nginx https error_log debug 日志:SSL_do_handshake() failed (SSL: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:SSL alert number 46)
基本功能就是反向代理,8443端口识别各种location做proxy_pass
但是,今天不知道为什么,发现nginx错误日志error_log里面全是这个错误
2022/03/24 22:31:53 [info] 19881#0: *183 SSL_do_handshake() failed (SSL: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:SSL alert number 46) while SSL handshaking, client: 192.168.1.10, server: 0.0.0.0:8443
网上看了各种解决方法,试了没用。
想从原理入手排查,但我搞不懂 HTTPS 是怎么握手的,也不清楚有哪些握手错误。
大家帮忙看看,找找什么问题
(至少告诉我这个错误是什么意思,好让我有解决的思路)
访问链接:https://192.168.1.1:8443/netdata/
下面是nginx的配置
# This file is re-created when Nginx starts.
# Consider using UCI or creating files in /etc/nginx/conf.d/ for configuration.
# Parsing UCI configuration is skipped if uci set nginx.global.uci_enable=false
# For details see: https://openwrt.org/docs/guide-user/services/webserver/nginx
# Main-context settings.
# "auto" lets nginx pick the number of worker processes itself.
worker_processes auto;
# NOTE(review): worker processes run as root, so a flaw in request handling is
# not contained by an unprivileged account. This file is generated at start-up
# (see the header above); check what the generator allows before changing it.
user root;
# Empty events block: connection-processing settings stay at nginx defaults.
events {}
http {
# http-level defaults, inherited by the server blocks below unless overridden.
access_log off; # logd openwrt
# Access-log line format: method, full URL, status, bytes sent, request time, referer.
# NOTE(review): $request_uri includes the query string, so anything sensitive
# passed in a URL is written to the access log.
log_format openwrt
'$request_method $scheme://$host$request_uri => $status'
' (${body_bytes_sent}B in ${request_time}s) <- $http_referer';
include mime.types;
default_type application/octet-stream;
sendfile on;
# Request bodies up to 128 MB are accepted (presumably sized for uploads — confirm).
client_max_body_size 128M;
# At most two 1 KB buffers for oversized request lines/headers; anything that
# does not fit is rejected.
large_client_header_buffers 2 1k;
# Response compression; "gzip_proxied any" also compresses responses to
# requests that arrived through a proxy.
gzip on;
gzip_vary on;
gzip_proxied any;
root /www;
# HTTPS virtual host, default server on port 8443 for IPv4 and IPv6.
server { #see uci show 'nginx._lan'
listen 8443 ssl default_server;
listen [::]:8443 ssl default_server;
server_name _lan;
# Included file is not shown here; by its name it presumably limits access to
# local clients — verify its contents, since every location below relies on it.
include restrict_locally;
# Pulls in every *.locations file from conf.d/ as location blocks of this server.
include conf.d/*.locations;
# Certificate and private key presented to clients. No ssl_protocols or
# ssl_ciphers are set in this block, so nginx defaults apply unless they are
# set elsewhere.
# NOTE(review): confirm the key file is readable by root only.
ssl_certificate /etc/sslcert/nginx_lan.crt;
ssl_certificate_key /etc/sslcert/nginx_lan.key;
ssl_session_cache shared:SSL:32k;
ssl_session_timeout 64m;
access_log /var/log/nginx/access_log.log openwrt;
# Level "info" is why aborted handshakes show up in this log at all.
# In "ssl3_read_bytes:sslv3 alert certificate unknown (SSL alert number 46)" the
# alert was READ from the peer: the client rejected this server's certificate
# and dropped that connection. Common causes are a self-signed or otherwise
# untrusted certificate, or a certificate whose names do not cover the address
# in the URL. It does not indicate a broken key or a server-side TLS fault.
# The fix is on the trust side (issue a certificate the clients trust and that
# names the host/IP they use); raising the level to "notice" only hides the line.
error_log /var/log/nginx/error_log.log info;
}
# Plain-HTTP listener on port 8880 that only redirects to the HTTPS server on 8443.
server { #see uci show 'nginx._redirect2ssl'
listen 8880;
listen [::]:8880;
server_name _redirect2ssl;
# Temporary (302) redirect to the same host and URI on port 8443.
# NOTE(review): $host is taken from the request itself, so the redirect target
# follows whatever host name the client sent.
return 302 https://$host:8443$request_uri;
}
。。。。。。
include conf.d/*.conf;
}
locations的目录结构
root@openwrt_d2550:~# ll /etc/nginx/conf.d/
drwxr-xr-x 1 root root 4096 Mar 24 22:30 ./
drwxr-xr-x 1 root root 4096 Mar 24 20:50 ../
-rw------- 1 root root 653 Mar 24 19:24 luci.locations
-rw------- 1 root root 553 Mar 24 19:24 luci.locations.bak
-rw-r--r-- 1 root root 441 Mar 24 22:30 reverse_proxy.locations
root@openwrt_d2550:~#
reverse_proxy.locations
root@openwrt_d2550:~# cat /etc/nginx/conf.d/reverse_proxy.locations
# Reverse proxy: /netdata/ on the HTTPS server -> service on 127.0.0.1:19999.
location /netdata/ {
# proxy_ssl_session_reuse on;
# Pass the original host, client address and scheme on to the upstream.
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
# $proxy_add_x_forwarded_for appends the client address to any X-Forwarded-For
# value the client already sent, so the upstream must not trust the whole list.
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# The "/" URI on proxy_pass replaces the matched /netdata/ prefix before the
# request is forwarded. The upstream hop is plain HTTP over loopback; TLS ends
# at nginx.
# NOTE(review): this block has no auth or allow/deny rule of its own; access
# control is whatever the enclosing server applies — confirm that is enough
# for this dashboard.
proxy_pass http://127.0.0.1:19999/;
# return 302 https://$host:8443$request_uri;
}
luci.locations
root@openwrt_d2550:~# cat /etc/nginx/conf.d/luci.locations
# LuCI web UI: URIs starting with /cgi-bin/luci go to a uwsgi backend over a
# Unix socket.
location /cgi-bin/luci {
index index.html;
include uwsgi_params;
uwsgi_param SERVER_ADDR $server_addr;
# modifier1 = 9 presumably selects uwsgi's CGI handling — confirm against the
# uwsgi configuration.
uwsgi_modifier1 9;
uwsgi_pass unix:////var/run/luci-webui.socket;
# Disabled debugging leftovers below.
# default_type "application/octet-stream";
# default_type "text/html";
# return 200 "haha";
}
# Case-sensitive regex location for the cgi-backup / cgi-download / cgi-upload /
# cgi-exec endpoints, served by a second uwsgi socket.
# NOTE(review): the pattern has no ^ anchor, so it matches wherever this
# substring occurs in the URI. By their names these endpoints are sensitive;
# authentication is presumably enforced by the backend — confirm.
location ~ /cgi-bin/cgi-(backup|download|upload|exec) {
include uwsgi_params;
uwsgi_param SERVER_ADDR $server_addr;
uwsgi_modifier1 9;
uwsgi_pass unix:////var/run/luci-cgi_io.socket;
}
# Static LuCI assets: only errors of level "crit" and above are logged, and
# they go to stderr instead of the server's error_log file.
location /luci-static {
error_log stderr crit;
}
# /ubus is handled by the nginx ubus module, which talks to the ubus socket
# given below.
# NOTE(review): this exposes the router's RPC bus over HTTPS; access depends on
# the server-level restrictions and on ubus' own session/ACL checks — confirm both.
location /ubus {
ubus_interpreter;
ubus_socket_path /var/run/ubus/ubus.sock;
# Presumably caps the number of requests processed in parallel — confirm.
ubus_parallel_req 2;
}
证书
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
虽然日志里一直有这个报错,页面还是能正常访问(这条日志的级别是 info,说明只是部分连接的握手被中止,并不是整个服务不可用)。