Nginx HTTPS: "This server could not prove that it is [domain]"

Problem

The mobile team recently reported that links shared to WeChat sometimes open and sometimes do not; the exact error is shown below. Only Android is affected, iOS works fine. Opening the link in an Android browser shows the following error.

The error log the developers printed from the app code reads:

    primary error: 3 certificate: Issued to: CN=*.example.com,C=CN;
    Issued by: CN=Certum Domain Validation CA SHA2,OU=Certum Certification Authority,O=Unizeto Technologies S.A.,C=PL;
    on URL: https://example.com/

Analysis

This was the first time I had run into this problem, so I went straight to Google to see whether anyone had a fix. Every answer said to add a snippet at the code level, but the developers had already done that and the problem persisted. After most of a day of fiddling, it occurred to me to look at the Apache SSL configuration that an outsourcer had written earlier, and I found this directive:

    SSLCertificateChainFile "/etc/ssl/bundle.crt"

Nothing equivalent was configured in Nginx. Another quick search led me to the nginx documentation:

http://nginx.org/en/docs/http/configuring_https_servers.html

which contains this passage:

SSL certificate chains
Some browsers may complain about a certificate signed by a well-known certificate authority, while other browsers may accept the certificate without issues. This occurs because the issuing authority has signed the server certificate using an intermediate certificate that is not present in the certificate base of well-known trusted certificate authorities which is distributed with a particular browser. In this case the authority provides a bundle of chained certificates which should be concatenated to the signed server certificate. The server certificate must appear before the chained certificates in the combined file:

    $ cat www.example.com.crt bundle.crt > www.example.com.chained.crt

The resulting file should be used in the ssl_certificate directive:

    server {
        listen              443 ssl;
        server_name         www.example.com;
        ssl_certificate     www.example.com.chained.crt;
        ssl_certificate_key www.example.com.key;
        ...
    }

If the server certificate and the bundle have been concatenated in the wrong order, nginx will fail to start and will display the error message:

    SSL_CTX_use_PrivateKey_file(" ... /www.example.com.key") failed
    (SSL: error:0B080074:x509 certificate routines:
    X509_check_private_key:key values mismatch)

because nginx has tried to use the private key with the bundle’s first certificate instead of the server certificate.

Solution

The documentation says, in short, that some browsers also need the intermediate certificate, and without it they report an error. That matched my earlier reading of the Apache configuration. I regenerated the certificate file exactly as the documentation describes:

    cat www.example.com.crt bundle.crt > www.example.com.chained.crt

Remember that the order must not be reversed (server certificate first, then the bundle). Then point the nginx configuration at the new file:

    ...
    ssl_certificate /etc/ssl/www.example.com.chained.crt;
    ...

After reloading the configuration the error was gone. Done!

SLB certificate format error

Because HTTPS is terminated on SLB (Alibaba Cloud Server Load Balancer), the certificate also has to be uploaded to SLB, but the upload failed with a "certificate format error".

This Alibaba Cloud document explains that the certificate file must not contain blank lines; removing the blank lines fixed the error.

https://help.aliyun.com/document_detail/32332.html?spm=5176.doc32336.2.3.2i8bTn
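The following script is an added example and not part of the original post or of the nginx or Alibaba Cloud documentation. It puts the two fixes above into one place: it builds the chained file in the order nginx expects (server certificate first, then the CA bundle) while stripping the blank lines that SLB rejects, and then runs the two openssl checks a practitioner wants before reloading nginx: whether the private key matches the first certificate in the file (wrong order gives the "key values mismatch" error quoted above) and whether the leaf verifies up to the root using only the intermediates in the file (a missing intermediate is the Android error at the top of the post). All file names are assumptions, and make_demo_pki generates a throw-away root/intermediate/leaf PKI as constructed test material so the checks can be run without real certificates.

```shell
#!/bin/sh
# Added example (not from the original post): build the chained certificate
# for nginx/SLB and verify it with openssl. File names are assumptions.
set -eu

# Concatenate the server certificate and the CA bundle, in that order, and drop
# blank lines (Alibaba Cloud SLB rejects PEM files containing empty lines).
# The result is written to $3.
build_chain() {
    cat "$1" "$2" | grep -v '^[[:space:]]*$' > "$3"
}

# Number of PEM certificate blocks in a file (leaf + intermediates).
cert_count() {
    grep -c 'BEGIN CERTIFICATE' "$1"
}

# Exit 0 when the file has no blank lines, which is what SLB requires.
no_blank_lines() {
    ! grep -q '^[[:space:]]*$' "$1"
}

# Exit 0 when the private key belongs to the FIRST certificate in the file.
# openssl x509 only reads the first PEM block, which is exactly the block nginx
# pairs with ssl_certificate_key; if the bundle was concatenated first, this
# fails just like nginx does with "X509_check_private_key:key values mismatch".
# Public keys are compared instead of RSA moduli so EC keys work too.
key_matches_first_cert() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Exit 0 when the first certificate verifies up to root $2 using only the
# intermediates found in the chained file $1, i.e. the bundle is complete.
chain_verifies() {
    openssl verify -CAfile "$2" -untrusted "$1" "$1" >/dev/null 2>&1
}

# Constructed test material: a throw-away root -> intermediate -> leaf PKI in
# directory $1. bundle.crt plays the role of the CA-supplied intermediate bundle.
make_demo_pki() {
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$d/ca.ext"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Demo Root' \
        -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj '/CN=Demo Intermediate' \
        -keyout "$d/inter.key" -out "$d/inter.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$d/inter.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
        -CAcreateserial -extfile "$d/ca.ext" -out "$d/inter.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj '/CN=www.example.com' \
        -keyout "$d/www.example.com.key" -out "$d/www.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$d/www.csr" -CA "$d/inter.crt" -CAkey "$d/inter.key" \
        -CAcreateserial -out "$d/www.example.com.crt" 2>/dev/null
    cp "$d/inter.crt" "$d/bundle.crt"
}

# Usage with real files (assumed paths):
#   build_chain www.example.com.crt bundle.crt www.example.com.chained.crt
#   key_matches_first_cert www.example.com.chained.crt www.example.com.key && echo "order ok"
#   chain_verifies www.example.com.chained.crt /path/to/root.crt && echo "chain ok"
```

Run the two checks before `nginx -s reload`: key_matches_first_cert catches a reversed concatenation, and chain_verifies catches a bundle that is missing an intermediate (note that a reversed file still passes chain_verifies, because the intermediate alone verifies against the root, so both checks are needed). The same chained, blank-line-free file is what gets uploaded to SLB.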
