Postfix
Certbot — 握手後新會話票到達
在協商開始時,
Secure Renegotiation IS NOT supported
發生。在最後一次Session Ticket
(也可能是之前的一次)中,似乎 SSL 連接成功了。你能告訴我這裡發生了什麼嗎?我應該擔心這一點,還是可以以任何方式“改善”談判?另外,為什麼會發生兩次
Session Ticket
?這是正常的嗎?# openssl s_client -connect mail.domainname.com:993
CONNECTED(00000003) depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3 verify return:1 depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3 verify return:1 depth=0 CN = domainname.com verify return:1 --- Certificate chain 0 s:CN = domainname.com i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3 1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3 i:O = Digital Signature Trust Co., CN = DST Root CA X3 --- Server certificate -----BEGIN CERTIFICATE----- MIIFfTCCBGWgAwIBAgISA3ypOrf4bJNOWeDv4Ie2YB9MMA0GCSqGSIb3DQEBCwUA ... nqq9VzUEakWQsLfHhNVwUe8= -----END CERTIFICATE----- subject=CN = domainname.com issuer=C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3 --- No client certificate CA names sent Peer signing digest: SHA256 Peer signature type: RSA-PSS Server Temp Key: X25519, 253 bits --- SSL handshake has read 3148 bytes and written 401 bytes Verification: OK --- New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384 Server public key is 2048 bit Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE No ALPN negotiated Early data was not sent Verify return code: 0 (ok) --- --- Post-Handshake New Session Ticket arrived: SSL-Session: Protocol : TLSv1.3 Cipher : TLS_AES_256_GCM_SHA384 Session-ID: 2148B9B6ABD8587E0B0975A132BBAFD41F2FD476396BB26433165D3C Session-ID-ctx: Resumption PSK: C5ACAAACC034516A9E7868D4666840A9B1DC7ADBD3CBD466B3A7889082677FB995B6013E7FA7CC2BF0757D2D PSK identity: None PSK identity hint: None SRP username: None TLS session ticket lifetime hint: 7200 (seconds) TLS session ticket: 0000 - 35 0c 32 9e 9f 21 39 fc-6c 4d ae 2c c8 cb d3 58 5.2..!9.lM.,...X ... 00d0 - 54 76 45 9a a4 f0 dc e0-6d 2b 7d fa 9a 63 2e 12 TvE.....m+}..c.. Start Time: 1600415053 Timeout : 7200 (sec) Verify return code: 0 (ok) Extended master secret: no Max Early Data: 0 --- read R BLOCK --- Post-Handshake New Session Ticket arrived: SSL-Session: Protocol : TLSv1.3 Cipher : TLS_AES_256_GCM_SHA384 Session-ID: 957C17A0A528F7D53C47CE7C8FDAF0A78E725DBA498D3DF91D39AB54 Session-ID-ctx: Resumption PSK: 31EDFF053862FD02E7C85973084FA2F26FE8A021F9EDF1DB51100B18B21D2F8A7F5AB7A43899B1A0507DD2E2 PSK identity: None PSK identity hint: None SRP username: None TLS session ticket lifetime hint: 7200 (seconds) TLS session ticket: 0000 - 35 0c 32 9e 9f 21 39 fc-6c 4d ae 2c c8 cb d3 58 5.2..!9.lM.,...X ... 00d0 - 55 db 93 6b 34 96 9d 95-13 e1 67 c8 5b 27 1c 60 U..k4.....g.['.` Start Time: 1600415053 Timeout : 7200 (sec) Verify return code: 0 (ok) Extended master secret: no Max Early Data: 0 --- read R BLOCK * OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ AUTH=PLAIN AUTH=LOGIN] Dovecot (Ubuntu) ready.
最終,經過一番痛苦,我意識到這裡的問題與 certbot/Letsencrypt 無關(正如 Michael Hampton 在上面的評論中所說),而是與 Virtualmin 有關,它有“自己的方式”通過 Apache 提供證書.
因此,在通過 手動頒發證書後
certbot
,這裡的解決方案是通過 Virtualmin 本身更新/刷新證書。就我而言,我剛剛更新了 CA 證書:Virtualmin -> domain.com -> Server Configuration -> SSL Certificate -> CA Certificate (enter the full path of the ssl.ca cert) -> Save Certificate
.我確信可以讓 Virtualmin 處理 Letsencrypt 證書的整個證書創建/更新,但我還沒有檢查過。