Rails logging: interpreting which end of the API has the certificate error
The following log entry is curious to this viewer:
app/controllers/telegram_webhooks_controller.rb:64:in `message'
Started POST "/telegram/[uniq_string]" for 91.108.6.62 at 2022-02-22 10:49:02 +0000
Processing by TelegramWebhooksController#message
Update: {"update_id":222555282,"message":{"message_id":393,"from":{"id" [...}}}
Responded with message
Completed in 7ms
OpenSSL::SSL::SSLError (SSL_connect returned=1 errno=0 state=error: certificate verify failed (certificate has expired)):
• A webhook receives a request. Note: the webhook was re-verified with result {"ok":true,"result":true,"description":"Webhook is already set"}
• The webhook controller receives and processes the request with a response message.
• The action is completed.
• Then an SSL error is raised.
Whose certificate would be at fault according to this line of the log? The application's or the Telegram server's?
It would be odd that the application's cert were expired, as otherwise the site would not be accessible for all its other functions AND the webhook was set, presumably with Telegram verifying the cert before doing so. Even odder that Telegram would operate its server without a cert.
Update: the discussion with @Yan has pointed to a trace of a solution. nginx configurations were reviewed and certs renewed.
openssl s_client -connect site.example.online:443 -cert certname
Error opening client certificate private key file certname
49295:error:02001002:system library:fopen:No such file or directory:/SourceCache/OpenSSL098/OpenSSL098-52.8.4/src/crypto/bio/bss_file.c:356:fopen('certname','r')
49295:error:20074002:BIO routines:FILE_CTRL:system lib:/SourceCache/OpenSSL098/OpenSSL098-52.8.4/src/crypto/bio/bss_file.c:358:
unable to load client certificate private key file
$ openssl s_client -connect site.example.online:443 -certform format
CONNECTED(00000003)
49310:error:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version:/SourceCache/OpenSSL098/OpenSSL098-52.8.4/src/ssl/s23_clnt.c:593:
openssl version
returns OpenSSL 1.1.1f
Meanwhile, the web pages are being served via https and verifying the data provided through the browser has no red flags.
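The error text records which handshake call failed, so the direction of the failing connection can be read from the log line itself. The following is an added example, not part of the original post, that parses the two kinds of error line quoted above; the sample lines are copied from the page and the method and constant names are hypothetical.

```ruby
# Added example, not from the original post. Sample lines are copied from the
# page; the method and constant names are hypothetical.

# Ruby's OpenSSL binding names the handshake call that failed:
# SSL_connect = this process dialled out, SSL_accept = it took an inbound call.
ROLE = { "SSL_connect" => :client, "SSL_accept" => :server }.freeze

RUBY_ERR = /(SSL_connect|SSL_accept) returned=(-?\d+) errno=(\d+).*? state=([^:]+): ([^(]+?)(?: \(([^)]+)\))?\)?:?\s*\z/

# Returns nil for lines that are not a Ruby OpenSSL handshake error.
def triage_ruby_ssl_error(line)
  m = RUBY_ERR.match(line.strip)
  return nil unless m

  role = ROLE.fetch(m[1])
  rejected = nil
  if m[5] == "certificate verify failed"
    # The side doing the verification raises this, about the chain the
    # other side presented (any certificate in that chain can be the cause).
    rejected = role == :client ? :remote_server_chain : :remote_client_chain
  end
  { local_role: role, reason: m[5], detail: m[6], rejected: rejected }
end

# openssl(1) error-queue line: pid:error:code:library:function:reason:file:line:
def triage_openssl_cli_error(line)
  _pid, tag, code, lib, func, reason, file, lineno = line.strip.split(":")
  return nil unless tag == "error" && reason

  { code: code, library: lib, function: func, reason: reason,
    # Reasons of the form "... alert ..." report a TLS alert sent by the peer.
    alert_from_peer: reason.include?(" alert "),
    source: "#{file}:#{lineno}" }
end

SAMPLES = [
  'Completed in 7ms',
  'OpenSSL::SSL::SSLError (SSL_connect returned=1 errno=0 state=error: certificate verify failed (certificate has expired)):',
  '49310:error:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version:/SourceCache/OpenSSL098/OpenSSL098-52.8.4/src/ssl/s23_clnt.c:593:'
].freeze

SAMPLES.each do |l|
  p(triage_ruby_ssl_error(l) || triage_openssl_cli_error(l) || :not_a_tls_error)
end
```

The `source` field of the CLI line carries the build path of the `openssl` binary that produced the error, which can be compared with what `openssl version` reports on the host under test.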