https SSL 握手时间过长，大于 3 秒

看一下 conf

curl 网站 https 地址 -vvv

上 cdn

估计是 CA 验证在国外导致的，nginx 配置一下 ocsp stapling 吧。

OCSP 域名被污染了，需要换证书或者客户端翻墙
可能直接换证书最快
加 OCSP Stapling 也不一定有效

@jaylee4869

### 1. ngxin.conf 配置如下

```conf
user www-data;
worker_processes auto;
pid /run/nginx.pid;

events {
worker_connections 768;
# multi_accept on;
}

http {

##
# Basic Settings
##

sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
# server_tokens off;

# server_names_hash_bucket_size 64;
# server_name_in_redirect off;

include /etc/nginx/mime.types;
default_type application/octet-stream;

##
# SSL Settings
##

ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on;

##
# Logging Settings
##

access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;

##
# Gzip Settings
##

gzip on;
gzip_disable "msie6";

gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_buffers 16 8k;
gzip_http_version 1.1;
gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

##
# Virtual Host Configs
##

include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}
```

### 2. 网站 dev.example.com 配置如下：

```conf
server {
listen 80;
listen [::]:80;

server_name dev.example.com;

location / {
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-Proto https;
proxy_pass http://112.74.113.106:8090;
}

listen [::]:443 ssl; # managed by Certbot
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
```conf

### 3. curl -vvv https://dev.example.com 输出如下：

```conf
* Rebuilt URL to: https://dev.example.com/
* Trying 112.74.90.77...
* TCP_NODELAY set
* Connected to dev.example.com (112.74.90.77) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: /etc/ssl/cert.pem
CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-CHACHA20-POLY1305
* ALPN, server accepted to use http/1.1
* Server certificate:
* subject: CN=*.example.com
* start date: Apr 29 13:04:41 2020 GMT
* expire date: Jul 28 13:04:41 2020 GMT
* subjectAltName: host "dev.example.com" matched cert's "*.example.com"
* issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
* SSL certificate verify ok.
> GET / HTTP/1.1
> Host: dev.example.com
> User-Agent: curl/7.54.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Server: nginx/1.14.0 (Ubuntu)
< Date: Mon, 18 May 2020 10:38:26 GMT
< Content-Type: text/html
< Content-Length: 2878
< Last-Modified: Sun, 17 May 2020 10:44:30 GMT
< Connection: keep-alive
< ETag: "5ec1158e-b3e"
< Accept-Ranges: bytes
```

* 域名和 IP 进行了替换，还请谅解。 *

@jacklin96
"更换证书"是指换其他 CA 比如 Symantec 、GlobalSign 、GeoTrust 还是用 Let's Encrypt 重新生成证书？

let's encrypt 的证书 服务端配置一下 ocsp stapling 吧
或者买其他家的证书 就是买 Symantec 、GlobalSign 、GeoTrust 之类的

我也有同样的问题。

开一下 ocsp 装订试试 虽然我觉得可能没用 chrome 应该是不检查 ocsp 的

ocsp 服务器坏了

被迫换了阿里云免费证书。

OCSP 服务器连接不上, ping ocsp.int-x3.letsencrypt.org 超时

通过 openssl 验证超时：

```
openssl ocsp -issuer fullchain.pem -cert cert.pem -text -url http://ocsp.int-x3.letsencrypt.org
OCSP Request Data:
Version: 1 (0x0)
Requestor List:
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: 7EE66AE7729AB3FCF8A220646C16A12D6071085D
Issuer Key Hash: 25AA0A105713B51AB5A49554679566211FA63FCF
Serial Number: 03638E20AC5D648DA7DB51EA00638CFAEF33
Request Extensions:
OCSP Nonce:
0410053BDB6861C216D9924BC81A9295430F
Error connecting BIO
Error querying OCSP responder
4733388396:error:02FFF03C:system library:func(4095):Operation timed out:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-22.260.1/libressl-2.6/crypto/bio/bss_conn.c:244:host=ocsp.int-x3.letsencrypt.org:80
4733388396:error:20FFF067:BIO routines:CRYPTO_internal:connect error:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-22.260.1/libressl-2.6/crypto/bio/bss_conn.c:247:
```

@constructor 换其他 CA 就行，国内目前只能远离 Let's Encrypt

LE 现在不稳定