This site can't provide a secure connection with virtual host

I have a static internet IP, and our router NATs port 80 to my server (192.168.1.5). We just added port 443 as well, but it still shows "This site can't provide a secure connection".

You will need to port map both (80 and 443).


We created NAT on 80 and 443 as well, but the problem still persists.

It still does not look like requests to port 443 get to that nginx server. Can you show result of these two commands from that server?

ifconfig | grep -Ei 'add|inet' 
sudo netstat -pant | grep -i listen
root@test:/etc/nginx/sites-available# ifconfig | grep -Ei 'add|inet'
        inet 172.18.0.1  netmask 255.255.0.0  broadcast 172.18.255.255
        inet6 fe80::42:b5ff:fe10:13c9  prefixlen 64  scopeid 0x20<link>
        inet 172.17.0.1  netmask 255.255.0.0  broadcast 172.17.255.255
        inet 192.168.1.15  netmask 255.255.255.0  broadcast 192.168.1.255
        inet6 fe80::e61f:13ff:fe2c:8fa4  prefixlen 64  scopeid 0x20<link>
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        inet6 fe80::300e:5fff:fe92:73ad  prefixlen 64  scopeid 0x20<link>
        inet6 fe80::3c3f:83ff:fe9e:f8dc  prefixlen 64  scopeid 0x20<link>
root@test:/etc/nginx/sites-available# sudo netstat -pant | grep -i listen
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      1160/systemd-resolv
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1623/sshd
tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN      2809/docker-proxy
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      18613/nginx: master
tcp        0      0 192.168.1.15:5090    0.0.0.0:*               LISTEN      1711/freeswitch
tcp        0      0 192.168.1.15:5060    0.0.0.0:*               LISTEN      1711/freeswitch
tcp        0      0 127.0.0.1:5000          0.0.0.0:*               LISTEN      2823/docker-proxy
tcp        0      0 127.0.0.1:9001          0.0.0.0:*               LISTEN      1298/node
tcp        0      0 192.168.1.15:5066    0.0.0.0:*               LISTEN      1711/freeswitch
tcp        0      0 127.0.0.1:6379          0.0.0.0:*               LISTEN      1409/redis-server 1
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      18613/nginx: master
tcp        0      0 192.168.1.15:7443    0.0.0.0:*               LISTEN      1711/freeswitch
tcp6       0      0 :::8021                 :::*                    LISTEN      1711/freeswitch
tcp6       0      0 :::22                   :::*                    LISTEN      1623/sshd
tcp6       0      0 127.0.0.1:8090          :::*                    LISTEN      1704/java
tcp6       0      0 ::1:5090                :::*                    LISTEN      1711/freeswitch
tcp6       0      0 127.0.0.1:8900          :::*                    LISTEN      1794/java
tcp6       0      0 ::1:5060                :::*                    LISTEN      1711/freeswitch
tcp6       0      0 127.0.0.1:8901          :::*                    LISTEN      1802/java
tcp6       0      0 127.0.0.1:8005          :::*                    LISTEN      1997/java
tcp6       0      0 ::1:5066                :::*                    LISTEN      1711/freeswitch
tcp6       0      0 ::1:6379                :::*                    LISTEN      1409/redis-server 1
tcp6       0      0 :::8080                 :::*                    LISTEN      1997/java
tcp6       0      0 ::1:7443                :::*                    LISTEN      1711/freeswitch
root@test:/etc/nginx/sites-available#


Was that a typo? Because you just showed 192.168.1.15


It is not a problem; I just changed it for security. It was 192.168.1.5.

Is there something we should be aware of?


Can you show us:

sudo systemctl status nginx

Thanks

root@test:/etc/nginx/sites-available# sudo systemctl status nginx
● nginx.service - A high performance web server and a reverse proxy server
   Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled)
   Active: active (running) since Wed 2022-06-08 00:55:06 UTC; 2h 17min ago
     Docs: man:nginx(8)
  Process: 18600 ExecStop=/sbin/start-stop-daemon --quiet --stop --retry QUIT/5 --pidfile /run/nginx.pid (code=exited, status=0/SUCCESS)
  Process: 18612 ExecStart=/usr/sbin/nginx -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
  Process: 18601 ExecStartPre=/usr/sbin/nginx -t -q -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
 Main PID: 18613 (nginx)
    Tasks: 9 (limit: 4915)
   CGroup: /system.slice/nginx.service
           ├─18613 nginx: master process /usr/sbin/nginx -g daemon on; master_process on;
           ├─18615 nginx: worker process
           ├─18617 nginx: worker process
           ├─18619 nginx: worker process
           ├─18621 nginx: worker process
           ├─18622 nginx: worker process
           ├─18623 nginx: worker process
           ├─18624 nginx: worker process
           └─18625 nginx: worker process

Jun 08 00:55:06 test systemd[1]: Starting A high performance web server and a reverse proxy server...
Jun 08 00:55:06 test systemd[1]: Started A high performance web server and a reverse proxy server.

To which IP does the NAT send the port 80 and 443 requests?


I don't think the https requests are reaching that server correctly. I think it is most likely in your NAT forwarding.

But, if you don't see anything with that then this logging may help.

Add the logging below for your two now.[redacted] server blocks.
This will prove where the requests are processed and may show errors.

Update /etc/nginx/sites-enabled/default

Add these lines:

    error_log   /var/log/nginx/error443.log warn;
    access_log  /var/log/nginx/access443.log;

after these lines in the listen 443 server:

server {
    server_name now.[redacted];
    client_max_body_size 2048M;

And, add these lines:

    error_log   /var/log/nginx/error80.log warn;
    access_log  /var/log/nginx/access80.log;

after these lines in the listen 80 server:

server {
    if ($host = now.[redacted]) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

Then restart nginx and run these tests:

curl -I https://now.[redacted]/trying443.html
curl -I http://now.[redacted]/try80.html
curl -I http://now.[redacted]:443/tryhttpwith443.html

And show the contents of the 4 log files


curl: (35) error:1408F10B:SSL routines:ssl3_get_record:wrong version number

3 of the 4 logs were empty.

root@test:/var/log/nginx# cat access80.log
192.168.1.202 - - [08/Jun/2022:03:52:57 +0000] "HEAD /try80.html HTTP/1.1" 301 0 "-" "curl/7.58.0"
192.168.1.202 - - [08/Jun/2022:03:53:02 +0000] "HEAD /tryhttpwith443.html HTTP/1.1" 301 0 "-" "curl/7.58.0"

.202 is my PC's IP.

Temporarily change:

    location / {
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-NginX-Proxy true;
      proxy_pass http://192.168.1.10:4000;
      proxy_ssl_session_reuse off;
      proxy_set_header Host $http_host;
      proxy_cache_bypass $http_upgrade;
      proxy_redirect off;
    }

to:

    location / {
      return 200 'this much works securely';
    }

then try:
curl -I https://now.[redacted]/trying443-200.html
and show the output and log entry.


I suspect even that simple test will fail:

openssl s_client -connect now.[redacted]:443
CONNECTED(0000019C)
6096:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:ssl\record\ssl3_record.c:250:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 176 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1654662847
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---

I think the version of nginx has been stripped of all higher TLS, try SSLv3.


It shows again.

root@test:/etc/nginx/sites-available# curl -I https://now.[redacted]/trying443-200.html
curl: (35) error:1408F10B:SSL routines:ssl3_get_record:wrong version number

How can it be changed?

root@test:/etc/nginx/sites-available# dpkg -l | grep -i openssl
ii  libcurl4:amd64                         7.58.0-2ubuntu3.18                              amd64        easy-to-use client-side URL transfer library (OpenSSL flavour)
ii  libcurl4-openssl-dev:amd64             7.58.0-2ubuntu3.18                              amd64        development files and documentation for libcurl (OpenSSL flavour)
ii  libxmlsec1-openssl:amd64               1.2.25-1build1                                  amd64        Openssl engine for the XML security library
ii  openssl                                1.1.1-1ubuntu2.1~18.04.17                       amd64        Secure Sockets Layer toolkit - cryptographic utility
ii  python3-ndg-httpsclient                0.4.4-1                                         all          enhanced HTTPS support for httplib and urllib2 using PyOpenSSL for Python3
ii  python3-openssl                        17.5.0-1ubuntu1                                 all          Python 3 wrapper around the OpenSSL library
ii  python3-service-identity               16.0.0-2                                        all          Service identity verification for pyOpenSSL (Python 3 module)

This request should NOT be in access80.log, as it was directed towards port 443.

Please double, triple, quatro-check your portmaps.

Although... the weird thing is: you're doing this from within your own network, it seems, looking at the .202 IP address? Is there a local firewall messing with the ports on your host? Iptables redirecting 443 to 80 or something like that?

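The symptom the replies above are circling (curl's "wrong version number" plus the request landing in access80.log) means the TLS client received plain HTTP bytes on port 443. The following diagnostic tells a real TLS listener apart from a plain-HTTP server answering on the TLS port. It is added example code, not from anyone in the thread, and it ships with a constructed local stand-in for a misrouted port-80 nginx so it can be run offline; the hostname `now.example` in the fake reply is a placeholder.

```python
"""Classify what is really answering on a port that should speak TLS."""
import socket
import ssl
import threading


def probe_tls_port(host: str, port: int, timeout: float = 5.0) -> dict:
    """Attempt a TLS handshake; on 'wrong version number', re-ask in cleartext."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # diagnostic only: we ask whether TLS is spoken at all
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return {"verdict": "tls", "detail": tls.version()}
    except ssl.SSLError as exc:
        # Anything other than a non-TLS reply to our ClientHello is a TLS-level fault.
        if "WRONG_VERSION_NUMBER" not in str(exc):
            return {"verdict": "tls-error", "detail": str(exc)}
    except OSError as exc:
        return {"verdict": "unreachable", "detail": str(exc)}
    # The peer answered the ClientHello with bytes that are not a TLS record.
    # Ask it in cleartext: a plain-HTTP status line means the port is misrouted.
    with socket.create_connection((host, port), timeout=timeout) as raw:
        raw.sendall(b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
        first = raw.recv(256).split(b"\r\n", 1)[0].decode("latin-1", "replace")
    verdict = "plaintext-http" if first.startswith("HTTP/") else "not-tls"
    return {"verdict": verdict, "detail": first}


def start_fake_plain_http_server() -> int:
    """Constructed stand-in for a port-80 nginx: answers any bytes with a 301."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    reply = (b"HTTP/1.1 301 Moved Permanently\r\n"
             b"Location: https://now.example/\r\nContent-Length: 0\r\n\r\n")

    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                conn.recv(4096)  # swallow a ClientHello or a HEAD request alike
                conn.sendall(reply)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    print(probe_tls_port("127.0.0.1", start_fake_plain_http_server()))
```

Against the real host, `probe_tls_port("now.[redacted]", 443)` returning `plaintext-http` confirms the port map or a local redirect is delivering 443 to the port-80 server rather than anything wrong with nginx's TLS build.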

Show:
nginx -V


root@test:/etc/nginx/sites-available# nginx -V
nginx version: nginx/1.14.0 (Ubuntu)
built with OpenSSL 1.1.1  11 Sep 2018
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2 -fdebug-prefix-map=/build/nginx-KgqPmI/nginx-1.14.0=. -fstack-protector-strong -Wformat -Werror=format-security -fPIC -Wdate-time -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now -fPIC' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --modules-path=/usr/lib/nginx/modules --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_dav_module --with-http_slice_module --with-threads --with-http_addition_module --with-http_geoip_module=dynamic --with-http_gunzip_module --with-http_gzip_static_module --with-http_image_filter_module=dynamic --with-http_sub_module --with-http_xslt_module=dynamic --with-stream=dynamic --with-stream_ssl_module --with-mail=dynamic --with-mail_ssl_module

Show output from your .202 PC:
ping now.[redacted]
