Searx (on Nginx): "Let's Encrypt" SSL certificate does not work with Safari (iPhone and MacOS) but works with the rest of the world

I have a customized Searx installation (https://searx.me/) at: https://ricercaalternativa.mydissent.net/

It has worked fine with Letsencrypt for years. Since a few days ago, however, the certificate provided by Letsencrypt is compatible with every device except Apple's (Safari on iPhone and on macOS).

This test shows a "chain issue": https://www.ssllabs.com/ssltest/analyze.html?d=ricercaalternativa.mydissent.net

I do not know how to fix this (or what the problem actually means), also because the SSL certificate installation has always been fully automated with the following Bash script:

#!/bin/bash
set -e
# Domain the certificate is requested for.
YOUR_DOMAIN="ricercaalternativa.mydissent.net"
# Obtain/renew the certificate only (no installer plugin), answering the DNS-01 challenge by hand.
certbot certonly -d "${YOUR_DOMAIN}" --manual --preferred-challenges dns
# Restart the services so the new certificate files are picked up.
service uwsgi restart
service nginx restart

In any case, --preferred-challenges dns seems to be ignored: it did not ask me to deploy a DNS record. This is the output:

# ./updateSSL.sh 
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/ricercaalternativa.mydissent.net.conf)

What would you like to do?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Keep the existing certificate for now
2: Renew & replace the cert (limit ~5 per 7 days)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Renewing an existing certificate

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/ricercaalternativa.mydissent.net/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/ricercaalternativa.mydissent.net/privkey.pem
   Your cert will expire on 2022-01-05. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

This is the certbot version:

# apt-cache policy certbot | grep Installed
  Installed: 0.31.0-2~deb10u1+ubuntu18.04.1+certbot+3

Answer 1

Your problem stems from your web server not sending any chain certificates along with your leaf certificate. The SSL Labs test says "This server's certificate chain is incomplete", which is trying to tell you exactly that.

Browsers and other clients have to guess how to validate the certificate you sent, and some are more capable/forgiving than others. Safari is not. This only started happening recently because a root CA certificate expired recently.

In your nginx config you probably have a line like this:

ssl_certificate  /etc/letsencrypt/live/ricercaalternativa.mydissent.net/cert.pem;

If so, change cert.pem to fullchain.pem and restart nginx. Then re-check with SSL Labs and see what it says about your chain.
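The check the answer suggests, written out as an added example that is not part of the original question or answer: a POSIX shell script that reads which file nginx's ssl_certificate directive points at and counts how many certificates that file carries, for the configuration as it probably is now (cert.pem) and for the corrected one (fullchain.pem). The nginx snippets and the PEM files are constructed stand-ins with placeholder text instead of real certificate bodies, and the temporary directory layout is an assumption.

```shell
#!/bin/sh
# Added example, not code from the original page. Checks whether the file that
# nginx's ssl_certificate directive points at carries the intermediate chain.
# All inputs below are constructed stand-ins: PEM "certificates" with placeholder
# bodies and two minimal nginx snippets written to a temporary directory.

# Number of certificates in a PEM file (leaf plus any intermediates).
count_pem_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# Path from the first ssl_certificate directive. ssl_certificate_key does not
# match, because the directive name must be followed by whitespace.
ssl_certificate_path() {
    sed -n 's/^[[:space:]]*ssl_certificate[[:space:]]\{1,\}\([^;]*\);.*$/\1/p' "$1" | head -n 1
}

# "complete" when the referenced file holds at least two certificates (leaf plus
# intermediate), "incomplete" when it holds only the leaf, as cert.pem does.
chain_verdict() {
    cert_file=$(ssl_certificate_path "$1")
    if [ -z "$cert_file" ]; then
        echo "no ssl_certificate directive in $1" >&2
        return 1
    fi
    n=$(count_pem_certs "$cert_file")
    if [ "${n:-0}" -ge 2 ]; then
        echo complete
    else
        echo incomplete
    fi
}

DEMO_DIR=$(mktemp -d)

# Constructed cert.pem: only the leaf certificate.
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'LEAF-PLACEHOLDER' '-----END CERTIFICATE-----' \
    > "$DEMO_DIR/cert.pem"

# Constructed fullchain.pem: the leaf followed by the intermediate.
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'LEAF-PLACEHOLDER' '-----END CERTIFICATE-----' \
    '-----BEGIN CERTIFICATE-----' 'INTERMEDIATE-PLACEHOLDER' '-----END CERTIFICATE-----' \
    > "$DEMO_DIR/fullchain.pem"

# The configuration as it probably is now: serves cert.pem, so no chain is sent.
cat > "$DEMO_DIR/weak.conf" <<EOF
server {
    listen 443 ssl;
    ssl_certificate     $DEMO_DIR/cert.pem;
    ssl_certificate_key $DEMO_DIR/privkey.pem;
}
EOF

# The corrected configuration: serves fullchain.pem (leaf plus intermediate).
cat > "$DEMO_DIR/fixed.conf" <<EOF
server {
    listen 443 ssl;
    ssl_certificate     $DEMO_DIR/fullchain.pem;
    ssl_certificate_key $DEMO_DIR/privkey.pem;
}
EOF

for conf in weak fixed; do
    echo "$conf.conf -> $(ssl_certificate_path "$DEMO_DIR/$conf.conf"): $(chain_verdict "$DEMO_DIR/$conf.conf")"
done
```

Against the live host the same count can be taken from what the server actually sends: `openssl s_client -connect ricercaalternativa.mydissent.net:443 -servername ricercaalternativa.mydissent.net -showcerts </dev/null` prints every certificate in the handshake, and a server configured with cert.pem shows a single BEGIN CERTIFICATE block there, which is the condition the SSL Labs "chain incomplete" finding refers to.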
