SSL证书生成成功但是无法访问
1、chrome访问提示This site can’t provide a secure connectionxxx.com sent an invalid response.ERR_SSL_PROTOCOL_ERROR\2、运行openssl s_client -connect 域名:443 错误如下:
你自己写的配置文件还是自动生成的?自己写的配置贴出来看看,自动生成的话是否改动过? 本帖最后由 reecho 于 2019-6-1 06:29 编辑
nginx.conf
--------------------------------------------------------
userwww www;
worker_processes auto;
error_log/home/wwwlogs/nginx_error.logcrit;
pid /usr/local/nginx/logs/nginx.pid;
#Specifies the value for maximum file descriptors that can be opened by this process.
worker_rlimit_nofile 51200;
events
{
use epoll;
worker_connections 51200;
multi_accept on;
}
http
{
include mime.types;
default_typeapplication/octet-stream;
server_names_hash_bucket_size 128;
client_header_buffer_size 32k;
large_client_header_buffers 4 32k;
client_max_body_size 50m;
sendfile on;
tcp_nopush on;
keepalive_timeout 60;
tcp_nodelay on;
fastcgi_connect_timeout 300;
fastcgi_send_timeout 300;
fastcgi_read_timeout 300;
fastcgi_buffer_size 64k;
fastcgi_buffers 4 64k;
fastcgi_busy_buffers_size 128k;
fastcgi_temp_file_write_size 256k;
gzip on;
gzip_min_length1k;
gzip_buffers 4 16k;
gzip_http_version 1.1;
gzip_comp_level 2;
gzip_types text/plain application/javascript application/x-javascript text/javascript text/css application/xml application/xml+rss;
gzip_vary on;
gzip_proxied expired no-cache no-store private auth;
gzip_disable "MSIE \.";
#limit_conn_zone $binary_remote_addr zone=perip:10m;
##If enable limit_conn_zone,add "limit_conn perip 10;" to server section.
server_tokens off;
#log format
log_formataccess'$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" $http_x_forwarded_for';
access_log off;
server
{
listen 80 default_server;
#listen [::]:80 default_server ipv6only=on;
server_name www.lnmp.org;
index index.html index.htm index.php;
root/home/wwwroot;
#error_page 404 /404.html;
include enable-php.conf;
location /nginx_status
{
stub_status on;
access_log off;
}
location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
{
expires 30d;
}
location ~ .*\.(js|css)?$
{
expires 12h;
}
location ~ /.well-known
{
allow all;
}
location ~ /\.
{
deny all;
}
access_log/home/wwwlogs/access.logaccess;
}
include vhost/*.conf;
}
--------------------------------------------------
xxxxx.com.conf
---------------------------------------------------server
{
listen 443 http2;
ssl on;
ssl_certificate /usr/local/nginx/conf/ssl/xxxxxx.com/xxxxxx.com.cer;
ssl_certificate_key /usr/local/nginx/conf/ssl/xxxxxx.com/xxxxxx.com.key;
ssl_session_timeout 5m;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
#ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
server_name xxxxxx.com ;
index index.html index.htm index.php default.html default.htm default.php;
root/home/wwwroot/xxxxxx.com;
include exmuseum.conf;
#error_page 404 /404.html;
location ~ [^/]\.php(/|$)
{
# comment try_files $uri =404; to enable pathinfo
try_files $uri =404;
fastcgi_passunix:/tmp/php-cgi.sock;
fastcgi_index index.php;
include fastcgi.conf;
#include pathinfo.conf;
}
location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
{
expires 30d;
}
location ~ .*\.(js|css)?$
{
expires 12h;
}
access_log off;
}
军哥,有空帮忙看看。
licess 发表于 2019-5-31 09:25
你自己写的配置文件还是自动生成的?自己写的配置贴出来看看,自动生成的话是否改动过? ...
基本无修改,nginx.conf 和 xxxxx.com.conf配置如下
nginx.conf
--------------------------------------------------------
userwww www;
worker_processes auto;
error_log/home/wwwlogs/nginx_error.logcrit;
pid /usr/local/nginx/logs/nginx.pid;
#Specifies the value for maximum file descriptors that can be opened by this process.
worker_rlimit_nofile 51200;
events
{
use epoll;
worker_connections 51200;
multi_accept on;
}
http
{
include mime.types;
default_typeapplication/octet-stream;
server_names_hash_bucket_size 128;
client_header_buffer_size 32k;
large_client_header_buffers 4 32k;
client_max_body_size 50m;
sendfile on;
tcp_nopush on;
keepalive_timeout 60;
tcp_nodelay on;
fastcgi_connect_timeout 300;
fastcgi_send_timeout 300;
fastcgi_read_timeout 300;
fastcgi_buffer_size 64k;
fastcgi_buffers 4 64k;
fastcgi_busy_buffers_size 128k;
fastcgi_temp_file_write_size 256k;
gzip on;
gzip_min_length1k;
gzip_buffers 4 16k;
gzip_http_version 1.1;
gzip_comp_level 2;
gzip_types text/plain application/javascript application/x-javascript text/javascript text/css application/xml application/xml+rss;
gzip_vary on;
gzip_proxied expired no-cache no-store private auth;
gzip_disable "MSIE \.";
#limit_conn_zone $binary_remote_addr zone=perip:10m;
##If enable limit_conn_zone,add "limit_conn perip 10;" to server section.
server_tokens off;
#log format
log_formataccess'$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" $http_x_forwarded_for';
access_log off;
server
{
listen 80 default_server;
#listen [::]:80 default_server ipv6only=on;
server_name www.lnmp.org;
index index.html index.htm index.php;
root/home/wwwroot;
#error_page 404 /404.html;
include enable-php.conf;
location /nginx_status
{
stub_status on;
access_log off;
}
location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
{
expires 30d;
}
location ~ .*\.(js|css)?$
{
expires 12h;
}
location ~ /.well-known
{
allow all;
}
location ~ /\.
{
deny all;
}
access_log/home/wwwlogs/access.logaccess;
}
include vhost/*.conf;
}
--------------------------------------------------
xxxxx.com.conf
---------------------------------------------------server
{
listen 443 http2;
ssl on;
ssl_certificate /usr/local/nginx/conf/ssl/xxxxxx.com/xxxxxx.com.cer;
ssl_certificate_key /usr/local/nginx/conf/ssl/xxxxxx.com/xxxxxx.com.key;
ssl_session_timeout 5m;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
#ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
server_name xxxxxx.com ;
index index.html index.htm index.php default.html default.htm default.php;
root/home/wwwroot/xxxxxx.com;
include exmuseum.conf;
#error_page 404 /404.html;
location ~ [^/]\.php(/|$)
{
# comment try_files $uri =404; to enable pathinfo
try_files $uri =404;
fastcgi_passunix:/tmp/php-cgi.sock;
fastcgi_index index.php;
include fastcgi.conf;
#include pathinfo.conf;
}
location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
{
expires 30d;
}
location ~ .*\.(js|css)?$
{
expires 12h;
}
access_log off;
}
军哥,有空帮忙看看。 reecho 发表于 2019-6-1 06:32
基本无修改,nginx.conf 和 xxxxx.com.conf配置如下
nginx.conf
你这还叫基本无修改啊
开ssl啥最重要,肯定是ssl,只写个http2不带ssl啥用不管
再次再次再次强调不会自己写配置或不是太明白不要自己修改,直接 lnmp vhost add 生成配置文件 licess 发表于 2019-6-1 10:03
你这还叫基本无修改啊
开ssl啥最重要,肯定是ssl,只写个http2不带ssl啥用不管
因之前用 lnmp ssh add命令增加过,想用lnmp vhost add重新生成,于是用acme.sh 对自己域名用了revoke remove等命令
添加的时候acme.sh.log错误如下:
_main_domain='exmuseum.com'
_alt_domains='no'
Using config home:/usr/local/acme.sh
ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
DOMAIN_PATH='/usr/local/nginx/conf/ssl/exmuseum.com'
Using ACME_DIRECTORY: https://acme-v02.api.letsencrypt.org/directory
_init api for server: https://acme-v02.api.letsencrypt.org/directory
GET
url='https://acme-v02.api.letsencrypt.org/directory'
timeout=
_CURL='curl -L --silent --dump-header /usr/local/acme.sh/http.header-g '
ret='0'
ACME_KEY_CHANGE='https://acme-v02.api.letsencrypt.org/acme/key-change'
ACME_NEW_AUTHZ
ACME_NEW_ORDER='https://acme-v02.api.letsencrypt.org/acme/new-order'
ACME_NEW_ACCOUNT='https://acme-v02.api.letsencrypt.org/acme/new-acct'
ACME_REVOKE_CERT='https://acme-v02.api.letsencrypt.org/acme/revoke-cert'
ACME_AGREEMENT='https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf'
ACME_NEW_NONCE='https://acme-v02.api.letsencrypt.org/acme/new-nonce'
ACME_VERSION='2'
Le_NextRenewTime
_on_before_issue
_chk_main_domain='exmuseum.com'
_chk_alt_domains
Le_LocalAddress
d='exmuseum.com'
Check for domain='exmuseum.com'
_currentRoot='/home/wwwroot/exmuseum.com'
d
_saved_account_key_hash is not changed, skip register account.
Read key length:
_createcsr
Single domain='exmuseum.com'
Getting domain auth token for each domain
d
url='https://acme-v02.api.letsencrypt.org/acme/new-order'
payload='{"identifiers": [{"type":"dns","value":"exmuseum.com"}]}'
RSA key
HEAD
_post_url='https://acme-v02.api.letsencrypt.org/acme/new-nonce'
_CURL='curl -L --silent --dump-header /usr/local/acme.sh/http.header-g '
_ret='0'
POST
_post_url='https://acme-v02.api.letsencrypt.org/acme/new-order'
_CURL='curl -L --silent --dump-header /usr/local/acme.sh/http.header-g '
_ret='0'
code='429'
Le_LinkOrder
Le_OrderFinalize
Create new order error. Le_OrderFinalize not found. {
"type": "urn:ietf:params:acme:error:rateLimited",
"detail": "Error creating new order :: too many certificates already issued for exact set of domains: exmuseum.com: see https://letsencrypt.org/docs/rate-limits/",
"status": 429
}
pid
No need to restore nginx, skip.
_clearupdns
dns_entries
skip dns.
_on_issue_err
Please check log file for more details: /usr/local/acme.sh/acme.sh.log "detail": "Error creating new order :: too many certificates already issued for exact set of domains: exmuseum.com: see https://letsencrypt.org/docs/rate-limits/",
超了官网限制,这个没办法解决,唯一就是等到时间自动解禁 谢谢军哥
页:
[1]