更新LetSencrypt证书后,与我的网站相关的问题。我试图调试nginx,但日志很清楚。但这有效。似乎我别无选择,可以重新安装我的服务器。帮助。
curl --no-sessionid -I -vvvv --tlsv1.2 -qv -3 https://example.com/
* Trying 176.9.92.134...
* TCP_NODELAY set
* Connected to site.com (999.9.9.999) port 443 (#0)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: /Users/user/anaconda3/ssl/cacert.pem
CApath: none
* SSLv3 (OUT), TLS handshake, Client hello (1):
* Unknown SSL protocol error in connection to example.ru:443
* Curl_http_done: called premature == 1
* Closing connection 0
curl: (35) Unknown SSL protocol error in connection to example.com:443
openssl
进行了一些检查`openssl s_client -connect example.com:443 -servername example.com -prexit
CONNECTED(00000003)
140736982107144:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 326 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1519402519
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 326 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1519402519
Timeout : 300 (sec)
Verify return code: 0 (ok)
---`
nginx配置`server { 听99.99.99.99:443 SSL; server_name example.com;
ssl_trusted_certificate /var/www/example/ca.cer;
ssl_certificate /var/www/example/fullchain.cer;
ssl_certificate_key /var/www/example/example.com.key;
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:50m;
# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
ssl_dhparam /var/www/example/example_dhparam.pem;
# modern configuration. tweak to your needs.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_stapling on;
ssl_stapling_verify on;
resolver 127.0.0.1 8.8.8.8;
location /.well-known/ {
alias /var/www/example/ssl/.well-known/;
}
location / {
alias /var/www/example/index.html;
}
}`
不应该是
server {
listen 443 ssl;
server_name example.com;
...
}
喜欢从参考,http://nginx.org/en/docs/http/configuring_https_servers.html
server {
listen 443 ssl;
server_name www.example.com;
ssl_certificate www.example.com.crt;
ssl_certificate_key www.example.com.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;
...
}
要配置HTTPS服务器,SSL参数必须为 启用了服务器块中的侦听插座,以及 应指定服务器证书和私钥文件的位置。