Unknown SSL protocol error in connection to example.com

Time: 2018-02-23 16:13:42

Tags: curl nginx lets-encrypt

After renewing the letsencrypt certificate, there is a problem with my site. I tried to debug Nginx, but the logs are clean. But it did work before. It seems I have no choice but to reinstall my server. Help

```
curl --no-sessionid  -I -vvvv --tlsv1.2 -qv -3 https://example.com/
*   Trying 176.9.92.134...
* TCP_NODELAY set
* Connected to site.com (999.9.9.999) port 443 (#0)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: /Users/user/anaconda3/ssl/cacert.pem
  CApath: none
* SSLv3 (OUT), TLS handshake, Client hello (1):
* Unknown SSL protocol error in connection to example.ru:443
* Curl_http_done: called premature == 1
* Closing connection 0

curl: (35) Unknown SSL protocol error in connection to example.com:443
```

Checking with openssl

```
openssl s_client -connect example.com:443 -servername example.com -prexit
CONNECTED(00000003)
140736982107144:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:
```
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 326 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1519402519
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 326 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1519402519
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
```

Nginx config

```
server {
    listen 99.99.99.99:443 ssl;
    server_name example.com;

    ssl_trusted_certificate /var/www/example/ca.cer;
    ssl_certificate /var/www/example/fullchain.cer;
    ssl_certificate_key /var/www/example/example.com.key;

    ssl_session_timeout 5m;
    ssl_session_cache shared:SSL:50m;

    # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
    ssl_dhparam /var/www/example/example_dhparam.pem;

    # modern configuration. tweak to your needs.
    ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers         HIGH:!aNULL:!MD5;
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 127.0.0.1 8.8.8.8;


    location /.well-known/ {
       alias /var/www/example/ssl/.well-known/;
    }

    location / {
       alias /var/www/example/index.html;
    }
}
```

1 answer:

Answer 0: (score: 0)

Shouldn't it be

```
server {
    listen 443 ssl;
    server_name example.com;
    ...
}
```

similar to the reference, http://nginx.org/en/docs/http/configuring_https_servers.html

```
server {
    listen              443 ssl;
    server_name         www.example.com;
    ssl_certificate     www.example.com.crt;
    ssl_certificate_key www.example.com.key;
    ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers         HIGH:!aNULL:!MD5;
    ...
}
```

To configure an HTTPS server, the ssl parameter must be enabled on listening sockets in the server block, and the locations of the server certificate and private key files should be specified.
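The rule quoted from the nginx docs can be checked mechanically before a reload. The script below is an added example (not code from the thread or from nginx): it splits an nginx config into server blocks and flags any port-443 listen socket that lacks the ssl parameter or a block missing ssl_certificate / ssl_certificate_key. SAMPLE_CONFIG is constructed from the question's block plus a deliberately broken second block.

```python
"""Check each nginx server block for the rule the answer quotes: listen on 443 needs
the ssl parameter, and ssl_certificate/ssl_certificate_key must be set. Added example."""
SAMPLE_CONFIG = """
server {
    listen 99.99.99.99:443 ssl;
    server_name example.com;
    ssl_certificate /var/www/example/fullchain.cer;
    ssl_certificate_key /var/www/example/example.com.key;
    location / { alias /var/www/example/index.html; }
}
server {
    listen 443;   # constructed: ssl parameter forgotten
    server_name broken.example.com;
    ssl_certificate /var/www/example/fullchain.cer;
}
"""

def server_blocks(config):
    """Return the top-level directive lines (no ';') of each server block."""
    blocks, current, depth = [], None, 0
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if current is None:
            if line.startswith("server") and line.endswith("{"):
                current, depth = [], 1
            continue
        depth += line.count("{") - line.count("}")
        if depth == 0:  # closing brace of the server block
            blocks.append(current)
            current = None
        elif depth == 1 and line and "{" not in line and "}" not in line:
            current.append(line.rstrip(";"))  # nested location blocks are skipped
    return blocks

def audit_server(lines):
    """Return findings for one server block; an empty list means it passes."""
    directives = {}
    for line in lines:
        name, *args = line.split()
        directives.setdefault(name, []).append(args)
    host = directives.get("server_name", [["<no server_name>"]])[0][0]
    findings = []
    for args in directives.get("listen", []):
        # the port follows the last colon: "443", "1.2.3.4:443" or "[::]:443"
        if args and args[0].rsplit(":", 1)[-1] == "443" and "ssl" not in args:
            findings.append(f"{host}: listen on port 443 without the ssl parameter")
    for required in ("ssl_certificate", "ssl_certificate_key"):
        if required not in directives:
            findings.append(f"{host}: missing {required}")
    return findings
```

Run `audit_server` over every block from `server_blocks(open("/etc/nginx/sites-enabled/example.conf").read())` to check a real file; the first constructed block passes and the second yields two findings.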