Certbot SSL_do_handshake() failed: solution?
Hi all! I have an EC2 instance on AWS (Ubuntu) running a Flask app and a MySQL server. I have a domain registered (at rackhost.hu) and I requested a cert from certbot. Nginx and gunicorn are on the machine.
The problem is the following:
After a restart everything works perfectly for about 1 hour. After that Flask throws an
Internal Server Error ON EVERY POST REQUEST; GET REQUESTS WORK FINE AS FAR AS I KNOW. This is in the nginx error.log file:
2023/12/27 03:15:31 [crit] 1360#1360: *808 SSL_do_handshake() failed (SSL: error:0A00006C:SSL routines::bad key share) while SSL handshaking, client: 212.102.40.218, server: 0.0.0.0:443
The error.log is full of these. I can't reach the website either when this happens. As I said, a sudo reboot solves the problem for about 1-3 hours. I found nothing on the internet that would help. I asked on Stack Overflow too, but nothing. Maybe there are smarter people here :)
The videos left out a
sudo apt upgrade
command (this is what performs the actual upgrade), although it probably isn't causing the problem anyway
What is in the logs of the certbot services? Does it renew the cert twice a day?
Could you maybe try adding these two lines to the nginx conf (inside the http block):
ssl_protocols TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on;
Anyway, what does the nginx conf look like after certbot's modification?
I entered this: sudo cat /var/log/letsencrypt/letsencrypt.log
Result:
2024-01-03 01:09:04,816:DEBUG:urllib3.connectionpool: http://localhost:None "GET /v2/connections?snap=certbot&interface=content HTTP/1.1" 200 97
2024-01-03 01:09:05,816:DEBUG:certbot._internal.main:certbot version: 2.8.0
2024-01-03 01:09:05,817:DEBUG:certbot._internal.main:Location of certbot entry point: /snap/certbot/3566/bin/certbot
2024-01-03 01:09:05,817:DEBUG:certbot._internal.main:Arguments: ['-q', '--preconfigured-renewal']
2024-01-03 01:09:05,817:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2024-01-03 01:09:05,866:DEBUG:certbot._internal.log:Root logging level set at 40
2024-01-03 01:09:05,870:DEBUG:certbot._internal.display.obj:Notifying user: Processing /etc/letsencrypt/renewal/logs.appflix.hu.conf
2024-01-03 01:09:05,873:DEBUG:certbot._internal.plugins.selection:Requested authenticator None and installer None
2024-01-03 01:09:05,873:DEBUG:certbot._internal.plugins.selection:Requested authenticator None and installer None
2024-01-03 01:09:05,934:DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): r3.o.lencr.org:80
2024-01-03 01:09:05,966:DEBUG:urllib3.connectionpool: [link] "POST / HTTP/1.1" 200 503
2024-01-03 01:09:05,969:DEBUG:certbot.ocsp:OCSP response for certificate /etc/letsencrypt/archive/logs.appflix.hu/cert1.pem is signed by the certificate's issuer.
2024-01-03 01:09:05,970:DEBUG:certbot.ocsp:OCSP certificate status for /etc/letsencrypt/archive/logs.appflix.hu/cert1.pem is: OCSPCertStatus.GOOD
2024-01-03 01:09:05,978:DEBUG:certbot._internal.display.obj:Notifying user: Certificate not yet due for renewal
2024-01-03 01:09:05,980:DEBUG:certbot._internal.plugins.selection:Requested authenticator nginx and installer nginx
2024-01-03 01:09:05,981:DEBUG:certbot._internal.plugins.selection:Selecting plugin: * nginx
Description: Nginx Web Server plugin
Interfaces: Authenticator, Installer, Plugin
Entry point: EntryPoint(name='nginx', value='certbot_nginx._internal.configurator:NginxConfigurator', group='certbot.plugins')
Initialized: <certbot_nginx._internal.configurator.NginxConfigurator object at 0x7fc123afefd0>
2024-01-03 01:09:05,982:DEBUG:certbot._internal.display.obj:Notifying user:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2024-01-03 01:09:05,983:DEBUG:certbot._internal.display.obj:Notifying user: The following certificates are not due for renewal yet:
2024-01-03 01:09:05,983:DEBUG:certbot._internal.display.obj:Notifying user: /etc/letsencrypt/live/logs.appflix.hu/fullchain.pem expires on 2024-04-01 (skipped)
2024-01-03 01:09:05,983:DEBUG:certbot._internal.display.obj:Notifying user: No renewals were attempted.
2024-01-03 01:09:05,983:DEBUG:certbot._internal.display.obj:Notifying user: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2024-01-03 01:09:05,984:DEBUG:certbot._internal.renewal:no renewal failures
Sorry, it's very long. I entered this: sudo journalctl -u certbot
The result for that: -- No entries --
Nginx config: sudo cat /etc/nginx/sites-available/default
upstream flaskapp {
    server 127.0.0.1:8000;
}
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    # SSL configuration
    #
    # listen 443 ssl default_server;
    # listen [::]:443 ssl default_server;
    #
    # Note: You should disable gzip for SSL traffic.
    # See: [link]
    #
    # Read up on ssl_ciphers to ensure a secure configuration.
    # See: [link]
    #
    # Self signed certs generated by the ssl-cert package
    # Don't use them in a production server!
    #
    # include snippets/snakeoil.conf;
    root /var/www/html;
    # Add index.php to the list if you are using PHP
    index index.html index.htm index.nginx-debian.html;
    server_name _;
    location / {
        # First attempt to serve request as file, then
        # as directory, then fall back to displaying a 404.
        proxy_pass http://flaskapp;
    }
    # pass PHP scripts to FastCGI server
    #
    #location ~ \.php$ {
    #    include snippets/fastcgi-php.conf;
    #
    #    # With php-fpm (or other unix sockets):
    #    fastcgi_pass unix:/run/php/php7.4-fpm.sock;
    #    # With php-cgi (or other tcp sockets):
    #    fastcgi_pass 127.0.0.1:9000;
    #}
    # deny access to .htaccess files, if Apache's document root
    # concurs with nginx's one
    #
    #location ~ /\.ht {
    #    deny all;
    #}
}
# Virtual Host configuration for example.com
#
# You can move that to a different file under sites-available/ and symlink that
# to sites-enabled/ to enable it.
#
#server {
# listen 80;
# listen [::]:80;
#
# server_name example.com;
#
# root /var/www/example.com;
# index index.html;
#
# location / {
# try_files $uri $uri/ =404;
# }
#}
server {
    # SSL configuration
    #
    # listen 443 ssl default_server;
    # listen [::]:443 ssl default_server;
    #
    # Note: You should disable gzip for SSL traffic.
    # See: [link]
    #
    # Read up on ssl_ciphers to ensure a secure configuration.
    # See: [link]
    #
    # Self signed certs generated by the ssl-cert package
    # Don't use them in a production server!
    #
    # include snippets/snakeoil.conf;
    root /var/www/html;
    # Add index.php to the list if you are using PHP
    index index.html index.htm index.nginx-debian.html;
    server_name logs.appflix.hu; # managed by Certbot
    location / {
        # First attempt to serve request as file, then
        # as directory, then fall back to displaying a 404.
        proxy_pass http://flaskapp;
    }
    # pass PHP scripts to FastCGI server
    #
    #location ~ \.php$ {
    #    include snippets/fastcgi-php.conf;
    #
    #    # With php-fpm (or other unix sockets):
    #    fastcgi_pass unix:/run/php/php7.4-fpm.sock;
    #    # With php-cgi (or other tcp sockets):
    #    fastcgi_pass 127.0.0.1:9000;
    #}
    # deny access to .htaccess files, if Apache's document root
    # concurs with nginx's one
    #
    #location ~ /\.ht {
    #    deny all;
    #}
    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/logs.appflix.hu/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/logs.appflix.hu/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
    if ($host = logs.appflix.hu) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    listen 80 ;
    listen [::]:80 ;
    server_name logs.appflix.hu;
    return 404; # managed by Certbot
}
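Added example, not part of the thread above: a small Python script that tallies the SSL_do_handshake() failures in an nginx error.log by OpenSSL reason and by client address, to show whether the entries come from a handful of clients or from everyone. These failures are logged during the TLS handshake, before any HTTP request is sent on that connection. Only the first sample line is quoted from the question; the others, including their addresses and connection ids, are constructed.

```python
import re
from collections import Counter

# nginx error_log line for a failed TLS handshake (format as in the question).
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\] \d+#\d+: "
    r"(?:\*\d+ )?SSL_do_handshake\(\) failed \(SSL: (?P<errors>.*)\) "
    r"while SSL handshaking, client: (?P<client>[^,\s]+), server: (?P<server>\S+)"
)
# OpenSSL error string: error:<hex code>:<library>:<function>:<reason>
REASON_RE = re.compile(r"error:[0-9A-Fa-f]+:[^:]*:[^:]*:(?P<reason>.+?)(?= error:|$)")

# First line is the one quoted in the question; the rest are constructed
# samples (documentation-range client addresses, made-up connection ids).
SAMPLE_LOG = """\
2023/12/27 03:15:31 [crit] 1360#1360: *808 SSL_do_handshake() failed (SSL: error:0A00006C:SSL routines::bad key share) while SSL handshaking, client: 212.102.40.218, server: 0.0.0.0:443
2023/12/27 03:15:32 [crit] 1360#1360: *809 SSL_do_handshake() failed (SSL: error:0A00006C:SSL routines::bad key share) while SSL handshaking, client: 192.0.2.10, server: 0.0.0.0:443
2023/12/27 03:15:40 [crit] 1360#1360: *810 SSL_do_handshake() failed (SSL: error:0A00006C:SSL routines::bad key share) while SSL handshaking, client: 192.0.2.10, server: 0.0.0.0:443
2023/12/27 03:16:02 [info] 1360#1360: *811 SSL_do_handshake() failed (SSL: error:0A000102:SSL routines::unsupported protocol) while SSL handshaking, client: 198.51.100.7, server: 0.0.0.0:443
2023/12/27 03:20:02 [error] 1360#1360: *812 connect() failed (111: Connection refused) while connecting to upstream, client: 192.0.2.10, server: logs.appflix.hu
""".splitlines()


def parse_handshake_failures(lines):
    """Yield a dict per handshake failure; any other log line is skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m is None:
            continue
        reasons = [r["reason"].strip() for r in REASON_RE.finditer(m["errors"])]
        yield {"ts": m["ts"], "level": m["level"], "client": m["client"],
               "server": m["server"], "reasons": reasons or ["unknown"]}


def summarize(lines):
    """Count failures per OpenSSL reason and per client address."""
    by_reason, by_client = Counter(), Counter()
    for event in parse_handshake_failures(lines):
        by_reason.update(event["reasons"])
        by_client[event["client"]] += 1
    return by_reason, by_client


if __name__ == "__main__":
    by_reason, by_client = summarize(SAMPLE_LOG)
    for key, count in (by_reason + by_client).most_common():
        print(f"{count:5d}  {key}")
```

To run it against a real log, pass an open file handle (for example the server's error.log) to summarize() instead of SAMPLE_LOG.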