Page 1 of 2
How to open 443 port? SSL not working
Posted: Thu Jun 22, 2017 11:25 pm
by scristi
Hello,
I have SSL working on port 8083 (the panel), but not for SSL on my domains. I installed the SSL cert (copied the cert in during the domain-creation step, and it seems to be OK), but when I open the https page it returns an ERR_CONNECTION_REFUSED error.
In the Vesta firewall (the IPTables option inside the Vesta CP) I added ports 8080 and 8443 so that both can be listened on, but nothing: from outside, port 8443 is open but 443 is closed.
How can I solve it? Any idea or help...
Thanks in advance,
Sebastian
Re: Port 443 or 8443? SSL not working
Posted: Fri Jun 23, 2017 6:15 am
by gecube_ru
The default SSL port for the nginx server is 443.
If you use the default templates, please check that you allowed port 443 in the firewall.
Re: Port 443 or 8443? SSL not working
Posted: Fri Jun 23, 2017 10:44 am
by scristi
Thanks gecube_ru.
I tried to allow port 443 in the firewall, but nothing.
I'm on CentOS 7.
In the Vesta panel, in the firewall:
ACCEPT TCP/ SSH 22 0.0.0.0/0
ACCEPT TCP/ WEB 80,443,8080,8443 0.0.0.0/0
ACCEPT TCP/ FTP 21,12000-12100 0.0.0.0/0
ACCEPT UDP/ DNS 53 0.0.0.0/0
ACCEPT TCP/ DNS 53 0.0.0.0/0
ACCEPT TCP/ SMTP 25,465,587,2525 0.0.0.0/0
ACCEPT TCP/ POP3 110,995 0.0.0.0/0
ACCEPT TCP/ IMAP 143,993 0.0.0.0/0
ACCEPT TCP/ DB 3306,5432 0.0.0.0/0
ACCEPT TCP/ VESTA 8083 0.0.0.0/0
ACCEPT ICMP/ PING 0 0.0.0.0/0
I also tried it with IPTABLES (over SSH) but port 443 remains closed...
If I try the firewall from the command line, it returns this:
[root@server ~]# firewall-cmd --get-active-zones
FirewallD is not running
-------------
If I try
https://mydomain.com:8443/ it works... but not
https://mydomain.com (without a port, nor with port 443). Maybe the solution is to make nginx work on port 8443, the same one used by httpd... but how?
Any idea?
Re: How to open 443 port? SSL not working
Posted: Fri Jun 23, 2017 12:44 pm
by gecube_ru
Please run the following commands and post their output here
netstat -tulpn | grep --color :80
netstat -tulpn | grep --color :443
Re: How to open 443 port? SSL not working
Posted: Fri Jun 23, 2017 12:47 pm
by scristi
Thanks:
[root@server nginx]# netstat -tulpn | grep --color :80
tcp 0 0 myip1:80 0.0.0.0:* LISTEN 32560/nginx: master
tcp 0 0 myip2:80 0.0.0.0:* LISTEN 32560/nginx: master
tcp 0 0 myip3:80 0.0.0.0:* LISTEN 32560/nginx: master
tcp 0 0 myip4:80 0.0.0.0:* LISTEN 32560/nginx: master
tcp 0 0 myip5:80 0.0.0.0:* LISTEN 32560/nginx: master
tcp 0 0 myip1:8080 0.0.0.0:* LISTEN 5212/httpd
tcp 0 0 myip2:8080 0.0.0.0:* LISTEN 5212/httpd
tcp 0 0 myip3:8080 0.0.0.0:* LISTEN 5212/httpd
tcp 0 0 myip4:8080 0.0.0.0:* LISTEN 5212/httpd
tcp 0 0 myip5:8080 0.0.0.0:* LISTEN 5212/httpd
tcp 0 0 127.0.0.1:8081 0.0.0.0:* LISTEN 5212/httpd
tcp 0 0 0.0.0.0:8083 0.0.0.0:* LISTEN 1987/nginx: master
tcp 0 0 127.0.0.1:8084 0.0.0.0:* LISTEN 32560/nginx: master
---------------------------------------
[root@server nginx]# netstat -tulpn | grep --color :443
[root@server nginx]#
(nothing)
---------------------------------------
[root@server nginx]# netstat -tulpn | grep --color :8443
tcp 0 0 myip1:8443 0.0.0.0:* LISTEN 5212/httpd
tcp 0 0 myip2:8443 0.0.0.0:* LISTEN 5212/httpd
tcp 0 0 myip3:8443 0.0.0.0:* LISTEN 5212/httpd
tcp 0 0 myip4:8443 0.0.0.0:* LISTEN 5212/httpd
tcp 0 0 myip5:8443 0.0.0.0:* LISTEN 5212/httpd
Re: How to open 443 port? SSL not working
Posted: Fri Jun 23, 2017 2:42 pm
by gecube_ru
It just means that you have not enabled the SSL configuration for nginx.
Check the existence and correctness of the snginx.conf file under the /home/<username>/conf/web directory.
If it is OK, try to check the config
and reload nginx.
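The diagnosis above rests on two observations already in the thread: the panel's firewall table accepts 443, and the netstat listing shows nothing bound to it. The script below is an added example (the editor's, not part of the thread and not Vesta's code) that separates those two causes of a "closed" port offline: it takes a socket listing (netstat -tlnp or ss -ltnp output) plus an iptables-save dump and reports whether the port has no listener at all (connection refused, the thread's case) or has a listener the firewall does not accept. The sample data is constructed to mirror the thread; 203.0.113.10 stands in for "myip1", and the chain name and exact iptables-save layout of Vesta's rules are assumptions. Rule order (an earlier DROP) is not modelled.

```shell
#!/bin/sh
# Added example, not from the thread or from Vesta: tells "nothing listening"
# apart from "listening but firewalled", offline, from text you already have.

# is_listening PORT LISTING: exit 0 if some LISTEN line's local address ends in :PORT
# (works on netstat -tlnp and ss -ltnp output, IPv4 "a.b.c.d:443" and IPv6 "[::]:443").
is_listening() {
    printf '%s\n' "$2" | awk -v p=":$1\$" '
        /LISTEN/ { for (i = 1; i <= NF; i++) if ($i ~ p) { found = 1; exit } }
        END { if (found) exit 0; exit 1 }'
}

# fw_accepts PORT RULES: exit 0 if a tcp ACCEPT rule's --dport/--dports covers PORT.
# Handles comma lists and lo-hi ranges such as Vesta's "21,12000-12100".
fw_accepts() {
    printf '%s\n' "$2" | awk -v port="$1" '
        /-p tcp/ && /-j ACCEPT/ {
            for (i = 1; i < NF; i++) {
                if ($i != "--dport" && $i != "--dports") continue
                n = split($(i + 1), spec, ",")
                for (k = 1; k <= n; k++) {
                    if (split(spec[k], r, "-") == 2) { lo = r[1] + 0; hi = r[2] + 0 }
                    else { lo = spec[k] + 0; hi = lo }
                    if (port + 0 >= lo && port + 0 <= hi) { found = 1; exit }
                }
            }
        }
        END { if (found) exit 0; exit 1 }'
}

# diagnose PORT LISTING RULES: prints not-listening | listening-but-filtered | ok
diagnose() {
    if ! is_listening "$1" "$2"; then
        echo not-listening            # firewall may be open, but no socket: RST, "connection refused"
    elif ! fw_accepts "$1" "$3"; then
        echo listening-but-filtered   # a DROP rule: nmap would say "filtered", not "closed"
    else
        echo ok
    fi
}

# Constructed sample mirroring the thread's netstat output (203.0.113.10 = "myip1").
SAMPLE_LISTING='tcp 0 0 203.0.113.10:80 0.0.0.0:* LISTEN 32560/nginx: master
tcp 0 0 203.0.113.10:8080 0.0.0.0:* LISTEN 5212/httpd
tcp 0 0 203.0.113.10:8443 0.0.0.0:* LISTEN 5212/httpd
tcp 0 0 0.0.0.0:8083 0.0.0.0:* LISTEN 1987/nginx: master'

# Constructed iptables-save lines matching the panel's firewall table
# (chain name and multiport syntax are assumed; the thread only shows the panel view).
SAMPLE_RULES='-A INPUT -p tcp -m multiport --dports 22 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443,8080,8443 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 21,12000-12100 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8083 -j ACCEPT
-A INPUT -j DROP'

# With --live, read the real socket table and firewall (iptables-save needs root);
# otherwise run against the constructed sample.
if [ "${1:-}" = "--live" ]; then
    listing=$(ss -Hltnp 2>/dev/null || netstat -tlnp)
    rules=$(iptables-save)
else
    listing=$SAMPLE_LISTING
    rules=$SAMPLE_RULES
fi
for port in 80 443 8083 8443; do
    echo "$port: $(diagnose "$port" "$listing" "$rules")"
done
```

Against the sample, 443 reports not-listening while 80, 8083 and 8443 report ok, which is exactly the thread's state: the rules are fine, the nginx SSL server block is missing. The nmap result later in the thread agrees, since "closed" means a TCP RST came back; a plain iptables DROP would have shown as "filtered".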
Re: How to open 443 port? SSL not working
Posted: Fri Jun 23, 2017 3:11 pm
by scristi
Thanks for your help and time gecube_ru.
The snginx.conf file is not in this directory. How can I fix it?
First:
[root@server web]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
In
nginx.conf I have a doubt. I have 2 domains on the server, but in that file only one appears, domain1 (it's not my work domain; domain1 is there just to make some tests and I use it for nameservers):
-----------------------------------------------------
server {
    listen 204.(my-ip-for-domain1):80;
    server_name domain1.com www.domain1.com ns3.domain1.com ns4.domain1.com;
    error_log /var/log/httpd/domains/domain1.com.error.log error;
    location / {
        proxy_pass http://204.(my-ip-for-domain1):8080;
        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|tif|tiff|css|js|htm|html|ttf|otf|webp|woff|txt|csv|rtf|doc|docx|xls|xlsx|ppt|pptx|odf|odp|ods|odt|pdf|psd|ai|eot|eps|ps|zip|tar|tgz|gz|rar|bz2|7z|aac|m4a|mp3|mp4|ogg|wav|wma|3gp|avi$
            root /home/scristi/web/domain1/public_html;
            access_log /var/log/httpd/domains/domain1.log combined;
            access_log /var/log/httpd/domains/domain1.bytes bytes;
            expires max;
            try_files $uri @fallback;
        }
    }
    location /error/ {
        alias /home/scristi/web/domain1/document_errors/;
    }
    location @fallback {
        proxy_pass http://204.(my-ip-for-domain1):8080;
    }
    location ~ /\.ht {return 404;}
    location ~ /\.svn/ {return 404;}
    location ~ /\.git/ {return 404;}
    location ~ /\.hg/ {return 404;}
    location ~ /\.bzr/ {return 404;}
    disable_symlinks if_not_owner from=/home/scristi/web/domain1/public_html;
    include /home/scristi/conf/web/nginx.domain1.conf*;
}
-----------------------------------------------------
Inside the same folder there are separate files for each domain.
The domain2 file (there is also a domain1 file here) is
nginx.domain2.conf_letsencrypt and it shows:
location ~ "^/\.well-known/acme-challenge/(.*)$" {
default_type text/plain;
return 200 "$1.Vt43YGcIN7B3dK9lmY3MsHIsjtZK9AiZeXaQ_Xocjqc";
}
-----------------------------------------------------
I also have
shttpd.conf here, with this content:
<VirtualHost 204.(my-ip-for-DOMAIN2):8443>
    ServerName domain2.com
    ServerAlias www.domain2.com domain2-com.domain2.com
    ServerAdmin [email protected]
    DocumentRoot /home/scristi/web/domain2/public_html
    ScriptAlias /cgi-bin/ /home/scristi/web/domain2/cgi-bin/
    Alias /vstats/ /home/scristi/web/domain2/stats/
    Alias /error/ /home/scristi/web/domain2/document_errors/
    #SuexecUserGroup scristi scristi
    CustomLog /var/log/httpd/domains/domain2.bytes bytes
    CustomLog /var/log/httpd/domains/domain2.log combined
    ErrorLog /var/log/httpd/domains/domain2.error.log
    <Directory /home/scristi/web/domain2/public_html>
        AllowOverride All
        SSLRequireSSL
        Options +Includes -Indexes +ExecCGI
        php_admin_value upload_max_filesize 10M
        php_admin_value max_execution_time 20
        php_admin_value post_max_size 8M
        php_admin_value memory_limit 32M
        php_admin_flag mysql.allow_persistent off
        php_admin_flag safe_mode off
        php_admin_value sendmail_path "/usr/sbin/sendmail -t -i -f info@domain2"
        php_admin_value open_basedir /home/scristi/web/domain2/public_html:/home/scristi/tmp:/bin:/usr/bin:/usr/local/bin:/var/www/html:/tmp:/usr/share:/etc/phpMyAdmin:/etc/phpmyadmin:/var/lib/phpmyadmin:/etc/roundcubemail:/et$
        php_admin_value upload_tmp_dir /home/scristi/tmp
        php_admin_value session.save_path /home/scristi/tmp
    </Directory>
    <Directory /home/scristi/web/domain2/stats>
        AllowOverride All
    </Directory>
    SSLEngine on
    SSLVerifyClient none
    SSLCertificateFile /home/scristi/conf/web/ssl.domain2.crt
    SSLCertificateKeyFile /home/scristi/conf/web/ssl.domain2.key
    #SSLCertificateChainFile /home/scristi/conf/web/ssl.domain2.ca
    <IfModule mod_ruid2.c>
        RMode config
        RUidGid scristi scristi
        RGroups apache
    </IfModule>
    <IfModule itk.c>
        AssignUserID scristi scristi
    </IfModule>
    IncludeOptional /home/scristi/conf/web/shttpd.domain2.conf*
</VirtualHost>
(I'm trying to get https working on domain2. Domain1 is there just for testing purposes)
More info, in /etc/httpd/conf.d/my-ip2.conf:
Listen my-ip2:8080
Listen my-ip2:8443
Re: How to open 443 port? SSL not working
Posted: Sat Jun 24, 2017 10:51 am
by gecube_ru
Please try to de-select the "SSL Support" checkbox for your domain and save the settings.
Then select it again, save the settings and check again whether nginx accepts incoming connections on port 443.
The problem is that snginx.conf wasn't created in your directory, so nginx doesn't know that it needs to accept SSL connections on port 443.
Re: How to open 443 port? SSL not working
Posted: Sat Jun 24, 2017 2:41 pm
by scristi
I tried following these steps:
1.- Disable the SSL checkbox and regenerate the hosting account
2.- Reboot the server
3.- Select the SSL checkbox, enter the SSL key and certs, and regenerate the account
4.- Reboot the server
Result: the same (tried 3 times)
Maybe the problem is that I'm using an external SSL cert, but I can't generate a Let's Encrypt cert directly in Vesta; that option gives an error at the creation step.
But the cert seems to be valid and working:
-----------------------------------
Subject: (domain2-here.com)
ALIASES: (domain2-here.com),www.(domain2-here.com)
NOT_BEFORE: Jun 20 22:42:00 2017 GMT
NOT_AFTER: Sep 18 22:42:00 2017 GMT
SIGNATURE: sha256WithRSAEncryption
PUB_KEY: 2048 bit
ISSUER C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X
----------------------------------
But...
[root@server ~]# cat /etc/services | grep 443
https 443/tcp # http protocol over TLS/SSL
https 443/udp # http protocol over TLS/SSL
https 443/sctp # http protocol over TLS/SSL
pcsync-https 8443/tcp # PCsync HTTPS
pcsync-https 8443/udp # PCsync HTTPS
(there are other *443* ports, but I listed the two of interest)
And if I test 443 from another location:
The 1 scanned port on domain-2.com (my-ip-2) is closed
Nmap done: 1 IP address (1 host up) scanned in 0.74 seconds
Re: How to open 443 port? SSL not working
Posted: Sat Jun 24, 2017 6:25 pm
by gecube_ru
It is very strange that your "external" certificate is issued by the Let's Encrypt authority.
I really don't have any idea how you could get into such an issue. If I got into one, I'd rewrite nginx.conf adding a listen 443 ssl directive, the path to the actual certificates and a proxy to your site. Also httpd on 8443 is total nonsense, because the proxy server (i.e. nginx) uses the certificate for the SSL connection with the client of your site.
The only drawback of manually editing the config files is that they will be rewritten by Vesta when you change settings in the panel.
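What the manual fix gecube_ru describes looks like in practice, as an added example written by the editor (it is not Vesta's template and not from the thread): the HTTPS server block that a generated snginx.conf would normally supply for domain2. The certificate paths, log path, document_errors alias and dotfile guards follow the files already posted; 203.0.113.10 stands in for the address shown as "204.(my-ip-for-DOMAIN2)"; the proxy headers and the ssl_protocols choice are the editor's additions. The backend is the httpd vhost that shttpd.conf binds on :8443; proxying to plain http on :8080 instead, as the post above prefers, is a one-line change and is noted in the block.

```nginx
# Added example (editor's own, not Vesta's template and not from the thread):
# HTTPS front end for domain2, to live in /home/scristi/conf/web/snginx.conf.
server {
    listen 203.0.113.10:443 ssl;                 # bind TLS on the IP nginx already serves :80 on
    server_name domain2.com www.domain2.com;

    # nginx has no separate chain directive: the .crt file must contain the server
    # certificate followed by the Let's Encrypt intermediate, otherwise clients that
    # do not already hold the intermediate fail validation (shttpd.conf leaves its
    # SSLCertificateChainFile commented out, so check this file explicitly).
    ssl_certificate     /home/scristi/conf/web/ssl.domain2.crt;
    ssl_certificate_key /home/scristi/conf/web/ssl.domain2.key;
    ssl_protocols       TLSv1.2;                 # no SSLv3 / TLS 1.0 / TLS 1.1
    ssl_prefer_server_ciphers on;

    error_log /var/log/httpd/domains/domain2.error.log error;

    location / {
        # hand the request to the httpd vhost that shttpd.conf binds on :8443;
        # to drop httpd's own TLS layer, point this at http://203.0.113.10:8080 instead
        proxy_pass https://203.0.113.10:8443;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }

    location /error/ {
        alias /home/scristi/web/domain2/document_errors/;
    }

    # same guards the :80 block already applies, so VCS metadata and .htaccess never leak over HTTPS
    location ~ /\.ht   { return 404; }
    location ~ /\.svn/ { return 404; }
    location ~ /\.git/ { return 404; }
    location ~ /\.hg/  { return 404; }
    location ~ /\.bzr/ { return 404; }
}
```

After saving it, confirm nginx actually loads the file (`nginx -T | grep -n 'listen .*:443'`), then `nginx -t && systemctl reload nginx`, and verify the bind with `ss -ltnp | grep ':443'` and the handshake with `openssl s_client -connect domain2.com:443 -servername domain2.com`, which also reports whether the intermediate was sent. Two caveats: as the post above says, Vesta overwrites these files when the domain is edited in the panel, so re-check after any change there; and the panel's WEB rule admits 8080 and 8443 from 0.0.0.0/0, so httpd stays reachable directly, bypassing nginx entirely, until those two ports are limited to the server's own addresses.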