Nginx fails to verify the upstream certificate after a while

I'm running an nginx proxy server in front of a Wildfly application server. Both communicate over https. Nginx is configured to verify the signature of the upstream certificate:

    listen 443 ssl http2;
    server_name _;

    ssl_certificate_key /etc/nginx/ssl/private/ssl.key.pem;
    ssl_password_file /etc/nginx/ssl/private/ssl.key.passphrase.txt;

    proxy_ssl_verify on;
    proxy_ssl_trusted_certificate /tmp/chain.crt;
    proxy_ssl_verify_depth 10;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;

    proxy_buffering off;

    error_log /proc/self/fd/2;
    access_log /proc/self/fd/1;

    # some routes omitted

    location /orbis-4u/ {
        proxy_pass https://trrswv056.agfahealthcare.com:8843/orbis-4u/;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Port 443;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

Everything works fine for a few hours/days. After a random amount of time, nginx starts throwing verification errors:

    proxy | 2017/04/03 14:40:12 [debug] 12#12: epoll: fd:11 ev:0001 d:00007FEFC638EB60
    proxy | 2017/04/03 14:40:12 [debug] 12#12: timer delta: 8718
    proxy | 2017/04/03 14:40:12 [debug] 12#12: worker cycle
    proxy | 2017/04/03 14:40:12 [debug] 12#12: epoll timer: 13649
    proxy | 2017/04/03 14:40:12 [debug] 12#12: epoll: fd:17 ev:0004 d:00007FEFC638EA71
    proxy | 2017/04/03 14:40:12 [debug] 12#12: timer delta: 2
    proxy | 2017/04/03 14:40:12 [debug] 12#12: worker cycle
    proxy | 2017/04/03 14:40:12 [debug] 12#12: epoll timer: 13647
    proxy | 2017/04/03 14:40:12 [debug] 12#12: epoll: fd:17 ev:0005 d:00007FEFC638EA71
    proxy | 2017/04/03 14:40:12 [error] 12#12: *2424 upstream SSL certificate verify error: (19:self signed certificate in certificate chain) while SSL handshaking to upstream, client: 172.25.33.10, server: _, request: "GET /orbis-4u/application.wadl HTTP/2.0", upstream: "https://172.25.32.6:8843/orbis-4u/application.wadl", host: "trrsuv042.agfahealthcare.com", referrer: "https://trrsuv042.agfahealthcare.com/auth/realms/orbis/protocol/openid-connect/auth?response_type=code&client_id=orbis-u-webclient&redirect_uri=https%3A%2F%2Ftrrsuv042.agfahealthcare.com%2Forbis-4u%2Fapplication.wadl&state=e6df5055-c90f-44c4-8422-2a108a6241cc&login=true&scope=openid"
    proxy | 2017/04/03 14:40:12 [debug] 12#12: timer delta: 4
    proxy | 2017/04/03 14:40:12 [debug] 12#12: posted event 00007FEFC57314A0
    proxy | 2017/04/03 14:40:12 [debug] 12#12: worker cycle
    proxy | 2017/04/03 14:40:12 [debug] 12#12: epoll timer: 13643
    proxy | 172.25.33.10 - - [03/Apr/2017:14:40:12 +0200] "GET /orbis-4u/application.wadl HTTP/2.0" 502 640 "https://trrsuv042.agfahealthcare.com/auth/realms/orbis/protocol/openid-connect/auth?response_type=code&client_id=orbis-u-webclient&redirect_uri=https%3A%2F%2Ftrrsuv042.agfahealthcare.com%2Forbis-4u%2Fapplication.wadl&state=e6df5055-c90f-44c4-8422-2a108a6241cc&login=true&scope=openid" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36"
    proxy | 2017/04/03 14:40:12 [debug] 12#12: epoll: fd:11 ev:0001 d:00007FEFC638EB60
    proxy | 2017/04/03 14:40:12 [debug] 12#12: timer delta: 61
    proxy | 2017/04/03 14:40:12 [debug] 12#12: worker cycle
    proxy | 2017/04/03 14:40:12 [debug] 12#12: epoll timer: 13582
    proxy | 2017/04/03 14:40:12 [debug] 12#12: epoll: fd:17 ev:0004 d:00007FEFC638EA70
    proxy | 2017/04/03 14:40:12 [debug] 12#12: timer delta: 1
    proxy | 2017/04/03 14:40:12 [debug] 12#12: worker cycle
    proxy | 2017/04/03 14:40:12 [debug] 12#12: epoll timer: 13581
    proxy | 172.25.33.10 - - [03/Apr/2017:14:40:12 +0200] "GET /favicon.ico HTTP/2.0" 502 640 "https://trrsuv042.agfahealthcare.com/orbis-4u/application.wadl" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36"
    proxy | 2017/04/03 14:40:12 [debug] 12#12: epoll: fd:17 ev:0005 d:00007FEFC638EA70
    proxy | 2017/04/03 14:40:12 [error] 12#12: *2424 upstream SSL certificate verify error: (19:self signed certificate in certificate chain) while SSL handshaking to upstream, client: 172.25.33.10, server: _, request: "GET /favicon.ico HTTP/2.0", upstream: "https://172.25.32.6:8843/favicon.ico", host: "trrsuv042.agfahealthcare.com", referrer: "https://trrsuv042.agfahealthcare.com/orbis-4u/application.wadl"
    proxy | 2017/04/03 14:40:12 [debug] 12#12: timer delta: 4
    proxy | 2017/04/03 14:40:12 [debug] 12#12: posted event 00007FEFC57314A0
    proxy | 2017/04/03 14:40:12 [debug] 12#12: worker cycle
    proxy | 2017/04/03 14:40:12 [debug] 12#12: epoll timer: 13577

When I restart it, it works fine again (at least for a while). The /tmp/chain.crt file has the following content:

    -----BEGIN CERTIFICATE-----
    MIIFEjCCAvqgAwIBAgIFFIlIIwYwDQYJKoZIhvcNAQELBQAwITEfMB0GA1UEAwwW
    T1JCSVMtUk9PVC1DRVJUSUZJQ0FURTAeFw0xNzAzMTQwOTA2MjNaFw0yNzAzMTIw
    OTA2MjNaMA8xDTALBgNVBAMMBGRlbW8wggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAw
    ggIKAoICAQDAxGLoOeno8bl1sr1Qd/HZdM8kPHK4+WhAtJUmmFDZC/0QD/I0N/Bv
    fJmkyCctsM862qT+91edRy9xc8RAyIAgB2WrLypy+V/R3gbuaYFbZkGm7XnzTUlz
    yAOXIWETrnzxBuJkb+KzBJyjFBI+I9hrgRemXRaaP6FhePdcbmZCHpG2o9O5sWdc
    9UTSm381xGc6kdN+eOzF2i+CGcfD+Y4V811CWMWA+x+etoKbtzSV6qja2e4sIdHL
    cWdZrmqQp8Cwk0++1pcH0YAtKWjQzgIvD0T0/3yEticKlxfRTDHAvaoy21Shy98H
    KM1aB3pV1fylsMq6Am/xlF3SUO69Lzj1HBuV6OY/gFOruPGjEnFKbaTXZwlciu2a
    zlUQOdw3WpLObzaYkJOYvCuu63LoXDnxh1crcPo5AJkZUoGmgvpepVRwvxfmXQIC
    RxPkxjbLj+fdfJMYzv3bDq9vzmouv79fS4RUVumjSIAc65tCaxtalIqrCNjQ6uEn
    Lh6svLQxf9owLo029ZMvta7SCBjnDq3+Fv69qw/nXGnTfGKoTHijEUPyFjLIvSMe
    20yPS12TH+dJM9y/XR9INOh3w2gvX0hhjj1o7A5J2nWwtFfoXcKISTUVqrjWcT0H
    ciKPb926zvMPo/OIxGiRePKAxWpbL2NPpV0DzdmX7X2iDujnKz5ySQIDAQABo2Mw
    YTAdBgNVHQ4EFgQUeFB5oWJ0mUajCqbya/IdRhBDupcwHwYDVR0jBBgwFoAUKAzf
    IzKNEbK9Tc6sl+Z7az7HL0owDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC
    AYYwDQYJKoZIhvcNAQELBQADggIBACPpsChure7wT+IzkADkimXMWrWN1Ks+QIZe
    TsHs0Ots9QvdYzBbVBJrJPTBzutF+CVtIb5me65Kg8czSqpYpGWQjhP71wMK+AfH
    MGpYsQ5CnZtOiY+Fx5aphMDWN3N8liDUnqSj0P88BEFmFw9U5fXZ++LQ5KdwKxKr
    KZb67yjzpmfOD3fBWCccfSvb3hr0ruDirAvt7hRMu91OjIfyeLtSBsyO0VVL4qns
    7/AL+mZ8nUWqtresjL3U9lUwm5ma+sKOJW8Q6tTyCPhvhb26wT7xPgvuj8FWNj6M
    FJ+eTj/5k40X4CpGlCEkxh2XpTlWrHk2Zx7S+0DzLMZKnyYqz+sjFtzuuHAj6g0T
    3lYMorGI5LB3DLS70T51VQNSawqo46plVEMYxughLvB1z+FgW1U2XAKvGQzEFXhs
    +sEDL+kx/CFniqayPpMIBJnDzIKFWnSIxW6NNsyjx/QTFFU6MQKVh/VL6NtrnVg5
    +5SQaGMRGKUi8Ae1ppuL9PxxDXruZR2eggNwm4lDVY7XRb3dfU5VZee+MuF56uFu
    s1AX9Pu8CHfAjqg/GAY4ILyuikZkLmOlHr1JplV0df/X1Q6JIUKORCK96BRUIiF8
    4g3rrpliI8f3iwUkQmoM/Z1mxr7ZSNot4wub466DkzkI6rwpWDBYdBJUwHLRxK4J
    bqED5NWH
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    MIIFKDCCAxCgAwIBAgIJAKYi7UbJu/Z/MA0GCSqGSIb3DQEBCwUAMCExHzAdBgNV
    BAMMFk9SQklTLVJPT1QtQ0VSVElGSUNBVEUwHhcNMTcwMjE1MTAyNzE0WhcNMzcw
    MjEwMTAyNzE0WjAhMR8wHQYDVQQDDBZPUkJJUy1ST09ULUNFUlRJRklDQVRFMIIC
    IjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAzFOpEQts/BWsdPnw2gcMoUEG
    q3aoRKiNKPo3bu7BD8tyxS2rPjYDj3JOkmrwMQ/Ohm39Cp+dBS09FzgXSzxa8iKn
    VlkK5rENOZlDu1YXO5rKZcV/csMTF03RMEjGgAFlerA6iZt95VmJUllWoMN+MHgp
    TVQwlvqAfsbcCMODvW18VhVnRXfL8JeHFUAh1bO2qN+VBHGakIrY6ZIcU4tRNv3U
    hh2fi1lXTUUgVkoV9dfTK+aHfYDa2+2t86HwvQwt+8M3LxD22NBCuPg2KABwJlKe
    zu3tOqDtiOiOIABrSOSd5hRuzFvodvhkYDoag0fYKBYv55MFICtuiUXv1ROuuLJM
    MpjLyNWkxwPpGH97eYXRHNmPTgstHiEpV5xM0mGAn5csQh7CfHjAUqLPq3C3ZtP/
    5PwuUJwOimBR+hUVwgvvMRNlncJtwdEkv2fHWVNo7Hc7EH4ZBI+3pyQKuIQ4IZep
    EVRazt/P6DXd5s0ALIsZ5gTI+A0+cCl+3L3dLzBRnEs7yvIApuVw6Vgl1OggqnIv
    bkUVFulmSkCXgiJeSMqfHEFlt2VLReCsereK95AD9pPwDnnPVQCuZnuo6UAg3K1O
    EubusaquvpD7HnSu2j2xy0khD7mTfWVXqf3MldugiZ8spoD9uqUeVDHF3/NNO5Fd
    JManw4XiZ0veITCorecCAwEAAaNjMGEwHQYDVR0OBBYEFCgM3yMyjRGyvU3OrJfm
    e2s+xy9KMB8GA1UdIwQYMBaAFCgM3yMyjRGyvU3OrJfme2s+xy9KMA8GA1UdEwEB
    /wQFMAMBAf8wDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3DQEBCwUAA4ICAQDKCyN1
    4yOgjW9Yi6kuviwiYm4RJsUGsfB+Rh36BHGKgFk5N68DIpG1M1JJcEuzc2KfTILE
    8WltwxNGyxDg5rtFQ1M3aXioXhCoClPnSclL1VVIUyWQG8QPKFHHlra4INO5liuF
    UgoLFKrdRCcS4cHx2thZziOa6WK1nD67fMGCcTbfrnLg6rIm33hp71Mp8UrfkDnp
    JdZ3wlzq1+rykHPv8BL8gxATLe4717k4j2Mdee1dKYAvSuvaRgzbAVnnmanIb8wG
    wXlrclCs8fXiFdsQF36GCD5+TMqjWobxPWrSw7LLIW9+WFDpVSIRl41MrgUtwp8M
    m8ks0YIv84WkeH/TMk0P239gU9mEMJquxtoPJajbim5tgfHWzbz+svR18aHXPMG6
    5N+Jb/W/XwJcZpan1uqEBooyUvN2bPCROnSZRWRhrWkad5SOboY7NMliH6wli5ap
    YtCJqr+TEljg9uZhY0oTG8iC8Llo84l/umJrX2n4lU8xhZd3oSylcJNHCrWau7TL
    90/x9LleMkh6PbcIUJYqnoekiIIDhWdLeugJ/EC6InPGdmyR8DJNHvqPrFA6asVG
    wt2rgMvgBmQm+hj5ZA4bn68bW6TCnMW0uh9ReOJmTFWpBNdSJYrjZNm9SlknjjOZ
    imm1Jk0Q9/NGi7LY7M4YikHCiriIE5zE0UaZcQ==
    -----END CERTIFICATE-----

The upstream returns the correct certificate chain:

    openssl s_client -connect trrswv056.agfahealthcare.com:8843
    CONNECTED(00000003)
    depth=2 CN = ORBIS-ROOT-CERTIFICATE
    verify return:1
    depth=1 CN = demo
    verify return:1
    depth=0 CN = trrswv056.agfahealthcare.com
    verify return:1
    ---
    Certificate chain
     0 s:/CN=trrswv056.agfahealthcare.com
       i:/CN=demo
     1 s:/CN=demo
       i:/CN=ORBIS-ROOT-CERTIFICATE
     2 s:/CN=ORBIS-ROOT-CERTIFICATE
       i:/CN=ORBIS-ROOT-CERTIFICATE
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    MIIExDCCAqygAwIBAgICEAUwDQYJKoZIhvcNAQELBQAwDzENMAsGA1UEAwwEZGVt
    bzAeFw0xNzAzMDcwODI1MTJaFw0yNzAzMDUwODI1MTJaMCcxJTAjBgNVBAMMHHRy
    cnN3djA1Ni5hZ2ZhaGVhbHRoY2FyZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IB
    DwAwggEKAoIBAQCwdJ+Ab6yhhkVXNSuX6aI/mMkcPvDo6rslrRJxvCEvmBQOaTVt
    Cn29xby3B4MEBEDGpLQ8ihbJKnoQUxE50yfbb+XAu1b5T8Zg5Fo3mxQd6lp6otAC
    0Ff5pw9wH8TBLkF6iRKMVceremivC4yW9FwSUJIaci2yuld7YFebSOrOVVkbRG+4
    +ch6yXV/VVlape0u8wris9+fOsOGYV//Kj4BHw5iDCFO9bIefESsWj0eNxD/SYNP
    dnwFmk88ITCI3BXneG/Sz7g0RxWui+dzhhYtOIA/FMcLnkTJDmV988WqRSHVsBZS
    1vGfNuyceDZc1hFQLZOghGvP6TySf9oZwqUxAgMBAAGjggEQMIIBDDAJBgNVHRME
    AjAAMBEGCWCGSAGG+EIBAQQEAwIGQDAzBglghkgBhvhCAQ0EJhYkT3BlblNTTCBH
    ZW5lcmF0ZWQgU2VydmVyIENlcnRpZmljYXRlMB0GA1UdDgQWBBQ9Yxm91o8zsMY5
    aasQpIL61zGPVTBKBgNVHSMEQzBBgBQDxGBBTFAr9ji0cw46imHmY3GLMaElpCMw
    ITEfMB0GA1UEAwwWT1JCSVMtUk9PVC1DRVJUSUZJQ0FURYICEAUwDgYDVR0PAQH/
    BAQDAgWgMBMGA1UdJQQMMAoGCCsGAQUFBwMBMCcGA1UdEQQgMB6CHHRycnN3djA1
    Ni5hZ2ZhaGVhbHRoY2FyZS5jb20wDQYJKoZIhvcNAQELBQADggIBAMEVQ/3clniF
    8J0KV51iEifmCruntHDudRaam3Mr7CqOo1+1kG6pH6ECMg1nMICrO/LJnscXbN4h
    xDDWPEIEnWh0frQtmua4NABlAYQXY41JVBcajb0lvcGygop/kw4nxLSgySjd1jtZ
    5MFCLo2BLg/Wqfn64gvoF4oF63eC1Cfi9PxqrDqdI6Dp/UqChhB1Q60cZC4rVjwM
    o0uUW3X+g/Yy9ssA4X65d9KaJQSXBhTZO2yRKVZrjEEx3uSz49Touw/t6uRRl1o8
    oAsO/RcN/uZvRdP/9lXRcnBERxldVzWFOxv6QUwNbHIUwQmX4kg65W5MteKikp+q
    eX0YmB0HRKlNQHVoS/MqAufnMGX/ujIz+2WJFif0VsG1j5GoXJgPwMEwRLZNCjLG
    0SWMTMO56WRp1Me2KBCsohmNPC81Fr/xSfW86SOh1XaxQJmiBh/jOjLMVcFIXjk2
    yPvvjPjMqcC5NHyQ6NGStf4fYliBHTWrp3mLdStvElfMjrVzC5ykCEmrEFoGYPKo
    SiGJ2JyczNVgc0P/gPhWgFcUCM4f6o3yM+/BEM3Fnb4ZzaepYmj2DolVnPGE1POq
    al+kcmzru1eh3AHz+fqt+ZKdrvaXW0Tzv6SNwDqmAh2xgfUVROI3yq1KdtzkcuRE
    mEccxp95Zuath6FrCf31xPUo5GXxwVQl
    -----END CERTIFICATE-----
    subject=/CN=trrswv056.agfahealthcare.com
    issuer=/CN=demo
    ---
    No client certificate CA names sent
    Peer signing digest: SHA512
    Server Temp Key: ECDH, P-256, 256 bits
    ---
    SSL handshake has read 4337 bytes and written 433 bytes
    ---
    New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : ECDHE-RSA-AES128-GCM-SHA256
        Session-ID: 58E249C1A8D2311CDD1CE823EBD07E7E80855A7D40298581CFB0802503C868E3
        Session-ID-ctx:
        Master-Key: 7A3D1E88CC714B23EE93830B69534E3AA70BDBD2FB4FA6AC38D18622DC569CCF3993934352DE509F21A77A8CD7775BAB
        Key-Arg   : None
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        Start Time: 1491225025
        Timeout   : 300 (sec)
        Verify return code: 0 (ok)
    ---

The nginx version is 1.11.10, running in a Docker container (Alpine Linux).

My questions are:

  1. Why does nginx fail to verify my certificate after a while?
  2. Is there a way to debug this? I have turned on the debug log, as you can see... but it doesn't really help.
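An added example, not code from the original post and not the author's setup, for reproducing offline what nginx checks here. It builds a chain of the same shape as the one in the question (a self-signed root, a CA:TRUE intermediate with CN=demo, a server certificate) from throwaway keys and then runs the verification that `proxy_ssl_verify` performs, using `openssl verify`: only the file given as `proxy_ssl_trusted_certificate` is trusted, the certificates the upstream sends are untrusted helpers, and no system CA directory is consulted, because nginx loads none. OpenSSL error 19, the `self signed certificate in certificate chain` seen in the log, is what that check reports when the self-signed root the upstream sends is not in the trusted file; the block shows the passing case and that case side by side, and adds a key-identifier comparison because two intermediates can both be CN=demo and still be different keys. All names in it (ORBIS-ROOT-CERTIFICATE, demo, OTHER-ROOT, upstream.example) are constructed for the example and refer to no real host; it assumes `openssl` 1.1.0 or newer on PATH.

```shell
#!/bin/sh
# Added example, not code from the original post. Rebuilds a chain of the same
# shape as the one in the question (self-signed root -> CA:TRUE intermediate
# named "demo" -> server certificate) with throwaway keys, then runs the check
# nginx performs for proxy_ssl_verify with `openssl verify`.
# Assumptions: openssl 1.1.0 or newer on PATH. All names (ORBIS-ROOT-CERTIFICATE,
# demo, OTHER-ROOT, upstream.example) are constructed here; none is a real host.

WORK="${WORK:-$(mktemp -d)}"

# New RSA key plus CSR: $1 = file basename, $2 = CN.
new_csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
      -out "$WORK/$1.csr" -subj "/CN=$2" >/dev/null 2>&1
}

# Sign CSR $1 with CA cert $2 / key $3 under extension file $4, writing $5.
sign_csr() {
  openssl x509 -req -in "$WORK/$1" -CA "$WORK/$2" -CAkey "$WORK/$3" \
      -CAcreateserial -days 3650 -extfile "$WORK/$4" -out "$WORK/$5" >/dev/null 2>&1
}

# Build the PKI: root, "demo" intermediate, leaf; plus an unrelated root and a
# second intermediate that is also CN=demo but has a different key (a rotated one).
make_pki() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > "$WORK/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid\nsubjectAltName=DNS:upstream.example\n' > "$WORK/leaf.ext"
  new_csr root ORBIS-ROOT-CERTIFICATE && new_csr other OTHER-ROOT &&
  new_csr demo demo && new_csr demo2 demo && new_csr leaf upstream.example || return 1
  for r in root other; do   # self-signed roots
    openssl x509 -req -in "$WORK/$r.csr" -signkey "$WORK/$r.key" -days 3650 \
        -extfile "$WORK/ca.ext" -out "$WORK/$r.crt" >/dev/null 2>&1 || return 1
  done
  sign_csr demo.csr root.crt root.key ca.ext demo.crt &&
  sign_csr demo2.csr root.crt root.key ca.ext demo2.crt &&
  sign_csr leaf.csr demo.crt demo.key leaf.ext leaf.crt || return 1
  cat "$WORK/demo.crt" "$WORK/root.crt" > "$WORK/sent_chain.crt"  # what the upstream sends after the leaf
  cat "$WORK/demo.crt" "$WORK/root.crt" > "$WORK/chain_good.crt"  # a correct proxy_ssl_trusted_certificate
  cat "$WORK/other.crt" > "$WORK/chain_other.crt"                  # a trust file that lacks this root
}

# The verification nginx does for proxy_ssl_verify: only the trust file ($1)
# is trusted, the certificates the peer sent ($2) are untrusted helpers, and
# no system CA directory is consulted (nginx loads none). Prints OK or the
# numeric X509 error, e.g. 19 for "self signed certificate in certificate chain".
verify_as_nginx() {
  out=$(openssl verify -no-CApath -CAfile "$1" -untrusted "$2" "$WORK/leaf.crt" 2>&1 || true)
  case $out in
    *": OK"*) echo OK ;;
    *) printf '%s\n' "$out" | sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1 ;;
  esac
}

# Key identifier of certificate $1: $2 is Subject (its SKI) or Authority (its AKI).
key_id() {
  openssl x509 -in "$1" -noout -text | grep -A1 "X509v3 $2 Key Identifier" |
      tail -n 1 | tr -d ' ' | sed 's/^keyid://'
}

# True if $2 holds the key that signed $1. Matches on the key id, not the CN:
# two intermediates can both be "CN=demo" and still not be the same issuer.
issued_by() {
  aki=$(key_id "$1" Authority)
  [ -n "$aki" ] && [ "$aki" = "$(key_id "$2" Subject)" ]
}

# Stand-alone run: the good trust file, a trust file without this root, and the
# key-id check against the real and the rotated intermediate.
run_checks() {
  make_pki || return 1
  echo "trust file = demo + root:    $(verify_as_nginx "$WORK/chain_good.crt" "$WORK/sent_chain.crt")"
  echo "trust file = unrelated root: $(verify_as_nginx "$WORK/chain_other.crt" "$WORK/sent_chain.crt")"
  issued_by "$WORK/leaf.crt" "$WORK/demo.crt"  && echo "demo.crt signed leaf.crt"
  issued_by "$WORK/leaf.crt" "$WORK/demo2.crt" || echo "demo2.crt is also CN=demo but did not sign leaf.crt"
}

run_checks
```

`verify_as_nginx` takes the trust file and the peer-sent chain as files, so a real `proxy_ssl_trusted_certificate` can be checked the same way against a chain captured with `openssl s_client -showcerts`. nginx reads the trusted file once, when the configuration is loaded, so a restart picks up whatever the file contains at that moment; when a verification that passed at startup starts failing, comparing the file the running nginx loaded with what the upstream serves now, by key identifier rather than by subject name, is the first thing to do.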