Cloudflare SSL握手失败(错误525)
[英]Cloudflare SSL Handshake Failed (Error 525)
问题描述
I have a problem with my website (and host). 
我的网站(和主机)有问题。 I am using full(strict) crypto setting for my website. 我正在为我的网站使用完整(严格)加密设置。 And I don't know why it is encountering error since last month the web just work fine. 而且我不知道为什么它会遇到错误,因为上个月网络运行正常。
Here is the debug 这是调试
Using curl -sv -o command : 使用curl -sv -o命令:
curl -sv -o /dev/null https://<domain>.com/ --resolve <domain>.com:<<port>>:<<ip>>
* Added <domain>.com:<<port>>:<<ip>> to DNS cache
* Hostname <domain>.com was found in DNS cache
* Trying <<vps_ip>>...
* TCP_NODELAY set
* Connected to <domain>.com (<<vps_ip>>) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: /usr/local/etc/openssl/cert.pem
CApath: /usr/local/etc/openssl/certs
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
} [5 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
* stopped the pause stream!
* Closing connection 0
Using openssl s_client command : 使用openssl s_client命令:
openssl s_client -connect <<vps_ip>>:443 | openssl x509 -text -noout
52457:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:/BuildRoot/Library/Caches/com.apple.xbs/Sources/OpenSSL098/OpenSSL098-64.50.6/src/ssl/s23_clnt.c:618: unable to load certificate
52458:error:0906D06C:PEM routines:PEM_read_bio:no start line:/BuildRoot/Library/Caches/com.apple.xbs/Sources/OpenSSL098/OpenSSL098-64.50.6/src/crypto/pem/pem_lib.c:648:Expecting: TRUSTED CERTIFICATE
And here is the VHost config : 这是VHost配置:
Listen 80
<VirtualHost *:80>
ServerName <domain>
ServerAlias <alias>
ServerAdmin -alreadyset-
DocumentRoot -alreadyset-
SSLEngine off
SSLCertificateFile -alreadyset-/mikata.pem
SSLCertificateKeyFile -alreadyset-/mikata.key
<Directory />
Options FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
Require all granted
</Directory>
<Directory /home/emtetour/public_html>
Options Indexes FollowSymLinks Multiviews
AllowOverride None
Order allow,deny
Allow from all
Require all granted
</Directory>
ErrorLog -alreadyset-
CustomLog -alreadyset-
</VirtualHost>
Listen 443
<VirtualHost *:443>
ServerName <domain>
ServerAlias <alias>
ServerAdmin -alreadyset-
DocumentRoot -alreadyset-
SSLEngine on
SSLCertificateFile -alreadyset-/mikata.pem
SSLCertificateKeyFile -alreadyset-/mikata.key
<Directory />
Options FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
Require all granted
</Directory>
<Directory /<directory>/public_html>
Options Indexes FollowSymLinks Multiviews
AllowOverride None
Order allow,deny
Allow from all
Require all granted
</Directory>
</VirtualHost>
Anybody can help me? 有人可以帮助我吗? It's already 4 days and I have no clue what to fix... Thanks.. 已经四天了,我不知道该怎么解决...谢谢..
PS The Server is running Apache2.4.25 with UbuntuOS. PS服务器正在使用UbuntuOS运行Apache2.4.25。 Cipher and protocol is compatible with cloudflare SSL. 密码和协议与cloudflare SSL兼容。
Found the solution 找到了解决方案
This is probably a very late edit, but apparently Apache need a default VirtualHost settings for 443 port. 这可能是一个很晚的编辑,但是显然Apache需要443端口的默认VirtualHost设置。
So you must add somethings like 111-default.conf then only write server admin, document root, and the SSL config (since mine is a wild-certificate, I used the same config as the website). 因此,您必须添加诸如111-default.conf之类的内容,然后仅编写服务器admin,文档根目录和SSL配置(因为我的是通配证书,所以我使用了与网站相同的配置)。
Hope this is helpful for others who encounter similar problem. 希望这对遇到类似问题的其他人有所帮助。
2 个解决方案
解决方案1
0 2017-10-06 17:34:01
根据您提供的错误消息,看来您的证书不正确:
Expecting: TRUSTED CERTIFICATE
解决方案2
0 2019-02-22 10:46:18
I put 我放
<VirtualHost *:443></VirtualHost>
in 000-defaults.conf with only DocumentRoot defined and got the same error. 在000-defaults.conf中,仅定义了DocumentRoot并得到了相同的错误。 So after removing that, it was totally fine. 因此,将其删除后,一切都很好。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.