Visiting a.com gives ERR_SSL_PROTOCOL_ERROR, but visiting www.a.com works fine. What kinds of problems could cause this?

2018-06-13 18:24:00 +08:00
 fourstring

As in the title. The web server is nginx-1.15.0, and the certificate is an ordinary SAN certificate issued via certbot that contains only a.com and www.a.com.

The output of nginx -V is:

nginx version: nginx/1.15.0
built by gcc 7.3.0 (Ubuntu 7.3.0-16ubuntu3)
built with OpenSSL 1.1.1-pre7 (beta) 29 May 2018
TLS SNI support enabled
configure arguments: --user=www --group=www --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_ssl_module --with-http_gzip_static_module --with-http_v2_module --with-openssl=../openssl-1.1.1-pre7 --with-openssl-opt=enable-tls1_3 --add-module=../nginx-ct

The nginx configuration is:

server {
    server_name a.com www.a.com;
    listen               443 ssl http2;
    root /home/wwwroot/hexo;
    server_tokens        off;
    ssl_ct on;
    ssl_certificate      /etc/letsencrypt/a.com.rsa.pem;
    ssl_certificate_key  /etc/letsencrypt/a.com.rsa.key;
    ssl_ct_static_scts   /etc/letsencrypt/scts/a.com;

    ssl_certificate      /etc/letsencrypt/a.com.ecc.pem;
    ssl_certificate_key  /etc/letsencrypt/a.com.ecc.key;
    ssl_ct_static_scts   /etc/letsencrypt/scts/a.com;
    ssl_dhparam          /etc/letsencrypt/dhparams.pem;
    ssl_ciphers 'TLS13-AES-128-GCM-SHA256:TLS13-CHACHA20-POLY1305-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
    ssl_prefer_server_ciphers  on;
    ssl_ecdh_curve secp384r1;
    ssl_protocols              TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_session_cache          shared:SSL:50m;
    ssl_session_timeout        1d;
    ssl_session_tickets        on;
    ssl_stapling               on;
    ssl_stapling_verify        on;
    resolver                   8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout           10s;
    add_header    Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload';
    add_header    Public-Key-Pins 'pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=";pin-sha256="Fbs+o+IxVNTHBpjNQYfX/TBnxPC+OWLYxQLEtqkrAfM=";max-age=2592000; includeSubDomains';
    index index.html;
    location / {
        expires 120s;
    }
    location ~ .*\.(gif|jpg|jpeg|png|bmp|swf|flv|ico)$ {
        expires 30d;
        access_log off;
    }
    location ~ .*\.(js|css)?$ {
        expires 7d;
        access_log off;
    }
}

What areas could the problem be in? Thanks in advance for any pointers.

4005 views
Node: NGINX
21 replies
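A client-side diagnostic that narrows down the question above. This is an added example, not code from the thread or from nginx: it opens one TLS connection per hostname with SNI set to that name, records whether the handshake completed, which protocol version and cipher were negotiated, and which DNS names the presented certificate covers, and then reports what differs between the probes. It separates a handshake that fails before any certificate is seen (the analogue of the browser's ERR_SSL_PROTOCOL_ERROR) from a certificate name mismatch. The hostnames a.com and www.a.com are the thread's placeholders, and the function names `san_covers`, `probe` and `compare` are my own choices.

```python
"""Probe a TLS endpoint once per hostname (SNI) and report what the server
negotiated and which names its certificate covers.

Added example for the thread above; hostnames on the command line are
placeholders (a.com / www.a.com in the thread).
"""
import socket
import ssl
import sys
from typing import Any, Dict, List


def san_covers(hostname: str, sans: List[str]) -> bool:
    """Return True if any DNS SAN entry matches hostname.

    A wildcard only matches a single label, so "*.a.com" covers
    "www.a.com" but neither "a.com" nor "x.www.a.com".
    """
    host = hostname.lower().rstrip(".")
    for san in sans:
        san = san.lower().rstrip(".")
        if san.startswith("*."):
            suffix = san[1:]  # ".a.com"
            prefix = host[: -len(suffix)] if host.endswith(suffix) else ""
            if prefix and "." not in prefix:
                return True
        elif san == host:
            return True
    return False


def probe(hostname: str, port: int = 443, timeout: float = 5.0) -> Dict[str, Any]:
    """Open one TLS connection with SNI=hostname and summarise the outcome."""
    ctx = ssl.create_default_context()
    result: Dict[str, Any] = {
        "sni": hostname, "ok": False, "version": None, "cipher": None,
        "sans": [], "covers_sni": None, "error": None,
    }
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                cert = tls.getpeercert()
                sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
                result.update(
                    ok=True, version=tls.version(), cipher=tls.cipher()[0],
                    sans=sans, covers_sni=san_covers(hostname, sans),
                )
    except (ssl.SSLError, OSError) as exc:
        # A generic SSLError before any certificate arrives is the client-side
        # counterpart of ERR_SSL_PROTOCOL_ERROR; a name mismatch shows up as
        # SSLCertVerificationError instead, which is also an SSLError subclass.
        result["error"] = f"{type(exc).__name__}: {exc}"
    return result


def compare(results: List[Dict[str, Any]]) -> List[str]:
    """List the fields that differ between the first probe and each later one."""
    findings: List[str] = []
    base = results[0]
    for other in results[1:]:
        for key in ("ok", "version", "cipher", "sans"):
            if base[key] != other[key]:
                findings.append(
                    f"{key} differs: {base['sni']}={base[key]!r} "
                    f"vs {other['sni']}={other[key]!r}"
                )
    return findings


if __name__ == "__main__":
    hosts = sys.argv[1:] or ["a.com", "www.a.com"]  # placeholders from the thread
    probes = [probe(h) for h in hosts]
    for p in probes:
        print(p)
    for line in compare(probes) or ["no differences between probes"]:
        print(line)
```

Run it as `python3 tls_probe.py a.com www.a.com` (the file name is arbitrary). If the `ok`, `version` or `sans` fields differ between the two names, the two SNI values are being handled differently on the server side (a different server block or certificate pair is answering); if both probes succeed and agree while the browser still fails on the bare name, the problem lies in the version or extension negotiation between that browser and the server rather than in the certificate's name coverage.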
wql
2018-06-14 08:58:23 +08:00
@fourstring Right, certificates have started embedding SCTs.


https://www.v2ex.com/t/462860
