Unable to access my sites: SSL certificate error


#1

I have a So You Start server with an Ubuntu distribution and a Plesk panel to manage it all. I have problems with Chrome version 70.xx browsers (latest updates) and Firefox 63, and I didn’t have them until these last updates. No server-side modifications or changes to the sites; the Let’s Encrypt certificates were generated directly from the module integrated in Plesk.

For Chrome 70, here is the error displayed:

This site is inaccessible
xxxxxxxx is currently inaccessible.
Try the suggestions below:

Check the connection
Check the proxy and firewall
ERR_SSL_VERSION_INTERFERENCE

For Firefox 63: Secure connection failure

The page you are trying to view cannot be displayed because the authenticity of the data received cannot be verified.
Please contact the website owners to inform them of this problem.

What is the problem? How can it be resolved?
Note: Plesk’s Let’s Encrypt module (like the whole panel) is up to date.

My domain is: rencontrelafemme.com

I ran this command: Firefox 63 & Chrome 70 accessing my website

It produced this output: Error connecting to this website because the SSL certificate is not good

My web server is (include version): Plesk Onyx v17.8.11_build1708180301.19 os_Ubuntu 14.04

The operating system my web server runs on is (include version): Ubuntu 14.04.5 LTS

My hosting provider, if applicable, is: So You Start

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): Yes, Plesk


#2

Hi @littlebighorn69

This is really bad. Checked with Chrome, no problem - oh, wait, my Chrome wants to update. Updated Chrome:

ERR_SSL_VERSION_INTERFERENCE

Checked with SSLLabs:

https://www.ssllabs.com/ssltest/analyze.html?d=www.rencontrelafemme.com&hideResults=on

no problem, you have a Grade A, no critical warnings.

There are some pages with the same problem, some of them older. Disabling TLS 1.3 on the client isn’t a server-side solution.

The only idea: check whether your date and time are correct. If yes, ask your provider. Perhaps there is some buggy software somewhere.


#3

Can you show us the output for:

nginx -V

Edit: here’s a failed SSL handshake from Firefox 64. It seems like nginx is finding something questionable about the ClientHello sent by this version of Firefox (but it shouldn’t):

$ ssltap -s -p 8443 rencontrelafemme.com:443
Looking up "rencontrelafemme.com"...
Proxy socket ready and listening
Connected to rencontrelafemme.com:443
--> [
(517 bytes of 512)
SSLRecord { [Sun Oct 28 21:39:03 2018]
   type    = 22 (handshake)
   version = { 3,1 }
   length  = 512 (0x200)
   handshake {
      type = 1 (client_hello)
      length = 508 (0x0001fc)
	 ClientHelloV3 {
	    client_version = {3, 3}
	    random = {...}
	    session ID = {
		length = 32
		contents = {...}
	    }
	    cipher_suites[18] = {
		(0x1301) ????/????????/?????????/???
		(0x1303) ????/????????/?????????/???
		(0x1302) ????/????????/?????????/???
		(0xc02b) TLS/ECDHE-ECDSA/AES128-GCM/SHA256
		(0xc02f) TLS/ECDHE-RSA/AES128-GCM/SHA256
		(0xcca9) TLS/ECDHE-ECDSA/CHACHA20-POLY1305/SHA256
		(0xcca8) TLS/ECDHE-RSA/CHACHA20-POLY1305/SHA256
		(0xc02c) TLS/ECDHE-ECDSA/AES256-GCM/SHA384
		(0xc030) ????/????????/?????????/???
		(0xc00a) TLS/ECDHE-ECDSA/AES256-CBC/SHA
		(0xc009) TLS/ECDHE-ECDSA/AES128-CBC/SHA
		(0xc013) TLS/ECDHE-RSA/AES128-CBC/SHA
		(0xc014) TLS/ECDHE-RSA/AES256-CBC/SHA
		(0x0033) TLS/DHE-RSA/AES128-CBC/SHA
		(0x0039) TLS/DHE-RSA/AES256-CBC/SHA
		(0x002f) TLS/RSA/AES128-CBC/SHA
		(0x0035) TLS/RSA/AES256-CBC/SHA
		(0x000a) SSL3/RSA/3DES192EDE-CBC/SHA
	    }
	    compression[1] = {
		(00) NULL
	    }
	    extensions[399] = {
	      extension type server_name, length [25] = {
   0: 00 17 00 00  14 72 65 6e  63 6f 6e 74  72 65 6c 61  | .....rencontrela
  10: 66 65 6d 6d  65 2e 63 6f  6d                        | femme.com
	      }
	      extension type 23, length [0]
	      extension type renegotiation_info, length [1] = {
   0: 00                                                  | .
	      }
	      extension type elliptic_curves, length [14] = {
   0: 00 0c 00 1d  00 17 00 18  00 19 01 00  01 01        | ..............
	      }
	      extension type ec_point_formats, length [2] = {
   0: 01 00                                               | ..
	      }
	      extension type session_ticket, length [0]
	      extension type 16, length [14] = {
   0: 00 0c 02 68  32 08 68 74  74 70 2f 31  2e 31        | ...h2.http/1.1
	      }
	      extension type status_request, length [5] = {
   0: 01 00 00 00  00                                     | .....
	      }
	      extension type 51, length [107] = {
   0: 00 69 00 1d  00 20 50 11  2b 5e 8c 6c  f2 aa 3c 3c  | .i... P.+^.l..<<
  10: 1c 98 f3 4c  1f e5 87 5c  37 ca 37 34  da 8d 7a 8c  | ...L...\7.74..z.
  20: 73 a1 26 d4  92 3c 00 17  00 41 04 b9  48 00 b5 4a  | s.&..<...A..H..J
  30: 49 a6 dc 82  67 9d 9a c7  98 e0 94 d8  29 0c ef 1b  | I...g.......)...
  40: 05 7c 36 e6  53 00 f3 0e  05 a6 c5 70  6d 57 49 2f  | .|6.S......pmWI/
  50: f1 83 e7 74  42 76 69 ba  88 36 65 c4  c6 ff 9e 06  | ...tBvi..6e.....
  60: cd 84 51 bd  b0 1b 9d e6  98 bd 49                  | ..Q.......I
	      }
	      extension type 43, length [9] = {
   0: 08 03 04 03  03 03 02 03  01                        | .........
	      }
	      extension type signature_algorithms, length [24] = {
   0: 00 16 04 03  05 03 06 03  08 04 08 05  08 06 04 01  | ................
  10: 05 01 06 01  02 03 02 01                            | ........
	      }
	      extension type 45, length [2] = {
   0: 01 01                                               | ..
	      }
	      extension type 28, length [2] = {
   0: 40 01                                               | @.
	      }
	      extension type 21, length [138] = {
   0: 00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  | ................
  10: 00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  | ................
  20: 00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  | ................
  30: 00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  | ................
  40: 00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  | ................
  50: 00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  | ................
  60: 00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  | ................
  70: 00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  | ................
  80: 00 00 00 00  00 00 00 00  00 00                     | ..........
	      }
	    }
	 }
   }
}
]
<-- [
(7 bytes of 2)
SSLRecord { [Sun Oct 28 21:39:03 2018]
   type    = 21 (alert)
   version = { 3,1 }
   length  = 2 (0x2)
   fatal: unknown alert 109
}
]
Read EOF on Server socket. [Sun Oct 28 21:39:03 2018]
Read EOF on Client socket. [Sun Oct 28 21:39:03 2018]
Connection 1 Complete [Sun Oct 28 21:39:03 2018]
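
What the capture tells a practitioner: the server answered a TLS 1.3-capable ClientHello with a fatal alert in reply to the hello itself, before any certificate was sent, and the alert code 109 is the one RFC 8446 assigns to missing_extension (this ssltap build simply has no name for it). The script below is an added example, not code from the thread or from any tool used in it. It rebuilds the shape of the Firefox hello above (the same 18 cipher suites and the same supported_versions offer, with a single x25519 key_share and a shorter extension list), sends it once with TLS 1.3 offered and once without, and names the first record that comes back. The hostname is the one from the thread; `probe()` is the only function that touches the network and it only runs under `__main__`; everything else works on bytes, and the records in the comments are constructed from the fields shown in the capture.

```python
"""Added example (not from the thread): rebuild the shape of the Firefox ClientHello
captured above, send it, and name the first record the server returns."""
import os
import socket

# The 18 cipher suites in the ssltap capture, in Firefox's order.
FIREFOX_SUITES = [0x1301, 0x1303, 0x1302, 0xC02B, 0xC02F, 0xCCA9, 0xCCA8, 0xC02C, 0xC030,
                  0xC00A, 0xC009, 0xC013, 0xC014, 0x0033, 0x0039, 0x002F, 0x0035, 0x000A]
VERSION_NAMES = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
# AlertDescription values from RFC 8446 section 6; 109 is the code in the capture.
ALERT_NAMES = {0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
               40: "handshake_failure", 47: "illegal_parameter", 50: "decode_error",
               70: "protocol_version", 71: "insufficient_security", 80: "internal_error",
               109: "missing_extension", 110: "unsupported_extension", 112: "unrecognized_name"}


def _vec(data, size):
    """Vector with a `size`-byte big-endian length prefix (TLS opaque<...>)."""
    return len(data).to_bytes(size, "big") + data


def _ext(etype, data):
    return etype.to_bytes(2, "big") + _vec(data, 2)


def build_client_hello(host, suites, versions, x25519_pub):
    """TLS record carrying a ClientHello that offers `versions` in supported_versions
    (extension 43) and one x25519 key_share (extension 51), like Firefox's hello."""
    body = b"\x03\x03" + os.urandom(32) + _vec(os.urandom(32), 1)  # legacy_version, random, session_id
    body += _vec(b"".join(s.to_bytes(2, "big") for s in suites), 2)
    body += _vec(b"\x00", 1)                                       # compression: null only
    exts = _ext(0, _vec(b"\x00" + _vec(host.encode(), 2), 2))       # server_name
    exts += _ext(10, _vec(b"\x00\x1d\x00\x17", 2))                  # supported_groups: x25519, P-256
    exts += _ext(13, _vec(b"\x04\x03\x08\x04\x04\x01", 2))          # signature_algorithms
    exts += _ext(43, _vec(b"".join(v.to_bytes(2, "big") for v in versions), 1))
    exts += _ext(51, _vec(b"\x00\x1d" + _vec(x25519_pub, 2), 2))    # key_share
    body += _vec(exts, 2)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


def _read_vec(buf, pos, size):
    n = int.from_bytes(buf[pos:pos + size], "big")
    return buf[pos + size:pos + size + n], pos + size + n


def _parse_extensions(blob):
    exts, pos = {}, 0
    while pos + 4 <= len(blob):
        etype = int.from_bytes(blob[pos:pos + 2], "big")
        exts[etype], pos = _read_vec(blob, pos + 2, 2)
    return exts


def _u16_list(raw):
    return [int.from_bytes(raw[i:i + 2], "big") for i in range(0, len(raw), 2)]


def parse_client_hello(record):
    """Decode what a server must agree on: cipher suites, offered versions, extension types."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello record")
    body = record[9:]                       # skip 5-byte record and 4-byte handshake headers
    _, pos = _read_vec(body, 2 + 32, 1)     # session_id follows legacy_version + random
    suites, pos = _read_vec(body, pos, 2)
    _, pos = _read_vec(body, pos, 1)        # compression methods
    exts = _parse_extensions(_read_vec(body, pos, 2)[0])
    versions = _u16_list(_read_vec(exts[43], 0, 1)[0]) if 43 in exts else []
    return {"cipher_suites": _u16_list(suites), "supported_versions": versions,
            "extensions": sorted(exts)}


def classify_response(data):
    """Name the first record a server returns: a ServerHello with the negotiated
    version, or an alert by its RFC 8446 name (109 -> missing_extension).
    The alert from the capture is the constructed record 15 03 01 00 02 02 6d."""
    if len(data) < 5:
        return {"kind": "eof"}
    ctype, payload = data[0], data[5:5 + int.from_bytes(data[3:5], "big")]
    if ctype == 0x15 and len(payload) >= 2:                   # alert
        return {"kind": "alert", "level": {1: "warning", 2: "fatal"}.get(payload[0], str(payload[0])),
                "code": payload[1], "description": ALERT_NAMES.get(payload[1], "unknown")}
    if ctype == 0x16 and payload and payload[0] == 0x02:      # handshake: ServerHello
        body = payload[4:]
        _, pos = _read_vec(body, 2 + 32, 1)                   # echoed session_id
        suite = int.from_bytes(body[pos:pos + 2], "big")
        exts = _parse_extensions(_read_vec(body, pos + 3, 2)[0])  # skip suite + compression
        version = int.from_bytes(exts[43], "big") if 43 in exts else int.from_bytes(body[:2], "big")
        return {"kind": "server_hello", "version": VERSION_NAMES.get(version, hex(version)),
                "cipher_suite": suite}
    return {"kind": "other", "record_type": ctype}


def probe(host, port=443, offer_tls13=True, timeout=5.0):
    """Network call: one ClientHello, one recv. Run with offer_tls13 True and False;
    an alert on the first and a ServerHello on the second is the pattern Chrome 70
    reports as ERR_SSL_VERSION_INTERFERENCE."""
    versions = [0x0304, 0x0303] if offer_tls13 else [0x0303]
    hello = build_client_hello(host, FIREFOX_SUITES, versions, os.urandom(32))
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(hello)
        return classify_response(sock.recv(4096))


if __name__ == "__main__":
    for tls13 in (True, False):   # hostname taken from the thread
        print("offer TLS 1.3" if tls13 else "TLS 1.2 only", probe("rencontrelafemme.com", offer_tls13=tls13))
```

The two runs are the server-side counterpart of "Chrome 69 works, Chrome 70 fails": a fatal alert when TLS 1.3 is offered and a TLS 1.2 ServerHello when it is not points at the server (or something in front of it) mishandling a TLS 1.3 ClientHello, which is why SSL Labs, which grades the certificate and the TLS 1.2 configuration, can still report an A.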

#4

Chrome has a warning:

Thus, if you see the following situation, you might have some buggy software or hardware that we’re not aware of and we would be very interested in the details:

  1. Chrome 69 works without issues.
  2. Chrome 70 works for most sites except Gmail.
  3. Gmail fails to load with ERR_SSL_VERSION_INTERFERENCE or ERR_TLS13_DOWNGRADE_DETECTED.

In this situation, consider the following:

  1. Do you have local “anti-virus” software running that may be attempting to manipulate TLS connections (often called “HTTPS scanning”)? If so, please see whether disabling that scanning solves the problem and, if so, please report to us the vendor and version number of the software.
  2. Do you have a “deep packet inspection” (DPI) firewall that might be attempting to disrupt connections that don’t match the appearance of older TLS versions? Does the problem go away when not behind that firewall? If so, please report to us the make, model, and firmware version.
  3. Similarly to the case of a DPI firewall, if you have a TLS proxy consider whether it might be the source of the issue. If so, please tell us the vendor, product name, and firmware version.

Please report problems on the administrator’s forum.

So this is your situation. Chrome 69 without problems, Chrome 70 fails. Perhaps use this administrator forum.


#5

Thanks guys for your help!
I am not at all technical, and especially not on the server side.

@_az :

> Can you show us the output for:
>
> nginx -V

How do I do that and where? (Plesk Onyx)


#6

If you know how to login to SSH, you can just login and run it.


#7

nginx version: nginx/1.12.1
built by gcc 4.8.4 (Ubuntu 4.8.4-2ubuntu1~14.04.3)
built with OpenSSL 1.1.1-dev xx XXX xxxx
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --lock-path=/var/lock/nginx.lock --pid-path=/var/run/nginx.pid --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --user=nginx --group=nginx --with-debug --with-file-aio --with-google_perftools_module --with-mail --with-mail_ssl_module --with-threads --with-select_module --with-stream --with-stream_ssl_module --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_geoip_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_image_filter_module --with-http_mp4_module --with-http_perl_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_stub_status_module --with-http_sub_module --with-http_ssl_module --with-http_v2_module --with-http_xslt_module --with-poll_module --with-openssl=/usr/share/openssl --with-openssl-opt=enable-tls1_3 --add-module=/root/ngx_pagespeed-1.12.34.3-stable --add-module=/root/headers-more-nginx-module-0.32


#8

@_az Is that what you wanted?


#9

This seems like a deadly (incompatible) combination …

I am not 100% sure that it is the cause of your problems, but I wouldn’t be surprised if it caused the exact issues you’re currently experiencing.

Did you build this version of nginx yourself? Did it come with Plesk?

I would suggest that if you are wanting to run with OpenSSL 1.1.1, you should get the released version (or at least the 1.1.1a-dev version) and build it against nginx 1.15 or higher.
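
A check for the combination #9 points at, as an added example (not from the thread, from nginx or from Plesk): it parses an `nginx -V` dump and flags TLS 1.3 support that comes from a pre-release OpenSSL, and separately notes an nginx older than the 1.15 line the post recommends pairing with the released OpenSSL 1.1.1. Both fixtures are constructed: the first reproduces the relevant lines of the output posted in #7, the second is an assumed healthy build whose version strings are not from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): audit an `nginx -V` dump for TLS 1.3 support
# that comes from a pre-release OpenSSL, the combination flagged in #9.
# Usage: nginx -V 2>&1 | check_nginx_tls13_build     (nginx -V prints to stderr)

# Constructed fixture: the relevant lines from the `nginx -V` output posted in #7.
SAMPLE_NGINX_V='nginx version: nginx/1.12.1
built with OpenSSL 1.1.1-dev xx XXX xxxx
TLS SNI support enabled
configure arguments: --with-http_ssl_module --with-openssl=/usr/share/openssl --with-openssl-opt=enable-tls1_3'

# Constructed fixture: an assumed healthy build (version strings are assumptions, not from the thread).
SAMPLE_NGINX_V_OK='nginx version: nginx/1.15.5
built with OpenSSL 1.1.1  11 Sep 2018
TLS SNI support enabled
configure arguments: --with-http_ssl_module --with-http_v2_module'

# Reads `nginx -V` text on stdin, prints a verdict, exits 0 (looks fine) or 1 (matches the bad pattern).
check_nginx_tls13_build() {
    dump=$(cat)
    nginx_ver=$(printf '%s\n' "$dump" | sed -n 's/^nginx version: nginx\/\([0-9.]*\).*/\1/p')
    ossl=$(printf '%s\n' "$dump" | sed -n 's/^built with OpenSSL \([^ ]*\).*/\1/p')
    args=$(printf '%s\n' "$dump" | sed -n 's/^configure arguments: //p')
    nginx_ver=${nginx_ver:-0.0}
    major=${nginx_ver%%.*}
    minor=${nginx_ver#*.}; minor=${minor%%.*}
    status=0
    # "-dev" / "-pre" OpenSSL strings are snapshots whose TLS 1.3 may be a draft version
    # that released browsers no longer negotiate.
    case "$ossl" in
        *-dev*|*-pre*)
            echo "SUSPECT: OpenSSL $ossl is a pre-release build; its TLS 1.3 may be a draft that current browsers reject"
            status=1 ;;
    esac
    case "$args" in
        *enable-tls1_3*)
            [ "$status" -eq 1 ] && echo "  (TLS 1.3 was switched on explicitly via --with-openssl-opt=enable-tls1_3)" ;;
    esac
    # #9 recommends nginx 1.15 or higher when building against OpenSSL 1.1.1.
    if [ "$major" -eq 1 ] && [ "$minor" -lt 15 ]; then
        echo "NOTE: nginx $nginx_ver is older than the 1.15 line; rebuild a newer nginx against the released OpenSSL 1.1.1"
    fi
    [ "$status" -eq 0 ] && echo "OK: nginx $nginx_ver with OpenSSL $ossl"
    return "$status"
}

# Run against the live binary only when asked; the functions and fixtures stay importable otherwise.
if [ "${1:-}" = "--check" ]; then
    nginx -V 2>&1 | check_nginx_tls13_build
fi
```

After a rebuild, confirm from a machine with a released OpenSSL 1.1.1 client that `openssl s_client -connect rencontrelafemme.com:443 -servername rencontrelafemme.com -tls1_3 </dev/null` reports a TLSv1.3 session instead of an alert, and that the same command with `-tls1_2` still works; the two results together are what Chrome 70 and Firefox 63 compare before reporting ERR_SSL_VERSION_INTERFERENCE.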


#10

No! plesk manages everything, I don’t have the skills for all this…


#11

@_az What should I do?


#12

Are you paying Plesk money for support? I’d ask them for help, since they (probably) are the responsible party in this case.


#13

Ok! Thanks! You’re the best!


#14

Oh, I see: now it’s fixed. I can see the site with Chrome 70.

What was the problem?


#15

Just… the nginx compilation was bad! I recompiled it and it’s good now!
Thanks for your help guys !


#16

Thanks. Good to know.