ssl_error_internal_error_alert


#1

Hi.
Don't know what it is.

It works all fine with one domain (https://bd78.de).
But all the other domains cause errors in all browsers, e.g. in Firefox the ssl_error_internal_error_alert for https://www.eisbaer-blog.de/.

The configuration for nginx:

ssl_certificate             /etc/letsencrypt/live/eisbaer-blog.de/fullchain.pem;
ssl_certificate_key        /etc/letsencrypt/live/eisbaer-blog.de/privkey.pem;
ssl_session_timeout         5m;
ssl_protocols               SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers                 HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers   on;

And apache2:

    SSLEngine on
    SSLVerifyClient none
    SSLCertificateFile /etc/letsencrypt/live/eisbaer-blog.de/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/eisbaer-blog.de/privkey.pem
    SSLCACertificateFile /etc/letsencrypt/live/eisbaer-blog.de/fullchain.pem
    SetEnv PP_CUSTOM_PHP_INI /var/www/vhosts/system/eisbaer-blog.de/etc/php.ini
    SetEnv PP_CUSTOM_PHP_CGI_INDEX HE-5.6.6-fcgi

Don't know what I can do.

Tried to restart the services as well as the server and nothing worked. Services work fine, but…


#2

Does no one have any idea?! :frowning:


#3
->openssl s_client -connect www.eisbaer-blog.de:443
CONNECTED(00000003)
140600623900320:error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error:s23_clnt.c:770:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 295 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---

You need to configure virtual hosts for every server name. In every server section you need to configure the SSL directives and the server_name, e.g.

server_name www.eisbaer-blog.de eisbaer-blog.de;

HTH!
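The advice above (every SSL server block needs its own server_name plus certificate and key) can be checked statically before reloading nginx. The following is an added example, not code from the thread or from nginx: a small parser for server {} blocks that reports SSL listeners lacking ssl_certificate / ssl_certificate_key or server_name, and flags the obsolete SSLv2/SSLv3 entries that appear in the configs posted here. The sample config is constructed for this example (example.test is a placeholder name).

```python
"""Static check of nginx TLS server blocks (added example, not from the thread).

Parses the server {} blocks of an nginx config and reports the
misconfigurations discussed in the thread: an SSL listener without
ssl_certificate / ssl_certificate_key, without a server_name (so SNI cannot
select it), or with the obsolete SSLv2/SSLv3 protocols enabled.
"""
import re

# Constructed sample: one complete vhost with legacy protocols, one missing
# its certificate directives, and one with no server_name at all.
SAMPLE_CONFIG = """
server {
    listen 92.51.135.16:443 ssl;
    server_name eisbaer-blog.de;
    server_name www.eisbaer-blog.de;
    ssl_certificate     /etc/letsencrypt/live/eisbaer-blog.de/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/eisbaer-blog.de/privkey.pem;
    ssl_protocols SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    location / { proxy_pass https://92.51.135.16:7081; }
}
server {
    listen 443 ssl;
    server_name example.test www.example.test;
    # no certificate directives: nginx cannot serve TLS for this name
}
server {
    listen 443 ssl;
    ssl_certificate     /etc/letsencrypt/live/example.test/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.test/privkey.pem;
}
"""

LEGACY_PROTOCOLS = {"SSLv2", "SSLv3"}


def _top_level_directives(body):
    """Map directive name -> accumulated arguments, ignoring nested blocks."""
    directives, depth, stmt = {}, 0, []
    for ch in body:
        if ch == "{":
            depth += 1
            stmt = []           # drop the nested block's header (location /, if ...)
        elif ch == "}":
            depth -= 1
            stmt = []
        elif depth == 0:
            if ch == ";":
                parts = "".join(stmt).split()
                if parts:
                    directives.setdefault(parts[0], []).extend(parts[1:])
                stmt = []
            else:
                stmt.append(ch)
    return directives


def parse_server_blocks(config):
    """Return one {directive: [args]} dict per top-level server {} block."""
    text = re.sub(r"#.*", "", config)          # strip comments
    blocks, pos = [], 0
    while True:
        m = re.search(r"\bserver\s*\{", text[pos:])
        if not m:
            return blocks
        start = pos + m.end()
        depth, i = 1, start
        while i < len(text) and depth:         # find the matching closing brace
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        blocks.append(_top_level_directives(text[start:i - 1]))
        pos = i


def lint_tls_blocks(config):
    """Return a list of (server label, finding) tuples for SSL server blocks."""
    findings = []
    for n, d in enumerate(parse_server_blocks(config), start=1):
        is_ssl = "ssl" in d.get("listen", []) or d.get("ssl") == ["on"]
        if not is_ssl:
            continue                           # plain-HTTP block, nothing to check
        names = d.get("server_name", [])
        label = names[0] if names else f"server block #{n}"
        if not names:
            findings.append((label, "ssl listener without server_name; SNI cannot select it"))
        for key in ("ssl_certificate", "ssl_certificate_key"):
            if key not in d:
                findings.append((label, f"missing {key}; nginx cannot complete a TLS handshake for this name"))
        legacy = LEGACY_PROTOCOLS & set(d.get("ssl_protocols", []))
        if legacy:
            findings.append((label, "obsolete protocols enabled: " + ", ".join(sorted(legacy))))
    return findings


if __name__ == "__main__":
    for label, finding in lint_tls_blocks(SAMPLE_CONFIG):
        print(f"{label}: {finding}")
```

Run it against a real file by reading the file contents into `lint_tls_blocks`; it only looks at top-level directives of each server block, so certificates set in an enclosing http {} block are not seen and would show up as false positives.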


#4

?

Well, (I thought) I did that:

httpd.conf

<IfModule mod_ssl.c>

    <VirtualHost 92.51.135.16:7081 >
        ServerName "eisbaer-blog.de:443"
        ServerAlias "www.eisbaer-blog.de"
        ServerAlias "ipv4.eisbaer-blog.de"
        ServerAdmin "info@bd78.de"
        UseCanonicalName Off

        ...

        SSLEngine on
        SSLVerifyClient none
        SSLCertificateFile /etc/letsencrypt/live/eisbaer-blog.de/cert.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/eisbaer-blog.de/privkey.pem
        SSLCACertificateFile /etc/letsencrypt/live/eisbaer-blog.de/fullchain.pem
        SetEnv PP_CUSTOM_PHP_INI /var/www/vhosts/system/eisbaer-blog.de/etc/php.ini
        SetEnv PP_CUSTOM_PHP_CGI_INDEX HE-5.6.6-fcgi

nginx.conf

server {
    listen 92.51.135.16:443 ssl;

    server_name eisbaer-blog.de;
    server_name www.eisbaer-blog.de;
    server_name ipv4.eisbaer-blog.de;

    ssl_certificate             /etc/letsencrypt/live/eisbaer-blog.de/fullchain.pem;
    ssl_certificate_key        /etc/letsencrypt/live/eisbaer-blog.de/privkey.pem;
    ssl_session_timeout         5m;

    ssl_protocols               SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers                 HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers   on;

    client_max_body_size 128m;

    root "/var/www/vhosts/eisbaer-blog.de/httpdocs";
    access_log "/var/www/vhosts/system/eisbaer-blog.de/logs/proxy_access_ssl_log";
    error_log "/var/www/vhosts/system/eisbaer-blog.de/logs/proxy_error_log";

    if ($host ~* ^eisbaer-blog.de$) {
        rewrite ^(.*)$ https://www.eisbaer-blog.de$1 permanent;
    }

    location / {
        proxy_pass https://92.51.135.16:7081;
        proxy_set_header Host             $host;
        proxy_set_header X-Real-IP        $remote_addr;
        proxy_set_header X-Forwarded-For  $proxy_add_x_forwarded_for;
        access_log off;
    }

    location @fallback {
        proxy_pass https://92.51.135.16:7081;
        proxy_set_header Host             $host;
        proxy_set_header X-Real-IP        $remote_addr;
        proxy_set_header X-Forwarded-For  $proxy_add_x_forwarded_for;
        access_log off;
    }

    location ~ ^/plesk-stat/ {
        proxy_pass https://92.51.135.16:7081;
        proxy_set_header Host             $host;
        proxy_set_header X-Real-IP        $remote_addr;
        proxy_set_header X-Forwarded-For  $proxy_add_x_forwarded_for;
        access_log off;
    }

    location ~ ^/(.*\.(ac3|avi|bmp|bz2|css|cue|dat|doc|docx|dts|exe|flv|gif|gz|htm|html|ico|img|iso|jpeg|jpg|js|mkv|mp3|mp4|mpeg|mpg|ogg|pdf|png|ppt|pptx|qt|rar|rm|swf|tar|tgz|txt|wav|xls|xlsx|zip))$ {
        try_files $uri @fallback;
    }

}

So, any guess what's wrong and what to do?


#5

Hi,

I'm having the same issue with Nginx and a domain on www.
Any clues as to what the cause is?

I see that https://www.eisbaer-blog.de/5 is now working with Let's Encrypt, any clues as to what the problem was / what the fix is?


#6

This is an old topic.

What is your domain ?

You need to correctly set the configuration for nginx, to something like:

server {
    listen 80 default_server;
    listen [::]:80 default_server;

    # Redirect all HTTP requests to HTTPS with a 301 Moved Permanently response.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
    ssl_certificate /path/to/signed_cert_plus_intermediates;
    ssl_certificate_key /path/to/private_key;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;

    # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
    ssl_dhparam /path/to/dhparam.pem;

    # intermediate configuration. tweak to your needs.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
    ssl_prefer_server_ciphers on;

    # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
    add_header Strict-Transport-Security max-age=15768000;

    # OCSP Stapling ---
    # fetch OCSP records from URL in ssl_certificate and cache them
    ssl_stapling on;
    ssl_stapling_verify on;

    ## verify chain of trust of OCSP response using Root CA and Intermediate certs
    ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;

    resolver <IP DNS resolver>;

    ....
}

#7

Thanks for the reply serverco

h t t p s://ekatb.ru/ works fine, h t t p s://www.ekatb.ru/ does not

(sorry for the spaces, I'm not allowed to post 2 links in one post …).

You can see on the certificate

The SANs:
DNS Name: ekatb.ru
DNS Name: www.ekatb.ru

and the SSL vhost looks like:

=========================================================+
listen 443 ssl http2;
server_name ekatb.ru www.ekatb.ru ;
ssl_certificate /var/cpanel/ssl/installed/certs/ekatb_ru_c3bc2_70881_1465973280_d3260c808dcb4fc4cfc54fd17a412fba.crt.pem;
ssl_certificate_key /var/cpanel/ssl/installed/keys/c3bc2_70881_f6f33d61e4e21fe18ae348e51c9d48a8.key;
keepalive_timeout 60;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;

ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
ssl_prefer_server_ciphers on;

    ssl_dhparam  //usr/local/nginx/conf/dhparams.pem;

=========================================================+

I've tried defaulting the ciphers and dhparams, to no success.

best regards
Kev


#8

Hi Kev,

Your main problem here is that you include lots of images via http (not via https).

Try using https://www.whynopadlock.com/check.php
It shows you have the following images loading via http:
ekatb.ru/wp-content/uploads/2016/02/shadow_bgnd.png
ekatb.ru/wp-content/uploads/logo/favicon.ico
ekatb.ru/wp-content/uploads/2016/02/herald_logo.png
ekatb.ru/wp-content/uploads/2016/02/herald_logo_mini.png
ekatb.ru/wp-content/uploads/2016/02/banner.jpg

The SSL installation itself looks fine - https://www.ssllabs.com/ssltest/analyze.html?d=ekatb.ru


#9

Hi serverco,

Actually the non-www version of the site is fine (I'm not concerned about that mixed content warning); the problem is when loading the site over https using www (e.g. https://www.ekatb.ru), you will see the SSL error there.


#10

Your www site is actually behind CloudFlare from my point of view, and indeed gives an error. But because we're not connecting to your IP, but to CloudFlare's, I've got no idea where the problem is.


#11

OK, so https://ekatb.ru/ works OK (apart from the http files) but https://www.ekatb.ru/ gives an error (I missed that slightly above).

Can you paste your complete nginx config file please? (http://pastebin.com/ is probably the easiest.)

Although as @Osiris correctly points out - CloudFlare is messing things up slightly …


#12

When 'manually' connecting to your IP with the www part as hostname, all is fine:

osiris@desktop ~ $ openssl s_client -connect ekatb.ru:443 -servername www.ekatb.ru
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X1
verify return:1
depth=0 CN = ekatb.ru
verify return:1
---
Certificate chain
 0 s:/CN=ekatb.ru
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X1
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X1
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
(...)

Works like a charm, so your server isn’t the problem I guess.
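The check in the post above (connect to the origin IP but send the www name as SNI, then look at the certificate that comes back) is the decisive test when a CDN sits in front of the site. The following is an added example, not code from the thread: it does the same with Python's ssl module, keeps chain verification on but checks the name against the SAN list itself so that a mismatch is reported rather than hidden behind an exception. `probe_sni` needs network access; `hostname_in_san` is pure and is exercised on a constructed certificate dict shaped like getpeercert() output, using the SANs listed earlier in the thread.

```python
"""Per-hostname TLS/SNI probe (added example, not from the thread).

Equivalent of `openssl s_client -connect <ip>:443 -servername <host>`:
probe each name directly against the origin IP (bypassing a CDN such as
CloudFlare) and compare the presented certificate with the requested name.
"""
import socket
import ssl
import sys

# Constructed certificate dict in the shape SSLSocket.getpeercert() returns,
# carrying the two SANs shown in the thread.
SAMPLE_CERT = {
    "subject": ((("commonName", "ekatb.ru"),),),
    "subjectAltName": (("DNS", "ekatb.ru"), ("DNS", "www.ekatb.ru")),
}


def hostname_in_san(cert, hostname):
    """True if `hostname` is covered by a dNSName SAN of `cert`.

    Comparison is case-insensitive and ignores a trailing dot.  A wildcard
    entry matches exactly one leftmost label (RFC 6125 style), so
    *.example.test covers www.example.test but not example.test or
    a.b.example.test.
    """
    hostname = hostname.lower().rstrip(".")
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        pattern = value.lower().rstrip(".")
        if pattern == hostname:
            return True
        if pattern.startswith("*."):
            head, sep, rest = hostname.partition(".")
            if sep and head and "." + rest == pattern[1:]:
                return True
    return False


def probe_sni(hostname, connect_ip=None, port=443, timeout=5.0):
    """Handshake with connect_ip (or hostname) sending `hostname` as SNI.

    Returns a dict with the negotiated protocol, the leaf certificate's
    subject CN and DNS SANs, and whether the SANs cover the requested name.
    A TLS alert or socket error (as seen in the thread) is returned in the
    "error" field instead of being raised.
    """
    ctx = ssl.create_default_context()
    # Chain verification stays on; only the hostname check is done by us so a
    # wrong certificate is *reported* (san_match False) rather than raised.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    target = connect_ip or hostname
    try:
        with socket.create_connection((target, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                cert = tls.getpeercert()
                subject = {k: v for rdn in cert.get("subject", ()) for k, v in rdn}
                return {
                    "hostname": hostname,
                    "connected_to": target,
                    "protocol": tls.version(),
                    "subject_cn": subject.get("commonName"),
                    "sans": [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"],
                    "san_match": hostname_in_san(cert, hostname),
                    "error": None,
                }
    except (ssl.SSLError, OSError) as exc:
        return {"hostname": hostname, "connected_to": target, "error": str(exc)}


if __name__ == "__main__":
    # usage: probe.py <hostname> [origin-ip]   e.g.  probe.py www.ekatb.ru ORIGIN_IP_PLACEHOLDER
    if len(sys.argv) < 2:
        sys.exit("usage: probe.py <hostname> [origin-ip]")
    result = probe_sni(sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else None)
    for key, value in result.items():
        print(f"{key:13} {value}")
```

Running it once with the origin IP and once without (so DNS resolves to the CDN edge) separates a vhost/SNI problem on the server from a problem at the CDN, which is exactly the distinction this thread ended on.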


#13

Scrap this, it's working well!

Seems that the www version of the site is using CloudFlare and that is the cause of the problems!!

In future I must check further before thinking voodoo is occurring!

best regards
Kev


#14

Thanks Andy for your help.