Hi everyone!
My domain is:
embracetherain.at / www.embracetherain.at
I got the Let’s Encrypt certificates with certbot for both domains.
The www domain redirects via a DNS CNAME to the non-www domain,
and there is also a 301 redirect in nginx/conf.d/.
In Safari and Firefox (on Mac) everything works great. Chrome, when going to the non-www domain, shows ERR_SSL_PROTOCOL_ERROR. But if I go first to the www domain, it redirects correctly to the non-www domain and everything works great.
On mobile (Android), Firefox shows the same behavior.
In mobile Chrome, both the www and the non-www domain show ERR_SSL_PROTOCOL_ERROR.
My web server is (include version):
Ghost 2.1 on Ubuntu 16.04 with nginx
My hosting provider, if applicable, is:
DigitalOcean
I can login to a root shell on my machine (yes or no, or I don’t know):
yes
I have solved it.
It was the redirect.conf file that caused this misbehaviour. After I deleted it, everything worked fine.
Hi @rauschilein
I saw the error, but had no idea. Can you share your wrong redirect.conf?
Well, it was not the complete solution. I had to add some lines to the nginx config because there were some problems when accessing the www domain via http.
The old (and now deleted) redirect.conf:
    server {
        if ($host = www.embracetherain.at) {
            return 301 https://$host$request_uri;
        } # managed by Certbot
        server_name www.embracetherain.at;
        listen 80;
        return 404; # managed by Certbot
    }
The updated embracetherain.at.conf:
    server {
        # no listen directive here, so nginx defaults to *:80 and $scheme is http
        server_name www.embracetherain.at;
        return 301 $scheme://embracetherain.at$request_uri;
    } # this block was added
    server {
        if ($host = embracetherain.at) {
            return 301 https://$host$request_uri;
        } # managed by Certbot
        listen 80;
        listen [::]:80;
        server_name embracetherain.at;
        root /var/www/ghost/system/nginx-root;
        location / {
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $http_host;
            proxy_pass http://127.0.0.1:2369;
        }
        location ~ /.well-known {
            allow all;
        }
        client_max_body_size 50m;
    }
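As an added example (this is not code from the thread, from Ghost or from Certbot): a small Python checker that does the two things a practitioner would want to verify for a setup like the one above. It follows the http/https and www/non-www redirect chain hop by hop without a browser and flags loops, and it performs a TLS handshake with SNI against each name, turning the OpenSSL reason string into a hint. The routing tables are constructed models of the updated config posted above and of a hypothetical redirect loop on example.test, not captured traffic, and the nginx hints in explain_ssl_error are my own assumptions about common causes, not a diagnosis of this site.

```python
"""Redirect-chain and TLS probe for a www / non-www host pair.
The pure logic runs offline against a constructed routing table; the live
probes (tls_probe, http_fetch) are only called from main()."""
import http.client
import socket
import ssl
import sys
from urllib.parse import urljoin, urlsplit

REDIRECT_STATUSES = (301, 302, 307, 308)


def follow_redirects(start_url, fetch, limit=10):
    """Walk Location headers from start_url using fetch(url) -> (status, location).
    Stops on a non-redirect response, on a URL already visited (a redirect loop)
    or after `limit` hops. Returns the hops taken and a one-word verdict."""
    hops = []
    url = start_url
    for _ in range(limit):
        if url in hops:
            return {"hops": hops, "final": url, "verdict": "loop"}
        hops.append(url)
        status, location = fetch(url)
        if status in REDIRECT_STATUSES and location:
            url = urljoin(url, location)  # resolves relative Location values too
            continue
        verdict = "ok" if status == 200 else f"http-{status}"
        return {"hops": hops, "final": url, "verdict": verdict}
    return {"hops": hops, "final": url, "verdict": "too-many-redirects"}


def table_fetch(table):
    """Build a fetch() over a constructed {url: (status, location)} table."""
    return lambda url: table.get(url, (404, None))


# Constructed model of the updated config above (not captured traffic):
# www:80 -> apex on the same scheme, apex:80 -> https, apex:443 serves Ghost.
UPDATED_CONFIG_ROUTES = {
    "http://www.embracetherain.at/": (301, "http://embracetherain.at/"),
    "http://embracetherain.at/": (301, "https://embracetherain.at/"),
    "https://embracetherain.at/": (200, None),
}

# Constructed example of the failure mode the checker exists for: two server
# blocks that redirect to each other. Hypothetical hostnames, not from the thread.
LOOPING_ROUTES = {
    "http://www.example.test/": (301, "https://www.example.test/"),
    "https://www.example.test/": (301, "https://example.test/"),
    "https://example.test/": (301, "https://www.example.test/"),
}


def explain_ssl_error(reason):
    """Map the OpenSSL reason string carried by ssl.SSLError to what it usually
    means on an nginx host. These hints are assumptions, not facts from the thread."""
    hints = {
        "WRONG_VERSION_NUMBER": "port 443 answered in plaintext (listen 443 without ssl, or no TLS at all)",
        "UNEXPECTED_EOF_WHILE_READING": "server closed the connection during the handshake",
        "CERTIFICATE_VERIFY_FAILED": "certificate chain or hostname does not verify for this name",
        "TLSV1_ALERT_PROTOCOL_VERSION": "no protocol version in common with the client",
    }
    return hints.get(reason, f"handshake failed: {reason}")


def tls_probe(host, port=443, timeout=5.0):
    """Live check: TLS handshake with SNI=host and default certificate verification."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
                names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
                return {"ok": True, "version": tls.version(), "san": names}
    except ssl.SSLError as err:
        return {"ok": False, "reason": err.reason, "hint": explain_ssl_error(err.reason)}
    except OSError as err:
        return {"ok": False, "reason": "connect", "hint": str(err)}


def http_fetch(url, timeout=5.0):
    """Live single-hop HEAD request that does NOT follow redirects itself."""
    parts = urlsplit(url)
    cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = cls(parts.hostname, parts.port, timeout=timeout)
    try:
        conn.request("HEAD", parts.path or "/", headers={"Host": parts.hostname})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def main(argv):
    hosts = argv[1:] or ["embracetherain.at", "www.embracetherain.at"]
    for host in hosts:
        print(host, "tls:", tls_probe(host))
        for scheme in ("http", "https"):
            print(host, scheme, follow_redirects(f"{scheme}://{host}/", http_fetch))


if __name__ == "__main__":
    main(sys.argv)
```

Run it with the two hostnames as arguments to see, per name, whether port 443 actually completes a handshake for that SNI and where each of http:// and https:// ends up. A chain that ends in "loop" or "too-many-redirects" is a config problem regardless of what any one browser reports, and "WRONG_VERSION_NUMBER" on the handshake is the usual fingerprint of a port 443 that speaks plaintext.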
I don't see why that produces an error. I saw an "ERR_SSL_PROTOCOL_ERROR", so your server sends data Chrome doesn't understand.
Is it possible that one of your headers
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header Host $http_host;
is not set? My Chrome said:

The connection part
Connection - secure (strong TLS 1.2) The connection to this site is encrypted and authenticated using TLS 1.2 (a strong protocol), ECDHE_RSA with P-384 (a strong key exchange), and AES_128_GCM (a strong cipher).
is missing. So Chrome loads the certificate, but isn't able to create a TLS 1.2 connection.
SSLLabs had (this morning) a curious error:
So it looks like your http connection is broken; Chrome needs that to establish an https connection.
PS: "below" - there is nothing. Only
https://embracetherain.at/ (Request failed)
A Windows tool couldn't open an https connection.
Yeah, I don't really understand the code. I am just tinkering around with some basic knowledge.
Now everything works fine.
Maybe because this broken http-connection is now correctly redirected? I have no idea.
Yes, now it works fine. In the morning:
    download https://embracetherain.at/ -h
    Error (1): The request was aborted: Could not create SSL/TLS secure channel.
    SecureChannelFailure
    3
Now:
    download https://embracetherain.at/ -h
    SSL certificate is valid
Connection: keep-alive
Vary: Accept-Encoding
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Content-Length: 26106
Cache-Control: public, max-age=0
Content-Type: text/html; charset=utf-8
Date: Wed, 12 Sep 2018 14:56:17 GMT
ETag: W/"65fa-x79dagbXzvo8uZZR5fiVPucpiq8"
Server: nginx/1.10.3 (Ubuntu)
X-Powered-By: Express
Status: 200 OK
I didn't see such an error before. First call - error, www + redirect - no error.