Testing with OpenSSL and s_client - CloudFlare Proxying


#1

Hello,

When I try to open one of my site , it calls for certificate on another server in my vps.

and safari chrome gives be mismatch errors.

when i check

openssl s_client -connect

indeed i can see that wrong certificate is loading.

how can i correct this:


nginx web server
site is pratikk.net


#2

Hi @auludag,

I agree that your certificate is misconfigured. One thing to be aware of is that when testing with openssl s_client, you should also supply -servername in order to send SNI data and better match the behavior of browsers. In that case this would be

openssl s_client -servername pratikk.net -connect pratikk.net:443

However, that’s not the problem in this particular case…

The problem will have to do with your web server configuration. Did you configure the certificates yourself? Did you do it using a control panel or something, or by editing web server configuration files?


#3

Hi @schoen, thank you for reaching to solve this case.

I used a automation script called “easyengine” to create certificates.

[it is very simple command

ee site update example.com --letsencrypt
ee site update example.com --letsencrypt=off
]

at that time site is behind cloudflare and when i change cloudflare ssl settings to full, everything was working.

Aftter my latest debian OS update for vps,SSL stopped wordking. I updated debian packages with aptget update upgrade, finished successfully. to after that update cloudflare started to give 525 error.

so i removed pratikk.net from behind cloudflare.

And problem transformed from 525 error to wrong certificate.


#4

Hi @auludag,

Thanks for the information. I’m not familiar with easyengine and I’m not sure if anyone else here is.

You might want to look over existing threads on this forum that mention easyengine.

https://community.letsencrypt.org/search?q=easyengine

If none of them is relevant to your problem, you should probably try to find a different support forum that relates to easyengine, because I’m pretty sure that the trouble is that easyengine did not succeed in configuring your nginx server correctly.


#5

Hi @schoen, today i checked that search query you shared, thanks.

then since i believed, easyengine just creates necessary config files and certificates for the first time. and since it was working until debian update, the certificates can be generated again without easyengine. with more manual method.
Then i generated new certificate by using this link below.

and certificate generate successfully.

but it was again wrong site direct. i duplicated a working nginx site configs and changed sitenames with pratikk.net and voila! site started to work.

then i check again with the command you told me

openssl s_client -servername pratikk.net -connect pratikk.net:443

it was ok.

and it seems at the end it was nginx mumbling about conf files.

thank you for reaching out again and helping me think alternative approaches.

the interesting thing when i run
openssl s_client -connect pratikk.net:443 (not the command you told but my first tried command)

it gives still other sitename. it makes me wonder.


#6

Hi @auludag,

Several years ago, web servers (and browsers) didn’t support Server Name Indication so you could only have one certificate per ip address. Since SNI was implemented you can server multiple certificates per ip address, so when using this command:

openssl s_client -connect pratikk.net:443

Your web server doesn’t know what is the server name it should looking for a certificate and serves the default one that in your case is adnanuludag.net.

When adding the servername option to openssl:

openssl s_client -connect pratikk.net:443 -servername pratikk.net

You are telling the web server that the server name you are looking for is pratikk.net. If you have configured your web server for this domain, the web server finds it and serves the specific conf for it, in this case with the right certificate.

I don’t know whether I’ve explained it very well but I hope you can understand the difference :wink:

Cheers,
sahsanu


#7

hi @auludag

Sorry to be a pain but try to give all the facts. I have seen your domain before in this post Using CloudFlare with Let's Encrypt With CloudFlare - Issues with Reverse Proxying

There are several key bits of information missing from this post such as what certificates are being returned.

Andrei


#8

hi @ahaw021 sorry if i gave trouble. there was 2 different problems at that time. so i tried to separate them before asking for help. to explain the problem for me and, speed up for you understanding the problem. (maybe that was mistake)

one of the problem is three ssl sites behind cloudflare was giving 525 when I update OS. i just use the most important site pratikk as an example not mentioned other ones since i thought if i solve one, i can apply to others. that was maybe another mistake. and sorry for this as well.

the other problem arousing from this. “removing the pratikk.net from Cloudflare with panic to solve 525 while waiting for the answer (well patience is a cure that most of the times can’t be applied :confused: ) . and dealing with wrong certificate”.

i decided to open another topic since it isn’t relevant cloudflare anymore.

well that was my thought train but for sure, next time i will be careful for this. sorry for the trouble that might cause from this.


#9

hi @sahsanu, indeed! thank you.


#10

hi @auludag

Not an issue at all. Just part of the learning process.

I only picked it up because I look at post from oldest to newset

Don’t beat yourself up about it :smiley:

Andrei


#11

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.