SSH SSL TLS are dead

Discussion in 'Install & Upgrades or Pre-Install Questions' started by Max, Jul 3, 2018.

  1. Max

    Max Member

    Hello

    On my VPS, SSL, TLS and SSH are dead.
    My websites do not work with HTTPS.
    Code:
    secured connection failed
    ssh no connection

    Why? How can I fix it?

    Thanks
    regards
    • CentOS 7 64bit
    • Centmin Mod Version Installed: 123.09beta01
    • Nginx Version Installed: 1.15.0
    • PHP Version Installed: 7.2.5
    • MariaDB MySQL Version Installed: 10.1.34
    • When was last time updated Centmin Mod code base ? : today
    • libressl
     
  2. eva2000

    eva2000 Administrator Staff Member

    • How long have you used HTTPS and SSL certificate for your site ? when did you get it setup ?
    • How did you get HTTPS SSL cert setup ? Exact steps ?
    • Who is your web host ? And what plan are you on ?
    • So non-HTTPS works ? can you access VPS's IP address within your web browser ?
    • Tried accessing from different browsers ? Chrome, Opera, Edge, IE11 ?
    • Contacted web host tech support to see if it's an issue on their end yet ?
    If using Centmin Mod's integrated letsencrypt ssl certs, how was the initial letsencrypt ssl certificate obtained ? Which method ?
    • Was the domain nginx vhost already created prior or new domain nginx vhost site setup for first time ?
    • Via centmin.sh menu option 2, 22, /usr/bin/nv ?
    • If you ran centmin.sh menu option 2 or 22, which letsencrypt option did you select from
      Code (Text):
      -------------------------------------------------------------
      Setup full Nginx vhost + Wordpress + WP Plugins
      -------------------------------------------------------------
      
      Enter vhost domain name you want to add (without www. prefix): acme3.domain1.com
      
      Create a self-signed SSL certificate Nginx vhost? [y/n]: n
      Get Letsencrypt SSL certificate Nginx vhost? [y/n]: y
      
      You have 4 options:
      1. issue staging test cert with HTTP + HTTPS
      2. issue staging test cert with HTTPS default
      3. issue live cert with HTTP + HTTPS
      4. issue live cert with HTTPS default
      Enter option number 1-4: 1
      
    • Via addons/acmetool.sh ? which specific command ? examples
      Code (Text):
      ./acmetool.sh issue acme.domain.com
      
      Code (Text):
      ./acmetool.sh issue acme.domain.com live
      
      Code (Text):
      ./acmetool.sh issue acme.domain.com d
      
      Code (Text):
      ./acmetool.sh issue acme.domain.com lived
      
    • What was order of steps you did ? Did you run centmin.sh menu option 2 first with letsencrypt ? Then did you run addons/acmetool.sh afterwards ?
    On another server with SSH access or if you can get into your VPS via out of band console with web host, try typing these commands and sharing their output
    Code (Text):
    echo | openssl s_client -connect yourdomain.com:443
    

    Code (Text):
    curl -Iv https://yourdomain.com
    

    Code (Text):
    curl -Iv http://yourdomain.com
    

    Without the answers to above questions and logs, there is nothing to help troubleshoot.

    SSLLabs Test



    Also run your HTTPS domain site through SSLLabs tester at SSL Server Test (Powered by Qualys SSL Labs). If it says untrusted SSL cert and prompts to continue the test, continue the test.
     
  3. Max

    Hello
    And on Firefox and Chrome browsers, HTTP + HTTPS say 503.


    How long have you used HTTPS and SSL certificate for your site ? when did you get it setup ?
    3 months
    How did you get HTTPS SSL cert setup ? Exact steps ?
    centmin 22
    Who is your web host ? And what plan are you on ?
    ramnode 2GB
    So non-HTTPS works ? can you access VPS's IP address within your web browser ?
    No
    Tried accessing from different browsers ? Chrome, Opera, Edge, IE11 ?
    no 503



    Code:
    [email protected]:~> curl -Iv http://rvlove.co
    * Rebuilt URL to: http://rvlove.co/
    *   Trying 176.56.236.90...
    * TCP_NODELAY set
    * Connected to rvlove.co (176.56.236.90) port 80 (#0)
    > HEAD / HTTP/1.1
    > Host: rvlove.co
    > User-Agent: curl/7.60.0
    > Accept: */*
    >
    < HTTP/1.1 504 Gateway Time-out
    HTTP/1.1 504 Gateway Time-out
    < Server: WebProxy/1.0 Pre-Alpha
    Server: WebProxy/1.0 Pre-Alpha
    < Date: Tue, 03 Jul 2018 03:39:23 GMT
    Date: Tue, 03 Jul 2018 03:39:23 GMT
    < Content-Length: 0
    Content-Length: 0
    < Connection: keep-alive
    Connection: keep-alive
    
    <
    * Connection #0 to host rvlove.co left intact
    
    Code:
    [email protected]:~> curl -Iv https://rvlove.co
    * Rebuilt URL to: https://rvlove.co/
    *   Trying 176.56.236.90...
    * TCP_NODELAY set
    * Connected to rvlove.co (176.56.236.90) port 443 (#0)
    * ALPN, offering h2
    * ALPN, offering http/1.1
    * TLSv1.2 (OUT), TLS handshake, Client hello (1):
    * OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to rvlove.co:443
    * stopped the pause stream!
    * Closing connection 0
    curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to rvlove.co:443
    
    Code:
    [email protected]:~> echo | openssl s_client -connect rvlove.co:443    
    CONNECTED(00000003)
    write:errno=0
    ---
    no peer certificate available
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 0 bytes and written 176 bytes
    Verification: OK
    ---
    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : 0000
        Session-ID:
        Session-ID-ctx:
        Master-Key:
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        Start Time: 1530589010
        Timeout   : 7200 (sec)
        Verify return code: 0 (ok)
        Extended master secret: no
    ---
    [email protected]:~> curl -Iv https://rvlove.co
    * Rebuilt URL to: https://rvlove.co/
    *   Trying 176.56.236.90...
    * TCP_NODELAY set
    * Connected to rvlove.co (176.56.236.90) port 443 (#0)
    * ALPN, offering h2
    * ALPN, offering http/1.1
    * TLSv1.2 (OUT), TLS handshake, Client hello (1):
    * OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to rvlove.co:443
    * stopped the pause stream!
    * Closing connection 0
    curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to rvlove.co:443
    
     
  4. eva2000

    Is that even a Centmin Mod Nginx server? Or did you change the server name displayed? Or are you using Fastly CDN (What is WebProxy/1.0 Pre-Alpha?)? If so, Fastly CDN isn't configured properly for HTTPS.

    looks like web server = Webproxy doesn't have HTTPS configured properly

    503 or 504 error as curl says 504

    Centmin Mod is provided as is, so short of script related bugs or issues, any further optimisation to the web stack components - nginx, php-fpm, mariadb mysql, csf firewall etc or web app specific configurations are left to the Centmin Mod user to deal with. So I do not provide any free support for such.

    Nginx 502 or 504 Bad Gateway Errors



    Bad gateway 502 / 504 timeouts are usually related to Nginx timing out waiting on PHP-FPM to respond as PHP-FPM is overloaded or overwhelmed with requests, so you may need to tune PHP-FPM values. It also may be due to PHP-FPM in turn being queued and backed up waiting on MariaDB MySQL server to respond - so you also need to look at MySQL.

    You'll need to tune your PHP-FPM settings with php-fpm main pool config file at /usr/local/etc/php-fpm.conf (overview of config files) and this is left up to end user to do but here's a thread for starters to enable PHP-FPM status page output outlined at
    Enabling PHP-FPM status also allows setting up 3rd party PHP-FPM status metric monitoring from services like:

    Checking PHP-FPM etc logs



    You'll also need to check into your PHP-FPM, Nginx and MariaDB logs which you can find as outlined at How to troubleshoot Centmin Mod initial install issues

    Server logs include Nginx, PHP-FPM, MariaDB MySQL error logs as well as others. You can find your Centmin Mod install/menu logs at FAQ 7 and server logs at FAQ 19 at Centmin Mod FAQ (most up to date info in FAQ so always read that first). Spoiler tag below has info too but may not be up to date.

    Some of Centmin Mod's installed software will have their own access and error logs which may be useful for diagnosing errors or give info, notes, or warning notices.

    Note: There's no support provided by me for diagnosing such errors which may occur for various reasons including misconfiguration of installed php/mysql scripts or applications.
     
  5. eva2000

    Maybe your ISP connection is behind a proxy of some kind, or a VPN or anti-virus software which is man in the middle (MITM) intercepting and monitoring your connections, and that is timing out? If you're behind a VPN or proxy or anti-virus MITM, disable it and try accessing the site directly.

    I tested your HTTPS version via SSLLabs and it returns back fine: SSL Server Test: rvlove.co (Powered by Qualys SSL Labs)

     
  6. Max

    Hello
    I have only Centmin Mod installed. 1 day ago I did yum -y update, no errors,
    and switched to Nginx 1.15.0, no errors.

    The Nginx Bad Gateway error is 504.

    I have only Centmin Mod, no web proxy,
    and have not changed the server name.

    Code:
    Restarting nginx  [OK]
     
  7. Max

    Mh, yes, I have only G3 or G4 ISP Vodafone, but no extra proxy.

    Can you load https://rvlove.co in your browser?
     
  8. eva2000

    Works fine here: WebPagetest Test Result - Dulles : rvlove.co - 07/03/18 04:20:59. The problem is your Vodafone ISP connection issues. It seems it has a transparent proxy somewhere, hence the curl header checks you posted show you are connecting to a server called = Server: WebProxy/1.0 Pre-Alpha and not Centmin Mod Nginx, as they would if there was no proxy in front of Centmin Mod Nginx.

    webpagetest header check for index page shows server: nginx centminmod as expected and HTTP 200 ok status
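
The header comparison described in the post above, as an added example that is not part of the original thread: it parses saved `curl -Iv` and `openssl s_client` output and reports whether the responder matches the expected origin banner. The first two captures are trimmed from the output posted earlier in the thread, `CURL_DIRECT` is constructed, and the function names are hypothetical.

```shell
# Captures trimmed from the output posted earlier in this thread.
CURL_HTTP='* Connected to rvlove.co (176.56.236.90) port 80 (#0)
> HEAD / HTTP/1.1
> Host: rvlove.co
< HTTP/1.1 504 Gateway Time-out
< Server: WebProxy/1.0 Pre-Alpha
< Content-Length: 0'
S_CLIENT='CONNECTED(00000003)
no peer certificate available
SSL handshake has read 0 bytes and written 176 bytes'
# Constructed sample: the same request answered by the origin itself.
CURL_DIRECT='< HTTP/2 200
< server: nginx centminmod'

# Value of the first Server response header ("< " lines are what curl received).
server_banner() {
  printf '%s\n' "$1" | tr -d '\r' | sed -n 's/^< [Ss]erver: *//p' | head -n 1
}

# Numeric status from the first response status line (HTTP/1.x or HTTP/2).
http_status() {
  printf '%s\n' "$1" | sed -n 's/^< HTTP\/[0-9.]* \([0-9][0-9][0-9]\).*/\1/p' | head -n 1
}

# Bytes the client received during the TLS handshake, per s_client's summary.
handshake_bytes_read() {
  printf '%s\n' "$1" | sed -n 's/^SSL handshake has read \([0-9][0-9]*\) bytes.*/\1/p' | head -n 1
}

# classify_path <curl -v output> <expected origin banner>
classify_path() {
  banner=$(server_banner "$1")
  status=$(http_status "$1")
  if [ -z "$banner" ]; then
    echo "unknown: no Server header in capture"
  elif [ "$banner" = "$2" ]; then
    echo "direct: '$banner' answered with HTTP $status"
  else
    echo "intermediary: '$banner' answered with HTTP $status, expected '$2'"
  fi
}

# True only if the peer sent at least one handshake byte back.
tls_peer_responded() {
  n=$(handshake_bytes_read "$1")
  [ -n "$n" ] && [ "$n" -gt 0 ]
}

classify_path "$CURL_HTTP" "nginx centminmod"
tls_peer_responded "$S_CLIENT" || echo "TLS: no handshake bytes came back from port 443"
```

A `Server` banner can be set to anything, so treat a mismatch as a pointer to look at the network path, not as proof of who answered.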

     
  9. Max

    Thank you very much
    it was actually due to the Vodafone ISP connection

    regards
     