We’ve been encountering a strange anomaly lately. And we need your help urgently.
There’s a standard Vesta CP installed on our Debian-powered VDS, and Let’s Encrypt SSL is properly configured. Our domain https://old.grantlar.uz (whose DNS is also properly and completely configured) is functioning normally when opened anywhere around the globe, except for Uzbekistan.
Whenever we try to access https://old.grantlar.uz from inside Uzbekistan, Chrome (and other widely used browsers) shows an ERR_SSL_PROTOCOL_ERROR error. But if you turn on a VPN based in the USA or Europe, the website opens properly and the browser shows it as “secure”, which means SSL works perfectly.
We have no clue what is going on and how we can solve this puzzle.
If you have any suggestions or assistance to guide us in setting up our SSL, it would be much appreciated. Also, please check out our dummy page located at https://old.grantlar.uz. It should open without any problems AND it should have a browser-trusted SSL certificate.
We thought our domain might be blocked in Uzbekistan, and upon request from the VDS host we ran MTR and NMAP tests from both ends: US-based VDS to Uzbekistan-based computer and vice versa. Results came out fine.
We’re utterly confused and need your help, please.
The site is working fine from my side, so the problem could be a transparent proxy, a firewall issue blocking IPs geolocated in UZ, a DNS problem pointing your domain to another IP, etc.
Could you please show the output of these commands from a computer located in UZ?
First command gave me this:
unable to load certificate
140584742950144:error:0906D06C:PEM routines:PEM_read_bio:no start line:…/crypto/pem/pem_lib.c:691:Expecting: TRUSTED CERTIFICATE
Others:
old.grantlar.uz has address 198.58.114.191
Using domain server:
Name: 1.0.0.1
Address: 1.0.0.1#53
Aliases:
old.grantlar.uz has address 198.58.114.191
Or it could be a site-specific block by the ISP if it doesn’t happen for other sites.
@axodjakov, could you save the certificate from a browser so we can look at it? Browsers should provide an option to save the site’s certificate as a PEM text file, although you might have to click through a few windows to get to that option.
@rg305, it’s a good point that the error was ERR_SSL_PROTOCOL_ERROR rather than a certificate error, but I’m still curious about the country-specific behavior here.
@axodjakov, another thing to look at would be to run openssl s_client -connect old.grantlar.uz:443 -servername old.grantlar.uz both with and without the VPN, which will give a little bit more technical information about what the TLS handshake looks like in both circumstances. It would be very interesting to see the output.
OK, that is a serious low-level failure (suggesting that it’s not even using the TLS protocol at all). This strongly suggests ISP interference of some kind to me, given that the site works fine from elsewhere.
I tried this command from outside of Uzbekistan, and it showed a successful TLS session negotiation and key exchange with a valid Let’s Encrypt certificate presented in the handshake.
You could also try curl -v http://old.grantlar.uz:443/ just out of curiosity to see if it thinks it’s speaking HTTP on port 443.
I think this is most likely ISP interference. Can you see in your web server logs whether the requests originating in Uzbekistan actually reach your server?
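The diagnostic suggested above (send a ClientHello to port 443 and look at what comes back, with and without the VPN) can be scripted so the two runs are directly comparable. The following is an added example, not code from the thread or from any of its participants: it builds a real ClientHello with Python's ssl module, sends it over a plain TCP socket, and classifies the first bytes of the reply as a TLS ServerHello, a TLS alert, plaintext HTTP (a transparent proxy or block page answering on 443), a reset, or nothing at all. The function names and the sample replies are constructed for the example.

```python
"""Probe TCP/443 and report whether the peer actually speaks TLS.

Added example, not part of the original thread. Helper names are
hypothetical; SAMPLES are constructed byte strings, not captured traffic.
"""
import socket
import ssl
from typing import Optional, Tuple

TLS_HANDSHAKE = 0x16  # record content type: handshake
TLS_ALERT = 0x15      # record content type: alert


def build_client_hello(server_name: str) -> bytes:
    """Let the ssl module produce a genuine ClientHello (with SNI) into a
    memory BIO, without touching the network."""
    ctx = ssl.create_default_context()
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_name)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the ClientHello is written, the reply is not here yet
    return outgoing.read()


def classify_response(data: bytes) -> str:
    """Classify the first bytes a peer returns after our ClientHello."""
    if not data:
        # Connection closed without a single byte: blackhole or RST
        return "no-data"
    if data.startswith(b"HTTP/1."):
        # Plaintext HTTP on 443: something in the path is not a TLS server
        return "http"
    if len(data) >= 5 and data[0] in (TLS_HANDSHAKE, TLS_ALERT) and data[1] == 0x03:
        if data[0] == TLS_ALERT:
            return "tls-alert"
        if len(data) >= 6 and data[5] == 0x02:  # HandshakeType server_hello
            return "tls-server-hello"
        return "tls-handshake"
    return "unknown"


def probe(host: str, port: int = 443, server_name: Optional[str] = None,
          timeout: float = 5.0) -> Tuple[str, bytes]:
    """Send a ClientHello to host:port and classify the raw reply."""
    hello = build_client_hello(server_name or host)
    chunks = []
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(hello)
            while sum(map(len, chunks)) < 6:
                chunk = s.recv(4096)
                if not chunk:
                    break
                chunks.append(chunk)
    except ConnectionResetError:
        return "reset", b"".join(chunks)
    except socket.timeout:
        pass  # fall through and classify whatever arrived (possibly nothing)
    data = b"".join(chunks)
    return classify_response(data), data


# Constructed sample replies for the classifier (not captured traffic)
SAMPLES = {
    "tls-server-hello": bytes.fromhex("160303004a020000460303") + b"\x00" * 40,
    "tls-alert": bytes.fromhex("1503030002022f"),
    "http": b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\n\r\n",
    "no-data": b"",
}

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "old.grantlar.uz"
    kind, raw = probe(target)
    print(f"{target}:443 -> {kind} (first bytes: {raw[:16].hex()})")
```

Run it once from the Uzbek machine and once through the VPN; a "tls-server-hello" on one side and "http", "tls-alert", "reset" or "no-data" on the other is the clearest evidence that the connection is being answered (or dropped) by something other than the server.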
I’m amazed: my requests from Uzbekistan don’t show up in the access log. All other requests made by you and others are present. Here’s the complete access log for yesterday:
Web server logs would only show requests after a connection was made.
Like: GET, HEAD, POST
But you’re having issues establishing a connection.
For those “attempts”, you would have to look at your firewall logs.
Additionally, you might want to increase the detail in the web server logging…
Try including:
%{SSL_PROTOCOL}x %{SSL_CIPHER}x
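One way to wire those two fields into the access log, as an added example that is not from the thread: it assumes Apache 2.4 with mod_ssl and a Debian-style APACHE_LOG_DIR, and the format name combined_tls is chosen for the example. The LogLevel line is there because, as pointed out above, a request only reaches the access log once a connection has been made; a per-module ssl:info level makes mod_ssl record failed handshakes in the error log instead.

```apache
# Added example (not the thread's own config). Assumes Apache 2.4 + mod_ssl.
# Put the LogFormat in the server config and the other lines in the TLS vhost.
LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\" %{SSL_PROTOCOL}x %{SSL_CIPHER}x" combined_tls

<VirtualHost *:443>
    ServerName old.grantlar.uz
    SSLEngine on
    # Protocol and cipher per request, so a VPN request and a UZ request can be compared
    CustomLog ${APACHE_LOG_DIR}/old.grantlar.uz-ssl_access.log combined_tls
    # Handshakes that never become a request land in the error log at this level
    LogLevel ssl:info
</VirtualHost>
```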