Nginx fails to verify the upstream certificate after some time

I run an nginx proxy server in front of a WildFly application server. The two communicate over HTTPS. Nginx is configured to verify the signature of the upstream certificate:

listen 443 ssl http2;
server_name _;
ssl_certificate_key /etc/nginx/ssl/private/ssl.key.pem;
ssl_password_file   /etc/nginx/ssl/private/ssl.key.passphrase.txt;
proxy_ssl_verify on;
proxy_ssl_trusted_certificate /tmp/chain.crt;
proxy_ssl_verify_depth  10;

ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers         HIGH:!aNULL:!MD5;
proxy_buffering off;
error_log /proc/self/fd/2;
access_log /proc/self/fd/1;

# some routes omitted

location /orbis-4u/ {
    proxy_pass  https://trrswv056.agfahealthcare.com:8843/orbis-4u/;
    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Port 443;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
}

Everything works for a few hours/days. After a random period of time, nginx starts throwing verification errors:

proxy                       | 2017/04/03 14:40:12 [debug] 12#12: epoll: fd:11 ev:0001 d:00007FEFC638EB60
proxy                       | 2017/04/03 14:40:12 [debug] 12#12: timer delta: 8718
proxy                       | 2017/04/03 14:40:12 [debug] 12#12: worker cycle
proxy                       | 2017/04/03 14:40:12 [debug] 12#12: epoll timer: 13649
proxy                       | 2017/04/03 14:40:12 [debug] 12#12: epoll: fd:17 ev:0004 d:00007FEFC638EA71
proxy                       | 2017/04/03 14:40:12 [debug] 12#12: timer delta: 2
proxy                       | 2017/04/03 14:40:12 [debug] 12#12: worker cycle
proxy                       | 2017/04/03 14:40:12 [debug] 12#12: epoll timer: 13647
proxy                       | 2017/04/03 14:40:12 [debug] 12#12: epoll: fd:17 ev:0005 d:00007FEFC638EA71
proxy                       | 2017/04/03 14:40:12 [error] 12#12: *2424 upstream SSL certificate verify error: (19:self signed certificate in certificate chain) while SSL handshaking to upstream, client: 172.25.33.10, server: _, request: "GET /orbis-4u/application.wadl HTTP/2.0", upstream: "https://172.25.32.6:8843/orbis-4u/application.wadl", host: "trrsuv042.agfahealthcare.com", referrer: "https://trrsuv042.agfahealthcare.com/auth/realms/orbis/protocol/openid-connect/auth?response_type=code&client_id=orbis-u-webclient&redirect_uri=https%3A%2F%2Ftrrsuv042.agfahealthcare.com%2Forbis-4u%2Fapplication.wadl&state=e6df5055-c90f-44c4-8422-2a108a6241cc&login=true&scope=openid"
proxy                       | 2017/04/03 14:40:12 [debug] 12#12: timer delta: 4
proxy                       | 2017/04/03 14:40:12 [debug] 12#12: posted event 00007FEFC57314A0
proxy                       | 2017/04/03 14:40:12 [debug] 12#12: worker cycle
proxy                       | 2017/04/03 14:40:12 [debug] 12#12: epoll timer: 13643
proxy                       | 172.25.33.10 - - [03/Apr/2017:14:40:12 +0200] "GET /orbis-4u/application.wadl HTTP/2.0" 502 640 "https://trrsuv042.agfahealthcare.com/auth/realms/orbis/protocol/openid-connect/auth?response_type=code&client_id=orbis-u-webclient&redirect_uri=https%3A%2F%2Ftrrsuv042.agfahealthcare.com%2Forbis-4u%2Fapplication.wadl&state=e6df5055-c90f-44c4-8422-2a108a6241cc&login=true&scope=openid" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36"
proxy                       | 2017/04/03 14:40:12 [debug] 12#12: epoll: fd:11 ev:0001 d:00007FEFC638EB60
proxy                       | 2017/04/03 14:40:12 [debug] 12#12: timer delta: 61
proxy                       | 2017/04/03 14:40:12 [debug] 12#12: worker cycle
proxy                       | 2017/04/03 14:40:12 [debug] 12#12: epoll timer: 13582
proxy                       | 2017/04/03 14:40:12 [debug] 12#12: epoll: fd:17 ev:0004 d:00007FEFC638EA70
proxy                       | 2017/04/03 14:40:12 [debug] 12#12: timer delta: 1
proxy                       | 2017/04/03 14:40:12 [debug] 12#12: worker cycle
proxy                       | 2017/04/03 14:40:12 [debug] 12#12: epoll timer: 13581
proxy                       | 172.25.33.10 - - [03/Apr/2017:14:40:12 +0200] "GET /favicon.ico HTTP/2.0" 502 640 "https://trrsuv042.agfahealthcare.com/orbis-4u/application.wadl" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36"
proxy                       | 2017/04/03 14:40:12 [debug] 12#12: epoll: fd:17 ev:0005 d:00007FEFC638EA70
proxy                       | 2017/04/03 14:40:12 [error] 12#12: *2424 upstream SSL certificate verify error: (19:self signed certificate in certificate chain) while SSL handshaking to upstream, client: 172.25.33.10, server: _, request: "GET /favicon.ico HTTP/2.0", upstream: "https://172.25.32.6:8843/favicon.ico", host: "trrsuv042.agfahealthcare.com", referrer: "https://trrsuv042.agfahealthcare.com/orbis-4u/application.wadl"
proxy                       | 2017/04/03 14:40:12 [debug] 12#12: timer delta: 4
proxy                       | 2017/04/03 14:40:12 [debug] 12#12: posted event 00007FEFC57314A0
proxy                       | 2017/04/03 14:40:12 [debug] 12#12: worker cycle
proxy                       | 2017/04/03 14:40:12 [debug] 12#12: epoll timer: 13577

When I restart it, it works again (at least for a while). The /tmp/chain.crt file has the following contents:

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

The upstream returns the correct certificate chain:

openssl s_client -connect trrswv056.agfahealthcare.com:8843
CONNECTED(00000003)
depth=2 CN = ORBIS-ROOT-CERTIFICATE
verify return:1
depth=1 CN = demo
verify return:1
depth=0 CN = trrswv056.agfahealthcare.com
verify return:1
---
Certificate chain
 0 s:/CN=trrswv056.agfahealthcare.com
   i:/CN=demo
 1 s:/CN=demo
   i:/CN=ORBIS-ROOT-CERTIFICATE
 2 s:/CN=ORBIS-ROOT-CERTIFICATE
   i:/CN=ORBIS-ROOT-CERTIFICATE
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/CN=trrswv056.agfahealthcare.com
issuer=/CN=demo
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 4337 bytes and written 433 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 58E249C1A8D2311CDD1CE823EBD07E7E80855A7D40298581CFB0802503C868E3
    Session-ID-ctx: 
    Master-Key: 7A3D1E88CC714B23EE93830B69534E3AA70BDBD2FB4FA6AC38D18622DC569CCF3993934352DE509F21A77A8CD7775BAB
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1491225025
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

The nginx version is 1.11.10, running inside a Docker container (Alpine Linux).

My questions are:

  1. Why does nginx fail to verify my certificate after some time?
  2. Is there a way to debug this? As you can see, I have turned on debug logging... but it doesn't really help.
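A check script for question 2, added here and not part of the original question: run from cron, it performs the same verification nginx does (the served chain against the trust file from proxy_ssl_trusted_certificate) and records whether that file still exists, so the log shows exactly when and why verification starts failing. It assumes openssl is available in the container; host, port and trust file path are the values from the config above, and the hypothesis that a bundle kept under /tmp may be removed by tmp cleaning is the script's own assumption, not something the question establishes.

```shell
#!/bin/sh
# Added diagnostic (not from the original question): reproduces nginx's
# upstream chain verification against the same trust file and reports the
# state of that file. Assumes openssl is installed; defaults come from the
# nginx config above (upstream host:port and /tmp/chain.crt).

# count_certs FILE: number of PEM certificate blocks in FILE (0 if unreadable)
count_certs() {
    if [ ! -r "$1" ]; then
        echo 0
        return 0
    fi
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# check_trust_file FILE: succeed only if the bundle exists and holds a cert.
# A bundle under /tmp can vanish silently (tmp cleaners, restarts), which
# nginx then reports as a verify error at the next upstream handshake.
check_trust_file() {
    n=$(count_certs "$1")
    if [ "$n" -eq 0 ]; then
        echo "trust file $1 is missing or contains no certificates" >&2
        return 1
    fi
    echo "trust file $1: $n certificate(s), $(ls -l "$1")"
}

# check_upstream HOST:PORT FILE: verify the served chain against FILE the way
# nginx does (proxy_ssl_verify on) and print the per-depth verify lines.
check_upstream() {
    out=$(openssl s_client -connect "$1" -servername "${1%%:*}" \
          -CAfile "$2" 2>&1 </dev/null)
    printf '%s\n' "$out" | grep -E '^(depth=|verify )' || true
    code=$(printf '%s\n' "$out" | sed -n 's/.*Verify return code: \([0-9]*\).*/\1/p' | head -n 1)
    if [ "$code" != "0" ]; then
        echo "upstream $1 does NOT verify against $2 (code ${code:-none})" >&2
        return 1
    fi
    echo "upstream $1 verifies against $2"
}

main() {
    upstream="${1:-trrswv056.agfahealthcare.com:8843}"
    trust="${2:-/tmp/chain.crt}"
    date
    check_trust_file "$trust" && check_upstream "$upstream" "$trust"
}

# Runs only when invoked with arguments, e.g.:
# sh check_upstream_chain.sh trrswv056.agfahealthcare.com:8843 /tmp/chain.crt
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Comparing the "verify return" lines and the trust file listing from a failing run with those from a working run tells you whether the trust file changed or the upstream started serving a different chain.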
