Let's Encrypt Certificates on Rocky Linux w/FIPS enabled

Well, I did this after reading Error “curl: (1) Received HTTP/0.9 when not allowed” (SOLVED):

kohanyim[.]com

root@vmxws1:~# curl -Iv --http0.9 https://kohanyim.com/404
*   Trying 67.0.88.50:443...
* Connected to kohanyim.com (67.0.88.50) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: CN=kohanyim.com
*  start date: Apr 17 06:18:17 2022 GMT
*  expire date: Apr 17 06:18:16 2023 GMT
*  subjectAltName: host "kohanyim.com" matched cert's "kohanyim.com"
*  issuer: C=PA; O=TrustCor Systems S. de R.L.; CN=TrustCor DV SSL CA - G2 - RSA
*  SSL certificate verify ok.
> HEAD /404 HTTP/1.1
> Host: kohanyim.com
> User-Agent: curl/7.74.0
> Accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Closing connection 0
* TLSv1.3 (OUT), TLS alert, close notify (256):
curl: (8) Weird server reply

what could be causing this "curl: (8) Weird server reply"?

and did this for www[.]kohanyim[.]com,


root@vmxws1:~# curl -Iv --http0.9 https://www.kohanyim.com/404
* Could not resolve host: www.kohanyim.com
* Closing connection 0
curl: (6) Could not resolve host: www.kohanyim.com

That's just your client's DNS got broken. For my side kohanyim.com works fine (with normal headers), but your OP domain roaddriversplus.com still has the same problem. What's the difference between those two sites' config?

3 Likes

After doing further searching I found "C++ cURL "empty reply from server" every time", which led me to "Cisco AnyConnect VPN Client May Block CORS AJAX OPTIONS Requests". I do have AirVPN installed using the Eddie GUI:

Could this be interfering with connections?

IMPORTANT TO NOTICE: Interfaces VLAN's on LAN

@nasheayahu It looks like your various errors are all caused by not sending any HTTP response headers. See my various curl combinations below. And note that right now both kohanyim and roaddriversplus fail in the same way. I don't know why some earlier results showed some headers, but this is what I see now.

It looks like the "weird server reply" is related to using a HEAD request rather than GET.

curl -I --http0.9 http://kohanyim.com
curl: (8) Weird server reply
(Me: weird server reply could just be that there are no HTTP response headers)

curl -i --http0.9 http://kohanyim.com
(Me: this "works" but note only see data and no response headers per -i)
<!doctype html>
<html>
  <head>
    <meta charset='utf-8'>
    <meta name='viewport' content='width=device-width, initial-scale=1'>
    <title>Server Maintenance Page powered by: Rocky Linux</title>
    <style type="text/css">
      /*<![CDATA[*/

(Me: Without the --http0.9 option, which tolerates no HTTP response headers, I get:)
curl -i http://kohanyim.com
curl: (1) Received HTTP/0.9 when not allowed
(Me: no headers and no page data)

I don't have any suggestions off-hand. I just thought consolidating the various error combinations would help focus efforts.

2 Likes

Here are the results from four OSes within my intranet browsing to the domains:

From (1)Windows 10 Pro w/Hyper-V, (2)Windows 10 Pro

https://www.kohanyim.com/ (noip: TrustCor Premium Wildcard DV)
The connection has timed out

The server at www.kohanyim.com is taking too long to respond.

The site could be temporarily unavailable or too busy. Try again in a few moments.
If you are unable to load any pages, check your computer’s network connection.
If your computer or network is protected by a firewall or proxy, make sure that Waterfox is permitted to access the Web.

https://wwwkohanyimcom.kohanyim.com/ (noip: TrustCor Premium Wildcard DV, hostname: wwwkohanyimcom, Certificate: *.kohanyim.com)
Connected with the default page

https://kohanyim.com/ (noip: TrustCor Standard DV)
The connection has timed out

The server at kohanyim.com is taking too long to respond.

The site could be temporarily unavailable or too busy. Try again in a few moments.
If you are unable to load any pages, check your computer’s network connection.
If your computer or network is protected by a firewall or proxy, make sure that Firefox is permitted to access the Web.

https://kohanyimcom.kohanyim.com/ (noip: TrustCor Standard DV, hostname: kohanyimcom, Certificate: kohanyim.com) NOTE: I get the server "Test Page"
Warning: Potential Security Risk Ahead

Waterfox detected a potential security threat and did not continue to kohanyimcom.kohanyim.com. If you visit this site, attackers could try to steal information like your passwords, emails, or credit card details.

What can you do about it?

The issue is most likely with the website, and there is nothing you can do to resolve it. You can notify the website’s administrator about the problem.

https://roaddriversplus.com/ (Let's Encrypt)
The connection has timed out

The server at roaddriversplus.com is taking too long to respond.

The site could be temporarily unavailable or too busy. Try again in a few moments.
If you are unable to load any pages, check your computer’s network connection.
If your computer or network is protected by a firewall or proxy, make sure that Waterfox is permitted to access the Web.

https://roaddriversplus.kohanyim.com/ (Let's Encrypt, hostname: roaddriversplus, Certificate: roaddriversplus.com) NOTE: I get the server "Test Page"
Warning: Potential Security Risk Ahead

Waterfox detected a potential security threat and did not continue to roaddriversplus. If you visit this site, attackers could try to steal information like your passwords, emails, or credit card details.

What can you do about it?

The issue is most likely with the website, and there is nothing you can do to resolve it. You can notify the website’s administrator about the problem.

From (1)Windows 8.1 Pro, (2) MX Linux 21.1: AirVPN Connected via Canada

https://www.kohanyim.com/ (noip: TrustCor Premium Wildcard DV, Certificate: *.kohanyim.com)
I get the server "Test Page"

https://kohanyim.com/ (noip: TrustCor Standard DV, Certificate: kohanyim..com)
NOTE: I get the Frontend Error 503 "Maintenance Page"

https://roaddriversplus.com/ (Let's Encrypt, Certificate: roaddriversplus.com)
NOTE: I get the Frontend Error 503 "Maintenance Page"

NOTICE: The hostname is combined with the DNS domain name kohanyim.com. I'm sure this is a problem, because this is not what I want within the intranet. I would like for both (private/public) to resolve to the correct server.

"::" ?

".." ?

Are those extra colons and dots really there?
OR did you add them into your post?

2 Likes

UPDATE: I didn't know if it would allow more than two links, so I purposely added the extra chars. There, fixed now.

NOTE: The (1) Windows 10 Pro w/Hyper-V and (2) Windows 10 Pro machines are connected to the internet but not outside the ISP.

1 Like

I don't see any progress:

curl -Ii 67.0.88.50
curl: (52) Empty reply from server

curl -Ii www.kohanyim.com
curl: (52) Empty reply from server

curl -Ii wwwkohanyimcom.kohanyim.com
curl: (52) Empty reply from server
1 Like

Based on the diagram, it seems like HAProxy would be the logical choice to serve the multiple internal web sites via the single external IP.

So, does the router forward ports 80 and 443 to HAProxy?

1 Like

Good question. I assumed that HAProxy, once enabled, takes over the HTTP(S) ports. These are my WAN firewall rules:

The diagram shows the router separate from the HAProxy.

The diagram also shows the HAProxy IP as 192.168.x.x,
which implies there must be some other device with an Internet IP, i.e. the router.

And I repeat myself:

3 Likes

I believe I found the problem and need your feedback:

  1. I pointed the Backends (www.kohanyim.com, kohanyim.com, roaddriversplus.com) to my Hyper-V Dev Rocky Server.

  2. Followed this instruction, "Installing HAProxy on pfSense with SSL access to web server", and found he had check-marked "Add ACL for certificate CommonName" (host header matches the "CN" of the certificate):

which I had not, and now it's working. So would you test it on your end?
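The fix in step 2 is that the frontend needs a host-header ACL per site so HAProxy knows which backend to send each name to; without one every request fell through to the same place, which is why all three names behaved identically. The configuration below is an added example, not the pfSense-generated config from this thread: it is hand-written haproxy.cfg syntax for the same three names, with placeholder backend addresses (192.168.0.10 to .12, the certificate directory path, and the acme backend are all assumptions). It also shows the port-80 rule that keeps Let's Encrypt HTTP-01 challenges working while everything else is redirected to HTTPS.

```haproxy
# Added example, not the original poster's pfSense configuration.
# Backend IPs, the cert directory and the acme backend are placeholders.
global
    log /dev/log local0
defaults
    mode http
    log global
    option httplog
    option forwardfor
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Port 80: let the ACME client answer HTTP-01 challenges, redirect the rest.
frontend http_in
    bind *:80
    acl is_acme path_beg /.well-known/acme-challenge/
    use_backend bk_acme if is_acme
    http-request redirect scheme https code 301 unless is_acme

# Port 443: terminate TLS, then route on the Host header.
# Each ACL is the equivalent of pfSense's "Add ACL for certificate CommonName":
# the Host header must match the name on the certificate that was served.
frontend https_in
    bind *:443 ssl crt /etc/haproxy/certs/ alpn h2,http/1.1
    http-request set-header X-Forwarded-Proto https
    acl host_www  req.hdr(host) -i www.kohanyim.com
    acl host_apex req.hdr(host) -i kohanyim.com
    acl host_rdp  req.hdr(host) -i roaddriversplus.com
    use_backend bk_www  if host_www
    use_backend bk_apex if host_apex
    use_backend bk_rdp  if host_rdp
    default_backend bk_maintenance   # unknown name: serve the 503 page, not someone else's site

backend bk_www
    server www1 192.168.0.10:80 check        # placeholder address
backend bk_apex
    server apex1 192.168.0.11:80 check       # placeholder address
backend bk_rdp
    server rdp1 192.168.0.12:80 check        # placeholder address
backend bk_acme
    server acme1 127.0.0.1:8402 check        # placeholder: wherever the ACME client listens
backend bk_maintenance
    http-request return status 503 content-type text/html string "<h1>Maintenance</h1>"
```

Two checks after loading this: `haproxy -c -f /etc/haproxy/haproxy.cfg` validates the syntax, and `curl -I https://kohanyim.com/` (and the other two names) must now return a status line and headers, as the later posts in this thread show, rather than "Received HTTP/0.9 when not allowed". If a name is missing from the ACL list it lands on bk_maintenance, which is the safe failure: it never proxies one site's traffic to another site's backend.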

I get the identical wrong results I saw in my post #24.

2 Likes

I did the same test again via VPN from Canada and am getting good results:

root@vmxws1:~# curl -Iv --http0.9 https://kohanyim.com/
*   Trying 67.0.88.50:443...
* Connected to kohanyim.com (67.0.88.50) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: CN=kohanyim.com
*  start date: Apr 17 06:18:17 2022 GMT
*  expire date: Apr 17 06:18:16 2023 GMT
*  subjectAltName: host "kohanyim.com" matched cert's "kohanyim.com"
*  issuer: C=PA; O=TrustCor Systems S. de R.L.; CN=TrustCor DV SSL CA - G2 - RSA
*  SSL certificate verify ok.
> HEAD / HTTP/1.1
> Host: kohanyim.com
> User-Agent: curl/7.74.0
> Accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Date: Mon, 09 May 2022 03:21:23 GMT
Date: Mon, 09 May 2022 03:21:23 GMT
< Server: Apache/2.4.37 (rocky) OpenSSL/1.1.1k mod_fcgid/2.3.9
Server: Apache/2.4.37 (rocky) OpenSSL/1.1.1k mod_fcgid/2.3.9
< Last-Modified: Sun, 08 May 2022 21:56:34 GMT
Last-Modified: Sun, 08 May 2022 21:56:34 GMT
< ETag: "1c86-5de872a400ceb"
ETag: "1c86-5de872a400ceb"
< Accept-Ranges: bytes
Accept-Ranges: bytes
< Content-Length: 7302
Content-Length: 7302
< Content-Type: text/html; charset=UTF-8
Content-Type: text/html; charset=UTF-8

<
* Connection #0 to host kohanyim.com left intact

and

root@vmxws1:~# curl -Iv https://kohanyim.com/
*   Trying 67.0.88.50:443...
* Connected to kohanyim.com (67.0.88.50) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: CN=kohanyim.com
*  start date: Apr 17 06:18:17 2022 GMT
*  expire date: Apr 17 06:18:16 2023 GMT
*  subjectAltName: host "kohanyim.com" matched cert's "kohanyim.com"
*  issuer: C=PA; O=TrustCor Systems S. de R.L.; CN=TrustCor DV SSL CA - G2 - RSA
*  SSL certificate verify ok.
> HEAD / HTTP/1.1
> Host: kohanyim.com
> User-Agent: curl/7.74.0
> Accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Date: Mon, 09 May 2022 03:27:07 GMT
Date: Mon, 09 May 2022 03:27:07 GMT
< Server: Apache/2.4.37 (rocky) OpenSSL/1.1.1k mod_fcgid/2.3.9
Server: Apache/2.4.37 (rocky) OpenSSL/1.1.1k mod_fcgid/2.3.9
< Last-Modified: Sun, 08 May 2022 21:56:34 GMT
Last-Modified: Sun, 08 May 2022 21:56:34 GMT
< ETag: "1c86-5de872a400ceb"
ETag: "1c86-5de872a400ceb"
< Accept-Ranges: bytes
Accept-Ranges: bytes
< Content-Length: 7302
Content-Length: 7302
< Content-Type: text/html; charset=UTF-8
Content-Type: text/html; charset=UTF-8

<
* Connection #0 to host kohanyim.com left intact

and the same with www.kohanyim.com and roaddriversplus.com; the HAProxy Backends are executing properly. And now I will test it on my Rocky Server Box using each domain per VM.
