Nginx 的自签名 SSL 证书无法与 Chrome 一起使用

我已经为本地主机 nginx 开发环境生成了自签名 SSL 证书和颁发机构，并在 Firefox 和 Chrome 中导入了证书颁发机构。

- Firefox：运行正常，证书被识别/有效，HTTPS 运行正常

- Chrome：出现错误，网站无法加载

This site can’t provide a secure connection
localhost sent an invalid response.
ERR_SSL_PROTOCOL_ERROR

以下是我一步步做的

/tmp/openssl.cnf步骤 1.使用以下代码创建一个文件

[req]
default_bits = 2048
distinguished_name = req_distinguished_name
prompt = no

[req_distinguished_name]
C = US
ST = New York
L = Rochester
O = Localhost CA
OU = Development
CN = localhost

[ CA_default ]
copy_extensions = copy

[v3_ca]
subjectAltName = @alternate_names
keyUsage = critical, digitalSignature, cRLSign, keyCertSign, keyEncipherment

[alt_names]
DNS.1 = localhost
# Support subdomains
#DNS.2 = *.domain.local

步骤 2. 使用以下方式生成证书/密钥对

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/localhost.key -out /etc/ssl/localhost.crt -config /tmp/openssl.cnf

步骤 3. 生成自定义证书颁发机构

cat /etc/ssl/localhost.key /etc/ssl/localhost.crt > /etc/ssl/custom-ca.crt

步骤 4. 通过执行以下操作，将 /etc/ssl/custom-ca.crt 导入为操作系统 (Ubuntu) 的受信任证书颁发机构：

mkdir /usr/share/ca-certificates/extra
cp /etc/ssl/custom-ca.crt /usr/share/ca-certificates/extra/
echo "extra/foo.crt" >> /etc/ca-certificates.conf
update-ca-certificates

步骤 5. 在两个浏览器中导入 /etc/ssl/custom-ca.crt 作为受信任的证书颁发机构，然后重新启动它们

这是我的 nginx 配置

upstream backend {
        server 127.0.0.1:3000;
}

server {
        listen 443 ssl http2 default_server;
        listen [::]:443 http2 ipv6only=on default_server;

        server_name _;
        access_log /var/log/nginx/web-access.log;

        ssl_certificate /etc/ssl/localhost.crt;
        ssl_certificate_key /etc/ssl/localhost.key;

        root /var/www/mysite/public;

        location / {
                try_files $uri @backend; # Try static files first, then NodeJs
        }

        gzip on;
        gzip_min_length  256;
        gzip_proxied     any;
        gzip_comp_level 6;
        gzip_types  text/css text/javascript text/xml text/plain text/x-component application/javascript application/json application/xml application/rss+xml font/truetype font/opentype application/vnd.ms-fontobject image/svg+xml;
        gzip_vary on;
        gzip_disable     "msie6";

        ## All static files will be served directly.
        location ~* ^.+\.(?:css|cur|js|jpe?g|gif|htc|ico|png|html|xml|otf|ttf|eot|webp|woff|woff2|svg)$ {
            access_log off;
            expires 365d;
            add_header Cache-Control public;

            ## No need to bleed constant updates. Send the all shebang in one
            ## fell swoop.
            tcp_nodelay off;

            ## Set the OS file cache.
            open_file_cache max=3000 inactive=120s;
            open_file_cache_valid 45s;
            open_file_cache_min_uses 2;
            open_file_cache_errors off;
        }

        location @backend {
                proxy_pass http://backend;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header Host $host;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
}