Categories

JavaScriptPHPHTMLCssPythonWordPressWeb developmentLinuxMySQLAndroidWindowsJavaC++ / C#LayoutReactUbuntuYiiDjangoProgramming1C-BitrixLaravelSystem administrationTelegramJSONDebianPostgreSQLIOSGoogleHtaccessWindows ServerGitMacOSGoogle ChromeCMSWooСommerceBootstrapNginxSQLUnityAPI
Make a leaderReport
P
P
p4s8x2016-12-20 19:52:04
Java
p4s8x, 2016-12-20 19:52:04

Nginx, SSLHandshakeException. How to win?

Sometimes (~0.5% of requests) it happens that the first connection to the server falls into SSL_ERROR. Browser and OS dependencies were not identified, but the sample is not very large.
External services are still connecting to our server, they sometimes also cannot connect to us and sent us reports:

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
unable to find valid certification path to requested target

We don’t know if this has anything to do with us or if these are different problems, it’s impossible to achieve some kind of repeatability of the error.
Our service is something - api, moderately loaded, CPU 5-10%, traffic 100Mbps-200Mbps on average.
The nginx settings over SSL are as follows:
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;
    ssl_prefer_server_ciphers on;
    ssl_session_timeout 5m;
    ssl_session_cache shared:SSL:50m;
    ssl_certificate /etc/nginx/ssl/shared.crt;
    ssl_certificate_key /etc/nginx/ssl/shared.key;
    add_header Strict-Transport-Security "max-age=31536000";

Where can you dig? How to test this?

Reply
Answer the question

Answer the question

In order to leave comments, you need to log in

1 answer(s)
Report
K
ky0, 2016-12-21
@ky0

The root certificate was simply not found. Let them update the jdk or just take a fresher keystore if the update fails.

Similar questions
N
Nikita Shchypylov2016-06-17 19:32:29
How to solve the problem with an external monitor? 3Reply
A
Artyom Pinul2016-08-10 12:56:16
How to configure FTP in Centos 7.2 + VestaCP? 2Reply
M
Michael2018-10-22 14:42:05
How to finally get into a Java junior developer interview? 8Reply
K
Konstantin2021-12-23 21:36:50
How much is .NET in demand in Russia now? 3Reply
H
HVV7772020-09-04 18:56:45
The question is rather theoretical: how to write a failover database connection pool? 0Reply

Didn't find what you were looking for?

Ask your question

Ask a Question

731 491 924 answers to any question