Symptoms:
Windows Edge/Chrome/Firefox all open the site normally, and the padlock in the address bar shows as secure.
iPhone Safari reports "Safari cannot open the page because the network connection was lost."
iPhone Edge reports "The connection to this site is not secure".
macOS Safari reports "Safari can't open the page "https://<mydomain>/xx/xxx" because Safari can't establish a secure connection to the server "<mydomain>"".
I asked OpenAI's model; so far I have been digging in the TLS direction.
On the server:
```
]# openssl s_client -connect 127.0.0.1:443 -servername <mydomain> -tls1_2
]# openssl s_client -connect 127.0.0.1:443 -servername <mydomain> -tls1_3
```
Both print the Protocol, Cipher, certificate chain and certificate normally:
```
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
```
```
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
```
On my own machine (Windows WSL / macOS Terminal) the output is as follows:
```
$ openssl s_client -connect <myip>:443 -servername <mydomain> -tls1_2
CONNECTED(00000003)
write:errno=0
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 213 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1747836333
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---
```
```
$ openssl s_client -connect <myip>:443 -servername <mydomain> -tls1_3
CONNECTED(00000003)
write:errno=0
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 240 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
```
The ECS security group has been checked and is fine; port 443 is fully open.
OS: AlmaLinux 9
Nginx information:
```
]# nginx -V
nginx version: nginx/1.27.5
built by gcc 11.5.0 20240719 (Red Hat 11.5.0-5) (GCC)
built with OpenSSL 3.2.2 4 Jun 2024
TLS SNI support enabled
```
Does anyone have any ideas? Please point me in the right direction~~
1
hefish 109 days ago
Incomplete certificate. Five characters, that's all.
2
insomniowl OP @hefish But the browsers on Windows can see the complete certificate chain...
3
hefish 109 days ago
@insomniowl I have run into exactly this. In the end it turned out the chain had not been fully concatenated when the certificates were merged.
4
ysc3839 109 days ago
What about Chrome on macOS?
5
imlonghao 109 days ago via iPhone
Incomplete certificate chain
6
imlonghao 109 days ago via iPhone
openssl s_client definitely returns more than these few lines; you have cut out the important parts.
7
yinmin 109 days ago via iPhone
1. Even with an incomplete chain, openssl still returns the certificate, so this is not an incomplete chain.
2. Using HTTPS on a mainland China ECS requires the domain to have an ICP filing (备案). Without one, Alibaba Cloud blocks HTTPS connections. For a domestic ECS, make sure the domain is filed.
3. Stop nginx and test with openssl again: it should fail to connect, rather than show "connected" with no certificate returned. If it still connects with nginx stopped, check the network and the server configuration.
4. Your Windows machines can access it: is a VPN/proxy (科学上网) turned on? Turn it off and test again, or try a different Windows machine.
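An added example, not from the thread: a POSIX shell script that runs the same `openssl s_client` probes the OP used and classifies each result into one of three outcomes, so that the remote symptom in the post (`write:errno=0` together with `SSL handshake has read 0 bytes`, meaning the peer accepted the TCP connection and then closed it after the ClientHello without sending back a single TLS record) is told apart from a completed handshake and from a refused connection (what yinmin's step 3 expects once nginx is stopped). It also sends the same ClientHello three ways, with the real name, an unrelated name and no SNI at all, which is the quickest way to see whether whatever is cutting the connection is keyed on the hostname in the ClientHello, as a hostname-based block in front of the server would be; that interpretation is an assumption, as are the placeholder host, port and names. The embedded samples are constructed (abridged from the outputs quoted in the post) so the classifier can be checked offline.

```shell
#!/bin/sh
# Added diagnostic, not code from the thread. Classifies `openssl s_client` runs so
# that a completed handshake, a TCP connection the peer closed before sending any TLS
# record ("write:errno=0", "read 0 bytes"), and no TCP connection at all can be told
# apart. PROBE_HOST/PROBE_NAME and "unrelated.example" are placeholders (assumptions).

# classify_sclient_output OUTPUT
# Prints one of: handshake_ok, closed_after_hello, connect_failed, unknown.
classify_sclient_output() {
    out=$1
    case $out in
        *"CONNECTED("*) ;;                        # TCP connect succeeded
        *) echo connect_failed; return 0 ;;       # nothing listening / filtered
    esac
    case $out in
        # Peer closed the socket after our ClientHello: no alert, zero bytes read.
        *"SSL handshake has read 0 bytes"*) echo closed_after_hello; return 0 ;;
    esac
    case $out in
        # A chain was presented and a real cipher negotiated.
        *"Certificate chain"*"Cipher is "*) echo handshake_ok; return 0 ;;
    esac
    echo unknown
}

# probe HOST PORT SNI [openssl args...]
# An empty SNI sends a ClientHello with no server_name extension (-noservername,
# available in OpenSSL 1.1.1 and later). Prints: host:port <tab> sni <tab> verdict
probe() {
    host=$1; port=$2; sni=$3; shift 3
    if [ -n "$sni" ]; then
        out=$(openssl s_client -connect "$host:$port" -servername "$sni" "$@" </dev/null 2>&1) || true
    else
        out=$(openssl s_client -connect "$host:$port" -noservername "$@" </dev/null 2>&1) || true
    fi
    printf '%s\t%s\t%s\n' "$host:$port" "${sni:-<no SNI>}" "$(classify_sclient_output "$out")"
}

# probe_matrix HOST PORT REALNAME
# Same endpoint, three ClientHellos: the real name, an unrelated name, and no SNI.
# If only the real name comes back closed_after_hello while the other two complete
# (nginx would answer those from its default server block), the thing cutting the
# connection keys on the hostname in the ClientHello, not on the IP or the port.
# Run it on the server against 127.0.0.1 and from outside against the public IP.
probe_matrix() {
    host=$1; port=$2; name=$3
    probe "$host" "$port" "$name" -tls1_2
    probe "$host" "$port" "$name" -tls1_3
    probe "$host" "$port" "unrelated.example" -tls1_2
    probe "$host" "$port" "" -tls1_2
}

# Constructed samples, abridged from the outputs quoted in the post, so the
# classifier can be exercised without network access.
SAMPLE_REMOTE='CONNECTED(00000003)
write:errno=0
---
no peer certificate available
---
SSL handshake has read 0 bytes and written 213 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)'

SAMPLE_LOCAL='CONNECTED(00000003)
depth=0 CN=<mydomain>
verify return:1
---
Certificate chain
 0 s:CN=<mydomain>
---
SSL handshake has read 4585 bytes and written 306 bytes
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384'

SAMPLE_REFUSED='Connecting to 127.0.0.1
connect:errno=111'

# Only touch the network when asked:
#   PROBE_HOST=<myip> PROBE_NAME=<mydomain> sh probe.sh
if [ -n "${PROBE_HOST:-}" ]; then
    probe_matrix "$PROBE_HOST" "${PROBE_PORT:-443}" "${PROBE_NAME:?set PROBE_NAME}"
else
    for s in "$SAMPLE_REMOTE" "$SAMPLE_LOCAL" "$SAMPLE_REFUSED"; do
        classify_sclient_output "$s"
    done
fi
```

Reading the matrix: the server-side run should be four `handshake_ok` lines (nginx serves the default certificate for the unrelated name and for no SNI). If the run from outside shows `closed_after_hello` for the real name only, the drop happens on the path and is triggered by the name; if every line from outside is `closed_after_hello` or `connect_failed` while nginx is up, look at the path or the security group instead; and with nginx stopped, `connect_failed` everywhere is the expected result, while `closed_after_hello` would mean something other than nginx is accepting the connection.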
8
insomniowl OP @hefish
@imlonghao @yinmin The server-side openssl s_client output in the original post was truncated. Here is the complete output from the server; please have another look (the remote openssl s_client from my own computer really did print only what is shown in the original post).
```
]# openssl s_client -connect 127.0.0.1:443 -servername <mydomain> -tls1_2
Connecting to 127.0.0.1
CONNECTED(00000003)
depth=2 C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., CN=Go Daddy Root Certificate Authority - G2
verify return:1
depth=1 C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http://certs.godaddy.com/repository/, CN=Go Daddy Secure Certificate Authority - G2
verify return:1
depth=0 CN=<mydomain>
verify return:1
---
Certificate chain
 0 s:CN=<mydomain>
   i:C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http://certs.godaddy.com/repository/, CN=Go Daddy Secure Certificate Authority - G2
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: May 20 15:21:22 2025 GMT; NotAfter: May 17 16:36:03 2026 GMT
 1 s:C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http://certs.godaddy.com/repository/, CN=Go Daddy Secure Certificate Authority - G2
   i:C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., CN=Go Daddy Root Certificate Authority - G2
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: May 3 07:00:00 2011 GMT; NotAfter: May 3 07:00:00 2031 GMT
 2 s:C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., CN=Go Daddy Root Certificate Authority - G2
   i:C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., CN=Go Daddy Root Certificate Authority - G2
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Sep 1 00:00:00 2009 GMT; NotAfter: Dec 31 23:59:59 2037 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIGnTCCBYWgAwIBAgIIGPt1YDQrjy0wDQYJKoZIhvcNAQELBQAwgbQxCzAJBgNV
... <this is my domain's certificate from the chain> ...
s8wbaC5EDsx+8JgXnfkrV+Nmu1Otjk8J5S5XC5QKRAPJHt9bgQqyip3TqMUv2GK+
Rd8r/UvGlDdOcD9PjbumtlY=
-----END CERTIFICATE-----
subject=CN=<mydomain>
issuer=C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http://certs.godaddy.com/repository/, CN=Go Daddy Secure Certificate Authority - G2
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4585 bytes and written 306 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: C96377F72C65D5EC8DAF9C91D0140D712E8D57ACDAD9EDC068093B8B2A31B157
    Session-ID-ctx:
    Master-Key: <master-key>
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 53 90 67 e5 c4 27 ff a2-27 85 5a 1e c4 23 da 66   S.g..'..'.Z..#.f
    0010 - 20 90 d9 9c 30 02 03 33-36 2c c0 60 be 35 5b ef    ...0..36,.`.5[.
    ... <a run of ticket bytes> ...
    00b0 - 83 5a 7b 04 a4 24 4f 78-30 13 3d dc b4 d6 cf 5b   .Z{..$Ox0.=....[
    00c0 - 23 1b 6f 13 3c d1 cd 2b-27 10 e9 73 98 14 12 88   #.o.<..+'..s....

    Start Time: 1747870061
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---
```
```
]# openssl s_client -connect 127.0.0.1:443 -servername <mydomain> -tls1_3
Connecting to 127.0.0.1
CONNECTED(00000003)
depth=2 C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., CN=Go Daddy Root Certificate Authority - G2
verify return:1
depth=1 C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http://certs.godaddy.com/repository/, CN=Go Daddy Secure Certificate Authority - G2
verify return:1
depth=0 CN=<mydomain>
verify return:1
---
Certificate chain
 0 s:CN=<mydomain>
   i:C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http://certs.godaddy.com/repository/, CN=Go Daddy Secure Certificate Authority - G2
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: May 20 15:21:22 2025 GMT; NotAfter: May 17 16:36:03 2026 GMT
 1 s:C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http://certs.godaddy.com/repository/, CN=Go Daddy Secure Certificate Authority - G2
   i:C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., CN=Go Daddy Root Certificate Authority - G2
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: May 3 07:00:00 2011 GMT; NotAfter: May 3 07:00:00 2031 GMT
 2 s:C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., CN=Go Daddy Root Certificate Authority - G2
   i:C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., CN=Go Daddy Root Certificate Authority - G2
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Sep 1 00:00:00 2009 GMT; NotAfter: Dec 31 23:59:59 2037 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIGnTCCBYWgAwIBAgIIGPt1YDQrjy0wDQYJKoZIhvcNAQELBQAwgbQxCzAJBgNV
... <this is my domain's certificate from the chain> ...
s8wbaC5EDsx+8JgXnfkrV+Nmu1Otjk8J5S5XC5QKRAPJHt9bgQqyip3TqMUv2GK+
Rd8r/UvGlDdOcD9PjbumtlY=
-----END CERTIFICATE-----
subject=CN=<mydomain>
issuer=C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http://certs.godaddy.com/repository/, CN=Go Daddy Secure Certificate Authority - G2
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4472 bytes and written 337 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 1AA499F79A02004C1CE7A8ABB10442C98368AB4E9785F41CF5D437814A650E87
    Session-ID-ctx:
    Resumption PSK: <psk1>
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 53 90 67 e5 c4 27 ff a2-27 85 5a 1e c4 23 da 66   S.g..'..'.Z..#.f
    ... <a run of ticket bytes> ...
    00e0 - 6a 84 8c 80 38 33 bf ce-1d 90 cd 0f 46 15 85 d7   j...83......F...

    Start Time: 1747871955
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 1025C633FC134C05A436C162715C67318105374FE8AC4A34D99A296059DCC20C
    Session-ID-ctx:
    Resumption PSK: <psk2>
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 53 90 67 e5 c4 27 ff a2-27 85 5a 1e c4 23 da 66   S.g..'..'.Z..#.f
    0010 - d2 c5 3c 4c 7b 8d 26 95-27 ae d4 e4 49 cf 6a 8c   ..<L{.&.'...I.j.
    0020 - 7b 70 d3 5d d6 17 ca 4a-a4 f1 b2 3a d2 6d 0d e6   {p.]...J...:.m..
    ... <a run of ticket bytes> ...
    00d0 - 66 42 54 82 9d 48 5f 90-00 6e 7b 64 29 11 75 99   fBT..H_..n{d).u.
    00e0 - a1 91 0e 0d 35 2b 0e 65-d4 ea c9 30 6a 61 f5 16   ....5+.e...0ja..

    Start Time: 1747871955
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
```
9
insomniowl OP @yinmin With the proxy on Windows turned off it can still be accessed; yesterday I tried on someone else's Windows PC and it worked as well.
10
insomniowl OP @ysc3839 Just tried: Chrome/Edge on macOS can both access it... with no proxy on.
11
yinmin 109 days ago via iPhone
1. ping the domain from different computers and check whether the returned IP looks abnormal.
2. Check whether the domain's DNS has a type 65 (HTTPS) record configured; if it does, delete it and try again.
12
Simmons 109 days ago via iPhone
I looked at your domain: it has no ICP filing and is resolving to a mainland China cloud.