Getting SSL_PROTOCOL_ERROR

:frowning:
It looks like Google Cloud Platform doesn't support Port Address Translation (PAT).
And RPNow doesn't allow itself to be moved from port 80 (for HTTP).

So HTTP-01 authentication might be out of the question.

Next up is DNS-01 authentication.
To make that run smoothly, you will need a DNS Service Provider (DSP) that supports DNS zone updates via API.
So, who does your domains' DNS? (Google?)

4 Likes

Yeah, I thought I'd keep it in one spot and got the domain on google too... :confused:

2 Likes

OK.
So if you don't already have one (probably not), you will need to set up an API key to allow certbot to add and remove the required TXT records for DNS authentication for your domain.

Then we can have certbot use those credentials to obtain a cert for your domain.

This might help:
Welcome to certbot-dns-google's documentation! — certbot-dns-google 0 documentation

4 Likes
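As an added example (not from the thread and not from certbot's own documentation), the script below shows what the DNS-01 path looks like once the Google service-account key exists: it refuses to run until the key file is readable only by its owner, then builds the certbot-dns-google invocation. DOMAIN and CREDS are placeholders, the key file contents are assumed to be the JSON downloaded from Google Cloud, and `--dns-google`, `--dns-google-credentials` and `--dns-google-propagation-seconds` are the plugin's documented options.

```shell
#!/bin/sh
# Added example, not from the thread: DNS-01 issuance with certbot-dns-google.
# Assumptions: DOMAIN is a placeholder and CREDS is where you saved the Google
# service-account key (JSON) that certbot will use to add/remove the
# _acme-challenge TXT records.

DOMAIN="${DOMAIN:-example.com}"
CREDS="${CREDS:-/etc/letsencrypt/google-dns.json}"

# Succeed only if the key file exists and is mode 600 or 400. The key grants
# write access to the DNS zone, so it must not be readable by other local users.
creds_are_private() {
    f="$1"
    [ -f "$f" ] || return 1
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f" 2>/dev/null) || return 1
    case "$mode" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# Print the certbot command line (the caller decides whether to run it).
# --dns-google-propagation-seconds gives Google DNS time to publish the TXT
# record before Let's Encrypt looks for it; 60 is the plugin default.
build_dns01_cmd() {
    printf 'certbot certonly --dns-google --dns-google-credentials %s --dns-google-propagation-seconds 120 -d %s -d www.%s\n' \
        "$2" "$1" "$1"
}

main() {
    if ! creds_are_private "$CREDS"; then
        echo "refusing: $CREDS is missing or not mode 600 (fix with: chmod 600 $CREDS)" >&2
        return 1
    fi
    cmd=$(build_dns01_cmd "$DOMAIN" "$CREDS")
    echo "+ $cmd --dry-run"
    # certbot needs root for /etc/letsencrypt and /var/log/letsencrypt (the
    # "Permission denied" on .certbot.lock seen later in this thread is exactly
    # that), so run it under sudo.
    sudo sh -c "$cmd --dry-run"   # drop --dry-run after a clean staging run
}

# Run only when explicitly asked, so sourcing the file for its functions is safe.
if [ "${RUN_CERTBOT:-0}" = 1 ]; then
    main
fi
```

Usage: `RUN_CERTBOT=1 DOMAIN=yourdomain CREDS=/path/to/key.json sh dns01.sh`. The permission check is deliberately in front of the certbot call: a world-readable service-account key lets any local account on the VM rewrite the zone, which is a far bigger problem than a missing certificate.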

I really really really appreciate all your help!! Thank you so much!

I'll look into it once I'm back from work; I have to go now.
Thank you again! :croissant: :croissant: :croissant: Some croissants for you

2 Likes

We might also be able to use certbot in standalone mode if you can shut down RPNow temporarily and via a scriptable method.
Some food for thought...

And thanks for the :croissant:s
They go well with :beers:

6 Likes

Hey, so I've been trying to get a service account and such, but is security even an issue anymore? When I try to access loveinthedark.net it doesn't tell me it can't provide a secure connection, it tells me it can't be reached and that the website refuses to connect.
I'm asking now as if I've never heard about a "connection" before: what's the difference?

Thank you :thinking:

2 Likes

Something is amiss.

The HTTP side works (but doesn't redirect to HTTPS):

curl -Iki http://loveinthedark.net/
HTTP/1.1 200 OK
Server: nginx/1.10.3
Date: Fri, 27 Aug 2021 23:46:50 GMT
Content-Type: text/html
Content-Length: 612
Last-Modified: Mon, 23 Aug 2021 15:45:22 GMT
Connection: keep-alive
ETag: "6123c292-264"
Accept-Ranges: bytes

But the HTTPS side refuses to even connect:

curl -Iki https://loveinthedark.net/
curl: (7) Failed to connect to loveinthedark.net port 443: Connection refused

4 Likes

Hi @Sam_Enby @Osiris @rg305 !!

This is what I am seeing right now.

22/tcp   open     ssh
80/tcp   open     http
443/tcp  closed   https
8443/tcp filtered https-alt

Might have something to do with the issue.

6 Likes


Okay, I am really confused. I just tried to start the server and it can't.

✔ test server
########################
 TESTING RPNOW SERVER
 (Press CTRL+C to stop)
########################
2021/08/30 15:23:28 Loaded config at /etc/rpnow.ini
2021/08/30 15:23:28 Listening on :443
2021/08/30 15:23:28 listen and serve: listen tcp :80: bind: address already in use
Server exited on error: exit status 1
server status... (server not running)

So the address is already in use... Is it because I installed nginx?

1 Like

It is likely because nginx is running and using port 80.
Try:
systemctl stop nginx

4 Likes

So I uninstalled and reinstalled nginx and now it's working?

I'll work on the service account now, decided to make a completely new one for this. Let's see how this will pan out.

If nginx is set to use port 80, then they will eventually conflict with each other again.

4 Likes
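The "bind: address already in use" error above means another process already holds port 80, and the same conflict will return whenever nginx and RPNow both want it. As an added example (not from the thread), the POSIX shell snippet below parses `ss -ltnp` output (iproute2 on Linux) to name the process listening on a given port, so you can see who owns :80 before starting either service. The sample `ss` output is constructed, and the process name `rpnow` in it is hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread: name the process holding a TCP port by
# parsing `ss -ltnp` output (iproute2 on Linux). Useful before starting RPNow
# or certbot, both of which need to bind :80.

# Read `ss -ltnp` output on stdin and print each distinct process name that has
# a LISTEN socket on the given port. Matches IPv4 "0.0.0.0:80", IPv6 "[::]:80"
# and wildcard "*:80" alike, because the port is always the last ':'-field.
listeners_on_port() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            n = split($4, addr, ":")
            if (addr[n] != port) next
            # Process column looks like users:(("nginx",pid=1234,fd=6),("nginx",pid=1233,fd=6))
            rest = $0
            while (match(rest, /\("[^"]+"/)) {
                name = substr(rest, RSTART + 2, RLENGTH - 3)
                if (!(name in seen)) { seen[name] = 1; print name }
                rest = substr(rest, RSTART + RLENGTH)
            }
        }'
}

# Live check on the current host (empty output = nothing listening, or no ss).
whats_on_port() {
    ss -ltnp 2>/dev/null | listeners_on_port "$1"
}

# Constructed sample in the layout ss prints; the "rpnow" process name is
# hypothetical, standing in for whatever RPNow's binary is called.
sample_ss_output() {
    cat <<'EOF'
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=700,fd=3))
LISTEN  0       128     0.0.0.0:80           0.0.0.0:*          users:(("nginx",pid=1234,fd=6),("nginx",pid=1233,fd=6))
LISTEN  0       128     [::]:80              [::]:*             users:(("nginx",pid=1234,fd=7),("nginx",pid=1233,fd=7))
LISTEN  0       4096    *:443                *:*                users:(("rpnow",pid=2222,fd=3))
LISTEN  0       128     127.0.0.1:3200       0.0.0.0:*          users:(("nginx",pid=1234,fd=8))
EOF
}

# Demo on the constructed sample; on a real host use: whats_on_port 80
echo "port 80 is held by: $(sample_ss_output | listeners_on_port 80)"
```

Run `sudo sh whats-on-port.sh` (or call `whats_on_port 80` after sourcing it); `ss -p` only shows process names for sockets you own unless you are root, so an empty Process column from an unprivileged shell does not mean the port is free.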

Yeah :confused: I just wanted to see what it did.

I installed (or think I installed) the DNS plugin for google. When I run one of the examples I get this:

akaspirin@smol-rpnow:~$ certbot certonly
The following error was encountered:
[Errno 13] Permission denied: '/var/log/letsencrypt/.certbot.lock'
Either run as root, or set --config-dir, --work-dir, and --logs-dir to writeable paths.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /tmp/tmpm9pg1bxw/log or re-run Certbot with -v for more details

1 Like

Try that again with sudo:
sudo certbot certonly

5 Likes

lol never mind, I think I got it.
Now it's just the issue of nginx and rpnow both using port 80, right?

1 Like

Things I tried to do:
Changed the nginx port from 80 to 3200.
Tested the server of rpnow, which works now.
nginx is also happily listening on 3200.

I'm still getting the connection refused error...
I probably did something wrong when I installed the dns plugin (I don't know if I did, but probably, knowing me), so I'm gonna take a look at it tomorrow. A new day, etc.
Did I say thank you already? :stuck_out_tongue:

2 Likes

Unless you have a NAT device (sorry I've forgotten most of this topic) to point the external inbound port 80 connections to your server's port 3200...
The port 3200 will never be seen by anyone.
If you do have NAT/PAT control, then the problem can be solved:

  • point ext:80 to int:3200
  • use nginx to handle the LE challenge request and redirect all others to HTTPS.

If you don't, then we still need to learn how to:

So that certbot can use port 80 and satisfy the LE HTTP challenge requests.
[no need for nginx in this solution]

4 Likes

Hey,
I found the code for rpnow

If I get it on my account somehow, can I manipulate it?

1 Like

That seems a bit extreme, but I suppose you could find and change where it uses port 80.

My suggestion was to find a way to turn RPNow off and then back on to allow certbot to use port 80.

4 Likes
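The suggestion made twice in this thread (stop RPNow long enough for certbot's standalone listener to take port 80, then start it again) maps directly onto certbot's `--standalone`, `--pre-hook` and `--post-hook` options. The script below is an added example, not code from the thread or from the RPNow project; it assumes RPNow runs as a systemd unit named `rpnow` (a hypothetical name) and that `DOMAIN` is a placeholder. The script doubles as its own hook: `script pre` stops RPNow and waits for :80 to actually become free, `script post` starts it again, and `script run` launches certbot with those hooks.

```shell
#!/bin/sh
# Added example, not from the thread: let certbot take port 80 itself
# (--standalone) by stopping RPNow for the few seconds of the challenge and
# starting it again afterwards, via certbot's --pre-hook/--post-hook.
# Assumptions: RPNow runs as a systemd unit called "rpnow" (hypothetical name)
# and DOMAIN is a placeholder. Save as e.g. /usr/local/sbin/rpnow-cert.sh.

DOMAIN="${DOMAIN:-example.com}"
RPNOW_UNIT="${RPNOW_UNIT:-rpnow}"

# True if any LISTEN socket is bound to TCP port $1 (uses iproute2's ss; if ss
# is missing the port is reported free, so the check is advisory elsewhere).
port_busy() {
    ss -ltn 2>/dev/null | awk -v p="$1" '
        $1 == "LISTEN" { n = split($4, a, ":"); if (a[n] == p) found = 1 }
        END { exit !found }'
}

# Poll until port $1 is free or $2 seconds pass. Stopping a service does not
# free its socket instantly; without this wait certbot's own listener can hit
# the same "bind: address already in use" error RPNow showed earlier.
wait_for_port_free() {
    port="$1"; timeout="${2:-15}"; waited=0
    while port_busy "$port"; do
        [ "$waited" -lt "$timeout" ] || return 1
        sleep 1
        waited=$((waited + 1))
    done
    return 0
}

# The certbot invocation. $2 is this script's absolute path, reused as the hook.
# certbot stores pre/post hooks in the renewal config, so a later
# "certbot renew" (from the timer or cron job, if one is installed) repeats
# the stop/start dance without further help.
build_standalone_cmd() {
    printf 'certbot certonly --standalone -d %s --pre-hook "%s pre" --post-hook "%s post"\n' \
        "$1" "$2" "$2"
}

case "${1:-}" in
    pre)
        systemctl stop "$RPNOW_UNIT"
        wait_for_port_free 80 15 || { echo "port 80 still busy after stopping $RPNOW_UNIT" >&2; exit 1; }
        ;;
    post)
        # --post-hook runs whether or not the challenge succeeded, so RPNow
        # comes back even after a failed attempt.
        systemctl start "$RPNOW_UNIT"
        ;;
    run)
        self="$(cd "$(dirname "$0")" && pwd)/$(basename "$0")"
        cmd=$(build_standalone_cmd "$DOMAIN" "$self")
        echo "+ $cmd"
        sudo sh -c "$cmd --dry-run"   # drop --dry-run once the staging run passes
        ;;
esac
```

Usage: `DOMAIN=yourdomain sudo sh /usr/local/sbin/rpnow-cert.sh run`. The downtime is the pre-hook to post-hook window, normally a few seconds. The certificate lands in `/etc/letsencrypt/live/<domain>/`; since RPNow's log shows it listening on :443 itself, the remaining step is pointing RPNow at that path (a `--deploy-hook` is the usual place for that), which the thread does not cover.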