求专治疑难杂症的老中医帮助,SSL证书无效的问题

好多年前给客户做了个系统,客户一直正在用,本系统每年就1月初用几天。网站使用的https协议,ssl证书有效期是一年。
今年使用前ssl证书已更换为新的证书,但用户反馈部分苹果用户使用时会提示证书存在问题,并提示已过期49天(该用户浏览器端加载到的还是更换之前的证书,新证书没有生效)。

这里是因为缓存的问题吗?应该做怎样的处理避免这个问题?

微信中提示:
SSL证书无效的问题,求经验丰富的大佬帮助

浏览器中提示:
SSL证书无效的问题,求经验丰富的大佬帮助

客户电脑提示:
SSL证书无效的问题,求经验丰富的大佬帮助

nginx配置

server {
  listen 80;
  listen 443 ssl http2;
  ssl_certificate /usr/local/nginx/conf/ssl/*******.cn.crt;
  ssl_certificate_key /usr/local/nginx/conf/ssl/*******.cn.key;
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
  ssl_ciphers TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
  ssl_prefer_server_ciphers on;
  ssl_session_timeout 10m;
  ssl_session_cache builtin:1000 shared:SSL:10m;
  ssl_buffer_size 1400;
  add_header Strict-Transport-Security max-age=15768000;
  ssl_stapling on;
  ssl_stapling_verify on;
  server_name *******.cn;
  access_log /data/wwwlogs/*******.cn_nginx.log combined;
  index index.html index.htm index.php;
  root /data/wwwroot/*******.cn/public;

  include /usr/local/nginx/conf/rewrite/laravel.conf;
  #error_page 404 /404.html;
  #error_page 502 /502.html;

  location ~ [^/]\.php(/|$) {
    #fastcgi_pass remote_php_ip:9000;
    fastcgi_pass unix:/dev/shm/php-cgi.sock;
    fastcgi_index index.php;
    include fastcgi.conf;
  }

  location ~ .*\.(gif|jpg|jpeg|png|bmp|swf|flv|mp4|ico)$ {
    expires 30d;
    access_log off;
  }
  location ~ .*\.(js|css)?$ {
    expires 7d;
    access_log off;
  }
  location ~ /(\.user\.ini|\.ht|\.git|\.svn|\.project|LICENSE|README\.md) {
    deny all;
  }
}
《L04 微信小程序从零到发布》
从小程序个人账户申请开始,带你一步步进行开发一个微信小程序,直到提交微信控制台上线发布。
《L03 构架 API 服务器》
你将学到如 RESTFul 设计风格、PostMan 的使用、OAuth 流程,JWT 概念及使用 和 API 开发相关的进阶知识。
讨论数量: 10

重启一下nginx服务器。每次更换配置都要重启

3周前 评论
mmx (楼主) 3周前

你更换证书之后重启nginx没

3周前 评论
mmx (楼主) 3周前
zjason (作者) 3周前

如果觉得麻烦可以用阿里云的负载均衡,监听服务器上的80,把域名解析到负载均衡上,在负载均衡上绑定证书就行

3周前 评论
66

检查服务器时间

3周前 评论
安卓用户没反馈这个问题,苹果用户有反馈这个问题

排除服务器问题。找个iOS资讯下,苹果会不会缓存证书或者下载证书到本地

3周前 评论

还有一个办法,你换一个免费的https证书试试。确保不是证书的问题。 具体可以用 来此加密 这个网站来申请证书,可以申请泛域名证书,百度一下就行,我试过了很好用。

3周前 评论

首先在出现问题的 PC 上看获得的证书有效期是否正常:
安装 Smallstep CLI

$ step certificate inspect https://YOUR_DOMAIN

# Example

$ step certificate inspect https://george.betterde.com
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 277028619957168996496866148377847610215553 (0x32e1d2b7678a3cde0a0aff3d8973da00c81)
    Signature Algorithm: SHA256-RSA
        Issuer: C=US,O=Let's Encrypt,CN=R3
        Validity
            Not Before: Nov 15 07:22:21 2022 UTC
            Not After : Feb 13 07:22:20 2023 UTC
        Subject: CN=george.betterde.com
        Subject Public Key Info:
            Public Key Algorithm: RSA
                Public-Key: (4096 bit)
                Modulus:
                    a3:5d:2a:3c:6c:f7:b0:d6:6d:c1:97:0f:42:c4:7c:
                    7e:76:f7:5a:02:30:8b:12:fb:52:ca:aa:14:f3:a1:
                    45:90:48:41:27:76:4a:14:be:a8:28:24:45:d8:4f:
                    8f:dd:a5:0e:56:bb:f8:a1:65:05:cd:f5:fb:a3:0b:
                    77:da:89:30:64:c5:4e:ec:f4:be:b4:ae:6a:75:24:
                    25:6b:61:12:3d:df:ef:47:60:f9:fd:20:d0:d3:3e:
                    57:c8:c4:73:7e:ea:89:c3:df:6e:f8:a9:72:60:b3:
                    d4:b9:83:27:74:c4:cb:19:49:c2:1f:87:a8:a2:72:
                    50:11:f0:4f:4a:dc:1d:4f:3b:f7:df:a0:e3:07:e6:
                    33:45:cf:96:0a:ab:4f:90:ad:5e:8b:25:bb:c5:0d:
                    93:bb:7c:da:88:ae:c0:97:e9:f4:1d:a4:c1:82:00:
                    9b:3a:cb:a7:75:72:1f:12:ee:22:63:de:49:e9:dc:
                    fe:d3:79:ec:e5:a1:18:19:5b:ae:c2:a1:19:d8:73:
                    78:3d:45:9b:d1:32:f3:c8:a0:39:c3:f4:fc:80:7a:
                    70:de:c1:ac:a4:bf:92:b2:d7:d1:66:d6:b3:1a:de:
                    80:ed:53:6a:45:ef:87:4f:d1:c7:3a:1a:60:98:1d:
                    e6:f6:7d:17:07:38:4d:91:29:4c:9b:01:ef:f4:d3:
                    ea:d8:c5:15:e2:aa:01:a5:c7:fb:7e:fb:eb:7d:7a:
                    0f:7f:cc:41:cf:c9:31:a7:2e:2e:8a:c1:2e:f3:55:
                    7f:3b:aa:b5:76:58:b2:dd:a1:81:b8:1c:9d:f7:57:
                    56:93:a3:61:88:07:23:4c:86:bc:38:15:bd:17:0a:
                    88:f1:bc:4f:b7:83:b7:f8:0b:81:46:41:b4:a8:ac:
                    38:96:b9:8b:8a:32:98:8b:0c:fb:26:07:b9:c7:38:
                    c1:f8:f3:92:6a:b4:f2:38:aa:2c:78:18:ae:05:3c:
                    78:e1:4d:c9:5a:2f:8e:14:a1:e4:bf:2e:5a:f0:a0:
                    a6:37:56:e2:c0:76:d1:df:f4:8b:49:12:f2:f4:40:
                    ae:a6:63:44:cb:22:df:c9:7a:72:61:0a:68:56:1b:
                    da:a5:6a:21:98:3e:a3:d7:11:36:fa:82:f2:e8:43:
                    83:b0:b7:5a:ba:7c:b6:54:6b:cf:b6:bb:64:b1:17:
                    a6:6f:74:e2:af:51:62:af:63:d3:37:03:a7:23:f3:
                    25:15:bd:fa:0e:e1:25:b3:20:48:98:d6:45:8c:70:
                    3f:30:84:f4:83:8d:96:ad:b9:7f:f4:ac:a3:b8:08:
                    9c:55:8c:df:61:e1:d1:67:05:cf:63:82:ae:a4:96:
                    97:4e:ad:b3:15:33:20:ec:32:a9:c9:fd:0a:20:07:
                    4a:db
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                Server Authentication, Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                91:AC:86:05:F8:94:F1:26:6F:4A:CE:DA:04:F2:69:52:00:55:81:D2
            X509v3 Authority Key Identifier:
                keyid:14:2E:B3:17:B7:58:56:CB:AE:50:09:40:E6:1F:AF:9D:8B:14:C2:C6
            Authority Information Access:
                OCSP - URI:http://r3.o.lencr.org
                CA Issuers - URI:http://r3.i.lencr.org/
            X509v3 Subject Alternative Name:
                DNS:george.betterde.com
            X509v3 Certificate Policies:
                Policy: 2.23.140.1.2.1
                Policy: 1.3.6.1.4.1.44947.1.1.1
            RFC6962 Certificate Transparency SCT:
                SCT [0]:
                    Version: V1 (0x0)
                    LogID: tz77JN+cTbp18jnFulj0bF38Qs96nzXEnh0JgSXttJk=
                    Timestamp: Nov 15 08:22:21.996 2022 UTC
                    Signature Algorithm: SHA256-ECDSA
                      30:44:02:20:2a:3f:27:09:57:5c:f2:09:95:59:1c:8b:7b:c3:
                      f0:52:71:b1:39:49:05:4d:9b:fd:6a:f5:da:43:e0:21:af:b5:
                      02:20:29:90:1c:36:36:db:8f:0d:15:79:b7:66:50:48:22:7d:
                      6d:e0:f3:6c:64:88:8c:77:9a:ae:bb:ad:3f:32:16:2c
                SCT [1]:
                    Version: V1 (0x0)
                    LogID: ejKMVNi3LbYg6jjgUh7phBZwMhOFTTvSK8E6V6NS61I=
                    Timestamp: Nov 15 08:22:22.064 2022 UTC
                    Signature Algorithm: SHA256-ECDSA
                      30:44:02:20:11:01:00:93:31:9e:b6:f5:28:bd:2d:c2:88:f0:
                      d2:c7:43:a9:c4:4b:89:ab:c2:76:53:55:27:60:b7:e4:e0:e8:
                      02:20:3d:a6:ec:68:1a:e2:60:6d:a7:62:87:70:be:de:c2:08:
                      86:03:07:ee:4d:b4:c0:b8:c0:32:8e:80:9b:c9:fd:67

如果证书没问题,那么可能是客户端的系统时间有问题!

还有一种可能就是:

苹果公司在第 49 届 CA/浏览器论坛(CA/Browser)会议上宣布:为了提高网络安全性,任何有效期超过了 398 天的新网站证书都将不会受到 Safari 浏览器的信任。但是,在截止日期(2020年9月1日)之前颁发的证书不受此规则的影响。

简单来说当 SSL 证书同时满足以下条件时,将不会被 Safari 信任:

  1. 在2020年9月1日之后签发
  2. 有效期超过398天

在 2020年9月1日前签发的证书不受影响。此举目的是通过确保开发者使用最新加密标准的证书来提高网站的安全性,并减少被忽视的旧证书的数量,这些证书有可能被盗窃,并被用于网络钓鱼和驱动器恶意软件攻击。

另外我在较老的 Windows 设备上使用 Chrome 发现由 Let’s Encrypt 签发的证书不被信任,可能是较老的系统中没有 CA 的 Root 证书!

3周前 评论

讨论应以学习和精进为目的。请勿发布不友善或者负能量的内容,与人为善,比聪明更重要!