Help with SSL/TLS setup on FreeBSD 13.1

Please rerun with
curl -k -Ii https://192.168.1.102

1 Like

root@myrkur:/usr/local/docs # curl -k -Ii https://192.168.1.102
HTTP/1.1 403 Forbidden
Date: Thu, 16 Mar 2023 16:15:28 GMT
Server: Apache/2.4.56 (FreeBSD) OpenSSL/1.1.1o-freebsd PHP/8.2.0
Content-Type: text/html; charset=iso-8859-1


Thanks for the replies

2 Likes

Observe that your local IPv4 Address (i.e. 192.168.1.102) is not yielding the same results as your Publicly Facing Internet Domain Name (i.e. www.myrkur.net); is that explainable by your Apache configuration?

1 Like

What does this show

openssl s_client -connect 192.168.1.102:443
2 Likes

I can't see a difference on the web browser, both yield 403 Forbidden for me [pic related].


Is this not the case for you?

Thanks

2 Likes

root@myrkur:/usr/local/docs # openssl s_client -connect 192.168.1.102:443 
CONNECTED(00000004)
Can't use SSL_get_servername
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = myrkur.net
verify return:1
---
Certificate chain
 0 s:CN = myrkur.net
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIETzCCAzegAwIBAgISA27m4/TVh2xAHY922hEV3HeeMA0GCSqGSIb3DQEBCwUA
MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD
EwJSMzAeFw0yMzAzMTYxMjUyNDhaFw0yMzA2MTQxMjUyNDdaMBUxEzARBgNVBAMT
Cm15cmt1ci5uZXQwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQJUpultBjTWobp
rdAs2wS7gWOwu2EThulkMfb7Fli9zIQA2osBsAao34LDyf4oBOsTFMuC0whj4clJ
vQ/FYN0Bo4ICRTCCAkEwDgYDVR0PAQH/BAQDAgeAMB0GA1UdJQQWMBQGCCsGAQUF
BwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBSm5dyE59xvKi4h
3x+I1aDXLxv5PDAfBgNVHSMEGDAWgBQULrMXt1hWy65QCUDmH6+dixTCxjBVBggr
BgEFBQcBAQRJMEcwIQYIKwYBBQUHMAGGFWh0dHA6Ly9yMy5vLmxlbmNyLm9yZzAi
BggrBgEFBQcwAoYWaHR0cDovL3IzLmkubGVuY3Iub3JnLzAVBgNVHREEDjAMggpt
eXJrdXIubmV0MEwGA1UdIARFMEMwCAYGZ4EMAQIBMDcGCysGAQQBgt8TAQEBMCgw
JgYIKwYBBQUHAgEWGmh0dHA6Ly9jcHMubGV0c2VuY3J5cHQub3JnMIIBBAYKKwYB
BAHWeQIEAgSB9QSB8gDwAHYAtz77JN+cTbp18jnFulj0bF38Qs96nzXEnh0JgSXt
tJkAAAGG6rHWKQAABAMARzBFAiA6FNdB/nqO2t85z3bvXc40oYweVZUmscu3KuzJ
PeUjJgIhAP4yH4FpIQBjP04iT+bHKSCoPnjdvQJPXC9ATnplVyLnAHYArfe++nz/
EMiLnT2cHj4YarRnKV3PsQwkyoWGNOvcgooAAAGG6rHWbgAABAMARzBFAiBxlAQ5
vtHMtAcatbeD5zP4R8clO2N+zBiz6KHy3tHJxgIhANpTEM7AlVh3mCNvDhuJW91Y
AGEyLUwPUK+UOjsgJIPtMA0GCSqGSIb3DQEBCwUAA4IBAQCnS1LoMqNy6BWXcBpQ
1HoDt8Aq00Yicmg7BhkOGfO4MpZSjgASSU+FQFQScpJnzMWCZ8JlqobIMsUMUVpm
/iDdBNHpKnhe++w9EnocMmTmJVGoHUSgs/3G3eZ4s9no5+3GrqKoh1bB794ceEx4
rMTPet11Zrj0wVexQEsKPEVfFdFNkp7rVnLTTuRHFPG+sQ/xqijwxg6ztotRLfSN
EGqKcsbOh+0Ic3iBVUHe91dXs6OWUl0FEV0WyssesyluA3FE5ifeLDFR6nx7v3xc
0bHIAB4Js1HWdNqyQQlBMaSU3sYO8SWW1hbBdCEAbjl6RF3a3rjELAZbq+czmeUd
w/VI
-----END CERTIFICATE-----
subject=CN = myrkur.net

issuer=C = US, O = Let's Encrypt, CN = R3

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4175 bytes and written 373 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 256 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 248B24C664B9E40DFC3069C45FB94118D549C13BF459ABAB6E76554B28ABB9B6
    Session-ID-ctx: 
    Resumption PSK: E067298823CD470AB19A21E2A41F92E023938B42D5EB394AB74B97BED3587DB32BE43F6CA0008D65D524CB30CF574597
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 41 ea 33 bd 6b 15 47 33-82 1a f0 5a d8 bf 9b c9   A.3.k.G3...Z....
    0010 - 4a 43 d0 2d 1b df 72 42-85 2e 78 ce 42 67 65 d5   JC.-..rB..x.Bge.
    0020 - ed b2 6a bc 28 f4 7c c1-f0 e5 9e 29 86 d6 22 7f   ..j.(.|....)..".
    0030 - 1e 8d b6 3d 9e 64 cb 23-a2 27 99 c5 0d 31 63 6b   ...=.d.#.'...1ck
    0040 - 16 06 72 d4 18 26 69 5f-10 ee 94 b1 e1 40 8e ce   ..r..&i_.....@..
    0050 - 5c 8f 59 b7 fa 6b 21 ca-c9 c6 bf 21 53 68 80 f3   \.Y..k!....!Sh..
    0060 - fc 7f f2 00 7a 91 85 a8-ff 09 68 3e 2b 47 74 9c   ....z.....h>+Gt.
    0070 - 52 66 f6 19 97 a6 ff 5f-a5 2c 57 e2 84 63 85 08   Rf....._.,W..c..
    0080 - 3c a9 f7 54 be 46 b0 fa-4c fa 88 7e 14 5b 81 e3   <..T.F..L..~.[..
    0090 - 57 2a 18 68 b0 0f 79 69-cd d9 80 7b ed a4 76 b8   W*.h..yi...{..v.
    00a0 - 2d 68 7e 65 2a 5c d6 a2-fa 72 f6 c9 56 66 5c e5   -h~e*\...r..Vf\.
    00b0 - f6 09 c8 c3 46 1b 8f 9d-02 e0 7f 7f 1f 27 cf c7   ....F........'..
    00c0 - d6 12 fc 8a a3 3f 32 09-e7 8c d6 b3 62 92 db ed   .....?2.....b...
    00d0 - 35 14 e9 3e 3a 7d db 8e-9d db e6 28 fd 95 65 2a   5..>:}.....(..e*

    Start Time: 1678983733
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: E88348F3D9056308066B4FC79A0F1D1062E3483C702597FC573A96A92BAF2DA3
    Session-ID-ctx: 
    Resumption PSK: 2347B9BCE6ADA0B2780C561B36D6C4E28F38528A97DF3D32ED7B9648253A682ECB6E8F36CFEC76EBCCD9CFA4FFAED8F2
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 41 ea 33 bd 6b 15 47 33-82 1a f0 5a d8 bf 9b c9   A.3.k.G3...Z....
    0010 - e6 3a 0a 2a e5 a9 1e d2-cb d6 91 9b 01 b1 2b 7d   .:.*..........+}
    0020 - e5 20 85 0f ad 30 9c e0-28 4c dc d3 4b f0 47 2a   . ...0..(L..K.G*
    0030 - 0c c3 b8 e6 48 6a 56 96-21 52 10 cb ee 7c 1d 33   ....HjV.!R...|.3
    0040 - 4e 56 1d 71 ea ca d9 b1-27 f4 c2 46 5c a6 e7 bb   NV.q....'..F\...
    0050 - 3d d0 aa da 6c 82 cc 6a-27 29 9b 4a cb 3b 9e 49   =...l..j').J.;.I
    0060 - 46 fb 43 cd 99 83 58 b7-40 ed 6f ab 50 3f 8b de   F.C...X.@.o.P?..
    0070 - 56 7b 71 9c 85 bf d6 04-bf a9 27 6b 78 62 d8 c9   V{q.......'kxb..
    0080 - 70 14 ad 12 6b 29 7b 68-12 47 3b e1 fe 67 85 f6   p...k){h.G;..g..
    0090 - 42 44 c5 d9 8e 26 4f 0d-a0 3c 82 cf 77 dc 8f 7a   BD...&O..<..w..z
    00a0 - ea 8d 2b db 27 81 9d dd-a1 c3 d4 42 38 0a d1 f5   ..+.'......B8...
    00b0 - 75 2f c3 02 bb 86 2e 9a-d2 3a 2c 8a d5 86 cb 30   u/.......:,....0
    00c0 - d0 4a 35 be 4e 31 1e b8-8b 93 0c 7b 91 b4 93 b1   .J5.N1.....{....
    00d0 - c8 ea 4a c4 21 67 7a f6-25 0b e5 13 ba e3 c5 49   ..J.!gz.%......I

    Start Time: 1678983733
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
closed

Thanks

1 Like

What does this show you?

ping -c 3 www.myrkur.net
1 Like

Thanks. I wanted to confirm it was the Apache VHost with the right cert on that port. This confirms what we saw earlier with the various curl requests.

It still points to something wrong in the router that does not pass along HTTPS requests properly back to Apache on port 443.

3 Likes

root@myrkur:/usr/local/docs # ping -c 3 www.myrkur.net
PING myrkur.net (153.92.146.57): 56 data bytes
64 bytes from 153.92.146.57: icmp_seq=0 ttl=64 time=0.584 ms
64 bytes from 153.92.146.57: icmp_seq=1 ttl=64 time=0.435 ms
64 bytes from 153.92.146.57: icmp_seq=2 ttl=64 time=0.414 ms

--- myrkur.net ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.414/0.477/0.584/0.076 ms
root@myrkur:/usr/local/docs #

Thanks

2 Likes

This confirms your local system DNS Resolver is getting the same IPv4 Address as I do. 🙂
Thanks!

1 Like

So does that mean the router is forwarding port 443 to my server?

Indications are your router is NOT forwarding Port 443 to your server.

3 Likes

full circle:

3 Likes

Do you have any idea why I'm getting the 403 Forbidden? When I enabled ssl and virtualhosts it changed from "It works!" to 403 Forbidden.

Thanks

1 Like

I will contact my ISP and ask whether it is possible to open port 443. Thanks for all the replies.

2 Likes

HTTPS to an IP would require the certificate being served by that IP to contain that IP in the SAN.
If not, then your browser will complain about that security issue.

Also, if your secure website was set to require authentication, then you must authenticate or you will receive a 403 error.

Both said, neither of those things has much to do with this forum.

3 Likes
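The thread does the two checks above by hand: the `openssl s_client` run shows which certificate the Apache VirtualHost on port 443 actually serves, and the last reply points out that a browser only accepts HTTPS to a bare IP when that IP is listed in the certificate's SAN. The program below is an added example, not code from this thread or from any project mentioned in it; it bundles both checks into one probe. It dials `host:port`, reports a TCP failure separately from a TLS failure (a refused or timed-out connect is the "router is not forwarding 443" symptom, not a certificate problem), and then applies the same name rule a browser uses: DNS names must appear as DNS SANs, IP literals as IP SANs. The certificate it generates for the offline demonstration is a throwaway self-signed one (constructed test data, not the Let's Encrypt certificate shown earlier); the function and type names are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"os"
	"strings"
	"time"
)

// ProbeResult is what one TLS probe of host:port found.
type ProbeResult struct {
	Reachable   bool     // TCP connect succeeded
	Err         string   // connect or handshake error, if any
	Subject     string   // leaf certificate subject CN
	DNSNames    []string // DNS SANs on the leaf
	IPSANs      []string // IP SANs on the leaf
	NameMatches bool     // whether the leaf covers the name we asked for
}

// Describe records the leaf's names and checks whether it covers name.
// x509.VerifyHostname applies the browser rule: an IP literal only matches
// an IP SAN, a DNS name only matches a DNS SAN (no CN fallback).
func Describe(cert *x509.Certificate, name string) ProbeResult {
	r := ProbeResult{Reachable: true, Subject: cert.Subject.CommonName}
	r.DNSNames = append(r.DNSNames, cert.DNSNames...)
	for _, ip := range cert.IPAddresses {
		r.IPSANs = append(r.IPSANs, ip.String())
	}
	r.NameMatches = cert.VerifyHostname(name) == nil
	return r
}

// Probe dials addr, offers serverName as SNI (Apache selects the VirtualHost
// from it; Go sends no SNI when serverName is an IP literal, as browsers do)
// and reports what certificate came back. Chain verification is disabled on
// purpose so a mismatched certificate is reported instead of aborting the
// probe; NameMatches carries the name check.
func Probe(addr, serverName string, timeout time.Duration) ProbeResult {
	var r ProbeResult
	dialer := &net.Dialer{Timeout: timeout}
	raw, err := dialer.Dial("tcp", addr)
	if err != nil {
		r.Err = err.Error() // refused / timed out: nothing answers on that port
		return r
	}
	defer raw.Close()
	r.Reachable = true
	conn := tls.Client(raw, &tls.Config{ServerName: serverName, InsecureSkipVerify: true})
	_ = conn.SetDeadline(time.Now().Add(timeout))
	if err := conn.Handshake(); err != nil {
		r.Err = err.Error()
		return r
	}
	certs := conn.ConnectionState().PeerCertificates
	if len(certs) == 0 {
		r.Err = "no peer certificate presented"
		return r
	}
	return Describe(certs[0], serverName)
}

// Verdict turns a probe result into the diagnosis the thread reached by hand.
func Verdict(r ProbeResult, name string) string {
	switch {
	case !r.Reachable:
		return "TCP connect failed (" + r.Err + "): nothing answers on that port, check the router's port forward"
	case r.Err != "":
		return "TCP ok but TLS handshake failed: " + r.Err
	case !r.NameMatches:
		sans := strings.Join(append(append([]string{}, r.DNSNames...), r.IPSANs...), ", ")
		return fmt.Sprintf("TLS ok, but the certificate for %q (SANs: %s) does not cover %q; a browser will warn", r.Subject, sans, name)
	default:
		return fmt.Sprintf("TLS ok and the certificate covers %q", name)
	}
}

// NewLeafCert builds a throwaway self-signed ECDSA certificate with the given
// SANs so the name check can be exercised offline (constructed data, not the
// certificate from the thread).
func NewLeafCert(dnsNames []string, ips []net.IP) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	cn := "example"
	if len(dnsNames) > 0 {
		cn = dnsNames[0]
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     dnsNames,
		IPAddresses:  ips,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	if len(os.Args) < 3 {
		fmt.Println("usage: tlsprobe host:port servername   (e.g. 192.168.1.102:443 myrkur.net)")
		os.Exit(2)
	}
	r := Probe(os.Args[1], os.Args[2], 5*time.Second)
	fmt.Println(Verdict(r, os.Args[2]))
}
```

Run it twice, once against the LAN address with the domain as SNI and once against the public address, and compare the verdicts: a "TCP connect failed" on the public side with a clean "TLS ok" on the LAN side is exactly the pattern the thread ended on, and a "does not cover" verdict is the SAN mismatch the last reply describes.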

Okay thanks for all the replies. I will contact my ISP and see if they can help me with the router.

3 Likes
