
Nginx SSL 502 bad gateway - SSL_do_handshake() failed

Discussion in 'Nginx, PHP-FPM & MariaDB MySQL' started by NeiPCs, Apr 2, 2019.

  1. NeiPCs

    NeiPCs Member

    40
    9
    8
    Jun 28, 2014
    Ratings:
    +13
    Local Time:
    10:07 AM
    1.11.1
    5.5
    Please fill in any relevant information that applies to you:
    • CentOS Version: CentOS 7 64bit ?
    • Centmin Mod Version Installed: 123.09beta01
    • Nginx Version Installed: 1.15.10
    • PHP Version Installed: 7.0.33
    • MariaDB MySQL Version Installed: 10.0.38
    • When was last time updated Centmin Mod code base ? : Today run centmin.sh menu option 23 submenu option 2
    • Persistent Config: Do you have any persistent config file options set in /etc/centminmod/custom_config.inc ? You can check via this command:
      Code (Text):
      EMAIL='[email protected]'          # Server notification email address enter only 1 address
      ZONEINFO=America/Sao_Paulo  # Set Timezone
      NGXDYNAMIC_NGXPAGESPEED='y'
      NGINX_PAGESPEED='y'
      LETSENCRYPT_DETECT='y'
      PHP_PGO='y'
      PHPPGO_INDEXPATH='/home/nginx/domains/mydomain.com/public/index.php'
      #LIBRESSL_SWITCH='n'
      OPENSSL_VERSION='1.1.1'
      #TLSONETHREE='y'
      CLANG='n'
      DEVTOOLSETSIX='n'
      DEVTOOLSETSEVEN='y'
      DEVTOOLSETEIGHT='n'
      NGINX_DEVTOOLSETGCC='y'
      


      Error Log (many lines but same error)
      Code (Text):
      2019/04/02 12:22:34 [error] 17262#17262: *356 SSL_do_handshake() failed (SSL: error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:SSL alert number 40) while SSL handshaking to upstream, client: X.X.X.X, server: myserverurl, request: "GET /api/path HTTP/2.0", upstream: "https://104.18.19.83:443/v1/path", host: "myserverurl", referrer: "https://myserverurl/path"
      


      I have had an app working for about 5 months, but since yesterday my website doesn't work and I get the error above every time.
      I have a VueJS app hosted, with Nginx proxying from mysite/api/v1/path to targetsite/v1/path.

      My site's custom nginx conf is:
      Code:
        location /api/ {
          # no rewrite needed: proxy_pass with a URI part replaces the matched /api/
          # prefix with /v1/, so /api/path is sent upstream as /v1/path (as in the log)
          proxy_pass https://targetsite/v1/;
        }
      
      I've tried updating to the latest centminmod, and deleted and recreated mysite via option 2; everything is working again with a Let's Encrypt certificate tested with ssllabs.com.

      Sorry, I don't understand much about certificates, but when I tried to connect to targetsite through openssl it gave me this error:

      Code:
      openssl s_client -connect targetsite:443
      
      CONNECTED(00000003)
      139715937351568:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:769:
      ---
      no peer certificate available
      ---
      No client certificate CA names sent
      ---
      SSL handshake has read 7 bytes and written 289 bytes
      ---
      New, (NONE), Cipher is (NONE)
      Secure Renegotiation IS NOT supported
      Compression: NONE
      Expansion: NONE
      No ALPN negotiated
      SSL-Session:
          Protocol  : TLSv1
          Cipher    : 0000
          Session-ID:
          Session-ID-ctx:
          Master-Key:
          Key-Arg   : None
          Krb5 Principal: None
          PSK identity: None
          PSK identity hint: None
          Start Time: 1554208707
          Timeout   : 300 (sec)
          Verify return code: 0 (ok)
      ---
      
     
  2. eva2000

    eva2000 Administrator Staff Member

    42,370
    9,567
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +14,741
    Local Time:
    11:07 PM
    Nginx 1.17.x
    MariaDB 5.5/10.x
    I'd first remove from the persistent config file the options for
    Code (Text):
    OPENSSL_VERSION='1.1.1'
    #TLSONETHREE='y'
    CLANG='n'
    DEVTOOLSETSIX='n'
    DEVTOOLSETSEVEN='y'
    DEVTOOLSETEIGHT='n'
    NGINX_DEVTOOLSETGCC='y'
    

    Let Centmin Mod 123.09beta01 set the defaults, as you are also forcing an outdated OPENSSL_VERSION of 1.1.1 while 1.1.1b is the latest.

    Then re-run centmin.sh menu option 4 to recompile Nginx version = 1.15.10.
    1. Is the VueJS App on the same server at that IP, or on a remote server? That IP looks like it belongs to Cloudflare (IP Location Finder).
    2. With Cloudflare, what minimum TLS version have you set? TLS v1.0, v1.1, v1.2 or v1.3?
    3. In the past I tried reverse proxying to a Cloudflare protected upstream and got errors myself - haven't tried it since. If the VueJS App is remotely hosted and it worked before, it could be that the remote host didn't use Cloudflare before. They may have recently put the remotely hosted VueJS App behind Cloudflare, which is now causing you problems.
    4. If they only recently switched to using Cloudflare in front, you may need to set proxy_ssl_server_name in your proxy config to the server/hostname of the SSL cert/site you are trying to connect to (see proxy_ssl_server_name and proxy_ssl_name in Module ngx_http_proxy_module).
    However, the upstream remote target site seems to have a messed up HTTPS configuration, only accepting outdated insecure SSLv2 and SSLv3 and not accepting the newer default TLSv1.0, TLSv1.1 and TLSv1.2.

    Accessing the upstream IP directly in a web browser gives me
     
  3. NeiPCs
    Ok,

    I've removed and recompiled:
    Code (Text):
    nginx -V
    nginx version: nginx/1.15.10 (020419-170651-centos7-kvm)
    built by gcc 8.2.1 20180905 (Red Hat 8.2.1-3) (GCC)
    built with OpenSSL 1.1.1b  26 Feb 2019
    TLS SNI support enabled
    

    1. No. The VueJS App is on my server; the upstream is on a different server to which I don't have any access.
    2. I don't know how to configure Cloudflare settings like that :/ but I've defined TLS 1.2 in the nginx host config.
    3. Yeah, my App was running before, and they may have changed to Cloudflare at the remote host.
    4. Well, I've tried all those options, one by one:
    Code:
      location /api/ {
        # no rewrite needed: proxy_pass with a URI part maps /api/path to /v1/path
        proxy_pass https://api.iugu.com/v1/;
        # CA bundle used to verify the upstream's certificate when proxy_ssl_verify is on
        proxy_ssl_trusted_certificate /usr/local/nginx/conf/ssl/mysiteurl/mysiteurl-acme.cer;
        # client certificate presented to the upstream (only used for mutual TLS)
        proxy_ssl_certificate /usr/local/nginx/conf/ssl/mysiteurl/mysiteurl-acme.cer;
        proxy_ssl_certificate_key /usr/local/nginx/conf/ssl/mysiteurl/mysiteurl-acme.key;
        proxy_ssl_verify       on;
        proxy_ssl_verify_depth 2;
        proxy_ssl_session_reuse on;
        proxy_ssl_protocols TLSv1.2;
        # cipher list as pasted (cut off mid-string in the original post)
        proxy_ssl_ciphers   TLS13-AES-128-GCM-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GC$-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS;
        # name sent as SNI and checked against the upstream certificate; defaults to the proxy_pass host
        proxy_ssl_name mysiteurl;
        proxy_ssl_server_name on;
      }
    
    Checked their ssltest over Cloudflare as you said: SSL Server Test: api.iugu.com (Powered by Qualys SSL Labs)

    I'm trying my best, but I don't know what happened.
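
Added example, editor's code rather than anything from the posts or from Centmin Mod: the /api/ location from the two posts above, written the way a practitioner would proxy over TLS to a Cloudflare-fronted upstream. The handshake alert in the error log (alert 40 from a Cloudflare edge IP) and the identical alert from openssl s_client run without -servername are what a ClientHello with no SNI gets from a Cloudflare edge, which serves many hostnames per IP and needs SNI to choose a certificate. nginx sends no SNI to upstreams unless proxy_ssl_server_name is on, and the name it sends comes from proxy_ssl_name, which must be the upstream's hostname (its default, the host in proxy_pass), not the proxying vhost's. api.iugu.com is the upstream named in the thread; /etc/pki/tls/certs/ca-bundle.crt is the CentOS 7 system CA bundle, assumed here as the trust store.

```nginx
# Added example: outbound TLS from nginx to a Cloudflare-fronted upstream.
# Not the original poster's config. api.iugu.com is the upstream named in the
# thread; /etc/pki/tls/certs/ca-bundle.crt is the CentOS 7 system CA bundle (assumed).
location /api/ {
    # proxy_pass with a URI part swaps the matched /api/ prefix for /v1/,
    # so /api/path reaches the upstream as /v1/path. No rewrite is needed.
    proxy_pass https://api.iugu.com/v1/;

    # Send SNI. The default is off; without it a Cloudflare edge answers with
    # "sslv3 alert handshake failure" (alert 40), the error in the log above.
    proxy_ssl_server_name on;
    # Name used for SNI and for certificate checking. This is the UPSTREAM host
    # (it already defaults to the host in proxy_pass). Naming your own vhost here
    # sends an SNI the edge does not serve and fails the same way.
    proxy_ssl_name api.iugu.com;

    # Verify the upstream's certificate against the system CA bundle, not against
    # your own Let's Encrypt leaf certificate (a leaf can never validate a chain).
    proxy_ssl_verify on;
    proxy_ssl_trusted_certificate /etc/pki/tls/certs/ca-bundle.crt;
    proxy_ssl_verify_depth 2;
    proxy_ssl_protocols TLSv1.2 TLSv1.3;
    proxy_ssl_session_reuse on;

    # No proxy_ssl_certificate / proxy_ssl_certificate_key: those present a CLIENT
    # certificate to the upstream and are only needed when the upstream demands mTLS.
}
```

Confirm the diagnosis before touching config: openssl s_client -connect api.iugu.com:443 -servername api.iugu.com </dev/null should complete the handshake and print a certificate chain, while the same command without -servername reproduces the alert from the first post. After editing, run nginx -t and reload. proxy_ssl_verify on with a real CA bundle is what makes the proxy refuse a man-in-the-middle on the path to the API; with the vhost's own leaf certificate as proxy_ssl_trusted_certificate, verification cannot succeed.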
     
  4. eva2000
    ssllabs reports a 404 not found status code for the domain, so the remotely hosted app is broken or not working or something.

    You probably need to contact that remotely hosted app's web site owner/web host to make sure it's working first.
    Are these required by your remote app for proxying? Usually they aren't required.
     
  5. NeiPCs
    It's working, remote site is api.iugu.com

    I'm talking with them, but they don't know what happened either.
    I've tested by direct access from my DEV (running express as the webserver) and it works, but via proxy with nginx it doesn't work :/

    It now seems to be an authentication with Cloudflare from my site.
    How can I send the certificate correctly for Cloudflare authentication?

    I've tried uncommenting these lines, but got Error 400.
    Code (Text):
      # server-side directives: nginx demands a client certificate from whoever connects
      # to this vhost (the Cloudflare origin-pull CA here); they do not affect proxy_pass
      ssl_client_certificate /usr/local/nginx/conf/ssl/cloudflare/mysiteurl/origin.crt;
      ssl_verify_client on;
    
     
  6. eva2000
    Centmin Mod is provided as is, so short of script-related bugs or issues, any further optimisation of the web stack components - nginx, php-fpm, mariadb mysql, csf firewall etc - or web app specific configurations is left to the Centmin Mod user to deal with. So I do not provide any free support for figuring out your proper nginx reverse proxy setup with a Cloudflare backend origin over HTTPS.

    However, Centmin Mod users are free to help each other out and ask questions or give answers on this community forum. My hope is that this community forum evolves so that more veteran long time Centmin Mod users help new Centmin Mod users out :)
     
  7. eva2000
    SSL is working for the site but NOT for the web app itself, as the ssllabs report shows 404 not found

     
  8. NeiPCs
    I'm so grateful for all your help, even outside of centminmod; you're really a great guy!
    I hope to solve this issue as fast as I can, and I'll keep trying until I fix it. Then it will help others too.
     
  9. NeiPCs
    Hello guys,

    I couldn't wait to fix this issue of communication between my nginx and the remote API through SSL/TLS, but there is a workaround.

    I use centminmod to host any webapp or web page because of the way it deals with nginx, php-fpm, vhosts with a valid certificate from letsencrypt, integrated ftp, mariadb ready to use, cache, etc... and I have loved it for years.

    This time I'm dealing with a VueJS app, which means a pure static webapp (html, css, js).
    From Javascript I call the remote API to work with dynamic data, and all commands go from/to the remote API.

    My 1st try:
    MyApp -> remote api directly.
    failed due to CORS

    My 2nd try:
    MyApp -> remote api (through nginx location /api/, then proxy_pass to https://remoteapiurl)
    worked until days ago, when the remote API implemented Cloudflare

    My last try:
    Create a new proxy hosted with MyApp to run with nodejs:
    Code:
    var express = require('express')
    // 0.x API: the module exports the factory (1.x renamed it createProxyMiddleware)
    var proxy = require('http-proxy-middleware')
    var app = express()
    // changeOrigin sets the Host header to the target host, so the remote API sees its own name
    app.use('/api', proxy({ target: 'http://remoteapiurl', changeOrigin: true }))
    // no host argument: binds every interface; add '127.0.0.1' to keep it nginx-only
    app.listen(3000)
    
    MyApp -> new proxy throught nginx location /api/ -> remote api

    working


    I hope it helps whoever has the same problem, or that someone can solve the first 2 tries too.
     
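
Added example (editor's, not the poster's configuration) for the layout in the post above: the nginx side of "MyApp -> new proxy through nginx location /api/ -> remote api", where the Centmin Mod vhost hands /api/ to the local Node proxy over plain HTTP on loopback and the Node process owns the outbound HTTPS to the remote API. Port 3000 is taken from the posted Express code; the forwarded headers use standard nginx variables.

```nginx
# Added example, not the poster's config: nginx in front of the local Node proxy
# from the post above (Express listening on port 3000, as in the posted code).
location /api/ {
    # Plain HTTP, loopback only. Nothing here is TLS: the Node proxy does the
    # outbound HTTPS (and sends SNI) to the remote API. No URI part on proxy_pass,
    # so the request keeps its /api/ prefix, matching app.use('/api', ...).
    proxy_pass http://127.0.0.1:3000;
    proxy_http_version 1.1;
    proxy_set_header Connection "";

    # Let the Node process see the real client rather than 127.0.0.1.
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
}
```

Two things keep the Node proxy from being reachable by anyone but nginx: app.listen(3000) with no host argument binds every interface, so start Express with app.listen(3000, '127.0.0.1') rather than relying on the firewall to close the port, and because the proxy forwards whatever path it is given to the remote API, only requests that already carry the /api/ prefix should be able to reach it.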
  10. eva2000
    Interesting approach, but why not just host your Vue App on the same Centmin Mod server with Centmin Mod Nginx in front connecting to a local backend for it.
     
  11. NeiPCs
    That's exactly how it was, my try 2.
    Centmin Mod Nginx is my webserver hosting the vueapp, which connects to this local proxy server in node (on the same host).
    What's changed?
    The proxy. Instead of the built-in nginx proxy_pass to the remote API, now I proxy_pass to a localhost proxy, which proxies again to the remote API.

    I just host the local proxy inside the private folder of MyApp, which is in public.
     
  12. eva2000
    What I mean is don't connect to the remote API at all and host the remote API web app locally on Centmin Mod, so it's an internal connection, not over the internet.
     
  13. NeiPCs
    Gotcha!

    The remote API is an internet app paid monthly; it's not mine.