
Nginx:无法加载证书
nginx: [emerg] cannot load certificate "/etc/nginx/ssl/domain.io.chain.pem": PEM_read_bio_X509_AUX() failed (SSL: error:0D07209B:asn1 encoding routines:ASN1_get_object:too long error:0D068066:asn1 encoding routines:ASN1_CHECK_TLEN:bad object header error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:Type=X509 error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib)

我收到这个神秘的错误,但找不到任何相关信息。

openssl verify domain.io.chain.pem
domain.io.chain.pem: OK

我已尽力确保它与权限无关,例如 setenforce 0,将文件移动到 /etc/nginx/ssl,对它们使用 0644 模式并确保父目录具有 0755,还尝试将 nginx 用户设置为组所有者,确保工作者以 nginx 用户身份运行,nginx 用户是 nginx 组的成员,并且在运行 useradd 后完全关闭 nginx 以结束所有用户会话。

还确保我没有在 nginx 配置中设置任何类似 ssl_protocols 或 ssl_ciphers 的内容。

这个 .pem 文件包含我从 CA 获得的三个证书:前两个是中间 CA 证书,第三个是“Web 服务器证书”。

如果我把 Web 服务器证书移到最前面,openssl verify 就会失败;但交换两个中间证书的顺序对 openssl verify 的结果没有任何影响。

我也尝试删除两个中间证书,只是为了看看 nginx 是否会接受它。

这是该虚拟主机的完整 nginx 配置。其余部分是 nginx 1.16.1 的原始 CentOS 7 安装。

server {
  # Plaintext listener for domain.io. The proxy settings below are repeated
  # verbatim in the TLS server further down. Nothing here redirects to HTTPS,
  # so the application stays reachable over plain HTTP as well — presumably
  # intended for a staging host; confirm that is the intent.

  listen 80;
  server_name domain.io;

  # Upstream connect/send/read timeouts plus the timeout for sending the
  # response to the client.
  proxy_connect_timeout  120s;
  proxy_send_timeout     120s;
  proxy_read_timeout     120s;
  send_timeout           120s;

  proxy_buffer_size   4k;
  proxy_buffers   8 4k;
  # nginx requires proxy_busy_buffers_size to be at least the larger of
  # proxy_buffer_size and one proxy_buffers buffer, and smaller than all
  # proxy_buffers minus one buffer; 8k satisfies that for 4k / 8x4k.
  # "proxy_buffer_size*2" is a local convention, not a rule nginx enforces.
  proxy_busy_buffers_size  8k;
  #proxy_ignore_client_abort on;
  client_max_body_size 1024M;

  location / {
    # Serve a matching file from the root if one exists, otherwise proxy.
    try_files $uri @backend;
  }

  location @backend {
    client_max_body_size 1024m;   # same value as the server-level directive; redundant

    # Forwarded headers the backend is expected to trust. $proxy_add_x_forwarded_for
    # appends $remote_addr to any X-Forwarded-For the client already sent, so the
    # backend should only rely on the last (proxy-added) address.
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-Proto http;   # hard-coded: this listener is plaintext
    proxy_redirect off;

    # "staging_backend" is an upstream group defined outside this excerpt.
    proxy_pass http://staging_backend;

  }

  access_log /var/log/nginx/domain.io-access.log;
  error_log /var/log/nginx/domain.io-error.log notice;

}

# TLS
server {
  # TLS listener for domain.io. The "cannot load certificate" error quoted in
  # the question is raised while loading the ssl_certificate file at startup,
  # before any request is served.

  listen 443 ssl;
  server_name domain.io;

  # NOTE(review): this path is /etc/ssl/..., while the error message names
  # /etc/nginx/ssl/domain.io.chain.pem — confirm which copy the running
  # configuration actually points at. nginx expects this file to start with
  # the server certificate, followed by the intermediates in signing order;
  # the question describes a file with the two intermediates first and the
  # server certificate last. The ASN.1 "too long" / "bad object header" errors
  # point at the bytes of the file rather than at permissions — presumably a
  # BOM, CRLF/non-ASCII characters, or a block that is not PEM at all; inspect
  # the raw bytes (e.g. `cat -A`) of the exact file nginx names.
  ssl_certificate         /etc/ssl/domain.io.chain.pem;
  # Certificate and key are read by the master process during configuration
  # load, so ownership/group changes for the worker user do not affect this
  # error; keep the key readable by root only.
  ssl_certificate_key     /etc/ssl/domain.io.key;

  ssl_session_cache shared:SSL:20m;
  ssl_session_timeout 5m;
  # OCSP stapling is disabled. Enabling it later also needs a "resolver"
  # directive, and ssl_stapling_verify needs ssl_trusted_certificate.
  #ssl_stapling on;
  #ssl_stapling_verify on;

  # With ssl_protocols/ssl_ciphers commented out, nginx 1.16.1 uses its
  # defaults, which still offer TLSv1 and TLSv1.1. That is unrelated to the
  # load error, but once the certificate loads consider restricting to
  # TLSv1.2 (and TLSv1.3 if the OpenSSL build supports it) and setting
  # ssl_prefer_server_ciphers. The commented list below also contains
  # DES-CBC3 (3DES) suites that should not be re-enabled.
  #ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  #ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";

  # Upstream connect/send/read timeouts plus the timeout for sending the
  # response to the client.
  proxy_connect_timeout  120s;
  proxy_send_timeout     120s;
  proxy_read_timeout     120s;
  send_timeout           120s;

  proxy_buffer_size   4k;
  proxy_buffers   8 4k;
  # nginx requires proxy_busy_buffers_size to be at least the larger of
  # proxy_buffer_size and one proxy_buffers buffer, and smaller than all
  # proxy_buffers minus one buffer; 8k satisfies that for 4k / 8x4k.
  # "proxy_buffer_size*2" is a local convention, not a rule nginx enforces.
  proxy_busy_buffers_size  8k;
  #proxy_ignore_client_abort on;
  client_max_body_size 1024M;

  location / {
    # Serve a matching file from the root if one exists, otherwise proxy.
    try_files $uri @backend;
  }

  location @backend {
    client_max_body_size 1024m;   # same value as the server-level directive; redundant

    # Forwarded headers the backend is expected to trust. $proxy_add_x_forwarded_for
    # appends $remote_addr to any X-Forwarded-For the client already sent, so the
    # backend should only rely on the last (proxy-added) address.
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $host;
    # Hard-coded for this TLS listener; the backend can trust it only because
    # it is set here rather than forwarded from the client.
    proxy_set_header X-Forwarded-Proto https;
    proxy_redirect off;

    # "staging_backend" is an upstream group defined outside this excerpt;
    # traffic to it is plaintext HTTP after TLS terminates here.
    proxy_pass http://staging_backend;

  }

  access_log /var/log/nginx/domain.io-access.log;
  error_log /var/log/nginx/domain.io-error.log notice;

}
