SSL Certificate DNS Error

Arao · July 9, 2021, 9:12am

Thanks a lot for this again but I didn't see this message. at all.

8081 is the HTTP port
6443 is the HTTPS port.

This is what I have at the end of osticket.conf

server
{
   listen [::]:6443 ssl; # managed by Certbot
    listen 6443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/support.konspec.in/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/support.konspec.in/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

 # Redirect non-https traffic to https
    if ($scheme != "https") {
        return 301 https://$host$request_uri;
    } # managed by Certbot
}

Arao · July 9, 2021, 9:22am

Hi @griffin,

HTTPS not working. If I do a https://support.konspec.in:6443, I get a NGINX default web page saying it is fine. HTTP connection to Osticket stopped working because I made the mistake of saying 'Force HTTPS' in the setup.

On my firewall device, I have forwarded all internet traffic landing at my 2 public IPs to be forwarded to 8081 and 6443 respectively.

This is what I see in nginx/error.log

2021/07/09 13:27:01 [error] 223305#223305: *59 directory index of "/var/www/crmstaging/" is forbidden, client: 60.217.75.69, server: crmapitest.konspec.in, request: "GET / HTTP/1.1", host: "117.247.188.128"
2021/07/09 14:05:29 [notice] 224249#224249: signal process started
2021/07/09 14:05:31 [notice] 224254#224254: signal process started
2021/07/09 14:06:48 [error] 224255#224255: *13 directory index of "/var/www/crmstaging/" is forbidden, client: 172.25.1.1, server: crmapitest.konspec.in, request: "GET / HTTP/1.1", host: "support.konspec.in"

Watch the first error at 13:27 and then again at 14:06. The end part, "host" has the support.konspec.in

Arao · July 9, 2021, 10:33am

Entries from the /var/log/nginx/access.log,

172.25.1.1 - - [09/Jul/2021:15:58:25 +0530] "GET / HTTP/1.1" 302 23 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36"
172.25.1.1 - - [09/Jul/2021:15:58:46 +0530] "\x16\x03\x01\x02\x00\x01\x00\x01\xFC\x03\x03\xF4b2\xDB\x02<\xF9\xA3\xF0J6\x05\xA8\x229\xC7\xA3\xF5\xDBf\xBCE\x09\x81U\xF2@\x8E\xD3\xE2\xC8\x80 \xDC\x9A\xE7m\xB9\xE4\xF7\xDE\x17\xB8\xB7y" 400 166 "-" "-"
172.25.1.1 - - [09/Jul/2021:15:58:47 +0530] "\x16\x03\x01\x02\x00\x01\x00\x01\xFC\x03\x03$O\xC6\xDB" 400 166 "-" "-"
172.25.1.1 - - [09/Jul/2021:15:59:07 +0530] "\x16\x03\x01\x02\x00\x01\x00\x01\xFC\x03\x03\xA5\xB0\x06\x19\x02R\xAE\xEDbq$\xC0\x14hp\xFC\xB24\x133\x1F\xA1v\xD4\x08\x8D2\x0B\x9C\xA7\x84r \x84\xD1\x98\xBC\x99RnKn" 400 166 "-" "-"
172.25.1.1 - - [09/Jul/2021:15:59:08 +0530] "\x16\x03\x01\x02\x00\x01\x00\x01\xFC\x03\x03\x16\xB7\xBE\xC1\x83\xA2/\xB1\x11\x85(\xEA/\xD5\x83\xB4\xB5\xB8#\xCD\x8A\xF9\xA6\xFD\xA3\xD5\xCF R\xD1\xD2L \xA6&\x06E\xC2p\x13T\xBA\xAE\x98C\xE4e\x05\xA0\xB1\xEC\x02\x8F)\xCE\xC8\xA1vj\xB05\x9Ent_\x00\x22JJ\x13\x01\x13\x02\x13\x03\xC0+\xC0/\xC0,\xC00\xCC\xA9\xCC\xA8\xC0\x13\xC0\x14\x00\x9C\x00\x9D\x00/\x005\x00" 400 166 "-" "-"

No pertinent entries in error.log.

Arao · July 9, 2021, 11:41am

Hi,

I have gotten as far as having no errors in the error.log but accessing the https link on 6443 downloads the index.php. Accessing the site on http doesn't work because it tries to auto-forward to https (as per my settings in Osticket).

Posting the relevant sections of the ost-config file.

server {
listen 8081;
server_name support.konspec.in;
root /var/www/osticket/upload;
index index.php index.html index.htm;

location / {
try_files $uri $uri/ index.php;
autoindex on;
autoindex_exact_size on;
}

server
{
    root /var/www/osticket/upload;
    index index.php index.html index.htm;
    listen [::]:6443 ssl; # managed by Certbot
    listen 6443 ssl; # managed by Certbot
    server_name support.konspec.in;

griffin · July 9, 2021, 2:06pm

Hmm...

I find myself wondering a couple of things...

Whence came this port 6443 server block?
What happened to your certbot to go from version 1.16.0 back to version 0.40.0?

I believe that /etc/nginx/sites-available/osticket.conf should look something like this:

server {
listen 8081;
listen [::]:8081;
server_name support.konspec.in;   ## change server_name as per your domain name.

access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;

if ($host = support.konspec.in) {
    return 301 https://$host:6443$request_uri;
} # managed by Certbot

return 404; # managed by Certbot
}

server {
listen 6443 ssl;
listen [::]:6443 ssl;
server_name support.konspec.in;   ## change server_name as per your domain name.
root /var/www/osticket/upload;

ssl_certificate /etc/letsencrypt/live/support.konspec.in/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/support.konspec.in/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot 

access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
index index.php index.html index.htm;

set $path_info "";

location ~ /include {
deny all;
return 403;
}

if ($request_uri ~ "^/api(/[^\?]+)") {
set $path_info $1;
}

location ~ ^/api/(?:tickets|tasks).*$ {
try_files $uri $uri/ /api/http.php?$query_string;
}

if ($request_uri ~ "^/scp/.*\.php(/[^\?]+)") {
set $path_info $1;
}

location ~ ^/scp/ajax.php/.*$ {
try_files $uri $uri/ /scp/ajax.php?$query_string;
}

location / {
try_files $uri $uri/ index.php;
}

location ~ \.php$ {
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/run/php/php7.4-fpm.sock;
}
}

Arao · July 9, 2021, 2:45pm

@griffin

You rock! thanks a ton for helping out. The configuration you gave works perfectly and I am able to use the site without issues and it does auto-redirect if I use the http site.

I added the 6443 server block somewhere midway after I managed to generate the certificates. Sorry I did not update the changes on this thread. I really don't know how cerbot managed to downgrade itself as I sure didn't touch the executables or try any install/uninstall.

It is all good now. Many thanks again for all your help

Regards,
Anand

griffin · July 9, 2021, 5:38pm

You are quite welcome and I'm very happy it worked out so well!

As for certbot , I suspect that you might have multiple versions installed. You only want the snapd version installed if possible. The others should be uninstalled. See the instructions in the link below for the installation steps, which include uninstalling the old versions. You can repeat them if necessary without harming any of your certificate data or webserver configuration.

Arao · July 9, 2021, 7:00pm

Thanks again @griffin.

apt-cache policy certbot | grep -i Installed
Installed: 0.40.0-1ubuntu0.1

I didn't want to touch certbot after seeing this. Probably, the message you see in the output earlier is in the config files for the websites before a system update was done. 2 websites have been using Letsencrypt for 3 months now. A system update to Ubuntu was done a few weeks back which must have updated cerbot version from 1.16 to .40. Although I can't figure out how the version numbers are going down!

If I see the /etc/letsencrypt/renewal/support.konspec.in.conf, it shows version=0.40.0.

Anyway, I will let this rest for now.

Thank you once again for all the guidance.

Cheers,
Anand

Arao · July 9, 2021, 7:14pm

@griffin

While I was at it, I tried a certbot renew --dry-run and got this result for all 3 websites.

The following errors were reported by the server:

   Domain: crmapitest.konspec.in
   Type:   connection
   Detail: Fetching
   http://crmapitest.konspec.in/.well-known/acme-challenge/geI6hT1e5hkbCuG6r678dkU3tyeNvDUlL62vdGhFCyU:
   Timeout during connect (likely firewall problem)
...
Domain: crmtest.konspec.in
   Type:   connection
   Detail: Fetching
   http://crmtest.konspec.in/.well-known/acme-challenge/bj_8A0TzwY2x_soXpmtZOopwukMuLXpfrln63bkCcIc:
   Timeout during connect (likely firewall problem)
...
 Domain: support.konspec.in
   Type:   connection
   Detail: Fetching
   http://support.konspec.in/.well-known/acme-challenge/SdXEtzTGDyrsyzBQ8XdDALLjMtdYhVn1Dg24oPeUhSs:
   Timeout during connect (likely firewall problem)
...

If it were a firewall issue, my websites would not work but all of them are functional. Is it the same issue of 2 gateway IPs present and being chosen in some round robin fashion by validation servers?

Sorry if this is getting to be a drag!

Regards,
Anand

griffin · July 9, 2021, 7:21pm

It most likely is the same issue.

Arao · July 9, 2021, 7:22pm

Thanks. Please consider this problem solved and the thread can be closed.

griffin · July 9, 2021, 7:56pm

Perhaps nginx isn't binding correctly to both IP addresses?

You could try shutting down nginx then killing all remaining nginx processes. This would let you start nginx fresh with all processes being on the same page.

You might also check you IP address routing rules for both IP addresses. There might be something amiss there.

Arao · July 10, 2021, 7:16am

Thanks @griffin. Tried rebooting the server and also the routing on the firewall, etc. Nothing fancy or out of the ordinary. The best option I know is to shutdown one of the gateway IPs and also remove DNS entry at the registrar and then do the certbot renewal.

Best Regards,
Anand

rg305 · July 10, 2021, 4:40pm

You could catch the HTTP challenge requests and redirect them to another name that only resolves to one of those IPs.
[You would still be validating the original name (with multiple IPs), but at a name with a single IP]

Arao · July 11, 2021, 3:36am

Thanks @rg305. I am not well versed with redirection techniques. Could you please throw more light on that?

Do you mean I can setup a rule in our firewall device (Sophos)? Or is this something we have to do in the DNS settings of our Domain Registrar's admin panel?

rg305 · July 11, 2021, 4:47am

NO.

Actually, yes and no.
Yes = you will need a new DNS A record entry that only resolves to one IP.
No = the redirection isn't done in DNS (it's done in HTTP).

For nginx try something like this:
[replace all HTTP vhosts with this single HTTP vhost config file]

server {
# default server
  listen 80 default;      # make it the default for all HTTP requests IPv4
  listen [::]:80 default; # make it the default for all HTTP requests IPv6
  server_name _;
  location ^/(?!\.well-known) {            # skip challenge requests
    return 301 https://$host$request_uri;  # send all requests to HTTPS
  }# location
  location / {
    # send challenge requests to a single IP name.
    return 301 http://one-ip-only-name.your.domain$request_uri;
  }# location
}# server

server {
# ACME challenge requests ONLY server
  listen 80;
  listen [::]:80;
  server_name one-ip-only-name.your.domain; # used for challenge requests only.
  location / {
    root /some/unique/path/only/for/challenge/files; # make new path
  }# location
}# server

rg305 · July 11, 2021, 4:49am

Replace
one-ip-only-name.your.domain
with a real FQDN.

Replace
/some/unique/path/only/for/challenge/files
with a real path.
[don't forget to create this path and use it when using --webroot]

Arao · July 11, 2021, 4:52am

Thanks a lot @rg305. I will try these and let you know how it goes.

Arao · July 11, 2021, 9:55am

Hi @rg305 ,

Your solution worked and the dry run completed successfully. Thanks for your help!

Best Wishes,
Anand

rg305 · July 11, 2021, 7:53pm

Very glad to heat that!
Cheers from Miami

Topic		Replies	Views
Failed authorization procedure. (tls-sni-01): Help	25	5749	September 28, 2017
Certbot --nginx failed with 404 Help	12	4404	March 7, 2023
Failed Authentication Help	12	4129	August 1, 2019
Let's debug says everything is OK, But certbot keeps failing Help	33	1256	November 19, 2022
Error Type: connection Detail: Fetching Help	34	6371	July 28, 2020

SSL Certificate DNS Error

Related topics