我正在为这个问题扯头发。 因此,我有一个PHP应用程序,它正在从“个人”服务器迁移到AWS-EC2。 我已经在AWS-EC2服务器上安装了所有组件。 Apache2,PHP 7.3,MySql等 我在进行跳转之前正在测试应用程序,并且在测试SoapCliet调用时出现以下PHP错误:
WSDL SOAP-ERROR: Parsing WSDL: Couldn t load from "https://celcer.sri.gob.ec/comprobantes-electronicos-ws/RecepcionComprobantesOffline?wsdl"
我调查了尝试调试问题并尝试wget调用的错误,我得到了:
$ sudo wget https://celcer.sri.gob.ec/comprobantes-electronicos-ws/RecepcionComprobantesOffline?wsdl
--2019-04-24 14:29:58-- https://celcer.sri.gob.ec/comprobantes-electronicos-ws/RecepcionComprobantesOffline?wsdl
Resolving celcer.sri.gob.ec (celcer.sri.gob.ec)... 186.42.213.26
Connecting to celcer.sri.gob.ec (celcer.sri.gob.ec)|186.42.213.26|:443... connected.
Unable to establish SSL connection.
然后我尝试调用cURL:
$ sudo curl -v https://celcer.sri.gob.ec/comprobantes-electronicos-ws/RecepcionComprobantesOffline?wsdl
Trying 186.42.213.26...
TCP_NODELAY set
Connected to celcer.sri.gob.ec (186.42.213.26) port 443 (#0)
ALPN, offering h2
ALPN, offering http/1.1
successfully set certificate verify locations:
CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
(304) (OUT), TLS handshake, Client hello (1):
OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to celcer.sri.gob.ec:443
stopped the pause stream!
Closing connection 0
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to celcer.sri.gob.ec:443
然后我尝试使用openSSL:
$ sudo openssl s_client -connect celcer.sri.gob.ec:443
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 319 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
Versions of stuff:
Ubuntu Linux 18.04.2
PHP 7.3
OpenSSL 1.1.1b 26 Feb 2019
我一直在寻找答案,但没有解决办法。 显然,所有这些命令都可以在我的旧服务器(不是EC2)上完美运行,尽管Ubuntu的版本是16.04.1,而OpenSSL是1.0.2g。我还为PC上的Windows安装了OpenSSL 1.1.1b(以检查它是否是版本问题),并成功连接到所提到的站点。
我尝试没有成功或进行任何更改: -禁用IPv6 -使用其他选项,例如-servername或特定协议 -在主机文件上指定服务器IP -重新启动 -更新 -更新CA证书 -设置防火墙(两个服务器防火墙均配置相同)
我必须说并非在所有站点上都发生此错误,实际上,我只是在这个特定站点celcer.sri.gob.ec上发现了此问题,该站点是地方政府站点,甚至认为也没有用而且徒劳无益他们更改了任何内容(即使配置不正确),这也是 IS 也是我唯一需要了解的站点。
经过数小时的阅读和探索,我现在绝望了。我能找到的唯一区别是,这台新服务器是一台AWS EC2服务器,并且某些中间层的亚马逊防火墙导致了此问题,但是我不知道如何调试这种说法。我的EC2安全组只为Web服务器打开了端口80和443,为特定IP设置了SSH。
请帮助
编辑1: 我之前曾尝试过,结果相同:
$ openssl s_client -connect celcer.sri.gob.ec:443 -servername celcer.sri.gob.ec
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 319 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
是的,它可以与其他多个https网站一起使用,例如:
s$ openssl s_client -connect stackoverflow.com:443
CONNECTED(00000003)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 High Assurance Server CA
verify return:1
depth=0 C = US, ST = NY, L = New York, O = "Stack Exchange, Inc.", CN = *.stackexchange.com
verify return:1
---
Certificate chain
0 s:C = US, ST = NY, L = New York, O = "Stack Exchange, Inc.", CN = *.stackexchange.com
i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 High Assurance Server CA
1 s:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 High Assurance Server CA
i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV Root CA
---
Server certificate, etc, etc....
编辑2: 因此,当我继续摆弄这个问题时,由于我确信每一分钟都写了《 AWS问题》,所以我去了我的AWS账户,创建了一个安全组,该安全组允许所有入站和出站流量,并启动了新的Ubuntu实例,我登录后便立即尝试使用opensl,首先在任何安全站点上都尝试使用该站点,然后在两种情况下都使用提到的站点和 SAME RESPONSE ,一个成功的错误号为errno = 104 。
然后这次使用Amazon Linux 启动了另一个新实例,这是登录后的第一件事,并且在两种情况下都实现了 SAME RESPONSE ,一个成功的问题是errno = 104。
这很有趣,因为我现在几乎可以确定它不是服务器的配置,而是亚马逊和celcer.sri.gob.ec之间的某些防火墙上的一个块。问题是我怎么能发现这一点,网络是我的IT技能中较少的一个。
请帮助。
答案 0 :(得分:0)
尽管我们可能永远找不到导致问题的原因,但我遵循了AWS论坛成员的建议,该成员发现解决方案是移至另一个AWS区域。不知何故,我需要与之通信的政府服务器在某个地方中断了与我选择启动实例的特定原始区域的通信。
我选择了另一个地区,问题就解决了。