Lynx doesn't recognize Let's encrypt certs


#1

I ran this command: lynx www.stonek.com

It produced this output: SSL error:self signed certificate-Continue? (y)

That self-signed cert is created when Webmin/Virtualmin is installed.

If I run: lynx -dump https://www.stonek.com/

Looking up www.stonek.com
Making HTTPS connection to www.stonek.com
Retrying connection without TLS.
Looking up www.stonek.com
Making HTTPS connection to www.stonek.com
Alert!: Unable to make secure connection to remote host.
lynx: Can’t access startfile https://www.stonek.com/

/etc/lynx.cfg contains:
STARTFILE:file://path-to/public_html/index.php

Reading other forum posts I added:
SSL_CERT_FILE=/etc/letsencrypt/live/www.stonek.com/cert.pem
I have to say that SSL_CERT_FILE is not a variable in the default lynx.cfg file.

Still the same problem. It happens only with SSL. Other domains with no certs work okay.

Lynx Version 2.8.6rel.5 (09 May 2007)
libwww-FM 2.14, SSL-MM 1.4.1, OpenSSL 1.0.0-fips, ncurses 5.7.20090207(wide)
Built on linux-gnu Aug 25 2010 15:17:35

My web server is Apache 2.2.14

The operating system my web server runs on is Centos 6.10

I can login to a root shell on my machine

I’m using a control panel to manage my site: Webmin/Virtualmin


#2

Lynx 2.8.6rel.5 doesn’t support SNI. So it can’t tell the server how to select the correct certificate before sending the HTTP request containing the hostname.

You could try making www.stonek.com the default VirtualHost for the server, although I don’t know how to do that with Webmin/Virtualmin.


#3

I suspected that SNI isn’t supported.
You mean change the default virtual server in httpd.conf?


#4

Yeah, essentially change the order of virtual hosts so that the one with the cert you want to use is the first.

You may have to combine multiple domains in a single cert if you want them all to work with pre-SNI clients.


#5

Hi @marciano

It’s curious. Loading a Windows-Lynx, I checked two of my own sites (same server).

Both with Letsencrypt certificate, one with SNI, the other without SNI (the standard binding).

Both sites worked correctly.

But checking your site:

Looking up www.stonek.com
Making HTTPS connection to www.stonek.com
Retrying connection without TLS.
Looking up www.stonek.com
Making HTTPS connection to www.stonek.com
Alert!: Unable to make secure connection to remote host.

lynx: Can’t access startfile https://www.stonek.com/

So if you use a Lynx with SNI-support, there is an error.

You have some blocked urls / mixed content.

http://pagead2.googlesyndication.com/pagead/show_ads.js

But I don’t know if this is the problem.

PS: You have a redirect.

D:\temp>download https://www.stonek.com/ -h
SSL-Zertifikat is valide
Strict-Transport-Security: max-age=31536000
Vary: Accept-Encoding
Keep-Alive: timeout=5, max=200
Connection: Keep-Alive
Content-Length: 0
Cache-Control: max-age=86400, private
Content-Type: text/html; charset=ISO-8859-1
Date: Mon, 22 Oct 2018 22:32:02 GMT
Expires: Mon, 22 Oct 2018 22:32:02 GMT
Location: index_banco_es.php
Server: Apache
X-Powered-By: PHP/5.3.3

Status: 301 MovedPermanently

580,60 milliseconds
0,58 seconds

But a redirect without a domain name. Change your redirect location to

https://www.stonek.com/index_banco_es.php


#6

Hmm, that’s odd - I tried lynx 2.8.9dev.16 on Ubuntu and https://www.stonek.com/ seemed to work fine… it did complain about the relative Location, but loaded anyway.

There may be some other incompatibilities with older lynx versions, I guess, protocol versions or cipher suites or something like that?


#7

Yep, it’s a problem of this Windows-Lynx.

Tested with one of my own domains - Windows-Lynx supports only TLS 1.0.

Checked stonek.com via Ssllabs -> TLS 1.0 is inactive.


#8

Yes, only TLS 1.1 and 1.2 are enabled.
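
The two failure modes diagnosed in posts #2, #4, #7 and #8, as an added example that is not part of the original thread: a small Python model of how a name-based virtual host server picks a certificate with and without SNI, and of protocol version overlap. The vhost list, the `default.example` name and the three client profiles are constructed assumptions, not the real server configuration; names are matched exactly (no wildcards), and version and certificate are checked in sequence for clarity.

```python
from dataclasses import dataclass

VERSIONS = ["TLSv1.0", "TLSv1.1", "TLSv1.2"]  # ordered, oldest first

@dataclass
class VHost:
    server_name: str
    cert_names: tuple      # DNS names in the certificate (SAN list)
    trusted: bool = True   # False models a self-signed certificate

@dataclass
class Client:
    versions: tuple        # protocol versions the client offers
    sni: bool              # does it send the server_name extension?

def handshake(client, host, vhosts, server_versions):
    """Predict the outcome of connecting to `host`; returns a status string."""
    common = [v for v in VERSIONS if v in client.versions and v in server_versions]
    if not common:
        return "fail: no common protocol version"
    # With SNI the server selects the matching vhost; without it, the first one.
    chosen = vhosts[0]
    if client.sni:
        chosen = next((v for v in vhosts if v.server_name == host), vhosts[0])
    if not chosen.trusted:
        return "warn: self-signed certificate"
    if host not in chosen.cert_names:
        return "warn: certificate name mismatch"
    return f"ok: {common[-1]}"

# Constructed configuration modelled on the thread (hypothetical names).
VHOSTS = [
    VHost("default.example", ("default.example",), trusted=False),
    VHost("www.stonek.com", ("www.stonek.com",)),
]
SERVER_VERSIONS = ("TLSv1.1", "TLSv1.2")

OLD_NO_SNI = Client(("TLSv1.0",), sni=False)  # assumed pre-SNI, TLS 1.0-only client
TLS10_SNI = Client(("TLSv1.0",), sni=True)    # SNI-capable, but TLS 1.0 only
MODERN = Client(("TLSv1.0", "TLSv1.1", "TLSv1.2"), sni=True)

if __name__ == "__main__":
    for name, c in [("old", OLD_NO_SNI), ("tls10+sni", TLS10_SNI), ("modern", MODERN)]:
        print(name, "->", handshake(c, "www.stonek.com", VHOSTS, SERVER_VERSIONS))
```

Reordering `VHOSTS` so the wanted certificate comes first, or giving the first vhost a certificate that lists several names, changes only the no-SNI results; the version failure stays until client and server share a protocol.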


#9

I installed lynx on my desktop Ubuntu 18.04:
Lynx Version 2.8.9dev.16 (11 Jul 2017)
libwww-FM 2.14, SSL-MM 1.4.1, GNUTLS 3.5.17, ncurses 6.1.20180127(wide
And I also have no problem with that domain.


#10

I changed the relative Location to absolute but nothing changed.
I also tried lynx tl.stonek.com and lynx uruguaydesdeloalto.com.
They have their own cert.
lynx imprentaexpress.com.uy (does not use SSL) works okay.
I also tried with elinks.
Although I get a green padlock in Firefox, https://www.whynopadlock.com/results/0e868f0a-054e-4a47-90cd-cfed22c1c570 shows what you have stated.
Fixed, but it doesn’t fix the issue.
elinks www.stonek.com -> Unable to retrieve https… SSL error

At lynx.cfg I also changed from
STARTFILE:file://path-to/public_html/index.php
to
STARTFILE:file://path-to/public_html/index_banco_es.php
which is the redirected file