Common Name invalid with NGINX


#1

Hi Guys

I have an Ubuntu 18 server with NGINX.

I have a LE cert and there's no issues with that, however when navigating the page I get this error:

Your connection is not private

Attackers might be trying to steal your information from automate.nsautomate.com.au (for example, passwords, messages or credit cards). Learn more

NET::ERR_CERT_COMMON_NAME_INVALID

My host has a private IP address and uses a public address for access using NAT on a non standard port, 6701 for HTTPS. My server block also listens on this.

Can anyone assist in working out why this error exists? Server has hostname

Thanks

server {
    listen 80;
    server_name automate.nsautomate.com.au;
    root /var/www/openhab-cloud;
    location ~ /.well-known {
        allow all;
    }
    access_log /var/log/nginx/certbox.log;
    error_log /var/log/nginx/certbox.err;
}

server {
    listen *:6701 ssl;
    ssl_certificate /etc/letsencrypt/live/automate.nsautomate.com.au/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/automate.nsautomate.com.au/privkey.pem;
    # TLSv1 and TLSv1.1 are deprecated; TLSv1.2 (plus TLSv1.3 where available) is the safer choice
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    # straight quotes: the curly quotes in the original post are not valid nginx syntax
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
    ssl_session_tickets off;
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    server_name automate.nsautomate.com.au;
    open_file_cache max=10000 inactive=30s;
    open_file_cache_valid 60s;
    open_file_cache_min_uses 2;
    open_file_cache_errors on;

    # $scheme (with the dollar sign): a bare "scheme" is a literal string and never equals "http"
    if ($scheme = "http") {
        rewrite ^/(.*) https://$host/$1 permanent;
    }

    charset utf-8;

    access_log /var/log/nginx/openhabcloud-access.log;
    error_log /var/log/nginx/openhabcloud-error.log;

    location /css {
        alias /var/www/openhab-cloud/public/css;
    }
    location /js {
        alias /var/www/openhab-cloud/public/js;
    }
    location /img {
        alias /var/www/openhab-cloud/public/img;
    }
    location /bootstrap {
        alias /var/www/openhab-cloud/public/bootstrap;
    }
    location /font-icons {
        alias /var/www/openhab-cloud/public/font-icons;
    }
    location /fonts {
        alias /var/www/openhab-cloud/public/fonts;
    }
    location /js-plugin {
        alias /var/www/openhab-cloud/public/js-plugin;
    }
    location /downloads {
        alias /var/www/openhab-cloud/public/downloads;
    }
    location / {
        proxy_pass http://localhost:3000;
        proxy_redirect off;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # must be the $scheme variable, not the literal word "scheme"
        proxy_set_header X-Forwarded-Proto $scheme;
    }
    # the dot is escaped so this matches ".html" rather than any character followed by "html"
    location ~ \.html {
        expires off;
        proxy_pass http://localhost:3000;
        proxy_redirect off;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root html;
    }
}


#2

Navigating which page?

https://automate.nsautomate.com.au:6701 works fine for me.


#3

When I log in, which you won't be able to, I'm presented with the error. There's a link inside that I click which goes to: https://automate.nsautomate.com.au/start/index

That fails.


#4

Right, but this is a problem with your web application generating absolute links/redirects instead of relative ones.

Either your application has to have knowledge that you are using an alternate port, or it needs to use only relative URLs.

Nothing that your webserver or Certbot can do to solve that.


#5

Thank you, I understand. So I'm forced to revert to 443. That's totally fine, but I'm running two instances of this: one production (works on 443) and this one (development) that runs on 6701.

No way to run both if I have the same public IP, it would seem.


#6

Well, the standard approach to solving this problem is to put them on separate domain names, pointing to the same IP address and using the same port.

That way, you can use virtualhosting/SNI to route to the correct instance.


#7

I do have different domain names with different providers, both resolve to the same Public IP

Problem is, when the packet hits my router I can only have a static NAT for 443 to one inside IP address, right?

I.e.: I can divert 443 from the web to only one server (production in this instance).


#8

One way is:

[Router] --tcp/443--> [nginx load balancer] --tcp/3000--> [OpenHAB-1]
                                            --tcp/3000--> [OpenHAB-2]

The nginx load balancer will look at domain and proxy the traffic to the correct internal instance.


#9

I see. But I have two VMs. NGINX is on both units.

Prod (192.168.0.3, 443) works fine, static nat 443 to 443
Dev (192.168.0.7, 443) static nat 6701 to 443, fails

Where would the load balancer sit?


#10

You only really need a single nginx instance. You can put it on either VM, or even on a third VM.

Conceptual configuration:

server {
  server_name automate-prod.nsautomate.com.au;
  listen 443 ssl http2;
  # etc
  location / {
    proxy_pass http://192.168.0.3:3000;
    # ... etc
  }
}

server {
  server_name automate-dev.nsautomate.com.au;
  listen 443 ssl http2;
  # etc
  location / {
    proxy_pass http://192.168.0.7:3000;
    # ... etc
  }
}
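An added example (not from this thread or the openHAB project) that models the two things at play above: the browser's hostname-vs-certificate check that produces NET::ERR_CERT_COMMON_NAME_INVALID, and the port-based NAT from #9 versus the SNI routing proposed in #10. The hostnames and inside IPs come from the thread; the SAN lists and the per-port NAT table are constructed for illustration.

```python
# Added example: models why the redirect to port 443 fails, and how SNI fixes it.
# Hostnames/IPs come from the thread; certificate SAN lists are constructed.

def name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: exact, or a single '*' covering exactly one
    left-most label (no wildcard across dots, no bare-TLD wildcard)."""
    p, h = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in p:
        return p == h
    pl, hl = p.split("."), h.split(".")
    return pl[0] == "*" and len(pl) >= 3 and len(pl) == len(hl) and pl[1:] == hl[1:]

def cert_matches_host(san_dns_names, hostname: str) -> bool:
    """Modern browsers only consult subjectAltName dNSName entries; the
    subject CN is ignored, so a cert without SANs never matches."""
    return any(name_matches(n, hostname) for n in san_dns_names)

# Constructed: the certificate each inside host presents today (one cert each)
CERTS = {
    "192.168.0.3": ["oh2.domain.net"],              # prod
    "192.168.0.7": ["automate.nsautomate.com.au"],  # dev
}
# Port-based NAT as described in #9: public port -> inside host
NAT_BY_PORT = {443: "192.168.0.3", 6701: "192.168.0.7"}

def check_via_nat(url_host: str, url_port: int):
    """Which inside host answers this URL, and does its cert match the hostname?"""
    inside = NAT_BY_PORT[url_port]
    return inside, cert_matches_host(CERTS[inside], url_host)

# SNI routing as proposed in #10: one nginx on 443 holding both certs, the
# server block chosen by exact server_name match on the TLS SNI name, falling
# back to the first block for an unmatched name (nginx's default behaviour).
SERVER_BLOCKS = [
    {"server_name": "oh2.domain.net", "cert": ["oh2.domain.net"], "upstream": "192.168.0.3"},
    {"server_name": "automate.nsautomate.com.au", "cert": ["automate.nsautomate.com.au"],
     "upstream": "192.168.0.7"},
]

def check_via_sni(url_host: str):
    block = next((b for b in SERVER_BLOCKS if b["server_name"] == url_host.lower()),
                 SERVER_BLOCKS[0])
    return block["upstream"], cert_matches_host(block["cert"], url_host)

if __name__ == "__main__":
    print(check_via_nat("automate.nsautomate.com.au", 6701))  # dev cert, matches
    print(check_via_nat("automate.nsautomate.com.au", 443))   # prod cert, mismatch
    print(check_via_sni("automate.nsautomate.com.au"))        # routed to dev, matches
```

The second call is the failing redirect from #3: the link drops the :6701, so the browser lands on the prod server's certificate, which carries a different name.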

#11

Thanks az, I’m a little scared ha! Sorry I’m new to unix/nginx.

So effectively I can just take my whole configuration from Dev and place it into my Production server nginx configuration. I don't require http2, so I figure I leave that as default?

What about references to the certificates for each domain? They will be different. Sorry, I'm confused.


#12

Pretty much.

  1. Decide what your “dev” domain will be (distinct to your prod domain).
  2. Clone the port 80 and port 443 server blocks on your prod nginx, changing the server_name to your dev domain, and changing the proxy IP address to your dev OpenHAB.
  3. Issue a Certbot certificate on your prod server for your dev domain.
  4. Update the dev server block to use the dev domain certificate.

#13
  1. Decide what your “dev” domain will be (distinct to your prod domain). - already defined, oh2.domain.net is my working Prod domain. automate.nsautomate.com.au is my Dev Domain

  2. Clone the port 80 and port 443 server blocks on your prod nginx, changing the server_name to your dev domain, and changing the proxy IP address to your dev OpenHAB. - Got it, I think I can do that :slight_smile:

  3. Issue a Certbot certificate on your prod server for your dev domain. - AHH! Right, so I put NEW certs onto my Prod server

  4. Update the dev server block to use the dev domain certificate. - Roger

OK, I'll back up my Prod configuration and give this a go :slight_smile:
Thank you! I'll report back.


#14

Hi az, noticed you're a fellow Aussie :wink:

Would you mind vetting my configuration once I prepare it to see if you see any issues?

Cheers


#15

:australia: :partying_face:

Sure, no problem.


#16

How best to send you my configuration? :smiley:


#17

The simplest is to click on his icon.
Then click message.
That will start a direct private message.
If you can’t upload it there…
Then…
You can create a tar file of it and place it on your server somewhere with an obscure/randomized name.
Send him the link (via private message) to it and then delete the file once he has downloaded it.


#18

If you're ok sending it publicly, dpaste.de, or if you want to send it privately, you can try sending a private message to me. You might not have permissions to do that as a new user and a moderator might have to raise your privilege, no idea.

Edit: got a private thread going, no need for mods


#19

Yep, I’ve got no rights to send you a message laugh


#20

Yes, it looks correct and it works fine when I test the config out locally.

One problem you might have is that you've maxed out the rate limits for certificates for your dev domain. So if you haven't yet generated it on your prod server, that might be a problem. You could try copying the dev certificate from your dev server to your prod server, until the rate limit elapses.