Step 4 "Verify Ownership" fails

I modified the configuration as follows:

server {
    #listen 80;
    listen 443 ssl;
    server_name  ggc.world www.ggc.world;
    ssl on;
    ssl_certificate /etc/ssl/certs/chained.pem;
    ssl_certificate_key /etc/ssl/private/domain.key;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;

    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:50m;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    ssl_stapling on;
    ssl_stapling_verify on;

    access_log /var/log/nginx/ggcworld-access.log combined;

    add_header Strict-Transport-Security "max-age=31536000";
    location = /favicon.ico { access_log off; log_not_found off; }
    location / {
         proxy_pass http://192.168.1.7:8080;
         proxy_http_version 1.1;
         proxy_set_header Upgrade $http_upgrade;
         proxy_set_header Connection "upgrade";
    }

}

But still I see in https://check-your-website.server-daten.de/?q=ggc.world
“Misconfiguration: https over port 80. Wrong port forwarding port 80 to port 443 or wrong vHost-definition”: can you please explain to me what is wrong with my nginx configuration, according to your tool?
An important aspect is that without this proxy_pass, I definitely cannot use nginx with Beego:

    location / {
         proxy_pass http://192.168.1.7:8080;
         proxy_http_version 1.1;
         proxy_set_header Upgrade $http_upgrade;
         proxy_set_header Connection "upgrade";
    }

See your raw answer:

http://ggc.world/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
37.116.210.44	400	0.073	M
Bad Request
Visible Content: 400 Bad Request The plain HTTP request was sent to HTTPS port nginx/1.15.12

Sending http on port 80, your server says: “Hey, I’m a https host”.

So my tool tries to send https to port 80 (normally, that should fail), but your server answers with a http status 200 and content.

https://www.ggc.world:80/
37.116.210.44	200	0.330	Q
Visible Content: WebRTC samples getUserMedia ⇒ canvas Take snapshot Draw a frame from the video onto the canvas element using the drawImage() method. The variables canvas, video and stream are in global scope, so you can inspect them from the console. View source on GitHub

But I can’t see if only your port forwarding is wrong (if you send port 80 to port 443) or if you don’t have a correct port 80.

What does

nginx -T

say?

Your https is now correct, both connections are secure, both connections use the certificate with both domain names.

This is the entire port mapping of my Vodafone’s configuration:

This is where in nginx configuration file the ports are defined:

server {
#listen 80;
listen 443 ssl;

location / {
     proxy_pass http://192.168.1.7:8080;
}

}

And this is where, in Beego, I defined the ports used:
app.conf:

httpaddr = 192.168.1.7
httpport = 8080

I do not know any other places where the ports are called.

You can proxy your port 443.

But that looks that you don’t have a port 80.

So create one - independent of your port 443.

In Beego’s app.conf file I modified the port assignment:

httpaddr = 192.168.1.7
#httpport = 8080
httpport = 80

And in the /etc/nginx/conf.d/default.conf file:
location / {
#proxy_pass http://192.168.1.7:8080;
proxy_pass http://192.168.1.7:80;
}

But then it says:

2019/05/13 18:10:30.564 [I] [asm_amd64.s:2361]  http server Running on http://192.168.1.7:80
2019/05/13 18:10:30.564 [C] [asm_amd64.s:2361]  ListenAndServe:  listen tcp 192.168.1.7:80: bind: permission denied

So, I left httpport = 8080 in app.conf of Beego, and added a server listening to port 80 in /etc/nginx/conf.d/default.conf :

server {
listen 443 ssl;
server_name ggc.world www.ggc.world;
ssl on;
ssl_certificate /etc/ssl/certs/chained.pem;
ssl_certificate_key /etc/ssl/private/domain.key;
ssl_session_timeout 5m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:50m;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_stapling on;
ssl_stapling_verify on;

access_log /var/log/nginx/ggcworld-access.log combined;

add_header Strict-Transport-Security "max-age=31536000";
location = /favicon.ico { access_log off; log_not_found off; }
location / {
     proxy_pass http://192.168.1.7:8080;
     proxy_http_version 1.1;
     proxy_set_header Upgrade $http_upgrade;
     proxy_set_header Connection "upgrade";
}

}

server {
listen 80;
server_name ggc.world www.ggc.world;
ssl on;
ssl_certificate /etc/ssl/certs/chained.pem;
ssl_certificate_key /etc/ssl/private/domain.key;
ssl_session_timeout 5m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:50m;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_stapling on;
ssl_stapling_verify on;

access_log /var/log/nginx/ggcworld-access.log combined;

add_header Strict-Transport-Security "max-age=31536000";
location = /favicon.ico { access_log off; log_not_found off; }
location / {
     proxy_pass http://192.168.1.7:8080;
     proxy_http_version 1.1;
     proxy_set_header Upgrade $http_upgrade;
     proxy_set_header Connection "upgrade";
}

}

But https://check-your-website.server-daten.de/?q=ggc.world still says “Misconfiguration: https over port 80. Wrong port forwarding port 80 to port 443 or wrong vHost-definition”.
So I guess something else has to be modified…

That’s completely wrong.

Your nginx may be a proxy to this other application.

But then you don’t need to proxy port 80, it’s enough if port 80 answers correct.

But if port 80 has a SSL configuration, that’s the problem (and the output of my tool).

I removed all references to SSL for port 80:

/etc/nginx/conf.d :

server {
listen 443 ssl;
server_name ggc.world www.ggc.world;

ssl on;
ssl_certificate /etc/ssl/certs/chained.pem;
ssl_certificate_key /etc/ssl/private/domain.key;
ssl_session_timeout 5m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:50m;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_stapling on;
ssl_stapling_verify on;

access_log /var/log/nginx/ggcworld-access.log combined;

add_header Strict-Transport-Security "max-age=31536000";
location = /favicon.ico { access_log off; log_not_found off; }
location / {
     proxy_pass http://192.168.1.7:8080;
     proxy_http_version 1.1;
     proxy_set_header Upgrade $http_upgrade;
     proxy_set_header Connection "upgrade";
}

}

server {
listen 80;
server_name ggc.world www.ggc.world;

access_log /var/log/nginx/ggcworld-access.log combined;

add_header Strict-Transport-Security "max-age=31536000";
location = /favicon.ico { access_log off; log_not_found off; }
location / {
     proxy_pass http://192.168.1.7:8080;
     proxy_http_version 1.1;
     proxy_set_header Upgrade $http_upgrade;
     proxy_set_header Connection "upgrade";
}

}

Now, checking with https://check-your-website.server-daten.de/?q=ggc.world

the previous error message has gone, but I still have some error to remove:
https://drive.google.com/open?id=1QnvuPFFmr8UcIqdiJmeRvocAnkE89YLC

Can you please explain to me what these error messages mean, and, possibly, give some hints about how to solve them?

  1. “fatal error: http result with http-status 200, no encryption”
  2. “Error - more then one version with Http-Status 200”
  3. “https://ggc.world/ 37.116.210.44 - 200 - Content problems - mixed, files doesn’t exist, different Content-Type definitions”
  4. “https://www.ggc.world/ 37.116.210.44 - 200 - Content problems - mixed, files doesn’t exist, different Content-Type definitions”
  5. “Error - no preferred version www or non-www”

Now the basics are good.

You don’t have redirects http -> https. But don’t redirect /.well-known/acme-challenge to your special https host. And you don’t have a preferred version (non-www or www).

Check all red things.

link	stylesheet	../../../css/main.css	404	2001 Bytes	Not Found	1	missing file

missing file - there is no such file, so the link is wrong.

You can ignore the

Cross-Origin Resource Sharing (CORS) supported
missing crossorigin=anonymous|use-credentials and integrity - attribute, possible hash-values:
sha256-qNcUKMnme5sujEfmbJD0UwScRinMowDNm1DAzVNI2R4=
sha384-sLfbIJNbwTdFTjHNynT+8jI2OpM/W6wmzhYfLvsNbg1yuaW2rbGaeMpoe9QDITRJ
sha512-H7uz8NSEA/yUtVsUDP145QCyR4zal/+ev62KgXt6T+SjPojmJxKn4vCw3bhNynPDHEdNMVWHPqDABTdE8OhCQA==
<link rel="stylesheet" href="//fonts.googleapis.com/css?family=Roboto:300,400,500,700" crossorigin="anonymous" integrity="sha256-qNcUKMnme5sujEfmbJD0UwScRinMowDNm1DAzVNI2R4= " /> 

that’s very new (added last weekend) and isn’t (currently) used to calculate the range.
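The checker output quoted above lists Subresource Integrity (SRI) hashes for an external stylesheet and suggests a link tag with both crossorigin and integrity attributes. The following is an added example, not code from the thread or from the checker: a Python helper that generates such tokens for a resource body and verifies fetched content against an integrity attribute the way a browser does (several tokens may be listed, the strongest algorithm present decides, unknown algorithms are ignored). The CSS body is constructed; real tokens must be computed over the exact bytes the CDN serves.

```python
"""Added example (not from the thread): generate and verify SRI integrity tokens."""
import base64
import hashlib

SRI_ALGOS = ("sha256", "sha384", "sha512")   # the only algorithms SRI allows, weakest first


def sri_token(content: bytes, algo: str = "sha384") -> str:
    """Return `<algo>-<base64 digest>` for a resource body, as used in an integrity attribute."""
    if algo not in SRI_ALGOS:
        raise ValueError(f"unsupported SRI algorithm: {algo}")
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def verify_integrity(content: bytes, integrity: str) -> bool:
    """Browser-style check of `content` against an integrity attribute value.

    The attribute may carry several whitespace-separated tokens; only tokens of
    the strongest listed algorithm count, and the content passes if it matches
    any of them. An attribute with no usable token fails (an audit stance; a
    browser would simply skip the check)."""
    by_algo = {}
    for token in integrity.split():
        algo, _, b64 = token.partition("-")
        if algo in SRI_ALGOS:
            by_algo.setdefault(algo, set()).add(b64)
    if not by_algo:
        return False
    strongest = max(by_algo, key=SRI_ALGOS.index)
    actual = sri_token(content, strongest).partition("-")[2]
    return actual in by_algo[strongest]


def link_tag(href: str, content: bytes, algo: str = "sha384") -> str:
    """Emit the kind of <link> the checker suggests: a cross-origin stylesheet needs
    crossorigin (so the response is readable for hashing) as well as integrity."""
    return (f'<link rel="stylesheet" href="{href}" '
            f'crossorigin="anonymous" integrity="{sri_token(content, algo)}">')


# Constructed sample body; not the real stylesheet from the thread.
SAMPLE_CSS = b"body { font-family: Roboto, sans-serif; }\n"

if __name__ == "__main__":
    print(link_tag("//fonts.example/roboto.css", SAMPLE_CSS))
    print(verify_integrity(SAMPLE_CSS, sri_token(SAMPLE_CSS, "sha256")))
```

Pinning a third-party stylesheet this way only helps if the file never changes; a CDN that ships updated bytes under the same URL will make the browser refuse the resource, which is the intended failure mode.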

Based on NGINX-Cookbook-2019 : https://drive.google.com/open?id=1DVwUT2WYQfOlUrN__C661r2cDrMVeBzd
and : https://drive.google.com/open?id=1VWW-INoZgJm02uManxdQ27T14KXxq3e9

I modified /etc/nginx/conf.d/default.conf as follows:

server {
listen 443 http2 default_server;
server_name ggc.world www.ggc.world;

ssl on;
ssl_certificate /etc/ssl/certs/chained.pem;
ssl_certificate_key /etc/ssl/private/domain.key;
ssl_session_timeout 5m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:50m;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_stapling on;
ssl_stapling_verify on;

access_log /var/log/nginx/ggcworld-access.log combined;

add_header Strict-Transport-Security "max-age=31536000";
location = /favicon.ico { access_log off; log_not_found off; }
location / {
     proxy_pass http://192.168.1.7:8080;
     proxy_http_version 1.1;
     proxy_set_header Upgrade $http_upgrade;
     proxy_set_header Connection "upgrade";
}

}
server {
#listen 80 default server;
listen [::]:80 default_server;
server_name ggc.world www.ggc.world;
return 443 https://$host$request_uri;

access_log /var/log/nginx/ggcworld-access.log combined;

add_header Strict-Transport-Security "max-age=31536000";
location = /favicon.ico { access_log off; log_not_found off; }
location / {
     proxy_pass http://192.168.1.7:8080;
     proxy_http_version 1.1;
     proxy_set_header Upgrade $http_upgrade;
     proxy_set_header Connection "upgrade";
}

}

But the above error messages still appear.

You have to recheck your domain.

The last check

Checked: 14.05.2019 10:20:20

is 5 hours old.

Actually, the above error messages finally disappeared.
But now this problem suddenly appears:
a TCP connection failure, probably due to a firewall: https://drive.google.com/open?id=1JtRAGFwSv__WCMdkvvWePtW8IgIfGO15

I checked also with PacketSender application: https://drive.google.com/open?id=1bnZBb4YXFXaqmh7tPc1x-kZuDwq-VxkJ

What “drives me crazy” is the fact that the Vodafone Firewalls are all disabled:

and the laptop’s firewall is disabled:

riccardo@riccardo-HP-Laptop-15-da0xxx:~$ sudo ufw status
Status: inactive

And this is the /etc/nginx/conf.d/default.conf file:

server {
listen 443 http2 default_server;
server_name ggc.world www.ggc.world;

ssl on;
ssl_certificate /etc/ssl/certs/chained.pem;
ssl_certificate_key /etc/ssl/private/domain.key;
ssl_session_timeout 5m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:50m;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_stapling on;
ssl_stapling_verify on;

access_log /var/log/nginx/ggcworld-access.log combined;

add_header Strict-Transport-Security "max-age=31536000";
location = /favicon.ico { access_log off; log_not_found off; }
location / {
     proxy_pass http://192.168.1.7:8080;
     proxy_http_version 1.1;
     proxy_set_header Upgrade $http_upgrade;
     proxy_set_header Connection "upgrade";
}

}
server {
#listen 80 default server;
#listen [::]:80 default_server;
listen [::]:80;
server_name ggc.world www.ggc.world;
return 443 https://$host$request_uri;

access_log /var/log/nginx/ggcworld-access.log combined;

add_header Strict-Transport-Security "max-age=31536000";
location = /favicon.ico { access_log off; log_not_found off; }
location / {
     proxy_pass http://192.168.1.7:8080;
     proxy_http_version 1.1;
     proxy_set_header Upgrade $http_upgrade;
     proxy_set_header Connection "upgrade";
}

}

And Beego’s configuration file doesn’t contain any reference to any firewall:
appname = MyPage
httpaddr = 192.168.1.7
httpport = 8080
runmode = dev

Should I “Allow ping to WAN interface” in the Vodafone’s configuration?
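The configurations posted in this thread show two kinds of listener mistake: first a port 80 server block that still carried ssl on (which is what the checker reports as “https over port 80”), and later a redirect block using return 443 instead of a redirect status, with listen [::]:80 as its only listener. nginx binds [::] to IPv6 only unless ipv6only=off is given, so an IPv4 client such as the checker gets no TCP connection on port 80 at all. The following is an added example, not code from the thread or from nginx: a small Python linter that parses server blocks and flags those patterns, run on configs constructed from the posted snippets. The “clean” layout at the end is an assumed corrected setup (plain HTTP on port 80 answering the ACME challenge path and redirecting everything else with 301), with /var/www/acme as a placeholder document root.

```python
"""Added example (not from the thread): lint nginx server blocks for the listener mistakes discussed above."""
import re

REDIRECT_CODES = {301, 302, 303, 307, 308}
ACME_PATH = "/.well-known/acme-challenge"

def strip_comments(text):
    """Drop `# ...` comments; nginx has no block comments."""
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())

def server_blocks(text):
    """Return the body of every `server { ... }` block, found by brace counting."""
    text, bodies = strip_comments(text), []
    for m in re.finditer(r"\bserver\s*\{", text):
        depth, i = 1, m.end()
        while i < len(text) and depth:
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        bodies.append(text[m.end():i - 1])
    return bodies

def directives(body):
    """Return (name, args) for each statement directly inside `body`; a nested
    `{...}` block contributes only its header (e.g. `location /`)."""
    out, buf, depth = [], [], 0
    def flush():
        parts = "".join(buf).split()
        if parts:
            out.append((parts[0], parts[1:]))
        buf.clear()
    for ch in body:
        if ch == "{":
            depth += 1
            if depth == 1:
                flush()          # record the block header, then skip its contents
        elif ch == "}":
            depth -= 1
        elif depth == 0:
            if ch == ";":
                flush()
            else:
                buf.append(ch)
    return out

def parse_listen(args):
    """Split a `listen` directive into the fields the checks need."""
    addr = args[0]
    if addr.startswith("["):                     # [::]:80 form
        port = addr.partition("]:")[2]
        ipv6_only = "ipv6only=off" not in args   # nginx default is ipv6only=on
    else:                                        # 80, *:80 or 1.2.3.4:80
        port = addr.rsplit(":", 1)[-1]
        ipv6_only = False
    return {"raw": addr, "port": int(port) if port.isdigit() else None,
            "ipv6_only": ipv6_only, "ssl": "ssl" in args}

def lint(config):
    """Return one finding per problem; an empty list means clean."""
    findings = []
    for n, body in enumerate(server_blocks(config), 1):
        ds = directives(body)
        ssl_on = any(nm == "ssl" and args[:1] == ["on"] for nm, args in ds)
        listens = [parse_listen(args) for nm, args in ds if nm == "listen" and args]
        ipv4_ports = {li["port"] for li in listens if not li["ipv6_only"]}
        for li in listens:
            if (ssl_on or li["ssl"]) and li["port"] == 80:
                findings.append(f"server {n}: port 80 serves TLS; plain HTTP gets 400")
            if li["ipv6_only"] and li["port"] not in ipv4_ports:
                findings.append(f"server {n}: listen {li['raw']} is IPv6 only")
        for nm, args in ds:
            if (nm == "return" and len(args) == 2 and args[0].isdigit()
                    and "://" in args[1] and int(args[0]) not in REDIRECT_CODES):
                findings.append(f"server {n}: return {args[0]} is not a redirect; use 301")
        if (80 in {li["port"] for li in listens} and any(nm == "return" for nm, _ in ds)
                and not any(nm == "location" and ACME_PATH in " ".join(args) for nm, args in ds)):
            findings.append(f"server {n}: server-level return also applies to {ACME_PATH}")
    return findings

# Constructed from the thread's port-80 block that still carried `ssl on`.
BAD_PORT80_TLS = """
server {
    listen 80;
    ssl on;
    location / { proxy_pass http://192.168.1.7:8080; }
}"""
# Constructed from the later redirect block: IPv6-only listen and `return 443`.
BAD_REDIRECT = """
server {
    listen [::]:80 default_server;
    return 443 https://$host$request_uri;
    location / { proxy_pass http://192.168.1.7:8080; }
}"""
# Clean layout (an assumption about the intended setup, not the thread's own).
GOOD = """
server {
    listen 80; listen [::]:80;
    location /.well-known/acme-challenge/ { root /var/www/acme; }
    location / { return 301 https://$host$request_uri; }
}
server {
    listen 443 ssl http2; listen [::]:443 ssl http2;
    ssl_certificate /etc/ssl/certs/chained.pem;
    location / { proxy_pass http://192.168.1.7:8080; }
}"""
```

Calling lint(BAD_PORT80_TLS), lint(BAD_REDIRECT) and lint(GOOD) returns one, three and zero findings respectively. The brace-counting parser is deliberately minimal (it handles the directive shapes seen in this thread, not every nginx construct), and nginx -t will accept all three configs, which is why a check like this is worth running separately.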

In the morning, you had a Grade I

Checked: 14.05.2019 10:20:20

Without any firewall or other problem. So you should change your settings back.

What really worries me is that from our last chat I didn’t do anything (I just went to the swimming pool!)

@JuergenAuer
Since the nginx configuration above gave good grades, I copied it. But still “connect failure - perhaps firewall”. And even worse, “Fatal error: Nameserver doesn’t support TCP connection”: https://drive.google.com/open?id=1KME3F9cOP2y_x9sXjZvsCUgHIgkziCAx

I again checked all the possible sources of firewalls:

So, please let me know what other sources of possible Firewalls I’m missing.

You don’t manage this nameserver of the world zone:

X Fatal error: Nameserver doesn’t support TCP connection: demand.alpha.aridns.net.au: Fatal error (-14). Details: Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host. - An existing connection was forcibly closed by the remote host

This is an informational message, nothing you can change.

This morning it worked. I have no idea what you have changed.

I didn’t change anything from this morning. That’s what worries me.
The only possible sources of firewalls I can see are these ones:

All these settings remained unchanged, that’s why I would like to learn which other sources of firewall I could check, if any exist.
