Simon, it looks like you know the situation described in this post. There is no problem with the configuration; it seems to be nginx behaviour. Also, there may be problems with Let's Encrypt OCSP.
We have been seeing a few errors over the last few days similar to this one in our nginx error logs:
/var/log/nginx/error.log.2.gz:2017/01/30 16:11:46 [crit] 13114#13114: *139338 SSL_do_handshake() failed (SSL: error:14094459:SSL routines:SSL3_READ_BYTES:tlsv1 bad certificate status response:SSL alert number 113) while SSL handshaking, client: X.X.X.X, server: 0.0.0.0:443
We are using Let's Encrypt for this certificate. We cannot reproduce this problem, and so far we have not been able to get any information about what might be causing it on the client side.
RFC 6066 says this is related to OCSP:
Clients requesting an OCSP response and receiving an OCSP response in a "CertificateStatus" message MUST check the OCSP response and abort the handshake if the response is not satisfactory with bad_certificate_status_response(113) alert. This alert is always fatal.
We have this in our nginx configuration:
# OCSP Stapling
# fetch OCSP records from URL in ssl_certificate and cache them
ssl_stapling on;
ssl_stapling_verify on;
The domain gets an A+ from SSL Labs and we cannot reproduce this ourselves. What could cause this error?
Edit: Of the three times this happened in the last few days, only one left an entry for the IP address in the access log:
/var/log/nginx/access.log:X.X.X.X - - [01/Feb/2017:12:12:51 -0500] "GET /images/foo/bar.png HTTP/1.1" 200 6174 "-" "Mozilla/5.0 (BB10; Kbd) AppleWebKit/537.35+ (KHTML, like Gecko) Version/10.3.2.2639 Mobile Safari/537.35+"
Edit 2: this is the output of openssl s_client -connect <address>:<port> -showcerts -status:
$ openssl s_client -connect foo.bar.com:443 -showcerts -status
CONNECTED(00000003)
depth=1 /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
verify error:num=20:unable to get local issuer certificate
verify return:0
OCSP response:
======================================
OCSP Response Data:
OCSP Response Status: successful (0x0)
Response Type: Basic OCSP Response
Version: 1 (0x0)
Responder Id: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
Produced At: Feb 2 02:49:00 2017 GMT
Responses:
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: 7EE66AE7729AB3FCF8A220646C16A12D6071085D
Issuer Key Hash: A84A6A63047DDDBAE6D139B7A64565EFF3A8ECA1
Serial Number: 0320C25EEBD8FE0BBC3678CC437E182E6D82
Cert Status: good
This Update: Feb 2 02:00:00 2017 GMT
Next Update: Feb 9 02:00:00 2017 GMT
Signature Algorithm: sha256WithRSAEncryption
6b:10:31:84:c6:ec:32:2f:60:b2:5e:a9:a9:af:96:09:0d:53:
7d:1d:9d:25:4e:2a:c2:46:72:51:57:ae:62:d0:6f:b8:ae:0c:
50:d1:6f:f1:84:1f:8b:c8:fb:ed:08:8b:2f:8f:9d:d4:39:31:
dc:6c:f5:99:27:d1:39:cb:f6:e8:c0:db:5e:99:e8:df:74:96:
79:5a:19:ae:b7:84:bc:e2:ff:66:da:1d:dc:ad:d5:90:af:d7:
30:83:28:65:fa:12:0e:46:5d:b4:4d:e0:a2:b8:75:3c:f9:15:
9e:b3:12:28:34:01:0c:53:05:ee:2a:26:d4:81:fb:9c:62:9b:
d6:43:15:ab:a1:cb:f7:ca:e5:6b:4b:7d:79:dd:72:39:93:1e:
3f:e7:74:70:c5:de:79:27:db:79:bf:16:c8:ea:c4:a0:c7:d8:
f1:5c:91:61:dd:4f:67:65:2f:4d:eb:76:8e:9d:ff:99:32:3d:
41:7d:35:e9:25:5b:c1:c6:b3:30:c4:8c:9f:56:8b:86:65:4f:
16:5f:b2:84:d3:f5:24:d9:9e:4f:b2:57:2a:e0:ee:67:01:e8:
72:1b:ad:fd:c8:fd:a9:d5:7c:a4:bb:aa:be:96:22:83:c7:d5:
36:82:51:27:f0:9f:00:9b:51:63:6c:39:02:29:dd:cc:7b:a9:
62:7a:03:ee
======================================
---
Certificate chain
0 s:/CN=foo.bar.com
i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
i:/O=Digital Signature Trust Co./CN=DST Root CA X3
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
---
Server certificate
subject=/CN=foo.bar.com
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
No client certificate CA names sent
---
SSL handshake has read 4125 bytes and written 435 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: 4F251FC1206A7455B45ABB58137F8EBFE0E23980C8C5FA2185F849AC92E99E39
Session-ID-ctx:
Master-Key: 0C7B5BA714DAFA5791BA956DBC4BD642B6CABA21CB6622172B65AC3BACB063D910F38DA1D63E5A90B2C209FE442B5294
Key-Arg : None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - 6e fe 98 71 de f9 22 6f-c6 6c b2 75 fb 94 96 3b n..q.."o.l.u...;
0010 - 8e 35 66 14 6c c5 01 29-29 b8 fc 19 f7 dd 5a d8 .5f.l..)).....Z.
0020 - 6f 5b 5d f9 0c 55 f5 61-af 7e a3 fa 71 f1 7e a8 o[]..U.a.~..q.~.
0030 - 61 26 ac ab fc a8 6a b0-43 da 47 fe 73 88 85 5e a&....j.C.G.s..^
0040 - 05 c5 15 30 3a 24 35 dc-60 30 eb 08 1a 1a 96 73 ...0:$5.'0.....s
0050 - 08 98 83 56 86 cf b4 c5-17 42 8c fd a3 f9 02 89 ...V.....B......
0060 - 2d d3 75 1d 54 10 91 04-37 65 41 a2 02 7a 6d 4d -.u.T...7eA..zmM
0070 - db 52 b2 46 67 cb ab 32-39 5f e8 e2 3f 98 5f 1b .R.Fg..29_..?._.
0080 - 69 e7 91 9a cd 76 03 85-09 79 cb c0 85 96 b1 f1 i....v...y......
0090 - c4 bc 18 31 a5 0a 46 d5-4f 22 fd 70 7e 5d 68 08 ...1..F.O".p~]h.
00a0 - 38 5b 36 66 8c ad e9 3a-e5 51 1a aa db 77 08 7d 8[6f...:.Q...w.}
Start Time: 1486065610
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
closed
Tags ssl nginx https lets-encrypt
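The RFC 6066 quote above is the client-side rule: a client that asked for a stapled OCSP response and got one it is not satisfied with aborts with alert 113. The same checks the client applies (responder status, certificate status, validity window) can be run from the server side as a monitoring probe on the text that openssl s_client -status prints. The script below is an added example, not code from the question, nginx or Let's Encrypt; the sample staple text reuses the status and dates shown in the question's own s_client output, and the "now" timestamps are constructed so the same staple is accepted once and rejected once.

```python
"""Check a stapled OCSP response as printed by `openssl s_client -status`.

Added example: evaluates the fields an RFC 6066 client checks before it
either accepts the staple or sends alert 113 (bad_certificate_status_response).
"""
import re
from datetime import datetime, timedelta, timezone

# Sample in the shape `openssl s_client -status` prints. Status and dates are
# copied from the question's output; they are deliberately in the past so the
# freshness check has something to reject.
SAMPLE_STAPLE = """\
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Responder Id: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
    Produced At: Feb  2 02:49:00 2017 GMT
    Cert Status: good
    This Update: Feb  2 02:00:00 2017 GMT
    Next Update: Feb  9 02:00:00 2017 GMT
======================================
"""

# What s_client prints when the server stapled nothing at all.
NO_STAPLE = "OCSP response: no response sent\n"

# Constructed probe times: inside the window, before it, and after it.
DURING_WINDOW = datetime(2017, 2, 3, 12, 0, tzinfo=timezone.utc)
BEFORE_WINDOW = datetime(2017, 2, 1, 12, 0, tzinfo=timezone.utc)
AFTER_WINDOW = datetime(2017, 2, 10, 12, 0, tzinfo=timezone.utc)

_FIELD = {
    "response_status": re.compile(r"OCSP Response Status:\s*(\w+)"),
    "cert_status": re.compile(r"Cert Status:\s*(\w+)"),
    "this_update": re.compile(r"This Update:\s*(.+)"),
    "next_update": re.compile(r"Next Update:\s*(.+)"),
}


def parse_ocsp_time(text):
    """Turn openssl's 'Feb  2 02:00:00 2017 GMT' into an aware UTC datetime."""
    parts = text.split()
    if parts and parts[-1] == "GMT":
        parts = parts[:-1]
    naive = datetime.strptime(" ".join(parts), "%b %d %H:%M:%S %Y")
    return naive.replace(tzinfo=timezone.utc)


def parse_stapled_response(output):
    """Extract the fields a client checks; None if nothing was stapled."""
    if "no response sent" in output:
        return None
    fields = {}
    for name, pattern in _FIELD.items():
        match = pattern.search(output)
        fields[name] = match.group(1).strip() if match else None
    for key in ("this_update", "next_update"):
        if fields[key]:
            fields[key] = parse_ocsp_time(fields[key])
    return fields


def evaluate_staple(output, now, skew=timedelta(minutes=5)):
    """Return (verdict, detail). 'ok' means an RFC 6066 client would accept the
    staple; the other verdicts are what would make it send alert 113, or show
    that stapling is not actually happening. `skew` tolerates clock drift."""
    fields = parse_stapled_response(output)
    if fields is None:
        return "no_staple", "server stapled no OCSP response"
    if fields["response_status"] != "successful":
        return "bad_response", f"responder status {fields['response_status']}"
    if fields["cert_status"] != "good":
        return "bad_cert_status", f"certificate status {fields['cert_status']}"
    if fields["this_update"] is None:
        return "bad_response", "thisUpdate missing"
    if now < fields["this_update"] - skew:
        return "not_yet_valid", f"thisUpdate {fields['this_update']:%Y-%m-%d %H:%M} is in the future"
    if fields["next_update"] is not None and now > fields["next_update"] + skew:
        return "stale", f"nextUpdate {fields['next_update']:%Y-%m-%d %H:%M} has passed"
    return "ok", f"good until {fields['next_update']:%Y-%m-%d %H:%M}"


if __name__ == "__main__":
    print(evaluate_staple(SAMPLE_STAPLE, DURING_WINDOW))  # ok
    print(evaluate_staple(SAMPLE_STAPLE, AFTER_WINDOW))   # stale
    print(evaluate_staple(NO_STAPLE, DURING_WINDOW))      # no_staple
```

In practice the text fed to evaluate_staple is the output of a real openssl s_client -status run against the server, with now = datetime.now(timezone.utc). A "no_staple" verdict on the very first connection after an nginx restart is expected, since nginx fetches the OCSP response lazily and staples it only from the next handshake on; run the probe twice before treating that verdict as a failure.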