当尝试通过设置 -> 证书管理器(按照说明)为我的 Asustor NAS 生成 Let's Encrypt 证书时,该过程反复失败并出现错误Ref. 5402
。Let's Encrypt ACME Client
从 Asustor卸载/重新安装App Central
没有帮助。我还能尝试什么
有什么方法可以在没有公共证书的情况下配置 Nginx 吗?
这里的目标是,我想在公共互联网上发布 API,但所有 API 客户端(白名单客户端)都应该在其应用程序中 SSL 固定公共证书,而不是根据请求获取临时证书。所以我们不需要nginx来发布公共证书。
我知道公开共享证书是无害的,但这个特殊的要求来自我们的企业客户。他们甚至询问我们是否可以在 nginx 中放入无效的公共证书...因此,当没有真正公共证书的“攻击者”会将 API 视为错误时,而真正的 ssl 固定客户端将能够使用API 正常。
从昨天开始,我遇到了与https://upload.wikimedia.org/ URL 相关的任何问题,它们都给出了ERR_CERT_COMMON_NAME_INVALID
错误。
我尝试了一些故障排除,发现 SSL Checker 没有检测到错误(https://www.sslshopper.com/ssl-checker.html#hostname=https://upload.wikimedia.org/),甚至尝试使用以下命令访问 URL像https://www.proxysite.com/这样的代理网站是有效的。
我注意到我获得的证书至少可以说看起来很可疑。什么是sinkhole.duskrise.com
?
每个浏览器都会发生这种情况,甚至在 Windows 11 沙盒模式中也是如此。请注意,在 Wi-Fi 上一切正常,问题似乎仅在通过 LAN 连接时才会出现。我正在使用由我的 ISP (WindTre) 提供的 Home&Life HUB。
这可能与恶意软件有关吗?请注意,这是我遇到问题的唯一网站,维基百科工作正常,除了所有图像未显示托管在wikimedia.org
.
我正在尝试设置 nginx 作为小型个人服务器上的反向代理;但是,当我要求 certbot 生成 SSL 证书时,我遇到了一些循环逻辑。据我所知,certbot 应该修改 nginx.conf 文件以使用 certbot 的 SSL 证书,但如果 nginx.conf 未正确设置为使用 SLL 证书,则 certbot 将不会运行。这是我的nginx.conf
:
# /etc/nginx/nginx.conf
# Define the default server block to redirect all other traffic to a static HTML >
http{
server {
listen 80 default_server;
server_name _;
# Redirect all other traffic to the static HTML page
location / {
root /var/www/html;
index index.html;
}
}
# Server block for sub1.myDomain.org HTTP traffic
server {
listen 80;
server_name sub1.myDomain.org;
location / {
proxy_pass http://localhost:60000;
}
}
# Server block for sub1.myDomain.org HTTPS traffic
server {
listen 443 ssl;
server_name sub1.myDomain.org;
ssl_certificate /etc/letsencrypt/live/sub1.myDomain.org/fullchain.pem
ssl_certificate_key /etc/letsencrypt/live/sub1.myDomain.org/privatekey.pem
location / {
proxy_pass https://localhost:60001;
}
}
# Server block for sub2.myDomain.org HTTP traffic
server {
listen 80;
server_name sub2.myDomain.org;
location / {
proxy_pass http://localhost:60600;
}
}
# Server block for sub2.myDomain.org HTTPS traffic
server {
listen 443 ssl;
server_name sub2.myDomain.org;
ssl_certificate /etc/letsencrypt/live/sub2.myDomain.org/fullchain.pem
ssl_certificate_key /etc/letsencrypt/live/sub2.myDomain.org/privatekey.pem
location / {
proxy_pass https://localhost:60601;
}
}
}
当我运行sudo certbot --nginx -d sub1.myDomain.org
或sudo certbot certonly --nginx
出现以下错误时:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Error while running nginx -c /etc/nginx/nginx.conf -t.
nginx: [emerg] cannot load certificate "/etc/letsencrypt/live/sub1.myDomain.org/fullchain.pem": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/letsencrypt/live/sub1.myDomain.org/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)
nginx: configuration file /etc/nginx/nginx.conf test failed
The nginx plugin is not working; there may be problems with your existing configuration.
The error was: MisconfigurationError('Error while running nginx -c /etc/nginx/nginx.conf -t.\n\nnginx: [emerg] cannot load certificate "/etc/letsencrypt/live/sub1.myDomain.org/fullchain.pem": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen(\'/etc/letsencrypt/live/sub1.myDomain.org/fullchain.pem\',\'r\') error:2006D080:BIO routines:BIO_new_file:no such file)\nnginx: configuration file /etc/nginx/nginx.conf test failed\n')
我缺少什么?预先非常感谢您的帮助。内容letsencrypt.log
:
2023-08-06 11:02:40,026:DEBUG:urllib3.connectionpool:http://localhost:None "GET /v2/connections?snap=certbot&interface=content HTTP/1.1" 200 97
2023-08-06 11:02:40,414:DEBUG:certbot._internal.main:certbot version: 2.6.0
2023-08-06 11:02:40,414:DEBUG:certbot._internal.main:Location of certbot entry point: /snap/certbot/3024/bin/certbot
2023-08-06 11:02:40,414:DEBUG:certbot._internal.main:Arguments: ['--nginx', '-d', 'sub1.myDomain.org', '--preconfigured-renewal']
2023-08-06 11:02:40,414:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEn>
2023-08-06 11:02:40,431:DEBUG:certbot._internal.log:Root logging level set at 30
2023-08-06 11:02:40,433:DEBUG:certbot._internal.plugins.selection:Requested authenticator nginx and installer nginx
2023-08-06 11:02:40,449:ERROR:certbot.util:Error while running nginx -c /etc/nginx/nginx.conf -t.
nginx: [emerg] cannot load certificate "/etc/letsencrypt/live/sub1.myDomain.org/fullchain.pem": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such fi>
nginx: configuration file /etc/nginx/nginx.conf test failed
2023-08-06 11:02:40,450:DEBUG:certbot._internal.plugins.disco:Misconfigured PluginEntryPoint#nginx: Error while running nginx -c /etc/nginx/nginx.conf -t.
nginx: [emerg] cannot load certificate "/etc/letsencrypt/live/sub1.myDomain.org/fullchain.pem": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such fi>
nginx: configuration file /etc/nginx/nginx.conf test failed
Traceback (most recent call last):
File "/snap/certbot/3024/lib/python3.8/site-packages/certbot_nginx/_internal/configurator.py", line 1003, in config_test
util.run_script([self.conf('ctl'), "-c", self.nginx_conf, "-t"])
File "/snap/certbot/3024/lib/python3.8/site-packages/certbot/util.py", line 125, in run_script
raise errors.SubprocessError(msg)
certbot.errors.SubprocessError: Error while running nginx -c /etc/nginx/nginx.conf -t.
nginx: [emerg] cannot load certificate "/etc/letsencrypt/live/sub1.myDomain.org/fullchain.pem": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such fi>
nginx: configuration file /etc/nginx/nginx.conf test failed
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/snap/certbot/3024/lib/python3.8/site-packages/certbot/_internal/plugins/disco.py", line 111, in prepare
self._initialized.prepare()
File "/snap/certbot/3024/lib/python3.8/site-packages/certbot_nginx/_internal/configurator.py", line 199, in prepare
self.config_test()
File "/snap/certbot/3024/lib/python3.8/site-packages/certbot_nginx/_internal/configurator.py", line 1005, in config_test
raise errors.MisconfigurationError(str(err))
certbot.errors.MisconfigurationError: Error while running nginx -c /etc/nginx/nginx.conf -t.
nginx: [emerg] cannot load certificate "/etc/letsencrypt/live/sub1.myDomain.org/fullchain.pem": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such fi>
nginx: configuration file /etc/nginx/nginx.conf test failed
2023-08-06 11:02:40,452:DEBUG:certbot._internal.plugins.selection:Single candidate plugin: * nginx
Description: Nginx Web Server plugin
Interfaces: Authenticator, Installer, Plugin
Entry point: nginx = certbot_nginx._internal.configurator:NginxConfigurator
Initialized: <certbot_nginx._internal.configurator.NginxConfigurator object at 0x7f8058ca2e50>
Prep: Error while running nginx -c /etc/nginx/nginx.conf -t.
nginx: [emerg] cannot load certificate "/etc/letsencrypt/live/sub1.myDomain.org/fullchain.pem": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such fi>
nginx: configuration file /etc/nginx/nginx.conf test failed
是否可以找到特定网站的 SSL 证书颁发者的历史记录?例如,如果一个网站原来有 A 公司颁发的证书,那么该网站有 B 公司颁发的新证书?我能否查到A公司是谁以及从开始到结束日期颁发证书的时间?在这种情况下,我无法访问托管该网站的服务器。我尝试通过网络浏览器查看证书信息,但似乎没有看到任何此类记录。
尝试连接到 github 时出现以下错误:
curl -vLk https://api.github.com/rate_limit
* Trying 140.82.121.6:443...
* Connected to api.github.com (140.82.121.6) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
* CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* error:1408F10B:SSL routines:ssl3_get_record:wrong version number
* Closing connection 0
curl: (35) error:1408F10B:SSL routines:ssl3_get_record:wrong version number
这是在运行 rasbian bullseye 的树莓派上。
在同一网络上我的其他客户端上,运行 Ubuntu 22.04,一切正常。
我确实相信 openssl 版本足够好:
python -c 'import ssl; print(ssl.OPENSSL_VERSION)'
OpenSSL 1.1.1n 15 Mar 2022
任何想法如何解决这个问题?
升级到 Thunderbird 102(从 Ubuntu 20.04 存储库上的任何先前版本)后,我无法再连接到我运行的 CalDAV 服务器。Thunderbird 拒绝该证书,声称它属于不同的站点。
我连接到服务器的 FQDN 与证书的通用名称匹配,并且证书没有过期——我已经验证了这两件事。
该证书由私人 CA 颁发,我在升级之前很久就将其证书添加到了商店。我能够在升级之前连接到服务器。
即使定义安全异常也不起作用:每次刷新时,我都会收到相同的证书错误。
我的智能手机使用 DAVx⁵ 连接到同一台服务器没有问题。
如果我尝试使用 Firefox 105.0 连接到服务器,我会收到类似的错误 ( SSL_ERROR_BAD_CERT_DOMAIN
),但在添加安全异常后可以连接。(由于 Firefox 与 Thunderbird 共享一些代码,它们也可能共享某些错误或意外行为。)
证书没有指定密钥使用的任何目的——我已经看到其他一些应用程序因此开始拒绝证书,所以我想知道这是否是问题所在(在这种情况下,错误消息会产生误导)。
有任何想法吗?
我正在使用一种动态语言,它通过 FFI 包装 wldap32 dll。我正在使用 ApacheDS,我可以使用普通 LDAP 从我的客户端完美连接到它。但是,使用 LDAPS 时我无法连接到它。是的,选中该复选框以启动 LDAP(在端口 10636 上),一切似乎都很好。事实上,在 ApacheDS 中,我可以打开到 LDAPS 的连接并且它可以工作。问题出在我的客户身上。
我注意到在日志中,打印了以下内容:
[17:28:23] WARN [org.apache.directory.server.ldap.LdapProtocolHandler] - Unexpected exception forcing session to close: sending disconnect notice to client.
javax.net.ssl.SSLException: Improper close state: Status = OK HandshakeStatus = NEED_WRAP
bytesConsumed = 0 bytesProduced = 7 sequenceNumber = 1
at org.apache.mina.filter.ssl.SslHandler.closeOutbound(SslHandler.java:497)
at org.apache.mina.filter.ssl.SslFilter.initiateClosure(SslFilter.java:762)
at org.apache.mina.filter.ssl.SslFilter.filterClose(SslFilter.java:693)
at org.apache.mina.core.filterchain.DefaultIoFilterChain.callPreviousFilterClose(DefaultIoFilterChain.java:776)
at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1600(DefaultIoFilterChain.java:49)
at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.filterClose(DefaultIoFilterChain.java:1155)
at org.apache.mina.core.filterchain.IoFilterAdapter.filterClose(IoFilterAdapter.java:146)
at org.apache.mina.core.filterchain.DefaultIoFilterChain.callPreviousFilterClose(DefaultIoFilterChain.java:776)
at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1600(DefaultIoFilterChain.java:49)
at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.filterClose(DefaultIoFilterChain.java:1155)
at org.apache.mina.filter.executor.ExecutorFilter.filterClose(ExecutorFilter.java:608)
at org.apache.mina.core.filterchain.DefaultIoFilterChain.callPreviousFilterClose(DefaultIoFilterChain.java:776)
at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1600(DefaultIoFilterChain.java:49)
at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.filterClose(DefaultIoFilterChain.java:1155)
at org.apache.mina.core.filterchain.IoFilterAdapter.filterClose(IoFilterAdapter.java:146)
at org.apache.mina.core.filterchain.DefaultIoFilterChain.callPreviousFilterClose(DefaultIoFilterChain.java:776)
at org.apache.mina.core.filterchain.DefaultIoFilterChain.fireFilterClose(DefaultIoFilterChain.java:769)
at org.apache.mina.core.session.AbstractIoSession.closeNow(AbstractIoSession.java:353)
at org.apache.mina.core.service.IoHandlerAdapter.inputClosed(IoHandlerAdapter.java:102)
at org.apache.mina.core.filterchain.DefaultIoFilterChain$TailFilter.inputClosed(DefaultIoFilterChain.java:997)
at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextInputClosed(DefaultIoFilterChain.java:735)
at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:49)
at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.inputClosed(DefaultIoFilterChain.java:1119)
at org.apache.mina.core.filterchain.IoFilterAdapter.inputClosed(IoFilterAdapter.java:154)
at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextInputClosed(DefaultIoFilterChain.java:735)
at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:49)
at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.inputClosed(DefaultIoFilterChain.java:1119)
at org.apache.mina.core.filterchain.IoFilterAdapter.inputClosed(IoFilterAdapter.java:154)
at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextInputClosed(DefaultIoFilterChain.java:735)
at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:49)
at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.inputClosed(DefaultIoFilterChain.java:1119)
at org.apache.mina.core.filterchain.IoFilterAdapter.inputClosed(IoFilterAdapter.java:154)
at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextInputClosed(DefaultIoFilterChain.java:735)
at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:49)
at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.inputClosed(DefaultIoFilterChain.java:1119)
at org.apache.mina.core.filterchain.IoFilterAdapter.inputClosed(IoFilterAdapter.java:154)
at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextInputClosed(DefaultIoFilterChain.java:735)
at org.apache.mina.core.filterchain.DefaultIoFilterChain.fireInputClosed(DefaultIoFilterChain.java:728)
at org.apache.mina.core.polling.AbstractPollingIoProcessor.read(AbstractPollingIoProcessor.java:556)
at org.apache.mina.core.polling.AbstractPollingIoProcessor.access$1200(AbstractPollingIoProcessor.java:68)
at org.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.process(AbstractPollingIoProcessor.java:1222)
at org.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.process(AbstractPollingIoProcessor.java:1211)
at org.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.run(AbstractPollingIoProcessor.java:683)
at org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:64)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
at java.base/java.lang.Thread.run(Thread.java:829)
在我的 C 客户端上,调用函数 ldap_simple_bind_s() 时出现错误“LDAP_SERVER_DOWN (81)”
这有什么告诉任何人的吗?
提前致谢!