Issue with nginx 1.11.13 and ssl on ipv4?
Hi,
I'm having a hell of a job trying to get this working. Please see this post:
http://serverfault.com/questions/843367 ... -my-domain
I've managed to get http:80 working for both ipv4 and ipv6, yet the SSL stuff only seems to work on ipv6:
root@steamdev2:~# curl -Iv6 https://steampj.com/
* Hostname was NOT found in DNS cache
* Trying 2a01:7e00::f03c:91ff:feac:4983...
* Connected to steampj.com (2a01:7e00::f03c:91ff:feac:4983) port 443 (#0)
* successfully set certificate verify locations:
* CAfile: none
CApath: /etc/ssl/certs
* SSLv3, TLS Unknown, Unknown (22):
* SSLv3, TLS handshake, Client hello (1):
* SSLv2, Unknown (22):
* SSLv3, TLS handshake, Server hello (2):
* SSLv2, Unknown (22):
* SSLv3, TLS handshake, CERT (11):
* SSLv2, Unknown (22):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv2, Unknown (22):
* SSLv3, TLS handshake, Server finished (14):
* SSLv2, Unknown (22):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv2, Unknown (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv2, Unknown (22):
* SSLv3, TLS handshake, Finished (20):
* SSLv2, Unknown (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv2, Unknown (22):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* Server certificate:
* subject: CN=steampj.com
* start date: 2017-04-08 13:32:00 GMT
* expire date: 2017-07-07 13:32:00 GMT
* subjectAltName: steampj.com matched
* issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
* SSL certificate verify ok.
* SSLv2, Unknown (23):
> HEAD / HTTP/1.1
> User-Agent: curl/7.38.0
> Host: steampj.com
> Accept: */*
>
* SSLv2, Unknown (23):
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
* Server nginx is not blacklisted
< Server: nginx
Server: nginx
< Date: Mon, 10 Apr 2017 07:59:47 GMT
Date: Mon, 10 Apr 2017 07:59:47 GMT
< Content-Type: text/html
Content-Type: text/html
< Content-Length: 1045
Content-Length: 1045
< Last-Modified: Fri, 07 Apr 2017 14:13:42 GMT
Last-Modified: Fri, 07 Apr 2017 14:13:42 GMT
< Connection: keep-alive
Connection: keep-alive
< Keep-Alive: timeout=60
Keep-Alive: timeout=60
< ETag: "58e79e96-415"
ETag: "58e79e96-415"
< Accept-Ranges: bytes
Accept-Ranges: bytes
<
* Connection #0 to host steampj.com left intact
...but not ipv4:
root@steamdev2:~# curl -Iv4 https://steampj.com/
* Hostname was NOT found in DNS cache
* Trying 213.219.38.44...
* Connected to steampj.com (213.219.38.44) port 443 (#0)
* successfully set certificate verify locations:
* CAfile: none
CApath: /etc/ssl/certs
* SSLv3, TLS Unknown, Unknown (22):
* SSLv3, TLS handshake, Client hello (1):
* error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
* Closing connection 0
curl: (35) error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
My setup is pretty simple:
server {
    server_name steampj.com www.steampj.com;
    listen [::]:443 ssl;
    listen 443 ssl;
    root /home/admin/web/steampj.com/public_html;
    index index.php index.html index.htm;
    access_log /var/log/nginx/domains/steampj.com.log combined;
    access_log /var/log/nginx/domains/steampj.com.bytes bytes;
    error_log /var/log/nginx/domains/steampj.com.error.log error;
    # ssl on;
    ssl_certificate /home/admin/conf/web/ssl.steampj.com.pem;
    ssl_certificate_key /home/admin/conf/web/ssl.steampj.com.key;
    # other stuff here
}
Am I missing something? The exact same setup works fine on another server (that I set up manually) with nginx 1.10 :/
Thanks!
Andy
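A configuration check for the symptom in this post, added here as an example; it is not code from the thread, from Vesta or from nginx. curl's "SSL23_GET_SERVER_HELLO:unknown protocol" means the bytes that came back in place of a TLS ServerHello were not a TLS record, typically a plain-HTTP answer from a listen address that has no TLS enabled. The script reads the merged configuration that "nginx -T" prints (a real nginx flag) and reports, for every listen address on port 443, whether any server block enables TLS on that exact address; the sample configuration and the 203.0.113.10 address in it are constructed for the demonstration.

```python
import re

LISTEN_RE = re.compile(r"^\s*listen\s+([^;]+);", re.M)

def server_blocks(config: str) -> list:
    """Body of each 'server { ... }' block, with '#' comments stripped first."""
    blocks, depth, body = [], 0, None
    for line in (raw.split("#", 1)[0] for raw in config.splitlines()):
        if body is None:                      # outside a server block
            if re.match(r"\s*server\s*{", line):
                body, depth = [], 1
            continue
        depth += line.count("{") - line.count("}")
        body.append(line)
        if depth == 0:                        # closing brace of this server block
            blocks.append("\n".join(body))
            body = None
    return blocks

def audit_tls_port(config: str, tls_port: int = 443) -> dict:
    """Map 'address:port' on tls_port to True if any server block enables TLS there.
    nginx ORs the ssl flag across blocks that share one address, not across addresses,
    so 'listen 443 ssl' (0.0.0.0) does not cover a separate 'listen 1.2.3.4:443'."""
    tls = {}
    for body in server_blocks(config):
        # Deprecated 'ssl on;' also enables TLS; a commented '# ssl on;' was stripped.
        legacy = re.search(r"^\s*ssl\s+on\s*;", body, re.M) is not None
        for m in LISTEN_RE.finditer(body):
            params = m.group(1).split()
            if params[0].isdigit():           # 'listen 443;' is the IPv4 wildcard
                address, port = "*", params[0]
            else:                             # '[::]:443', '1.2.3.4:443', '*:443'
                address, _, port = params[0].rpartition(":")
            if port == str(tls_port):
                key = f"{address}:{port}"
                tls[key] = tls.get(key, False) or "ssl" in params[1:] or legacy
    return tls

# Constructed sample: the thread's listeners plus a second server block with a
# per-address IPv4 listener (documentation address 203.0.113.10) that lacks 'ssl'.
SAMPLE_CONFIG = """server {
    listen [::]:443 ssl;
    listen 443 ssl;
    # ssl on;
}
server {
    listen 203.0.113.10:443;
}
"""
```

Pipe the real dump in with "nginx -T | python3 -c 'import sys, audit; print(audit.audit_tls_port(sys.stdin.read()))'" (module name assumed); any address on 443 reported as False answers TLS handshakes with plain HTTP.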
Re: Issue with nginx 1.11.13 and ssl on ipv4?
try rebuilding web for user admin
Re: Issue with nginx 1.11.13 and ssl on ipv4?
Thanks for the reply. I'm not sure what you mean though? :)
Re: Issue with nginx 1.11.13 and ssl on ipv4?
youradds wrote: Thanks for the reply. I'm not sure what you mean though? :)
I think mehargags means this, but this deletes your changes and restores the config from the template (!)
Re: Issue with nginx 1.11.13 and ssl on ipv4?
Did you try something like this?
listen 443 ssl;
listen [::]:443 ipv6only=on ssl;
Re: Issue with nginx 1.11.13 and ssl on ipv4?
Ah cool - I didn't realise we had those features. Unfortunately the result is still the same though:
root@steamdev2:~# curl -Iv4 https://steampj.com/
* Hostname was NOT found in DNS cache
* Trying 213.219.38.44...
* Connected to steampj.com (213.219.38.44) port 443 (#0)
* successfully set certificate verify locations:
* CAfile: none
CApath: /etc/ssl/certs
* SSLv3, TLS Unknown, Unknown (22):
* SSLv3, TLS handshake, Client hello (1):
* error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
* Closing connection 0
curl: (35) error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
root@steamdev2:~# exit^C
root@steamdev2:~#
root@steamdev2:~#
root@steamdev2:~# curl -Iv6 https://steampj.com/
* Hostname was NOT found in DNS cache
* Trying 2a01:7e00::f03c:91ff:feac:4983...
* Connected to steampj.com (2a01:7e00::f03c:91ff:feac:4983) port 443 (#0)
* successfully set certificate verify locations:
* CAfile: none
CApath: /etc/ssl/certs
* SSLv3, TLS Unknown, Unknown (22):
* SSLv3, TLS handshake, Client hello (1):
* SSLv2, Unknown (22):
* SSLv3, TLS handshake, Server hello (2):
* SSLv2, Unknown (22):
* SSLv3, TLS handshake, CERT (11):
* SSLv2, Unknown (22):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv2, Unknown (22):
* SSLv3, TLS handshake, Server finished (14):
* SSLv2, Unknown (22):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv2, Unknown (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv2, Unknown (22):
* SSLv3, TLS handshake, Finished (20):
* SSLv2, Unknown (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv2, Unknown (22):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* Server certificate:
* subject: CN=steampj.com
* start date: 2017-04-08 13:32:00 GMT
* expire date: 2017-07-07 13:32:00 GMT
* subjectAltName: steampj.com matched
* issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
* SSL certificate verify ok.
* SSLv2, Unknown (23):
> HEAD / HTTP/1.1
> User-Agent: curl/7.38.0
> Host: steampj.com
> Accept: */*
>
* SSLv2, Unknown (23):
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
* Server nginx is not blacklisted
< Server: nginx
Server: nginx
< Date: Mon, 10 Apr 2017 10:21:53 GMT
Date: Mon, 10 Apr 2017 10:21:53 GMT
< Content-Type: text/html
Content-Type: text/html
< Content-Length: 1045
Content-Length: 1045
< Last-Modified: Fri, 07 Apr 2017 14:13:42 GMT
Last-Modified: Fri, 07 Apr 2017 14:13:42 GMT
< Connection: keep-alive
Connection: keep-alive
< Keep-Alive: timeout=60
Keep-Alive: timeout=60
< ETag: "58e79e96-415"
ETag: "58e79e96-415"
< Accept-Ranges: bytes
Accept-Ranges: bytes
<
* Connection #0 to host steampj.com left intact
Re: Issue with nginx 1.11.13 and ssl on ipv4?
skurudo wrote: Did you try something like this?
listen 443 ssl;
listen [::]:443 ipv6only=on ssl;
Yup :(
The silly thing is that it DOES work for ipv6.. it's ipv4 that won't load! Just makes no sense :S
Cheers
Andy
Re: Issue with nginx 1.11.13 and ssl on ipv4?
I managed to get this working by doing a full re-build (from scratch), but now I've got a similar issue and it's doing my head in!
Do I need to add a firewall entry in, to allow ipv6 traffic in on port 80? The weird thing is that it works just fine on 443.
Also, is it normal for my ipv6 IP 2a01:7e00::f03c:91ff:febc:0659 to be showing as 2a01:7e00::f03c:91ff:febc:659 (missing the leading "0" in 0659)?
This doesn't work on ipv6, yet it works fine on ipv4:
root@steamdev2:~# curl -Iv6 http://businessofbrands.co.uk
* Rebuilt URL to: http://businessofbrands.co.uk/
* Hostname was NOT found in DNS cache
* Trying 2a01:7e00::f03c:91ff:febc:659...
* Connected to businessofbrands.co.uk (2a01:7e00::f03c:91ff:febc:659) port 80 (#0)
> HEAD / HTTP/1.1
> User-Agent: curl/7.38.0
> Host: businessofbrands.co.uk
> Accept: */*
>
* Recv failure: Connection reset by peer
* Closing connection 0
curl: (56) Recv failure: Connection reset by peer
root@steamdev2:~# curl --insecure -Iv6 http://businessofbrands.co.uk
* Rebuilt URL to: http://businessofbrands.co.uk/
* Hostname was NOT found in DNS cache
* Trying 2a01:7e00::f03c:91ff:febc:659...
* Connected to businessofbrands.co.uk (2a01:7e00::f03c:91ff:febc:659) port 80 (#0)
> HEAD / HTTP/1.1
> User-Agent: curl/7.38.0
> Host: businessofbrands.co.uk
> Accept: */*
>
* Recv failure: Connection reset by peer
* Closing connection 0
curl: (56) Recv failure: Connection reset by peer
...yet it works fine on ipv4:
root@steamdev2:~# curl -Iv4 http://businessofbrands.co.uk
* Rebuilt URL to: http://businessofbrands.co.uk/
* Hostname was NOT found in DNS cache
* Trying 178.79.134.35...
* Connected to businessofbrands.co.uk (178.79.134.35) port 80 (#0)
> HEAD / HTTP/1.1
> User-Agent: curl/7.38.0
> Host: businessofbrands.co.uk
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
HTTP/1.1 301 Moved Permanently
* Server nginx is not blacklisted
< Server: nginx
Server: nginx
< Date: Tue, 11 Apr 2017 15:22:33 GMT
Date: Tue, 11 Apr 2017 15:22:33 GMT
< Content-Type: text/html
Content-Type: text/html
< Content-Length: 178
Content-Length: 178
< Connection: keep-alive
Connection: keep-alive
< Keep-Alive: timeout=60
Keep-Alive: timeout=60
< Location: https://businessofbrands.co.uk/
Location: https://businessofbrands.co.uk/
<
* Connection #0 to host businessofbrands.co.uk left intact
The weird thing is that it works just fine on 443:
root@steamdev2:~# curl --insecure -Iv6 https://businessofbrands.co.uk
* Rebuilt URL to: https://businessofbrands.co.uk/
* Hostname was NOT found in DNS cache
* Trying 2a01:7e00::f03c:91ff:febc:659...
* Connected to businessofbrands.co.uk (2a01:7e00::f03c:91ff:febc:659) port 443 (#0)
* successfully set certificate verify locations:
* CAfile: none
CApath: /etc/ssl/certs
* SSLv3, TLS Unknown, Unknown (22):
* SSLv3, TLS handshake, Client hello (1):
* SSLv2, Unknown (22):
* SSLv3, TLS handshake, Server hello (2):
* SSLv2, Unknown (22):
* SSLv3, TLS handshake, CERT (11):
* SSLv2, Unknown (22):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv2, Unknown (22):
* SSLv3, TLS handshake, Server finished (14):
* SSLv2, Unknown (22):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv2, Unknown (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv2, Unknown (22):
* SSLv3, TLS handshake, Finished (20):
* SSLv2, Unknown (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv2, Unknown (22):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* Server certificate:
* subject: C=US; ST=California; L=San Francisco; O=MyCompany LLC; OU=IT; CN=businessofbrands.co.uk; [email protected]
* start date: 2017-04-11 14:57:31 GMT
* expire date: 2018-04-11 14:57:31 GMT
* issuer: C=US; ST=California; L=San Francisco; O=MyCompany LLC; OU=IT; CN=businessofbrands.co.uk; [email protected]
* SSL certificate verify result: self signed certificate (18), continuing anyway.
* SSLv2, Unknown (23):
> HEAD / HTTP/1.1
> User-Agent: curl/7.38.0
> Host: businessofbrands.co.uk
> Accept: */*
>
* SSLv2, Unknown (23):
< HTTP/1.1 500 Internal Server Error
HTTP/1.1 500 Internal Server Error
* Server nginx is not blacklisted
< Server: nginx
Server: nginx
< Date: Tue, 11 Apr 2017 15:24:43 GMT
Date: Tue, 11 Apr 2017 15:24:43 GMT
< Content-Type: text/html; charset=UTF-8
Content-Type: text/html; charset=UTF-8
< Connection: keep-alive
Connection: keep-alive
< Keep-Alive: timeout=60
Keep-Alive: timeout=60
<
* Connection #0 to host businessofbrands.co.uk left intact
Thanks!
Andy