I am using NGINX as a DNS over TLS server.
However, Android "Private DNS" suddenly stopped working on all devices.
Using kdig still works as expected:
kdig -d @my.dns.server +tls-ca +tls-host=my.dns.server example.org
However, the requests from Android fail, and I see the following error in the NGINX log:
SSL_do_handshake() failed (SSL: error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired:SSL alert number 45) while SSL handshaking, client: **.**.**.**, server: 0.0.0.0:853
The certificate is still valid, but I am not sure why this error appears.
My NGINX SSL configuration is:
ssl_certificate /etc/letsencrypt/live/my.dns.server/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/my.dns.server/privkey.pem; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA";
ssl_handshake_timeout 10s;
ssl_session_cache shared:SSL:20m;
ssl_session_timeout 4h;
Adding --preferred-chain "ISRG Root X1" to the certbot CLI command fixed it. It works fine now. Thanks again @PatrickMevzek - Atrox1449