SSL works on Desktop not LTE Mobile


#1

Quite a bizarre thing: the SSL certs work perfectly across the board with an A+ at SSL Labs, yet the site doesn't load correctly in Safari or Chrome on iOS when using T-Mobile's LTE network.

Here's the Nginx configuration:

server {
  listen 80;               # plain HTTP, IPv4 only (no [::]:80 counterpart is declared)
  listen 443 ssl;          # HTTPS over IPv4
  listen [::]:443 ssl;     # HTTPS over IPv6
  server_name mydomain;

  # Let's Encrypt certificate, key, and the chain used to verify stapled OCSP responses
  ssl_certificate /etc/letsencrypt/live/mydomain/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/mydomain/privkey.pem;
  ssl_trusted_certificate /etc/letsencrypt/live/mydomain/fullchain.pem;

  # Session resumption through the shared server-side cache only; tickets disabled
  ssl_session_timeout 1d;
  ssl_session_cache shared:SSL:50m;
  ssl_session_tickets off;

  # TLS 1.2 only, ECDHE + AES suites, server-side cipher preference
  ssl_protocols TLSv1.2;
  ssl_ciphers EECDH+AESGCM:EECDH+AES;
  ssl_ecdh_curve secp384r1;
  ssl_prefer_server_ciphers on;

  # OCSP stapling, with nginx verifying the response against ssl_trusted_certificate
  ssl_stapling on;
  ssl_stapling_verify on;

  # Security headers (browsers only honour HSTS on HTTPS responses)
  add_header Strict-Transport-Security "max-age=15768000; includeSubdomains; preload";
  add_header X-Frame-Options DENY;
  add_header X-Content-Type-Options nosniff;

  # Plain-HTTP requests have an empty $ssl_protocol: send them to HTTPS
  if ($ssl_protocol = "") {
    rewrite ^ https://$host$request_uri? permanent;
  }

  # Reverse proxy to the app on localhost, passing WebSocket upgrades through
  location / {
    proxy_pass http://127.0.0.1:1337;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header Host $host;
  }

  # ACME HTTP-01 challenge files served from the webroot instead of the proxy
  location '/.well-known/acme-challenge/' {
    default_type "text/plain";
    root /home/j/www/mydomain;
  }

}

Any ideas?


#2

Unless you reveal your domain name, helping you is quite hard.


#4

Could you please clarify the misconfiguration regarding ports? I don’t see it.


#5

The domain is https://critical-mass.network, not that it matters.

From what I've gathered, T-Mobile's LTE network is strictly IPv6, but it should work via IPv6 as well with the current config, right?


#6

Never mind. I thought he had misconfigured the server by putting 80 and 443 in one config.


#7

Yes, it should.
However, you definitely misconfigured the server.
Please add port 80 on IPv6 to your config, or it won't load on my phone.
(As well as on SSL Labs.)


#8

server {
  listen 80;          # plain HTTP over IPv4
  listen [::]:80;     # plain HTTP over IPv6
  server_name critical-mass.network;

  # Redirect everything to HTTPS, keeping the request path
  location / {
    return 301 https://critical-mass.network$request_uri;
  }
}

Adding this, it still doesn't pick it up. Am I missing something?


#9

You should review your firewall rules for IPv6 or port forwarding if you are using it.


#10

Hi,

You have an IPv6 record and it's not accessible.
T-Mo prefers v6 over v4, so please check your config.

Thank you


#11

This ought to do it, right?

$ sudo ip6tables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all      anywhere             anywhere
REJECT     all      localhost            anywhere             reject-with icmp6-port-unreachable
ACCEPT     ipv6-icmp    anywhere             anywhere
ACCEPT     tcp      anywhere             anywhere             tcp dpt:http state NEW
ACCEPT     tcp      anywhere             anywhere             tcp dpt:https state NEW
ACCEPT     all      anywhere             anywhere             state RELATED,ESTABLISHED
LOG        all      anywhere             anywhere             limit: avg 5/min burst 5 LOG level debug prefix "ip6tables_INPUT_denied: "
REJECT     all      anywhere             anywhere             reject-with icmp6-port-unreachable

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
LOG        all      anywhere             anywhere             limit: avg 5/min burst 5 LOG level debug prefix "ip6tables_FORWARD_denied: "
REJECT     all      anywhere             anywhere             reject-with icmp6-port-unreachable

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Will the proxy_pass cause issues with nginx?


#12

That rule doesn't make much sense to me, especially if you are using proxy_pass.
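
Added example, not code from the thread or any of its posters: an offline check for the two things the replies keep pointing at. First, whether nginx is actually bound on both address families for 80 and 443 (post #7's point about the missing IPv6 port-80 listener), and second, whether the ip6tables INPUT chain has an explicit ACCEPT for each of those ports, which matters because the chain in post #11 ends in a catch-all REJECT. Both functions take command output as a string, so they run on the constructed samples below and can be pointed at a live box with `missing_listeners "$(ss -Hltn)"` and `blocked_ports "$(ip6tables -S INPUT)"`. The column layout of `ss -Hltn` and the `-A INPUT ... -j ACCEPT` form of `ip6tables -S` are the assumptions; the sample outputs are made up to mirror the thread (port 80 on IPv4 only, and a firewall with 443 deliberately left out so the check has something to report).

```shell
#!/bin/sh
# Added example (not from the original thread). Parses `ss -Hltn` and
# `ip6tables -S INPUT` output passed in as strings, so it is testable offline.

# Constructed sample of `ss -Hltn`, mirroring the config in post #1:
# port 80 bound on IPv4 only, port 443 on both families, app on 127.0.0.1:1337.
SAMPLE_SS='LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
LISTEN 0 511 0.0.0.0:443 0.0.0.0:*
LISTEN 0 511 [::]:443 [::]:*
LISTEN 0 511 127.0.0.1:1337 0.0.0.0:*'

# Constructed sample of `ip6tables -S INPUT`, loosely modelled on the -L
# listing in post #11, with the 443 rule deliberately omitted.
SAMPLE_FW='-P INPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j REJECT --reject-with icmp6-port-unreachable'

# has_listener SS_OUTPUT v4|v6 PORT -> true if a wildcard listener exists.
# Accepts both the newer (0.0.0.0 / [::]) and older (* / ::) ss spellings.
has_listener() {
  case $2 in
    v4) addr='(0\.0\.0\.0|\*)' ;;
    v6) addr='(\[::\]|::)' ;;
    *)  echo "has_listener: family must be v4 or v6" >&2; return 2 ;;
  esac
  printf '%s\n' "$1" |
    grep -Eq -e "^LISTEN[[:space:]]+[0-9]+[[:space:]]+[0-9]+[[:space:]]+${addr}:$3[[:space:]]"
}

# missing_listeners SS_OUTPUT -> space-separated "fam:port" tokens for every
# {v4,v6} x {80,443} combination that nothing is listening on.
missing_listeners() {
  out=''
  for port in 80 443; do
    for fam in v4 v6; do
      has_listener "$1" "$fam" "$port" || out="$out $fam:$port"
    done
  done
  printf '%s\n' "${out# }"
}

# fw_allows IP6TABLES_S_OUTPUT PORT -> true if an INPUT rule accepts TCP to PORT.
fw_allows() {
  printf '%s\n' "$1" |
    grep -Eq -e "^-A INPUT .*-p tcp .*--dport $2[[:space:]].*-j ACCEPT$"
}

# blocked_ports IP6TABLES_S_OUTPUT -> ports out of 80/443 with no explicit
# ACCEPT rule; with a terminal REJECT in the chain those are unreachable over v6.
blocked_ports() {
  out=''
  for port in 80 443; do
    fw_allows "$1" "$port" || out="$out $port"
  done
  printf '%s\n' "${out# }"
}

# Stand-alone run against the constructed samples.
echo "nginx not listening on: $(missing_listeners "$SAMPLE_SS")"
echo "ip6tables has no ACCEPT for: $(blocked_ports "$SAMPLE_FW")"
```

Both checks are deliberately local: a listener that is missing or a port the firewall rejects will show up here without needing an IPv6-only client, which is exactly the vantage point a phone on T-Mobile's LTE network has and a desktop on a v4 network does not.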


#13

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.