Help our site is inaccessible from the outside

Hello,

Our site is not accessible from the outside but it is accessible locally. I don't know what the problem is.
The whynopadlock site tells me that the SSL certificate tests failed and it asks me to be sure that we can connect to our site via SSL.
Our site is accessible in HTTPS inside the university. Can you give me an idea of what it could be?

My domain is:
https://elearning.univ-bejaia.dz/

Thank you in advance for your help

1 Like

It looks to me that when trying to connect, the connection just closes immediately without TLS being negotiated. Probably, you have some firewall in place or the like stopping the connection, or the server isn't actually running properly. I'm not sure if there's much people here can do in order to help you; you'd need to look at logs on your firewalls and on your servers to see where the packets are going and what is closing the connection.

4 Likes

Thank you very much for your answer. Our site is accessible inside the university (locally) in HTTPS; it is not accessible from the outside (from the internet). The problem occurred right after the firewall manager updated the firewall. I would like to know if the firewall can cause this problem.
I'll check in the server logs. I don't have access to the firewall; I'll ask his manager to check.
Thank you very much for your help.

1 Like

I'm not sure what you've managed to do in 1 hour's time in the late afternoon / early evening, but from my point of view (Europe), your site is perfectly reachable through HTTPS.

3 Likes

Yes, it is accessible just now because the firewall manager has just restarted the firewall. But, it becomes inaccessible again after a while, I don't know why. So I guess it's not a certificate issue. Maybe the firewall is blocking connections after a certain number of users access the site?

2 Likes

I have no idea why your firewall is acting up so strangely, but I indeed agree with you that this most likely is NOT a problem with the certificate.

3 Likes

Thank you very much for your help
I'll keep looking, hoping I find something.

2 Likes

Unfortunately, the site is inaccessible again.

The connection is terminated by your IP address (from my point of view unknown if that's the firewall or something else behind that IP address) after the client has sent its "ClientHello" message from the TLS protocol.

It's impossible to know why from here. There could be something in the web server's log or there could be something in the firewall's log.

3 Likes
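A staged probe that tells apart the failure points discussed in this thread (TCP refused, connection closed right after the ClientHello, certificate rejected), as an added example that is not part of the original posts. The names `probe_tls` and `start_dropping_listener` are hypothetical, and the local listener is a constructed stand-in for a device that drops the connection once it has seen the ClientHello.

```python
import socket
import ssl
import threading


def probe_tls(host, port=443, timeout=5.0):
    """Return (stage, detail) naming the first stage at which the connection fails."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except socket.gaierror as exc:          # name does not resolve
        return "dns", str(exc)
    except OSError as exc:                  # refused, unreachable, or timed out
        return "tcp", str(exc)
    ctx = ssl.create_default_context()      # system trust store, hostname check on
    try:
        # wrap_socket sends the ClientHello and waits for the server's reply
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return "ok", tls.version()
    except ssl.SSLCertVerificationError as exc:
        return "certificate", exc.verify_message
    except (ssl.SSLEOFError, ConnectionResetError, BrokenPipeError) as exc:
        # TCP worked, but the peer (or a device in the path) hung up
        # instead of answering the ClientHello
        return "closed_after_client_hello", type(exc).__name__
    except ssl.SSLError as exc:             # alert or other protocol failure
        return "tls_protocol", exc.reason or str(exc)
    except OSError as exc:                  # e.g. packets silently dropped
        return "tls_timeout_or_io", str(exc)


def start_dropping_listener():
    """Constructed test peer: accept one connection, read the ClientHello, close."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        conn.recv(4096)                     # consume the ClientHello
        conn.close()                        # drop without any TLS reply
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    print(probe_tls("127.0.0.1", start_dropping_listener()))
```

Running `probe_tls` against the same hostname from inside and outside the network shows at which stage the two paths diverge, which narrows down which device's logs to read.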

what is strange is that other sites are accessible for example

I did not find anything special in the server logs, knowing that the site is accessible inside the university at the moment.
I will see with the manager of the firewall if he finds something in the logs of the firewall.

Hi @pipa_85

Problems found:

  • You use a 302 redirect. This means that the actual content is temporarily not reachable and will come back soon. To use a 302 redirection for generally moved pages is a bad idea. Search engine bots might not follow it or handle it as temporary. For SEO this is also a bad idea, because no link juice will be transferred to the linked page.

Hope this sheds some light on the issue at hand...

4 Likes

Would using a 302 redirect instead of a 301 redirect make a firewall malfunction?

2 Likes

I don't know what 301 and 302 redirects mean. I have to search the internet.

host elearning.univ-bejaia.dz => 
elearning.univ-bejaia.dz has address 193.194.94.10
traceroute lands on 193.194.94.10 after 25 hops from my location.

My pings are successful to 193.194.94.10.

Doesn't make me lean on a firewall as a first suspect.

However:

PORT    STATE    SERVICE  VERSION
22/tcp  filtered ssh
80/tcp  open     ssl/http
443/tcp open     https?

Is interesting. Should look more like this:

PORT    STATE    SERVICE   VERSION
22/tcp  filtered ssh
80/tcp  open     http
443/tcp open     ssl/https

4 Likes

Excuse me, I don't know if I understood correctly. Do you mean that our firewall is misconfigured?

1 Like

@Osiris has suggested the possibility. As did @petercooperjr
It is possible.

Doesn't make sense to me.
So whoever maintains the servers and/or firewall(s) for elearning.univ-bejaia.dz should be consulted to discover more information.

I fall on the side of a misconfiguration on the server. But again to quote @petercooperjr,

6 Likes

I manage the server, I haven't changed anything today. The problem appeared right after the firewall manager updated the firewall (today). When the administrator restarts the firewall, the platform becomes accessible again for a while and then becomes inaccessible again. I did not find anything interesting in the server logs and the site is accessible inside the university (locally) at this moment, I will ask the administrator to show me the firewall logs and I will keep you informed.
Thank you all very much for your very precious help.

1 Like

Hello,

The firewall manager is on leave. With the system administrator we deactivated the IPS in the firewall policy of our site, so, our site became accessible again from the outside. Apparently, it was the IPS that was blocking access to our site, I wonder why. The IPS is activated on the other sites and these sites are accessible from the outside but you should know that these sites are not secured with https. So, I deduce that the IPS only blocks SSL connections.
In the ssl logs of the firewall, we found lines that display the content of the attached image. I don't know if it's serious.
I wonder why the IPS is blocking SSL access to our site? I will search on that.
So the problem is caused by the firewall and not by the server, right?

Maybe your server doesn't recognise the "ISRG Root X1" root certificate as trusted?

Which would be weird, as the "ISRG Root X1" root is already in all major root stores since 2016. But perhaps this would be the reason? I dunno.

Are more Let's Encrypt sites behind that firewall?

3 Likes

You mean the firewall doesn't recognise the "ISRG Root X1" root certificate as trusted?
Because our site worked very well with Let's Encrypt, this problem appeared after updating the firewall.
Unfortunately, only our site is secured with HTTPS, which makes it difficult to understand this problem.

1 Like