HTTPS URL: Chrome OK, curl fails

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: www.ptcgpgodpack.top

I ran this command: The URL https://www.ptcgpgodpack.top/search is OK to display in Chrome, but curl failed.
curl -v 'https://www.ptcgpgodpack.top/search'

It produced this output:

* Host www.ptcgpgodpack.top:443 was resolved.
* IPv6: (none)
* IPv4: 60.205.120.211
* Trying 60.205.120.211:443...
* Connected to www.ptcgpgodpack.top (60.205.120.211) port 443
* ALPN: curl offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
* CAfile: /etc/ssl/cert.pem
* CApath: none
* Recv failure: Connection reset by peer
* LibreSSL/3.3.6: error:02FFF036:system library:func(4095):Connection reset by peer
* Closing connection
curl: (35) Recv failure: Connection reset by peer

My web server is (include version): nginx -v
nginx version: nginx/1.18.0 (Ubuntu)

The operating system my web server runs on is (include version): uname -a
Linux iZ2ze7lxfqfvowuj4ppadqZ 5.4.0-182-generic #202-Ubuntu SMP Fri Apr 26 12:29:36 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux

My hosting provider, if applicable, is: Aliyun ECS, VPS

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot --version
certbot 3.0.1

Hi @wljackhero,

Port 443 is serving HTTP only, no HTTPS!

HTTP on Port 80

$ curl -Ii http://www.ptcgpgodpack.top
HTTP/1.1 403 Forbidden
Server: Beaver
Cache-Control: no-cache
Content-Type: text/html
Content-Length: 635
Connection: close

HTTPS on Port 443 FAILED!

$ curl -k -Ii https://www.ptcgpgodpack.top:443
curl: (35) Recv failure: Connection reset by peer

HTTP on Port 443

$ curl -k -Ii http://www.ptcgpgodpack.top:443
HTTP/1.1 403 Forbidden
Server: Beaver
Cache-Control: no-cache
Content-Type: text/html
Content-Length: 635
Connection: close
2 Likes
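The three curl probes in the reply above, combined into one check, as an added example that is not part of the original thread: it tries a TLS handshake first and, if that fails, sends a cleartext request to the same port to see whether plain HTTP answers there. The names `probe_port`, `ForbiddenHandler` and `demo` and the verdict labels are hypothetical, and the local 403 listener is constructed for the demonstration.

```python
import socket
import ssl
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

def probe_port(host, port, timeout=5.0):
    """Return (verdict, detail); verdict is 'tls', 'plain-http', 'no-response' or 'unknown'."""
    # Probe 1: TLS handshake, verification off (like curl -k): does the port speak TLS at all?
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return "tls", tls.version()
    except OSError as exc:  # covers ssl.SSLError, resets, refusals and timeouts
        tls_error = repr(exc)
    # Probe 2: cleartext HEAD on the same port (like curl http://host:443).
    request = f"HEAD / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            raw.sendall(request.encode("ascii"))
            first = raw.recv(256)
    except OSError as exc:
        return "no-response", f"tls: {tls_error}; http: {exc!r}"
    if first.startswith(b"HTTP/"):
        return "plain-http", first.split(b"\r\n", 1)[0].decode("latin-1")
    return "unknown", f"tls: {tls_error}; first bytes: {first[:16]!r}"

class ForbiddenHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for a listener that only speaks cleartext HTTP."""
    def do_HEAD(self):
        self.send_response(403)
        self.end_headers()
    def log_message(self, *args):  # keep the demo quiet
        pass

def demo():
    """Probe a local cleartext-only listener; nothing leaves the loopback interface."""
    server = HTTPServer(("127.0.0.1", 0), ForbiddenHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return probe_port("127.0.0.1", server.server_address[1], timeout=2.0)
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    print(demo())
```

A `plain-http` verdict on port 443 means something in front of or instead of the TLS listener is answering in cleartext, which is the condition the reply above reports.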

Perhaps Chrome ignored HTTPS and got thru on HTTP.

But, your Beaver server is definitely not configured properly. Or, perhaps you misdirect HTTPS requests inbound on port 443 to your Beaver server port 80?

You should work on getting that curl result to succeed. See also: https://decoder.link/sslchecker/www.ptcgpgodpack.top/443

2 Likes

I reinstalled nginx and reconfigured the proxy pass; here is what I just found:

(echo -ne "GET /search?kw=111 HTTP/1.1\r\nHost: www.ptcgpgodpack.top\r\n\r\n") | openssl s_client -tls1_3 -quiet -connect www.ptcgpgodpack.top:443
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = E6
verify return:1
depth=0 CN = www.ptcgpgodpack.top
verify return:1
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 06 Jan 2025 05:49:03 GMT
Content-Type: application/json
Content-Length: 59
Connection: keep-alive

[
{
"id": 5,
"source": "test-package11111"
}
]

This is correct, but if I run it with -tls1 or -tls1_1, I get an error:

8373158464:error:1404B42E:SSL routines:ST_CONNECT:tlsv1 alert protocol version:/AppleInternal/Library/BuildRoots/b11baf73-9ee0-11ef-b7b4-7aebe1f78c73/Library/Caches/com.apple.xbs/Sources/libressl/libressl-3.3/ssl/tls13_lib.c:129:SSL alert number 70

It works with -tls1_2 or -tls1_3, but not with -tls1 or -tls1_1.

curl fails:

shareit@bogon ~ # curl -k -Ii https://www.ptcgpgodpack.top:443
curl: (35) Recv failure: Connection reset by peer
shareit@bogon ~ # curl https://www.ptcgpgodpack.top:443
curl: (35) Recv failure: Connection reset by peer

shareit@bogon ~ # curl -v 'https://www.ptcgpgodpack.top/search'

* Host www.ptcgpgodpack.top:443 was resolved.
* IPv6: (none)
* IPv4: 60.205.120.211
* Trying 60.205.120.211:443...
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* Recv failure: Connection reset by peer
* TLS connect error: error:00000000:lib(0)::reason(0)
* OpenSSL SSL_connect: Connection reset by peer in connection to www.ptcgpgodpack.top:443
* closing connection #0
curl: (35) Recv failure: Connection reset by peer

curl with TLSv1.3 also fails.

Yes, I start nginx on port 443 and proxy pass all HTTPS requests to 127.0.0.1:1080, which runs a Python HTTP server.

I have nginx listening on port 443 and proxy pass all HTTPS requests to my 127.0.0.1:1080, which runs a Python HTTP server.

(echo -ne "GET /search?kw=111 HTTP/1.1\r\nHost: www.ptcgpgodpack.top\r\n\r\n") | openssl s_client -tls1_3 -quiet -connect www.ptcgpgodpack.top:443
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = E6
verify return:1
depth=0 CN = www.ptcgpgodpack.top
verify return:1
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 06 Jan 2025 05:49:03 GMT
Content-Type: application/json
Content-Length: 59
Connection: keep-alive

[
{
"id": 5,
"source": "test-package11111"
}
]

Does this mean my HTTPS works fine on port 443? I have also seen the logs in nginx and my Python HTTP server for this request.

Also, Chrome shows HTTPS as OK in the URL bar, and all certificates look fine in Chrome.

Yes, that looks good. Although tests from the public internet (outside of China) are not working.

See: SSL Server Test: www.ptcgpgodpack.top (Powered by Qualys SSL Labs)

2 Likes