Letsencrypt certbot leads to ssl protocol error

Ian Hobson
June 24, 2022 05:22AM
Hi All,

Two of my sites have suffered problems since I updated them from http to
https; in fact, since the latest scheduled update by certbot.

The home page of coachmaster.co.uk should be a log in screen.

Brave shows me
This site can’t provide a secure connection
coachmaster.co.uk sent an invalid response.
ERR_SSL_PROTOCOL_ERROR

I think the protocol message it doesn't like is Upgrade-Insecure-Requests: 1

Edge is really informative:
The connection for this site is not secure coachmaster.co.uk sent an
invalid response.
Try running Windows Network Diagnostics.
ERR_SSL_PROTOCOL_ERROR

Browser: Brave Version 1.40.105 Chromium: 103.0.5060.53 (Official
Build) (64-bit)
All others I've tried also fail.

nginx version 1.21.6
openSSL version 1.1.1.n
special compile.

certbot applies configuration of

ssl_session_cache shared:le_nginx_SSL:10m;
ssl_session_timeout 1440m;
ssl_session_tickets off;

ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;

ssl_ciphers
"ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";

This last is all one line.

The server block(s) for the site are as follows (removing a lot of comments
to save space).
------------- file begins ----------------
# redirect from http at bottom of file
server {
server_name coachmaster.co.uk www.coachmaster.co.uk;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
add_header X-Frame-Options DENY always;
add_header X-Content-Type-Options nosniff always;
add_header X-Xss-Protection "1; mode=block" always;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/letsencrypt/live/coachmaster.co.uk-0001/fullchain.pem;

limit_req zone=ip burst=12 delay=8;
location ^~ /Avatars {
limit_req zone=fp burst=70 nodelay;
}
root /var/www/coachmaster.co.uk/htsecure;
access_log /var/log/nginx/coachmaster.co.uk.access.log;

# error_log /var/log/nginx/error.log; set in nginx.conf

index index.php;
location = /Coachmaster.html {
rewrite ^(.*) http://thecoachmasternetwork.com/software/;
}
location = / {
rewrite ^ /index.php last;
}
location /easyrtc {
proxy_pass http://localhost:5006;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
location /socket.io {
proxy_pass http://localhost:5006;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
# serve php files via fastcgi if the file exists
location ~ \.php$ {
try_files $uri =404;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param CENTRAL_ROOT $document_root;
fastcgi_param RESELLER_ROOT $document_root;
fastcgi_param ENVIRONMENT production;
fastcgi_param HTTPS ON;
include /etc/nginx/fastcgi.conf;
fastcgi_pass 127.0.0.1:9000;
}
# serve static files
try_files $uri $uri/ /index.php;
expires 30m;
location /publish {
nchan_publisher;
nchan_channel_id $arg_id;
nchan_channel_id $arg_id;
nchan_message_buffer_length 10;
nchan_message_timeout 90s;
}
location /activity {
nchan_subscriber;
nchan_channel_id $arg_id;
}

listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/coachmaster.co.uk-0001/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/coachmaster.co.uk-0001/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

server {
if ($host = www.coachmaster.co.uk) {
return 301 https://$host$request_uri;
} # managed by Certbot

if ($host = coachmaster.co.uk) {
return 301 https://$host$request_uri;
} # managed by Certbot

server_name coachmaster.co.uk www.coachmaster.co.uk;
listen 80;
return 404; # managed by Certbot
}
------------ end of file -----------

According to the UptimeRobot the site is up.

The service at
https://www.ssllabs.com/ssltest/analyze.html?d=coachmaster.co.uk gives no
obvious errors, except that it shows the TLS 1.2 protocol as NOT enabled.

I'm way out of my depth now. Can anyone suggest something that does not
weaken the security?

Regards

Ian

--
Ian Hobson
Tel (+66) 626 544 695