IN A 178.79.183.162
[...]
如果您为两者使用相同的IP地址,您的Web服务器究竟应该知道为TLS交换提供哪个证书?这不起作用:
http://wiki.apache.org/httpd/NameBasedSSLVHosts
As a rule,it is impossible to host more than one SSL virtual host on the same IP address and port. This is because Apache needs to know the name of the host in order to choose the correct certificate to setup the encryption layer. But the name of the host being requested is contained only in the HTTP request headers,which are part of the encrypted content. It is therefore not available until after the encryption is already negotiated.