[Help] After installing a GoDaddy SSL certificate on Nginx on an Alibaba Cloud ECS, Windows browsers can open the site but iOS/macOS browsers cannot

113 days ago
insomniowl

Symptoms

Windows Edge/Chrome/Firefox all open the site normally, and the padlock in the address bar shows as expected.

iPhone Safari shows "Safari can't open the page because the network connection was lost."

iPhone Edge shows "The connection to this site is not secure."

macOS Safari shows "Safari can't open the page "https://<mydomain>/xx/xxx" because Safari can't establish a secure connection to the server "<mydomain>"".

I asked OpenAI's model about it and have so far been digging in the TLS direction.

On the server:

```
]# openssl s_client -connect 127.0.0.1:443 -servername <mydomain> -tls1_2
]# openssl s_client -connect 127.0.0.1:443 -servername <mydomain> -tls1_3
```

both print Protocol, Cipher, the certificate chain, the certificate and so on normally:

```
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
```

On my local machines (Windows WSL / macOS Terminal) the details are as follows:

```
$ openssl s_client -connect <myip>:443 -servername <mydomain> -tls1_2
CONNECTED(00000003)
write:errno=0
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 213 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1747836333
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---
$ openssl s_client -connect <myip>:443 -servername <mydomain> -tls1_3
CONNECTED(00000003)
write:errno=0
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 240 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
```

I have confirmed in the ECS console that the security group is fine: port 443 is fully open.

OS: AlmaLinux 9

Nginx info:

```
]# nginx -V
nginx version: nginx/1.27.5
built by gcc 11.5.0 20240719 (Red Hat 11.5.0-5) (GCC) 
built with OpenSSL 3.2.2 4 Jun 2024
TLS SNI support enabled
```

Does anyone have any ideas? Please point me in the right direction~~
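The loopback and remote transcripts above differ in a way that is easy to misread: the remote run still prints "Verification: OK" and "Verify return code: 0 (ok)" even though not a single byte came back from the server, so nothing was actually verified. The Python below is an added example, not part of the original post. It parses an s_client transcript in the OpenSSL 3.x text format shown above and separates the three cases this thread argues about: a connection closed before any ServerHello, a handshake whose chain does not reach a trusted root, and a clean handshake. The first two sample transcripts are abridged from the post; the third (a server sending only its leaf certificate) is constructed.

```python
"""Triage openssl s_client transcripts (added example; OpenSSL 3.x text format)."""
import re
from dataclasses import dataclass, field


@dataclass
class Triage:
    verdict: str = "unknown"
    bytes_read: int = -1
    bytes_written: int = -1
    protocol: str = ""
    chain_depths: list = field(default_factory=list)   # depth=N lines, as printed
    verify_errors: list = field(default_factory=list)  # "verify error:num=..." lines
    verify_return_code: int = -1


_HANDSHAKE_RE = re.compile(r"SSL handshake has read (\d+) bytes and written (\d+) bytes")
_DEPTH_RE = re.compile(r"^depth=(\d+)\b")
_VERIFY_ERR_RE = re.compile(r"^verify error:num=(\d+):(.+)$")
_NEW_RE = re.compile(r"^New, (\S+), Cipher is (\S+)")
_RETURN_CODE_RE = re.compile(r"^Verify return code: (\d+) \(")


def triage_s_client(transcript: str) -> Triage:
    """Classify one s_client transcript into a verdict plus the facts behind it."""
    t = Triage()
    saw_chain = False
    for raw in transcript.splitlines():
        line = raw.strip()
        if m := _HANDSHAKE_RE.search(line):
            t.bytes_read, t.bytes_written = int(m.group(1)), int(m.group(2))
        elif m := _DEPTH_RE.match(line):
            t.chain_depths.append(int(m.group(1)))
        elif m := _VERIFY_ERR_RE.match(line):
            t.verify_errors.append(f"{m.group(1)}: {m.group(2).strip()}")
        elif m := _NEW_RE.match(line):
            if m.group(1) != "(NONE)":
                t.protocol = m.group(1)
        elif m := _RETURN_CODE_RE.match(line):
            t.verify_return_code = int(m.group(1))
        elif line == "Certificate chain":
            saw_chain = True

    if t.bytes_read == 0:
        # A ClientHello went out and the peer closed the socket without a
        # ServerHello or even a TLS alert. "Verification: OK" is printed anyway
        # because there was nothing to verify, so it must not count as success.
        t.verdict = "closed_before_serverhello"
    elif t.verify_errors or t.verify_return_code > 0:
        t.verdict = "chain_not_trusted"
    elif saw_chain and t.protocol:
        t.verdict = "handshake_ok"
    return t


# Abridged from the thread: remote run from the poster's laptop.
REMOTE_TRANSCRIPT = """CONNECTED(00000003)
write:errno=0
---
no peer certificate available
---
SSL handshake has read 0 bytes and written 213 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
    Verify return code: 0 (ok)
"""

# Abridged from the thread: loopback run on the ECS host.
LOOPBACK_TRANSCRIPT = """CONNECTED(00000003)
depth=2 C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., CN=Go Daddy Root Certificate Authority - G2
verify return:1
depth=1 C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., CN=Go Daddy Secure Certificate Authority - G2
verify return:1
depth=0 CN=<mydomain>
verify return:1
---
Certificate chain
 0 s:CN=<mydomain>
---
SSL handshake has read 4585 bytes and written 306 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
    Verify return code: 0 (ok)
"""

# Constructed (not from the thread): a server that sends only its leaf certificate.
INCOMPLETE_CHAIN_TRANSCRIPT = """CONNECTED(00000003)
depth=0 CN=<mydomain>
verify error:num=20:unable to get local issuer certificate
verify return:1
---
Certificate chain
 0 s:CN=<mydomain>
---
SSL handshake has read 1930 bytes and written 306 bytes
Verification error: unable to get local issuer certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
    Verify return code: 20 (unable to get local issuer certificate)
"""
```

Run it as `triage_s_client(open("transcript.txt").read()).verdict`. The point of the ordering in the verdict logic is that "0 bytes read" is checked first: nginx itself always answers a ClientHello with a ServerHello or a TLS alert, so a silent close of this shape on both TLS 1.2 and 1.3, while loopback works, is a network-path symptom rather than a certificate one.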

1267 views
Node: SSL
12 replies
hefish
113 days ago
Incomplete certificate. Five characters.
insomniowl
113 days ago
@hefish But the browsers on Windows can see the full certificate chain...
hefish
113 days ago
@insomniowl I've run into exactly the same thing. In the end it turned out the certificates hadn't all been included when the bundle was concatenated.
ysc3839
113 days ago
What about Chrome on macOS?
imlonghao
113 days ago
Incomplete certificate chain
imlonghao
113 days ago
openssl s_client definitely returns more than these few lines; you've cut out the important parts.
yinmin
113 days ago
1. Even with an incomplete chain, openssl still returns the certificate, so this is not an incomplete chain.
2. An ECS in mainland China needs the domain to have an ICP filing (备案) to serve HTTPS. Without it, Alibaba Cloud blocks HTTPS connections. For a domestic ECS, make sure the domain is filed.
3. Stop nginx and test with openssl again. It should fail to connect, rather than "connected but no certificate returned". If it still connects with nginx stopped, check the network and server configuration.
4. Your Windows machine can access the site: do you have a VPN/proxy on? Turn it off and test again, or try another Windows machine.
insomniowl
113 days ago
@hefish
@imlonghao
@yinmin
The openssl s_client output from the server in the original post was trimmed; attached is the full output from the server. Please help me analyse it again.
(From my local computer, remote openssl s_client really does print only what was shown in the original post.)

```
]# openssl s_client -connect 127.0.0.1:443 -servername <mydomain> -tls1_2
Connecting to 127.0.0.1
CONNECTED(00000003)
depth=2 C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., CN=Go Daddy Root Certificate Authority - G2
verify return:1
depth=1 C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http://certs.godaddy.com/repository/, CN=Go Daddy Secure Certificate Authority - G2
verify return:1
depth=0 CN=<mydomain>
verify return:1
---
Certificate chain
0 s:CN=<mydomain>
i:C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http://certs.godaddy.com/repository/, CN=Go Daddy Secure Certificate Authority - G2
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: May 20 15:21:22 2025 GMT; NotAfter: May 17 16:36:03 2026 GMT
1 s:C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http://certs.godaddy.com/repository/, CN=Go Daddy Secure Certificate Authority - G2
i:C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., CN=Go Daddy Root Certificate Authority - G2
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: May 3 07:00:00 2011 GMT; NotAfter: May 3 07:00:00 2031 GMT
2 s:C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., CN=Go Daddy Root Certificate Authority - G2
i:C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., CN=Go Daddy Root Certificate Authority - G2
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: Sep 1 00:00:00 2009 GMT; NotAfter: Dec 31 23:59:59 2037 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIGnTCCBYWgAwIBAgIIGPt1YDQrjy0wDQYJKoZIhvcNAQELBQAwgbQxCzAJBgNV
...
<my domain's certificate from the chain goes here>
...
s8wbaC5EDsx+8JgXnfkrV+Nmu1Otjk8J5S5XC5QKRAPJHt9bgQqyip3TqMUv2GK+
Rd8r/UvGlDdOcD9PjbumtlY=
-----END CERTIFICATE-----
subject=CN=<mydomain>
issuer=C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http://certs.godaddy.com/repository/, CN=Go Daddy Secure Certificate Authority - G2
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4585 bytes and written 306 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: C96377F72C65D5EC8DAF9C91D0140D712E8D57ACDAD9EDC068093B8B2A31B157
Session-ID-ctx:
Master-Key: <master-key>
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - 53 90 67 e5 c4 27 ff a2-27 85 5a 1e c4 23 da 66 S.g..'..'.Z..#.f
0010 - 20 90 d9 9c 30 02 03 33-36 2c c0 60 be 35 5b ef ...0..36,.`.5[.
...
<ticket bytes>
...
00b0 - 83 5a 7b 04 a4 24 4f 78-30 13 3d dc b4 d6 cf 5b .Z{..$Ox0.=....[
00c0 - 23 1b 6f 13 3c d1 cd 2b-27 10 e9 73 98 14 12 88 #.o.<..+'..s....

Start Time: 1747870061
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: yes
---
```

```
]# openssl s_client -connect 127.0.0.1:443 -servername <mydomain> -tls1_3
Connecting to 127.0.0.1
CONNECTED(00000003)
depth=2 C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., CN=Go Daddy Root Certificate Authority - G2
verify return:1
depth=1 C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http://certs.godaddy.com/repository/, CN=Go Daddy Secure Certificate Authority - G2
verify return:1
depth=0 CN=<mydomain>
verify return:1
---
Certificate chain
0 s:CN=<mydomain>
i:C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http://certs.godaddy.com/repository/, CN=Go Daddy Secure Certificate Authority - G2
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: May 20 15:21:22 2025 GMT; NotAfter: May 17 16:36:03 2026 GMT
1 s:C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http://certs.godaddy.com/repository/, CN=Go Daddy Secure Certificate Authority - G2
i:C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., CN=Go Daddy Root Certificate Authority - G2
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: May 3 07:00:00 2011 GMT; NotAfter: May 3 07:00:00 2031 GMT
2 s:C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., CN=Go Daddy Root Certificate Authority - G2
i:C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., CN=Go Daddy Root Certificate Authority - G2
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: Sep 1 00:00:00 2009 GMT; NotAfter: Dec 31 23:59:59 2037 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIGnTCCBYWgAwIBAgIIGPt1YDQrjy0wDQYJKoZIhvcNAQELBQAwgbQxCzAJBgNV
...
<my domain's certificate from the chain goes here>
...
s8wbaC5EDsx+8JgXnfkrV+Nmu1Otjk8J5S5XC5QKRAPJHt9bgQqyip3TqMUv2GK+
Rd8r/UvGlDdOcD9PjbumtlY=
-----END CERTIFICATE-----
subject=CN=<mydomain>
issuer=C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http://certs.godaddy.com/repository/, CN=Go Daddy Secure Certificate Authority - G2
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4472 bytes and written 337 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: 1AA499F79A02004C1CE7A8ABB10442C98368AB4E9785F41CF5D437814A650E87
Session-ID-ctx:
Resumption PSK: <psk1>
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - 53 90 67 e5 c4 27 ff a2-27 85 5a 1e c4 23 da 66 S.g..'..'.Z..#.f
...
<ticket bytes>
...
00e0 - 6a 84 8c 80 38 33 bf ce-1d 90 cd 0f 46 15 85 d7 j...83......F...

Start Time: 1747871955
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: 1025C633FC134C05A436C162715C67318105374FE8AC4A34D99A296059DCC20C
Session-ID-ctx:
Resumption PSK: <psk2>
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - 53 90 67 e5 c4 27 ff a2-27 85 5a 1e c4 23 da 66 S.g..'..'.Z..#.f
0010 - d2 c5 3c 4c 7b 8d 26 95-27 ae d4 e4 49 cf 6a 8c ..<L{.&.'...I.j.
0020 - 7b 70 d3 5d d6 17 ca 4a-a4 f1 b2 3a d2 6d 0d e6 {p.]...J...:.m..
...
<ticket bytes>
...
00d0 - 66 42 54 82 9d 48 5f 90-00 6e 7b 64 29 11 75 99 fBT..H_..n{d).u.
00e0 - a1 91 0e 0d 35 2b 0e 65-d4 ea c9 30 6a 61 f5 16 ....5+.e...0ja..

Start Time: 1747871955
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
```
insomniowl
113 days ago
@yinmin With the VPN on Windows turned off it still works; yesterday I tried on other people's Windows computers and it worked too.
insomniowl
113 days ago
@ysc3839 Just tried: Chrome/Edge on macOS can both open it... no VPN.
yinmin
113 days ago
1. Ping the domain from different computers and check whether the returned IP looks abnormal.

2. Check whether the domain's DNS has a type 65 (HTTPS) record; if it does, delete it and try again.
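The second suggestion is worth being able to check without a third-party tool, because Safari on iOS/macOS does query HTTPS (type 65) records and honours their hints, which can make a stale record affect only Apple clients. The Python below is an added example, not from the thread or from any poster: it builds the same wire-format query `dig HTTPS <domain>` would send, decodes the answer including its SvcParams (alpn, port, ipv4hint, ech, ipv6hint), and uses only the standard library. The resolver address in `query_https` is a parameter you supply; `CONSTRUCTED_RESPONSE` is a hand-built reply for example.com so the decoder can be exercised offline.

```python
"""Look up and decode a DNS HTTPS (type 65) record, standard library only (added example)."""
import socket
import struct

TYPE_HTTPS = 65
SVCPARAM_KEYS = {0: "mandatory", 1: "alpn", 2: "no-default-alpn", 3: "port",
                 4: "ipv4hint", 5: "ech", 6: "ipv6hint"}


def _encode_name(name: str) -> bytes:
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_https_query(domain: str, txid: int = 0x1234) -> bytes:
    """Wire-format query equivalent to `dig HTTPS <domain>` (RD set, one question)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + _encode_name(domain) + struct.pack("!HH", TYPE_HTTPS, 1)


def _read_name(msg: bytes, off: int):
    """Decode a possibly compressed name; return (name, offset just after it)."""
    labels, end, jumped = [], off, False
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                      # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            off, jumped = ptr, True
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    if not jumped:
        end = off
    return ".".join(labels) or ".", end


def _decode_https_rdata(rdata: bytes) -> dict:
    """SvcPriority, TargetName, then SvcParams (RFC 9460 wire format)."""
    priority, = struct.unpack("!H", rdata[:2])
    target, off = _read_name(rdata, 2)
    params = {}
    while off < len(rdata):
        key, ln = struct.unpack("!HH", rdata[off:off + 4])
        val = rdata[off + 4:off + 4 + ln]
        off += 4 + ln
        name = SVCPARAM_KEYS.get(key, f"key{key}")
        if name == "alpn":                          # list of length-prefixed protocol ids
            alpns, i = [], 0
            while i < len(val):
                n = val[i]
                alpns.append(val[i + 1:i + 1 + n].decode("ascii"))
                i += 1 + n
            params[name] = alpns
        elif name == "port":
            params[name] = struct.unpack("!H", val)[0]
        elif name == "ipv4hint":
            params[name] = [socket.inet_ntop(socket.AF_INET, val[i:i + 4]) for i in range(0, len(val), 4)]
        elif name == "ipv6hint":
            params[name] = [socket.inet_ntop(socket.AF_INET6, val[i:i + 16]) for i in range(0, len(val), 16)]
        else:
            params[name] = val.hex()               # ech, mandatory, unknown keys: raw hex
    return {"priority": priority, "target": target, "params": params}


def parse_https_answers(msg: bytes) -> list:
    """Return the HTTPS records found in the answer section of a DNS response."""
    _txid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                              # skip the echoed question
        _, off = _read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        owner, off = _read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == TYPE_HTTPS:
            answers.append({"owner": owner, "ttl": ttl, **_decode_https_rdata(rdata)})
    return answers


def query_https(domain: str, resolver: str, timeout: float = 3.0) -> list:
    """Send the query over UDP to `resolver` (your choice) and decode the HTTPS answers."""
    q = build_https_query(domain)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (resolver, 53))
        resp, _ = s.recvfrom(4096)
    if resp[:2] != q[:2]:
        raise ValueError("DNS transaction id mismatch")
    return parse_https_answers(resp)


# Constructed response: "example.com. 3600 IN HTTPS 1 . alpn=h2 ipv4hint=192.0.2.1"
CONSTRUCTED_RESPONSE = (
    b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"  # header: response, 1 question, 1 answer
    + b"\x07example\x03com\x00\x00\x41\x00\x01"            # question: example.com HTTPS IN
    + b"\xc0\x0c\x00\x41\x00\x01\x00\x00\x0e\x10\x00\x12"  # owner ptr, HTTPS, IN, TTL 3600, rdlen 18
    + b"\x00\x01\x00"                                      # priority 1, target "."
    + b"\x00\x01\x00\x03\x02h2"                            # alpn = ["h2"]
    + b"\x00\x04\x00\x04\xc0\x00\x02\x01"                  # ipv4hint = [192.0.2.1]
)
```

An empty list from `query_https(domain, resolver)` means no HTTPS record is published at that resolver; a non-empty one shows exactly which alpn, port and address hints Apple clients will act on, which is the record the reply suggests removing for the test.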
Simmons
113 days ago
I looked at your domain: it has no ICP filing and resolves to a domestic cloud.

Full thread: https://www.v2ex.com/t/1133379