Protocol error after renewal - nginx

MikeMcQ · June 25, 2022, 3:13pm

Well, your redirects are working now. Did you change that server block as I showed?

As for the other, I think it's likely your nginx binary could be faulty. A pattern I see is that individual requests succeed (curl, wget, ...). Browsers fail but they multi-thread their requests so you will see multiple requests simultaneously. You could use the Dev Tools / Network in the browser and see if it gives hints about which request in the page is failing. Maybe something has gone wrong with how you process multi requests (I have no idea what exactly - just guessing. And I dont know nchan).

ianhobson · June 25, 2022, 3:28pm

Yes I did update the redirect/challenge block as you gave me. Thanks for that.

I agree - I also suspect that my compile of nginx contains the fault. Further I suspect it is in openSSL, but the maintainer has not responded to pleas for help.

nchan is a module to pass messages from one visitor to another, and run a chat room. The code using web_rtc for the heavy lifting, (audio and video) and that requires SSL.

ianhobson · June 26, 2022, 10:53am

I can now report that the following versions of nginx all fail with the same protocol error
My compile of Oct 21,
Official version 1.20.0
Official version 1.22 with openSSL.1.1.1n
My compile of 1.22.0 with openSSL1.1.1p
My compile of nginx 1.23 with openSSL1.1.p
I really doubt that the version I was running from Oct21 until 10 days ago without any problem, is the problem.
So where can we go from here?
star.thecompanycoachltd.com is really simple, so I shall strip everything unnecessary out of its configuration and test that. Update to follow.

ianhobson · June 26, 2022, 12:02pm

The simplest https site I can create fails with a protocol error!

Osiris · June 26, 2022, 12:03pm

I did some Wireshark dumps to see what's going on, but I'm not very wiser.. Your server sends a "change cipher spec" message to the client after the ClientHello and the client tries again afterwards.. But I can't find out why.

ianhobson · June 26, 2022, 12:20pm

If you need me to tweak something for a test, just ask.

Osiris · June 26, 2022, 12:39pm

I wouldn't know what to tweak. You might have more insight yourself with Wireshark though, just a debugging tip.

MikeMcQ · June 26, 2022, 1:56pm

I might be missing something but I (continue to) make single requests using curl just fine. Yet, a request from a browser gets protocol error.

curl -I https://star.thecompanycoachltd.com/.well-known/acme-challenge/TestForum123
HTTP/1.1 404 Not Found
Server: nginx/1.22.0
Date: Sun, 26 Jun 2022 13:52:59 GMT
Content-Type: text/html
Content-Length: 153
Connection: keep-alive

curl -I https://star.thecompanycoachltd.com
HTTP/1.1 200 OK
Server: nginx/1.22.0
Date: Sun, 26 Jun 2022 13:53:08 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Set-Cookie: PHPSESSID=g4qg01rlcsrpmfnnluduv1gr4q; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: deny

ianhobson · June 26, 2022, 2:01pm

The results you get with curl are what I would expect. The html page is a log in screen,

How are the TLS 1.2 ciphers specified? Could it be that curl manages TLS 1.3, but the browsers cant yet, try to swap back to TLS 1.2 and fails to get a new cipher offered?

MikeMcQ · June 26, 2022, 2:03pm

I tried curl with --tls-max 1.2 and it still works so not that. I will check network activity in browser shortly.

ianhobson · June 26, 2022, 2:31pm

Cracked it!
I had a dummy site set up for https requests for sites I don't host - which has a self signed cert.
When I took this out, all started to work!

I don't understand what was going wrong - but it isn't any more!

MikeMcQ · June 26, 2022, 2:40pm

Hmmm. Glad you fixed it. There must be more to that story than just a self-signed cert.

I had much earlier used SSL Labs and you got an A+ which could not happen with self-signed cert. curl reports them too.

ianhobson · June 26, 2022, 2:56pm

I had a site with this configuration

        server {
            listen 443 ssl;
            listen [::]:443 ssl;
            include snippets/self-signed.conf;
            include snippets/ssl-params.conf;
            server_name _;
            location / {
                try_files /index.htm =404;
            }
        }

The idea being that is would show the visitor a "not on this server" message.
However it managed to mess up all the https sites!
It might work if I just listen on 443 and don't have any ssl going on. Must test. Tomorrow!

kuchlog25 · July 1, 2022, 5:13pm

I have shutdown and restarted the server (a VM). Problem not sorted.

rg305 · July 1, 2022, 6:54pm

Hi @kuchlog25, and welcome to the LE community forum

Is your post specifically related to this topic (and FQDN)?

ianhobson · July 2, 2022, 1:33am

For those who find this thread when they trigger a similar problem....

All listen 443 ssl; directives MUST be paired with valid certificates. Self signed certificates will not do.
Listen 443 without the ssl parameter is not valid and will fail validation.

Also, your investigation will be confused due to pages being cached.

To @kuchlog25 - If your problem is the same as mine, then I hope the above helps. If not, then you would be well advised to start a new thread.

MikeMcQ · July 2, 2022, 2:45am

That's not true. Self-signed certs will cause warning or error messages in various clients (browsers, ...) but a connection to nginx can be made. You must specify the self-signed cert and its key though (just like a CA cert/key).

ianhobson · July 2, 2022, 9:26am

I guess I was not clear. In my testing and experience, if you have any "listen 443 ssl" directives paired with a self signed certificate, then yes indeed, visitors can accept the warning, and visit that site. BUT

ALL visitors using a browser who come to every other https:// site hosted on the same instance of nginx will receive a protocol error and not be able to visit the site they want. Pages can be downloaded with curl, but browsers do not work.

I feel this may be a bug in the current version of nginx.

Osiris · July 2, 2022, 11:19am

I'm not sure about other browsers, but Chrome/Chromium [defaults to HTTPS for a while now]. So that could be an issue indeed.

It's default webserver behaviour to resort to a default vhost, so not a bug.

MikeMcQ · July 2, 2022, 2:02pm

No, I beg to differ again I have a production server with a self-signed cert and LE certs and each server works fine.

I have seen what may be (is probably) a bug in nginx though. It is not exactly what you are describing but shows a pattern that could be involved in your peculiar results

Let's say you have multiple servers with listen 443 ssl.
And, one of these ssl servers (and not the first) does not have the ssl_certificate and ssl_certificate_key lines
Then, that server will inherit the ssl certs from the prior ssl server

So, perhaps there are other ssl related settings that might inherit from server to server? And, maybe you had such a setting in your self-signed server config?

Inheriting settings from the higher http level is normal. But, inheriting from prior server seems wrong to me. I don't see this kind of inheriting with other settings so seems a bug with nginx ssl setting inheritance. I never found any docs about it.