Getting "Your connection is not private"

dyoung418 · February 21, 2021, 8:00am

My domain is: foundry.dyoung.page
I ran this command: certbot (ran successfully and Let's Debug passes)
My web server is (include version): nginx Version: 1.18.0-0ubuntu1
The operating system my web server runs on is (include version): Linux Mint 20.1 (Ulyssa)
My hosting provider, if applicable, is: None - self hosting
I can login to a root shell on my machine (yes or no, or I don't know): yes
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.12.0

My nginx config file in sites-available reads as follows:

server {

    # Adjust this to your the FQDN you chose!
    server_name                 foundry.dyoung.page;

    access_log                  /var/log/nginx/foundry/access.log;
    error_log                   /var/log/nginx/foundry/error.log;

    location ^~ /.well-known/acme-challenge {
        allow all;
        root /var/www/letsencrypt;
        auth_basic off;
    }

    location / {
        proxy_set_header        Host $host;
        proxy_set_header        X-Real-IP $remote_addr;
        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header        X-Forwarded-Proto $scheme;

        # Adjust the port number you chose!
        proxy_pass              http://127.0.0.1:30000;

        proxy_http_version      1.1;
        proxy_set_header        Upgrade $http_upgrade;
        proxy_set_header        Connection "Upgrade";
        proxy_read_timeout      90;

        # Again, adjust both your FQDN and your port number here!
        proxy_redirect          http://127.0.0.1:30000 http://foundry.dyoung.page;
    }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/foundry.dyoung.page/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/foundry.dyoung.page/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}
server {
    if ($host = foundry.dyoung.page) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    listen 80;
    server_name                 foundry.dyoung.page;
    return 404; # managed by Certbot


}

_az · February 21, 2021, 8:11am

Looks fine to me!

Can you take a screenshot of the error message?

dyoung418 · February 21, 2021, 7:05pm

Thank you for your help @_az . I can't get a screenshot of the error message in Chrome, but here is the text:

Your connection is not private
Attackers might be trying to steal your information from foundry.dyoung.page (for example, passwords, messages, or credit cards). Learn more
NET::ERR_CERT_AUTHORITY_INVALID

To get Chrome’s highest level of security, turn on enhanced protection

foundry.dyoung.page normally uses encryption to protect your information. When Google Chrome tried to connect to foundry.dyoung.page this time, the website sent back unusual and incorrect credentials. This may happen when an attacker is trying to pretend to be foundry.dyoung.page, or a Wi-Fi sign-in screen has interrupted the connection. Your information is still secure because Google Chrome stopped the connection before any data was exchanged.

You cannot visit foundry.dyoung.page right now because the website uses HSTS. Network errors and attacks are usually temporary, so this page will probably work later.

Osiris · February 21, 2021, 7:08pm

Are you connecting to https://foundry.dyoung.page at the default port? Or perhaps on a different port than 443? Because your regular HTTPS port 443 is fine.

rg305 · February 21, 2021, 11:34pm

Are you connect to the same IP that we are connecting to?:

Name:    foundry.dyoung.page
Address: 75.147.128.194

When you ping foundry.dyoung.page, what IP is shown?

dyoung418 · February 22, 2021, 12:54am

I believe I'm connecting on the standard port (I'm not specifying any alternative port, I'm just using https://foundry.dyoung.page)

When I ping foundry.dyoung.page, I get 75.147.128.194 as the IP address.

_az · February 22, 2021, 12:58am

I wonder if the problem is that you don't have hairpin NAT on your modem/router.

If you skip past the NET::ERR_CERT_AUTHORITY_INVALID security warning, what do you see? Your website, or your router's admin page?

dyoung418 · February 22, 2021, 1:07am

It's strange because usually when there is a certificate error, you can click advanced and ignore the warning and go forward anyway, but this error message is different and doesn't give me that option. Here is a picture of the screen I'm getting (sorry, my screen capture extension isn't working for this page either...)

_az · February 22, 2021, 1:08am

Ah yes, because your domain is also configured with HSTS.

You can get past the warning, by typing this, with the page open:

thisisunsafe

dyoung418 · February 22, 2021, 1:10am

Wait, there is a complicating factor I've been forgetting. The server is running as a virtual machine on a proxmox server. This is my first time using proxmox and I am realizing I haven't looked into network routing for that. If any of you happen to know what is needed there, I'd appreciate a pointer, but otherwise, I'll do some digging in that direction and get back.

dyoung418 · February 22, 2021, 1:11am

Ooh, that is helpfu @_az and when I type that, I get my comcast router.

_az · February 22, 2021, 1:12am

OK, I think the NAT theory is probably correct then!

If you can, try re-assigning the web admin port on your Comcast Router from port 443, to something else. If this is possible, it should be somewhere with the settings.

I don't know how locked-down Comcast routers are so I can't tell you whether it's possible, but I hope it is.

dyoung418 · February 22, 2021, 1:15am

My network is set up with a Comcast cable modem/router hooked to only one device: which is my Nest/Google wifi router.

I was getting tired of doing port configuration in both the comcast router and in the Nest router, so I tried setting the comcast to use a DMZ which points to the Nest/Google router and then I do all the port forwarding only on the Nest router (in this case, 443 and 80 to my internal foundry.dyoung.page server). Is that a broken setup?

rg305 · February 22, 2021, 1:22am

Can you add an entry into the client hosts file?
[for Windows: c:\windows\system32\drivers\etc\hosts]
[for Linux: /etc/hosts]
If so, try adding something like:
192.168.1.100 foundry.dyoung.page

[replacing "192.168.1.100" with the actual internal IP of the foundry server]

dyoung418 · February 22, 2021, 1:27am

@rg305 do you mean to add that /etc/hosts entry to the computer I'm trying to attach with, or to the computer which serves foundry.dyoung.page?

rg305 · February 22, 2021, 1:28am

Add that to the client - not the server.
[the server already knows where he is]

dyoung418 · February 22, 2021, 1:37am

I tried adding that /etc/hosts entry and now when I try to go to foundry.dyoung.page, it hangs at "connecting" and ultimately times out.

rg305 · February 22, 2021, 5:31am

Are you able to access that IP directly?
Like are you on the same network with it?
Or do you have to cross a router/firewall?
[pardon my lack of understanding (your setup)]

Some simple tests:
ping IP.IP.IP.IP
traceroute IP.IP.IP.IP
http://IP.IP.IP.IP/
https://IP.IP.IP.IP/
[replace IP.IP.IP.IP with actual local IP of server]

dyoung418 · February 23, 2021, 4:00am

Thanks @rg305 here is my setup:

My LAN (I have full access)
1a. PC on LAN running Proxmox (a linux distro that runs VMs) (at 192.168.86.100)
1a1. A VM running the foundry server I'm trying to reach (VM is given ip of 192.168.86.86 on local LAN)
1b. A laptop from which I'll run the commands you gave me (using the local LAN IP of 1a1)

RESULTS

> traceroute 192.168.86.86
traceroute to 192.168.86.86 (192.168.86.86), 64 hops max
  1   192.168.86.86  9.072ms  7.142ms  8.325ms 
> ping 192.168.86.86
PING 192.168.86.86 (192.168.86.86) 56(84) bytes of data.
64 bytes from 192.168.86.86: icmp_seq=1 ttl=64 time=6.50 ms
64 bytes from 192.168.86.86: icmp_seq=2 ttl=64 time=6.48 ms
^C
--- 192.168.86.86 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 6.478/6.487/6.496/0.009 ms

http://IP.IP.IP.IP/ gets me a 404 error
https://IP.IP.IP.IP/ gets me an error page ("Your connection not private") from Chrome, but unlike when I try to do this from outside the LAN, it let's me override and connect to the site instead of making me type "thisisunsafe". I then get my server app successfully.

When I do https://publicIPaddress, I get a "Your connection not private", but because the .page domain is HSTS, it doesn't include an (obvious) option for overriding and connecting anyway. If I type "thisisunsafe", I get my router config screen instead of the server.

dyoung418 · February 23, 2021, 4:03am

I should mention that I have both 80 and 443 port forwarded on both my Comcast router (which faces the internet and has only one internal connection to my Google router) and my Google router (which provides my local LAN with the systems above and assigns fixed IP addresses for the systems on my LAN)