Ubuntu 16.04, NGINX configuration error after adding subdomain


#1

Hello. I am new to using self-hosted solutions. I have a box with Linode. It is set up with Ubuntu 16.04 running Nginx. I am trying to set up a few WordPress sites. kaidawei.me will be the main site, and subdomain.

After much difficulty with setting up the main website (I had to delete and reset the box 4 times) I finally got a stable install. I added the subdomain with no problem. The main domain was working fine, but now gives warnings when you visit; the subdomain is working fine with Let’s Encrypt.

I used the following command to add the subdomain, based on a forum post here:

$ sudo certbot -a webroot -i nginx --cert-name kaidawei.me -d www.kaidawei.me -d wpbase.kaidawei.me

The initial command I used was:

$ sudo certbot --nginx -d kaidawei.me -d www.kaidawei.me

I verified with $ sudo ufw status:

Nginx Full

When I run $ sudo certbot renew --dry-run, I get no errors.

But in the error logs it seems these errors are related:

2018/03/08 11:21:26 [crit] 23452#23452: *421 SSL_do_handshake() failed (SSL: error:14094085:SSL routines:ssl3_read_b$
2018/03/08 11:21:26 [crit] 23452#23452: *423 SSL_do_handshake() failed (SSL: error:14094085:SSL routines:ssl3_read_b$
2018/03/08 11:21:45 [crit] 23452#23452: *468 SSL_do_handshake() failed (SSL: error:14094085:SSL routines:ssl3_read_b$
2018/03/08 11:21:45 [crit] 23452#23452: *469 SSL_do_handshake() failed (SSL: error:14094085:SSL routines:ssl3_read_b$

I have two server block files in the sites-available directory, one for each site: kaidawei.me and wpbase.kaidawei.me.

I deleted the default file.

for KAIDAWEI.ME (MAIN DOMAIN SITE)

server {

    root /var/www/html/kaidawei.me/public_html;
    index index.php index.html index.htm index.nginx-debian.html;

    server_name kaidawei.me www.kaidawei.me;

    location / {
        try_files $uri $uri/ /index.php$is_args$args;
        #try_files $uri $uri/ =404;
    }

    location = /favicon.ico { log_not_found off; access_log off; }
    location = /robots.txt { log_not_found off; access_log off; allow all; }
    location ~* \.(css|gif|ico|jpeg|jpg|js|png)$ {
        expires max;
        log_not_found off;
    }

    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/php7.0-fpm.sock;
    }

    location ~ /\.ht {
        deny all;
    }

    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/kaidawei.me/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/kaidawei.me/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

} # end of HTTPS server block

server {
    if ($host = www.kaidawei.me) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    if ($host = kaidawei.me) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    listen [::]:80;

    server_name kaidawei.me www.kaidawei.me;
    return 404; # managed by Certbot

}

==========================================================================

The server blocks are:

for WPBASE.KAIDAWEI.ME (SUBDOMAIN SITE)

server {

    root /var/www/html/wpbase.kaidawei.me/public_html;
    index index.php index.html index.htm index.nginx-debian.html;

    server_name wpbase.kaidawei.me;

    location / {
        try_files $uri $uri/ /index.php$is_args$args;
        #try_files $uri $uri/ =404;
    }

    location = /favicon.ico { log_not_found off; access_log off; }
    location = /robots.txt { log_not_found off; access_log off; allow all; }
    location ~* \.(css|gif|ico|jpeg|jpg|js|png)$ {
        expires max;
        log_not_found off;
    }

    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/php7.0-fpm.sock;
    }

    location ~ /\.ht {
        deny all;
    }

    # managed by Certbot

    listen 443 ssl; # managed by Certbot
    # shares the main site's certificate, so that certificate must list wpbase.kaidawei.me
    ssl_certificate /etc/letsencrypt/live/kaidawei.me/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/kaidawei.me/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}

server {
    if ($host = wpbase.kaidawei.me) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    server_name wpbase.kaidawei.me;
    listen 80;
    return 404; # managed by Certbot

}

===================================================================

I am not sure where else to look or what to look for. I have tried many things, including reconfiguring them.

I have run the following at various stages AFTER the problem started, with no change:
sudo certbot renew --dry-run
sudo certbot -a webroot -i nginx --cert-name kaidawei.me -d www.kaidawei.me -d wpbase.kaidawei.me --expand
sudo certbot -a webroot -i nginx --cert-name kaidawei.me -d www.kaidawei.me -d wpbase.kaidawei.me

NOTE: SSL Labs gives both my sites an A, but the main domain gets a browser warning.

Thank you for any help on this.


#2

The first command included “-d kaidawei.me -d www.kaidawei.me”. The second command included only “-d www.kaidawei.me -d wpbase.kaidawei.me”, so the new certificate doesn’t include the name “kaidawei.me”.

The certificate name is only used for Certbot’s purposes and isn’t automatically included in the certificate. (By default, it’s set to the first name you passed when creating the certificate, but it doesn’t have to be.)

You need to issue a new certificate with all 3 names with:

sudo certbot --nginx -d kaidawei.me -d www.kaidawei.me -d wpbase.kaidawei.me

or

sudo certbot -a webroot -i nginx -d kaidawei.me -d www.kaidawei.me -d wpbase.kaidawei.me

You can add “--cert-name kaidawei.me” or “--expand”, but Certbot should automatically figure it out and ask you anyway.

Could you paste the complete error lines? Those error lines were truncated.

I can’t be sure, but they’re probably harmless. SSL Labs tests a lot of different things; as part of that, it makes some invalid connections, some of which cause Nginx to log errors. It’s normal.
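
As an added example that is not part of this thread: a POSIX shell check that lists the DNS names in the subjectAltName of the certificate on disk and compares them with every server_name nginx is configured to answer for, so a name missing from the certificate (here the bare kaidawei.me after the second certbot run) shows up before a browser complains. It assumes only that the openssl CLI is installed (it is on Ubuntu 16.04); the self-signed fixture certificate, the sites.conf snippet and the temporary paths are constructed for the demo and are not from the original post.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the openssl CLI is installed
# (as on Ubuntu 16.04); cert/config paths are whatever the caller passes in.

# DNS names listed in a PEM certificate's subjectAltName, one per line.
# `openssl x509` reads only the first (leaf) certificate of a fullchain.pem.
cert_dns_names() {
    openssl x509 -in "$1" -noout -text \
      | grep -A1 'Subject Alternative Name' \
      | tr ',' '\n' \
      | sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*/\1/p'
}

# Every name from the server_name directives in an nginx config file,
# comments stripped, one per line, deduplicated.
nginx_server_names() {
    sed 's/#.*//' "$1" \
      | sed -n 's/^[[:space:]]*server_name[[:space:]][[:space:]]*\(.*\);.*/\1/p' \
      | awk '{ for (i = 1; i <= NF; i++) print $i }' \
      | LC_ALL=C sort -u
}

# uncovered_names CERT NAME... : print each NAME absent from CERT's SANs and
# exit 1 if any is missing. Exact matching only; wildcard SANs are not expanded.
uncovered_names() {
    cert=$1; shift
    sans=$(cert_dns_names "$cert")
    rc=0
    for name in "$@"; do
        if ! printf '%s\n' "$sans" | grep -qxF "$name"; then
            echo "NOT COVERED: $name"
            rc=1
        fi
    done
    return $rc
}

# Constructed fixture: a self-signed cert with the same SAN list as the
# thread's second certbot run (www. and wpbase. only, no bare apex name).
# Uses a config file rather than -addext so it also works on OpenSSL 1.0.2.
make_demo_cert() {
    cfg=$(mktemp)
    printf '[req]\ndistinguished_name = dn\n[dn]\n[san]\nsubjectAltName = DNS:www.kaidawei.me,DNS:wpbase.kaidawei.me\n' > "$cfg"
    openssl req -x509 -nodes -newkey rsa:2048 -days 1 \
        -subj '/CN=www.kaidawei.me' -config "$cfg" -extensions san \
        -keyout "$1.key" -out "$1" 2>/dev/null
    rm -f "$cfg"
}

# Demo: build the fixture and check it against the three names the OP serves.
if [ "${1:-}" = "demo" ]; then
    dir=$(mktemp -d)
    make_demo_cert "$dir/cert.pem"
    uncovered_names "$dir/cert.pem" kaidawei.me www.kaidawei.me wpbase.kaidawei.me
    echo "exit status: $?"
fi
```

Against the live files this is `uncovered_names /etc/letsencrypt/live/kaidawei.me/fullchain.pem $(nginx_server_names /etc/nginx/sites-enabled/kaidawei.me)`, repeated for each site file that points at the same certificate; a non-zero exit means a browser visiting that name will get a hostname mismatch warning.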


#3

Dear mnordoff,

Thank you very much for your response.

I used:

$ sudo certbot -a webroot -i nginx -d kaidawei.me -d www.kaidawei.me -d wpbase.kaidawei.me --expand

And the problem completely fixed itself.

(Note: Those errors were from my nginx error logs. Not SSL Labs. SSL Labs was happy and gave me an A - like school - undeserved at that point.)

Thank you very much for your response. I learned that I needed to add -d to each of the domains. Again, thank you.


#4

Yeah. But, for example, when SSL Labs tests if you’re vulnerable to a certain security issue, if you’re not vulnerable, Nginx will log an “error” because the test request SSL Labs made was insecure and bad.


#5

Ahh. Okay. Here are the full error logs.

2018/03/08 11:21:26 [crit] 23452#23452: *421 SSL_do_handshake() failed (SSL: error:14094085:SSL routines:ssl3_read_bytes:ccs received early) while SSL handshaking, client: 64.41.200.108, server: 0.0.0.0:443
2018/03/08 11:21:26 [crit] 23452#23452: *423 SSL_do_handshake() failed (SSL: error:14094085:SSL routines:ssl3_read_bytes:ccs received early) while SSL handshaking, client: 64.41.200.108, server: 0.0.0.0:443
2018/03/08 11:21:45 [crit] 23452#23452: *468 SSL_do_handshake() failed (SSL: error:14094085:SSL routines:ssl3_read_bytes:ccs received early) while SSL handshaking, client: 64.41.200.108, server: 0.0.0.0:443
2018/03/08 11:21:45 [crit] 23452#23452: *469 SSL_do_handshake() failed (SSL: error:14094085:SSL routines:ssl3_read_bytes:ccs received early) while SSL handshaking, client: 64.41.200.108, server: 0.0.0.0:443

I went ahead and reran SSL Labs:
kaidawei.me
wpbase.kaidawei.me

and then checked the error logs again. I got almost identical errors (see below):

2018/03/08 15:41:25 [crit] 24253#24253: *1404 SSL_do_handshake() failed (SSL: error:14094085:SSL routines:ssl3_read_bytes:ccs received early) while SSL handshaking, client: 64.41.200.106, server: 0.0.0.0:443
2018/03/08 15:41:26 [crit] 24253#24253: *1406 SSL_do_handshake() failed (SSL: error:14094085:SSL routines:ssl3_read_bytes:ccs received early) while SSL handshaking, client: 64.41.200.106, server: 0.0.0.0:443
2018/03/08 15:41:55 [crit] 24253#24253: *1485 SSL_do_handshake() failed (SSL: error:14094085:SSL routines:ssl3_read_bytes:ccs received early) while SSL handshaking, client: 64.41.200.106, server: 0.0.0.0:443
2018/03/08 15:41:56 [crit] 24253#24253: *1486 SSL_do_handshake() failed (SSL: error:14094085:SSL routines:ssl3_read_bytes:ccs received early) while SSL handshaking, client: 64.41.200.106, server: 0.0.0.0:443


The above errors are everything.

Thank you for helping me.

-DK


#6

It’s what I said. SSL Labs is testing if you’re vulnerable to some old OpenSSL security issue. Since you’re NOT vulnerable, OpenSSL rejects it and Nginx logs an error. If you were vulnerable, I don’t think Nginx would log anything.

I think it’s CVE-2014-0224, listed as “OpenSSL CCS vuln. (CVE-2014-0224)” in the SSL Labs report.

64.41.200.108 is an SSL Labs IP address.
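
A triage helper, added here and not part of the thread, that runs over error-log lines like the ones posted above: it collapses nginx SSL_do_handshake() failures into one line per client address and OpenSSL reason string, then tags each source as a known scanner or as something to look at. The scanner list holds only the two addresses seen in this thread; the extra 203.0.113.7 line with a different reason string is constructed for the demo and is not from the original logs.

```shell
#!/bin/sh
# Added example, not from the thread: summarise and triage nginx SSL handshake
# failures from the error log. POSIX sh plus sed/sort/uniq/awk, no network.

# Reads nginx error-log lines on stdin; prints "COUNT CLIENT REASON" for each
# distinct (client, OpenSSL reason) pair, e.g. "4 64.41.200.108 ccs received early".
# The reason is whatever follows the last ':' inside "(SSL: error:...:SSL routines:...)".
ssl_handshake_failures() {
    sed -n 's/.*SSL_do_handshake() failed (SSL: error:[0-9A-Fa-f]*:SSL routines:[^:]*:\([^)]*\)) while SSL handshaking, client: \([^,]*\),.*/\2 \1/p' \
      | LC_ALL=C sort | uniq -c \
      | awk '{ $1 = $1; print }'
}

# Addresses whose handshake noise is expected. Constructed from the thread
# (the two SSL Labs scanner IPs in the log); maintain your own list.
SCANNER_IPS="64.41.200.106 64.41.200.108"

# Tags each summary line "scanner" or "INVESTIGATE" by source address.
triage_handshake_failures() {
    ssl_handshake_failures | while read -r count client reason; do
        case " $SCANNER_IPS " in
            *" $client "*) tag=scanner ;;
            *)             tag=INVESTIGATE ;;
        esac
        printf '%s %s %s (%s)\n' "$tag" "$count" "$client" "$reason"
    done
}

# Constructed sample: the eight lines from the thread plus one made-up line
# from a non-scanner address with a different reason string.
SAMPLE_LOG='2018/03/08 11:21:26 [crit] 23452#23452: *421 SSL_do_handshake() failed (SSL: error:14094085:SSL routines:ssl3_read_bytes:ccs received early) while SSL handshaking, client: 64.41.200.108, server: 0.0.0.0:443
2018/03/08 11:21:26 [crit] 23452#23452: *423 SSL_do_handshake() failed (SSL: error:14094085:SSL routines:ssl3_read_bytes:ccs received early) while SSL handshaking, client: 64.41.200.108, server: 0.0.0.0:443
2018/03/08 11:21:45 [crit] 23452#23452: *468 SSL_do_handshake() failed (SSL: error:14094085:SSL routines:ssl3_read_bytes:ccs received early) while SSL handshaking, client: 64.41.200.108, server: 0.0.0.0:443
2018/03/08 11:21:45 [crit] 23452#23452: *469 SSL_do_handshake() failed (SSL: error:14094085:SSL routines:ssl3_read_bytes:ccs received early) while SSL handshaking, client: 64.41.200.108, server: 0.0.0.0:443
2018/03/08 15:41:25 [crit] 24253#24253: *1404 SSL_do_handshake() failed (SSL: error:14094085:SSL routines:ssl3_read_bytes:ccs received early) while SSL handshaking, client: 64.41.200.106, server: 0.0.0.0:443
2018/03/08 15:41:26 [crit] 24253#24253: *1406 SSL_do_handshake() failed (SSL: error:14094085:SSL routines:ssl3_read_bytes:ccs received early) while SSL handshaking, client: 64.41.200.106, server: 0.0.0.0:443
2018/03/08 15:41:55 [crit] 24253#24253: *1485 SSL_do_handshake() failed (SSL: error:14094085:SSL routines:ssl3_read_bytes:ccs received early) while SSL handshaking, client: 64.41.200.106, server: 0.0.0.0:443
2018/03/08 15:41:56 [crit] 24253#24253: *1486 SSL_do_handshake() failed (SSL: error:14094085:SSL routines:ssl3_read_bytes:ccs received early) while SSL handshaking, client: 64.41.200.106, server: 0.0.0.0:443
2018/03/09 09:00:01 [crit] 24253#24253: *1900 SSL_do_handshake() failed (SSL: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher) while SSL handshaking, client: 203.0.113.7, server: 0.0.0.0:443'

if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | triage_handshake_failures
fi
```

On a live box the input is `tail -n 5000 /var/log/nginx/error.log | triage_handshake_failures`; a burst of "ccs received early" from a single scanner address during a test window is the benign case described above, while the same reason from many unrelated addresses, or a different reason such as "no shared cipher" from a real client range, is worth following up.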


#7

Excellent. I think I understood that there really isn’t a problem. These errors are the result of SSL Labs trying to find a problem with the certificate.

Thank you very much for your attention and care.

