I have a server running on NodeJS (Express), and I ran into a problem when trying to make it serve HTTPS. I managed to create a certificate manually with Certbot
certbot certonly --manual
after that I configured my Express application
const fs = require('fs');
var http = require('http');
var https = require('https');
var express = require('express');

const credentials = {
  key: fs.readFileSync('/etc/letsencrypt/live/example/privkey.pem', 'utf8'),
  cert: fs.readFileSync('/etc/letsencrypt/live/example/cert.pem', 'utf8'),
  ca: fs.readFileSync('/etc/letsencrypt/live/example/chain.pem', 'utf8')
};

const app = express();

// Starting both http & https servers
const httpServer = http.createServer(app);
const httpsServer = https.createServer(credentials, app);

httpServer.listen(80, () => {
  console.log('HTTP Server running on port 80');
});

httpsServer.listen(443, () => {
  console.log('HTTPS Server running on port 443');
});
but now, when I try to access my page over https, I get errors
in Chrome:
ERR_SSL_VERSION_OR_CIPHER_MISMATCH
in Firefox:
SSL_ERROR_NO_CYPHER_OVERLAP
and when I run curl -I
error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
or curl -Iv
* Rebuilt URL to: https://example.com/
* Trying 90.80.200.30...
* TCP_NODELAY set
* Connected to example.com (90.80.200.30) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Unknown (21):
* TLSv1.2 (IN), TLS alert, Server hello (2):
* error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
* Curl_http_done: called premature == 1
* stopped the pause stream!
* Closing connection 0
curl: (35) error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
openssl x509 -in /etc/letsencrypt/live/example.com/cert.pem --noout --text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
30:44:02:20:4A:48:E9:34:36:94:72:A9:DD:65:D0:3F
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
Validity
Not Before: Oct 31 12:53:53 2018 GMT
Not After : Jan 29 12:53:53 2019 GMT
Subject: CN = example.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
30:44:02:20:4A:48:E9:34:36:94:72:A9:DD:65:D0:3F:
…
3E:E7:FE:74:88:FB:A4:8F:28:93:01:9D:DD:F1:DB:FE
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Subject Key Identifier:
30:44:02:20:4A:48:E9:34:36:94:72:A9:DD:65:D0:3F:65:D0:3F:65:D0:3F:D0:3F:65:D0
X509v3 Authority Key Identifier:
keyid:30:44:02:20:4A:48:E9:34:36:94:72:A9:DD:65:D0:3F:65:D0:3F:65:D0:3F
Authority Information Access:
OCSP - URI:http://ocsp.int-x3.letsencrypt.org
CA Issuers - URI:http://cert.int-x3.letsencrypt.org/
X509v3 Subject Alternative Name:
DNS:example.com
X509v3 Certificate Policies:
Policy: 2.23.140.1.2.1
Policy: 1.3.6.1.4.1.44947.1.1.1
CPS: http://cps.letsencrypt.org
User Notice:
Explicit Text: This Certificate may only be relied upon by Relying Parties and only in accordance with the Certificate Policy found at https://letsencrypt.org/repository/
CT Precertificate SCTs:
Signed Certificate Timestamp:
Version : v1 (0x0)
Log ID : 30:44:02:20:4A:48:E9:34:36:94:72:A9:DD:65:D0:3F:
30:44:02:20:4A:48:E9:34:36:94:72:A9:DD:65:D0:3F
Timestamp : Oct 31 13:53:53.601 2018 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:44:02:20:4A:48:E9:34:36:94:72:A9:DD:65:D0:3F:
…
3E:E7:FE:74:88:FB:A4:8F:28:93:01:9D:DD:F1:DB:FE
Signed Certificate Timestamp:
Version : v1 (0x0)
Log ID : 30:44:02:20:4A:48:E9:34:36:94:72:A9:DD:65:D0:3F:
30:44:02:20:4A:48:E9:34:36:94:72:A9:DD:65:D0:3F:
Timestamp : Oct 31 13:53:53.593 2018 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:44:02:20:4A:48:E9:34:36:94:72:A9:DD:65:D0:3F:
…
3E:E7:FE:74:88:FB:A4:8F:28:93:01:9D:DD:F1:DB:FE
Signature Algorithm: sha256WithRSAEncryption
30:44:02:20:4A:48:E9:34:36:94:72:A9:DD:65:D0:3F:
…
3E:E7:FE:74:88:FB:A4:8F:28:93:01:9D:DD:F1:DB:FE
openssl s_client -connect example.com:443
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = example.com
verify return:1
---
Certificate chain
0 s:/CN=example.com
i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
Ui1+nIYuYX9pfi+lQMchiMS90xsM7g0LtHP2ya1/2IgizLY4IjM/MXO6ykVa6JU8
…
eXB0Lm9yZy9yZXBvc2l0b3J5LzCCAQMGCisGAQQB1nkCBAIEgfQEgfEA7wB1AOJp
-----END CERTIFICATE-----
subject=/CN=example.com
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3429 bytes and written 302 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 99A2269E79E79E762624A77229E762629E79E7BE1C19E7CB30499E7092269E72620A6C9E7
Session-ID-ctx:
Master-Key: 9E79451F4C469E79E7925ED689E79EAB79E7989E799E799E79213779E799E799E799E799E799E79EFCC152D
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
Start Time: 1541064686
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
---
nmap --script ssl-enum-ciphers example.com
Starting Nmap 7.40 ( https://nmap.org ) at 2018-11-01 10:36 CET
Nmap scan report for example.com (90.80.200.30)
Host is up (0.0047s latency).
Not shown: 990 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
53/tcp open domain
80/tcp open http
443/tcp open https
| ssl-enum-ciphers:
| TLSv1.0:
| ciphers:
| TLS_DH_anon_WITH_AES_256_CBC_SHA - F
| compressors:
| NULL
| cipher preference: indeterminate
| cipher preference error: Too few ciphers supported
| TLSv1.1:
| ciphers:
| TLS_DH_anon_WITH_AES_256_CBC_SHA - F
| compressors:
| NULL
| cipher preference: indeterminate
| cipher preference error: Too few ciphers supported
| TLSv1.2:
| ciphers:
| TLS_DH_anon_WITH_AES_256_CBC_SHA - F
| compressors:
| NULL
| cipher preference: indeterminate
| cipher preference error: Too few ciphers supported
|_ least strength: F
1433/tcp filtered ms-sql-s
1723/tcp open pptp
2000/tcp open cisco-sccp
8082/tcp filtered blackice-alerts
8291/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 15.81 seconds
I have tried to figure out what could be causing this problem and/or how I could solve it, but I could not work anything out. I tried updating OpenSSL to the latest version and I tried regenerating the certificate, but nothing helped. I would be very glad of any help.
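
Added example, not part of the original post: a small Node script that reads `ssl-enum-ciphers` output like the scan above and reports whether the scanned listener offers anything other than anonymous cipher suites. The helper names `parseEnumCiphers` and `diagnose` are hypothetical, and the sample text is constructed from the port 443 lines of that scan.

```javascript
// Constructed sample: the port 443 block of the nmap output above, trimmed.
const SAMPLE = [
  '443/tcp open https',
  '| ssl-enum-ciphers:',
  '|   TLSv1.0:',
  '|     ciphers:',
  '|       TLS_DH_anon_WITH_AES_256_CBC_SHA - F',
  '|     compressors:',
  '|       NULL',
  '|   TLSv1.2:',
  '|     ciphers:',
  '|       TLS_DH_anon_WITH_AES_256_CBC_SHA - F',
  '|     cipher preference: indeterminate',
  '|_  least strength: F',
].join('\n');

// Hypothetical helper: parse ssl-enum-ciphers text into { protocol: [suite, ...] }.
function parseEnumCiphers(text) {
  const suites = {};
  let proto = null;
  let inCiphers = false;
  for (const raw of text.split('\n')) {
    const line = raw.replace(/^\|_?\s*/, '').trim();
    const p = line.match(/^((?:TLS|SSL)v[\d.]+):$/);
    if (p) { proto = p[1]; suites[proto] = []; inCiphers = false; continue; }
    if (line === 'ciphers:') { inCiphers = true; continue; }
    if (/^[a-z ]+:/.test(line)) { inCiphers = false; continue; } // compressors:, cipher preference:
    const c = line.match(/^((?:TLS|SSL)_\w+)/);
    if (proto && inCiphers && c) suites[proto].push(c[1]);
  }
  return suites;
}

// Anonymous key exchange (aNULL in OpenSSL terms): no certificate is sent at all.
const isAnonymous = (suite) => /_(?:DH|ECDH)_anon_/.test(suite);

// Hypothetical helper: what is left for a client that refuses aNULL suites?
function diagnose(text) {
  const suites = parseEnumCiphers(text);
  const all = [...new Set(Object.values(suites).flat())];
  const usable = all.filter((s) => !isAnonymous(s));
  return {
    protocols: Object.keys(suites),
    anonymousOnly: all.length > 0 && usable.length === 0,
    usable,
  };
}

console.log(diagnose(SAMPLE));
```

Anonymous suites carry no certificate, and the `!aNULL` in the curl cipher selection quoted in the question excludes them, so `anonymousOnly: true` means such a client and the scanned listener share no suite.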