Nginx Positive SSL Wildcard not working

Two days ago I bought a COMODO Positive SSL Wildcard and have been trying to get it working with my Nginx, but I don't know why it doesn't work. Here is what I did.

1. Create a private key on my server

I created my example_com.csr and example_com.key files on my server with this command

openssl req -new -newkey rsa:2048 -nodes -keyout example_com.key -out example_com.csr

These files are stored in /etc/ssl

2. Send my example_com.csr to COMODO

After I sent the csr file and verified the domain, I received 3 files, as follows:

ssl_1540054330.ca-bundle
ssl_1540054330.crt
ssl_1540054330.key

I put the contents of ssl_1540054330.crt and ssl_1540054330.ca-bundle together into one complete file named ssl_1540054330-bundle-full.crt

3. Add to Nginx

I uploaded ssl_1540054330-bundle-full.crt to /etc/ssl and added it to Nginx with this config

server
{
    listen 80;
    listen 443 ssl;
    server_name  subdomain.example.com;

    # SSL
    ssl_certificate /etc/ssl/ssl_1540054330-bundle-full.crt;
    ssl_certificate_key /etc/ssl/example_com.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'EECDH+AES128:EECDH+AES256:+SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:RSA+3DES:!DSS';
}

After that I checked the Nginx config by running nginx -t, and the output was

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

The command systemctl restart nginx ran fine. I also disabled firewalld to make sure my port 443 works too.

Unfortunately it doesn't work; Chrome says "This site can't be reached", and I tested with openssl on my server using this command

openssl s_client -connect subdomain.example.com:443

The output was

CONNECTED(00000003)
140363396503456:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 289 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1540084821
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

I have been googling for two days trying to solve this but have not found any solution, so I am asking here hoping someone can help.

Here are my server details

Nginx info

[root@vnf ~]# nginx -V
nginx version: nginx/1.14.0
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-16) (GCC) 
built with OpenSSL 1.0.2k-fips  26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -fPIC' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -pie'

My OpenSSL info

[root@vnf ~]# openssl version
OpenSSL 1.0.2k-fips  26 Jan 2017

My OS version

[root@vnf ~]# cat /etc/centos-release
CentOS Linux release 7.4.1708 (Core) 

Any ideas?
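The checks below are an added example, not part of the question or an answer to it. They cover the part of the procedure above that `nginx -t` does not: `nginx -t` fails loudly if the key does not match the first certificate in the file, but it does not verify that the certificate after the leaf actually chains to it, that the leaf (not the CA) comes first, or which server block a real client with SNI ends up hitting. The script builds a throwaway CA, a wildcard leaf and a deliberately reversed bundle so it runs offline; the file names (`example_com.key`, `bundle-full.crt`) mirror the question, and `check_bundle` can be pointed at the real `/etc/ssl/ssl_1540054330-bundle-full.crt` and `/etc/ssl/example_com.key` once the files are in place. `probe_tls` is the live test and needs network access, so it is defined but not run here.

```shell
#!/bin/sh
# Added example: offline sanity checks for an nginx certificate bundle built as
# "leaf .crt followed by .ca-bundle", served with a separate private key.
# All certificates and keys here are generated locally (constructed fixtures).
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

make_fixtures() {
    # Self-contained OpenSSL config so `req` does not depend on the system openssl.cnf.
    cat > "$WORK/openssl.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:*.example.com, DNS:example.com
EOF
    # Throwaway CA standing in for the COMODO chain.
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 2 \
        -config "$WORK/openssl.cnf" -subj "/CN=Example Test CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
    # Leaf key + CSR, same shape as the command in the question.
    openssl req -new -newkey rsa:2048 -nodes \
        -config "$WORK/openssl.cnf" -subj "/CN=*.example.com" \
        -keyout "$WORK/example_com.key" -out "$WORK/example_com.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/example_com.csr" -days 2 \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/openssl.cnf" -extensions v3_leaf \
        -out "$WORK/leaf.crt" 2>/dev/null
    # An unrelated key, to show what a mismatch looks like.
    openssl genrsa -out "$WORK/wrong.key" 2048 2>/dev/null
    # Correct order for ssl_certificate: leaf first, then the issuing chain.
    cat "$WORK/leaf.crt" "$WORK/ca.crt" > "$WORK/bundle-full.crt"
    # Wrong order: CA first. nginx would try to serve the CA cert with the leaf key.
    cat "$WORK/ca.crt" "$WORK/leaf.crt" > "$WORK/bundle-reversed.crt"
}

# 1. Does the private key belong to the FIRST certificate in the bundle?
#    Compares SHA-256 of the DER public key, so it works for RSA and EC alike.
key_matches_cert() {  # $1 = bundle, $2 = key
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
    [ "$cert_pub" = "$key_pub" ]
}

# 2. Subject CN of the first certificate. nginx serves the first cert in the file
#    as the server certificate, so this must be the site, not the CA.
first_cert_cn() {  # $1 = bundle
    openssl x509 -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# 3. Does the first certificate chain to the certificates that follow it?
#    A missing or misordered intermediate passes nginx -t and only fails in clients.
bundle_verifies() {  # $1 = bundle
    awk '/-----BEGIN CERTIFICATE-----/{n++} n==1' "$1" > "$WORK/leaf-only.pem"
    awk '/-----BEGIN CERTIFICATE-----/{n++} n>=2' "$1" > "$WORK/chain-only.pem"
    [ -s "$WORK/chain-only.pem" ] &&
        openssl verify -CAfile "$WORK/chain-only.pem" "$WORK/leaf-only.pem" >/dev/null 2>&1
}

# Run all three against a bundle/key pair; returns 0 only if everything passes.
check_bundle() {  # $1 = bundle, $2 = key
    rc=0
    if key_matches_cert "$1" "$2"; then echo "key matches first cert: ok"; else echo "key matches first cert: FAIL"; rc=1; fi
    echo "first cert CN: $(first_cert_cn "$1")"
    if bundle_verifies "$1"; then echo "chain verifies: ok"; else echo "chain verifies: FAIL"; rc=1; fi
    return $rc
}

# Live check against the running server (network; not run in this example).
# -servername sends SNI explicitly: OpenSSL 1.0.2's s_client does not send it by
# default, so without it you may be testing nginx's default server, not this one.
probe_tls() {  # $1 = hostname
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -subject -issuer -dates
}

make_fixtures
echo "== correct bundle (leaf, then CA) =="
check_bundle "$WORK/bundle-full.crt" "$WORK/example_com.key" || true
echo "== reversed bundle (CA, then leaf) =="
check_bundle "$WORK/bundle-reversed.crt" "$WORK/example_com.key" || true
```

On the real server the same three checks read: `openssl x509 -in bundle -noout -pubkey` against `openssl pkey -in key -pubout` for the match, `openssl x509 -in bundle -noout -subject` to confirm the leaf is first, and `openssl verify -CAfile <chain part> <leaf part>` for the chain. If all three pass and `openssl s_client ... -servername subdomain.example.com` still reads 0 bytes, the problem is in which server block or process answers on 443, not in the certificate files.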
