
LetsEncrypt installed through Laravel Forge causes Safari/iPhone timeout from Iran

Posted 3 months ago by pomocu

Hello all,

So here’s a challenging problem:

I have a "test" domain (filmdoost.com) through GoDaddy and a server on DigitalOcean (nginx 1.15.5) that I’ve deployed through Laravel Forge (LF). I’ve also used LF to add a LetsEncrypt (LE) certificate to the domain.

Everything works great prior to installing the LE certificate.

Here’s what happens when trying to access the site from Iran AFTER adding the LE certificate:

Everything is fine through:

- Chrome, Firefox, IE browsers on MacOS/Windows
- Chrome, Firefox on Android devices
- Android app that hits the same server/domain

The site can ONLY BE ACCESSED WITH A VPN through:

- Safari browser on MacOS/Windows
- all browsers on the iPhone (iOS 11/12)
- iOS app that hits the same server/domain

In other words, Apple related browsers/apps can only connect to the server through a VPN. The connection times out without a VPN.

Now if this were a sanctions related issue, then I’d expect to see the same problem across all devices/browsers. But the fact that this issue only arises with Apple related apps/browsers leads me to believe that the issue is config related. In other words, there is something about the server config applied by Forge after installing the certificate that Apple doesn’t like when trying to access the server from Iranian ISPs.

I've been talking to the LetsEncrypt support team, but to no avail so far. But I do know that the issue isn't related to the LE certificate itself because I can access sites with LE certificates that were not installed through the Forge panel.

I found what turned out to be a temporary fix for the iPhone app (creating default instead of shared NSURLSessions), but even that stopped working a couple of days ago. Here's the error that's thrown by the iPhone app:

Error Domain=NSURLErrorDomain Code=-1001 “The request timed out.” UserInfo={NSUnderlyingError=0x2816058c0 {Error Domain=kCFErrorDomainCFNetwork Code=-1001 “(null)” UserInfo={_kCFStreamErrorCodeKey=-2102, _kCFStreamErrorDomainKey=4}}, NSErrorFailingURLStringKey=https://filmdoost.com/...../......, NSErrorFailingURLKey=https://filmdoost.com/....../......, _kCFStreamErrorDomainKey=4, _kCFStreamErrorCodeKey=-2102, NSLocalizedDescription=The request timed out.}

Any assistance in helping resolve this issue is greatly appreciated. My iOS users are dropping like flies since they can’t run the app without a VPN.

Here’s a copy of my Nginx config file:

```nginx
# FORGE CONFIG (DO NOT REMOVE!)
include forge-conf/filmdoost.com/before/*;

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name filmdoost.com;
    root /home/forge/filmdoost.com/public;

    # FORGE SSL (DO NOT REMOVE!)
    ssl_certificate /etc/nginx/ssl/filmdoost.com/******/server.crt;
    ssl_certificate_key /etc/nginx/ssl/filmdoost.com/******/server.key;

    # Only TLS 1.2 is offered: no TLS 1.0/1.1 fallback and no TLS 1.3.
    ssl_protocols TLSv1.2;
    # Note: OpenSSL has no *-AES256-GCM-SHA512 suites, so the first two names
    # are silently ignored; only the three SHA384 suites are actually offered.
    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/nginx/dhparams.pem;

    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Content-Type-Options "nosniff";

    index index.html index.htm index.php;

    charset utf-8;

    # FORGE CONFIG (DO NOT REMOVE!)
    include forge-conf/filmdoost.com/server/*;

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    location = /favicon.ico { access_log off; log_not_found off; }
    location = /robots.txt  { access_log off; log_not_found off; }

    access_log off;
    error_log  /var/log/nginx/filmdoost.com-error.log error;

    error_page 404 /index.php;

    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/var/run/php/php7.1-fpm.sock;
        fastcgi_index index.php;
        include fastcgi_params;
    }

    # Deny access to dotfiles except the ACME challenge directory
    location ~ /\.(?!well-known).* {
        deny all;
    }
}

# FORGE CONFIG (DO NOT REMOVE!)
include forge-conf/filmdoost.com/after/*;
```
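Added example, not from the original post: a quick audit of the ssl_ciphers line above, using Python's ssl module to ask the local OpenSSL which of the configured names it actually recognises (the local OpenSSL stands in for the one nginx is linked against). Names OpenSSL does not know are dropped without any log entry, so the list offered to clients can be shorter than the config suggests; the effective list is what to compare against a client's supported suites when one platform cannot complete the handshake.

```python
import ssl

# Constructed from the ssl_ciphers line in the posted Forge config.
FORGE_CIPHERS = (
    "ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:"
    "ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-RSA-AES256-SHA384"
)


def resolve_cipher(token):
    """Return the TLS 1.2 suites OpenSSL maps one cipher-string token to.

    An empty list means OpenSSL does not know the name. nginx passes the
    string straight to OpenSSL, which drops such names without logging.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(token)
    except ssl.SSLError:
        return []
    # OpenSSL 1.1.1+ always reports the TLS 1.3 suites as well; they are not
    # controlled by ssl_ciphers, so leave them out of the comparison.
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def audit_cipher_string(cipher_string):
    """Classify each token of an ssl_ciphers value.

    Returns (effective, unrecognized): the suites a client is actually
    offered, in configured preference order, and the tokens OpenSSL rejected.
    """
    effective, unrecognized = [], []
    for token in filter(None, (t.strip() for t in cipher_string.split(":"))):
        resolved = resolve_cipher(token)
        if not resolved:
            unrecognized.append(token)
            continue
        for suite in resolved:
            if suite not in effective:
                effective.append(suite)
    return effective, unrecognized


if __name__ == "__main__":
    offered, dropped = audit_cipher_string(FORGE_CIPHERS)
    print("Offered to clients:", ", ".join(offered))
    print("Silently dropped:  ", ", ".join(dropped) or "none")
```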
