ERR_SSL_WRONG_VERSION_NUMBER but good Certs?

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
Realmplay.com
I ran this command:

It produced this output:

  1. {error: {,…}}
  2. error: {,…}
    1. cause: {library: "SSL routines", reason: "wrong version number", code: "ERR_SSL_WRONG_VERSION_NUMBER"}
    1. code: "ERR_SSL_WRONG_VERSION_NUMBER"
    2. library: "SSL routines"
    3. reason: "wrong version number"

I ran this command: certbot renew --dry-run -v
It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/realmplay.ai.conf


Certificate not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator dns-cloudflare, Installer None
Simulating renewal of an existing certificate for *.realmplay.ai
Performing the following challenges:
dns-01 challenge for realmplay.ai
Waiting 10 seconds for DNS changes to propagate
Waiting for verification...
Cleaning up challenges


Congratulations, all simulated renewals succeeded:
/etc/letsencrypt/live/realmplay.ai/fullchain.pem (success)


The same appears when I do --force-renewal

My web server is (include version):

The operating system my web server runs on is (include version):
Ubuntu 20.04.5 LTS (GNU/Linux 5.15.0-91-generic x86_64)

My hosting provider, if applicable, is:
vercel
I can login to a root shell on my machine (yes or no, or I don't know):
yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 2.9.0

realmplay.com is a parked page: what you have is realmplay.ai
I don't see any error on your site, so I don't know what's the problem.

1 Like

I concur with @orangepizza

No TLS/SSL problem with https://realmplay.ai

$ curl -k -i https://realmplay.ai
HTTP/2 308
date: Fri, 26 Apr 2024 03:40:15 GMT
content-type: text/plain
location: https://www.realmplay.ai/
cache-control: public, max-age=0, must-revalidate
refresh: 0;url=https://www.realmplay.ai/
strict-transport-security: max-age=63072000
x-vercel-id: pdx1::28cjp-1714102815177-6b292536a987
cf-cache-status: DYNAMIC
report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FShvoGx8cB2RUZK30y%2BSXofdfTdbVuocdxzeLmCa%2Fa%2BZi%2Bng8qLsTweKZwiKj11gT9noFs4wbjgW5w8msMdIuPHmX%2FH7dIox9SzTKWIb2ZZLQ3QSsj%2Bl6c7l1%2BaExSU%3D"}],"group":"cf-nel","max_age":604800}
nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
server: cloudflare
cf-ray: 87a38ce29a91720b-SEA
alt-svc: h3=":443"; ma=86400

Redirecting...

Ports 80 & 443 OPEN for realmplay.ai

$ nmap -Pn -p80,443 realmplay.ai
Starting Nmap 7.80 ( https://nmap.org ) at 2024-04-26 03:40 UTC
Nmap scan report for realmplay.ai (172.67.184.111)
Host is up (0.016s latency).
Other addresses for realmplay.ai (not scanned): 104.21.19.12 2606:4700:3030::ac43:b86f 2606:4700:3030::6815:130c

PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 0.12 seconds

Port 80 OPEN, Port 443 filtered for realmplay.com

$ nmap -Pn -p80,443 realmplay.com
Starting Nmap 7.80 ( https://nmap.org ) at 2024-04-26 03:40 UTC
Nmap scan report for realmplay.com (213.171.195.105)
Host is up (0.17s latency).
rDNS record for 213.171.195.105: mail.domain-holding.co.uk

PORT    STATE    SERVICE
80/tcp  open     http
443/tcp filtered https

Nmap done: 1 IP address (1 host up) scanned in 2.73 seconds

Side note: there may be some redirection error.

1 Like

It would be good to know exactly what software produced that error message, and exactly what you were trying to do with it at the time.

One source of an error message similar to that can be trying to connect to an HTTP (unencrypted) service with an HTTPS (encrypted) client application, for example when mistakenly running HTTP instead of HTTPS on port 443, among other combinations. But it's hard to know without more context.

Another thing is that some scanners (and maybe some actual client applications) think of the old versions of the TLS protocol as so bad that they will mark allowing them as an error. That is effectively saying that you have "too much backward compatibility" (with old technology now regarded as flawed). When I test your site on https://ssllabs.com/, I do see a warning about this (that your site continues to support TLSv1.0 and TLSv1.1, which are now deprecated), and so that might also be relevant in some other context.

3 Likes

Hi Schoen,

The site has been working for about a year now and just started throwing that error when the cert renewed.

The error occurs in the websites network inspector when I login and visit the site’s conversation page. That page automatically goes to our backend to get user data.

Would that TLS issue just up and start?

Here is the code that calls it:


export const listSessionsForUser = async (
  userId: string
): Promise<SessionType[]> => {
  try {
    const response = await fetch('/api/list_sessions', {
      method: 'POST',
      headers: {
        'Content-Type': 'application/json',
      },
      body: JSON.stringify({ user_id: userId }),
    });

    if (response.ok) {
      const sessions = await response.json();
      return sessions.map((session: { name: any; uuid: any }) => ({
        name: session.name,
        uuid: session.uuid,
      }));
    } else {
      console.error('Failed to fetch sessions for user');
      return [];
    }
  } catch (error) {
    console.error('Error fetching sessions for user:', error);
    return [];
  }
};

Regards,
Caz

Is there anything else I can look at to troubleshoot?

Tell us what subdomain the API actually calls?

4 Likes

For api.realmplay.ai, it currently answers plain HTTP on port 443, not TLS.
The main page has this string, but it looks out of context:
SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.11

3 Likes

That would also do it!

Do you have port 443 mapped to port 22 (ssh)? Because it kind of looks like that.

curl -i http://api.realmplay.ai:22
curl: (1) Received HTTP/0.9 when not allowed

curl -i http://api.realmplay.ai:443
curl: (1) Received HTTP/0.9 when not allowed

It is common to see the "http/0.9 when not allowed" when sending HTTP to ssh port 22. But nginx usually sends a "400 Bad Request" when sending HTTP to a properly configured port 443 for TLS.

3 Likes

ssh test@api.realmplay.ai -p 443
The authenticity of host '[api.realmplay.ai]:443 ([159.89.240.111]:443)' can't be established.
ED25519 key fingerprint is SHA256:cnNWd2TLOvonHIc85VUPT1fcCY1gJu71T/+CJA0zd94.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[api.realmplay.ai]:443' (ED25519) to the list of known hosts.
test@api.realmplay.ai's password:

Yes, it is.

4 Likes
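The two findings above (Schoen's "HTTPS client talking to a non-TLS service" and the ssh-on-443 test) are the same failure seen from two sides. The small diagnostic below is an added example, not code from this thread: it interprets the first three bytes a port sends back the way OpenSSL's record layer does, which is where "wrong version number" comes from. The `probe()` function needs network access and takes a hostname as an assumption; the byte strings in the docstrings and tests are constructed.

```python
import socket
import ssl

# A TLS server's first record is a handshake (0x16) or alert (0x15); the next
# two bytes are the record version, whose major byte must be 0x03.
TLS_CONTENT_TYPES = {0x15: "alert", 0x16: "handshake"}

def record_header(first_bytes: bytes) -> tuple:
    """(content_type, version_major, version_minor) as OpenSSL's record layer
    reads them from the first three bytes of whatever the port sent back."""
    return first_bytes[0], first_bytes[1], first_bytes[2]

def classify(first_bytes: bytes) -> str:
    """Name the protocol behind the first bytes a supposed TLS port sent.

    OpenSSL reports "SSL routines: wrong version number" when the major
    version byte is not 0x03.  An SSH banner ("SSH-2.0-...") puts 'S' (0x53)
    there and a plaintext HTTP status line ("HTTP/1.1 400 ...") puts 'T'
    (0x54), so both surface in the browser as ERR_SSL_WRONG_VERSION_NUMBER
    even though the certificate itself is perfectly valid.
    """
    if len(first_bytes) < 3:
        return "unknown (too short)"
    ctype, major, minor = record_header(first_bytes)
    if ctype in TLS_CONTENT_TYPES and major == 0x03:
        return f"tls ({TLS_CONTENT_TYPES[ctype]}, record version 3.{minor})"
    if first_bytes.startswith(b"SSH-"):
        return "ssh"
    if first_bytes.startswith(b"HTTP/"):
        return "plain-http"
    return "unknown"

def probe(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Live check of one host:port (needs network; host is an assumption).
    SSH speaks first, so an unsolicited banner is read before any TLS
    attempt; otherwise a real handshake is tried and OpenSSL's reason
    (e.g. WRONG_VERSION_NUMBER against plaintext HTTP) is returned."""
    with socket.create_connection((host, port), timeout=timeout) as raw:
        raw.settimeout(1.0)
        try:
            banner = raw.recv(64)  # only SSH talks before the client does
        except socket.timeout:
            banner = b""
        if banner:
            return classify(banner)
        raw.settimeout(timeout)
        ctx = ssl.create_default_context()
        try:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return f"tls ({tls.version()})"
        except ssl.SSLError as err:
            return f"not-tls ({err.reason})"
```

Running `probe("api.example.invalid")` against a port that is really sshd returns "ssh", and against a plaintext nginx listener returns "not-tls (WRONG_VERSION_NUMBER)", which is the browser's error with its cause attached.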

So that could be the problem! Is the solution to unmap something?

The only place I see 443 is in the server startup code.


# Configure Nginx
cat << EOF > /etc/nginx/sites-available/default
server {
    listen 443 ssl;
    server_name realmplay.ai www.realmplay.ai localhost;

    ssl_certificate /etc/letsencrypt/live/realmplay.ai/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/realmplay.ai/privkey.pem;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384';
    ssl_prefer_server_ciphers on;

    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;

    location / {
        proxy_pass http://localhost:5000;
        proxy_pass_header Access-Control-Allow-Origin;
        proxy_pass_header Access-Control-Allow-Methods;
        proxy_pass_header Access-Control-Allow-Headers;
        add_header Access-Control-Allow-Origin * always;
    }

    location /api {
        if (\$request_method = OPTIONS) {
            add_header Access-Control-Allow-Origin *;
            add_header Access-Control-Allow-Methods GET,POST,PUT,DELETE,OPTIONS;
            add_header Access-Control-Allow-Headers "DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization,Secret-Key";
            add_header Access-Control-Max-Age 1728000;
            add_header Content-Type "text/plain; charset=utf-8";
            add_header Content-Length 0;
            return 204;
        }
        proxy_pass http://localhost:5000;
        proxy_set_header Host \$host;
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_hide_header Access-Control-Allow-Origin;
        add_header Access-Control-Allow-Origin * always;
    }
}
EOF

# Setup Certbot and get SSL certificates
if [ ! -f "/etc/letsencrypt/live/realmplay.ai/fullchain.pem" ]; then
    sudo apt install python3 python3-venv libaugeas0
    sudo python3 -m venv /opt/certbot/
    sudo /opt/certbot/bin/pip install --upgrade pip
    sudo /opt/certbot/bin/pip install certbot
    sudo /opt/certbot/bin/pip install certbot-dns-cloudflare
    sudo ln -sf /opt/certbot/bin/certbot /usr/bin/certbot
    sudo mkdir -p /etc/certbot
    sudo touch /etc/certbot/credentials
    echo "dns_cloudflare_api_token = $DNS_CLOUDFLARE_API_TOKEN" | sudo tee -a /etc/certbot/credentials
    sudo chmod 600 /etc/certbot/credentials
    sudo certbot certonly --email support@realmplay.ai --non-interactive --agree-tos --dns-cloudflare --dns-cloudflare-credentials /etc/certbot/credentials -d *.realmplay.ai
fi

sudo mkdir -p /etc/letsencrypt/live/realmplay.ai
sudo cp -R certs/* /etc/letsencrypt/live/realmplay.ai/

# Restart Nginx
sudo service nginx restart

OpenSSH answers on port 443, so I think you screwed up some firewall setting: you are currently using DigitalOcean for the api subdomain, right?
That nginx config doesn't handle the API subdomain, so it's from the wrong server.

Does IP 159.89.240.111 ring a bell to you?

4 Likes

Yes, that’s all correct.
I see it in Digital ocean and also cloudflare has an A record to that address.

Every time I think I’m starting to understand networking I don’t.

On your nginx server, what does this show?

sudo netstat -pant | grep -E ':22|:80|:443' | grep -i listen

3 Likes

I don't have netstat installed, but I think this is the same. Here is the output from the server:

root@C.9872956:/var/log/letsencrypt$ sudo ss -ltn | grep -E ':22|:80|:443'
LISTEN   0        128              0.0.0.0:22            0.0.0.0:*
LISTEN   0        511              0.0.0.0:443           0.0.0.0:*
LISTEN   0        128                 [::]:22               [::]:*

And this is on the droplet:

root@ubuntu-s-4vcpu-8gb-amd-nyc3-01:~# sudo ss -ltn | grep -E ':22|:80|:443'
LISTEN 0      511          0.0.0.0:443       0.0.0.0:*          
LISTEN 0      511          0.0.0.0:80        0.0.0.0:*          
LISTEN 0      4096               *:22              *:*          
LISTEN 0      511             [::]:80           [::]:* 

Try this instead. We want to see what is listening on those ports.

sudo ss -pant | grep -E ':22|:80|:443'

or -pltn if that doesn't work on yours. Works on my Ubuntu.

4 Likes

What's the IP of the server you're typing on? ip -a
That api subdomain uses nginx 1.22, but Ubuntu 20.04 has nginx 1.18-ubuntu14 or so: do you have any Ubuntu 22.10 or 23.04?

4 Likes

This is the droplet:

sudo ss -pant | grep -E ':22|:80|:443'
LISTEN    0      511                   0.0.0.0:443                   0.0.0.0:*     users:(("nginx",pid=3832526,fd=17),("nginx",pid=3832525,fd=17),("nginx",pid=3832524,fd=17),("nginx",pid=3832523,fd=17),("nginx",pid=2650,fd=17))
LISTEN    0      511                   0.0.0.0:80                    0.0.0.0:*     users:(("nginx",pid=3832526,fd=6),("nginx",pid=3832525,fd=6),("nginx",pid=3832524,fd=6),("nginx",pid=3832523,fd=6),("nginx",pid=2650,fd=6))     
ESTAB     0      0               104.236.67.38:443               178.62.39.8:48450 users:(("nginx",pid=3832526,fd=11))                                                                                                             
ESTAB     0      0                   10.17.0.5:443               178.62.39.8:58858 users:(("nginx",pid=3832526,fd=13))                                                                                                             
SYN-RECV  0      0               104.236.67.38:443             118.69.60.214:49074                                                                                                                                                 
LISTEN    0      4096                        *:22                          *:*     users:(("sshd",pid=1785,fd=3),("systemd",pid=1,fd=121))                                                                                         
LISTEN    0      511                      [::]:80                       [::]:*     users:(("nginx",pid=3832526,fd=7),("nginx",pid=3832525,fd=7),("nginx",pid=3832524,fd=7),("nginx",pid=3832523,fd=7),("nginx",pid=2650,fd=7))     
SYN-RECV  0      0      [::ffff:104.236.67.38]:22     [::ffff:43.131.233.62]:37634                                                                                                                                                 
ESTAB     0      0      [::ffff:104.236.67.38]:22    [::ffff:162.243.190.66]:53570 users:(("sshd",pid=3883549,fd=4))                                                                                                               

and this is the server:

 sudo ss -pant | grep -E ':22|:80|:443'
LISTEN       0        128              0.0.0.0:22               0.0.0.0:*        users:(("sshd",pid=32,fd=3))
LISTEN       0        511              0.0.0.0:443              0.0.0.0:*        users:(("nginx",pid=479,fd=6))
ESTAB        0        0             172.17.0.2:40164      18.235.86.254:22       users:(("ssh",pid=75589,fd=3))
CLOSE-WAIT   25       0             172.17.0.2:48792       104.18.6.192:443      users:(("python",pid=450,fd=38))
CLOSE-WAIT   25       0             172.17.0.2:53876       3.161.213.58:443      users:(("python",pid=450,fd=18))
CLOSE-WAIT   25       0             172.17.0.2:33936      104.18.38.107:443      users:(("python",pid=450,fd=37))
ESTAB        0        0             172.17.0.2:35296     172.64.149.149:443      users:(("python",pid=449,fd=39))
CLOSE-WAIT   25       0             172.17.0.2:49534       104.18.7.192:443      users:(("python",pid=449,fd=38))
ESTAB        0        80            172.17.0.2:22           72.92.42.67:60582    users:(("sshd",pid=75592,fd=4))
ESTAB        0        0             172.17.0.2:55216     172.64.149.149:443      users:(("python",pid=450,fd=40))
CLOSE-WAIT   25       0             172.17.0.2:33902      104.18.38.107:443      users:(("python",pid=448,fd=27))
CLOSE-WAIT   25       0             172.17.0.2:57186     172.64.149.149:443      users:(("python",pid=449,fd=37))
CLOSE-WAIT   25       0             172.17.0.2:41784      104.18.38.107:443      users:(("python",pid=449,fd=40))
CLOSE-WAIT   25       0             172.17.0.2:33916      104.18.38.107:443      users:(("python",pid=448,fd=28))
CLOSE-WAIT   25       0             172.17.0.2:33928      104.18.38.107:443      users:(("python",pid=450,fd=39))
CLOSE-WAIT   25       0             172.17.0.2:35418       3.161.213.11:443      users:(("python",pid=449,fd=18))
LISTEN       0        128                 [::]:22                  [::]:*        users:(("sshd",pid=32,fd=4))

so much going on!

DigitalOcean happens to have a web-based firewall outside your VM: did you check the rules there?

5 Likes