Server IP HTTPS uses invalid SSL certificate

Hi.

After I enabled SSL for my WordPress sites, my server IP is inaccessible over HTTPS (https://123.456.78.90), but without HTTPS it properly displays the “Welcome to Nginx” page.

When I use HTTPS it shows the following error.
net::err_cert_authority_invalid

When I use HTTPS it uses one of my WordPress SSL certificates. After I proceed it shows “ERR_SPDY_PROTOCOL_ERROR”.

Then I added the following SSL settings to the nginx default config file, but nothing succeeded.

listen [::]:443 ssl http2;
listen 443 ssl http2;

ssl_certificate /var/www/22222/cert/22222.crt;
ssl_certificate_key /var/www/22222/cert/22222.key;

Any way to correct this issue? The server IP over HTTPS still shows the above errors.

I can log in to the admin tool if I use the Tor web browser and add the SSL certificate to the exception list.

@aka20

You posted this under EE v3. I’m using EE v4 and this issue also happens. Just to confirm, are you using v3 or v4? If v4, what version?

Thanks

Hi.

I’m using v3.

Hey there,

So, sounds like it might be a few different problems, that may or may not be related. Just a heads up, V3 is going to be officially unsupported soon so might want to look into upgrading to V4 at some point.

If you make any change whatsoever to the NGiNX config file, you need to restart NGiNX for it to work using nginx -t && service nginx reload (also, make sure you chmod 600 both the certificate and key file, in case you haven’t.)

For the SPDY issue, it could be anything really, but usually it’s somewhere between browser configuration and DNS. If you renew your IP and flush your DNS and get no luck, you can also flush the SPDY sockets in Chrome by navigating to chrome://net-internals/#sockets and hitting the Flush Socket Pools button.

All certificate authorities issue SSL certs for a domain, or “common name”, not an IP Address (with a specific exception). So the default virtual host and Welcome page will show over HTTP okay but will not respond over HTTPS since technically no SSL has been configured for NGiNX’s default page (shown as the server’s IP). Even so, only a self-signed certificate will enable HTTPS traffic to an IP address over public DNS, and that’s usually used for higher ports (such as admin panels and so on).

Your IP will still resolve to the NGiNX default page over regular HTTP but request headers sent with the domain name will resolve over HTTPS. This is normal.

I can’t be sure from your question but it seems your problem can be narrowed down by:

  • undoing any manual configuration changes to NGiNX that EE generated
  • checking your hosts file and making sure there’s no redundancy (so you can resolve SSL over public DNS)
  • flushing your DNS cache

You can also let us know if you used Let’s Encrypt or a Custom SSL certificate.

Thank you Paramdeo for your reply.

In my case I can’t log in to the admin tool. That’s why I try to load the server IP over HTTPS. I have flushed the DNS cache in Chrome and Windows and released a new IP for Windows, but I still face the same issue.

Then I used the Cloudflare origin certificate of one of my sites for the 22222 sites, but Chrome still shows that error.

The webpage at https://111.111.1111.1111:22222/db/pma/ might be temporarily down or it may have moved permanently to a new web address.

ERR_SPDY_PROTOCOL_ERROR

If I use the Tor web browser there’s no such issue. After I added the SSL certificate to the exception list, the admin tool page loads properly.

Hey there,

Oh it’s the EE Admin, ok that narrows it down. The Cloudflare Origin certificate is only valid for a domain name (example.com, *.example.com, etc.) so it’s not possible to place that as the installed certificate for either another domain, or an IP address in your case.

You can set up HTTP authentication to access the admin tools by using the guide here: https://easyengine.io/docs/commands/secure

Or, if you need SSL then you can simply generate a self-signed certificate and add it to the configuration for the admin tools virtual host in /etc/nginx/sites-enabled/default for NGiNX.

It’s not difficult but it’s a long-ish process, you can Google a tutorial on it. Here are two tutorials:

To make it easy for you, just follow Step 1 only in the Digital Ocean tutorial, then go to Step 2 onwards in the other tutorial.

You should also obviously remove the current Cloudflare Origin certificate as well from the current admin tools config, regardless of your choice of HTTP Auth vs. Self-signed Cert.
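
The certificate-name point made in the replies above, as an added example that is not part of the thread: a shell sketch, assuming OpenSSL 1.1.1 or newer, that creates one self-signed certificate for a domain and one for an IP address, then checks which of them covers the IP. The function names, the temporary directory and the address 203.0.113.10 are constructed for illustration.

```shell
#!/bin/sh
# Added example; names, paths and the address are assumptions, not values
# taken from the thread. Requires OpenSSL 1.1.1+ (for -addext).

# make_cert OUTDIR NAME SAN: write a self-signed OUTDIR/NAME.crt and NAME.key
make_cert() {
    outdir=$1; name=$2; san=$3
    ( umask 077    # the private key is never world-readable, even briefly
      openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
          -subj "/CN=$name" -addext "subjectAltName=$san" \
          -keyout "$outdir/$name.key" -out "$outdir/$name.crt" 2>/dev/null
    ) || return 1
    chmod 600 "$outdir/$name.key" "$outdir/$name.crt"
}

# cert_covers_ip CERT IP: succeed only if the certificate names that IP
cert_covers_ip() {
    openssl x509 -in "$1" -noout -checkip "$2" 2>&1 |
        grep -q "does match certificate"
}

# key_matches_cert CERT KEY: succeed only if the key belongs to the certificate
key_matches_cert() {
    a=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    b=$(openssl pkey -in "$2" -pubout | openssl sha256)
    [ "$a" = "$b" ]
}

demo() {
    dir=$(mktemp -d) || return 1
    ip=203.0.113.10    # constructed documentation address
    # A domain-only certificate, like the origin certificate in the thread
    make_cert "$dir" domain "DNS:example.com,DNS:*.example.com" || return 1
    # A certificate whose subjectAltName lists the IP itself
    make_cert "$dir" admin "IP:$ip" || return 1
    for c in domain admin; do
        if cert_covers_ip "$dir/$c.crt" "$ip"; then r="match"; else r="NO match"; fi
        echo "$c.crt for https://$ip:22222/ -> $r"
    done
    key_matches_cert "$dir/admin.crt" "$dir/admin.key" && echo "admin key pairs with admin.crt"
    rm -rf "$dir"
}
demo
```

A browser still reports the self-signed certificate as untrusted until it is added as an exception; the name check shown here is separate from the trust check.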