Common deployment problems and solutions for HTTPS

Source: Internet
Author: User

In recent years I have written many articles about HTTPS and HTTP/2, covering certificate application, Nginx compilation and configuration, and performance optimization. Readers have raised a wide variety of questions in the comments on those articles, and I often receive similar questions by email. This article collects the representative problems for which I know a solution.

To keep the length under control, this article gives only the conclusion and a reference link for each problem rather than a full discussion; if you have questions or a different opinion, feel free to discuss in the comments. The article will be updated continuously, and contributions of problems and solutions you have encountered are welcome.

In fact, before dealing with any HTTPS or HTTP/2 deployment problem, it is recommended to run the site through Qualys SSL Labs' SSL Server Test, which diagnoses most of them.

Let's Encrypt fails to verify your domain

This is usually because Let's Encrypt cannot reach your server. Try acme.sh in DNS validation mode, which generally solves it.

Website inaccessible, prompting ERR_CERTIFICATE_TRANSPARENCY_REQUIRED

This error is most likely to appear when Chrome 53 is used to access a site with a Symantec certificate. It is caused by a bug in Chrome, and the best fix at present is to upgrade to the latest version of Chrome. Related links:

    • Out of date Chrome results in err_certificate_transparency_required for Symantec operated sites;
    • Warning | Certificate Transparency error with Chrome 53;

Browser reports a certificate error: check that the certificate chain is complete

First make sure the site uses a valid certificate issued by a legitimate CA, then check the completeness of the certificate chain in the web server configuration (it must include the site certificate and all intermediate certificates). If an intermediate certificate is missing, some browsers fetch it automatically, at a severe cost to TLS handshake performance; others report a certificate error outright.

Check whether the browser supports SNI

If only older browsers (for example IE8 on Windows XP) report this error, it is usually because your server hosts multiple HTTPS sites with different certificates at the same time; a browser without SNI (Server Name Indication) support generally receives the wrong certificate and cannot access the site.

To support browsers without SNI, you can deploy each HTTPS site with its own certificate on a separate server, or use the SAN (Subject Alternative Name) mechanism to put multiple domain names in one certificate; you can also simply ignore these old browsers. Note in particular that accessing a commercial HTTPS CDN with a browser that lacks SNI support is basically impossible because of certificate errors.

For more on SNI, see "Some experience sharing about enabling HTTPS (ii)".

Check system time

An incorrect clock on the user's computer also causes the browser to report a certificate problem; in that case the browser generally gives an explicit hint, for example Chrome's ERR_CERT_DATE_INVALID.

Website cannot be accessed after enabling HTTP/2, prompting ERR_SPDY_INADEQUATE_TRANSPORT_SECURITY

This problem is usually caused by a cipher suite configuration error. It is recommended to revise the ssl_ciphers item in the Nginx configuration against an authoritative reference such as Mozilla's recommended configuration or CloudFlare's configuration.

For the specific cause of this issue, see "Starting from the website becoming inaccessible after enabling HTTP/2".

Website inaccessible, prompting ERR_SSL_VERSION_OR_CIPHER_MISMATCH

This error usually occurs when an insecure SSL version or cipher suite is configured, for example a server that only supports SSLv3, or one whose cipher suites are only the RC4 family; Chrome cannot access such a server. The solution is the same as in the previous section.
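To make the cipher suite check concrete, here is an added Python helper (not part of the original post or of Nginx) that audits an ssl_ciphers directive against a simplified form of the RFC 7540 Appendix A rule behind ERR_SPDY_INADEQUATE_TRANSPORT_SECURITY and the RC4-only case above; the sample directives are constructed, and the heuristic approximates the black list rather than reproducing the browser's exact check.

```python
"""Audit an Nginx ssl_ciphers line for HTTP/2 (added example, not from the post).

Simplified RFC 7540 section 9.2.2 / Appendix A rule: a suite is adequate only
with an ephemeral key exchange (ECDHE, or DHE, which Chrome no longer offers)
and an AEAD cipher (GCM, CCM, ChaCha20-Poly1305). RC4, CBC and static-RSA
suites are black-listed and cause ERR_SPDY_INADEQUATE_TRANSPORT_SECURITY.
Group keywords such as HIGH are reported, not expanded (see `openssl ciphers -v`).
"""
import re

EPHEMERAL = {"ECDHE", "DHE"}
AEAD_PREFIXES = ("GCM", "CCM", "CHACHA20")


def suite_adequate(name: str) -> bool:
    """HTTP/2 rule for one suite in OpenSSL naming, e.g. ECDHE-RSA-AES128-GCM-SHA256."""
    if name.startswith("TLS_"):  # TLS 1.3 suites are always ephemeral + AEAD
        return True
    tokens = name.upper().split("-")
    ephemeral = any(t in EPHEMERAL for t in tokens)
    aead = any(t.startswith(AEAD_PREFIXES) for t in tokens)
    return ephemeral and aead


def audit_ssl_ciphers(directive: str) -> dict:
    """Classify entries of an `ssl_ciphers ...;` line; !X, -X, +X and @STRENGTH are skipped."""
    match = re.search(r"ssl_ciphers\s+['\"]?([^;'\"]+)", directive)
    value = match.group(1) if match else directive
    result = {"adequate": [], "inadequate": [], "groups": []}
    for entry in re.split(r"[:,\s]+", value.strip()):
        if not entry or entry[0] in "!-+@":
            continue
        if "-" not in entry and not entry.startswith("TLS_"):
            result["groups"].append(entry)  # HIGH, AESGCM, ... need expansion by openssl
        elif suite_adequate(entry):
            result["adequate"].append(entry)
        else:
            result["inadequate"].append(entry)
    return result


# Constructed sample directives: the kind that breaks HTTP/2, and a fixed one.
WEAK = "ssl_ciphers RC4-SHA:AES128-SHA:ECDHE-RSA-AES128-SHA256:HIGH:!aNULL:!MD5;"
FIXED = ("ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:"
         "ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:!aNULL:!MD5;")

if __name__ == "__main__":
    for label, line in (("weak", WEAK), ("fixed", FIXED)):
        report = audit_ssl_ciphers(line)
        print(label, "inadequate:", report["inadequate"], "groups:", report["groups"])
```

Any entry listed under "inadequate" is one a client may end up negotiating and then refuse HTTP/2 on, so remove it or move the AEAD suites ahead of it.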

There is another scenario in which this error occurs: accessing a site that provides only an ECC certificate with a browser that does not support ECC. For example, on Windows XP only Firefox (which does not rely on the operating system's TLS stack) can access sites using ECC certificates, and on Android version 4+ is required for ECC certificate support. If this is your situation, there is a perfect solution; see "Getting Started with ECC Certificates".

The browser still uses HTTP/1.1 after HTTP/2 is enabled in Nginx

Chrome 51+ removed support for NPN and supports only ALPN, and both browser and server supporting NPN or ALPN is a prerequisite for HTTP/2. In other words, if the server side does not support ALPN, Chrome 51+ cannot use HTTP/2.

Only OpenSSL 1.0.2 and later support ALPN, and many mainstream server systems ship an OpenSSL older than this, so it is recommended to specify the location of a newer OpenSSL when compiling the web server.

See "Why we should support ALPN as soon as possible".

Some site resources fail to load or are reported as not secure after upgrading to HTTPS

Remember one principle: all external references on an HTTPS website (CSS, JS, images, audio, font files, asynchronous interfaces, form action addresses, and so on) need to be upgraded to HTTPS, and then you will not encounter this problem.

See "Some experience sharing about enabling HTTPS (iii)".

Only Safari, iOS and similar browsers cannot access the site

If your HTTPS site works fine in Chrome and Firefox on PC, but macOS Safari and all browsers on iOS cannot access it, Certificate Transparency may be configured incorrectly. Of course, if you have never enabled Certificate Transparency via the TLS extension, skip this section.

The specific symptoms: packet capture with Wireshark usually shows an Alert named illegal_parameter, and troubleshooting with curl -v generally shows an "Unknown SSL protocol error in connection" message.

In that case, go to the directory specified by Nginx's ssl_ct_static_scts configuration and check that each SCT file has a normal size, paying particular attention to empty files.

Note that according to the official announcement, from December 1, 2016 Google's Aviator CT log no longer accepts new certificate submissions. When obtaining SCT files manually with tools such as ct-submit, do not use the Aviator log, or you will get an empty file.
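As an added example (not from the original post or from the nginx-ct module), the following Python script performs the SCT file check described above: it parses each file against the RFC 6962 SignedCertificateTimestamp layout and reports empty, truncated or malformed files; the sample SCT it builds for testing is constructed with a fake log ID and a zeroed signature.

```python
"""Check the .sct files in the ssl_ct_static_scts directory (added example, not from the post).

Each file must be one raw SignedCertificateTimestamp (RFC 6962 section 3.3): version
byte (0 = v1), 32-byte log ID, 8-byte millisecond timestamp, 2-byte-length-prefixed
extensions, then DigitallySigned (hash alg, sig alg, 2-byte length, signature).
An empty or truncated file is what produces the illegal_parameter alert described above.
"""
import os
import struct


def parse_sct(data: bytes) -> dict:
    """Return the SCT's fields or raise ValueError naming the defect."""
    if not data:
        raise ValueError("empty file")
    if data[0] != 0:
        raise ValueError("unknown SCT version %d" % data[0])
    if len(data) < 43:
        raise ValueError("truncated before extensions length")
    (ts_ms,) = struct.unpack(">Q", data[33:41])
    (ext_len,) = struct.unpack(">H", data[41:43])
    pos = 43 + ext_len
    if len(data) < pos + 4:
        raise ValueError("truncated before signature header")
    hash_alg, sig_alg, sig_len = struct.unpack(">BBH", data[pos:pos + 4])
    if sig_len == 0 or pos + 4 + sig_len != len(data):
        raise ValueError("signature length %d does not match file size" % sig_len)
    return {"log_id": data[1:33].hex(), "timestamp_ms": ts_ms,
            "hash_alg": hash_alg, "sig_alg": sig_alg, "sig_len": sig_len}


def check_scts(files: dict) -> dict:
    """Map file name -> None if the SCT parses, else the error text."""
    report = {}
    for name, data in sorted(files.items()):
        try:
            parse_sct(data)
            report[name] = None
        except ValueError as err:
            report[name] = str(err)
    return report


def check_sct_dir(path: str) -> dict:
    """Read every *.sct in the ssl_ct_static_scts directory and check it."""
    return check_scts({n: open(os.path.join(path, n), "rb").read()
                       for n in os.listdir(path) if n.endswith(".sct")})


def build_sample_sct(sig_len: int = 70) -> bytes:
    """Constructed v1 SCT: fake log ID, 2016-12-01 timestamp, zeroed ECDSA/SHA-256 signature."""
    return (b"\x00" + b"\x11" * 32 + struct.pack(">Q", 1480550400000)
            + b"\x00\x00" + b"\x04\x03" + struct.pack(">H", sig_len) + b"\x00" * sig_len)
```

Point check_sct_dir at the directory named in ssl_ct_static_scts; every entry whose value is not None is a file to regenerate from a log that still accepts submissions.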

Link to this article: https://imququ.com/post/troubleshooting-https.html

--eof--

Posted on 2016-12-12 23:50:26 with tags "nginx, HTTPS, http2", last modified 2016-12-25 15:26:07.

This site's content is shared under the Creative Commons "Attribution 4.0 International" license.
