nginx: [warn] "ssl_stapling" ignored, host not found in OCSP responder "r3.o.lencr.org" in the certificate

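I updated my router firmware, and it ended up killing my web server, so I reverted to the old firmware, hoping it would recover on its own. It did not.

So now I am troubleshooting a problem that is probably beyond me, and I can't get it to work. All the applications I run in the background work fine, and the internet/LAN works fine as well.

Whenever I try to start the nginx web server, it returns this OCSP responder message. I have tried changing a few things, to no avail. Why would I have to change anything to get it working when I didn't change anything to mess it up?

I tried turning on nginx debug mode, and it showed me the following: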

2022/07/15 11:53:50 [debug] 2294#2294: *308 write new buf t:1 f:0 000055F521DAC0C0, pos 000055F521DAC0C0, size: 268 file: 0, size: 0
2022/07/15 11:53:50 [debug] 2294#2294: *308 http write filter: l:0 f:0 s:268
2022/07/15 11:53:50 [debug] 2294#2294: *308 http output filter "/scrape?info_hash=%9b%3di%c5%da%0dIUt7%99%ef%c6%ff%28s%fc%81I%ae"
2022/07/15 11:53:50 [debug] 2294#2294: *308 http copy filter: "/scrape?info_hash=%9b%3di%c5%da%0dIUt7%99%ef%c6%ff%28s%fc%81I%ae"
2022/07/15 11:53:50 [debug] 2294#2294: *308 image filter
2022/07/15 11:53:50 [debug] 2294#2294: *308 xslt filter body
2022/07/15 11:53:50 [debug] 2294#2294: *308 http postpone filter "/scrape?info_hash=%9b%3di%c5%da%0dIUt7%99%ef%c6%ff%28s%fc%81I%ae" 000055F521D4F2B0
2022/07/15 11:53:50 [debug] 2294#2294: *308 write old buf t:1 f:0 000055F521DAC0C0, pos 000055F521DAC0C0, size: 268 file: 0, size: 0
2022/07/15 11:53:50 [debug] 2294#2294: *308 write new buf t:0 f:0 0000000000000000, pos 000055F520815B20, size: 116 file: 0, size: 0
2022/07/15 11:53:50 [debug] 2294#2294: *308 write new buf t:0 f:0 0000000000000000, pos 000055F520815E20, size: 62 file: 0, size: 0
2022/07/15 11:53:50 [debug] 2294#2294: *308 http write filter: l:1 f:0 s:446
2022/07/15 11:53:50 [debug] 2294#2294: *308 http write filter limit 0
2022/07/15 11:53:50 [debug] 2294#2294: *308 writev: 446 of 446
2022/07/15 11:53:50 [debug] 2294#2294: *308 http write filter 0000000000000000
2022/07/15 11:53:50 [debug] 2294#2294: *308 http copy filter: 0 "/scrape?info_hash=%9b%3di%c5%da%0dIUt7%99%ef%c6%ff%28s%fc%81I%ae"
2022/07/15 11:53:50 [debug] 2294#2294: *308 http finalize request: 0, "/scrape?info_hash=%9b%3di%c5%da%0dIUt7%99%ef%c6%ff%28s%fc%81I%ae" a:1, c:1
2022/07/15 11:53:50 [debug] 2294#2294: *308 set http keepalive handler
2022/07/15 11:53:50 [debug] 2294#2294: *308 http close request
2022/07/15 11:53:50 [debug] 2294#2294: *308 http log handler
2022/07/15 11:53:50 [debug] 2294#2294: *308 free: 000055F521D4E2C0, unused: 0
2022/07/15 11:53:50 [debug] 2294#2294: *308 free: 000055F521DABCE0, unused: 2283
2022/07/15 11:53:50 [debug] 2294#2294: *308 free: 000055F521D036F0
2022/07/15 11:53:50 [debug] 2294#2294: *308 hc free: 0000000000000000
2022/07/15 11:53:50 [debug] 2294#2294: *308 hc busy: 0000000000000000 0
2022/07/15 11:53:50 [debug] 2294#2294: *308 tcp_nodelay
2022/07/15 11:53:50 [debug] 2294#2294: *308 reusable connection: 1
2022/07/15 11:53:50 [debug] 2294#2294: *308 event timer add: 25: 75000:2596208
2022/07/15 11:55:05 [debug] 2294#2294: *308 event timer del: 25: 2596208
2022/07/15 11:55:05 [debug] 2294#2294: *308 http keepalive handler
2022/07/15 11:55:05 [debug] 2294#2294: *308 close http connection: 25
2022/07/15 11:55:05 [debug] 2294#2294: *308 reusable connection: 0
2022/07/15 11:55:05 [debug] 2294#2294: *308 free: 0000000000000000
2022/07/15 11:55:05 [debug] 2294#2294: *308 free: 000055F521DE3340, unused: 136

This is what the normal error.log throws at me via systemctl:

nginx: [warn] "ssl_stapling" ignored, host not found in OCSP responder "r3.o.lencr.org" in the certificate

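I think this is a DNS problem, but I can't figure out what it is on my own. According to forum posts, the error message indicates a problem resolving the r3.o.lencr.org name, as nginx uses the system resolver at startup.

My reverse proxy config: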

server {
        listen 80 default_server;
        #listen [::]:80 default_server;

        server_name dns.name.here 192.168.0.100;

        return 301 https://$server_name$request_uri;
}
upstream netdata {
        server 127.0.0.1:19999;
        keepalive 64;
}
server {
        #-------------------- SSL CONFIG -----------------------------------

        listen 443 ssl http2 default_server;
        listen [::]:443 ssl http2 default_server;
        include /etc/nginx/snippets/strong-ssl.conf;
        ssl_certificate /etc/letsencrypt/live/dnsname/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/dnsname/privkey.pem;
        ssl_trusted_certificate /etc/letsencrypt/live/dnsname/chain.pem;
        root /var/www/html;
        index index.html index.htm index.nginx-debian.html;
        auth_basic "Restricted";
        auth_basic_user_file /etc/nginx/.htpasswd;
        error_page 401 403 404 /404.html;
        error_log /var/log/nginx/nnferror.log;
        # First attempt to serve request as file, then as directory, then fall back to displaying a 404.
        location / {
                try_files $uri $uri/ =404;
        }
        # Deny access to .htaccess files, if Apache's document root concurs with nginx's one
        location ~ /\.ht {
                deny all;
        }
        # Let's Encrypt Webroot plugin location -- allow access
        location ^~ /.well-known/acme-challenge/ {
                auth_basic off;
                autoindex on;
        }
}

My ssl.conf:

ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;

# Set Google's public DNS servers as upstream resolver
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;

add_header Strict-Transport-Security "max-age=63072000; includeSubdomains" always;

# Modify X-Frame-Option from DENY to SAMEORIGIN, required for Deluge Web UI, ownCloud, etc.
add_header X-Frame-Options SAMEORIGIN;

add_header X-Content-Type-Options nosniff;

# Use the 2048 bit DH key
ssl_dhparam /etc/ssl/certs/dhparam.pem;

I also tried checking whether I can actually communicate with 8.8.8.8:

dig @8.8.8.8 r3.o.lencr.org

; <<>> DiG 9.11.3-1ubuntu1.17-Ubuntu <<>> @8.8.8.8 r3.o.lencr.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58758
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;r3.o.lencr.org.                        IN      A

;; ANSWER SECTION:
r3.o.lencr.org.         120     IN      CNAME   o.lencr.edgesuite.net.
o.lencr.edgesuite.net.  19792   IN      CNAME   a1887.dscq.akamai.net.
a1887.dscq.akamai.net.  20      IN      A       83.255.218.9
a1887.dscq.akamai.net.  20      IN      A       83.255.218.98

;; Query time: 63 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Fri Jul 15 12:53:27 CEST 2022
;; MSG SIZE  rcvd: 142

I also tried reinstalling nginx, but with no success.

nginx version: nginx/1.18.0 (Ubuntu)

Ubuntu 18.04

Router: Asus AC88U with Merlin v386,5 (v387 caused the problem)

Can anyone tell me what's going on here?
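
The following is an added example, not part of the original post: a check that reads the OCSP responder host from the certificate and resolves it once through the system resolver (the path the post says nginx uses at startup) and once directly against 8.8.8.8, as the `dig` test above did. The function names are hypothetical, and the script assumes `openssl`, `getent` and `dig` are installed.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.

# Host part of an OCSP responder URL, e.g. http://r3.o.lencr.org -> r3.o.lencr.org
ocsp_host_from_url() (
    rest=${1#*://}        # drop the scheme
    rest=${rest%%/*}      # drop the path
    rest=${rest##*@}      # drop any userinfo
    printf '%s\n' "${rest%%:*}"   # drop any port
)

# OCSP responder host named in a PEM certificate's AIA extension.
ocsp_host_from_cert() (
    url=$(openssl x509 -in "$1" -noout -ocsp_uri) || exit 1
    [ -n "$url" ] || exit 1
    ocsp_host_from_url "$url"
)

# Lookup through NSS/getaddrinfo (/etc/nsswitch.conf, /etc/resolv.conf).
resolves_via_system() { getent ahosts "$1" >/dev/null 2>&1; }

# Lookup sent straight to one DNS server, bypassing the system resolver.
resolves_via_server() (
    out=$(dig +short +time=3 +tries=1 "@$2" "$1" A 2>/dev/null) || exit 1
    [ -n "$out" ]
)

# Map the two results (0 = resolved, 1 = failed) to a verdict.
diagnose() {
    case "$1$2" in
        00) echo "ok" ;;
        10) echo "system-resolver-broken" ;;
        01) echo "direct-dns-blocked" ;;
        *)  echo "no-dns" ;;
    esac
}

main() (
    host=$(ocsp_host_from_cert "$1") || { echo "no OCSP URL in $1" >&2; exit 2; }
    sys=0; direct=0
    resolves_via_system "$host" || sys=1
    resolves_via_server "$host" 8.8.8.8 || direct=1
    echo "$host: $(diagnose "$sys" "$direct")"
)

# Usage: sh check.sh /etc/letsencrypt/live/dnsname/fullchain.pem
if [ $# -gt 0 ]; then main "$1"; fi
```

A `system-resolver-broken` verdict means a direct query to 8.8.8.8 succeeds while the system resolver path fails, so the place to look is `/etc/resolv.conf` and the DNS server it points to.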
