首頁 » Firefox 安全連線失敗

Firefox 安全連線失敗

Firefox 安全連線失敗-之前轉換IP時,就發生過一次,Chrome與Safari都沒事,但是Firefox認為網站有問題,不給瀏覽的狀況,別問我IE…沒機器那種東西。這次應該是前幾天Webinoly自動更新SSL,但起來一切都沒事,門想到今天就有使用者回報網站進不去,來修吧~

Firefox 錯誤信息

只要是同一主機上的網站,都有一樣的狀況,主流瀏覽器沒事,Firefox就有問題,桌面上回應如下:

安全連線失敗

連線到 nubaby.cc 時發生錯誤。缺少必需的 TLS 功能。 錯誤碼: MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING 

nubaby.cc 連不上

https://arthurlin.net 也無法用firefox連

Firefox手機版

手機版給的資訊真少,火狐你也太不友善了~還好我有電腦 哼

更新SSL

因為用Webinoly,所以用內建的SSL更新功能,其實用letsencrypt的指令也可以,當初換IP火狐不認認證時,就是用certbot更新的。

sudo site nubaby.cc -ssl=force-renewal

得到下面成功更新資訊

*************************************************************************************************
**  Please, be careful with the number of intents or certificates you try to get.              **
**  Let’s Encrypt provides rate limits to ensure fair usage by as many people as possible.     **
**                                                                                             **
**  If you are getting errors or having issues when trying to get a new certificate            **
**  read about the Let's Encrypt rate limit - https://letsencrypt.org/docs/rate-limits/        **
*************************************************************************************************

Please, be sure that nubaby.cc and www.nubaby.cc are both currently pointing (DNS) to this server. 
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/nubaby.cc/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/nubaby.cc/privkey.pem
   Your cert will expire on 2019-12-23. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

SSL Cert - nubaby.cc$ - has been Forced to Renew!

網站SSL正常囉~

只是我不能理解,為何更新 nubaby.cc 的SSL,結果不只 nubaby.cc正常了,連其他網站也都正常。

哎~反正能用就好,不追究!

Firefox手機版也正常

後記-前一天收到的E-mail

明明就說不用更新,也沒做啥事,不知道為何Firefox就是出事…..加上火狐用的人少,出事很難察覺的。

有人說要在apache設定裡加幾行設定,不過我用的是 nginx ,而且SSL測試也都通過,就這樣紀錄一下,有同樣問題的朋友,請更新SSL自動就會好。

Cron <root@arthur-server12> certbot renew --post-hook "service nginx restart"

The following certs are not due for renewal yet:
  /etc/letsencrypt/live/arthurlin.net/fullchain.pem expires on 2019-12-11 (skipped)
  /etc/letsencrypt/live/chickenflydoggyjump.com/fullchain.pem expires on 2019-10-25 (skipped)
  /etc/letsencrypt/live/nubaby.cc/fullchain.pem expires on 2019-11-27 (skipped)
  /etc/letsencrypt/live/nubaby.co/fullchain.pem expires on 2019-11-27 (skipped)
  /etc/letsencrypt/live/nubaby.com.tw/fullchain.pem expires on 2019-11-27 (skipped)
  /etc/letsencrypt/live/nubaby.org/fullchain.pem expires on 2019-11-27 (skipped)
  /etc/letsencrypt/live/nubaby.tw/fullchain.pem expires on 2019-11-27 (skipped)
  /etc/letsencrypt/live/nubabycare.com/fullchain.pem expires on 2019-11-27 (skipped)
  /etc/letsencrypt/live/nubabynail.com/fullchain.pem expires on 2019-11-27 (skipped)
  /etc/letsencrypt/live/nubabyonline.com/fullchain.pem expires on 2019-11-27 (skipped)
  /etc/letsencrypt/live/nubabyspa.com/fullchain.pem expires on 2019-11-27 (skipped)
  /etc/letsencrypt/live/nubabystore.com/fullchain.pem expires on 2019-11-27 (skipped)
  /etc/letsencrypt/live/nubabyteach.com/fullchain.pem expires on 2019-11-27 (skipped)
No renewals were attempted.
No hooks were run.

20191111 更新資訊

有另一種解法,在nginx設定檔裡面,加一些OCSP設定,在我這邊測試也可以解決

sudo nano /etc/nginx/nginx.conf

在ssl的區塊中,加入以下設定值

ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 1.1.1.1 valid=300s;
resolver_timeout 5s;

然後重啟nginx

sudo systemctl restart nginx

內部連結

宣傳一下自己的網站

妮寶貝-問題指甲文章

Leave a Comment

發佈留言必須填寫的電子郵件地址不會公開。 必填欄位標示為 *