Learn about Centmin Mod LEMP Stack today
Register Now

Nginx Letsencrypt SSL Properly configuring IPv6

Discussion in 'Nginx, PHP-FPM & MariaDB MySQL' started by RB1, Jan 14, 2017.

  1. RB1

    RB1 Active Member

    281
    72
    28
    Nov 11, 2016
    California
    Ratings:
    +119
    Local Time:
    3:34 AM
    Nginx 1.13.x
    MariaDB 10.1.x
    Just curious if anyone can give me some input on this. Real IPs/domains have been changed for privacy.

    At Linode I've been given IPs:
    45.33.164.112
    45.79.69.122

    IPv6 Public Pool:
    2600:3c00:f000:0164:: / 64 routed to 2600:2c99::f03c:53ff:fcc6:5bbf
    2600:3c00:f000:0147:: / 64 routed to 2600:2c99::f03c:53ff:fcc6:5bbf

    =========================

    I've configured ifcfg-eth0 as follows:
    =========================

    DNS for example1.com contains:
    A - 45.33.164.112
    AAAA - 2600:3c00:f000:0164::1

    DNS for example2.com contains:
    A - 45.79.69.122
    AAAA - 2600:3c00:f000:0147::1

    DNS for example3.com contains:
    A - 45.79.69.122
    AAAA - 2600:3c00:f000:0147::2

    =========================

    The vhost config of example1.com contains:
    The vhost config of example2.com/example3.com contains (same config, just different domain names):
    IPv6 is working correctly on the example1.com domain, however whenever attempting to visit example2.com or example3.com it simply redirects to example1.com. I feel like it's something completely obvious that I'm missing and will probably be embarrassed when corrected.

    Sorry, I know it's a lot to read through. Only bother if you have the time :p
     
  2. eva2000

    eva2000 Administrator Staff Member

    30,850
    6,904
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,394
    Local Time:
    9:34 PM
    Nginx 1.13.x
    MariaDB 5.5
    example2.com missing
    Code (Text):
    listen 80;
    listen [::]:80;
    

    Code (Text):
    listen 80;
    listen [::]:80;
    server_name example2.com www.example2.com;
    return 301 https://example2.com$request_uri;
    
     
  3. RB1

    RB1 Active Member

    281
    72
    28
    Nov 11, 2016
    California
    Ratings:
    +119
    Local Time:
    3:34 AM
    Nginx 1.13.x
    MariaDB 10.1.x
    I'm using the method where I rename
    domain.com.conf --> domain.com.conf-disabled
    and keep domain.com.ssl.conf to force HTTPS

    With this method it still needs:
    ?
     
  4. RB1

    RB1 Active Member

    281
    72
    28
    Nov 11, 2016
    California
    Ratings:
    +119
    Local Time:
    3:34 AM
    Nginx 1.13.x
    MariaDB 10.1.x
    Nevermind...why don't I try first before asking :)
    It works :oops:
     
    • Like Like x 1
  5. eva2000

    eva2000 Administrator Staff Member

    30,850
    6,904
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,394
    Local Time:
    9:34 PM
    Nginx 1.13.x
    MariaDB 5.5
    always test redirects for 301/302 in private incognito browser sessions too so you don't cache the redirect in browser :)
     
  6. RB1

    RB1 Active Member

    281
    72
    28
    Nov 11, 2016
    California
    Ratings:
    +119
    Local Time:
    3:34 AM
    Nginx 1.13.x
    MariaDB 10.1.x
    Now I get an SSL error (net::ERR_CERT_COMMON_NAME_INVALID). Seems example2.com is serving certificate from example3.com :D
    Lol it's always something :)

    I'm having more issues than last time I tried to fix this problem
     
  7. eva2000

    eva2000 Administrator Staff Member

    30,850
    6,904
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,394
    Local Time:
    9:34 PM
    Nginx 1.13.x
    MariaDB 5.5
  8. eva2000

    eva2000 Administrator Staff Member

    30,850
    6,904
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,394
    Local Time:
    9:34 PM
    Nginx 1.13.x
    MariaDB 5.5
  9. RB1

    RB1 Active Member

    281
    72
    28
    Nov 11, 2016
    California
    Ratings:
    +119
    Local Time:
    3:34 AM
    Nginx 1.13.x
    MariaDB 10.1.x
    Thanks! I have to go away for a few hours but I while troubleshoot with the links provided when I get back.

    In the meantime...PayPal donation incoming (y)
     
    • Like Like x 1
  10. RB1

    RB1 Active Member

    281
    72
    28
    Nov 11, 2016
    California
    Ratings:
    +119
    Local Time:
    3:34 AM
    Nginx 1.13.x
    MariaDB 10.1.x
    I'm back sooner than I thought :)

    SSL Labs Report:
    domain3.com
    2600:3c00:f000:0147:0:0:0:1 - Ready: A+
    45.79.69.122 - Ready: A+

    domain2.com
    2600:3c00:f000:0147:0:0:0:1 - Certificate not valid for domain name: -
    45.79.69.122 - Ready: A+

    Also changed DNS to different IPv6 on domain2.com and re-ran test:
    domain2.com
    2600:3c00:f000:0147:0:0:0:2 - Certificate not valid for domain name: -
    45.79.69.122 - Ready: A+


    I would have thought I wouldn't get the error after switching over to different IPv6 addresses. The SSL was working on these two domains until I got IPv6 working. Fix one thing, something else breaks :p
     
  11. eva2000

    eva2000 Administrator Staff Member

    30,850
    6,904
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,394
    Local Time:
    9:34 PM
    Nginx 1.13.x
    MariaDB 5.5
    that refers to the files you pointed to for where newdomain.com = yourdomain.com
    Code (Text):
      ssl_certificate      /usr/local/nginx/conf/ssl/newdomain.com/newdomain.com-acme.cer;
      ssl_certificate_key  /usr/local/nginx/conf/ssl/newdomain.com/newdomain.com-acme.key;
      ssl_trusted_certificate /usr/local/nginx/conf/ssl/newdomain.com/newdomain.com-acme.cer;
    

    From ssl letsencrypt generated newdomain.com instructions at Generate Centmin Mod Nginx Vhost - CentminMod.com LEMP Nginx web stack for CentOS
     
  12. RB1

    RB1 Active Member

    281
    72
    28
    Nov 11, 2016
    California
    Ratings:
    +119
    Local Time:
    3:34 AM
    Nginx 1.13.x
    MariaDB 10.1.x
    I checked and it's correct according to those changes
    Also rebuilt the .ssl.conf file and same error :\

    Browser thinks SSL cert for domain2.com is issued to domain3.com while there is no reference to that domain/directory in vhost config. All caches cleared too
     
  13. RB1

    RB1 Active Member

    281
    72
    28
    Nov 11, 2016
    California
    Ratings:
    +119
    Local Time:
    3:34 AM
    Nginx 1.13.x
    MariaDB 10.1.x
    Acutally, re-running the steps @ /vhost.php may have alleviated the problem.
    If you generate a cert and then change the IPv6 address later, will that invalidate the cert? Seems like that may have been the issue, and my second problem after rebuilding 15 mins ago was forgetting:
    in the vhost config. :banghead::banghead::banghead:
     
    • Informative Informative x 1
  14. eva2000

    eva2000 Administrator Staff Member

    30,850
    6,904
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,394
    Local Time:
    9:34 PM
    Nginx 1.13.x
    MariaDB 5.5
    it shouldn't as you validated domain before the change

    the error you get is usually due to ssl cert file paths being mixed up or incorrect

    in ssh client as root user type this curl header check command for each domain and post what the output says
    Code (Text):
    curl -Isv https://yourdomain.com
    
     
  15. RB1

    RB1 Active Member

    281
    72
    28
    Nov 11, 2016
    California
    Ratings:
    +119
    Local Time:
    3:34 AM
    Nginx 1.13.x
    MariaDB 10.1.x
    Spoilers so post isn't too long:

    domain2.com

    domain3.com
     
  16. eva2000

    eva2000 Administrator Staff Member

    30,850
    6,904
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,394
    Local Time:
    9:34 PM
    Nginx 1.13.x
    MariaDB 5.5
    if the reported output for common name: and subject: CN are correct domains for ssl certs then should be good
     
    • Informative Informative x 1