Ubuntu NginX:HTTPS连接被拒绝
我已经使用Ubuntu NginX:HTTPS连接被拒绝,ubuntu,ssl,nginx,lets-encrypt,Ubuntu,Ssl,Nginx,Lets Encrypt,我已经使用让我们加密创建了SSL证书,现在尝试使用NginX进行设置。NginX使用我的配置,重新启动并很好地处理HTTP,但拒绝HTTPS连接 另外,我的服务器没有防火墙。我用netstat-peant | grep“和NMap检查了443端口,没有问题 我有以下SSL文件: ca bundle.crt,27行,以----开始证书------ ca.crt,35行,以----开始证书------ private\u rsa.key,27行,以开头------BEGIN rsa private
让我们加密创建了SSL证书,现在尝试使用NginX进行设置。NginX使用我的配置,重新启动并很好地处理HTTP,但拒绝HTTPS连接
另外,我的服务器没有防火墙。我用netstat-peant | grep“
和NMap检查了443端口,没有问题
我有以下SSL文件:
ca bundle.crt
,27行,以----开始证书------
ca.crt
,35行,以----开始证书------
private\u rsa.key
,27行,以开头------BEGIN rsa private key------
private.key
,28行,以开头------开始私钥------
server {
listen 80;
listen 443 ssl;
server_name domain.ru www.domain.ru;
ssl_certificate /var/www/SSL/ca.crt;
ssl_certificate_key /var/www/SSL/private.key;
access_log /var/www/Ret/Returner/logs/nginx.access.log;
error_log /var/www/Ret/Returner/logs/nginx.error.log;
proxy_read_timeout 950s;
location = /favicon.ico { access_log off; log_not_found off; }
location /static/ {
root /var/www/Ret/Returner/;
}
location / {
proxy_pass http://127.0.0.1:5000;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header X-Real-Ip $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
}
}
ssl_certificate /aivanf/ssl/ca_chain.crt;
ssl_certificate_key /aivanf/ssl/ca.key;
如何解决这个问题
我的操作系统是Ubuntu 16.04。NginX版本:1.10.3,内置OpenSSL 1.0.2g,启用TLS SNI支持
更新。
为了生成证书,我使用了两种不同的方法:
使用www.sslforfree.com并获得DNS所有权批准
使用以下OpenSSL命令:
openssl genrsa 4096>/var/www/Ret/account.key
openssl rsa-in/var/www/Ret/account.key-pubout
不幸的是,两个证书文件集都不起作用。我个人不喜欢将80和443放在同一个服务器中。
我也不确定这是否是一个问题。但是你能试试这样的吗
# Redirect all http to https
server {
listen 80 default_server;
rewrite ^ https://$host$request_uri? permanent;
}
# Handle https
server {
server_name domain.ru www.domain.ru;
listen 443 ssl http2;
# Certificates
ssl_certificate /var/www/SSL/ca.crt;
ssl_certificate_key /var/www/SSL/private.key;
# Logs
access_log /var/www/Ret/Returner/logs/nginx.access.log;
error_log /var/www/Ret/Returner/logs/nginx.error.log;
proxy_read_timeout 950s;
# Static Content
location = /favicon.ico { access_log off; log_not_found off; }
location /static/ {
root /var/www/Ret/Returner/;
}
# Reverse Proxy
location / {
proxy_pass http://127.0.0.1:5000;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header X-Real-Ip $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
}
}
我找到了解决办法。它是关于创建ca_chain.crt
的,它应该包含您的证书和ca包的数据。它的结构很简单,如下所示:
-----BEGIN CERTIFICATE-----
MIIFXTCCBEWgAwIBAgISA1jUznaa6AUn/4wyOV49e1QBMA0GCSqGSIb3DQEBCwUA
// content of the ca.crt //
2PxVU6WNy9wOVgGdO5TaxRQgO2p04AYJpovREYCuOctz
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/
// content of the ca_bundle.crt //
KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg==
-----END CERTIFICATE-----
然后,在NginX配置中:
server {
listen 80;
listen 443 ssl;
server_name domain.ru www.domain.ru;
ssl_certificate /var/www/SSL/ca.crt;
ssl_certificate_key /var/www/SSL/private.key;
access_log /var/www/Ret/Returner/logs/nginx.access.log;
error_log /var/www/Ret/Returner/logs/nginx.error.log;
proxy_read_timeout 950s;
location = /favicon.ico { access_log off; log_not_found off; }
location /static/ {
root /var/www/Ret/Returner/;
}
location / {
proxy_pass http://127.0.0.1:5000;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header X-Real-Ip $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
}
}
ssl_certificate /aivanf/ssl/ca_chain.crt;
ssl_certificate_key /aivanf/ssl/ca.key;
ca.key
与我之前所说的private.key
是如何生成SSL证书的?你能用你运行的命令更新你的问题吗?Let's Encrypt的输出应该输出fullchain.pem
、privkey.pem
和其他文件,但在大多数情况下只需要这两个文件。@dr.dimitru感谢您的回复!我已经在Q中添加了这些细节。我使用这些方法是因为我觉得它们最方便。你找到解决方案了吗?我也一样issue@SaraTibbetts是的,我很久以前就找到了解决办法!我刚刚为你写的谢谢你的回复!我已经尝试了你分离端口和禁用监听80的两种方法,但结果都是一样的:verni-verni.ru意外地关闭了连接
(谷歌浏览器)