Secure Connection Failed

My domain is: shizuoka-kikoesupport.jp

I ran this command: (sudo certbot --nginx) I have obtained a certificate but continue to get a Secure Connection Failed error.

It produced this output: Error code: SSL_ERROR_ILLEGAL_PARAMETER_ALERT

My web server is (include version): Nginx 1.18.0

The operating system my web server runs on is (include version): Ubuntu 20.04

My hosting provider, if applicable, is: Kagoya (in Japan)

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): I have Webmin installed but can also access via SSH

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.29.0

I have another site running on this domain (sub domain) with a Letsencrypt certificate and it works without issue. The domain is: screen.shizuoka-kikoesupport.jp

Currently I have the site at www.shizuoka-kikoesupport.jp running in the html directory of Nginx (not a subdirectory) using port 80 because every time I attempt to set it up using 443 I get the SSL_ERROR_ILLEGAL_PARAMETER_ALERT error (in Firefox). With Safari I simply get an error indicating that the connection cannot be established.

I've tried this several times and even deleted and reissued the certificate once because I suspected it was corrupted but that did not solve my problem. I decided it might be a good idea to stop hammering away at this and step back and ask for advice/help here. The last time I was on the forums I received AMAZING support from several members who spent quite a bit of time walking me through the process of getting everything up and running. :slight_smile:

Jason

Welcome back. First, you should avoid re-creating more certs. Unless you manually damaged the cert, that would not happen, and it would produce a different error if it had. Recreating certs may result in you becoming rate limited, and that causes larger problems.

I see all the domains you show using HTTPS. The main problem is they all return the same cert and it only has one domain name in it. So, an error about "mismatched domain name" will occur.

That is, your www.screen.shizuoka-kikoesupport.jp works, but use this SSL Decoder test site for all your domains and you will see what is happening (HTTPS connects OK, but your server returns the wrong cert).

To help with this and possible connection problems with some clients it is probably best to see your nginx config. Please show the output of sudo nginx -T command. Add 3 backticks before and after the output so it is formatted properly. On a US keyboard the backtick is in upper left next to the 1 key. Like this:
```
output of: sudo nginx -T
```

6 Likes
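
The check MikeMcQ describes, done from a shell instead of a web tool. This is an added example for this thread, not code from the thread, from Certbot or from the SSL Decoder site: it opens a TLS connection to each name with that name as SNI, keeps chain verification on (Python only hands back the parsed certificate when the chain verified, so this assumes the system CA store trusts the issuer, Let's Encrypt here), turns off only the hostname check, and prints the subjectAltName the server actually sent next to the name that was asked for, plus the negotiated TLS version. A handshake alert such as the SSL_ERROR_ILLEGAL_PARAMETER_ALERT Firefox reports appears as an ssl.SSLError in the error column instead of a certificate. The hostname matching follows the usual rule (exact match, or one wildcard label on the left) and is the part that runs offline.

```python
"""Which certificate does the server present for each SNI name? (added example)"""
import socket
import ssl
from typing import Dict, List, Optional


def san_dns_names(cert: Dict) -> List[str]:
    """DNS entries of subjectAltName from an ssl.SSLSocket.getpeercert() dict."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def hostname_matches(hostname: str, names: List[str]) -> bool:
    """RFC 6125-style check: exact match, or a wildcard covering exactly one leftmost label."""
    host = hostname.lower().rstrip(".")
    for name in names:
        n = name.lower().rstrip(".")
        if n == host:
            return True
        # '*.example.jp' matches 'a.example.jp' but not 'b.a.example.jp' or 'example.jp'
        if n.startswith("*.") and host.endswith(n[1:]) and host.count(".") == n.count("."):
            return True
    return False


def probe(host: str, sni: Optional[str] = None, port: int = 443, timeout: float = 5.0) -> Dict:
    """TLS-connect to host, send `sni`, and report what came back.
    check_hostname is off so a name mismatch is reported rather than raised; chain
    verification stays on because getpeercert() returns a parsed dict only when the
    chain verified (assumes the system CA store trusts the issuer)."""
    sni = sni or host
    result = {"host": host, "sni": sni, "error": None, "san": [], "matches": False,
              "tls_version": None, "cipher": None}
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=sni) as tls:
                cert = tls.getpeercert()
                result["san"] = san_dns_names(cert)
                result["matches"] = hostname_matches(sni, result["san"])
                result["tls_version"] = tls.version()
                result["cipher"] = tls.cipher()[0]
    except (ssl.SSLError, OSError) as exc:
        # A handshake alert (e.g. illegal_parameter), a failed chain or a closed port lands here.
        result["error"] = f"{type(exc).__name__}: {exc}"
    return result


def report(names: List[str], port: int = 443) -> List[Dict]:
    """Probe each name with itself as SNI and print one line per name."""
    rows = [probe(n, port=port) for n in names]
    for r in rows:
        if r["error"]:
            print(f"{r['sni']:42} FAIL  {r['error']}")
        else:
            status = "ok   " if r["matches"] else "WRONG"
            print(f"{r['sni']:42} {status} {r['tls_version']} cert for {r['san']}")
    return rows


if __name__ == "__main__":
    import sys
    report(sys.argv[1:] or ["www.screen.shizuoka-kikoesupport.jp", "www.shizuoka-kikoesupport.jp"])
```

Run it with the names to test as arguments; a WRONG line means the handshake succeeded but the certificate returned for that SNI does not cover the name, which is exactly the "mismatched domain name" case, while a FAIL line with an alert in it is the other failure mode described in this thread.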

MikeMcQ,

Thanks for your help. Let's see, yes, I was a bit nervous about deleting the certificate but was simultaneously getting desperate so I thought it was worth a try. I will refrain from doing that again. :wink:

I'm not sure that I understand what you mean by "they all return the same cert".

I have re-enabled the www.shizuoka-kikoesupport.jp site, which breaks my site so I'd rather not leave it like that indefinitely and used the SSL Decoder tool you set for both domains:

www.screen.shizuoka-kikoesupport.jp

and

www.shizuoka-kikoesupport.jp

I'm probably missing something with the tool but it appears to me that both are ok...no?

I guess...maybe...my nginx configuration for www.shizuoka-kikoesupport.jp is wrong, but I cannot figure out what I've done wrong...it's the same, as far as I can tell, as other configs that I use successfully on a different site.

Let's see, the output of nginx -T is: (Note - I deleted the majority of the commented out lines to clean it up a bit) The first config is for ERPNext. The second one is for the site that I've enabled (www.shizuoka-kikoesupport.jp) but am unable to access. ERPNext is running at screen.shizuoka-kikoesupport.jp and the other site at shizuoka-kikoesupport.jp. I will disable the shizuoka-kikoesupport.jp site (the one with SSL) and revert back to the one that works for now.

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# configuration file /etc/nginx/nginx.conf:
user www-data;
worker_processes  auto;
worker_rlimit_nofile 65535;

error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;

events {
    worker_connections 1024;
    multi_accept on;
}

http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    tcp_nopush on;
    tcp_nodelay on;
    server_tokens off;

    # keepalive_timeout  10;
    # keepalive_requests 10;

    gzip on;
    gzip_disable "msie6";
    gzip_http_version 1.1;
    gzip_comp_level 5;
    gzip_min_length 256;
    gzip_proxied any;
    gzip_vary on;
    gzip_types
        application/atom+xml
        application/javascript
        application/json
        application/rss+xml
        application/vnd.ms-fontobject
        application/x-font-ttf
        application/font-woff
        application/x-web-app-manifest+json
        application/xhtml+xml
        application/xml
        font/opentype
        image/svg+xml
        image/x-icon
        text/css
        text/plain
        text/x-component
        ;

    server_names_hash_max_size 4096;

    open_file_cache max=65000 inactive=1m;
    open_file_cache_valid 5s;
    open_file_cache_min_uses 1;
    open_file_cache_errors on;

    ssl_protocols  SSLv3 TLSv1;
    ssl_ciphers     ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM;
    ssl_prefer_server_ciphers   on;

##
    # Virtual Host Configs
    ##

    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;

    client_max_body_size 50m;
    large_client_header_buffers 4 32k;

    proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=web-cache:8m max_size=1000m inactive=600m;

    include /etc/nginx/conf.d/*.conf;
}

# configuration file /etc/nginx/mime.types:

types {
    text/html                             html htm shtml;
    text/css                              css;
    text/xml                              xml;
    image/gif                             gif;
    image/jpeg                            jpeg jpg;
    application/javascript                js;
    application/atom+xml                  atom;
    application/rss+xml                   rss;

    text/mathml                           mml;
    text/plain                            txt;
    text/vnd.sun.j2me.app-descriptor      jad;
    text/vnd.wap.wml                      wml;
    text/x-component                      htc;

    image/png                             png;
    image/tiff                            tif tiff;
    image/vnd.wap.wbmp                    wbmp;
    image/x-icon                          ico;
    image/x-jng                           jng;
    image/x-ms-bmp                        bmp;
    image/svg+xml                         svg svgz;
    image/webp                            webp;

    application/font-woff                 woff;
    application/java-archive              jar war ear;
    application/json                      json;
    application/mac-binhex40              hqx;
    application/msword                    doc;
    application/pdf                       pdf;
    application/postscript                ps eps ai;
    application/rtf                       rtf;
    application/vnd.apple.mpegurl         m3u8;
    application/vnd.ms-excel              xls;
    application/vnd.ms-fontobject         eot;
    application/vnd.ms-powerpoint         ppt;
    application/vnd.wap.wmlc              wmlc;
    application/vnd.google-earth.kml+xml  kml;
    application/vnd.google-earth.kmz      kmz;
    application/x-7z-compressed           7z;
    application/x-cocoa                   cco;
    application/x-java-archive-diff       jardiff;
    application/x-java-jnlp-file          jnlp;
    application/x-makeself                run;
    application/x-perl                    pl pm;
    application/x-pilot                   prc pdb;
    application/x-rar-compressed          rar;
    application/x-redhat-package-manager  rpm;
    application/x-sea                     sea;
    application/x-shockwave-flash         swf;
    application/x-stuffit                 sit;
    application/x-tcl                     tcl tk;
    application/x-x509-ca-cert            der pem crt;
    application/x-xpinstall               xpi;
    application/xhtml+xml                 xhtml;
    application/xspf+xml                  xspf;
    application/zip                       zip;

    application/octet-stream              bin exe dll;
    application/octet-stream              deb;
    application/octet-stream              dmg;
    application/octet-stream              iso img;
    application/octet-stream              msi msp msm;

    application/vnd.openxmlformats-officedocument.wordprocessingml.document    docx;
    application/vnd.openxmlformats-officedocument.spreadsheetml.sheet          xlsx;
    application/vnd.openxmlformats-officedocument.presentationml.presentation  pptx;

    audio/midi                            mid midi kar;
    audio/mpeg                            mp3;
    audio/ogg                             ogg;
    audio/x-m4a                           m4a;
    audio/x-realaudio                     ra;

    video/3gpp                            3gpp 3gp;
    video/mp2t                            ts;
    video/mp4                             mp4;
    video/mpeg                            mpeg mpg;
    video/quicktime                       mov;
    video/webm                            webm;
    video/x-flv                           flv;
    video/x-m4v                           m4v;
    video/x-mng                           mng;
    video/x-ms-asf                        asx asf;
    video/x-ms-wmv                        wmv;
    video/x-msvideo                       avi;
}

# configuration file /etc/nginx/sites-enabled/erpnext:
upstream frappe-bench-frappe {
	server 127.0.0.1:8000 fail_timeout=0;
}

upstream frappe-bench-socketio-server {
	server 127.0.0.1:9000 fail_timeout=0;
}

# setup maps

map $host $site_name_hicnffj {
	www.screen.shizuoka-kikoesupport.jp site1.local;
	[www.screen.shizuoka-kikoesupport.jp] site1.local;
	default $host;
	
}

# server blocks

server {
	
	listen 443 ssl;

	server_name
		www.screen.shizuoka-kikoesupport.jp
		;

	root /home/frappe/frappe-bench/sites;
	
	proxy_buffer_size 128k;
	proxy_buffers 4 256k;
	proxy_busy_buffers_size 256k;
    ssl_certificate /etc/letsencrypt/live/www.screen.shizuoka-kikoesupport.jp/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/www.screen.shizuoka-kikoesupport.jp/privkey.pem; # managed by Certbot
	ssl_session_timeout  5m;
	ssl_session_cache shared:SSL:10m;
	ssl_session_tickets off;
	ssl_stapling on;
	ssl_stapling_verify on;
	ssl_protocols TLSv1.2 TLSv1.3;
	ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
	ssl_ecdh_curve secp384r1;
	ssl_prefer_server_ciphers on;
	
	add_header X-Frame-Options "SAMEORIGIN";
	add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
	add_header X-Content-Type-Options nosniff;
	add_header X-XSS-Protection "1; mode=block";
	add_header Referrer-Policy "same-origin, strict-origin-when-cross-origin";

	location /assets {
		try_files $uri =404;
	}

	location ~ ^/protected/(.*) {
		internal;
		try_files /$host/$1 =404;
	}

	location /socket.io {
		proxy_http_version 1.1;
		proxy_set_header Upgrade $http_upgrade;
		proxy_set_header Connection "upgrade";
		proxy_set_header X-Frappe-Site-Name $host;
		proxy_set_header Origin $scheme://$http_host;
		proxy_set_header Host $host;

		proxy_pass http://frappe-bench-socketio-server;
	}

	location / {

 		rewrite ^(.+)/$ $1 permanent;
  		rewrite ^(.+)/index\.html$ $1 permanent;
  		rewrite ^(.+)\.html$ $1 permanent;

		location ~ ^/files/.*.(htm|html|svg|xml) {
			add_header Content-disposition "attachment";
			try_files /$host/public/$uri @webserver;
		}

		try_files /$host/public/$uri @webserver;
	}

	location @webserver {
		proxy_set_header X-Forwarded-For $remote_addr;
		proxy_set_header X-Forwarded-Proto $scheme;
		proxy_set_header X-Frappe-Site-Name $host;
		proxy_set_header Host $host;
		proxy_set_header X-Use-X-Accel-Redirect True;
		proxy_read_timeout 120;
		proxy_redirect off;

		proxy_pass  http://frappe-bench-frappe;
	}

	# error pages
	error_page 502 /502.html;
	location /502.html {
		root /home/frappe/.local/lib/python3.8/site-packages/bench/config/templates;
		internal;
	}

	# optimizations
	sendfile on;
	keepalive_timeout 15;
	client_max_body_size 50m;
	client_body_buffer_size 16K;
	client_header_buffer_size 1k;

	# enable gzip compresion
	# based on https://mattstauffer.co/blog/enabling-gzip-on-nginx-servers-including-laravel-forge
	gzip on;
	gzip_http_version 1.1;
	gzip_comp_level 5;
	gzip_min_length 256;
	gzip_proxied any;
	gzip_vary on;
	gzip_types
		application/atom+xml
		application/javascript
		application/json
		application/rss+xml
		application/vnd.ms-fontobject
		application/x-font-ttf
		application/font-woff
		application/x-web-app-manifest+json
		application/xhtml+xml
		application/xml
		font/opentype
		image/svg+xml
		image/x-icon
		text/css
		text/plain
		text/x-component
		;
		# text/html is always compressed by HttpGzipModule

}

# http to https redirect
	server {
    if ($host = www.screen.shizuoka-kikoesupport.jp) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

		listen 80;
		server_name
			www.screen.shizuoka-kikoesupport.jp
			;

		return 301 https://$host$request_uri;
	
}

server {
    set $host_path /var/www/html/oldkikoesupport;
	server_name  www.shizuoka-kikoesupport.jp;
	root /var/www/html/oldkikoesupport;
    charset utf-8;
    try_files $uri $uri/ /index.php?r=$uri&$args;
    index index.html index.php index.htm index.nginx-debian.html;

	location / {
		try_files $uri $uri/ /index.php?$args;
	}

    listen [::]:443 ssl; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/www.shizuoka-kikoesupport.jp/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/www.shizuoka-kikoesupport.jp/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}

server {
    if ($host = www.shizuoka-kikoesupport.jp) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


	listen 80;
	listen [::]:80;
	server_name www.shizuoka-kikoesupport.jp;
    return 404; # managed by Certbot


}

ssl_session_cache shared:le_nginx_SSL:10m;
ssl_session_timeout 1440m;
ssl_session_tickets off;

ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;

ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
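
Reading a long `nginx -T` dump by eye is error-prone, and the dump above shows why: a server block's TLS settings can come from three places, the `http{}` block (here `ssl_protocols SSLv3 TLSv1;` and an RC4-containing `ssl_ciphers`), the server block itself, and files it includes such as `/etc/letsencrypt/options-ssl-nginx.conf`, which `nginx -T` prints as its own section rather than inline. The script below is an added example for this thread, not part of nginx, Certbot or the poster's configuration. It splits a dump on the `# configuration file ...:` headers, parses each section, and prints the effective `ssl_*` settings, certificate and listen lines per server together with where each setting came from. The embedded SAMPLE_DUMP is a constructed, condensed copy of the config posted above; the path `/etc/nginx/sites-enabled/kikoesupport` for the second site is an assumed label because the post shows no header for that file. The parser assumes no `#` inside quoted values, does not expand `include` globs, and treats every top-level `server{}` in a section as a child of `http{}` (which is how sites-enabled files are included here). On the sample it shows that the http-level `ssl_protocols SSLv3 TLSv1;` is overridden in both server blocks (directly in one, via the Certbot include in the other), and that the ERPNext block is the default server for port 443 because it comes first and nothing is marked `default_server`.

```python
"""Per-server TLS summary from an `nginx -T` dump (added example; not nginx's or the poster's code)."""
import re
import sys

FILE_HEADER = re.compile(r"^# configuration file (\S+):[ \t]*$", re.M)
SSL_KEYS = ("ssl_protocols", "ssl_ciphers", "ssl_prefer_server_ciphers", "ssl_ecdh_curve")
LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# Constructed, condensed copy of the config posted in the thread. The file path of the
# second site is assumed; the post shows no header for it.
SAMPLE_DUMP = """
# configuration file /etc/nginx/nginx.conf:
http {
    ssl_protocols  SSLv3 TLSv1;
    include /etc/nginx/sites-enabled/*;
}
# configuration file /etc/nginx/sites-enabled/erpnext:
server {
    listen 443 ssl;
    server_name www.screen.shizuoka-kikoesupport.jp;
    ssl_certificate /etc/letsencrypt/live/www.screen.shizuoka-kikoesupport.jp/fullchain.pem; # managed by Certbot
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ecdh_curve secp384r1;
}
# configuration file /etc/nginx/sites-enabled/kikoesupport:
server {
    server_name www.shizuoka-kikoesupport.jp;
    listen [::]:443 ssl; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/www.shizuoka-kikoesupport.jp/fullchain.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
}
# configuration file /etc/letsencrypt/options-ssl-nginx.conf:
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;
ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256";
"""


def split_dump(dump):
    """{path: text} keyed by the '# configuration file X:' header nginx -T prints before each file."""
    parts = FILE_HEADER.split(dump)
    return {parts[i]: parts[i + 1] for i in range(1, len(parts) - 1, 2)}


def parse(text):
    """One file -> list of (directive, args, children); children is None for a simple directive.
    Comments are stripped to end of line, so a '#' inside a quoted value is not supported."""
    root, buf = [], ""
    stack = [root]
    for ch in re.sub(r"#.*", "", text):
        if ch in "{;":
            words, buf = [w.strip("\"'") for w in buf.split()], ""
            if not words:
                continue
            node = (words[0], words[1:], [] if ch == "{" else None)
            stack[-1].append(node)
            if ch == "{":
                stack.append(node[2])
        elif ch == "}":
            stack.pop()
            buf = ""
        else:
            buf += ch
    return root


def http_defaults(trees):
    """ssl_* directives set directly in http{}; every server block inherits them unless it overrides."""
    return {d: (" ".join(a), "http") for tree in trees.values()
            for name, _, kids in tree if name == "http" and kids
            for d, a, _ in kids if d in SSL_KEYS}


def server_summary(files):
    """Effective TLS settings per server{}; each value is (text, source)."""
    trees = {path: parse(text) for path, text in files.items()}
    defaults, out = http_defaults(trees), []
    for path, tree in trees.items():
        for name, _, kids in tree:
            if name != "server" or kids is None:
                continue
            s = {"file": path, "names": [], "listen": [], "cert": None, "tls": dict(defaults)}
            for d, a, _ in kids:  # later directives win, including those pulled in by include
                if d == "listen":
                    s["listen"].append(" ".join(a))
                elif d == "server_name":
                    s["names"].extend(a)
                elif d == "ssl_certificate":
                    s["cert"] = a[0]
                elif d in SSL_KEYS:
                    s["tls"][d] = (" ".join(a), "server")
                elif d == "include" and a and a[0] in trees:  # globs are not expanded
                    for d2, a2, _ in trees[a[0]]:
                        if d2 in SSL_KEYS:
                            s["tls"][d2] = (" ".join(a2), "include " + a[0])
            out.append(s)
    return out


def legacy_protocols(server):
    """Versions in the effective ssl_protocols that current browsers no longer offer."""
    return [p for p in server["tls"].get("ssl_protocols", ("", ""))[0].split() if p in LEGACY]


def default_server_for(servers, port):
    """nginx uses the first server{} for an address:port unless one is marked default_server."""
    on_port = [s for s in servers if any(l.split()[0].rsplit(":", 1)[-1] == str(port) for l in s["listen"])]
    marked = [s for s in on_port if any("default_server" in l for l in s["listen"])]
    return (marked or on_port or [None])[0]


if __name__ == "__main__":  # e.g.  sudo nginx -T | python3 tls_summary.py
    dump = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DUMP
    for srv in server_summary(split_dump(dump)):
        print(srv["file"], srv["names"], srv["listen"], srv["cert"], legacy_protocols(srv) or "ok")
        for k, (v, src) in sorted(srv["tls"].items()):
            print(f"    {k:26} {v[:44]:44} <- {src}")
```

Feed it a real dump with `sudo nginx -T | python3 tls_summary.py`; with no stdin it runs on the constructed sample. The "<- source" column is the useful part when two sites behave differently: it tells you whether a setting was inherited, written in the block, or brought in by a Certbot include.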

That second include is redundant [and should be removed].

Not sure what this does exactly, but it seems unnecessary:

5 Likes

rg305,

Thanks. I have removed the second redundant include statement.

Regarding:

set $host_path /var/www/html/oldkikoesupport;

That is in a different config file I have on a different server so, out of desperation, I added it to see if it would affect anything but it didn't.

What is this supposed to do?:

map $host $site_name_hicnffj {
	www.screen.shizuoka-kikoesupport.jp site1.local;
	[www.screen.shizuoka-kikoesupport.jp] site1.local;
	default $host;
}
5 Likes

I'm afraid that I'm not exactly sure. It is part of the default config for ERPNext. site1.local is the title of the site, within that framework, that is served at the screen.shizuoka-kikoesupport.jp address.

I have several test sites running on a different server with a very similar configuration.

https://www.screen.kyouikulogistics.com
https://www.support.kyouikulogistics.com

The first one, screen, is an instance of ERPNext.
The second one, support, is a Moodle site.

The only difference between how I have those sites setup and the ones I'm now trying to setup, as far as I can see, is that in the case of the two above, they are both running on subdomains. What I am trying to do now is have one served on a subdomain and the other on the main domain. I didn't think doing so was problematic but...

The second HTTPS server block contains:

    ssl_certificate /etc/letsencrypt/live/www.shizuoka-kikoesupport.jp/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/www.shizuoka-kikoesupport.jp/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

But the first block doesn't contain those last two lines.

Tell me more about the error you are having and how to reproduce it.

5 Likes

The large HTTPS server block contains sections that are repeated from the main HTTP block.
[or should belong in the main HTTP block]
Like:

	# optimizations
	sendfile on;
	keepalive_timeout 15;
	client_max_body_size 50m;
	client_body_buffer_size 16K;
	client_header_buffer_size 1k;

	# enable gzip compresion
	# based on https://mattstauffer.co/blog/enabling-gzip-on-nginx-servers-including-laravel-forge
	gzip on;
	gzip_http_version 1.1;
	gzip_comp_level 5;
	gzip_min_length 256;
	gzip_proxied any;
	gzip_vary on;
	gzip_types
		application/atom+xml
		application/javascript
		application/json
		application/rss+xml
		application/vnd.ms-fontobject
		application/x-font-ttf
		application/font-woff
		application/x-web-app-manifest+json
		application/xhtml+xml
		application/xml
		font/opentype
		image/svg+xml
		image/x-icon
		text/css
		text/plain
		text/x-component
		;
		# text/html is always compressed by HttpGzipModule
5 Likes

Thanks again. When I enable the second site (www.shizuoka-kikoesupport.jp) to use SSL, the site is inaccessible. If accessed with Firefox, I get the "Secure Connection Failed" message. With Safari, I get

"Safari can't open the page "https://www.shizuoka-kikoesupport.jp" because Safari can't establish a secure connection to the server "www-shizuoka-kikoesupport.jp".

I had the site enabled without SSL but have just now switched back (reenabled) to the site that should be using SSL (the one in the config file attached previously) and disabled the one using 80.

1 Like

Show me the file for the site you are enabling.

4 Likes

Regarding that mess in the ERPNext config file, I'm not sure why there are redundancies there. I haven't messed with that one...but will work to clean it up...just hope I don't mess that site up since its working without issue. :slight_smile:

I need to see "the problem file".

4 Likes

It is the one that was included in the nginx -T output. This one:

server {
    set $host_path /var/www/html/oldkikoesupport;
	server_name  www.shizuoka-kikoesupport.jp;
	root /var/www/html/oldkikoesupport;
    charset utf-8;
    try_files $uri $uri/ /index.php?r=$uri&$args;
    index index.html index.php index.htm index.nginx-debian.html;

	location / {
		try_files $uri $uri/ /index.php?$args;
	}

    listen [::]:443 ssl; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/www.shizuoka-kikoesupport.jp/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/www.shizuoka-kikoesupport.jp/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}

server {
    if ($host = www.shizuoka-kikoesupport.jp) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

	listen 80;
	listen [::]:80;
	server_name www.shizuoka-kikoesupport.jp;
    return 404; # managed by Certbot

}

P.S. I just commented out:

set $host_path /var/www/html/oldkikoesupport;

And restarted nginx in the odd case that it might be causing a problem but nothing changed.

What is (an example of) the URL that has "the problem"?
I'd like to see the problem firsthand.

4 Likes

Sorry, I'm not sure I follow you....Oh, I see. The site is currently enabled so if you attempt to access the following URL you should see the problem.

What....that is odd. The page preview that appears here is for a different site...

Which site?
[sorry, I can't read it]
[that could be a clue]

4 Likes

This is very odd. So, when I add a URL here (the URL is 'www.shizuoka-kikoesupport.jp') a preview appears (in Japanese). The preview is for the hospital that this site (the one I'm trying to get to work with an SSL cert) is affiliated with, but the URL for the hospital is different ('www.shizuoka-pho.jp/sogo/').

I don't understand why that text is appearing. Interestingly though, it is information about the "Kikoetokotoba Center" (Hearing and Language Support Center). The site I am trying to get up and running is the Hearing and Language Support Center.

Wait...I just recently (last week) had this domain transferred from the previous registrar and I believe it had an associated SSL certificate prior to the transfer. Is there any chance of some kind of certificate conflict...or is that even a thing?

Not likely...
But there might be some browser cached elements.
Try clearing that.

I checked DNS and that all looks fine.

Please show:
```
netstat -pant | grep -i listen | grep -E '80|443'
```

4 Likes