Self-signed certificate (maybe ipv6)

Hi,

Recently I ran into trouble with my certificate: a few days ago some of the requests (mainly run by curl) started to fail, returning an error (e.g. for the command curl -X GET https://oenergetice.cz/)

curl: (60) SSL certificate problem: self signed certificate.

I tried to renew the certificate, but it did not help.

Anyway, it seems to be related to IPv6, since when I run the same curl command with the --ipv4 flag, it runs as expected.

I don't know exactly what the issue could be, since this error began to appear unexpectedly, without any changes to the SSL certificate.

Does any of you have an idea what could be wrong with the server or certificate, or how to fix the issue described above?

Below I filled in some details regarding the web server, but I will be more than happy to provide more in order to get this working.

Thanks a lot for your help in advance!


When I run the

My domain is: oenergetice.cz

I ran this command: echo | openssl s_client -showcerts -servername oenergetice.cz -connect oenergetice.cz:443 2>/dev/null | openssl x509 -inform pem -noout -text

It produced this output:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = HTTPS-Self-Signed-Certificate-423fc6c30b423061
        Validity
            Not Before: Jan  1 00:03:21 2011 GMT
            Not After : Dec 27 00:03:21 2030 GMT
        Subject: CN = HTTPS-Self-Signed-Certificate-423fc6c30b423061
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:e0:1f:f5:8f:e5:78:2c:48:5a:b8:6c:6c:5b:53:
                    88:03:eb:7a:1d:89:16:72:47:7f:2f:ff:da:40:31:
                    f1:ae:55:2d:88:3d:13:d2:cc:66:e7:4e:c5:11:53:
                    21:38:63:7f:2d:dc:3f:83:a0:3d:25:92:eb:b5:4f:
                    59:d5:db:60:2f:16:98:41:d3:e4:9b:12:fd:b1:ad:
                    a5:62:8f:d3:d5:21:30:66:c2:5a:77:9c:d3:a4:8a:
                    8a:57:0f:4f:ec:e7:e8:d8:89:45:c3:d5:28:c7:03:
                    63:7b:92:aa:b9:4d:83:8e:61:26:fb:3a:01:38:ce:
                    14:f3:e4:ca:a6:5d:55:cf:63:91:4a:4c:bc:97:42:
                    88:2c:d7:0d:bf:f8:de:56:a0:d8:84:c9:b1:51:4d:
                    80:75:79:19:a6:68:7f:2e:aa:a6:87:1f:87:50:37:
                    22:d2:fc:c9:e9:4f:59:40:b3:db:f7:1c:e0:3c:4b:
                    4b:c8:5a:67:f9:75:cd:20:21:1d:b0:99:b7:19:d6:
                    a4:28:f3:9b:78:4d:83:f8:73:95:87:86:f7:15:ae:
                    e6:25:aa:d0:9f:bb:01:5c:eb:d1:de:33:cf:c1:e3:
                    6a:6d:1d:2b:4c:d1:60:89:a9:f7:bf:d9:c4:94:c3:
                    2b:54:0b:72:f2:42:a8:ae:c3:1a:2e:50:17:0f:22:
                    0e:f3
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
    Signature Algorithm: sha256WithRSAEncryption
         09:ba:14:de:96:81:eb:5a:73:65:73:fe:9d:ad:5d:2a:4e:d6:
         f7:63:e1:3b:bd:d3:ff:ab:76:17:c4:4f:0f:ce:6b:97:d2:91:
         f3:9d:b3:c1:27:3c:86:e6:cd:79:db:3a:f8:50:4a:a1:08:b7:
         5b:19:fa:b5:61:7b:b1:f8:1f:5a:dc:e7:47:17:84:3a:c1:c6:
         65:ae:2e:0d:39:11:a3:da:d4:cd:01:e7:c1:80:a1:59:e1:10:
         a8:0d:cc:b2:4c:46:d2:fe:4b:9f:57:0a:99:2f:a6:43:38:92:
         d9:51:dc:12:87:79:c9:c1:da:53:32:18:52:99:e3:8a:3b:c3:
         a3:21:77:c8:a4:69:39:55:86:b4:87:5c:9b:b8:82:0e:3d:be:
         26:7f:e6:50:dc:97:4f:5c:79:4c:c1:cc:b2:4d:85:7e:ff:55:
         fa:f3:51:3b:59:26:5b:6e:1e:bc:32:1f:77:fc:66:20:46:cd:
         b4:c8:83:91:8d:2b:bf:b0:c9:32:40:21:6f:07:84:50:a8:cc:
         1d:8e:87:84:9a:c1:9e:df:92:bc:93:84:d6:7c:34:ac:59:17:
         5e:8a:d0:b8:b9:f0:c8:01:da:3c:1e:af:53:88:63:32:b1:67:
         e6:4d:24:06:14:1e:b9:ea:ab:a7:c5:d8:81:e2:4e:f1:4d:0b:
         eb:21:eb:ee

My web server is (include version): nginx/1.15.8

The operating system my web server runs on is (include version): Debian 8

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.33.1

Hi @vorisekmartin,

I can confirm that the certificate is valid in IPv4 and invalid in IPv6. Have you tried looking in your nginx configuration? Probably you have different server blocks that apply to IPv4 and IPv6 addresses.

Hi @vorisekmartin

there are different problems ( https://check-your-website.server-daten.de/?q=oenergetice.cz ):

Domainname                    IP                 Http-Status  Redirect                      Sec.   G
http://oenergetice.cz/        31.31.76.239       301          https://oenergetice.cz/       0.090  A
http://www.oenergetice.cz/    31.31.76.239       301          https://www.oenergetice.cz/   0.094  A
http://oenergetice.cz/        2a02:2b88:2:1::1   -2                                         1.077  V
    ConnectFailure - Unable to connect to the remote server No connection could be made because the target machine actively refused it [2a02:2b88:2:1::1]:80
http://www.oenergetice.cz/    2a02:2b88:2:1::1   -2                                         1.070  V
    ConnectFailure - Unable to connect to the remote server No connection could be made because the target machine actively refused it [2a02:2b88:2:1::1]:80
https://www.oenergetice.cz/   31.31.76.239       301          https://oenergetice.cz/       0.533  B
https://oenergetice.cz/       31.31.76.239       200                                        0.883  B
https://oenergetice.cz/       2a02:2b88:2:1::1   404                                        0.324  N
    Not Found
    Certificate error: RemoteCertificateNameMismatch, RemoteCertificateChainErrors
https://www.oenergetice.cz/   2a02:2b88:2:1::1   404                                        0.290  N
    Not Found
    Certificate error: RemoteCertificateNameMismatch, RemoteCertificateChainErrors

HTTP on port 80 over IPv6 doesn't answer, which looks like a firewall. HTTPS over IPv4 works with the correct certificate:

CN=oenergetice.cz
    03.04.2019 - 02.07.2019 (expires in 88 days)
    oenergetice.cz, www.oenergetice.cz - 2 entries

And IPv6 has a self-signed certificate and an HTTP status 404 - Not Found.

There are two different servers (IPv4 vs. IPv6):

Server: nginx/1.15.8
Server: HTTPD

Are you sure that IPv6 address is correct?

It looks like it might be the network router address, or something, rather than your own computer’s IP.


The self-signed certificate has the following name:

CN=HTTPS-Self-Signed-Certificate-423fc6c30b423061
    01.01.2011 - 27.12.2030 (expires in 4284 days)

Guys, the speed of the support is awesome, thanks a lot!

Anyways, I just ran the nginx -V command with this output:

nginx version: nginx/1.15.8
built by gcc 4.9.2 (Debian 4.9.2-10+deb8u2)
built with OpenSSL 1.1.1a  20 Nov 2018
TLS SNI support enabled
configure arguments: --add-module=/root/incubator-pagespeed-ngx-latest-stable --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-g -O2 -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie'

I can unfortunately see the --with-ipv6 configuration, this could be at least one of the problems, right?

I would first check whether the IPv6 address is really correct.

That

Server: HTTPD

doesn't look like a service of your server. Try sudo netstat or another tool to check your ports.

Nginx supports IPv6 by default (if the platform does). To use IPv6 you have to set the appropriate listen directives.

Guys, @JuergenAuer, @mnordhoff (and schoen - I can unfortunately tag only two users in this post) - thanks a lot, indeed you were correct. The IPv6 address was wrong in the DNS AAAA entries. I changed it to the correct one and this was enough to fix the problem.

Thanks for the awesome job.

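
The diagnostic that the replies in this thread walk through (resolve both the A and AAAA records, connect to each address with SNI set to the hostname, see whether the certificate each one presents verifies and matches, and compare the Server header to tell the two machines apart) as a stdlib-only Python script. This is an added example, not code from the thread or from any of the posters; the default hostname is the one from the post, the HEAD request used to read the Server header is my own addition modelled on the check-your-website output above, and the constructed peer-certificate dicts used when testing it stand in for what a live connection would return.

```python
import socket
import ssl
import sys

PORT = 443


def resolve_all(host):
    """Sorted unique (family, address) pairs from the host's A and AAAA records."""
    found = set()
    for family, _t, _p, _c, sockaddr in socket.getaddrinfo(host, PORT, type=socket.SOCK_STREAM):
        found.add((family, sockaddr[0]))
    return sorted(found)


def names_from_peercert(cert):
    """CN and dNSName SAN entries from the dict ssl.SSLSocket.getpeercert() returns."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    cn = None
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                cn = value
    return {"cn": cn, "sans": sans}


def hostname_matches(host, names):
    """RFC 6125-style match against the SAN list only (curl and browsers ignore the
    CN): exact match, or a leading '*' standing for exactly one label."""
    host = host.lower().rstrip(".")
    for pattern in names["sans"]:
        pattern = pattern.lower().rstrip(".")
        if pattern == host:
            return True
        if pattern.startswith("*.") and "." in host and host.split(".", 1)[1] == pattern[2:]:
            return True
    return False


def parse_server_header(raw_response):
    """Value of the Server header in a raw HTTP response, or None if absent."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:
        name, _sep, value = line.partition(":")
        if name.strip().lower() == "server":
            return value.strip()
    return None


def server_header(host, family, address, timeout=5.0):
    """HEAD / over a deliberately unverified TLS session to one address, so the
    responding software can be identified even when its certificate is wrong."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.socket(family, socket.SOCK_STREAM) as raw:
        raw.settimeout(timeout)
        raw.connect((address, PORT))
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(f"HEAD / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode())
            data = b""
            while b"\r\n\r\n" not in data:
                chunk = tls.recv(4096)
                if not chunk:
                    break
                data += chunk
    return parse_server_header(data.decode("latin-1"))


def probe_address(host, family, address, timeout=5.0):
    """Handshake with one specific address, SNI set and full verification on (what
    curl does); record OpenSSL's verify message, e.g. 'self signed certificate'."""
    result = {"address": address, "error": None, "names": None, "matches": False}
    ctx = ssl.create_default_context()  # system trust store, hostname check on
    try:
        with socket.socket(family, socket.SOCK_STREAM) as raw:
            raw.settimeout(timeout)
            raw.connect((address, PORT))
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                result["names"] = names_from_peercert(tls.getpeercert())
                result["matches"] = hostname_matches(host, result["names"])
    except ssl.SSLCertVerificationError as exc:
        result["error"] = exc.verify_message
    except OSError as exc:
        result["error"] = str(exc)
    return result


def summarize(host, results):
    """Split addresses into those that verify for the host and those that do not,
    so an IPv4/IPv6 split like the one in this thread is visible at a glance."""
    ok = [r["address"] for r in results if r["error"] is None and r["matches"]]
    failing = {r["address"]: (r["error"] or "certificate does not match hostname")
               for r in results if r["address"] not in ok}
    return {"host": host, "ok": ok, "failing": failing}


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "oenergetice.cz"  # hostname from the post
    probes = []
    for fam, addr in resolve_all(target):
        probe = probe_address(target, fam, addr)
        try:
            probe["server"] = server_header(target, fam, addr)
        except OSError as exc:
            probe["server"] = f"(no answer: {exc})"
        print(f"{addr:>40}  verify={probe['error'] or 'OK'}  server={probe['server']}")
        probes.append(probe)
    print(summarize(target, probes))
```

Run it as `python3 probe.py oenergetice.cz`. Because every address the name resolves to is probed separately, a wrong AAAA record shows up as one address whose handshake fails with the same OpenSSL verify message curl prints, next to a different Server header, while the IPv4 address verifies and lists the expected SAN entries; that is exactly the split the replies above identified before the DNS record was corrected.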
