Nginx, OpenSSL with Cloudflare full SSL - handshake fail 525 - ssl

I'm getting Handshake fail 525 when trying to use Full SSL option with Cloudflare. Since this is my first time trying to implement some sort of SSL certificate I don't know what could be wrong here.
My SSL cert is generated this way:
sudo mkdir /etc/nginx/ssl
sudo openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/nginx/ssl/server.key -out /etc/nginx/ssl/server.crt
My nginx default config looks like this:
server {
listen 443;
listen [::]:443;
root /var/www/site-laravel/public;
index index.php index.html index.htm;
server_name site.ee;
ssl on;
ssl_certificate /etc/nginx/ssl/server.crt;
ssl_certificate_key /etc/nginx/ssl/server.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
ssl_prefer_server_ciphers on;
}

Make sure you select full SSL in CloudFlare, but no "Full (Strict)". Strict mode requires a validated SSL certificate and does not work with a self-signed one.

I faced a similar issue recently. I'm not entirely sure why this occurs either, but make sure your default_server has an SSL certificate set.

ssl should be added.
server {
listen 443 ssl;
listen [::]:443 ssl;
root /var/www/site-laravel/public;
index index.php index.html index.htm;
server_name site.ee;
ssl on;
ssl_certificate /etc/nginx/ssl/server.crt;
ssl_certificate_key /etc/nginx/ssl/server.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
ssl_prefer_server_ciphers on;
}

Related

Nginx , Ssl slow website

i installed my SSL to my website ( Nginx , SSL ) . After SSL my website is too slow.
I could not find solution but it's related with ssl.
In same droplet i have 3 apps. 1 php ( laravel ) , 2 ruby ( ruby on rails )apps. But just one of them has SSL.
Conf file for my website with SSL :
server {
listen 443 ssl;
server_name www.guclukal.com;
passenger_enabled on;
rails_env production;
root /home/rails/trbodybuilding/public;
ssl on;
ssl_certificate /etc/nginx/ssl/guclukal.com/ssl-bundle.crt;
ssl_certificate_key /etc/nginx/ssl/guclukal.com/guclukal.key;
ssl_session_timeout 5m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
location ^~ /assets/ {
gzip_static on;
expires max;
add_header Cache-Control public;
}
error_page 500 502 503 504 /500.html;
client_max_body_size 4G;
keepalive_timeout 10;
}
I use this steps to create SSL :
1.mkdir /etc/nginx/ssl
openssl req -new -newkey rsa:2048 -nodes -keyout guclukal.key -out guclukal.csr
i paste guclukal.csr to ssls.com to get files
cat guclukal_com.crt guclukal_com.ca-bundle > guclukal.crt to create crt file
than i made my nginx conf file .

How to I override nginx ssl protocols?

I am web developer using nginx 1.6.2 ver using openssl 1.0.2h
I manage a lot of domains.
And very interested in security.
So My default nginx ssl setting is right here.
default.conf
server {
listen 443;
server_name localhost;
ssl on;
ssl_certificate /etc/nginx/SSL/***.crt;
ssl_certificate_key /etc/nginx/SSL/***.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
location ~ {
root /etc/nginx/html;
index index.php;
return 470;
include /etc/nginx/sites-enabled/error_config;
}
}
as you can see, I used only ssl_protocols TLSv1, TLSv1.1, TLSv1.2
and I want to one of domains, getssltest.ga
Want to use only TLSv 1.1 & TLSv 1.2
But I tried to change virtual host configure file any way.
However, just adding 'ssl_protocols TLSv1.1 TLSv1.2;' doesn't validate.
like above this.
server {
listen 443;
server_name getssltest.ga www.getssltest.ga;
ssl_protocols TLSv1.1 TLSv1.2;
ssl on;
ssl_certificate **;
ssl_certificate_key **;
include /etc/nginx/sites-enabled/ssl_config;
proxy_http_version 1.1;
I can not find the way. ( I could check the protocols in here https://www.ssllabs.com/ssltest/analyze.html?d=getssltest.ga)
How can I override ssl_protocol to one of my virtual hosts?
Thx.
You can look it into documentation http://nginx.org/en/docs/http/configuring_https_servers.html, configuration should be how that:
server {
listen 443 ssl;
server_name getssltest.ga www.getssltest.ga;
ssl_certificate *;
ssl_certificate_key *;
ssl_protocols TLSv1.1 TLSv1.2;
...
}

SSL not allowed in two configs after nginx/1.11.4 / Ubu 16.04 update

This was working prior to nginx/1.11.4 and update to Ubuntu 16.04 (and it was on 1.11.x before). There are two sites configured to use SSL on a virtual IP (libvirt). When that didn't work (somehow it always landed on the first config alphabetically with SSL), I changed it to use two different virtual IPs and changed libvirt routing two real IPs to 192.168.122.10 and the other to 192.168.122.11, respectively. Now it's simply giving a handshake failure.
server {
listen 192.168.122.11:443 ssl http2;
server_name www.domain2.org domain2.org;
access_log /var/log/nginx/domains/domain2.org.log;
error_log /var/log/nginx/domains/domain2.org.err;
root /app/domain2.org/html;
ssl on;
ssl_certificate /etc/nginx/ssl/domain2.org.crt;
ssl_certificate_key /etc/nginx/ssl/domain2.org.key;
ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;
ssl_ecdh_curve prime256v1;
ssl_prefer_server_ciphers on;
include /etc/nginx/include/php.conf;
include /etc/nginx/include/restrictions.conf;
}
server {
listen 192.168.122.10:443 ssl http2;
server_name domain1.com www.domain1.com *.domain1.com;
access_log /var/log/nginx/domains/domain1.com.log;
error_log /var/log/nginx/domains/domain1.com.err;
root /app/domain1.com/html;
ssl_certificate /etc/nginx/ssl/domain1.cert;
ssl_certificate_key /etc/nginx/ssl/domain1.pkey;
ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;
ssl_ecdh_curve prime256v1;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8;
include /etc/nginx/include/restrictions.conf;
include /etc/nginx/include/php.conf;
}
This is just the standard nginx from nginx.org packaging, and yes it has SNI. I have no idea why this would suddenly stop working.
root#production:/etc/nginx/conf.d# nginx -V
nginx version: nginx/1.11.4
built by gcc 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.2)
built with OpenSSL 1.0.2g-fips 1 Mar 2016 (running with OpenSSL 1.0.2g 1 Mar 2016)
TLS SNI support enabled

SSL Chain Incomplete

After creating 7 SSL Certificates with Let's Encrypt, I have stumbled upon this error. I had setup all my configs correct and I scanned my whole site for SSL Vulnerabilities on [SSLLabs.com][1] and it told me that my server's certificate chain is incomplete.
The grading picture:
My SSL Grading
The error:
The error I got
I am running CentOS Linux release 7.2.1511 (Core) as a Reverse Proxy in NginX. And my configuration is:
# GhostAntiDDoS
server {
listen 443 ssl;
server_name ghostantiddos.com *.ghostantiddos.com;
ssl on;
ssl_certificate /etc/letsencrypt/live/ghostantiddos.com/cert.pem;
ssl_certificate_key /etc/letsencrypt/live/ghostantiddos.com/privkey.pem;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_session_timeout 5m;
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
add_header Strict-Transport-Security max-age=15768000;
# Bulletin
#limit_conn conn_limit_per_ip 10;
#limit_req zone=req_limit_per_ip burst=5 nodelay;
client_body_timeout 5s;
client_header_timeout 5s;
....
The rest of the parts are hidden as they will expose my origin.
If anyone could assist me in this, I'd be great!
Replace
certificate /etc/letsencrypt/live/ghostantiddos.com/cert.pem
by
certificate /etc/letsencrypt/live/ghostantiddos.com/fullchain.pem
then test again with https://ssllabs.com

Certificate signed by Intermediate shows as self-signed certificate

I'm currently in the process of migrating the hosting of a service of mine from a Managed hosting (running Lighspeed + Cpanel) to my own Managed hosting, running Nginx.
Everything is running fine in Nginx 1.6.0, but my problem is that my certificate shows as self-signed. I installed the SSL certificate including the chained certificate as per
http://www.digicert.com/ssl-certificate-installation-nginx.htm
However, even trying the configuration on NGinx SSL certificate authentication signed by intermediate CA (chain) it does not work.
If I input my website on http://sslcheck.globalsign.com/en_US it shows as it's a self-signed certificate.
Below is my virtual host configuration regarding SSL:
server {
listen 80;
listen 443 ssl;
server_name host02.website.com *.website.com;
root /spacedata/website.com;
index index.php index.html /;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:AES128-SHA:RC4-SHA;
ssl_session_cache shared:SSL:10m;
add_header Strict-Transport-Security max-age=31536000;
ssl_certificate /etc/pki/tls/certs/bundle-alpha.crt;
ssl_certificate_key /etc/pki/tls/certs/private.key;
...
}
I confirm that I installed the right Cert and Private Keys.
Bear in mind that I run the AlphaSSL Wildcard certificate.
I suspect that I'm missing something in regards to the configuration as in my other hosting I installed the same .crt file and .key.
I had the same issue before, had todo with the order of the certs that reside inside your ssl_certificate file.
You need to include all intermediate CA certs in this file, and have them in the right order.
All I had to do was reverse the order of the certs within that file, and my problem was solved.
Your server cert should be on top, then simply go down the CA chain.
PS. My config looks like:
listen 443 default ssl;
ssl_certificate /etc/nginx/ssl/server_plus.crt;
ssl_certificate_key /etc/nginx/ssl/server.key;
ssl_session_timeout 5m;
ssl_protocols SSLv3 TLSv1;
ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP;
ssl_prefer_server_ciphers on;