WSS with SSL certificate not working

My domain is: healthieshield.com

I have installed my system on Ubuntu 18.04 LTS, and Plesk (Version Plesk Obsidian v18.0.27_build1800200522.12) is installed.
The hosting provider is SoYouStart and the domain was bought from Namecheap.

From the Plesk panel I have bound the Let’s Encrypt certificate (with wildcard), which I have used for the main website, API service and internal MQTT service.
For the main website and API service (subdomain api.healthieshield.com), SSL is working properly.
But when I bind the certificate in the MQTT broker (aedes MQTT broker), it shows an issue. From the website (healthieshield.com), when trying to connect over wss (wss://www.healthieshield.com:3001/), it shows the error below:
WebSocket connection to 'wss://www.healthieshield.com:3001/' failed: Error in connection establishment: net::ERR_CERT_AUTHORITY_INVALID

We have also tried the command below, and it shows the desired output:

echo | openssl s_client -connect healthieshield.com:443 -servername healthieshield.com 2>/dev/null | awk '/Certificate chain/,/---/'
Certificate chain
 0 s:CN = srv01.healthieshield.com
   i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
 1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3

We have tried to solve it but we did not get any solution.

Hi,

This doesn't work because the issue is on WebSocket, which as per your output is on port 3001.
The correct command is:
openssl s_client -connect www.healthieshield.com:3001 -servername healthieshield.com
I believe your WebSocket application doesn't read Plesk's certificate database (as it might not even pass through Plesk Nginx/Apache), so you'll need to do some custom work to change the WebSocket address (to go through Plesk/https) and make sure Plesk proxies those requests (via Nginx).
You can try this: ubuntu - NGINX Proxy_Pass to websocket server on a Plesk Server - Server Fault (Disclaimer: I found this online so be cautious when you apply any solutions.)

Hi @pkachhia

your command checks the non-www version.

But your www version has a self-signed certificate - https://check-your-website.server-daten.de/?q=healthieshield.com%3A3001

E=sysadmin@slscorp.com, CN=local.mqtt, OU=TEMPie, O=SLS, L=Anand, S=Gujarat, C=IN
	01.06.2020
	09.01.2026
expires in 2040 days

So there is no Let's Encrypt certificate.

Same with OpenSSL.

openssl s_client -connect www.healthieshield.com:3001

Thanks @JuergenAuer,

We have updated the certificate and checked; the issue is resolved.

Now it is working properly.

Can you help me understand: if the certificate auto-updates after 3 months, will the name stored on the Linux server change?

I don't know.

A restart of that service may always be required to use the new certificate.

But

  • you can use symlinks (if that program understands symlinks) (or)
  • you can copy the certificate

If you have the certificate copied, you have to do that again.
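
The copy option described above, written as a renewal hook (an added example, not code from this thread, Plesk or aedes): it replaces the broker's copy only when the leaf certificate changed, restarts the service, and then checks what the WebSocket port actually serves. The file paths, host, port, service name and argument order are assumptions supplied by the caller.

```shell
#!/bin/sh
# Added example. Paths, host, port and service name are placeholders passed as
# arguments; nothing here is taken from Plesk or aedes documentation.

# SHA-256 over the DER bytes of the first certificate in a PEM stream (stdin).
pem_sha256() {
  tr -d '\r' | awk '/-----BEGIN CERTIFICATE-----/ {p = 1; next}
                    /-----END CERTIFICATE-----/   {exit}
                    p' | base64 -d | sha256sum | cut -d' ' -f1
}

# Leaf certificate served on HOST:PORT, with SNI set to the name the client uses.
served_pem() {  # usage: served_pem HOST PORT
  echo | openssl s_client -connect "$1:$2" -servername "$1" 2>/dev/null |
    openssl x509 -outform PEM
}

# Replace DST with SRC only when the leaf certificate differs.
# Exit status: 0 = DST replaced, 1 = already current, 2 = error.
sync_cert() (  # usage: sync_cert SRC DST
  grep -q 'BEGIN CERTIFICATE' "$1" 2>/dev/null ||
    { echo "no certificate in $1" >&2; exit 2; }
  if [ -f "$2" ] && [ "$(pem_sha256 <"$1")" = "$(pem_sha256 <"$2")" ]; then
    exit 1
  fi
  tmp=$(mktemp "$2.XXXXXX") || exit 2
  # Write next to DST, then rename, so the broker never reads a partial file.
  cat "$1" >"$tmp" && chmod 600 "$tmp" && mv -f "$tmp" "$2" || exit 2
)

# Run after each renewal: refresh the broker's copies, restart it, then confirm
# that the port the browser connects to serves the renewed certificate.
renew_hook() (  # usage: renew_hook SRC_CERT SRC_KEY DST_CERT DST_KEY HOST PORT SERVICE
  rc=0; sync_cert "$1" "$3" || rc=$?
  [ "$rc" -ne 1 ] || { echo "certificate unchanged, no restart needed"; exit 0; }
  [ "$rc" -eq 0 ] || exit "$rc"
  install -m 600 "$2" "$4" && systemctl restart "$7" || exit 2
  sleep 2  # give the service a moment to listen again
  [ "$(served_pem "$5" "$6" | pem_sha256)" = "$(pem_sha256 <"$3")" ] ||
    { echo "$5:$6 is not serving the renewed certificate" >&2; exit 3; }
)

if [ "$#" -eq 7 ]; then renew_hook "$@"; fi
```

With the symlink option the copy step drops out, but the restart and the final check against the served port still apply.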

Thanks for the update @JuergenAuer,

I think for me the 1st option with symlinks is better; let’s try it at our end.