Comments (11)
Hi @ashkov, I just pushed a new commit which reverts 1c4fb7a; please wait for this action to complete, then you can try to reinstall nginx-ui.
from nginx-ui.
Try to pull this image: uozi/nginx-ui:v2.0.0-beta.18-patch.1 or uozi/nginx-ui:latest
from nginx-ui.
Can you provide more details about this issue, like the configuration file of your site and the steps to reproduce this problem?
from nginx-ui.
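I ran into this too. In Firefox the first visit fails, and after a refresh it works again. It can be reproduced reliably in private browsing mode. Something goes wrong with OCSP here, and I don't know how to solve it.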
Secure Connection Failed
An error occurred during a connection to admin.creatly.team. A required TLS feature is missing.
Error code: MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING
The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the website owners to inform them of this problem.
Clicking "Try Again" fixes it.
from nginx-ui.
This issue may be caused by certificate "must staple", introduced in 1c4fb7a.
I think I should add a switch in the frontend for users to choose whether they need "must staple" or not.
https://community.letsencrypt.org/t/ssl-cert-issue-mozilla-pkix-error/194269
from nginx-ui.
```nginx
server {
    set $server 172.25.10.240;
    set $creation_port 8811;
    set $fab_frog_port 11020;

    listen 80;
    listen [::]:80;
    listen 443 ssl;
    listen [::]:443 ssl;
    http2 on;
    server_name admin.creatly.team;

    ssl_certificate /etc/nginx/ssl/*.creatly.team_creatly.team/fullchain.cer;
    ssl_certificate_key /etc/nginx/ssl/*.creatly.team_creatly.team/private.key;
    include /etc/nginx/include/server_ssl.conf;

    access_log /var/log/nginx/local/admin.creatly.team_access.log main if=$loggable;
    error_log /var/log/nginx/local/admin.creatly.team_error.log warn;
    include /etc/nginx/include/server_security.conf;

    root /var/www/creatly-admin;
    index index.html;

    # Server-side API
    location /api/admin {
        include /etc/nginx/include/location_proxy.conf;
        proxy_pass http://$server:$creation_port$request_uri;
    }
    location /creation/api/admin/ {
        include /etc/nginx/include/location_proxy.conf;
        proxy_pass http://$server:$creation_port/api/admin/;
    }
    location /miaowa/api/admin/ {
        include /etc/nginx/include/location_proxy.conf;
        proxy_pass http://$server:$fab_frog_port/api/admin/;
    }
    location / {
        try_files $uri $uri/ /index.html;
    }
}
```
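I do have ssl_stapling configured. It is only the first visit that fails; the second one works. On the first visit nginx requests the OCSP stapling information asynchronously and caches it in memory. That asynchronous delay means the response returned to Firefox on the first visit carries no OCSP information, while the second visit has it.
But why doesn't Chrome report an error? I don't know.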
from nginx-ui.
This problem has been bothering me for a long time and there seems to be no solution. I hope an expert can find a fix.
from nginx-ui.
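I have a few rather clumsy workarounds, for reference only:
After you configure ssl_stapling on in Nginx and reload, Nginx does not fetch the OCSP response right away. It waits for the first request to arrive and then issues an asynchronous OCSP request, so the first few responses will very likely not carry OCSP stapling. In addition, the OCSP response sometimes cannot be fetched because the OCSP domain cannot be resolved or the server is unreachable, which also prevents OCSP stapling from taking effect.
How can OCSP stapling be done as soon as Nginx starts?
Related Q&A
- How to make OCSP stapling on nginx work: https://matthiasadler.info/blog/ocsp-stapling-on-nginx-with-comodo-ssl/
- Priming the OCSP cache in Nginx: https://unmitigatedrisk.com/?p=241
- [Can I make Nginx automatically OCSP staple certificates at reload/restart?](https://serverfault.com/questions/806329/can-i-make-nginx-automatically-ocsp-staple-certificates-at-reload-restart)
Solutions
Two approaches:
- Right after Nginx starts, visit every domain, which triggers Nginx to request the OCSP server asynchronously.
- Fetch the OCSP response manually, write it to a file in DER encoding, point the 'ssl_stapling_file' directive at that file, and refresh the OCSP response periodically.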
from nginx-ui.
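The failure discussed in this thread, a must-staple certificate served before nginx has cached an OCSP response, can be checked from the command line. The script below is an added example, not code from nginx-ui or from any commenter; the function names are hypothetical, the sample texts are constructed excerpts of `openssl x509 -text` and `openssl s_client -status` output, and `probe`/`warm` assume `openssl` and network access.

```shell
#!/bin/sh
# Added example, not nginx-ui code. Sample texts are constructed excerpts.
# stdin: `openssl x509 -noout -text`. True if the certificate carries the
# TLS Feature extension with status_request, i.e. it is "must staple".
cert_is_must_staple() {
    awk '/TLS Feature:/ {f=1; next} f && /status_request/ {ok=1} {f=0}
         END {exit !ok}'
}

# stdin: `openssl s_client -status`. True if an OCSP response was stapled.
handshake_is_stapled() {
    grep -q 'OCSP Response Status: successful'
}

# $1 = certificate text, $2 = handshake text. Prints what a client that
# enforces must-staple (Firefox in this thread) does with that handshake.
verdict() {
    if printf '%s\n' "$2" | handshake_is_stapled; then echo accepted-stapled
    elif printf '%s\n' "$1" | cert_is_must_staple; then echo rejected-must-staple
    else echo accepted-unstapled
    fi
}

# Live probe: one TLS handshake that asks the server for a stapled response.
probe() {
    openssl s_client -connect "$1:443" -servername "$1" -status </dev/null 2>/dev/null
}

# First workaround above: after a reload, handshake with a server name
# until nginx has fetched and cached its OCSP response. $2 = max attempts.
warm() {
    i=0
    while [ "$i" -lt "${2:-5}" ]; do
        probe "$1" | handshake_is_stapled && return 0
        i=$((i + 1)); sleep 1
    done
    return 1
}

MUST_STAPLE_CERT='            TLS Feature:
                status_request'
PLAIN_CERT='            X509v3 Key Usage: critical
                Digital Signature'
FIRST_HANDSHAKE='OCSP response: no response sent'
SECOND_HANDSHAKE='OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Cert Status: good'

verdict "$MUST_STAPLE_CERT" "$FIRST_HANDSHAKE"   # first visit after reload
verdict "$MUST_STAPLE_CERT" "$SECOND_HANDSHAKE"  # after nginx cached OCSP
```

Against a live server, `warm admin.example.test 5` (placeholder host) run after each reload exits non-zero if no stapled response appears, which is also a usable monitoring check.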
Please help: what can I do to request a certificate right now without staple, by hand?
I can set up NGINX, but I must copy the cert to MailCow, and it does not support staple at all.
So my problem: I can't use IMAPS right now after the update.
> This issue may be caused by certificate "must staple", introduced in 1c4fb7a.
> I think I should add a switch in the frontend for users to choose whether they need "must staple" or not.
from nginx-ui.
> Hi @ashkov, I just pushed a new commit which reverts 1c4fb7a; please wait for this action to complete, then you can try to reinstall nginx-ui.

I use the Docker image.
from nginx-ui.