adammench:

SSL test: No secure protocols supported

Hello,

After buying a '123-SSL' SSL certificate from 123-reg (their basic certificate), I followed the steps to install it onto a site using Forge. Generating the CSR, downloading the key, etc. all seemed to go well, with no errors reported by Forge.

However, now the site is not reachable, so I want to ask for help in diagnosing the problem.

Running a Qualys SSL test results in the message 'Assessment failed: No secure protocols supported'. The solution they offer is: 'if you get this message, but you know that the site supports SSL, wait until the cache expires on its own, then try again, making sure the hostname you enter uses the "www" prefix (e.g., "www.ssllabs.com", not just "ssllabs.com").'

The site is jollybrown.co.uk - I had it working fine (without the www).

After checking the nginx configuration for the site, I noticed there was a '.' at the start of the server_name like this:

server {
    listen 443 ssl;
    server_name .jollybrown.co.uk;
    root /home/forge/jollybrown.co.uk;

...which I tried removing without success.

I just looked at the list of sites in Forge, and see that this site is checked to support wildcards, however the SSL certificate that I bought is not.

This is all the information that I think I can offer at the moment; can anybody offer any assistance please? Thanks.

adammench:

I removed the site entirely in Forge, thinking that because I had set the Forge site to accept wildcards, it may have somehow affected the SSL installation process, but it is still the same issue with the site after reinstalling.

adammench:

I'll give it a try @JoeDawson, thanks a lot.

I tried before, but I think because it was set to wildcard, Let's Encrypt didn't work. Hopefully this time round it will.

adammench:

I deleted the site again, and reinstalled the repository.

Forge successfully installed Let's Encrypt, and after activating it, I still cannot access the site.

Same issue: Qualys SSL labs says: "Assessment failed: No secure protocols supported"

joedawson:

That's odd - might be worth contacting Taylor through Forge to see if he can help.

adammench (OP, Best Answer):

From Taylor Otwell:

The following error is in your /var/log/nginx/error.log:

2015/12/08 22:56:52 [error] 8673#0: *458 no "ssl_certificate" is defined in server listening on SSL port while SSL handshaking, client: 66.249.91.74, server: 0.0.0.0:443

Regards,
Taylor

Searching for that error message from the log led me to a solution:

http://www.tectut.com/2014/10/solved-no-ssl_certificate-is-defined-in-server-listening-on-ssl-port-while-ssl-handshaking-client/

Basically, I changed:

listen 443 ssl; to listen 443 default_server ssl;

and it now works. Does anybody have an understanding of why that is?

bashy:

All default_server does is make it the default virtual host if the hostname is not found within the server_name attribute.

Adding that is not the solution you want. You should figure out what you did wrong and fix it. When you go to add another server, it may do the same.

adammench:

OK, thanks @bashy, I'll check it out. It's late now and although I've got the site up ready for the client to see tomorrow, you're right, I should get to the root of the problem. I'll take your advice and investigate.

bashy:

@adammench No problem. It's probably this that's causing it. I know you tried before but it's definitely not loading the correct vhost without adding default_server to this one.

server_name .jollybrown.co.uk;   # wrong

# try
server_name *.jollybrown.co.uk;
# or
server_name www.jollybrown.co.uk jollybrown.co.uk;

adammench:

Hmm,

Tried both of those to no avail.

To recap, this works but is flawed, as you said: "When you go to add another server, it may do the same.":

server {
    listen 80;
    # listen 443 ssl;
    server_name jollybrown.co.uk;
    return 301 https://jollybrown.co.uk$request_uri;
}

server {
    listen 443 default_server ssl;
    server_name jollybrown.co.uk;
    root /home/forge/jollybrown.co.uk;

But trying this:

server {
    listen 80;
    server_name www.jollybrown.co.uk jollybrown.co.uk;
    # Also: server_name *.jollybrown.co.uk;
    return 301 https://jollybrown.co.uk$request_uri;
}

server {
    listen 443 ssl;
    server_name jollybrown.co.uk;
    root /home/forge/jollybrown.co.uk;

Doesn't work, and locks the site out, saying ERR_CONNECTION_CLOSED.

bashy:

Do you have a default drop-all for your Nginx?

Try this and see if it returns this instead of the actual site. Maybe you have some sort of proxy in front of it.

Put it in /etc/nginx/sites-available/default and symlink it into sites-enabled.

# Drop requests for unknown hosts
#
# If no default server is defined, nginx will use the first found server.
# To prevent host header attacks, or other potential problems when an unknown
# servername is used in a request, it's recommended to drop the request
# returning 444 "no response".

server {
    listen 80 default_server;

    return 444;
}

server {
    listen 443 ssl default_server;

    # self-signed is fine
    ssl_certificate /etc/nginx/ssl/cert.crt;
    ssl_certificate_key /etc/nginx/ssl/cert.key;

    return 444;
}
adammench:

Thanks @bashy. I have created a self-signed certificate, created a default vhost file as per your comment, and after removing the default_server reference in the jollybrown.co.uk config I ran $ sudo nginx -t

Here is the output:

nginx: [warn] conflicting server name "" on 0.0.0.0:80, ignored
nginx: [warn] conflicting server name "" on 0.0.0.0:80, ignored
nginx: [warn] conflicting server name "" on 0.0.0.0:443, ignored
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Here is the contents of default:

# Drop requests for unknown hosts
#
# If no default server is defined, nginx will use the first found server.
# To prevent host header attacks, or other potential problems when an unknown
# servername is used in a request, it's recommended to drop the request
# returning 444 "no response".

server {
    listen 80 default_server;
    # server_name "";
    return 444;
}

server {
    listen 443 ssl default_server;
    # server_name "";
    # self-signed is fine
    ssl_certificate /etc/nginx/ssl/cert.crt;
    ssl_certificate_key /etc/nginx/ssl/cert.key;

    return 444;
}

Any help would be appreciated, thank you.

bashy:

Don't add server_name to the default vhosts.

Sounds like you have multiple server names being set. Got any other files enabled in Nginx?

adammench:

The server_name is commented out; it was just there while I was testing. So that shouldn't matter, should it? I can remove the comment.

Yeah I have quite a few vhosts enabled...

What should I be looking out for to combat this conflicting server name?

bashy:

Yeah, I wouldn't leave that in there because 6 months later, maybe you'll think "oh, this can be used here?". It won't ever be used in the default_server server block :)

Basically, look for server_name and see if you've set up jollybrown.co.uk or left one empty, and/or have default_server set in any other files.
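
The two symptoms discussed in this thread (a default server on the ssl port with no ssl_certificate, which is what Taylor's log line reports, and the 'conflicting server name ""' warning from several blocks with no server_name) can be checked statically before restarting nginx. The script below is an added example, not code from the thread, Forge or nginx; the sample config, the certificate paths and the site names other than jollybrown.co.uk are constructed, and it assumes config text made only of server blocks, as in the files under sites-enabled.

```python
import re
from collections import defaultdict

# Constructed sample, not the thread's real files: a vhost included before the site
# listens on 443 with no certificate, two blocks omit server_name, the site's own block is fine.
SAMPLE = """server { listen 80; root /var/www/a; }
server { listen 443 ssl; root /var/www/a; }
server { listen 80; root /var/www/b; }
server { listen 80; server_name jollybrown.co.uk; return 301 https://jollybrown.co.uk$request_uri; }
server { listen 443 ssl; server_name jollybrown.co.uk; root /home/forge/jollybrown.co.uk;
         ssl_certificate /etc/nginx/ssl/example/server.crt; ssl_certificate_key /etc/nginx/ssl/example/server.key;
         location / { try_files $uri /index.php?$query_string; } }
"""
# bashy's catch-all from the thread, with a hypothetical self-signed certificate path.
CATCH_ALL = """server { listen 80 default_server; return 444; }
server { listen 443 ssl default_server; ssl_certificate /etc/nginx/ssl/cert.crt; ssl_certificate_key /etc/nginx/ssl/cert.key; return 444; }
"""

def parse_servers(conf):
    """One dict per top-level server block; comments stripped, nested blocks tracked."""
    conf, servers, depth, start = re.sub(r"#[^\n]*", "", conf), [], 0, None
    for i, ch in enumerate(conf):
        depth += (ch == "{") - (ch == "}")
        if ch == "{" and depth == 1:
            start = i
        elif ch == "}" and depth == 0:
            servers.append(describe(conf[start:i]))
    return servers

def describe(body):
    m = re.search(r"\bserver_name\s+([^;]+);", body)
    names = [n.strip("\"'") for n in m.group(1).split()] if m else [""]  # nginx default: ""
    # listen forms handled: bare port or host:port, plus the ssl / default_server flags
    listens = [(p[0] if ":" in p[0] else "0.0.0.0:" + p[0], "ssl" in p, "default_server" in p)
               for p in (m.group(1).split() for m in re.finditer(r"\blisten\s+([^;]+);", body))]
    return {"names": names, "listens": listens,
            "has_cert": re.search(r"\bssl_certificate\s", body) is not None}

def check(conf):
    """Per listen address: can the effective default server handshake, and is "" repeated?"""
    by_addr, issues = defaultdict(list), []
    for s in parse_servers(conf):
        for addr, ssl, default in s["listens"]:
            by_addr[addr].append((s, ssl, default))
    for addr, entries in by_addr.items():
        srv = next((e[0] for e in entries if e[2]), entries[0][0])  # default_server, else first
        if any(e[1] for e in entries) and not srv["has_cert"]:
            issues.append(f"{addr}: default server {srv['names']} has no ssl_certificate")
        empties = sum("" in e[0]["names"] for e in entries)
        if empties > 1:
            issues.append(f'{addr}: conflicting server name "" in {empties} blocks')
    return issues
```

Running check(SAMPLE) flags the cert-less default on 0.0.0.0:443; prepending CATCH_ALL removes that finding while the conflicting-name warnings remain, which is the outcome reported later in the thread.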

adammench:

OK. I have removed the comment in the default file referring to server_name.

I ran

$ grep -r 'server_name' /etc/nginx/sites-available/
# and
$ grep -r 'default_server' /etc/nginx/sites-available/

No duplicates of default_server

or blank server_name

Any other ideas? Thanks again.

adammench:

This is my nginx conf for jollybrown.co.uk:

server {
    listen 80;
    # listen 443 ssl;
    server_name jollybrown.co.uk;
    return 301 https://jollybrown.co.uk$request_uri;
}

server {
    listen 443 ssl;
    server_name jollybrown.co.uk;
    root /home/forge/jollybrown.co.uk;

    # FORGE SSL (DO NOT REMOVE!)
    include logjam_fix;
    ssl_certificate /etc/nginx/ssl/jollybrown.co.uk/18327/server.crt;
    ssl_certificate_key /etc/nginx/ssl/jollybrown.co.uk/18327/server.key;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

    index index.html index.htm index.php;

    charset utf-8;

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    location = /favicon.ico { access_log off; log_not_found off; }
    location = /robots.txt  { access_log off; log_not_found off; }

    access_log off;
    error_log  /var/log/nginx/jollybrown.co.uk-error.log error;

    error_page 404 /index.php;

    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/var/run/php5-fpm.sock;
        fastcgi_index index.php;
        include fastcgi_params;
    }

    location ~ /\.ht {
        deny all;
    }
}
adammench:

Yes, nginx -t still returns:

nginx: [warn] conflicting server name "" on 0.0.0.0:80, ignored
nginx: [warn] conflicting server name "" on 0.0.0.0:80, ignored
nginx: [warn] conflicting server name "" on 0.0.0.0:443, ignored
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

I haven't restarted nginx yet; because of these errors, I don't want to take down the other sites on the server.

I followed your article, so now the config is:

server {
    listen 80;
    listen [::]:80;

    server_name www.jollybrown.co.uk jollybrown.co.uk;
    return 301 https://jollybrown.co.uk$request_uri;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    include logjam_fix;
    ssl_certificate /etc/nginx/ssl/jollybrown.co.uk/18327/server.crt;
    ssl_certificate_key /etc/nginx/ssl/jollybrown.co.uk/18327/server.key;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

    server_name www.jollybrown.co.uk;

    return 301 https://jollybrown.co.uk$request_uri;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name jollybrown.co.uk;
    root /home/forge/jollybrown.co.uk;

    # FORGE SSL (DO NOT REMOVE!)
    include logjam_fix;
    ssl_certificate /etc/nginx/ssl/jollybrown.co.uk/18327/server.crt;
    ssl_certificate_key /etc/nginx/ssl/jollybrown.co.uk/18327/server.key;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

    index index.html index.htm index.php;

    charset utf-8;

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    location = /favicon.ico { access_log off; log_not_found off; }
    location = /robots.txt  { access_log off; log_not_found off; }

    access_log off;
    error_log  /var/log/nginx/jollybrown.co.uk-error.log error;

    error_page 404 /index.php;

    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/var/run/php5-fpm.sock;
        fastcgi_index index.php;
        include fastcgi_params;
    }

    location ~ /\.ht {
        deny all;
    }
}

Regarding getting another certificate for the www version, is this necessary if I have the redirect in place?

bashy:

Okay, that's probably why it's still erroring then, from a previous setting that is currently "live".

Yes you need one for even making a secure connection to start with. It's before the redirect is even reached. Most certs can be assigned to www. and it will work for both www. and non-www.

Also - make sure include logjam_fix; doesn't already include ssl_protocols TLSv1 TLSv1.1 TLSv1.2; or similar.

adammench:

You're right: running the restart has worked, and jollybrown is working now that the default site is in place to block anonymous requests. Thanks!

However, I'm still getting the same conflicting server names as shown in my previous post when running nginx -t. Strange! I guess I'll have to go through logjam_fix to check for duplicates, and the other vhost config files to make sure.

bashy:

Good to hear. That's a proper way to lay out the sites. It will help future debugging.

Very strange. If you work it out, I'd love to put my brain at rest by trying to think of what it could be! :P

adammench:

Agreed, I feel better knowing that I'm not relying on default_server anymore!

I'll let you know when I find out the problem... Going to look through log files.
