Fresh CentOS 7 install
```
[root@s052d7fbf ~]# rpm -qa | grep bitrix
bitrix-env-7.2-2.el7.centos.noarch
[root@s052d7fbf ~]#
```
1. After connecting, ethtool turns out not to be installed.
```
Bitrix virtual appliance version 7.2.2
Pool Configuration manager on this host
Not found configured server's pool! May be You want to add new.
Server network interfaces:
------------------------------------------------------------------------------------
Int | Link | Speed | MAC | IPAddress
------------------------------------------------------------------------------------
/opt/webdir/bin/bitrix_utils.sh: line 644: ethtool: command not found
------------------------------------------------------------------------------------
Available actions:
0. Exit
Enter selection: 0
```
Please add the installation of ethtool.
Patch
--- ./bitrix-env.sh.bak 2018-03-22 14:38:32.451451865 +0300 +++ ./bitrix-env.sh 2018-03-22 14:38:47.773550245 +0300 @@ -103,7 +103,7 @@ # install packages yum clean all >/dev/null 2>&1 - yum install -y yum-fastestmirror >/dev/null 2>&1 + yum install -y yum-fastestmirror ethtool >/dev/null 2>&1 print "Configuration EPEL repository is completed." 1 } |
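Review bot: the added `ethtool` package shares the existing `>/dev/null 2>&1` and the exit status of `yum install` is never checked, so when the install fails the script still prints `Configuration EPEL repository is completed.` and the menu later dies with `/opt/webdir/bin/bitrix_utils.sh: line 644: ethtool: command not found` exactly as before. Either test the return code before the `print` line (`yum install -y yum-fastestmirror ethtool >/dev/null 2>&1 || { print "ethtool install failed"; return 1; }`), or, since bitrix_utils.sh calls ethtool unconditionally and the host installs bitrix-env as an RPM (`bitrix-env-7.2-2.el7.centos.noarch`), declare ethtool as a package dependency so it cannot be missing at all.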
2. And now the main problem, namely configuring your own SSL certificate through the Bitrix menu (Configure own certificate). The process looks like this:
Create the directory /etc/nginx/certs/ and place the site certificate, the CA certificate chain and the private key in it, for example:
```
[root@s052d7fbf ~]# ls -la /etc/nginx/certs/
total 20
drwxr-xr-x 2 root root 4096 Mar 22 14:54 .
drwxr-xr-x 6 root root 4096 Mar 22 14:53 ..
-rw------- 1 root root 2179 Mar 22 14:53 cert.pem
-rw------- 1 root root 1684 Mar 22 14:54 chain.pem
-rw------- 1 root root 3243 Mar 22 14:54 privkey.pem
[root@s052d7fbf ~]# for myfile in $(find /etc/nginx/certs/ -type f); do echo 'Content of file '$myfile; cat $myfile; done
Content of file /etc/nginx/certs/privkey.pem
-----BEGIN RSA PRIVATE KEY-----
MIIJKAIBAAKCAgEAs7MmZ77lkvQsQ4b4qOgLgzxa6bbAHsDNGud8ku4cXD7oBVfO
...
fDMrW5tju0N2eF5l5hA0QoGpkv98sc6J8EyNi731TzqoySGcd3j7kGo66rk=
-----END RSA PRIVATE KEY-----
Content of file /etc/nginx/certs/chain.pem
http://cert.int-x3.letsencrypt.org/
-----BEGIN CERTIFICATE-----
MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/
...
KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg==
-----END CERTIFICATE-----
Content of file /etc/nginx/certs/cert.pem
-----BEGIN CERTIFICATE-----
MIIGGzCCBQOgAwIBAgISAyln5J9hRUy9X/w2ccrN/oRXMA0GCSqGSIb3DQEBCwUA
...
x++dsveME0A7NNYyfPyr9+h5hEM/TqpNF/BCoG71Gw==
-----END CERTIFICATE-----
[root@s052d7fbf ~]#
```
Working with the menu
```
Bitrix virtual appliance version 7.2.2
Certificates configuration
Found 1 sites:
------------------------------------------------------------------------------------
SiteName | dbName      | Type   | S | Certificate  | Key
------------------------------------------------------------------------------------
default  | sitemanager | kernel | N | ssl/cert.pem | ssl/cert.pem
------------------------------------------------------------------------------------
Note: S - Only HTTPS access to the server (N = turned off, Y = turned on)
Available actions:
1. Configure Let's encrypt certificate
2. Configure own certificate
3. Return default certificate
0. Previous screen or exit
Enter selection: 2
You can enter multiple comma-separated values. Example: default, test
Enter site name (default):
Requirements for Importing Certificates:
* The certificate, private key, and certificate chain must all be PEM-encoded.
* The private key must be unencrypted.
* The certificate, private key are mandatory.
* You need to use full path for the certificate, private key, and certificate chain or you can upload files to /etc/nginx/certs and use relative paths.
Path to Private Key: privkey.pem
Path to Certificate: cert.pem
Path to Certificate Chain: chain.pem
Please confirm installation of certificate for site=default (Y|n): Y
Start task:
JobID : site_certificate_7035010341
PID : 16193
Status : running
It will run 'Configuration Certificate for site=default' in the pool.
Press ENTER to exit:
```
The resulting config looks like this:
```
[root@s052d7fbf ~]# cat /etc/nginx/bx/site_avaliable/ssl.s1.conf
# Default SSL certificate enabled website
server {
    listen 443 default_server http2;
    server_name _;

    # Enable SSL connection
    server_name_in_redirect off;

    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $host:443;

    # CERTIFICATE ANSIBLE MANAGED BLOCK
    include bx/conf/ssl_options.conf;
    ssl_certificate /etc/nginx/certs/default/cert.pem;
    ssl_certificate_key /etc/nginx/certs/default/privkey.pem;
    ssl_trusted_certificate /etc/nginx/certs/default/chain.pem;
    # CERTIFICATE ANSIBLE MANAGED BLOCK

    proxy_set_header HTTPS YES;
    set $proxyserver "http://127.0.0.1:8888";
    set $docroot "/home/bitrix/www";
    index index.php;
    root /home/bitrix/www;

    # Include parameters common to all websites
    include bx/conf/bitrix.conf;
    # Include server monitoring API's
    include bx/server_monitor.conf;
}
[root@s052d7fbf ~]#
```
And the file /etc/nginx/certs/default/cert.pem, unfortunately, does not contain the certificate chain:
```
[root@s052d7fbf ~]# cat /etc/nginx/certs/default/cert.pem
-----BEGIN CERTIFICATE-----
MIIGGzCCBQOgAwIBAgISAyln5J9hRUy9X/w2ccrN/oRXMA0GCSqGSIb3DQEBCwUA
...
x++dsveME0A7NNYyfPyr9+h5hEM/TqpNF/BCoG71Gw==
-----END CERTIFICATE-----
[root@s052d7fbf ~]#
```
Which naturally leads to problems like:
```
curl https://s052d7fbf.fastvps-server.com/
curl: (60) server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.
```
I see two ways to solve the problem:
1. (Recommended) Automatically write the certificate first and then the chain into the resulting certificate file
Patch
--- /etc/ansible/roles/web/tasks/configure_cert.yml.old 2018-03-22 15:30:28.359377392 +0300 +++ /etc/ansible/roles/web/tasks/configure_cert.yml 2018-03-22 16:07:53.210654504 +0300 @@ -46,6 +46,19 @@ owner: root group: bitrix with_items: "{{ site_names }}" + when: certificate_chain is undefined + +- name: copy certificate + copy: + content: | + {{ lookup('file', certificate) }} + {{ lookup('file', certificate_chain) }} + dest: "/etc/nginx/certs/{{ item }}/{{ certificate | basename }}" + mode: 0640 + owner: root + group: bitrix + with_items: "{{ site_names }}" + when: certificate_chain is defined - name: copy private_key copy: |
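Review bot: `when: certificate_chain is defined` is also true for an empty value, and the menu treats the chain as optional (its requirements text says only "The certificate, private key are mandatory"), so a blank `Path to Certificate Chain` answer would make `lookup('file', certificate_chain)` fail in the new task instead of falling through to the plain copy; use `when: certificate_chain is defined and certificate_chain | length > 0` here and the complement (`certificate_chain is not defined or certificate_chain | length == 0`) on the first task. Two smaller points: `lookup('file', ...)` reads from the Ansible controller, which is fine on this single-host appliance but deserves a comment if the web role can target another pool member; and a user who supplies a `certificate` file that already holds the chain (nothing in the requirements text forbids it) gets the intermediates appended a second time, so a one-line note in the prompt or a check that `certificate` contains a single block would avoid that.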
2. (Not recommended) State in the Requirements for Importing Certificates block that the certificate file must already be the final one, i.e. contain both the certificate and the CA certificate chain (http://nginx.org/ru/docs/http/ngx_http_ssl_module.html#ssl_certificate)
The current implementation is misleading and does not work as expected.
Thanks for your attention!
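As an added example (not from the post and not bitrix-env code): a POSIX sh helper that does by hand what option 1 asks the Ansible task to do, concatenating the site certificate and the chain in the order nginx's `ssl_certificate` requires (server certificate first, intermediates after it), and then checking the result: the number of PEM blocks, that the leaf is the first block, and, where openssl is installed, that the leaf verifies through the bundled intermediates and that the private key belongs to it. The file names cert.pem, chain.pem and privkey.pem follow the post; the function names and the placeholder PEM blocks used for the stand-alone run are constructed for this example and are not real certificates.

```shell
#!/bin/sh
# Added example, not code from the post or from bitrix-env: build the file that
# nginx's ssl_certificate expects (site certificate first, then the CA chain)
# and check the result. File names cert.pem / chain.pem / privkey.pem follow
# the post; function names and sample data are assumptions of this example.
set -eu

PEM_BEGIN='-----BEGIN CERTIFICATE-----'

# Number of certificate blocks in a PEM file (0 if none).
count_certs() {
    grep -c -- "$PEM_BEGIN" "$1" || true
}

# Print only the N-th certificate block of a PEM file (1 = first).
nth_cert() {
    awk -v want="$2" -v begin="$PEM_BEGIN" 'index($0, begin) == 1 {n++} n == want' "$1"
}

# Write leaf + chain (in that order) to "$3" and print the block count.
# "awk 1" re-emits every line with a newline, so a leaf file without a
# trailing newline cannot glue its END marker onto the chain's BEGIN marker.
# The output is created under umask 027 in a subshell.
build_fullchain() {
    leaf=$1; chain=$2; out=$3
    [ -s "$leaf" ]  || { echo "missing or empty leaf: $leaf" >&2; return 1; }
    [ -s "$chain" ] || { echo "missing or empty chain: $chain" >&2; return 1; }
    [ "$out" != "$leaf" ] && [ "$out" != "$chain" ] || { echo "output must be a separate file" >&2; return 1; }
    ( umask 027; awk 1 "$leaf" "$chain" > "$out" )
    expected=$(( $(count_certs "$leaf") + $(count_certs "$chain") ))
    actual=$(count_certs "$out")
    [ "$actual" -eq "$expected" ] || { echo "expected $expected blocks, found $actual" >&2; return 1; }
    echo "$actual"
}

# True if the first block of the bundle is the leaf; catches the
# chain-before-leaf mistake without needing openssl.
leaf_is_first() {
    [ "$(nth_cert "$1" 1)" = "$(nth_cert "$2" 1)" ]
}

# Cryptographic checks, only when openssl is installed: the leaf must verify
# through the bundled intermediates against the system trust store, and the
# private key must match the leaf. Returns 0 with a notice when openssl is absent.
verify_bundle() {
    bundle=$1; key=$2
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found, skipping verification" >&2; return 0; }
    tmp=$(mktemp -d)
    nth_cert "$bundle" 1 > "$tmp/leaf.pem"
    awk -v begin="$PEM_BEGIN" 'index($0, begin) == 1 {n++} n >= 2' "$bundle" > "$tmp/rest.pem"
    openssl verify -untrusted "$tmp/rest.pem" "$tmp/leaf.pem" || { rm -rf "$tmp"; return 1; }
    leaf_pub=$(openssl x509 -in "$tmp/leaf.pem" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -pubout)
    rm -rf "$tmp"
    [ "$leaf_pub" = "$key_pub" ] || { echo "private key does not match the leaf certificate" >&2; return 1; }
}

# Constructed sample files (PEM-shaped placeholders, NOT real certificates) so
# the ordering and count checks can run stand-alone; the leaf deliberately
# lacks a trailing newline to exercise the awk 1 behaviour above.
make_sample_dir() {
    d=$(mktemp -d)
    printf '%s\n%s\n%s' "$PEM_BEGIN" 'LEAF' '-----END CERTIFICATE-----' > "$d/cert.pem"
    printf '%s\n' "$PEM_BEGIN" 'INTERMEDIATE' '-----END CERTIFICATE-----' \
                  "$PEM_BEGIN" 'ROOT' '-----END CERTIFICATE-----' > "$d/chain.pem"
    echo "$d"
}

if [ "${1:-}" = "--demo" ]; then
    d=$(make_sample_dir)
    n=$(build_fullchain "$d/cert.pem" "$d/chain.pem" "$d/fullchain.pem")
    leaf_is_first "$d/fullchain.pem" "$d/cert.pem" && echo "fullchain.pem: $n blocks, leaf first"
    rm -rf "$d"
fi
```

Run it as `sh fullchain.sh --demo` for the constructed sample, or source it in /etc/nginx/certs and call `build_fullchain cert.pem chain.pem fullchain.pem && verify_bundle fullchain.pem privkey.pem`; the output file is what `ssl_certificate` should point at, while `ssl_trusted_certificate` can keep pointing at chain.pem for OCSP stapling. To see what the server actually sends after the Ansible task has run, `openssl s_client -connect s052d7fbf.fastvps-server.com:443 -servername s052d7fbf.fastvps-server.com -showcerts </dev/null` prints every certificate in the handshake; with the behaviour shown on this page only the leaf appears, which is exactly why curl cannot build a path to a trusted root.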