主页 / server / 问题 / 1079871
Accepted
Francesco Galgani
Asked: 2021-10-08 05:01:35 +0800 CST

Searx(基于 Nginx)“Let's Encrypt”SSL 证书对 Safari(iPhone 和 MacOS)无效,对世界其他地区有效

  • 772

我在以下位置定制了 Searx ( https://searx.me/ ) 安装: https://ricercaalternativa.mydissent.net/

多年来,它一直与 Letsencrypt 一起正常工作。然而,就在几天前,Letsencrypt 提供的证书与除 Apple(iPhone 和 macOS 上的 Safari)之外的所有东西都兼容。

此测试显示“链问题”: https ://www.ssllabs.com/ssltest/analyze.html?d=ricercaalternativa.mydissent.net

我不知道如何解决这个问题(实际上这个问题的含义是什么),也是因为 SSL 证书的安装一直是完全自动化的,使用以下 Bash 脚本:

#!/bin/bash
YOUR_DOMAIN="ricercaalternativa.mydissent.net"
certbot certonly -d ${YOUR_DOMAIN} --manual --preferred-challenges dns
service uwsgi restart
service nginx restart

无论如何,--preferred-challenges dns似乎被忽略了:它没有要求我部署 DNS 记录。这是输出:

# ./updateSSL.sh 
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/ricercaalternativa.mydissent.net.conf)

What would you like to do?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Keep the existing certificate for now
2: Renew & replace the cert (limit ~5 per 7 days)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Renewing an existing certificate

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/ricercaalternativa.mydissent.net/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/ricercaalternativa.mydissent.net/privkey.pem
   Your cert will expire on 2022-01-05. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

这是 certbot 的版本:

# apt-cache policy certbot | grep Installed
  Installed: 0.31.0-2~deb10u1+ubuntu18.04.1+certbot+3
nginx ssl-certificate lets-encrypt

1 个回答

  1. Best Answer

    您的问题源于您的网络服务器没有发送任何带有叶证书的链证书。这就是 SSL Labs 测试在显示“此服务器的证书链不完整”时试图告诉您的内容。

    浏览器和其他客户端必须猜测如何验证您发送的证书,并且在执行此操作时,有些客户端比其他客户端更有能力/更宽松。Safari 不是。由于最近的根 CA 证书到期,这只是最近才开始发生的。

    在您的 nginx 配置中,您可能有如下一行:

    ssl_certificate  /etc/letsencrypt/live/ricercaalternativa.mydissent.net/cert.pem;

    如果是这样,请更改cert.pemfullchain.pem重新启动 nginx。然后通过 SSL Labs 重新检查,看看它对您的链的描述。

    • 1

相关问题