Nginx

Searx (Nginx-based) "Let's Encrypt" SSL certificate invalid on Safari (iPhone and macOS), valid for the rest of the world

  • October 11, 2021

I have a customized installation of Searx (https://searx.me/) at: https://ricercaalternativa.mydissent.net/

For years it has worked fine with Letsencrypt. However, just a few days ago, the certificate provided by Letsencrypt became compatible with everything except Apple (Safari on iPhone and macOS).

This test shows a "chain issue": https://www.ssllabs.com/ssltest/analyze.html?d=ricercaalternativa.mydissent.net

I don't know how to fix this (or, actually, what the issue means), also because the installation of the SSL certificate has always been fully automated, using the following Bash script:

#!/bin/bash
YOUR_DOMAIN="ricercaalternativa.mydissent.net"
# Obtain/renew the certificate only (no installer), using the manual DNS-01 challenge
certbot certonly -d ${YOUR_DOMAIN} --manual --preferred-challenges dns
# Restart the services that hold the certificate so they pick up the new files
service uwsgi restart
service nginx restart

Anyway, --preferred-challenges dns seems to be ignored: it didn't ask me to deploy a DNS record. This is the output:

# ./updateSSL.sh 
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/ricercaalternativa.mydissent.net.conf)

What would you like to do?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Keep the existing certificate for now
2: Renew & replace the cert (limit ~5 per 7 days)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Renewing an existing certificate

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
  /etc/letsencrypt/live/ricercaalternativa.mydissent.net/fullchain.pem
  Your key file has been saved at:
  /etc/letsencrypt/live/ricercaalternativa.mydissent.net/privkey.pem
  Your cert will expire on 2022-01-05. To obtain a new or tweaked
  version of this certificate in the future, simply run certbot
  again. To non-interactively renew *all* of your certificates, run
  "certbot renew"
- If you like Certbot, please consider supporting our work by:

  Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
  Donating to EFF:                    https://eff.org/donate-le

This is the certbot version:

# apt-cache policy certbot | grep Installed
 Installed: 0.31.0-2~deb10u1+ubuntu18.04.1+certbot+3

Your problem stems from your web server not sending any chain certificates along with the leaf certificate. That is what the SSL Labs test is trying to tell you when it shows "This server's certificate chain is incomplete".

Browsers and other clients then have to guess how to validate the certificate you send, and some clients are more capable/lenient at doing this than others. Safari is not. This has only started happening recently because of the recent root CA certificate expiry.

In your nginx configuration you probably have a line like:

ssl_certificate  /etc/letsencrypt/live/ricercaalternativa.mydissent.net/cert.pem;

If so, change cert.pem to fullchain.pem and restart nginx. Then re-check with SSL Labs and see what it says about your chain.
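A small audit script for the misconfiguration described in this answer, added here as an example and not part of the original thread. It scans nginx configuration text for ssl_certificate directives that still point at the leaf-only cert.pem, and counts the CERTIFICATE blocks in the referenced PEM file, since a bundle with a single certificate cannot carry the intermediates. The config text, file paths (example.invalid) and PEM bodies are constructed for the example; the regexes use only the standard library.

```python
"""Audit nginx ssl_certificate directives for an incomplete certificate chain.

Added example (not from the Server Fault thread). Two checks:
  1. does any ssl_certificate directive reference cert.pem instead of fullchain.pem?
  2. how many CERTIFICATE blocks does the referenced file hold? (1 = leaf only)
"""
import re

# Matches `ssl_certificate <path>;` but not `ssl_certificate_key`, because the
# directive name must be followed by whitespace.
SSL_CERT_RE = re.compile(r"^\s*ssl_certificate\s+([^;\s]+)\s*;", re.MULTILINE)
PEM_BLOCK_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.DOTALL
)


def ssl_certificate_paths(config_text):
    """Return every path passed to an ssl_certificate directive."""
    return SSL_CERT_RE.findall(config_text)


def count_pem_certificates(pem_text):
    """Number of PEM CERTIFICATE blocks in a file's text (0 if empty)."""
    return len(PEM_BLOCK_RE.findall(pem_text or ""))


def audit(config_text, read_file):
    """read_file(path) -> PEM text. Returns a list of findings; empty means OK."""
    findings = []
    for path in ssl_certificate_paths(config_text):
        if path.endswith("/cert.pem"):
            findings.append(f"{path}: leaf-only file referenced; use fullchain.pem")
        n = count_pem_certificates(read_file(path))
        if n < 2:
            findings.append(f"{path}: {n} certificate(s) in file; intermediates missing")
    return findings


# --- constructed sample input (not real certificates or a real host) ---
CONSTRUCTED_CONFIG = """
server {
    listen 443 ssl;
    server_name example.invalid;
    ssl_certificate      /etc/letsencrypt/live/example.invalid/cert.pem;
    ssl_certificate_key  /etc/letsencrypt/live/example.invalid/privkey.pem;
}
"""
FIXED_CONFIG = CONSTRUCTED_CONFIG.replace("/cert.pem;", "/fullchain.pem;")


def _fake_cert(label):
    # Placeholder PEM block; only the BEGIN/END markers matter to this audit.
    return f"-----BEGIN CERTIFICATE-----\n{label}-CONSTRUCTED\n-----END CERTIFICATE-----\n"


CONSTRUCTED_FILES = {
    "/etc/letsencrypt/live/example.invalid/cert.pem": _fake_cert("LEAF"),
    "/etc/letsencrypt/live/example.invalid/fullchain.pem":
        _fake_cert("LEAF") + _fake_cert("INTERMEDIATE") + _fake_cert("CROSS-SIGNED-ROOT"),
}


def read_constructed(path):
    """Stand-in for reading from disk in the constructed sample."""
    return CONSTRUCTED_FILES.get(path, "")


if __name__ == "__main__":
    for name, cfg in (("broken", CONSTRUCTED_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, audit(cfg, read_constructed) or "OK")
```

On a live server the same question can be asked from the client side with `openssl s_client -connect HOST:443 -servername HOST -showcerts`, which prints every certificate the server sends; a leaf-only configuration shows exactly one block, which is the condition SSL Labs reports as an incomplete chain.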

Quoted from: https://serverfault.com/questions/1079871