Nginx Letsencrypt SSL Properly configuring IPv6

RB1 · Jan 14, 2017

Just curious if anyone can give me some input on this. Real IPs/domains have been changed for privacy.

At Linode I've been given IPs:
45.33.164.112
45.79.69.122

IPv6 Public Pool:
2600:3c00:f000:0164:: / 64 routed to 2600:2c99::f03c:53ff:fcc6:5bbf
2600:3c00:f000:0147:: / 64 routed to 2600:2c99::f03c:53ff:fcc6:5bbf

=========================

I've configured ifcfg-eth0 as follows:

DEVICE="eth0"
BOOTPROTO="none"
ONBOOT="yes"
IPV6INIT="yes"
IPV6_AUTOCONF="no"
NM_CONTROLLED="no"
PEERDNS="no"

GATEWAY=45.33.164.1

IPADDR0=45.33.164.112
PREFIX0="24"

# Secondary IP
IPADDR1=45.79.69.122
PREFIX1="24"

IPV6ADDR="2600:3c00:f000:0164::1/64"
IPV6ADDR_SECONDARIES="2600:3c00:f000:0147::1/64 2600:3c00:f000:0147::2/64"
Click to expand...

=========================

DNS for example1.com contains:
A - 45.33.164.112
AAAA - 2600:3c00:f000:0164::1

DNS for example2.com contains:
A - 45.79.69.122
AAAA - 2600:3c00:f000:0147::1

DNS for example3.com contains:
A - 45.79.69.122
AAAA - 2600:3c00:f000:0147::2

=========================

The vhost config of example1.com contains:

server {
listen 80;
listen [::]:80;
server_name trkaa.com www.example1.com;
Click to expand...

The vhost config of example2.com/example3.com contains (same config, just different domain names):

server {
server_name example2.com www.example2.com;
return 301 https://example2.com$request_uri;
}

server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name example2.com www.example2.com;
}
Click to expand...

IPv6 is working correctly on the example1.com domain, however whenever attempting to visit example2.com or example3.com it simply redirects to example1.com. I feel like it's something completely obvious that I'm missing and will probably be embarrassed when corrected.

Sorry, I know it's a lot to read through. Only bother if you have the time

eva2000 · Jan 14, 2017

example2.com missing

Code (Text):

listen 80;
listen [::]:80;

Code (Text):

listen 80;
listen [::]:80;
server_name example2.com www.example2.com;
return 301 https://example2.com$request_uri;

RB1 · Jan 14, 2017

eva2000 said: ↑
example2.com missing
Code (Text):
listen 80;
listen [::]:80;
Code (Text):
listen 80;
listen [::]:80;
server_name example2.com www.example2.com;
return 301 https://example2.com$request_uri;
Click to expand...
I'm using the method where I rename
domain.com.conf --> domain.com.conf-disabled
and keep domain.com.ssl.conf to force HTTPS

With this method it still needs:

server {
listen 80;
listen [::]:80;
server_name example2.com www.example2.com;
return 301 https://example2.com$request_uri;
}

server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name example2.com www.example2.com;
Click to expand...

?

RB1 · Jan 14, 2017

RB1 said: ↑

I'm using the method where I rename
domain.com.conf --> domain.com.conf-disabled
and keep domain.com.ssl.conf to force HTTPS

With this method it still needs:

?
Click to expand...

Nevermind...why don't I try first before asking
It works

eva2000 · Jan 14, 2017

always test redirects for 301/302 in private incognito browser sessions too so you don't cache the redirect in browser

RB1 · Jan 14, 2017

eva2000 said: ↑

always test redirects for 301/302 in private incognito browser sessions too so you don't cache the redirect in browser
Click to expand...

Now I get an SSL error (net::ERR_CERT_COMMON_NAME_INVALID). Seems example2.com is serving certificate from example3.com
Lol it's always something

I'm having more issues than last time I tried to fix this problem

eva2000 · Jan 14, 2017

test each domain with https at SSL Server Test (Powered by Qualys SSL Labs) and see what it says

eva2000 · Jan 14, 2017

if you used manual vhost generator method to get letsencrypt ssl certs - maybe also read Migrating Existing Nginx Vhost From HTTP to HTTP/2 based HTTPS With Letsencrypt SSL Certificates for clues as to where you manual steps may have gone wrong

RB1 · Jan 14, 2017

Thanks! I have to go away for a few hours but I while troubleshoot with the links provided when I get back.

In the meantime...PayPal donation incoming

RB1 · Jan 14, 2017

eva2000 said: ↑

test each domain with https at SSL Server Test (Powered by Qualys SSL Labs) and see what it says
Click to expand...

I'm back sooner than I thought

SSL Labs Report:
domain3.com
2600:3c00:f000:0147:0:0:0:1 - Ready: A+
45.79.69.122 - Ready: A+

domain2.com
2600:3c00:f000:0147:0:0:0:1 - Certificate not valid for domain name: -
45.79.69.122 - Ready: A+

Also changed DNS to different IPv6 on domain2.com and re-ran test:
domain2.com
2600:3c00:f000:0147:0:0:0:2 - Certificate not valid for domain name: -
45.79.69.122 - Ready: A+

I would have thought I wouldn't get the error after switching over to different IPv6 addresses. The SSL was working on these two domains until I got IPv6 working. Fix one thing, something else breaks

eva2000 · Jan 14, 2017

RB1 said: ↑

Certificate not valid for domain name:
Click to expand...

that refers to the files you pointed to for where newdomain.com = yourdomain.com
Code (Text):
  ssl_certificate      /usr/local/nginx/conf/ssl/newdomain.com/newdomain.com-acme.cer;
  ssl_certificate_key  /usr/local/nginx/conf/ssl/newdomain.com/newdomain.com-acme.key;
  ssl_trusted_certificate /usr/local/nginx/conf/ssl/newdomain.com/newdomain.com-acme.cer;
From ssl letsencrypt generated newdomain.com instructions at Generate Centmin Mod Nginx Vhost - CentminMod.com LEMP Nginx web stack for CentOS
For letsencrypt SSL certificate, you need to replace 3 file paths for ssl_certificate, ssl_certificate_key and ssl_trusted_certificate in above nginx HTTPS vhost.

From:
Code (Text):
  ssl_certificate      /usr/local/nginx/conf/ssl/newdomain.com/newdomain.com.crt;
  ssl_certificate_key  /usr/local/nginx/conf/ssl/newdomain.com/newdomain.com.key;

  #resolver 8.8.8.8 8.8.4.4 valid=10m;
  #resolver_timeout 10s;
  #ssl_stapling on;
  #ssl_stapling_verify on;
  #ssl_trusted_certificate /usr/local/nginx/conf/ssl/newdomain.com/newdomain.com-trusted.crt;
To:
Code (Text):
  ssl_certificate      /usr/local/nginx/conf/ssl/newdomain.com/newdomain.com-acme.cer;
  ssl_certificate_key  /usr/local/nginx/conf/ssl/newdomain.com/newdomain.com-acme.key;

  resolver 8.8.8.8 8.8.4.4 valid=10m;
  resolver_timeout 10s;
  ssl_stapling on;
  ssl_stapling_verify on;
  ssl_trusted_certificate /usr/local/nginx/conf/ssl/newdomain.com/newdomain.com-acme.cer;
Click to expand...

RB1 · Jan 14, 2017

I checked and it's correct according to those changes
Also rebuilt the .ssl.conf file and same error :\

Browser thinks SSL cert for domain2.com is issued to domain3.com while there is no reference to that domain/directory in vhost config. All caches cleared too

RB1 · Jan 14, 2017

Acutally, re-running the steps @ /vhost.php may have alleviated the problem.
If you generate a cert and then change the IPv6 address later, will that invalidate the cert? Seems like that may have been the issue, and my second problem after rebuilding 15 mins ago was forgetting:

listen [::]:443 ssl http2;
Click to expand...

in the vhost config.

eva2000 · Jan 14, 2017

RB1 said: ↑

If you generate a cert and then change the IPv6 address later, will that invalidate the cert?
Click to expand...

it shouldn't as you validated domain before the change

the error you get is usually due to ssl cert file paths being mixed up or incorrect

in ssh client as root user type this curl header check command for each domain and post what the output says
Code (Text):
curl -Isv https://yourdomain.com

RB1 · Jan 14, 2017

eva2000 said: ↑
it shouldn't as you validated domain before the change

the error you get is usually due to ssl cert file paths being mixed up or incorrect

in ssh client as root user type this curl header check command for each domain and post what the output says
Code (Text):
curl -Isv https://yourdomain.com
Click to expand...
Spoilers so post isn't too long:

domain2.com

* About to connect() to domain2.com port 443 (#0)
* Trying 2600:3c00:xxxx:xxx::2...
* Connected to domain2.com (2600:3c00:xxxx:xxx::2) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate:
* subject: CN=domain2.com
* start date: Jan 14 00:17:00 2017 GMT
* expire date: Apr 14 00:17:00 2017 GMT
* common name: domain2.com
* issuer: CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US
> HEAD / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: domain2.com
> Accept: */*
>
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Server: nginx centminmod
Server: nginx centminmod
< Content-Type: text/html; charset=UTF-8
Content-Type: text/html; charset=UTF-8
< Connection: keep-alive
Connection: keep-alive
< Vary: Accept-Encoding
Vary: Accept-Encoding
< Vary: Cookie
Vary: Cookie
< Set-Cookie: PHPSESSID=ak3k10kn71nqd5kfk4m8rsvgf0; path=/
Set-Cookie: PHPSESSID=ak3k10kn71nqd5kfk4m8rsvgf0; path=/
< Pragma: no-cache
Pragma: no-cache
< Link: <https://domain2.com/wp-json/>; rel="REST API Handbook | WordPress Developer Resources"
Link: <https://domain2.com/wp-json/>; rel="REST API Handbook | WordPress Developer Resources"
< Date: Sat, 14 Jan 2017 02:40:17 GMT
Date: Sat, 14 Jan 2017 02:40:17 GMT
< X-Page-Speed: 1.12.34.2-0
X-Page-Speed: 1.12.34.2-0
< Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Cache-Control: max-age=0, no-cache, no-store, must-revalidate

<
* Connection #0 to host domain2.com left intact
Click to expand...

domain3.com

* About to connect() to domain3.com port 443 (#0)
* Trying 2600:3c00:xxxx:xxx::1...
* Connected to domain3.com (2600:3c00:xxxx:xxx::1) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate:
* subject: CN=domain3.com
* start date: Jan 12 02:08:00 2017 GMT
* expire date: Apr 12 02:08:00 2017 GMT
* common name: domain3.com
* issuer: CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US
> HEAD / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: domain3.com
> Accept: */*
>
< HTTP/1.1 302 Moved Temporarily
HTTP/1.1 302 Moved Temporarily
< Server: nginx centminmod
Server: nginx centminmod
< Content-Type: text/html; charset=UTF-8
Content-Type: text/html; charset=UTF-8
< Connection: keep-alive
Connection: keep-alive
< location: /202-login.php
location: /202-login.php
< Strict-Transport-Security: max-age=31536000;
Strict-Transport-Security: max-age=31536000;
< Date: Sat, 14 Jan 2017 02:41:12 GMT
Date: Sat, 14 Jan 2017 02:41:12 GMT
< X-Page-Speed: 1.12.34.2-0
X-Page-Speed: 1.12.34.2-0
< Cache-Control: max-age=0, no-cache
Cache-Control: max-age=0, no-cache

<
* Connection #0 to host domain3.com left intact
Click to expand...

eva2000 · Jan 14, 2017

if the reported output for common name: and subject: CN are correct domains for ssl certs then should be good

Log in / Register

Forums

Welcome to Centmin Mod Community

Nginx Letsencrypt SSL Properly configuring IPv6

RB1 Active Member

eva2000 Administrator Staff Member

RB1 Active Member

RB1 Active Member

eva2000 Administrator Staff Member

RB1 Active Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

RB1 Active Member

RB1 Active Member

eva2000 Administrator Staff Member

RB1 Active Member

RB1 Active Member

eva2000 Administrator Staff Member

RB1 Active Member

eva2000 Administrator Staff Member

.

Log in / Register

Useful Searches

Welcome to Centmin Mod Community

Nginx Letsencrypt SSL Properly configuring IPv6

RB1 Active Member

eva2000 Administrator Staff Member

RB1 Active Member

RB1 Active Member

eva2000 Administrator Staff Member

RB1 Active Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

RB1 Active Member

RB1 Active Member

eva2000 Administrator Staff Member

RB1 Active Member

RB1 Active Member

eva2000 Administrator Staff Member

RB1 Active Member

eva2000 Administrator Staff Member

.