hyemst
September 20, 2022, 2:13am
1
Hello,
I need some help; SSL is not working.
After installing certbot on an AWS Lightsail machine (OS Ubuntu 20.04 LTS - Focal, NGINX web server), I am getting the error SSL_ERROR_RX_RECORD_TOO_LONG for https connections.
It is not redirecting from http to https.
My domain is: contabilidad.tbeotours.com
I tested the installation of the SSL on https://www.ssllabs.com and got A grade.
I am using this odoo conf.
```
#odoo server
upstream odoo {
    server 127.0.0.1:8069;
}
upstream odoochat {
    server 127.0.0.1:8072;
}
# http -> https
server {
    listen 80;
    server_name contabilidad.tbeotours www.contabilidad.tbeotours;
    rewrite ^(.*) https://$host$1 permanent;
}
server {
    listen 443 ssl;
    server_name contabilidad.tbeotours ww.contabilidad.tbeotours;
    proxy_read_timeout 720s;
    proxy_connect_timeout 720s;
    proxy_send_timeout 720s;
    #uncategorized Add Headers for odoo proxy mode
    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Real-IP $remote_addr;
    # SSL parameters
    # HERE (I put them here)
    #ssl_prefer_server_ciphers off;
    # log
    access_log /var/log/nginx/odoo.access.log;
    error_log /var/log/nginx/odoo.error.log;
    # Redirect longpoll requests to odoo longpolling port
    location /longpolling {
        proxy_pass http://odoochat;
    }
    # Redirect requests to odoo backend server
    location / {
        proxy_redirect off;
        proxy_pass http://odoo;
    }
    # common gzip
    gzip_types text/css text/scss text/plain text/xml application/xml application/json application/javascript;
    gzip on;
}
```
I am a basic user. I would like to receive specific instructions or examples.
Best regards
danb35
September 20, 2022, 4:02am
2
That's not what I'm seeing; I'm getting a redirect to https://odoo, which will never work. Your hostname correctly redirects to https:
```
dan@Dan-MBP-2013 ~ curl -v http://contabilidad.tbeotours.com
* Trying 23.22.103.250...
* TCP_NODELAY set
* Connected to contabilidad.tbeotours.com (23.22.103.250) port 80 (#0)
> GET / HTTP/1.1
> Host: contabilidad.tbeotours.com
> User-Agent: curl/7.64.1
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
< Server: nginx/1.18.0 (Ubuntu)
< Date: Tue, 20 Sep 2022 03:58:17 GMT
< Content-Type: text/html
< Content-Length: 178
< Connection: keep-alive
< Location: https://contabilidad.tbeotours.com/
<
<html>
<head><title>301 Moved Permanently</title></head>
<body>
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx/1.18.0 (Ubuntu)</center>
</body>
</html>
* Connection #0 to host contabilidad.tbeotours.com left intact
* Closing connection 0
```
But the https page then redirects to https://odoo:
```
dan@Dan-MBP-2013 ~ curl -v https://contabilidad.tbeotours.com/
* Trying 23.22.103.250...
* TCP_NODELAY set
* Connected to contabilidad.tbeotours.com (23.22.103.250) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
* subject: CN=contabilidad.tbeotours.com
* start date: Sep 16 22:24:38 2022 GMT
* expire date: Dec 15 22:24:37 2022 GMT
* subjectAltName: host "contabilidad.tbeotours.com" matched cert's "contabilidad.tbeotours.com"
* issuer: C=US; O=Let's Encrypt; CN=R3
* SSL certificate verify ok.
> GET / HTTP/1.1
> Host: contabilidad.tbeotours.com
> User-Agent: curl/7.64.1
> Accept: */*
>
< HTTP/1.1 303 SEE OTHER
< Server: nginx/1.18.0 (Ubuntu)
< Date: Tue, 20 Sep 2022 03:58:37 GMT
< Content-Type: text/html; charset=utf-8
< Content-Length: 215
< Connection: keep-alive
< Location: http://odoo/web
< Set-Cookie: session_id=6983daacc9f4b937d1b9c61ebed26fcbf72c491d; Expires=Mon, 19-Dec-2022 03:58:37 GMT; Max-Age=7776000; HttpOnly; Path=/
<
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<title>Redirecting...</title>
<h1>Redirecting...</h1>
* Connection #0 to host contabilidad.tbeotours.com left intact
<p>You should be redirected automatically to target URL: <a href="/web">/web</a>. If not click the link.* Closing connection 0
```
You should check with whatever support mechanisms exist for Ubuntu or Odoo; your problem has nothing to do with Let's Encrypt.
4 Likes
rg305
September 20, 2022, 5:17am
3
I see a couple of typos:
Both lines are missing ".com"
One line is missing one "w" (from "www")
3 Likes
hyemst
September 20, 2022, 10:15am
4
Hello
Odoo uses port 8069.
When you type http://contabilidad.tbeotours.com:8069/ it takes you to the login session.
When you type https://contabilidad.tbeotours.com:8069/ you then get the error SSL_ERROR_RX_RECORD_TOO_LONG
SERVER CONFIG
```
#odoo server
upstream odoo {
    server 127.0.0.1:8069;
}
upstream odoochat {
    server 127.0.0.1:8072;
}
# http -> https
server {
    listen 80;
    server_name contabilidad.tbeotours.com www.contabilidad.tbeotours.com;
    return 301 https://contabilidad.tbeotours.com$request_uri;
}
server {
    listen 443 ssl;
    server_name contabilidad.tbeotours.com www.contabilidad.tbeotours.com;
    proxy_read_timeout 720s;
    proxy_connect_timeout 720s;
    proxy_send_timeout 720s;
    # Add Headers for odoo proxy mode
    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Real-IP $remote_addr;
    # SSL parameters
    ssl_certificate /etc/letsencrypt/live/contabilidad.tbeotours.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/contabilidad.tbeotours.com/privkey.pem;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    #ssl_prefer_server_ciphers off;
    # log
    access_log /var/log/nginx/odoo.access.log;
    error_log /var/log/nginx/odoo.error.log;
    # Redirect longpoll requests to odoo longpolling port
    location /longpolling {
        proxy_pass http://odoochat;
    }
    # Redirect requests to odoo backend server
    location / {
        proxy_redirect off;
        proxy_pass http://odoo;
    }
    # common gzip
    gzip_types text/css text/scss text/plain text/xml application/xml application/json application/javascript;
    gzip on;
}
```
rg305
September 20, 2022, 10:28am
5
Is there a NAT or port forwarding setting?
2 Likes
Osiris
September 20, 2022, 10:40am
6
That's to be expected. If port 8069 isn't configured for TLS (as it works with http://), it will error when you try to use TLS by using https://.
3 Likes
rg305
September 20, 2022, 11:22am
10
What was the point of putting the odoo server behind a proxy, if you are allowing it to be hit directly?
I suspect it was to encrypt a connection that was otherwise unencryptable.
3 Likes
danb35
September 20, 2022, 1:04pm
11
You can't speak both protocols on the same port, so as @Osiris said, this is exactly as expected. But I'll echo Rudy's question: what's the point of the reverse proxy if you're exposing port 8069 to the Internet?
And in this case, it seems your Nginx configuration is utterly irrelevant, as Nginx isn't listening on port 8069. The more you say, the less it has to do with Let's Encrypt. You need support for Nginx, Odoo, and/or Ubuntu; we provide none of those here.
4 Likes
MikeMcQ
September 20, 2022, 1:57pm
12
I agree with the other posters that I think you need general help with nginx, Odoo, and AWS configuration. The way you have it configured in nginx is with a proxy to http://odoo which means this:
https://contabilidad.tbeotours.com
should have nginx satisfying the TLS connection and then proxy to odoo (http://127.0.0.1:8069).
But, this fails (right now) because port 443 is closed. You might not have it open in your EC2 Security Group.
And, you don't need port 8069 open to the internet if you proxy like this.
3 Likes
system
Closed
October 20, 2022, 1:58pm
13
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.