Preface
By the way, this past Saturday afternoon (we were off for the weekend, not on a 996 schedule), a QA colleague suddenly shouted:
"The website and the mini program, none of the functions work!"
That was a real moment of panic >_<!!
Fortunately, Chrome helpfully reported up front that the site's SSL certificate had expired. We contacted the CTO right away and paid to renew the certificate. The ops colleagues then updated the certificate on the server and on the CDN service in turn. Once the website and mini program were reachable again, everyone breathed a sigh of relief, joked about it, and went off to enjoy the weekend.
Little did I know that when I came back on Monday, I would hear that some clients were reporting that certain crawlers and client-side service programs had stopped working.
Troubleshooting
Several backend colleagues quickly went through the logs and found that many long-running background services, as well as client programs, were failing when calling the login interface.
The strange part: for the same HTTPS interface, calls from the browser front end worked fine, while the backend colleagues' calls from Postman failed. In Postman, turning off SSL verification made everything work again.
For a while everyone was baffled. My intuition said it had to be related to the certificate expiry, but every place that needed updating had been updated. What could the problem be? Had we forgotten to update something?
All morning we searched Baidu, Bing and Google and read plenty of Nginx + HTTPS articles, but none of them made a difference.
Could the certificate itself be the problem? The moment that thought crossed my mind, I noticed a 5KB difference between the size of the new certificate and the backup file. 3KB vs. 8KB: that is not a negligible difference!
I quickly asked the ops colleagues to download the certificate files again.
Huh? The second and third files add up to exactly 8KB; that could hardly be a coincidence.
Figuring there was nothing to lose, we merged the two files and dropped the result into the service. One nginx -s reload later, the problem that had bothered me all morning was solved!
Having worked on blockchain projects before and having some basic knowledge of cryptography, I recognised that this 5KB file must be the intermediate certificate. (Background: the difference between root and intermediate certificates.)
Searching for intermediate certificate + nginx + HTTPS, I quickly found the reason.
The intermediate certificate is normally supplied through a certificate chain parameter.
Nginx has no separate Certificate Chain parameter. If there is an intermediate certificate, you have to concatenate the domain certificate with the intermediate certificate and point ssl_certificate at the combined file.
Once more, because it matters:
When configuring HTTPS certificates in Nginx, if an intermediate certificate exists, merge it with the domain certificate and assign the merged file to ssl_certificate.
In other words: our certificate was purchased from GoDaddy. There was no Nginx option when downloading, so we chose Apache, whose bundle ships the intermediate certificate as a separate file, and that is the pit we fell into. If the certificate vendor offers an Nginx download option, the downloaded certificate should already be merged and there should be no problem.
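The merge step described above, written out as a small POSIX shell script. This is an added example, not code from the original post; the file names and paths are placeholders, and the PEM blocks in the demo at the bottom are constructed strings rather than real certificates. It concatenates the domain certificate and the intermediate in the order Nginx expects (leaf first), keeps a backup of the previous file, and counts the certificates in the result; the optional openssl step lists the chain in file order and verifies the leaf against the system trust store so the mistake can be caught before the reload.

```shell
#!/bin/sh
# Added example (not from the original post): build the combined certificate
# file that Nginx's ssl_certificate directive expects, then sanity-check it.
# File names and paths are placeholders; the PEM bodies used in the demo at
# the bottom are constructed strings, not real certificates.
#
# Resulting Nginx configuration (for reference, paths are placeholders):
#   ssl_certificate     /etc/nginx/ssl/fullchain.pem;   # domain cert + intermediate(s)
#   ssl_certificate_key /etc/nginx/ssl/privkey.pem;
set -eu

pem_block_count() {
    # Number of certificates in a PEM file (grep -c prints 0 and exits 1 when none).
    grep -c 'BEGIN CERTIFICATE' "$1" || true
}

build_fullchain() {
    # Usage: build_fullchain DOMAIN.crt INTERMEDIATE.crt OUT.pem
    # Order matters: the domain (leaf) certificate comes first and the
    # intermediate after it, because Nginx sends the file to clients as-is.
    leaf=$1
    inter=$2
    out=$3
    for f in "$leaf" "$inter"; do
        [ "$(pem_block_count "$f")" -ge 1 ] || { echo "not a PEM certificate: $f" >&2; return 1; }
    done
    # Keep a backup of whatever was there before, as the post recommends.
    if [ -f "$out" ]; then cp -- "$out" "$out.bak.$(date +%Y%m%d%H%M%S)"; fi
    # Drop blank lines so a missing trailing newline cannot glue two blocks together.
    { cat "$leaf"; echo; cat "$inter"; echo; } | grep -v '^$' > "$out"
    pem_block_count "$out"
}

show_chain_order() {
    # Print subject and issuer of every certificate in file order, so you can
    # confirm the leaf is first and each issuer matches the next subject. Then
    # verify the leaf against the system trust store, using the same file as the
    # untrusted chain (openssl verify only checks the first certificate in a file).
    command -v openssl >/dev/null 2>&1 || { echo "openssl not installed" >&2; return 1; }
    openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
    openssl verify -untrusted "$1" "$1"
}

# --- demo with constructed placeholder PEM blocks (not real certificates) ---
work=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'CONSTRUCTED-LEAF-BODY' '-----END CERTIFICATE-----' > "$work/domain.crt"
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'CONSTRUCTED-INTERMEDIATE-BODY' '-----END CERTIFICATE-----' > "$work/intermediate.crt"
count=$(build_fullchain "$work/domain.crt" "$work/intermediate.crt" "$work/fullchain.pem")
echo "fullchain.pem now contains $count certificate(s); reload with: nginx -t && nginx -s reload"
```

Run show_chain_order on the real merged file before nginx -s reload; if the intermediate is missing, the verify step fails with an "unable to get local issuer certificate" error, which is the same failure the backend clients hit. That also explains the symptom from the troubleshooting section: strict TLS clients such as Postman with SSL verification on, and most HTTP libraries used by backend services, do not go and fetch a missing intermediate, whereas browsers often have it cached or download it themselves, so the browser front end kept working while everything else broke.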
Summary and reflection
Although the problem is essentially solved, it is worth reflecting on and summarising:
- The company has only existed for a year and many of its mechanisms are still not mature. Nobody noticed the certificate until it had expired; there was no advance warning.
- When working on server configuration files, always make a backup; at the critical moment, even comparing file sizes can work magic! 🙂
- Finally, when configuring HTTPS certificates with Nginx, the intermediate certificate must be merged with the domain certificate!