最近使用了acme.sh 生产了 Let's Encrypt 的https 证书,但是在实际服务器上测试遇到如下问题
$ curl "https://www.aaa.com"
如下错误
curl: (60) Peer's Certificate issuer is not recognized.
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option
最开始我还以为是我服务器配置哪里出错了。后来测试了下其他国内的域名都可以访问,我就想到应该是https证书配置这块问题。后来查询了一些资料是我自己nginx 关于https配置不对导致的
server {
listen 443 ssl;
ssl_certificate /home/www/.acme.sh/xxxxx/xxxx.cer;
ssl_certificate_key /home/www/.acme.sh/xxxxx/xxxx.key;
ssl_session_timeout 5m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA;
ssl_session_cache shared:SSL:50m;
}
其中
ssl_certificate /home/www/.acme.sh/xxxxx/xxxx.cer; 错误
ssl_certificate /home/www/.acme.sh/xxxxx/fullchain.cer; 正确
不错
回复 @ apanly: 非常不错