
SSL A lot of "SSL_do_handshake() failed (SSL: error"

Discussion in 'Nginx, PHP-FPM & MariaDB MySQL' started by RoldanLT, Apr 4, 2017.

  1. RoldanLT

    RoldanLT Well-Known Member

    3,822
    928
    113
    May 25, 2014
    Philippines
    Ratings:
    +1,256
    Local Time:
    5:56 PM
    1.11
    10.2
    Please fill in any relevant information that applies to you:
    • CentOS Version: CentOS 7 64bit
    • Centmin Mod Version Installed: 123.09beta01
    • Nginx Version Installed: 1.11.12

    Code:
    2017/04/04 16:16:01 [crit] 26949#0: *9389241 SSL_do_handshake() failed (SSL: error:060C1064:digital envelope routines:AEAD_CHACHA20_POLY1305_OPEN:bad decrypt error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac) while SSL handshaking, client: 94.100.224.164, server: 0.0.0.0:443
    2017/04/04 16:23:48 [crit] 26946#0: *9402630 SSL_do_handshake() failed (SSL: error:060C1064:digital envelope routines:AEAD_CHACHA20_POLY1305_OPEN:bad decrypt error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac) while SSL handshaking, client: 222.127.163.148, server: 0.0.0.0:443
    2017/04/04 16:24:29 [crit] 26948#0: *9403753 SSL_do_handshake() failed (SSL: error:060BC064:digital envelope routines:AEAD_AES_GCM_OPEN:bad decrypt error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac) while SSL handshaking, client: 121.54.44.165, server: 0.0.0.0:443
    2017/04/04 16:29:56 [crit] 26946#0: *9412467 SSL_do_handshake() failed (SSL: error:060C1064:digital envelope routines:AEAD_CHACHA20_POLY1305_OPEN:bad decrypt error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac) while SSL handshaking, client: 130.105.209.91, server: 0.0.0.0:443
    2017/04/04 16:38:28 [crit] 26945#0: *9428662 SSL_do_handshake() failed (SSL: error:060C1064:digital envelope routines:AEAD_CHACHA20_POLY1305_OPEN:bad decrypt error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac) while SSL handshaking, client: 112.203.157.188, server: 0.0.0.0:443
    2017/04/04 16:39:48 [crit] 26947#0: *9431036 SSL_do_handshake() failed (SSL: error:060C1064:digital envelope routines:AEAD_CHACHA20_POLY1305_OPEN:bad decrypt error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac) while SSL handshaking, client: 112.203.157.188, server: 0.0.0.0:443
    2017/04/04 16:41:02 [crit] 26951#0: *9433244 SSL_do_handshake() failed (SSL: error:060C1064:digital envelope routines:AEAD_CHACHA20_POLY1305_OPEN:bad decrypt error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac) while SSL handshaking, client: 112.209.241.79, server: 0.0.0.0:443
    2017/04/04 16:41:36 [crit] 26945#0: *9434190 SSL_do_handshake() failed (SSL: error:060C1064:digital envelope routines:AEAD_CHACHA20_POLY1305_OPEN:bad decrypt error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac) while SSL handshaking, client: 112.198.118.124, server: 0.0.0.0:443
    2017/04/04 16:41:46 [crit] 26948#0: *9434453 SSL_do_handshake() failed (SSL: error:060C1064:digital envelope routines:AEAD_CHACHA20_POLY1305_OPEN:bad decrypt error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac) while SSL handshaking, client: 112.198.75.10, server: 0.0.0.0:443
    2017/04/04 16:44:35 [crit] 26949#0: *9439168 SSL_do_handshake() failed (SSL: error:060C1064:digital envelope routines:AEAD_CHACHA20_POLY1305_OPEN:bad decrypt error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac) while SSL handshaking, client: 175.158.201.15, server: 0.0.0.0:443
    2017/04/04 16:45:56 [crit] 26949#0: *9441640 SSL_do_handshake() failed (SSL: error:060C1064:digital envelope routines:AEAD_CHACHA20_POLY1305_OPEN:bad decrypt error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac) while SSL handshaking, client: 112.198.102.111, server: 0.0.0.0:443
    2017/04/04 16:46:33 [crit] 26946#0: *9442706 SSL_do_handshake() failed (SSL: error:060C1064:digital envelope routines:AEAD_CHACHA20_POLY1305_OPEN:bad decrypt error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac) while SSL handshaking, client: 124.6.155.52, server: 0.0.0.0:443
    2017/04/04 16:52:04 [crit] 26949#0: *9452478 SSL_do_handshake() failed (SSL: error:060C1064:digital envelope routines:AEAD_CHACHA20_POLY1305_OPEN:bad decrypt error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac) while SSL handshaking, client: 122.52.156.239, server: 0.0.0.0:443
    2017/04/04 16:54:11 [crit] 26946#0: *9456554 SSL_do_handshake() failed (SSL: error:060C1064:digital envelope routines:AEAD_CHACHA20_POLY1305_OPEN:bad decrypt error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac) while SSL handshaking, client: 112.198.73.156, server: 0.0.0.0:443
    2017/04/04 16:55:33 [crit] 26947#0: *9459016 SSL_do_handshake() failed (SSL: error:060C1064:digital envelope routines:AEAD_CHACHA20_POLY1305_OPEN:bad decrypt error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac) while SSL handshaking, client: 112.198.73.156, server: 0.0.0.0:443
    2017/04/04 16:55:36 [crit] 26947#0: *9459194 SSL_do_handshake() failed (SSL: error:060C1064:digital envelope routines:AEAD_CHACHA20_POLY1305_OPEN:bad decrypt error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac) while SSL handshaking, client: 222.127.135.84, server: 0.0.0.0:443
    2017/04/04 16:57:35 [crit] 26948#0: *9462788 SSL_do_handshake() failed (SSL: error:060C1064:digital envelope routines:AEAD_CHACHA20_POLY1305_OPEN:bad decrypt error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac) while SSL handshaking, client: 112.198.75.160, server: 0.0.0.0:443
    2017/04/04 17:01:28 [crit] 26947#0: *9469785 SSL_do_handshake() failed (SSL: error:060C1064:digital envelope routines:AEAD_CHACHA20_POLY1305_OPEN:bad decrypt error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac) while SSL handshaking, client: 203.177.28.183, server: 0.0.0.0:443
    2017/04/04 17:04:34 [crit] 26945#0: *9475139 SSL_do_handshake() failed (SSL: error:060C1064:digital envelope routines:AEAD_CHACHA20_POLY1305_OPEN:bad decrypt error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac) while SSL handshaking, client: 203.87.129.143, server: 0.0.0.0:443
    2017/04/04 17:04:59 [crit] 26949#0: *9472796 SSL_read() failed (SSL: error:060C1064:digital envelope routines:AEAD_CHACHA20_POLY1305_OPEN:bad decrypt error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac) while processing HTTP/2 connection, client: 112.198.98.225, server: 0.0.0.0:443
    2017/04/04 17:06:26 [crit] 26947#0: *9478339 SSL_do_handshake() failed (SSL: error:060C1064:digital envelope routines:AEAD_CHACHA20_POLY1305_OPEN:bad decrypt error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac) while SSL handshaking, client: 180.190.67.120, server: 0.0.0.0:443
    2017/04/04 17:11:43 [crit] 26951#0: *9487555 SSL_do_handshake() failed (SSL: error:060C1064:digital envelope routines:AEAD_CHACHA20_POLY1305_OPEN:bad decrypt error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac) while SSL handshaking, client: 180.191.114.229, server: 0.0.0.0:443
    2017/04/04 17:13:09 [crit] 26951#0: *9490010 SSL_do_handshake() failed (SSL: error:060C1064:digital envelope routines:AEAD_CHACHA20_POLY1305_OPEN:bad decrypt error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac) while SSL handshaking, client: 72.143.239.250, server: 0.0.0.0:443
    2017/04/04 17:14:06 [crit] 26951#0: *9491580 SSL_do_handshake() failed (SSL: error:060C1064:digital envelope routines:AEAD_CHACHA20_POLY1305_OPEN:bad decrypt error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac) while SSL handshaking, client: 182.18.201.74, server: 0.0.0.0:443
    2017/04/04 17:14:54 [crit] 26951#0: *9492963 SSL_do_handshake() failed (SSL: error:060C1064:digital envelope routines:AEAD_CHACHA20_POLY1305_OPEN:bad decrypt error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac) while SSL handshaking, client: 112.207.221.172, server: 0.0.0.0:443
    2017/04/04 17:15:17 [crit] 26948#0: *9493669 SSL_do_handshake() failed (SSL: error:060C1064:digital envelope routines:AEAD_CHACHA20_POLY1305_OPEN:bad decrypt error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac) while SSL handshaking, client: 180.232.83.50, server: 0.0.0.0:443
    2017/04/04 17:19:57 [crit] 26948#0: *9501405 SSL_do_handshake() failed (SSL: error:060C1064:digital envelope routines:AEAD_CHACHA20_POLY1305_OPEN:bad decrypt error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac) while SSL handshaking, client: 112.198.118.78, server: 0.0.0.0:443
    2017/04/04 17:21:04 [crit] 26949#0: *9503343 SSL_do_handshake() failed (SSL: error:060C1064:digital envelope routines:AEAD_CHACHA20_POLY1305_OPEN:bad decrypt error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac) while SSL handshaking, client: 180.190.79.160, server: 0.0.0.0:443
    2017/04/04 17:21:49 [crit] 26949#0: *9504617 SSL_do_handshake() failed (SSL: error:060C1064:digital envelope routines:AEAD_CHACHA20_POLY1305_OPEN:bad decrypt error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac) while SSL handshaking, client: 112.205.184.135, server: 0.0.0.0:443
    2017/04/04 17:25:45 [crit] 26948#0: *9511419 SSL_do_handshake() failed (SSL: error:060C1064:digital envelope routines:AEAD_CHACHA20_POLY1305_OPEN:bad decrypt error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac) while SSL handshaking, client: 121.54.90.106, server: 0.0.0.0:443
    2017/04/04 17:26:54 [crit] 26945#0: *9513385 SSL_do_handshake() failed (SSL: error:060C1064:digital envelope routines:AEAD_CHACHA20_POLY1305_OPEN:bad decrypt error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac) while SSL handshaking, client: 124.104.40.81, server: 0.0.0.0:443
    2017/04/04 17:32:05 [crit] 26945#0: *9522288 SSL_do_handshake() failed (SSL: error:060C1064:digital envelope routines:AEAD_CHACHA20_POLY1305_OPEN:bad decrypt error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac) while SSL handshaking, client: 124.104.236.148, server: 0.0.0.0:443
    2017/04/04 17:36:00 [crit] 26947#0: *9528959 SSL_do_handshake() failed (SSL: error:060C1064:digital envelope routines:AEAD_CHACHA20_POLY1305_OPEN:bad decrypt error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac) while SSL handshaking, client: 198.215.36.5, server: 0.0.0.0:443
    2017/04/04 17:41:02 [crit] 26949#0: *9537171 SSL_do_handshake() failed (SSL: error:060C1064:digital envelope routines:AEAD_CHACHA20_POLY1305_OPEN:bad decrypt error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac) while SSL handshaking, client: 116.87.108.103, server: 0.0.0.0:443
    2017/04/04 17:43:50 [crit] 26945#0: *9541541 SSL_do_handshake() failed (SSL: error:060C1064:digital envelope routines:AEAD_CHACHA20_POLY1305_OPEN:bad decrypt error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac) while SSL handshaking, client: 49.2.86.141, server: 0.0.0.0:443
    2017/04/04 17:47:24 [crit] 26948#0: *9547311 SSL_do_handshake() failed (SSL: error:060C1064:digital envelope routines:AEAD_CHACHA20_POLY1305_OPEN:bad decrypt error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac) while SSL handshaking, client: 112.198.72.198, server: 0.0.0.0:443
    2017/04/04 17:50:33 [crit] 26949#0: *9552111 SSL_do_handshake() failed (SSL: error:060C1064:digital envelope routines:AEAD_CHACHA20_POLY1305_OPEN:bad decrypt error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac) while SSL handshaking, client: 121.54.32.163, server: 0.0.0.0:443
    2017/04/04 17:55:01 [crit] 26946#0: *9559692 SSL_do_handshake() failed (SSL: error:060C1064:digital envelope routines:AEAD_CHACHA20_POLY1305_OPEN:bad decrypt error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac) while SSL handshaking, client: 112.198.69.17, server: 0.0.0.0:443
    

     
  2. RoldanLT

    RoldanLT Well-Known Member

    My SSL Config:
    Code:
        keepalive_timeout 300;
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
        add_header X-Content-Type-Options "nosniff";
            
        ssl_certificate /usr/local/nginx/conf/ssl/ssl-unified.crt;
        ssl_certificate_key /usr/local/nginx/conf/ssl/ssl.key;
        
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
        ssl_prefer_server_ciphers on;
        
        ssl_session_cache shared:SSL:50m;
        ssl_session_timeout 24h;
        ssl_buffer_size 1400;
    
    Taken from here: Generate Mozilla Security Recommended Web Server Configuration Files
     
  3. Sunka

    Sunka Active Member

    888
    230
    43
    Oct 31, 2015
    Rijeka, Croatia
    Ratings:
    +376
    Local Time:
    11:56 AM
    Nginx 1.13.3
    MariaDB 10.1.24
    Maybe not related, but my forum went down for 1,5 hour last night.
    Only error I can see is:
    Code (Text):
    # tail -10 /usr/local/nginx/logs/error.log
    2017/04/04 04:55:38 [error] 1895#1895: ocsp.comodoca.com could not be resolved (110: Operation timed out) while requesting certificate status, responder: ocsp.comodoca.com, certificate: "/usr/local/nginx/conf/ssl/pijanitvor.com/ssl-unified.crt"


    After 1,5 hour all back to normal.
    nginx -t is OK

    Similar errors like @RoldanLT at that time:

    Code (Text):
    2017/04/04 04:12:07 [error] 1895#1895: *349821 access forbidden by rule, client: 31.217.50.89, server: pijanitvor.com, request: "GET /.well-known/dnt-policy.txt HTTP/2.0", host: "www.pijanitvor.com"
    2017/04/04 05:47:55 [error] 1894#1894: *351541 access forbidden by rule, client: 24.6.48.212, server: pijanitvor.com, request: "GET /.well-known/dnt-policy.txt HTTP/2.0", host: "www.pijanitvor.com"
    2017/04/04 06:01:59 [crit] 1895#1895: *351717 SSL_do_handshake() failed (SSL: error:060C1064:digital envelope routines:AEAD_CHACHA20_POLY1305_OPEN:bad decrypt error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac) while SSL handshaking, client: 178.17.112.74, server: 0.0.0.0:443
    2017/04/04 06:08:02 [crit] 1895#1895: *351842 SSL_do_handshake() failed (SSL: error:060C1064:digital envelope routines:AEAD_CHACHA20_POLY1305_OPEN:bad decrypt error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac) while SSL handshaking, client: 62.193.135.121, server: 0.0.0.0:443
    2017/04/04 06:12:52 [crit] 1895#1895: *352016 SSL_do_handshake() failed (SSL: error:060C1064:digital envelope routines:AEAD_CHACHA20_POLY1305_OPEN:bad decrypt error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac) while SSL handshaking, client: 212.15.177.122, server: 0.0.0.0:443
    2017/04/04 06:19:50 [crit] 1894#1894: *352301 SSL_do_handshake() failed (SSL: error:060C1064:digital envelope routines:AEAD_CHACHA20_POLY1305_OPEN:bad decrypt error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac) while SSL handshaking, client: 93.140.5.69, server: 0.0.0.0:443
    2017/04/04 06:22:24 [crit] 1895#1895: *352470 SSL_do_handshake() failed (SSL: error:060C1064:digital envelope routines:AEAD_CHACHA20_POLY1305_OPEN:bad decrypt error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac) while SSL handshaking, client: 93.140.5.69, server: 0.0.0.0:443
    2017/04/04 06:25:52 [crit] 1894#1894: *352633 SSL_do_handshake() failed (SSL: error:060C1064:digital envelope routines:AEAD_CHACHA20_POLY1305_OPEN:bad decrypt error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac) while SSL handshaking, client: 93.138.103.248, server: 0.0.0.0:443
    2017/04/04 06:27:06 [crit] 1894#1894: *352709 SSL_do_handshake() failed (SSL: error:060C1064:digital envelope routines:AEAD_CHACHA20_POLY1305_OPEN:bad decrypt error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac) while SSL handshaking, client: 185.18.60.46, server: 0.0.0.0:443
    2017/04/04 06:32:15 [crit] 1895#1895: *352974 SSL_do_handshake() failed (SSL: error:060C1064:digital envelope routines:AEAD_CHACHA20_POLY1305_OPEN:bad decrypt error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac) while SSL handshaking, client: 37.205.109.190, server: 0.0.0.0:443
    2017/04/04 06:34:22 [crit] 1894#1894: *353069 SSL_do_handshake() failed (SSL: error:060C1064:digital envelope routines:AEAD_CHACHA20_POLY1305_OPEN:bad decrypt error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac) while SSL handshaking, client: 93.138.103.248, server: 0.0.0.0:443
    2017/04/04 06:35:05 [error] 1895#1895: *353101 open() "/home/nginx/domains/pijanitvor.com/public/images/smilies/aha.gif" failed (2: No such file or directory), client: 93.142.254.150, server: pijanitvor.com, request: "GET /images/smilies/aha.gif HTTP/1.1", host: "www.pijanitvor.com", referrer: "http://www.cvijet.info/forum/forum_posts.asp?TID=3388&PN=4"
    2017/04/04 06:35:23 [error] 1894#1894: *353108 open() "/home/nginx/domains/pijanitvor.com/public/images/smilies/aha.gif" failed (2: No such file or directory), client: 93.142.254.150, server: pijanitvor.com, request: "GET /images/smilies/aha.gif HTTP/1.1", host: "www.pijanitvor.com", referrer: "http://www.cvijet.info/forum/forum_posts.asp?TID=3388&PN=4"
    2017/04/04 06:37:16 [crit] 1895#1895: *353215 SSL_do_handshake() failed (SSL: error:060C1064:digital envelope routines:AEAD_CHACHA20_POLY1305_OPEN:bad decrypt error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac) while SSL handshaking, client: 185.18.60.46, server: 0.0.0.0:443
    2017/04/04 06:38:32 [crit] 1894#1894: *353287 SSL_do_handshake() failed (SSL: error:060C1064:digital envelope routines:AEAD_CHACHA20_POLY1305_OPEN:bad decrypt error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac) while SSL handshaking, client: 185.18.60.46, server: 0.0.0.0:443
    2017/04/04 06:39:01 [crit] 1894#1894: *353314 SSL_do_handshake() failed (SSL: error:060C1064:digital envelope routines:AEAD_CHACHA20_POLY1305_OPEN:bad decrypt error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac) while SSL handshaking, client: 185.18.60.46, server: 0.0.0.0:443
    2017/04/04 06:50:46 [crit] 1894#1894: *354034 SSL_do_handshake() failed (SSL: error:060C1064:digital envelope routines:AEAD_CHACHA20_POLY1305_OPEN:bad decrypt error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac) while SSL handshaking, client: 89.164.175.63, server: 0.0.0.0:443
     
  4. eva2000

    eva2000 Administrator Staff Member

    28,935
    6,567
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +9,747
    Local Time:
    7:56 PM
    Nginx 1.13.x
    MariaDB 5.5
    have you tested domain's HTTPS site via dev SSLLabs test site Qualys SSL Labs ?

    what's output for these 2 commands

    Code (Text):
    nginx -V
    

    wrap output in QUOTE tags

    Code (Text):
    egrep -rn 'ssl_ciphers |ssl_session_cache ' /usr/local/nginx/conf/conf.d/
    

    wrap output in CODE tags

    and following SSH commands, where yourdomain.com is the domain name for your https based Centmin Mod site. If using OpenSSL via LIBRESSL_SWITCH='n' for Nginx built with OpenSSL instead of LibreSSL default, change defined variable from OPENSSLBIN=/opt/libressl/bin/openssl to OPENSSLBIN=/opt/openssl/bin/openssl
    Code (Text):
    OPENSSLBIN=/opt/libressl/bin/openssl
    DOMAIN=yourdomain.com
    echo "" | $OPENSSLBIN s_client -connect ${DOMAIN}:443 | sed '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/d' | sed '/Session-ID: /,/Verify return code/d'
    

    and
    Code (Text):
    OPENSSLBIN=/opt/libressl/bin/openssl
    DOMAIN=yourdomain.com
    echo "" | $OPENSSLBIN s_client -connect ${DOMAIN}:443 -ssl3 -cipher RC4-SHA | sed '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/d' | sed '/Session-ID: /,/Verify return code/d'
    

    and
    Code (Text):
    OPENSSLBIN=/opt/libressl/bin/openssl
    DOMAIN=yourdomain.com
    echo "" | $OPENSSLBIN s_client -connect ${DOMAIN}:443 -cipher ECDHE-RSA-AES256-SHA384 | sed '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/d' | sed '/Session-ID: /,/Verify return code/d'
    

    and
    Code (Text):
    OPENSSLBIN=/opt/libressl/bin/openssl
    DOMAIN=yourdomain.com
    echo "" | $OPENSSLBIN s_client -connect ${DOMAIN}:443 -cipher ECDHE-RSA-CHACHA20-POLY1305 | sed '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/d' | sed '/Session-ID: /,/Verify return code/d'
    

    and
    Code (Text):
    OPENSSLBIN=/opt/libressl/bin/openssl
    DOMAIN=yourdomain.com
    echo "" | $OPENSSLBIN s_client -connect ${DOMAIN}:443 -cipher ECDHE-RSA-CHACHA20-POLY1305-OLD | sed '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/d' | sed '/Session-ID: /,/Verify return code/d'
    

    wrap output in CODE tags

    behind cloudflare ? using cloudflare ssl certificates ? flexible, full, full strict based ? could be related to SSLv3 from Cloudflare end with no SSLv3 support on your Centmin Mod Nginx backend when using Cloudflare Full SSL. When did these errors start happening ? Test without cloudflare ? or using local edit /etc/hosts to bypass Cloudflare DNS to see Centmin Mod directly ?
     
    Last edited: Apr 4, 2017
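
The error lines posted above name the routine that rejected the record (AEAD_CHACHA20_POLY1305_OPEN or AEAD_AES_GCM_OPEN), the phase (handshake or HTTP/2 read), the nginx worker and the client. The following Python is an added example, not code from any post in this thread or from Centmin Mod; it parses lines of that shape and tallies them so it is visible whether failures cluster on one cipher routine, one worker or a few repeat clients. The function names are this example's own, and the sample lines are constructed from the message format in the thread using documentation-range IP addresses.

```python
import re
from collections import Counter
from datetime import datetime

# nginx error-log line for a failed TLS call, in the shape quoted in the thread.
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\] '
    r'(?P<pid>\d+)#\d+: \*(?P<conn>\d+) (?P<call>SSL_\w+)\(\) failed '
    r'\(SSL: (?P<errors>.*?)\) while (?P<phase>[^,]+), '
    r'client: (?P<client>[^,]+), server: (?P<server>\S+)'
)
# One OpenSSL error-queue entry: error:<hex code>:<library>:<function>:<reason>.
# nginx joins entries with a space, so a reason ends where the next "error:" starts.
ERR_RE = re.compile(
    r'error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):(?P<func>[^:]*):'
    r'(?P<reason>.*?)(?= error:[0-9A-Fa-f]{8}:|$)'
)


def parse_line(line):
    """Return a dict for a TLS failure line, or None for any other log line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec['ts'] = datetime.strptime(rec['ts'], '%Y/%m/%d %H:%M:%S')
    rec['errors'] = [e.groupdict() for e in ERR_RE.finditer(rec['errors'])]
    return rec


def summarise(lines):
    """Tally TLS failures by failing routine, phase, worker and repeat client."""
    lines = list(lines)
    recs = [r for r in map(parse_line, lines) if r]
    clients = Counter(r['client'] for r in recs)
    stamps = [r['ts'] for r in recs]
    return {
        'matched': len(recs),
        'skipped': len(lines) - len(recs),
        # The first queue entry names the routine that rejected the record.
        'by_routine': Counter(
            r['errors'][0]['func'] if r['errors'] else 'unknown' for r in recs),
        'by_phase': Counter((r['call'], r['phase']) for r in recs),
        'by_worker': Counter(r['pid'] for r in recs),
        'repeat_clients': {c: n for c, n in clients.items() if n > 1},
        'window': (min(stamps), max(stamps)) if stamps else None,
    }


# Constructed sample input: message text as in the thread, addresses from the
# documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24).
_TLS = ('{} [crit] {}#0: *{} {}() failed (SSL: error:{}:digital envelope routines:{}:'
        'bad decrypt error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed '
        'or bad record mac) while {}, client: {}, server: 0.0.0.0:443')


def _line(ts, pid, conn, ip, code='060C1064', func='AEAD_CHACHA20_POLY1305_OPEN',
          call='SSL_do_handshake', phase='SSL handshaking'):
    return _TLS.format(ts, pid, conn, call, code, func, phase, ip)


SAMPLE = [
    _line('2017/04/04 16:16:01', 26949, 101, '192.0.2.10'),
    _line('2017/04/04 16:23:48', 26946, 102, '198.51.100.7'),
    _line('2017/04/04 16:24:29', 26948, 103, '203.0.113.5',
          '060BC064', 'AEAD_AES_GCM_OPEN'),
    _line('2017/04/04 16:39:48', 26949, 104, '192.0.2.10'),
    _line('2017/04/04 17:04:59', 26949, 105, '203.0.113.99',
          call='SSL_read', phase='processing HTTP/2 connection'),
    # Unrelated line: must be skipped, not miscounted.
    '2017/04/04 17:05:00 [error] 1895#1895: *106 access forbidden by rule, '
    'client: 203.0.113.5, server: example.test',
]

if __name__ == '__main__':
    for key, value in summarise(SAMPLE).items():
        print(f'{key}: {value}')
```

To run it on a real log, pass an open file such as `/usr/local/nginx/logs/error.log` to `summarise()`. A tally dominated by one routine, one worker or a handful of repeat clients narrows where to look next.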
  5. RoldanLT

    RoldanLT Well-Known Member

    Yes here it is: https://goo.gl/0NWKUD

    Not relevant anymore now, as I just switched to OpenSSL instead of LibreSSL after posting this thread.
    Code:
    nginx version: nginx/1.11.12
    built by gcc 5.3.1 20160406 (Red Hat 5.3.1-6) (GCC)
    built with OpenSSL 1.0.2k  26 Jan 2017
    TLS SNI support enabled
    configure arguments: --with-ld-opt='-ljemalloc -Wl,-z,relro -Wl,-rpath,/usr/local/lib' --with-cc-opt='-m64 -march=native -g -O3 -fstack-protector-strong -fuse-ld=gold --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wno-deprecated-declarations -gsplit-dwarf' --sbin-path=/usr/local/sbin/nginx --conf-path=/usr/local/nginx/conf/nginx.conf --with-http_ssl_module --with-http_v2_module --with-http_gzip_static_module --add-dynamic-module=../ngx_brotli --with-http_realip_module --with-openssl=../openssl-1.0.2k --with-libatomic --with-pcre=../pcre-8.40 --with-pcre-jit --with-zlib=../zlib-1.2.11
    
    Code:
    /usr/local/nginx/conf/nginx.conf.default:108:    #    ssl_ciphers  HIGH:!aNULL:!MD5;
    /usr/local/nginx/conf/ssl/domain1_ssl.conf:12:    ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
    /usr/local/nginx/conf/ssl/domain2.com_ssl.conf:9:    ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
    /usr/local/nginx/conf/ssl/domain3.com_ssl.conf:9:    ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
    /usr/local/nginx/conf/ssl/domain4.com_ssl.conf:9:    ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
    

    Not anymore.
    Direct to OVH Server now.
     
  6. eva2000

    eva2000 Administrator Staff Member

    doesn't help with troubleshooting without the commands and LibreSSL but do you get errors with OpenSSL ?
     
  7. RoldanLT

    RoldanLT Well-Known Member

    That, I will observe now.
     
  8. eva2000

    eva2000 Administrator Staff Member

    how long ago did you turn off Cloudflare and how much time between when Cloudflare turned off and the start of these handshake errors ? Did you have Cloudflare Flexible, or Full/Full Strict SSL enabled prior ?
     
  9. RoldanLT

    RoldanLT Well-Known Member

    Just started using this config 4 days ago.
    Not sure how much time, as I already cleaned my log to monitor again.
    Cloudflare Full.