我正在 AWS 托管的 RHEL 服务器中设置 AEM 应用程序的 https 连接。遵循 Adobe 提供的文档。对于第一个作者实例,它成功运行,但在我的第二台服务器和第三台服务器上,它没有成功。
我尝试了几次调试,以确保连接正常工作并且没有防火墙阻止。
当我尝试在调试模式下使用 openssl 时,我得到以下信息:
它只是挂起并且不会像第一台服务器那样继续到下一个:
第二台服务器(有问题):
openssl s_client -connect localhost:5433 -debug -msg
CONNECTED(00000003)
write to 0xfb16d0 [0xff5270] (249 bytes => 249 (0xF9))
0000 - 16 03 01 00 f4 01 00 00-f0 03 03 57 fe bd 40 06 ...........W..@.
0010 - 00 bf 15 c5 e0 83 79 18-b4 a3 f8 f0 2f b6 a8 70 ......y...../..p
0020 - b7 4f fc 48 6f e6 c6 0a-ef 08 de 00 00 84 c0 30 .O.Ho..........0
0030 - c0 2c c0 28 c0 24 c0 14-c0 0a 00 a3 00 9f 00 6b .,.(.$.........k
0040 - 00 6a 00 39 00 38 00 88-00 87 c0 32 c0 2e c0 2a .j.9.8.....2...*
0050 - c0 26 c0 0f c0 05 00 9d-00 3d 00 35 00 84 c0 2f .&.......=.5.../
0060 - c0 2b c0 27 c0 23 c0 13-c0 09 00 a2 00 9e 00 67 .+.'.#.........g
0070 - 00 40 00 33 00 32 c0 12-c0 08 00 9a 00 99 00 45 [email protected]
0080 - 00 44 00 16 00 13 c0 31-c0 2d c0 29 c0 25 c0 0e .D.....1.-.).%..
0090 - c0 04 c0 0d c0 03 00 9c-00 3c 00 2f 00 96 00 41 .........<./...A
00a0 - 00 0a 00 07 c0 11 c0 07-c0 0c c0 02 00 05 00 04 ................
00b0 - 00 ff 01 00 00 43 00 0b-00 04 03 00 01 02 00 0a .....C..........
00c0 - 00 08 00 06 00 19 00 18-00 17 00 23 00 00 00 0d ...........#....
00d0 - 00 22 00 20 06 01 06 02-06 03 05 01 05 02 05 03 .". ............
00e0 - 04 01 04 02 04 03 03 01-03 02 03 03 02 01 02 02 ................
00f0 - 02 03 01 01 00 0f 00 01-01 .........
>>> TLS 1.2 Handshake [length 00f4], ClientHello
01 00 00 f0 03 03 57 fe bd 40 06 00 bf 15 c5 e0
83 79 18 b4 a3 f8 f0 2f b6 a8 70 b7 4f fc 48 6f
e6 c6 0a ef 08 de 00 00 84 c0 30 c0 2c c0 28 c0
24 c0 14 c0 0a 00 a3 00 9f 00 6b 00 6a 00 39 00
38 00 88 00 87 c0 32 c0 2e c0 2a c0 26 c0 0f c0
05 00 9d 00 3d 00 35 00 84 c0 2f c0 2b c0 27 c0
23 c0 13 c0 09 00 a2 00 9e 00 67 00 40 00 33 00
32 c0 12 c0 08 00 9a 00 99 00 45 00 44 00 16 00
13 c0 31 c0 2d c0 29 c0 25 c0 0e c0 04 c0 0d c0
03 00 9c 00 3c 00 2f 00 96 00 41 00 0a 00 07 c0
11 c0 07 c0 0c c0 02 00 05 00 04 00 ff 01 00 00
43 00 0b 00 04 03 00 01 02 00 0a 00 08 00 06 00
19 00 18 00 17 00 23 00 00 00 0d 00 22 00 20 06
01 06 02 06 03 05 01 05 02 05 03 04 01 04 02 04
03 03 01 03 02 03 03 02 01 02 02 02 03 01 01 00
0f 00 01 01
服务器 1(没有问题):
>>> TLS 1.2 Handshake [length 00f4], ClientHello
01 00 00 f0 03 03 57 fe cb 7b 28 ba ea e1 89 71
ad fb 1d 8b 97 e9 83 2b dc e4 53 c5 bf 75 8f 58
74 42 63 29 6b 20 00 00 84 c0 30 c0 2c c0 28 c0
24 c0 14 c0 0a 00 a3 00 9f 00 6b 00 6a 00 39 00
38 00 88 00 87 c0 32 c0 2e c0 2a c0 26 c0 0f c0
05 00 9d 00 3d 00 35 00 84 c0 2f c0 2b c0 27 c0
23 c0 13 c0 09 00 a2 00 9e 00 67 00 40 00 33 00
32 c0 12 c0 08 00 9a 00 99 00 45 00 44 00 16 00
13 c0 31 c0 2d c0 29 c0 25 c0 0e c0 04 c0 0d c0
03 00 9c 00 3c 00 2f 00 96 00 41 00 0a 00 07 c0
11 c0 07 c0 0c c0 02 00 05 00 04 00 ff 01 00 00
43 00 0b 00 04 03 00 01 02 00 0a 00 08 00 06 00
19 00 18 00 17 00 23 00 00 00 0d 00 22 00 20 06
01 06 02 06 03 05 01 05 02 05 03 04 01 04 02 04
03 03 01 03 02 03 03 02 01 02 02 02 03 01 01 00
0f 00 01 01
read from 0x17796d0 [0x17c27d0] (7 bytes => 7 (0x7))
0000 - 16 03 03 06 35 02 ....5.
0007 - <SPACES/NULS>
read from 0x17796d0 [0x17c27da] (1587 bytes => 1587 (0x633))
0000 - 00 4d 03 03 57 fe cb 7b-51 64 70 bc 08 c8 91 24 .M..W..{Qdp....$
0010 - c4 da 8c cf 94 94 7d c5-0f 45 ee 2c 86 99 1d ff ......}..E.,....
0020 - b6 a9 3e 66 20 57 fe cb-7b e7 b2 a4 56 15 3b 46 ..>f W..{...V.;F
0030 - 98 92 b4 95 56 7f 95 4e-4e f3 cd ce d8 cd 98 29 ....V..NN......)
0040 - c7 fe 1e 6f 8b 00 9f 00-00 05 ff 01 00 01 00 0b ...o............
0050 - 00 03 cd 00 03 ca 00 03-c7 30 82 03 c3 30 82 02 .........0...0..
0060 - ab a0 03 02 01 02 02 04-6e 0d a4 0f 30 0d 06 09 ........n...0...
0070 - 2a 86 48 86 f7 0d 01 01-0b 05 00 30 81 91 31 0b *.H........0..1.
这是MTU问题 更改 MTU 大小
ifconfig ens160 mtu 1400
它是你的防火墙。 您需要添加一条从源Default GW到目标IP地址的路由或规则。
我还遇到了 MTU 大小的问题。我有 PPPoE 连接,因此该接口少于 1500 字节。但我没有减少任何其他接口的 mtu 大小,而是使用了 mss 钳位。
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
注意 我从 docker 容器发起了连接。但是docker在iptables中有自己的链式规则。所以你必须在docker相关的规则之前添加MSS限制规则:
Chain FORWARD (policy ACCEPT)
target prot opt source destination
TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
DOCKER-USER all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-1 all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere 192.168.9.2 tcp dpt:1723 state NEW,RELATED,ESTABLISHED
ACCEPT tcp -- anywhere 192.168.9.8 tcp dpt:ssh state NEW,RELATED,ESTABLISHED