Let's Encrypt, Firefox, Peer's Certificate issuer is not recognized

I recently moved my TLS termination from the backend server back to my reverse proxy, and ran into this very specific problem.

When connecting to my nextcloud site, Firefox shows SEC_ERROR_UNKNOWN_ISSUER

More information about the error (certificate information at the bottom):

https://nextcloud.domain.com/

Peer’s Certificate issuer is not recognized.


HTTP Strict Transport Security: false

HTTP Public Key Pinning: false

Strangely, this problem does not appear in any other browser, only Firefox (Firefox 95, Ubuntu 20.04, Windows 10 and Android 12; no extensions). The error only appears when I first browse to the site, then close Firefox, then reopen it and browse to any URL on nextcloud. Unfortunately the error does not necessarily happen on the second visit, but whether it is the second, third or fourth visit after a Firefox restart, the error does happen. I can resolve the error by restarting nginx on the reverse proxy.

To be clear, a Firefox restart seems to trigger this error; closing the tab and reopening it does not produce the error. I also tried clearing the site data in Firefox and restarting, but the error still occurs.

Even stranger, I have several other sites on the same reverse proxy that use Let's Encrypt certs (different subdomains), and I cannot reproduce the error there. It seems to be limited to firefox+nextcloud+nginx. Restarting the backend nginx/server does not affect it, though. So I think there must be a specific configuration missing on my reverse proxy.

I am at a loss here; the only things that changed are where TLS terminates and the new Let's Encrypt certificate. Hopefully I am overlooking something obvious and this is not a bigger problem.

Full nginx config (minus other subdomains and mime types):

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# configuration file /etc/nginx/nginx.conf:
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
        worker_connections 768;
        # multi_accept on;
}
http {
        ##
        # Basic Settings
        ##

        sendfile on;
        tcp_nopush on;
        tcp_nodelay on;
        keepalive_timeout 65;
        types_hash_max_size 2048;
        server_tokens off;

        # server_names_hash_bucket_size 64;
        # server_name_in_redirect off;

        include /etc/nginx/mime.types;
        default_type application/octet-stream;

        ##
        # SSL Settings
        ##

        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_prefer_server_ciphers on;

        ##
        # Logging Settings
        ##

        ##
        # Gzip Settings
        ##

        gzip on;

        # gzip_vary on;
        # gzip_proxied any;
        # gzip_comp_level 6;
        # gzip_buffers 16 8k;
        # gzip_http_version 1.1;
        # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

        ##
        # Virtual Host Configs
        ##

        include /etc/nginx/sites-enabled/*;

        ##
        # Hardening
        ##
 
        add_header Allow "GET, POST, HEAD" always;
        add_header X-XSS-Protection "1; mode=block";
}


# configuration file /etc/nginx/snippets/ssl-params.conf:
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA HIGH !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
resolver 1.1.1.1 valid=300s;
resolver_timeout 5s;
# Disable preloading HSTS for now.  You can use the commented out header line that includes
# the "preload" directive if you understand the implications.
add_header Strict-Transport-Security "max-age=15552000; includeSubdomains; preload";
add_header X-Frame-Options "DENY" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "no-referrer" always;
add_header X-Download-Options "noopen" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "none" always;
add_header X-XSS-Protection "1; mode=block" always;

ssl_dhparam /etc/ssl/certs/dhparam.pem;

# configuration file /etc/nginx/sites-enabled/nextcloud.domain.com:
server {
        listen 443 ssl http2;
        ssl_certificate /etc/letsencrypt/live/nextcloud.domain.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/nextcloud.domain.com/privkey.pem;
        include snippets/ssl-params.conf;
        server_name nextcloud.domain.com;
        location / {
                proxy_pass https://BACKENDIP;
                proxy_set_header X-Real-IP $remote_addr;
        }
}

# configuration file /etc/nginx/sites-enabled/reverseproxy.conf:
server {
        listen 80;
        server_name _;
        return 301 https://$host$request_uri;
}

Some information about the server certificate, obtained via Firefox:

Subject Name
Common Name nextcloud.domain.com

Issuer Name
Country US
Organization Let's Encrypt
Common Name R3

Validity
Not Before Fri, 10 Dec 2021 19:29:21 GMT
Not After Thu, 10 Mar 2022 19:29:20 GMT

Intermediate certificate:

Subject Name
Country US
Organization Let's Encrypt
Common Name R3

Issuer Name
Country US
Organization Internet Security Research Group
Common Name ISRG Root X1

Validity
Not Before Fri, 04 Sep 2020 00:00:00 GMT
Not After Mon, 15 Sep 2025 16:00:00 GMT

Root certificate:

Subject Name
Country US
Organization Internet Security Research Group
Common Name ISRG Root X1

Issuer Name
Organization Digital Signature Trust Co.
Common Name DST Root CA X3

Validity
Not Before Wed, 20 Jan 2021 19:14:03 GMT
Not After Mon, 30 Sep 2024 18:14:03 GMT
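To see what a browser does with a chain like the one listed above, here is an added example (not code from the original post) that walks a served chain by matching each certificate's issuer to the next certificate's subject until a trust anchor is reached, and reports a missing intermediate, the usual cause of SEC_ERROR_UNKNOWN_ISSUER. The chain data is constructed from the names shown above, and the trust-store contents are an assumption modelled on a current Mozilla root store (ISRG Root X1 trusted directly, the expired DST Root CA X3 not).

```python
# Added example: browser-style path building over a served certificate chain.
# The real order a server sends can be listed with:
#   openssl s_client -connect host:443 -servername host -showcerts </dev/null
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str

# Constructed from the chain shown above, in the order nginx serves fullchain.pem.
SERVED_CHAIN = [
    Cert("nextcloud.domain.com", "R3"),
    Cert("R3", "ISRG Root X1"),
    Cert("ISRG Root X1", "DST Root CA X3"),  # cross-signed copy of the ISRG root
]

# Assumption: ISRG Root X1 is a trust anchor in the browser; DST Root CA X3 is not.
FIREFOX_TRUST_ANCHORS = {"ISRG Root X1"}

def build_path(served, trust_anchors):
    """Return (status, subjects_on_path) for a chain whose first entry is the leaf.
    status is 'trusted', 'missing_issuer' or 'untrusted_root'. Only subject/issuer
    linkage is modelled; a real validator also checks signatures, dates and names."""
    by_subject = {c.subject: c for c in served}
    current = served[0]
    path = [current.subject]
    for _ in range(len(served)):
        if current.subject in trust_anchors:
            return "trusted", path
        if current.issuer in trust_anchors:
            # Anchor reached by name: the browser uses its own copy of the root, so
            # a cross-signed root sent by the server (and its expiry) is ignored.
            path.append(current.issuer)
            return "trusted", path
        if current.issuer == current.subject:
            return "untrusted_root", path          # self-signed, but not in the store
        nxt = by_subject.get(current.issuer)
        if nxt is None:
            # Nothing served links to this issuer: unless the browser has a cached
            # copy of the intermediate, it reports an unknown issuer.
            return "missing_issuer", path
        current = nxt
        path.append(current.subject)
    return "missing_issuer", path                  # chain loops without reaching a root

if __name__ == "__main__":
    print(build_path(SERVED_CHAIN, FIREFOX_TRUST_ANCHORS))
    # Leaf only, as when cert.pem is served instead of fullchain.pem:
    print(build_path(SERVED_CHAIN[:1], FIREFOX_TRUST_ANCHORS))
```

Comparing the output for the vhost that fails against one that works is a quick way to confirm whether the served chain itself differs between them.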

There are no errors on the proxy or the server. HTTP requests show up with code 200.

Here is a comparison of the two certificates on my two servers, both issued via Let's Encrypt Certbot a few minutes apart:

This is the certificate Firefox has problems with: (image: certificate error)

This is the certificate Firefox accepts: (image: good certificate)

One slightly worrying thing is that when I browse in Chrome to the site Firefox does not trust, I get a root certificate that was not issued by the same organization.
