"Secure Connection Failed" Error when trying to connect to HTTPS

#1

I am trying to set up a Discourse VM (with Ubuntu Server 18.0.4.2 LTS as the main OS) that is reverse proxying through an Nginx VM (with Ubuntu Server 18.0.4.2 LTS as the main OS).

I can connect to the HTTP instance, but not HTTPS. I suspect the issue I’m running into is related to the Let’s Encrypt Key/Cert pair as I’m receiving Secure Connection Failed when I try logging into it. Please see THIS post (and the one below) from the Discourse Forum community for additional details (although there I use “myreserveddns.com” in place of “epochgames.co.uk”).

My domain is: https://board.epochgames.co.uk (more accurately https://board.myreserveddns.com:2045)

I ran this command: Ran letsencrypt certonly on the Discourse server to create the key/cert pair, and SCPed them to /etc/nginx/ssl/ on the Nginx server. I have been following this guide.

It produced this output: “Secure Connection Failed” when I try to connect to the HTTPS site in a browser. No errors when I connect to the HTTP site (http://board.myreserveddns.com:2045)

My web server is (include version): I am setting up the Discourse and Nginx VMs on a Dell PowerEdge server with Proxmox VE 5.3 as the main OS. The “epochgames.co.uk” domain is registered with 123-Domains; the subdomain (“board” in this case) is set up in a Plesk Onyx 17.8.11 from UnlimitedWebHosting.

The operating system my web server runs on is (include version): I think I explained this enough up above, yes?

My hosting provider, if applicable, is: Again, I believe is explained above.

I can login to a root shell on my machine (yes or no, or I don’t know): Yes to the Proxmox Server and all the VMs inside it (the server is literally sitting in my home). The 123-Domains account and the UnlimitedWebHosting Plesk Server are both hosted in the Cloud, so no to those two.

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): I think I’ve provided such details above.

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): I think I’ve provided such details above.

If you need me to provide details, please let me know.

#2

Hi @naupe1

That can’t work. This Plesk setting is only a local setting. Result: Your subdomain doesn’t exist ( https://check-your-website.server-daten.de/?q=boards.epochgames.co.uk ):

Host                         T           IP-Address  is auth.  ∑ Queries  ∑ Timeout
boards.epochgames.co.uk      Name Error              yes       1          0
www.boards.epochgames.co.uk  Name Error              yes       1          0

Same with your other domain.

You have to create that entry in your domain management menu of 123-Domains, if you want a certificate with that domain name.

#3

I’m an idiot, I meant to put board.epochgames.co.uk, not boards.epochgames.co.uk in the original post (which I’ve updated)

What about that Domain Name?

#4

There is a correct DNS entry ( https://check-your-website.server-daten.de/?q=board.epochgames.co.uk ):

Host                        T           IP-Address      is auth.  ∑ Queries  ∑ Timeout
board.epochgames.co.uk      A           96.244.131.200  yes       1          0
                            AAAA                        yes
www.board.epochgames.co.uk  Name Error                  yes       1          0

But from outside, there are only timeouts visible:

Domainname                                                                                       IP-Address      Http-Status  redirect  Sec.    G
http://board.epochgames.co.uk/                                                                   96.244.131.200  -14                    10.027  T   Timeout - The operation has timed out
https://board.epochgames.co.uk/                                                                  96.244.131.200  -14                    10.024  T   Timeout - The operation has timed out
http://board.epochgames.co.uk/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de  96.244.131.200  -14                    10.027  T   Timeout - The operation has timed out

Visible Content: (none)

Same checking Port 2045.

So I don’t know if there is a working certificate.

#5

Right, so the server is actually down right now (and is, in fact, most of the day, as it’s not seeing active usage yet).

However, I now have these handy links to test this out myself. When I have time to turn on my server (and the VMs) I will test this out and post the results in this topic. Then from there I’m sure better troubleshooting results can occur.

#6

So, I have my Server running now. I must admit I’m not really sure how this “check-your-website-server” site works. board.epochgames.co.uk is accurate, and when I type in www.board.epochgames.co.uk I get “No IP-Adresses found.”

Moving on to the Domain Name test, this is what I receive:

Domain Name                          What Happens?
http://board.epochgames.co.uk/       Redirects to https://board.epochgames.co.uk/
https://board.epochgames.co.uk/      “Secure Connection Failed: The connection to board.epochgames.co.uk was interrupted while the page was loading.”
http://board.epochgames.co.uk:2045   “Congratulations, you installed Discourse!” (the message I expect to see)
https://board.epochgames.co.uk:2045  “Secure Connection Failed: An error occurred during a connection to board.epochgames.co.uk:2045. SSL received a record that exceeded the maximum permissible length. Error code: SSL_ERROR_RX_RECORD_TOO_LONG”

As I mentioned in the OP: I created the Key/Cert pair on the Discourse VM and then SCPed it to the Nginx VM. I then link to the Key/Cert Pair in the Nginx conf file as mentioned in this Discourse forum post.

Where did I go wrong?

#7

UPDATE: Ok @JuergenAuer, I think I’ve realized the problem is likely with the Key/Cert Pair. I have updated my Nginx CONF file as follows:

server {
    listen 80; listen [::]:80;
    server_name boards.epochgames.co.uk;

    # Redirect all HTTP requests to HTTPS with a 301 Moved Permanently response.
    return 301 https://$host$request_uri;
}

server {
    # The IP that you forwarded in your router (nginx proxy)
    listen 443 ssl http2; listen [::]:443 ssl http2;

    # Make site accessible from http://localhost/
    server_name boards.epochgames.co.uk;
    root /home/lighttpd/http;

    # SSL config
    # ssl on;
    ssl_certificate /etc/nginx/ssl/0000_csr-certbot.pem;
    ssl_certificate_key /etc/nginx/ssl/0000_key-certbot.pem;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;
    # include /etc/nginx/snippets/ssl.conf;

    # The internal IP of the VM that hosts your Apache config
    set $upstream 192.168.0.104:2045/;

    location / {
        # proxy_pass_header Authorization;
        proxy_pass http://$upstream;
        proxy_set_header Host $host;
        # Discourse reads X-Forwarded-Proto (not X-Forward-Proto) to learn the original scheme
        proxy_set_header X-Forwarded-Proto $scheme; # X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_http_version 1.1;
        # proxy_set_header Connection "";
        # proxy_buffering off;
        # client_max_body_size 0;
        # proxy_read_timeout 36000s;
        proxy_redirect http://$upstream https://boards.epochgames.co.uk/;
    }
}

When I run nginx -t I receive the following:

nginx: [emerg] PEM_read_bio_X509_AUX("/etc/nginx/ssl/0000_csr-certbot.pem") failed (SSL: error:0906D06C:PEM routines:PEM_read_bio:no start line:Expecting: TRUSTED CERTIFICATE)
nginx: configuration file /etc/nginx/nginx.conf test failed

I don’t think I’m generating the Key/Cert pair properly. @JuergenAuer would you mind explaining how I would go about generating a proper Let’s Encrypt Key/Cert pair? And would I do it on the Discourse VM or on the Nginx VM?

#8

You have used

Checking the link you have installed “Letsencrypt”.

sudo apt install letsencrypt -y

That’s an old version; letsencrypt has been renamed to Certbot.

Certbot creates the key pairs automatically.

#9

Isn’t that the certificate signing request instead of the certificate?
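A check for the nginx -t error in #7 and the CSR question in #9, added here as an example and not part of the thread: it reads the PEM header labels of the files named by ssl_certificate and ssl_certificate_key (a Let’s Encrypt fullchain carries CERTIFICATE blocks, whereas a 0000_csr-certbot.pem file is a CERTIFICATE REQUEST that nginx cannot load) and, when openssl is installed, confirms the private key matches the leaf certificate. The file paths in the usage comment are assumptions.

```shell
#!/bin/sh
# Classify the PEM blocks in a file and sanity-check an nginx ssl_certificate /
# ssl_certificate_key pair before running `nginx -t`.

# pem_kind FILE: print the distinct "-----BEGIN <TYPE>-----" labels found in FILE,
# e.g. "CERTIFICATE" for a fullchain, "CERTIFICATE REQUEST" for a CSR.
pem_kind() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | sort -u | tr '\n' ' ' | sed 's/ *$//'
}

# check_ssl_pair CERT KEY: return 0 only if CERT is an actual certificate (not a CSR),
# KEY holds a private key and, when openssl is installed, the two belong together.
check_ssl_pair() {
    cert=$1
    key=$2
    case "$(pem_kind "$cert")" in
        *"CERTIFICATE REQUEST"*)
            echo "ERROR: $cert is a certificate signing request, not a certificate" >&2
            return 1 ;;
        *CERTIFICATE*) ;;
        *)
            echo "ERROR: $cert contains no CERTIFICATE block" >&2
            return 1 ;;
    esac
    case "$(pem_kind "$key")" in
        *"PRIVATE KEY"*) ;;
        *)
            echo "ERROR: $key contains no PRIVATE KEY block" >&2
            return 1 ;;
    esac
    if command -v openssl >/dev/null 2>&1; then
        # Compare the public key embedded in the leaf certificate with the one
        # derived from the private key; a mismatch means nginx will refuse the pair.
        cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
        key_pub=$(openssl pkey -in "$key" -pubout | openssl sha256)
        if [ "$cert_pub" != "$key_pub" ]; then
            echo "ERROR: $key does not match $cert" >&2
            return 1
        fi
    fi
    echo "OK: $cert ($(pem_kind "$cert")) matches $key"
}

# Usage (assumed paths): sh check_pair.sh /etc/nginx/ssl/fullchain1.pem /etc/nginx/ssl/privkey1.pem
if [ $# -ge 2 ]; then
    check_ssl_pair "$1" "$2"
fi
```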

#10

UPDATE: I looked through some old notes of when I got Discourse working on a previous server (although Nginx was on that same server). I followed Step 3 of this guide for generating the Let’s Encrypt Key/Cert pair. Here is my Nginx conf file:

server {
    listen 80; listen [::]:80;
    server_name board.epochgames.co.uk;

    # Redirect all HTTP requests to HTTPS with a 301 Moved Permanently response.
    return 301 https://$host$request_uri;
}

server {
    # The IP that you forwarded in your router (nginx proxy)
    listen 443 ssl http2; listen [::]:443 ssl http2;

    # Make site accessible from http://localhost/
    server_name board.epochgames.co.uk;
    root /home/lighttpd/http;

    # SSL config
    # ssl on;
    ssl_certificate /etc/nginx/ssl/fullchain1.pem;
    ssl_certificate_key /etc/nginx/ssl/privkey1.pem;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;
    # include /etc/nginx/snippets/ssl.conf;

    # The internal IP of the VM that hosts your Apache config
    set $upstream board.epochgames.co.uk;

    location / {
        # proxy_pass_header Authorization;
        proxy_pass http://$upstream;
        proxy_set_header Host $host;
        # Discourse reads X-Forwarded-Proto (not X-Forward-Proto) to learn the original scheme
        proxy_set_header X-Forwarded-Proto $scheme; # X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_http_version 1.1;
        # proxy_set_header Connection "";
        # proxy_buffering off;
        # client_max_body_size 0;
        proxy_read_timeout 90; #36000s;
        proxy_redirect http://$upstream https://board.epochgames.co.uk;
    }
}

And here are the results after restarting Nginx:

Domain Name                          What Happens?
http://board.epochgames.co.uk/       Redirects to https://board.epochgames.co.uk/
https://board.epochgames.co.uk/      “Apache2 Ubuntu Default Page”. It’s identical to THIS page.
http://board.epochgames.co.uk:2045   “Congratulations, you installed Discourse!” (the message I expect to see)
https://board.epochgames.co.uk:2045  “Secure Connection Failed: An error occurred during a connection to board.epochgames.co.uk:2045. SSL received a record that exceeded the maximum permissible length. Error code: SSL_ERROR_RX_RECORD_TOO_LONG”

Let me make this clear: Apache is not installed on either the Nginx VM or the Discourse VM! I ran apt purge apache on both and the “apache” package was not found!

So the only difference now is https://board.epochgames.co.uk/. I remember running into the Apache Default Page before in a previous install of Discourse, but can’t remember what fixed it. Any ideas?

Thanks for the link @JuergenAuer, but I don’t believe this site is very straight-forward. So I sought out THIS guide to explain certbot installation and went through the following steps:

sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install python-certbot-nginx
sudo vim /etc/nginx/sites-available/default

Added boards.epochgames.co.uk to the default file. nginx -t brought up an error about port 80 already being called, so I commented out server { listen 80; ... } section in the board.epochgames.co.uk Nginx conf file. Now nginx -t reports no errors.

So now I ran certbot --nginx, where I “reinstalled” the existing certificate for board.epochgames.co.uk (and chose the Redirect option). Got the Congratulations! You have successfully enabled https://board.epochgames.co.uk message, restarted Nginx and tried out the site URLs again … same results as before certbot install.

I don’t think it’s the keys/certs anymore? I’m not really sure what to try next. I’m tempted to try installing Nginx straight on the Discourse VM itself and running through the Let’s Encrypt key/cert process on that server, to see if that does any good. Any ideas?