nginx: [emerg] cannot load certificate "/etc/nginx/ssl/domain.io.chain.pem": PEM_read_bio_X509_AUX() failed (SSL: error:0D07209B:asn1 encoding routines:ASN1_get_object:too long error:0D068066:asn1 encoding routines:ASN1_CHECK_TLEN:bad object header error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:Type=X509 error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib)
我收到这个神秘的错误,但找不到任何相关信息。
openssl verify domain.io.chain.pem
domain.io.chain.pem: OK
我已尽力排除权限方面的原因,例如执行 setenforce 0,将文件移动到 /etc/nginx/ssl,将它们的权限设为 0644 并确保父目录为 0755,还尝试将 nginx 用户设为组所有者,确认工作进程以 nginx 用户身份运行、nginx 用户是 nginx 组的成员,并在运行 useradd 后完全停止 nginx 以结束所有用户会话。
还确保我没有在 nginx 配置中设置任何类似 ssl_protocols 或 ssl_ciphers 的内容。
.pem 文件是我从 CA 获得的三个证书。前两个是中间 CA 证书,第三个是“Web 服务器证书”。
如果我把 Web 服务器证书移到最前面,openssl verify 会失败。但是调换两个中间证书的顺序对 openssl verify 的结果没有任何影响。
我也尝试删除两个中间证书,只是为了看看 nginx 是否会接受它。
这是该虚拟主机的完整 nginx 配置。其余部分是 CentOS 7 上 nginx 1.16.1 的默认安装配置。
# Plain-HTTP virtual host for domain.io. Requests are answered from disk when a
# matching file exists, otherwise proxied to the "staging_backend" upstream
# (defined elsewhere in the nginx configuration, not in this listing).
# NOTE(review): nothing here redirects port 80 to the TLS server below, so the
# same content stays reachable in the clear — confirm that is intended.
server {
    listen 80;
    server_name domain.io;

    # Upstream timeouts (connect / send / read) and the client-side send timeout.
    proxy_connect_timeout 120s;
    proxy_send_timeout 120s;
    proxy_read_timeout 120s;
    send_timeout 120s;

    # Buffering of upstream responses.
    proxy_buffer_size 4k;
    proxy_buffers 8 4k;
    # NOTE(review): nginx's actual constraint is that proxy_busy_buffers_size is
    # at least max(proxy_buffer_size, one proxy_buffers buffer) and smaller than
    # the proxy_buffers total minus one buffer; "*2" is one valid choice, not a rule.
    proxy_busy_buffers_size 8k; # Must always be proxy_buffer_size*2
    #proxy_ignore_client_abort on;

    # Accept request bodies up to 1 GiB. The same limit is repeated inside the
    # @backend location below (1024m == 1024M), so that line is redundant.
    client_max_body_size 1024M;

    # Serve a static file if one matches the URI, otherwise hand off to @backend.
    location / {
        try_files $uri @backend;
    }

    location @backend {
        client_max_body_size 1024m;
        # Client address for the backend. $proxy_add_x_forwarded_for appends
        # $remote_addr to any X-Forwarded-For the client already supplied, so the
        # backend must trust only the last (nginx-added) entry of that header.
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $host;
        # Original scheme for the backend; this block only listens on port 80.
        # proxy_set_header replaces any client-supplied value.
        proxy_set_header X-Forwarded-Proto http;
        # Location/Refresh headers from the backend are passed through unmodified.
        proxy_redirect off;
        proxy_pass http://staging_backend;
    }

    access_log /var/log/nginx/domain.io-access.log;
    error_log /var/log/nginx/domain.io-error.log notice;
}
# TLS
# TLS virtual host for domain.io. Proxies to the same "staging_backend" upstream
# as the port-80 server above; the two blocks differ only in the TLS settings
# and the X-Forwarded-Proto value.
server {
    listen 443 ssl;
    server_name domain.io;

    # Certificate chain file. nginx expects the server (leaf) certificate FIRST,
    # followed by the intermediate certificates, as plain-ASCII PEM that the
    # OpenSSL build nginx links against can parse (no BOM / non-ASCII bytes).
    # NOTE(review): the "cannot load certificate" error quotes
    # /etc/nginx/ssl/domain.io.chain.pem while this directive points at
    # /etc/ssl/ — confirm which file nginx actually reads. Also note that
    # `openssl verify <file>` typically validates only the first certificate in
    # the file, so its "OK" does not prove the whole chain file is well-formed.
    ssl_certificate /etc/ssl/domain.io.chain.pem;
    # Private key. When the nginx master runs as root (the usual setup) it reads
    # the key at startup before workers drop privileges, so the key should be
    # root-owned and not world-readable (0600/0640) — unlike the public chain.
    ssl_certificate_key /etc/ssl/domain.io.key;

    # Session cache shared across workers (20 MB); entries expire after 5 minutes.
    ssl_session_cache shared:SSL:20m;
    ssl_session_timeout 5m;

    # OCSP stapling is disabled. Enabling it also requires a `resolver`
    # directive so the OCSP responder hostname can be resolved.
    #ssl_stapling on;
    #ssl_stapling_verify on;
    # Protocols and ciphers are left at nginx defaults while the certificate load
    # error is being debugged. On nginx 1.16.1 the defaults are
    # `TLSv1 TLSv1.1 TLSv1.2` and `HIGH:!aNULL:!MD5`. Once the certificate loads,
    # re-enable with TLSv1.2 only (plus TLSv1.3 if this OpenSSL build supports
    # it). The commented cipher list below still contains 3DES suites
    # (DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, ECDHE-RSA-DES-CBC3-SHA); drop them.
    #ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    #ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
    # NOTE(review): no Strict-Transport-Security header is set here; consider
    # add_header once TLS is confirmed working.

    # Upstream timeouts (connect / send / read) and the client-side send timeout.
    proxy_connect_timeout 120s;
    proxy_send_timeout 120s;
    proxy_read_timeout 120s;
    send_timeout 120s;

    # Buffering of upstream responses.
    proxy_buffer_size 4k;
    proxy_buffers 8 4k;
    # NOTE(review): nginx's actual constraint is that proxy_busy_buffers_size is
    # at least max(proxy_buffer_size, one proxy_buffers buffer) and smaller than
    # the proxy_buffers total minus one buffer; "*2" is one valid choice, not a rule.
    proxy_busy_buffers_size 8k; # Must always be proxy_buffer_size*2
    #proxy_ignore_client_abort on;

    # Accept request bodies up to 1 GiB; repeated (redundantly) in @backend below.
    client_max_body_size 1024M;

    # Serve a static file if one matches the URI, otherwise hand off to @backend.
    location / {
        try_files $uri @backend;
    }

    location @backend {
        client_max_body_size 1024m;
        # Client address for the backend. $proxy_add_x_forwarded_for appends
        # $remote_addr to any X-Forwarded-For the client already supplied, so the
        # backend must trust only the last (nginx-added) entry of that header.
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $host;
        # Tells the backend the request arrived over TLS. proxy_set_header
        # replaces any client-supplied value, so the backend can rely on it for
        # scheme-dependent behaviour (secure cookies, redirects).
        proxy_set_header X-Forwarded-Proto https;
        # Location/Refresh headers from the backend are passed through unmodified;
        # the backend is reached over plain HTTP on the internal hop.
        proxy_redirect off;
        proxy_pass http://staging_backend;
    }

    access_log /var/log/nginx/domain.io-access.log;
    error_log /var/log/nginx/domain.io-error.log notice;
}