骆言 2022-03-24 22:53 采纳率: 91.7%

nginx https error_log日志:SSL_do_handshake() failed SSL: error:14094416 routines:ssl3_read_bytes:sslv3

nginx https error_log debug 日志:SSL_do_handshake() failed (SSL: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:SSL alert number 46)

基本功能就是反向代理,8443端口识别各种location做proxy_pass

但是,今天不知道为什么,发现nginx错误日志error_log里面全是这个错误

2022/03/24 22:31:53 [info] 19881#0: *183 SSL_do_handshake() failed (SSL: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:SSL alert number 46) while SSL handshaking, client: 192.168.1.10, server: 0.0.0.0:8443

网上看了各种解决方法,试了没用。

从原理入手,但也搞不懂https是怎么握手的,有哪些握手错误。

大家帮忙看看,找找什么问题
(至少告诉我这个错误是什么意思,好让我有解决的思路)

访问链接:https://192.168.1.1:8443/netdata/

下面是nginx的配置

# This file is re-created when Nginx starts.
# Consider using UCI or creating files in /etc/nginx/conf.d/ for configuration.
# Parsing UCI configuration is skipped if uci set nginx.global.uci_enable=false
# For details see: https://openwrt.org/docs/guide-user/services/webserver/nginx

# Let nginx pick the number of worker processes from the detected CPU cores.
worker_processes auto;

# NOTE(review): worker processes run as root, so a flaw in request handling or
# in a loaded module is not contained by an unprivileged account. The header of
# this file says it is re-created when nginx starts, so a change would have to
# go through UCI / conf.d rather than an edit here.
user root;

# Empty events block: connection-processing settings stay at nginx defaults.
events {}

http {

        access_log off; # logd openwrt
        # Named log format "openwrt"; referenced by the access_log of the _lan server.
        log_format openwrt
                '$request_method $scheme://$host$request_uri => $status'
                ' (${body_bytes_sent}B in ${request_time}s) <- $http_referer';

        include mime.types;
        default_type application/octet-stream;
        sendfile on;

        client_max_body_size 128M;
        # Two 1k buffers for oversized request lines / header fields; a request
        # line or a single header field longer than one buffer is rejected.
        large_client_header_buffers 2 1k;

        gzip on;
        gzip_vary on;
        gzip_proxied any;

        root /www;

        server { #see uci show 'nginx._lan'
                # TLS listener on 8443 (IPv4 and IPv6); default_server makes this
                # block answer requests that match no other server_name.
                listen 8443 ssl default_server;
                listen [::]:8443 ssl default_server;
                server_name _lan;
                # Contents not shown here; by its name it presumably limits access
                # to local addresses -- verify before relying on it.
                include restrict_locally;
                # Every *.locations file in conf.d is included inside this server block.
                include conf.d/*.locations;
                # Certificate and key presented to clients on 8443. A client that
                # does not trust this certificate (not in its trust store, or the
                # name/IP it connected to is not covered by the certificate) aborts
                # the handshake with a TLS alert. ssl_protocols / ssl_ciphers are
                # not set in this block, so nginx defaults apply unless an include
                # sets them.
                ssl_certificate /etc/sslcert/nginx_lan.crt;
                ssl_certificate_key /etc/sslcert/nginx_lan.key;
                ssl_session_cache shared:SSL:32k;
                ssl_session_timeout 64m;
                access_log /var/log/nginx/access_log.log openwrt;
                # "info" threshold: handshakes aborted by the client are logged at
                # [info], so they show up in this file; a threshold of "notice" or
                # above would leave them out.
                error_log /var/log/nginx/error_log.log info;
        }

        server { #see uci show 'nginx._redirect2ssl'
                # Plain-HTTP listener whose only job is to redirect to the TLS port.
                listen 8880;
                listen [::]:8880;
                server_name _redirect2ssl;
                # $host is taken from the request, so the redirect target follows
                # the host name the client sent.
                return 302 https://$host:8443$request_uri;
        }

  。。。。。。

        include conf.d/*.conf;
}

locations的目录结构

root@openwrt_d2550:~# ll /etc/nginx/conf.d/
drwxr-xr-x    1 root     root          4096 Mar 24 22:30 ./
drwxr-xr-x    1 root     root          4096 Mar 24 20:50 ../
-rw-------    1 root     root           653 Mar 24 19:24 luci.locations
-rw-------    1 root     root           553 Mar 24 19:24 luci.locations.bak
-rw-r--r--    1 root     root           441 Mar 24 22:30 reverse_proxy.locations
root@openwrt_d2550:~#

reverse_proxy.locations

root@openwrt_d2550:~# cat /etc/nginx/conf.d/reverse_proxy.locations
# Reverse-proxies /netdata/ to a service listening on the loopback interface.
# This location sets no access control of its own; whatever the server block
# that includes this file applies is what protects it.
location /netdata/ {
      # proxy_ssl_session_reuse on;
      # Pass the original host, client address and scheme on to the upstream.
      proxy_set_header Host                             $host;
      proxy_set_header X-Real-IP                        $remote_addr;
      proxy_set_header X-Forwarded-For                  $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto                $scheme;
      # Upstream is plain HTTP on 127.0.0.1:19999, so TLS ends at nginx. Because
      # the proxy_pass URL carries a URI part ("/"), the matched /netdata/ prefix
      # is replaced by "/" before the request is forwarded.
      proxy_pass       http://127.0.0.1:19999/;
      # return 302 https://$host:8443$request_uri;

}

luci.locations

root@openwrt_d2550:~# cat /etc/nginx/conf.d/luci.locations
# Prefix location: hands /cgi-bin/luci requests to uWSGI over a unix socket.
location /cgi-bin/luci {
                index  index.html;
                include uwsgi_params;
                uwsgi_param SERVER_ADDR $server_addr;
                uwsgi_modifier1 9;
                uwsgi_pass unix:////var/run/luci-webui.socket;
        # default_type "application/octet-stream";
        # default_type "text/html";
        # return 200 "haha";
}
# Regex location for the cgi-backup/download/upload/exec endpoints, served by a
# second uWSGI socket.
# NOTE(review): the pattern is unanchored, so it matches this substring anywhere
# in the URI, and regex locations are checked before the prefix match is used.
# Anchoring it with ^ would limit it to paths that begin with /cgi-bin/cgi-...
location ~ /cgi-bin/cgi-(backup|download|upload|exec) {
                include uwsgi_params;
                uwsgi_param SERVER_ADDR $server_addr;
                uwsgi_modifier1 9;
                uwsgi_pass unix:////var/run/luci-cgi_io.socket;
}

# Static assets: only "crit" and above are logged for this location, to stderr.
location /luci-static {
                error_log stderr crit;
}

# ubus_* directives are not core nginx; presumably they come from the OpenWrt
# ubus module and expose the ubus socket below over HTTP -- confirm which
# callers can reach /ubus.
location /ubus {
        ubus_interpreter;
        ubus_socket_path /var/run/ubus/ubus.sock;
        ubus_parallel_req 2;
}

证书

-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

虽然报错了,页面也还是能正常访问

img

img


  • 叼不起的烟斗 2022-03-25 09:59

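    访问地址需要和证书签发时填写的地址匹配;如果是自签证书,还需要向客户端系统内导入证书信息,不然也会报错不安全。日志中的 "sslv3 alert certificate unknown (SSL alert number 46)" 是客户端发给 nginx 的 TLS 告警,表示客户端不接受服务器出示的证书,所以 nginx 只把它记为 [info] 级别。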

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
