LawssssCat
2022-03-24 22:53

nginx https error_log日志:SSL_do_handshake() failed SSL: error:14094416 routines:ssl3_read_bytes:sslv3

nginx https error_log debug 日志:SSL_do_handshake() failed (SSL: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:SSL alert number 46)

基本功能就是反向代理,8443端口识别各种location做proxy_pass

但是,今天不知道为什么,发现nginx错误日志error_log里面全是这个错误

2022/03/24 22:31:53 [info] 19881#0: *183 SSL_do_handshake() failed (SSL: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:SSL alert number 46) while SSL handshaking, client: 192.168.1.10, server: 0.0.0.0:8443

网上看了各种解决方法,试了没用。

从原理入手,但也搞不懂https是怎么握手的,有哪些握手错误。

大家帮忙看看,找找什么问题
(至少告诉我这个错误是什么意思,好让我有解决的思路)

访问链接:https://192.168.1.1:8443/netdata/

下面是nginx的配置

# This file is re-created when Nginx starts.
# Consider using UCI or creating files in /etc/nginx/conf.d/ for configuration.
# Parsing UCI configuration is skipped if uci set nginx.global.uci_enable=false
# For details see: https://openwrt.org/docs/guide-user/services/webserver/nginx

# Main-context settings of the generated nginx.conf.

# "auto" lets nginx pick the worker count from the detected CPU cores.
worker_processes auto;

# NOTE(review): worker processes run as root, so a flaw in request handling is
# not contained by an unprivileged account. The header of this file says it is
# re-created when nginx starts, so a change here would have to be made through
# UCI or the template rather than by editing this file.
user root;

# Empty block: no event-loop tuning, nginx defaults apply.
events {}

# HTTP context: one TLS listener on 8443 that pulls in the *.locations files,
# and one plain-HTTP listener on 8880 that only redirects to it.
http {

        # Access logging is off by default; the 8443 server below turns it back on.
        access_log off; # logd openwrt
        log_format openwrt
                '$request_method $scheme://$host$request_uri => $status'
                ' (${body_bytes_sent}B in ${request_time}s) <- $http_referer';

        include mime.types;
        default_type application/octet-stream;
        sendfile on;

        # Request bodies up to 128M are accepted; request headers are limited to
        # two buffers of 1k each.
        client_max_body_size 128M;
        large_client_header_buffers 2 1k;

        gzip on;
        gzip_vary on;
        gzip_proxied any;

        root /www;

        server { #see uci show 'nginx._lan'
                listen 8443 ssl default_server;
                listen [::]:8443 ssl default_server;
                server_name _lan;
                # NOTE(review): restrict_locally is not shown on this page; presumably it
                # limits which client addresses may connect - confirm its contents, since
                # every location included below relies on it.
                include restrict_locally;
                include conf.d/*.locations;
                # Certificate and key presented to clients during the handshake. A
                # "certificate unknown" alert in error_log is the client's verdict on
                # this certificate.
                # NOTE(review): no ssl_protocols / ssl_ciphers directive is visible in this
                # server block, so nginx's built-in defaults apply unless an included
                # file sets them - confirm.
                ssl_certificate /etc/sslcert/nginx_lan.crt;
                ssl_certificate_key /etc/sslcert/nginx_lan.key;
                ssl_session_cache shared:SSL:32k;
                ssl_session_timeout 64m;
                access_log /var/log/nginx/access_log.log openwrt;
                # "info" level is what makes failed handshakes show up as [info] lines.
                error_log /var/log/nginx/error_log.log info;
        }

        server { #see uci show 'nginx._redirect2ssl'
                listen 8880;
                listen [::]:8880;
                server_name _redirect2ssl;
                # NOTE(review): $host comes from the request (request line or Host header),
                # so the redirect target host is whatever the client supplied.
                return 302 https://$host:8443$request_uri;
        }

  。。。。。。

        include conf.d/*.conf;
}

locations的目录结构

root@openwrt_d2550:~# ll /etc/nginx/conf.d/
drwxr-xr-x    1 root     root          4096 Mar 24 22:30 ./
drwxr-xr-x    1 root     root          4096 Mar 24 20:50 ../
-rw-------    1 root     root           653 Mar 24 19:24 luci.locations
-rw-------    1 root     root           553 Mar 24 19:24 luci.locations.bak
-rw-r--r--    1 root     root           441 Mar 24 22:30 reverse_proxy.locations
root@openwrt_d2550:~#

reverse_proxy.locations

root@openwrt_d2550:~# cat /etc/nginx/conf.d/reverse_proxy.locations
# Reverse-proxies /netdata/ to a service on loopback port 19999 (presumably
# Netdata, going by the path - confirm). The upstream hop is plain HTTP on
# 127.0.0.1; TLS, if any, is handled by the server block that includes this file.
# NOTE(review): no auth or allow/deny directive appears in this block, so access
# control depends entirely on the enclosing server block - confirm.
location /netdata/ {
      # proxy_ssl_session_reuse on;
      proxy_set_header Host                             $host;
      proxy_set_header X-Real-IP                        $remote_addr;
      # $proxy_add_x_forwarded_for appends the client address to any
      # X-Forwarded-For header the client already sent, so the upstream should
      # not trust the leading entries.
      proxy_set_header X-Forwarded-For                  $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto                $scheme;
      # proxy_pass carries a URI ("/"), so the matched /netdata/ prefix is
      # replaced by "/" before the request is forwarded.
      proxy_pass       http://127.0.0.1:19999/;
      # return 302 https://$host:8443$request_uri;

}

luci.locations

root@openwrt_d2550:~# cat /etc/nginx/conf.d/luci.locations
# Hands requests under /cgi-bin/luci to the uwsgi backend on the luci-webui
# UNIX socket.
location /cgi-bin/luci {
                index  index.html;
                include uwsgi_params;
                # Pass the local address that accepted the connection to the backend.
                uwsgi_param SERVER_ADDR $server_addr;
                # modifier1 value sent in the uwsgi packet header; presumably selects
                # the CGI handler on the uwsgi side - confirm against the uwsgi config.
                uwsgi_modifier1 9;
                uwsgi_pass unix:////var/run/luci-webui.socket;
        # default_type "application/octet-stream";
        # default_type "text/html";
        # return 200 "haha";
}
# Sends the cgi-backup / cgi-download / cgi-upload / cgi-exec paths to a separate
# uwsgi backend on the luci-cgi_io UNIX socket.
# NOTE(review): the regex has no ^ anchor, so it matches this pattern anywhere in
# the URI, not only at the start. Nothing in this block authenticates the
# caller; presumably the backend does - confirm, given what the names suggest
# these endpoints do.
location ~ /cgi-bin/cgi-(backup|download|upload|exec) {
                include uwsgi_params;
                uwsgi_param SERVER_ADDR $server_addr;
                uwsgi_modifier1 9;
                uwsgi_pass unix:////var/run/luci-cgi_io.socket;
}

# Requests under /luci-static get no handler of their own; the block only changes
# error logging so that messages of level crit and above go to stderr.
location /luci-static {
                error_log stderr crit;
}

# Exposes /ubus through the ubus_* directives, which come from an add-on module
# rather than stock nginx, and points them at the local ubus socket.
# NOTE(review): presumably this forwards HTTP requests to the ubus RPC bus and
# ubus_parallel_req caps concurrent calls per request - confirm against the
# module documentation. No access control is visible in this block.
location /ubus {
        ubus_interpreter;
        ubus_socket_path /var/run/ubus/ubus.sock;
        ubus_parallel_req 2;
}

证书

-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

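虽然报错了,页面也还是能正常访问。(补充说明:这条日志是 [info] 级别;`ssl3_read_bytes` 表示该告警是 nginx 从客户端读到的,alert 46 即 certificate_unknown,也就是客户端不接受服务器出示的证书(例如自签名证书、证书未被客户端信任),因此某一次握手被客户端中止并不妨碍之后的访问成功。日志里的 "sslv3 alert" 只是 OpenSSL 错误串的命名,不代表协商的协议是 SSLv3。排查时可核对证书的签发者、有效期,以及 SAN 是否包含访问时使用的 192.168.1.1。)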

img

img
