I have a website that is only accessible from our company LAN. Certificates are managed via the DNS-01 challenge with certbot. This works fine most of the time, but users are running into several situations in which the site can't be reached (using the guest WiFi instead of the employee WiFi; forgetting to enable the VPN when working from home; or even some not-understood behaviour of Google Chrome that can't reach the internal website, even when Safari or curl can).
So I thought to implement a public, internet-facing counterpart of the internal website, which will display some helpful text explaining the situation to the user. Both have the domain name aiwa.archipunt.nl, but our internal DNS resolves it to a private IP address (10.x.y.z), and the public DNS system resolves it to the public IP address.
For the public website to work, I shipped the certificates with scp to the internet webserver (not sure this is the correct way of doing things). I put the certificates in ~/etc_shadow to avoid misunderstandings. I shipped all files in the archive folder. For the live folder, I recreated the symbolic links by determining the files in archive via readlink.
When enabling the website, everything seemed fine. When at home, I got the internet-facing website, and at work I got the internal one. As expected.
However, for some reason, another website on the same VM stopped working properly. The domain for this website is apawa.archipunt.nl. The error message I got from Firefox is:
Secure Connection Failed
An error occurred during a connection to apawa.archipunt.nl. SSL peer rejected a handshake message for unacceptable content.
Error code: SSL_ERROR_ILLEGAL_PARAMETER_ALERT
The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the web site owners to inform them of this problem.
And this happened with curl:
$ curl -v https://apawa.archipunt.nl/
* Host apawa.archipunt.nl:443 was resolved.
* IPv6: (none)
* IPv4: 93.184.96.199
* Trying 93.184.96.199:443...
* Connected to apawa.archipunt.nl (93.184.96.199) port 443
* ALPN: curl offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
* CAfile: /etc/ssl/cert.pem
* CApath: none
* (304) (IN), TLS handshake, Server hello (2):
* (304) (OUT), TLS handshake, Client hello (1):
* LibreSSL/3.3.6: error:1404B417:SSL routines:ST_CONNECT:sslv3 alert illegal parameter
* Closing connection
curl: (35) LibreSSL/3.3.6: error:1404B417:SSL routines:ST_CONNECT:sslv3 alert illegal parameter
As soon as I disabled the public-facing aiwa.archipunt.nl site (and reloaded nginx), the apawa.archipunt.nl site worked again.
This is the situation now. So when you open aiwa.archipunt.nl, you will actually open the apawa.archipunt.nl website, because that is nginx's first website to match the same IP/port, so that is to be expected.
For both public and private VM:
My web server is (include version): nginx/1.22.1
The operating system my web server runs on is (include version): Debian GNU/Linux 12 (bookworm)
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.1.0
Questions:
- how can enabling one website make the other one faulty?
- is shipping certificates like this the right way?
- what is the "correct" way to have certificates for both a private and a public website?
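As an added example (not part of the original post, and not certbot's or nginx's own code), the following POSIX shell script performs the checks a hand-copied certbot tree on the receiving host should pass: every symlink in live/<name>/ resolves to a regular file under archive/<name>/, privkey.pem is readable by its owner only, and, when an openssl binary is available, the public key inside cert.pem matches privkey.pem. A third function connects to a server with a given SNI name and prints the subject and validity of the certificate actually presented, which shows which nginx server block answered for that name. The paths and host names in the usage comments (/path/to/live, example.test) are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Sanity checks for a certbot
# directory tree that was copied by hand (scp) to another host.
# All paths and names are assumptions.

# check_live_links LIVE ARCHIVE
# For each LIVE/<name>/, verify that cert.pem, chain.pem, fullchain.pem and
# privkey.pem are symlinks to existing regular files under ARCHIVE/<name>/,
# and that privkey.pem is not group- or world-readable.
# Returns 0 when every check passes, 1 otherwise.
check_live_links() {
    live=${1%/}
    # Canonicalise ARCHIVE so it compares equal to what readlink -f returns.
    archive=$(readlink -f "${2%/}" 2>/dev/null) || archive=${2%/}
    status=0
    for dir in "$live"/*/; do
        name=$(basename "$dir")
        for f in cert.pem chain.pem fullchain.pem privkey.pem; do
            link="$dir$f"
            if [ ! -L "$link" ]; then
                echo "MISSING LINK: $link"
                status=1
                continue
            fi
            target=$(readlink -f "$link" 2>/dev/null) || target=""
            case "$target" in
                "$archive/$name/"*) ;;
                *) echo "WRONG TARGET: $link -> $target"; status=1; continue ;;
            esac
            if [ ! -f "$target" ]; then
                echo "DANGLING LINK: $link -> $target"
                status=1
                continue
            fi
            # A private key readable by group or others is a finding.
            if [ "$f" = privkey.pem ] &&
               [ -n "$(find "$target" -perm -g+r -o -perm -o+r)" ]; then
                echo "KEY TOO PERMISSIVE: $target"
                status=1
            fi
        done
    done
    return $status
}

# key_matches_cert CERT KEY
# Compares the public key embedded in CERT with the one derived from KEY.
# Needs the openssl command-line tool; returns 2 when it is not installed.
key_matches_cert() {
    command -v openssl >/dev/null 2>&1 || return 2
    cert_pub=$(openssl x509 -noout -pubkey -in "$1") || return 1
    key_pub=$(openssl pkey -pubout -in "$2") || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# served_cert_for NAME HOST
# Connects to HOST:443 with SNI set to NAME and prints the subject and
# validity dates of the certificate the server presents for that name.
served_cert_for() {
    openssl s_client -servername "$1" -connect "$2:443" </dev/null 2>/dev/null |
        openssl x509 -noout -subject -dates
}

# Usage (placeholder paths and names):
#   check_live_links /path/to/live /path/to/archive
#   key_matches_cert /path/to/live/example.test/cert.pem \
#                    /path/to/live/example.test/privkey.pem
#   served_cert_for example.test example.test
```

Running served_cert_for once per host name against the public VM shows whether the name you ask for is answered by the server block you expect; comparing that with the internal VM from inside the LAN confirms that each side presents the certificate it was given.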