Nginx self-signed certificate isn't working on a Vagrant VM - ssl

We're running Vagrant VMs here. On a VM, I installed nginx. I then created a self-signed certificate. When I look at the certificate's innards, I see:
subject= /C=US/ST=IN/L=myCity/O=My Company/OU=MyProduct/CN=silly.com/emailAddress=info#silly.com
This is obviously sanitized. I believe this certificate is supposed to work for silly.com. Do I interpret this correctly?
On my laptop, I added a hostfile entry to map silly.com to the appropriate IP address.
On the VM, I added the following configuration to /etc/nginx/conf.d/default.conf
# HTTPS server server {
listen 443;
server_name silly.com;
ssl on;
ssl_certificate /etc/nginx/ssl/silly.crt;
ssl_certificate_key /etc/nginx/ssl/silly.key; }
When I browse the site, the port 80 http screen is displayed properly. When I browse with https://silly.com, however, the https portion is rejected and the non-SSL screen is displayed. (I think I clicked 'proceed' while experimenting...)
I commented from the nginx.conf file all lines relating to port 80. Then I restarted nginx. I will get the same success on port 80 and failure on port 443 as I did before.
I tested the config file with nginx -t. It reported no errors.
Would someone offer a debugging tip, please?

It might have something to do with the fact that your opening server { block is effectively commented out because of the # HTTPS server comment. You should actually be getting an error on this config because the closing } is there. Perhaps this is preventing you from restarting Nginx.

Related

SSL for pointed domains

I have an app that is "multi-domain", Other domain just have to point to the IP address to run on my app on the web-server.
Using letsencrypt, I have also generated SSL for those pointed domain using "HTTP" challenges.
Now, my problem is - how do I tell my webserver to read that generated SSL files for the pointed domain.
They are not hosted on my server with config settings. They are just pointed with the IP address to my App and My app renders the content based on a domain name.
I am using VestaCP to manage server, domain, and email
Pointed domains have no config file on my server. They work on the web-application level.
How do I set https for that pointed domain? On a note, I already have valid SSL files - just not sure, where to post or point them, since there is no config.
Can they be kept using "htaccess" or at a web-application level?
E.g, My app runs at "http://example.com" and shows content for example.com, and for the second domain that is pointed to my server "http://anotherExample.com" - my app shows the content for "anotherExample.com" and so on and so forth. "example.com" is hosted on my server with Nginx and apache config, so SSL is set. But anotherExample.com is not hosted on server level but only at the app level - now, where do I set SSL for it? I have already successfully generated SSL using letsencrypt with HTTP challenge.
Update: I run a platform like Blogspot.com Multi-Domain blogs - How to serve SSL for pointed domain?
Thanks
I don't think what you want is directly possible. From your question, I think you are creating multiple A records which points to your application IP address, from which your application decides what data to serve.
So what you have to do is to get SSL certificate for each and every domain you want to serve. Then configure the web server to send the corresponding certificate. This can be done easily with most web servers. Eg: On nginx
server {
listen *:443 ssl;
server_name domain1.com;
ssl_certificate /path/to/domain1.crt;
ssl_certificate_key /path/to/domain1.key;
...
}
server {
listen *:443 ssl;
server_name domain2.com;
ssl_certificate /path/to/domain2.crt;
ssl_certificate_key /path/to/domain2.key;
...
}
Incase you are serving on different subdomains like domain1.example.com and domain2.example.com, then you could get a wildcard certificate which will do the trick.

SSL Termination on NGINX

I have purchased an SSL cert and bundled it up correctly in so much as when I verify the modulus (i.e. https://kb.wisc.edu/middleware/4064) then the hashes are the same.
I have moved the cert and key to my server # /etc/ssl and ensured that the folder permissions are 700 and each file is 600.
I have then the following nginx config:
server {
listen 80;
listen 443 ;
server_name escapehatch.chrisjowen.uk;
ssl on;
ssl_certificate /etc/ssl/ssl-bundle.crt;
ssl_certificate_key /etc/ssl/secret.txt;
access_log /var/log/nginx/nginx.vhost.access.log;
error_log /var/log/nginx/nginx.vhost.error.log;
location / {
proxy_pass http://localhost:8080;
}
}
Finally, to test this, I have a Python SimpleHTTPServer running on port 8080. When I hit the URL on HTTPS, I receive an error
This site can’t provide a secure connection
Looking at the logs from the Python server, I see:
218.186.183.142 - - [21/Aug/2019 04:45:53] code 400, message Bad HTTP/0.9 request type ('\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03\x01a\x96\x061LE\x88I\xf1i\x7f\xc3\xdc%d\x18r\xbbzq9q<\xeb\x1dD\xa3\x8b\x01\x10\x7f')
218.186.183.142 - - [21/Aug/2019 04:45:53] "�a�1LE�I�i��%dr�zq9q<�D�� n��Z���΀��SN�F���j;X.Zw�s^�"**�+�/�,�0̨̩����/5" 400 -
218.186.183.142 - - [21/Aug/2019 04:45:53] code 400, message Bad request version ('\x0fb\x03g\x8d\x04\x8b\xbe!\xad\x98W\x9bV\xd2\x8e\x1e\xc6\xf3\xaa\xff\xce\x0f\x1b\xc9\x0f\xebY\xae\xc4\x00"\xfa\xfa\x13\x01\x13\x02\x13\x03\xc0+\xc0/\xc0,\xc00\xcc\xa9\xcc\xa8\xc0\x13\xc0\x14\x00\x9c\x00\x9d\x00/\x005\x00')
So, it seems like nginx is not decrypting the request and terminating the SSL connection, instead it's passing it to the upstream server, which I do not want.
Checking the nginx logs /var/log/nginx/nginx.vhost.access.log shows nothing.
So, now I am stumped what to do to debug the issue, it appears that either nginx config is wrong or there is something wrong with the cert, but as mentioned I checked this with the following method https://kb.wisc.edu/middleware/4064
listen 80;
listen 443 ;
If you want it to listen for plain http on port 80 and https on port 443 the second line should be listen 443 ssl;.
ssl on;
From the documentation:
This directive was made obsolete in version 1.15.0. The ssl parameter of the listen directive should be used instead.
Also you have the following in the logs of your Python server:
218.186.183.142 - - [21/Aug/2019 04:45:53] code 400, ....
This Python server is clearly visited directly by an external IP address. If the request would be forwarded by the local nginx then the source IP should be 127.0.0.1 instead. This shows, that you don't hit nginx at all but somehow make a direct request to the Python server.

nginx returns SSL certificate for subdomain that should have no certificate

I have a nginx server that manages a few domains and subdomains. There are some subdomains that have an own SSL certificate and they work fine. The problem is that if I try to open blablabla.mydomain.com (this subdomain is not configured in nginx) then firefox shows me an error "Connection is not secure" and "The certificate is only valid for xyz.mydomain.com" (this domain is configured with SSL and works well)
The same happens when I open the root domain mydomain.com. Then the server also returns the certificate for xyz.mydomain.com which is rejected by firefox.
I only want nginx to return the SSL certificate for domains/subdomains I explicitly have configured HTTPS. For what I understand, my configuration should be doing exactly this.
I configured all my https-subdomains like this:
server {
listen 443 ssl;
server_name xyz.mydomain.com;
root /var/www/xyz.mydomain/;
ssl on;
ssl_certificate /etc/letsencrypt/live/xyz.mydomain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/xyz.mydomain.com/privkey.pem;
...
}
The root domain (which should have no SSL) is configured like this:
server {
listen 80;
server_name mydomain.com;
return http://some-redirection.com;
}
There is no SSL server block for this domain. Nor is for the other subdomains that do not exist. So why does nginx in these cases return the certificate for xyz.mydomain.com?
I don't use any wildcards in my server config. Is there some way to debug this? I mean, there must be a reason why nginx always returns the certificate for xyz.mydomain.com for every non-configured domain/subdomain. Why not another configured and working certificate?
I use an Ubuntu 14.04 server with nginx 1.4.6
If you need more info on my config, let me know
EDIT: I think I know why my config does not work. When using https the client encrypts also the domain name and this causes nginx to try all available server defintions. When it doesn't find one it returns the last one? And xyz.mydomain.com seems to be the last one (alphabetically)
So is there a way to avoid this? Would I have to create a ssl cert for every other subdomain?

Port 443 works but not https

I have a website setup, if I load the website with http://www.url.com:443 it works as expected, but if I load https://www.url.com I get a "ERR_CONNECTION_CLOSED" error on Chrome.
I have setup iptables to load port 3000 through both port 80 and 443.
Server is running centos, there is no ssl certificate setup at this stage
You configured the server to listen on port 443 but didn't configure it for SSL traffic. In other words, you merely changed the port from 80 to 443, so it is serving HTTP on port 443.
You say there are no SSL certificates set up. That's the problem. You need to set up certificates (even if only self-signed ones) for HTTPS to work at all. It's the key and certificates from this setup process that tell the server how to encrypt the HTTPS data, and how to identify itself.
This page will help you to set things up properly: https://wiki.centos.org/HowTos/Https
There are many places you can look for advice on creating keys and certs, but the easiest and least expensive options are StartSSL and LetsEncrypt. Both will do this for you at no cost.
https://letsencrypt.org/
https://www.startssl.com/

Laravel Homestead - SSL set up

I'm trying to start to use vagrant for development - I'm completely new to using vagrant for my development - relying on an apache/php/mysql set up on a laptop.
I'm developing using laravel and have set up homestead and am up and running.
I've tried to enable SSL on the homestead (box?) and followed these instructions to set up: https://www.digitalocean.com/community/tutorials/how-to-create-a-ssl-certificate-on-nginx-for-ubuntu-12-04
I made the changes to the homestead sites_enabled file for the site i'm working on.
I added port 443 just beneath port 80 within the server,added the entries for SSL On etc
I've restarted the nginx server and am able to see my pages using https (although chrome doesn't like the certificate)
If I then try to access pages using http I get a 400 error The plain HTTP request was sent to HTTPS port
so a few questions:
1. how can I alter the set up to use a combination of HTTP and HTTPS requests?
2. is it bad practice to serve a site with a combination of HTTP and HTTPS requests - should I simply serve the whole site as https?
Very confused to a completely new subject
Thank you
Add port forwarding to homestead 1.x
You need to forward the SSL port by adding a new line to homestead.rb
sudo nano /vagrant/scripts/homestead.rb
# add SSL port forwarding ...
config.vm.network "forwarded_port", guest: 443, host: 44300
Create SSL certificate
Steps one to four
Do the steps one to step four only from this tutorial https://www.digitalocean.com/community/tutorials/how-to-create-a-ssl-certificate-on-nginx-for-ubuntu-12-04
Step five - Set up the certificate
Edit your homestead site you are working on (replace example with your existing site)
sudo nano /etc/nginx/sites-available/example
Duplicate the whole server{…} section (not only the listen line as you did).
In the duplicated section edit listen 80 to listen 443.
Before the end of the section add the following lines:
ssl on;
ssl_certificate /etc/nginx/ssl/server.crt;
ssl_certificate_key /etc/nginx/ssl/server.key;
exit and do a vagrant reload.
Be careful with --provision. The changes to sites-available/example you just made are reset to default.
If you need to make the changes permanently even in case of provisioning, then have a look at the serve.sh located at your host's homestead folder homstead/scripts/serve.sh and edit it equally to step 5.
Use https://your.domain:44300 in your browser to access via SSL. Accept the self signed certificate in your browser if necessary.
In addition to Peh. I did not get it working with the above code:
I did need to remove
SSL on
and add the ssl to the listener
listen 443 ssl;