SSL if pointing at wrong IP address

I have created the certs and I keep getting the same error when connecting to HTTPS.

"identifier": {
  "type": "dns",
  "value": "ssltest.oilgear.com"
},
"status": "valid",
"expires": "2017-12-27T10:15:14Z",
"challenges": [
  {
    "type": "dns-01",
    "status": "pending",
    "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/951XMWhCeKpYJsHvrn_HUc9uQDBjl8bvw6McD19gZKA/2577931122",
    "token": ""
  },
  {
    "type": "http-01",
    "status": "valid",
    "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/951XMWhCeKpYJsHvrn_HUc9uQDBjl8bvw6McD19gZKA/2577931123",
    "token": "",
    "keyAuthorization": "",
    "validationRecord": [
      {
        "url": "http://ssltest.oilgear.com/.well-known/acme-challenge/WG9MHLxVc8qBqs78VwP2qttNJn83rO2-UI5VAQ8BxFA",
        "hostname": "ssltest.oilgear.com",
        "port": "80",
        "addressesResolved": [
          ""
        ],
        "addressUsed": "",
        "addressesTried": []
      }
    ]
  },
  {
    "type": "tls-sni-01",
    "status": "pending",
    "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/951XMWhCeKpYJsHvrn_HUc9uQDBjl8bvw6McD19gZKA/2577931124",
    "token": "<token data here>"
  }
],

sudo wget https://ssltest.oilgear.com/index.php
--2017-11-27 21:12:49--  https://ssltest.oilgear.com/index.php
Resolving ssltest.oilgear.com (ssltest.oilgear.com)...
Connecting to ssltest.oilgear.com (ssltest.oilgear.com)||:443... connected.
OpenSSL: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
Unable to establish SSL connection.

My domain is: ssltest.oilgear.com

I ran this command:
/opt/certbot/certbot-auto certonly --webroot -w /var/www/vhosts/ssltest.oilgear.com/httpdocs/ -d ssltest.oilgear.com --non-interactive --agree-tos --debug-challenges --email sdavey@oilgear.com --force-renew -v

It produced this output:

My web server is (include version): nginx

The operating system my web server runs on is (include version): Ubuntu 14

My hosting provider, if applicable, is: Azure

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

Your nginx isn’t using TLS on port 443. With the certonly method, you’ll need to configure nginx yourself.

Thank you for your response, I really do appreciate your replying.

I have already configured the nginx server for ssltest.oilgear.com to work on 443. I also had to configure a second IP address for the server and configure the nginx server along with an A record so I could host ssltest.oilgear.com on its own IP address.

oilgear.com uses the primary IP,
and ssltest.oilgear.com is configured to use the second IP address.

I tested the new IP for ssltest.oilgear.com on port 80 and it works like a dream.

Then I created the cert with certbot and added this to ssltest.oilgear.com.conf,

both the cert and the key.

server {

    if ($http_user_agent ~ WordPress) { return 444; }

    access_log /var/log/nginx/ssltest.oilgear.com_access_log combined;
    error_log  /var/log/nginx/ssltest.oilgear.com_error_log;

    listen <ipaddress here>:80;
    listen <ipaddress here>:443 ssl;


    server_name ssltest.oilgear.com;

    root /var/www/vhosts/ssltest.oilgear.com/httpdocs;

    ssl on;
    ssl_protocols              TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers                <stuff>


    ssl_certificate      /etc/letsencrypt/live/ssltest.oilgear.com/fullchain.pem;
    ssl_certificate_key  /etc/letsencrypt/live/ssltest.oilgear.com/privkey.pem;

    location / {
        root /var/www/vhosts/ssltest.oilgear.com/httpdocs;
        index index.php index.html index.htm;
        try_files $uri $uri/ /index.php?$args;

        client_max_body_size 50M;
        proxy_set_header Connection "";
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Frame-Options "SAMEORIGIN";
        proxy_buffers 256 16k;
        proxy_buffer_size 16k;
        proxy_read_timeout 600s;
        proxy_cache_min_uses 2;
        proxy_cache_use_stale timeout;
        proxy_cache_lock on;
    }

    location @handler {
        rewrite / /index.php;
    }

    location ~* ^.+\.(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|rss|atom|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$ {
        access_log off;
        log_not_found off;
        expires max;
    }

}

Did you remove the actual IP from that post?
If not, there seems to be a problem resolving your domain name to an IP.

I removed the actual IP from the post. I have changed them all now. But the IP address is showing as the primary IP for the server, though I also set up a second IP address on the server.

If you ping ssltest.oilgear.com and ping oilgear.com you get different IP addresses; this is correct.

But when I create the cert, Certbot is sending the IP address associated with oilgear.com, not ssltest.oilgear.com. Hope this makes sense.

For what it's worth, this will cause Nginx to do SSL on port 80 and port 443. You need to remove "ssl on;".


Regardless, both of your sites are instead doing HTTP on port 80 and on port 443.

http://oilgear.com:443/

http://ssltest.oilgear.com/
http://ssltest.oilgear.com:443/

You need to check your Nginx configuration, any sort of port forwarding or load balancer, etc.


I'm not sure what you mean. Where do you see the wrong IP address? Certbot doesn't send your IP address to Let's Encrypt; when doing HTTP-01 or TLS-SNI-01 validation, Let's Encrypt looks it up afresh in the DNS, without caching.

If an older IP address is in the "addressesResolved" and "addressUsed" fields in the authorization in your first post, that's not necessarily a problem. That authorization is valid, after all. And it's hours old. If you've changed your IPs since then, your ACME client may continue using the same authorization until it expires, without validating again, whether or not the DNS records logged in it have changed since.


OK, that's great, so Certbot is not sending the IP address but just using the IP saved in the cert from the first run (because it's not expired). OK, this makes sense completely.

I will create a new URL and DNS settings and point that at the new IP address, then I will do the cert process again.

I'm feeling the problem was from my first cert request using SNI: one IP address but virtual sites, ssltest.oilgear.com and oilgear.com. But now I have added a new IP address to the server.

I will create all the stuff above and I will report my progress, good or bad, just in case someone else finds this helpful...

Thank you so much for your help!!!

ssl on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers

Can I ask another question?

What should I put in for ssl_ciphers?
I'm using certbot-auto with the --webroot plugin.

PLEASE HELP!! What am I doing wrong...

This still errors, losing my mind.

I changed the URL to testssl.oilgear.com. I'm doing a wget on https://testssl.oilgear.com; the results are below.

wget https://testssl.oilgear.com
--2017-11-28 12:55:44-- https://testssl.oilgear.com/
Resolving testssl.oilgear.com (testssl.oilgear.com)... 52.237.158.185
Connecting to testssl.oilgear.com (testssl.oilgear.com)|52.237.158.185|:443... connected.
OpenSSL: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
Unable to establish SSL connection.

My config is:

server {

    if ($http_user_agent ~ WordPress) { return 444; }

    #access_log off;
    access_log /var/log/nginx/testssl.oilgear.com_access_log combined;

    error_log  /var/log/testssl.oilgear.com_error_log;

#   listen 52.237.258.185:80;
    listen 52.237.158.185:443 ssl;
    server_name testssl.oilgear.com;
    root /var/www/vhosts/testssl.oilgear.com/httpdocs;

    ssl on;
    ssl_certificate      /etc/letsencrypt/live/testssl.oilgear.com/fullchain.pem;
    ssl_certificate_key  /etc/letsencrypt/live/testssl.oilgear.com/privkey.pem;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256$

    location / {
        root   /var/www/vhosts/testssl.oilgear.com/httpdocs;
        index  index.php index.html index.htm;
        try_files $uri $uri/ /index.php?$args;
    }

    location @handler {
        rewrite / /index.php;
    }

    location ~ .php/ {
        rewrite ^(.*.php)/ $1 last;
    }

    location ~ .php$ {
        try_files $uri /index.php;
        expires off;
        fastcgi_pass 127.0.0.1:443;
        fastcgi_buffers 256 4k;
        fastcgi_buffer_size 32k;
        fastcgi_busy_buffers_size 256k;
        fastcgi_read_timeout 3600s;
#       fastcgi_param HTTPS $fastcgi_https;
        fastcgi_param SCRIPT_FILENAME  $document_root$fastcgi_script_name;
        fastcgi_param MAGE_RUN_CODE default;
        fastcgi_param MAGE_RUN_TYPE store;
        include fastcgi_params;
    }

    # WordPress single site rules.
    # Designed to be included in any server {} block.

    # This order might seem weird - this is attempted to match last if rules below fail.
    # http://wiki.nginx.org/HttpCoreModule

    # Add trailing slash to */wp-admin requests.
    rewrite /wp-admin$ $scheme://$host$uri/ permanent;

    # Directives to send expires headers and turn off 404 error logging.
    location ~* ^.+\.(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|rss|atom|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$ {
        access_log off; log_not_found off; expires max;
    }

}


It seems to speak http on port 443 instead of https.
You don’t need ssl on; according to the documentation as long as there is a listen directive with ssl enabled. Did you restart your web server (nginx)?

Yes, rebooted the server.

And to test your idea, I did:

wget http://testssl.oilgear.com:443
results

--2017-11-28 13:18:32--  http://testssl.oilgear.com:443/
Resolving testssl.oilgear.com (testssl.oilgear.com)... 52.237.158.185
Connecting to testssl.oilgear.com (testssl.oilgear.com)|52.237.158.185|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: 'index.html.1'

[ <=> ] 66,794      --.-K/s   in 0.09s

2017-11-28 13:18:33 (689 KB/s) - 'index.html.1' saved [66794]

But not sure where this leaves me :(

Hmm, I wonder if your configuration gets applied correctly. I can e.g. connect to port 80 to your machine although your configuration has commented out the listen directive for that port.

Are there any other configuration files for nginx? Is there something relevant in the error logfile?

That's correct, there are another 2 websites on this box running SNI.

As soon as I have SSL working I will move the others to dedicated IPs.

But I have just run the site through Fiddler and it returned:

No Proxy-Authenticate Header is present.

No WWW-Authenticate Header is present.

The connection to 'testssl.oilgear.com' failed.
System.Security.SecurityException Failed to negotiate HTTPS connection with server.fiddler.network.https> HTTPS handshake to testssl.oilgear.com (for #9) failed. System.IO.IOException The handshake failed due to an unexpected packet format.

Like already said, https is not advertised on port 443. Are there other server-blocks? Please post them.

OK, give me a minute and I will post them.
Thanks

If I try to remove the oilgear.com "listen 443 default_server",
I get this error when testing the config.

nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: [emerg] bind() to 52.237.158.185:443 failed (99: Cannot assign requested address)
nginx: configuration file /etc/nginx/nginx.conf test failed

server {

  #access_log off;
  access_log /var/log/nginx/oilgear.com_access_log combined;
  error_log  /var/log/oilgear.com_error_log;
  root /var/www/vhosts/oilgear.com/httpdocs;

  listen 80 default_server;
  listen 443 default_server;

  server_name   oilgear.com ;

  location / {
    root   /var/www/vhosts/oilgear.com/httpdocs;
    index  index.php index.html index.htm;
    try_files $uri $uri/ /index.php?$args;
  }

  location @handler {
    rewrite / /index.php;
  }

  location ~ .php/ {
    rewrite ^(.*.php)/ $1 last;
  }

  location ~ .php$ {
    try_files $uri /index.php;
    expires off;
    fastcgi_pass 127.0.0.1:8080;
    fastcgi_buffers 256 4k;
    fastcgi_buffer_size 32k;
    fastcgi_busy_buffers_size 256k;
    fastcgi_read_timeout 3600s;
#   fastcgi_param HTTPS $fastcgi_https;
    fastcgi_param SCRIPT_FILENAME  $document_root$fastcgi_script_name;
    fastcgi_param MAGE_RUN_CODE default;
    fastcgi_param MAGE_RUN_TYPE store;
    include fastcgi_params;
  }
}

staging.oilgear.com

server {

  #access_log off;
  access_log /var/log/nginx/staging.oilgear.com_access_log combined;
  error_log  /var/log/staging.oilgear.com_error_log;

  listen 80;
  server_name staging.oilgear.com;
  root /var/www/vhosts/staging.oilgear.com/httpdocs;



  location / {
    root   /var/www/vhosts/staging.oilgear.com/httpdocs;
    index  index.php index.html index.htm;
    try_files $uri $uri/ /index.php?$args;
  }

  location @handler {
    rewrite / /index.php;
  }

  location ~ .php/ {
    rewrite ^(.*.php)/ $1 last;
  }

  location ~ .php$ {
    try_files $uri /index.php;
    expires off;
    fastcgi_pass 127.0.0.1:8080;
    fastcgi_buffers 256 4k;
    fastcgi_buffer_size 32k;
    fastcgi_busy_buffers_size 256k;
    fastcgi_read_timeout 3600s;
#    fastcgi_param HTTPS $fastcgi_https;
    fastcgi_param SCRIPT_FILENAME  $document_root$fastcgi_script_name;
    fastcgi_param MAGE_RUN_CODE default;
    fastcgi_param MAGE_RUN_TYPE store;
    include fastcgi_params;
  }
}

nginx.conf

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    charset UTF-8;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log main;
    error_log  /var/log/nginx/error.log warn;

    add_header X-Server oilgearazureprod;

    sendfile on;
    autoindex off;
    tcp_nopush on;
    tcp_nodelay off;
    keepalive_timeout 5s;
    keepalive_requests 100;
    client_header_timeout 1460s;
    client_body_timeout 1460s;
    client_max_body_size 300m;
    reset_timedout_connection on;
    fastcgi_read_timeout 3600s;
    proxy_connect_timeout 3600s;
    proxy_send_timeout 3600s;
    proxy_read_timeout 3600s;
    send_timeout 1460s;

#    ssl_session_cache shared:SSL:10m;
#    ssl_session_timeout 10m;

# SSL on server
#    map $scheme $fastcgi_https { ## Detect when HTTPS is used
#       default off;
#        https on;
#    }

# SSL on load balancer
#  map $http_x_forwarded_proto $fastcgi_https { ## Detect when HTTPS is used
#        default off;
#        https on;
#   }

    gzip on;
    gzip_http_version 1.1;
    gzip_vary on;
    gzip_proxied any;
    gzip_min_length 256;
    gzip_comp_level 4;
    gzip_buffers 16 8k;
    gzip_types text/css application/json application/javascript application/x-javascript text/xml application/xml application/xml+rss text/javascript;
    gzip_disable "MSIE [1-6]\.(?!.*SV1)";

    open_file_cache max=100000 inactive=20s;
    open_file_cache_valid 30s;
    open_file_cache_min_uses 2;
    open_file_cache_errors on;

    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}

Please double-check the ip address, or just use listen 443 ssl; without address.

ping testssl.oilgear.com
PING testssl.oilgear.com (52.237.158.185) 56(84) bytes of data.

This is correct for testssl.oilgear.com.
oilgear.com has an LB in front (52.237.156.55).

My server has 2 IPs:
52.240.136.155
52.237.158.185

You can only bind to local addresses. If you are running a load balancer in front, you cannot use its address.
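The two replies above ("you need to remove ssl on", "just use listen 443 ssl; without address" and "you can only bind to local addresses") describe one configuration. The following is an added example written for this page, not any configuration posted in the thread, showing what that looks like when the two names share one nginx instance and are selected by SNI. It assumes PHP-FPM listens on 127.0.0.1:8080 (the value the oilgear.com block already uses), that certificate paths are certbot's defaults, and that the VM's public IPs are NAT'd by Azure, so no listen directive names a public address (bind() to one fails, as the nginx -t output in the thread showed). TLSv1.2-only and the short cipher list are this example's choices, not the thread's.

```nginx
# Added example (not the poster's config): two names on one nginx, port 443
# speaking TLS for every name. Assumptions: PHP-FPM on 127.0.0.1:8080,
# certbot default cert paths, public IPs NAT'd (so listen has no address).

# 1. Catch-all. A default_server on 443 MUST carry "ssl"; the thread's
#    "listen 443 default_server;" without it is why port 443 answered
#    plain HTTP. "ssl on;" appears nowhere: that directive would switch the
#    port-80 listener in the same block to TLS as well.
server {
    listen 80 default_server;
    listen 443 ssl default_server;
    server_name _;

    # nginx needs some certificate to complete the handshake; a request
    # whose name matches no server_name below is then dropped.
    ssl_certificate     /etc/letsencrypt/live/testssl.oilgear.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/testssl.oilgear.com/privkey.pem;
    return 444;
}

# 2. Plain-HTTP side of testssl.oilgear.com: keep certbot's --webroot
#    challenge path reachable, send everything else to HTTPS.
server {
    listen 80;
    server_name testssl.oilgear.com;
    root /var/www/vhosts/testssl.oilgear.com/httpdocs;

    location /.well-known/acme-challenge/ {
        try_files $uri =404;
    }
    location / {
        return 301 https://$host$request_uri;
    }
}

# 3. TLS side of testssl.oilgear.com.
server {
    listen 443 ssl;
    server_name testssl.oilgear.com;
    root /var/www/vhosts/testssl.oilgear.com/httpdocs;
    index index.php index.html index.htm;

    ssl_certificate     /etc/letsencrypt/live/testssl.oilgear.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/testssl.oilgear.com/privkey.pem;
    ssl_protocols       TLSv1.2;   # example's choice; the thread also allowed TLSv1/TLSv1.1
    ssl_ciphers         ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers on;
    ssl_session_cache   shared:SSL:10m;

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    location ~ \.php$ {
        try_files $uri /index.php;
        # The thread's block pointed this at 127.0.0.1:443, i.e. back at
        # nginx's own TLS port. It must be the PHP-FPM listener.
        fastcgi_pass 127.0.0.1:8080;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        # Built-in $https is "on" for TLS connections, empty otherwise;
        # replaces the commented-out $fastcgi_https map from nginx.conf.
        fastcgi_param HTTPS $https if_not_empty;
        include fastcgi_params;
    }
}

# 4. oilgear.com stays plain HTTP here because no certificate for it exists
#    on this box in the thread; once it has one, give it the same
#    "listen 443 ssl;" line. Its load balancer (52.237.156.55) may be the
#    TLS endpoint instead, in which case the $http_x_forwarded_proto map
#    from the thread's nginx.conf is the right HTTPS signal, not $https.
server {
    listen 80;
    server_name oilgear.com;
    root /var/www/vhosts/oilgear.com/httpdocs;
    index index.php index.html index.htm;

    location / {
        try_files $uri $uri/ /index.php?$args;
    }
    location ~ \.php$ {
        try_files $uri /index.php;
        fastcgi_pass 127.0.0.1:8080;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}
```

After `nginx -t` passes and nginx is reloaded, the check that matches the symptoms in this thread is to repeat the two probes the poster ran: `openssl s_client -connect 52.237.158.185:443 -servername testssl.oilgear.com` should now complete a handshake and show the testssl certificate, and `wget http://testssl.oilgear.com:443/` should fail instead of returning 200, because nothing on port 443 speaks plaintext any more. `nginx -T` (capital T) prints every included file, which is the quickest way to find a stray `listen 443` without `ssl` or a leftover `ssl on;` in another server block.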