Nginx ERR_SSL_PROTOCOL_ERROR


#1

My domain is: status.dozecloud.com, ipv6.dozecloud.com

My web server is (include version): nginx 1.14.0

SSL only works when I go to my IPv6 address, but when I go to my IPv4 address I get
ERR_SSL_PROTOCOL_ERROR


#2
@Web-Server:/home/server# openssl s_client -connect 127.0.0.1:443 -servername status.dozecloud.com
CONNECTED(00000003)
140084209840576:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:252:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 205 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1532854355
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---

#3
@Web-Server:/home/server# openssl s_client -connect ipv6.dozecloud.com:443
CONNECTED(00000003)
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
 0 s:/CN=dozecloud.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIGODCCBSCgAwIBAgISA9I7YmGZcY7JlMiNMTkRVRNYMA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xODA3MjQxNjU1NDZaFw0x
ODEwMjIxNjU1NDZaMBgxFjAUBgNVBAMTDWRvemVjbG91ZC5jb20wggEiMA0GCSqG
SIb3DQEBAQUAA4IBDwAwggEKAoIBAQC7TZ4NvbKb1hpK2xArBv2D9ZQ03HLP4e3O
BJ9wP//hhl4nBc9DWBSLQd69w8GvTIeQ//wyfeabZKrviC1Owqkfkdl7cvyFf0Yg
GRKV+k4Zy8cK9iFLmrwyAMfRMHPTXJjHZpBfKDXFXjaOFT1+xeNcSxiI7lZ1o4qq
GjEuZwZPf6Zrp9BLg6sNDKXYiIJnKQPghbH05mk0QW/LNnxlXY7E84hs3FGxyleu
4qWtdwmQ7X/onXJzeIM7x/8T43coNUJNEDZ/8c+sU5w+zSXX2UeX/Dws9eTB6HTB
Y3HkKYCZCxJ/EEjNwaYcSKwT3lcth485emDHiEksEbLNyXL0tvSLAgMBAAGjggNI
MIIDRDAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUF
BwMCMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFKFL5uO1U/qb3/uxV0S3oUBKN2uB
MB8GA1UdIwQYMBaAFKhKamMEfd265tE5t6ZFZe/zqOyhMG8GCCsGAQUFBwEBBGMw
YTAuBggrBgEFBQcwAYYiaHR0cDovL29jc3AuaW50LXgzLmxldHNlbmNyeXB0Lm9y
ZzAvBggrBgEFBQcwAoYjaHR0cDovL2NlcnQuaW50LXgzLmxldHNlbmNyeXB0Lm9y
Zy8wTQYDVR0RBEYwRIIRKi5kb3plLWNsb3VkLnRlY2iCDyouZG96ZWNsb3VkLmNv
bYIPZG96ZS1jbG91ZC50ZWNogg1kb3plY2xvdWQuY29tMIH+BgNVHSAEgfYwgfMw
CAYGZ4EMAQIBMIHmBgsrBgEEAYLfEwEBATCB1jAmBggrBgEFBQcCARYaaHR0cDov
L2Nwcy5sZXRzZW5jcnlwdC5vcmcwgasGCCsGAQUFBwICMIGeDIGbVGhpcyBDZXJ0
aWZpY2F0ZSBtYXkgb25seSBiZSByZWxpZWQgdXBvbiBieSBSZWx5aW5nIFBhcnRp
ZXMgYW5kIG9ubHkgaW4gYWNjb3JkYW5jZSB3aXRoIHRoZSBDZXJ0aWZpY2F0ZSBQ
b2xpY3kgZm91bmQgYXQgaHR0cHM6Ly9sZXRzZW5jcnlwdC5vcmcvcmVwb3NpdG9y
eS8wggECBgorBgEEAdZ5AgQCBIHzBIHwAO4AdQApPFGWVMg5ZbqqUPxYB9S3b79Y
eily3KTDDPTlRUf0eAAAAWTNbsczAAAEAwBGMEQCIGFhaWYFBr57hLPFQTDVeKR4
f41ALWux0mQShZ3pnpWbAiBz5l7xfRXdP2tzeUoDZOxQUTUGNh+BeG79jPRH3WaB
VQB1AMEWSuCnctLUOS3ICsEHcNTwxJvemRpIQMH6B1Fk9jNgAAABZM1uyRQAAAQD
AEYwRAIgKjQifi27u3QG9AXF3ZLizFI80mWIR0Cy/ugI4hoWeF0CID1oFN3QVq0I
J1F0cmJLrXj1btakITK2F9U1CDaujtA8MA0GCSqGSIb3DQEBCwUAA4IBAQAgMkab
RoRdJmPj+CO5iSUPL+A1J+iF9O5WBjNd2TwJaYrldi0I/bvkO6EW72BSjIjAo+C+
mdYVMf9mXvdI9vwERcV2RTDHRtC8JFFRt7PjqRpk1+cueV7sOcjy3+MMb2i1970p
5yqADDUOdOjEOaujIAQNgj+izq8ao0C2Wv90OQxVk3PCfqEZPkRa5knBewDU7cqB
6ktrI/J+O/pUF86zB9gvtQg89jT8JfZxIvInzgZ0lFECGXWKoyqCLgEolX5zYaUB
mkpRpacY2xC/j40hJf3YjVPUDbTtWJG5+I9j8yA7XTJawi+kh4IKPGyK/O3fbeIh
njT/xnTf/o6snKyd
-----END CERTIFICATE-----
subject=/CN=dozecloud.com
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3406 bytes and written 261 bytes
Verification error: unable to get local issuer certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-CHACHA20-POLY1305
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-CHACHA20-POLY1305
    Session-ID: ADF5D7004439D422B94BEC4028CDDFB5C933E169AF9B656AFC93500C463E380D
    Session-ID-ctx:
    Master-Key: FA8F40FDBC3E32589ED5CAE824F503F73B20426A654F646081779658FDFE03BC5B3A1E124D7ADB3065EFD044C39301F4
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 94 af 5e 85 cf bb ba 16-93 41 0b b7 70 19 66 8c   ..^......A..p.f.
    0010 - 36 07 cf 35 4b 08 00 47-f9 66 a8 43 8e 53 32 f2   6..5K..G.f.C.S2.
    0020 - 33 25 fa 8e 27 b3 f3 68-7c a5 88 e8 cf 84 eb a9   3%..'..h|.......
    0030 - 5c f8 cc b6 c6 75 f7 69-99 75 08 db 00 8e 87 cb   \....u.i.u......
    0040 - 2e 02 b5 33 3d 5e 48 b5-7d 3a ca ec 26 c2 08 fa   ...3=^H.}:..&...
    0050 - 29 60 c7 0f c3 2d 73 60-29 e9 eb 2c 75 9a bd aa   )`...-s`)..,u...
    0060 - 5c d8 d9 f8 cd 14 15 59-04 0c 28 29 95 b1 8f 05   \......Y..()....
    0070 - 95 3c b9 62 9a 7b 1b 90-f3 b5 e8 12 1f a4 71 c7   .<.b.{........q.
    0080 - 6a cb 0b 20 43 b8 55 07-1a b3 a7 eb 52 05 1c 54   j.. C.U.....R..T
    0090 - c5 0f 08 23 4c 0a 4c ee-ab 84 a6 b2 ca 0c d7 ac   ...#L.L.........
    00a0 - 0b f5 e1 a1 c2 10 e1 c6-c2 f2 0d ff 60 72 1f 9f   ............`r..

    Start Time: 1532854395
    Timeout   : 7200 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
    Extended master secret: yes
---

#4

Can you run “nginx -T” and provide the entire Nginx configuration?

Unconfirmed wild theory: What if IPv4 is doing unencrypted HTTP/2? Like with an accidental “listen 443 http2;” directive?

Edit: I confirmed it. The first few bytes of the response look like an HTTP/2 SETTINGS frame, and it’s consistent with this example.
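The check described in the post above, as an added example that is not part of the original thread: it classifies the first bytes a port sends back as a TLS record, a cleartext HTTP/1.x reply, or a cleartext HTTP/2 SETTINGS frame (the server preface nginx emits on a `listen 443 http2` listener without `ssl`), and shows why OpenSSL reports "wrong version number" for the last case: it parses those bytes as a 5-byte TLS record header and the version bytes are not 0x03xx, which matches the "SSL handshake has read 5 bytes" line in post #2. The function names (`classify_first_bytes`, `probe`, `as_tls_record_header`) and the sample byte strings are my own constructions, not captured from the server in this thread.

```python
"""Classify what a TCP port speaks from the first bytes it sends back.

Added example (not from the original posts). The sample byte strings
below are constructed for illustration, not captured from the thread.
"""
import socket
import struct
from typing import Dict, Tuple

# RFC 7540 section 6.5.2 setting identifiers.
H2_SETTING_NAMES = {
    0x1: "HEADER_TABLE_SIZE",
    0x2: "ENABLE_PUSH",
    0x3: "MAX_CONCURRENT_STREAMS",
    0x4: "INITIAL_WINDOW_SIZE",
    0x5: "MAX_FRAME_SIZE",
    0x6: "MAX_HEADER_LIST_SIZE",
}
H2_FRAME_SETTINGS = 0x4


def as_tls_record_header(data: bytes) -> Dict:
    """What a TLS record layer makes of the first 5 bytes, whatever they are."""
    return {
        "content_type": data[0],
        "version": f"0x{data[1]:02x}{data[2]:02x}",  # must be 0x03xx for TLS
        "length": int.from_bytes(data[3:5], "big"),
    }


def classify_first_bytes(data: bytes) -> Tuple[str, Dict]:
    """Return (label, details) for the first bytes a server sent."""
    if len(data) < 5:
        return "too-short", {"bytes": data.hex()}

    hdr = as_tls_record_header(data)
    # TLS record: content type 0x14-0x17 followed by version 0x03xx.
    # A version major byte other than 0x03 is what OpenSSL reports as
    # "wrong version number".
    if data[0] in (0x14, 0x15, 0x16, 0x17) and data[1] == 0x03 and data[2] <= 0x04:
        return "tls-record", hdr

    # Cleartext HTTP/1.x status line. nginx answers a plain request on an
    # ssl listener with a cleartext 400 page that starts like this.
    if data.startswith(b"HTTP/1."):
        status_line = data.split(b"\r\n", 1)[0].decode("ascii", "replace")
        return "http1-cleartext", {"status_line": status_line}

    # HTTP/2 frame header: 24-bit length, type, flags, 31-bit stream id.
    # The server connection preface is a SETTINGS frame on stream 0
    # (RFC 7540 section 3.5), so that is the first thing a cleartext
    # "listen 443 http2" listener sends.
    if len(data) >= 9:
        length = int.from_bytes(data[0:3], "big")
        frame_type, flags = data[3], data[4]
        stream_id = int.from_bytes(data[5:9], "big") & 0x7FFFFFFF
        if frame_type == H2_FRAME_SETTINGS and stream_id == 0 and length % 6 == 0:
            payload = data[9:9 + length]
            settings = {}
            for off in range(0, len(payload) - len(payload) % 6, 6):
                ident, value = struct.unpack("!HI", payload[off:off + 6])
                settings[H2_SETTING_NAMES.get(ident, f"0x{ident:x}")] = value
            return "http2-cleartext", {
                "ack": bool(flags & 0x1),
                "settings": settings,
                "seen_as_tls_header": hdr,  # explains the OpenSSL error
            }

    return "unknown", {"bytes": data[:16].hex()}


def probe(host: str, port: int = 443, timeout: float = 5.0) -> Tuple[str, Dict]:
    """Send a plain HTTP/1.1 HEAD (what curl did in this thread) and classify the reply.

    A TLS listener that is not nginx may simply close the connection, in
    which case the result is "too-short" with no bytes.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b"HEAD / HTTP/1.1\r\nHost: " + host.encode() + b"\r\nConnection: close\r\n\r\n")
        try:
            data = sock.recv(64)
        except socket.timeout:
            data = b""
    return classify_first_bytes(data)


# Constructed samples (not captured from the thread's server).
SAMPLE_TLS = bytes.fromhex("160303004a0200004603034c")  # start of a TLS 1.2 ServerHello
SAMPLE_H2 = bytes.fromhex(
    "000012040000000000"  # length 18, type SETTINGS, flags 0, stream 0
    "000300000080"        # MAX_CONCURRENT_STREAMS = 128
    "00040000ffff"        # INITIAL_WINDOW_SIZE = 65535
    "000500ffffff"        # MAX_FRAME_SIZE = 16777215
)
SAMPLE_HTTP1 = b"HTTP/1.1 400 Bad Request\r\nServer: nginx/1.14.0 (Ubuntu)\r\n\r\n"

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]))
    else:
        for name, sample in (("tls", SAMPLE_TLS), ("h2", SAMPLE_H2), ("http1", SAMPLE_HTTP1)):
            print(name, classify_first_bytes(sample))
```

Run it with a hostname as the only argument to probe port 443 of a server you operate; with no arguments it classifies the three constructed samples. For the HTTP/2 sample the `seen_as_tls_header` entry reads content type 0 and version 0x0012, which is exactly the header OpenSSL rejected in post #2.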


#5

Hi @jsargent7089,

Could you please post the server blocks configured in nginx for domain status.dozecloud.com?

Cheers,
sahsanu


#6

Hi @jsargent7089

What’s your nginx configuration?

Testing

D:>download http://status.dozecloud.com/ -h
Connection: keep-alive
Content-Length: 194
Content-Type: text/html
Date: Sun, 29 Jul 2018 09:17:29 GMT
Location: https://status.dozecloud.com/
Server: nginx/1.14.0 (Ubuntu)

Status: 301 MovedPermanently

Works, so I can connect to your server using HTTP / port 80 and IPv4.

So your port 80 looks ok, but your 443 doesn’t work.


#7
server {
    listen 80;
    listen [::]:80;

    server_name status.dozecloud.com;
    return 301 https://$host$request_uri;
}


server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    server_name status.dozecloud.com;
    index index.php index.html index.htm;
    root /var/www/Cachet/public;

    ssl_certificate /certs/letsencrypt/live/dozecloud.com/fullchain.pem;
    ssl_certificate_key /certs/letsencrypt/live/dozecloud.com/privkey.pem;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /certs/letsencrypt/live/dozecloud.com/chain.pem;
    ssl_session_cache shared:SSL:10m;
    ssl_ecdh_curve X25519:secp521r1:secp384r1:secp256k1;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
    ssl_dhparam /ssl/dhparam.pem;

    add_header Content-Security-Policy "default-src https: data: 'unsafe-inline' 'unsafe-eval'" always;
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Xss-Protection "1; mode=block" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header Referrer-Policy no-referrer-when-downgrade;

    client_max_body_size 100M;

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

#8

@jsargent7089, your server block looks fine. Are you sure you are forwarding port 443 from your router to the nginx server? Because trying to reach your domain using IPv4 on port 443 I only receive garbage.

$ curl -4IkL http://status.dozecloud.com:443
curl: (8) Weird server reply

#9

When I did it I got
curl -4IkL https://status.dozecloud.com:443
curl: (35) error:1408F10B:SSL routines:ssl3_get_record:wrong version number


#10

Keep in mind that i used http to connect to port 443 instead of https.


#11


#12

If the private address is the one where nginx is running, the redirect rule looks fine. Maybe the router’s web server is listening on port 443 on the WAN address and you should disable it. I don’t know, maybe you should restart the router just in case. Also, run nginx -t to double check that your conf is ok.


#13

nginx: [warn] could not build optimal proxy_headers_hash, you should increase either proxy_headers_hash_max_size: 512 or proxy_headers_hash_bucket_size: 64; ignoring proxy_headers_hash_bucket_size
nginx: [warn] could not build optimal proxy_headers_hash, you should increase either proxy_headers_hash_max_size: 512 or proxy_headers_hash_bucket_size: 64; ignoring proxy_headers_hash_bucket_size
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful


#14

The port is open because it has been working that way for almost 2 years. Until yesterday it stopped working.


#15

I fixed it by just restarting nginx. I had done this 50 times before and it still did not work. I even reinstalled Ubuntu and it still did not work. I guess nginx went on vacation. Thank you for all your help.


#16

Want to write something. But now it works :wink:

But it’s a Comodo-certificate.


#17

I am using Cloudflare, that’s why it’s a Comodo certificate.

Update: It still does it on and off. :rage:


#18

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.