Question
I've set up an Nginx server serving ssl, with an http server block redirecting to a secured server block. The certificate is issued by my domain provider (1&1). It works perfectly fine on most desktop browsers, but I get an SSL_ERROR_INTERNAL_ERROR_ALERT on Firefox on mobile, and an ERR_SSL_PROTOCOL_ERROR on Chrome mobile (Android Pie).
Here is the nginx configuration:
server {
    listen 80 deferred;
    listen [::]:80 deferred;
    server_name meetoko.com www.meetoko.com;
    return 301 https://meetoko.com$request_uri;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    ssl on;
    ssl_certificate /etc/ssl/meetoko.com.pem;
    ssl_certificate_key /etc/ssl/meetoko.com.key;
    root /var/www/html;
    server_name meetoko.com;
    server_name www.meetoko.com;
    try_files $uri $uri/ /index.html;
    location / {
        try_files $uri $uri/ /index.html;
    }
    location /api/ {
        proxy_pass http://localhost:3000;
        proxy_http_version 1.1;
    }
    location /public/ {
        alias /root/oko-back/public/;
    }
}
The .pem key is a concatenation of the primary and the intermediate issued certificates, and the .key is the private key.
All was working well before going to HTTPS on both mobiles and desktop, so it's hard to figure out what might be wrong... Any ideas?
Thanks!
Answer 1:
The site has an inconsistent configuration as shown by SSLLabs. It is properly configured for IPv4 but has no configuration for IPv6 although it has an IPv6 address.
My guess is that the tested desktop environment is IPv4 only (at least regarding internet access) and therefore no problem occurs. The mobile environment instead is IPv6 capable and in this case IPv6 is the preferred protocol. Only, accessing the site with IPv6 fails due to an incomplete configuration.
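To check the per-address-family difference this answer describes, the following added example (not part of the original answer) attempts a TLS handshake over IPv4 and IPv6 separately and flags a mismatch. The names probe_tls, inconsistent and compare_families are hypothetical, and the script assumes it is run from a host that itself has IPv6 connectivity.

```python
import socket
import ssl
import sys

FAMILIES = {"IPv4": socket.AF_INET, "IPv6": socket.AF_INET6}


def probe_tls(host, port=443, family=socket.AF_INET, timeout=5.0):
    """Attempt one TLS handshake with `host` over a single address family.

    Returns (status, detail); status is "ok", "no-address" or "failed".
    """
    try:
        infos = socket.getaddrinfo(host, port, family, socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return ("no-address", str(exc))  # no A / AAAA record for this family
    addr = infos[0][4]
    ctx = ssl.create_default_context()  # verifies the chain and the host name
    try:
        with socket.socket(family, socket.SOCK_STREAM) as raw:
            raw.settimeout(timeout)
            raw.connect(addr)
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return ("ok", f"{addr[0]} {tls.version()} {tls.cipher()[0]}")
    except OSError as exc:  # ssl.SSLError and timeouts are OSError subclasses
        return ("failed", f"{addr[0]} {type(exc).__name__}: {exc}")


def inconsistent(results):
    """True when one family completes the handshake and another does not."""
    statuses = {status for status, _ in results.values() if status != "no-address"}
    return len(statuses) > 1


def compare_families(host, port=443, timeout=5.0):
    """Probe every family in FAMILIES and return the per-family results."""
    return {name: probe_tls(host, port, fam, timeout) for name, fam in FAMILIES.items()}


if __name__ == "__main__":
    results = compare_families(sys.argv[1])
    for name, (status, detail) in results.items():
        print(f"{name}: {status} ({detail})")
    if inconsistent(results):
        print("IPv4 and IPv6 disagree: check what the AAAA record points to")
```

A "failed" result on IPv6 together with "ok" on IPv4 matches the situation described above; a "failed" result on both families points at the probing host or the server as a whole rather than at one address family.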
Answer 2:
Try to set this option in the config:
ssl_verify_client optional_no_ca;
When ssl_verify_client is optional or on, the nginx server asks the client (mobile browser) to provide a certificate with a trusted CA. Several firmwares have no client certificates issued and signed by a trusted CA.
The optional_no_ca parameter (1.3.8, 1.2.5) requests the client certificate but does not require it to be signed by a trusted CA certificate.
But the mobile Opera browser doesn't work even with these settings. Opera asks the user to offer a certificate anyway. So to stop bothering the client, the ssl_verify_client setting should be:
ssl_verify_client off;
Source: https://stackoverflow.com/questions/55187947/nginx-ssl-configuration-not-working-on-mobile-browsers