Java
p4s8x, 2016-12-20 19:52:04

Nginx, SSLHandshakeException. How to win?

Sometimes (~0.5% of requests) it happens that the first connection to the server falls into SSL_ERROR. Browser and OS dependencies were not identified, but the sample is not very large.
External services are still connecting to our server, but they also sometimes cannot connect to us and send us reports:

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
unable to find valid certification path to requested target

We don’t know if this has anything to do with us or if these are different problems, it’s impossible to achieve some kind of repeatability of the error.
Our service is an API of sorts, moderately loaded, CPU 5-10%, traffic 100-200 Mbps on average.
The nginx settings over SSL are as follows:
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;
ssl_prefer_server_ciphers on;
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:50m;
ssl_certificate /etc/nginx/ssl/shared.crt;
ssl_certificate_key /etc/nginx/ssl/shared.key;
add_header Strict-Transport-Security "max-age=31536000";

Where should we dig? How can we test this?

1 answer

ky0, 2016-12-21

The root certificate was simply not found. Let them update the JDK or just take a fresher keystore if the update fails.
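An added diagnostic for the question's "how can we test this?" and the answer's "root certificate not found" (example code written here, not from the question, the answer or nginx): it captures the chain the server actually sends, then runs that chain through this JDK's default trust manager, which is the same PKIX path-building check that produced the exception above, so it reports which certificate the JDK rejects. The class name, host and port are assumptions; the capturing trust manager exists only to record the chain and must never be used for real traffic.

```java
import javax.net.ssl.*;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Collections;

public class ChainCheck {
    // Records the served chain without validating it; diagnostic use only.
    static final class CapturingTrustManager implements X509TrustManager {
        X509Certificate[] served = new X509Certificate[0];
        public void checkClientTrusted(X509Certificate[] c, String a) {}
        public void checkServerTrusted(X509Certificate[] c, String a) { served = c.clone(); }
        public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    }

    // Completes a handshake (with SNI, like a browser) and returns the chain the server sent.
    static X509Certificate[] fetchChain(String host, int port) throws Exception {
        CapturingTrustManager tm = new CapturingTrustManager();
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[]{tm}, null);
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            SSLParameters p = s.getSSLParameters();
            p.setServerNames(Collections.singletonList(new SNIHostName(host)));
            s.setSSLParameters(p);
            s.startHandshake();
        }
        return tm.served;
    }

    // Same PKIX check the failing client performs; null means trusted, otherwise the failure text.
    static String validateWithDefaultTruststore(X509Certificate[] chain) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null = this JDK's cacerts, or javax.net.ssl.trustStore if set
        for (TrustManager t : tmf.getTrustManagers()) {
            if (t instanceof X509TrustManager) {
                // "UNKNOWN" only requires digitalSignature key usage, so RSA and ECDSA leaves both pass the usage check
                try { ((X509TrustManager) t).checkServerTrusted(chain, "UNKNOWN"); return null; }
                catch (CertificateException e) { return e.getMessage(); }
            }
        }
        return "no X509TrustManager available";
    }

    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "api.example.invalid"; // placeholder host
        X509Certificate[] chain = fetchChain(host, 443);
        System.out.println("server sent " + chain.length + " certificate(s):");
        for (X509Certificate c : chain)
            System.out.println("  subject=" + c.getSubjectX500Principal() + "  issuer=" + c.getIssuerX500Principal());
        String err = validateWithDefaultTruststore(chain);
        System.out.println(err == null ? "trusted by this JDK" : "NOT trusted: " + err);
    }
}
```

Run it with the reporting partner's JDK: if the chain validates there, the JDK's keystore is fine and the failures lie elsewhere; if the output lists only the leaf certificate, the server is not sending its intermediates, which Java does not fetch on its own, so the file named by ssl_certificate must contain the leaf followed by the issuing chain.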
