This site can't provide a secure connection with virtual host

ping now.[redacted]
Pinging now.[redacted] [43.228.131.113] with 32 bytes of data:
Reply from 43.228.131.113: bytes=32 time=2ms TTL=62

What is the inside IP?
[the one the NAT goes to]

10 Likes

Show output:
openssl s_client -connect 192.168.201.10:443 -servername now.[redacted]

10 Likes
root@test:/etc/nginx/sites-available# openssl s_client -connect 192.168.1.10:443 -servername now.[redacted]
CONNECTED(00000005)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = now.[redacted]
verify return:1
---
Certificate chain
 0 s:CN = now.[redacted]
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
Server certificate
subject=CN = now.[redacted]

issuer=C = US, O = Let's Encrypt, CN = R3

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4648 bytes and written 403 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-CHACHA20-POLY1305
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-CHACHA20-POLY1305
    Session-ID: 1E6ACE6DCD1BD6EF93CE0A55945081814AF249377A4E10F90C44C82465822BB1
    Session-ID-ctx:
    Master-Key: 4589976D9F58B847688BB7DFAF499D1528B8367799F48EF3C0AA33132808FDB6469C7D520195D05E69DD4AC8C564618B
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 86400 (seconds)
    TLS session ticket:

    Start Time: 1654670411
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---

So, internally nginx works just fine.
The "problem" is within your NAT device.

You can confirm it by adding a hosts file entry in your PC:
192.168.201.10 now.[redacted]
And then point your browser to it.

Feel free to buy me a :beer: LOL

12 Likes
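
The check suggested in the reply above can also be run without editing the hosts file. The following is an added example, not part of the original thread: it performs the same handshake as `openssl s_client -connect IP:443 -servername NAME` against the inside address and the public address and compares the results. The function names `probe` and `diagnose` and the command-line arguments are assumptions made for this illustration.

```python
import hashlib
import socket
import ssl
import sys


def probe(ip, sni, port=443, timeout=5.0):
    """TLS handshake to a fixed IP while sending `sni` as the server name,
    like `openssl s_client -connect ip:port -servername sni`."""
    ctx = ssl.create_default_context()  # verifies the chain and the hostname
    try:
        with socket.create_connection((ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=sni) as tls:
                der = tls.getpeercert(binary_form=True)
                return {"ok": True, "protocol": tls.version(),
                        "sha256": hashlib.sha256(der).hexdigest()}
    except (ssl.SSLError, OSError) as exc:
        # Refused, timed out, non-TLS answer, or certificate mismatch.
        return {"ok": False, "error": f"{type(exc).__name__}: {exc}"}


def diagnose(inside, outside):
    """Classify where the failure sits from the two probe results."""
    if not inside["ok"]:
        return "server"          # fails even when the NAT is bypassed
    if not outside["ok"]:
        return "nat"             # server is fine, public path breaks TLS
    if inside["sha256"] != outside["sha256"]:
        return "nat-wrong-host"  # public IP forwards to another endpoint
    return "ok"


if __name__ == "__main__":
    # Usage: script.py HOSTNAME INSIDE_IP PUBLIC_IP
    name, inside_ip, public_ip = sys.argv[1:4]
    inside, outside = probe(inside_ip, name), probe(public_ip, name)
    print("inside :", inside)
    print("outside:", outside)
    print("verdict:", diagnose(inside, outside))
```

A verdict of `nat` or `nat-wrong-host` matches the situation in this thread: the web server answers correctly on its inside address, so the port forward on the NAT device is the place to look.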

I edited the hosts file, then tried
[redacted]
SSL works fine with it.
But is it a NAT problem for sure?

It shows the same with the internal network

Thank you all. It was a NAT problem.

2 Likes

domain [redacted] at the request of @allsolution

9 Likes
