0

Sorry I'm not a sys admin.

I'm trying to install my SSL Certificate for encrypt purposes and to use Nginx as a frontend of my Tomcat Alfresco application.

I just can't reach my domain with HTTPS as desired, I receive these messages on each browser that I attempt to connect

Chrome:

SSL connection error

ERRSSLPROTOCOL_ERROR Hide details Unable to make a secure connection to the server. This may be a problem with the server, or it may be requiring a client authentication certificate that you don't have.

FireFox:

An error occurred during a connection to www.example.com. SSL received a >record that exceeded the maximum permissible length. (Error code: >ssl_error_rx_record_too_long) The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.

The log files (access and error) at /var/log/nginx are completely empty and here is my nginx.conf file 

user www-data;
worker_processes 2;
pid /run/nginx.pid;

events {
worker_connections 1024;
# multi_accept on;
}

http {

##
# Basic Settings
##

sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
# server_tokens off;

# server_names_hash_bucket_size 64;

include /etc/nginx/mime.types;
default_type application/octet-stream;

##
# Logging Settings
##

access_log on;
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log debug;

##
# Gzip Settings
##

gzip                on;
gzip_disable        "msie6";
gzip_http_version   1.1;
gzip_comp_level     6;
#gzip_min_length    256;
gzip_buffers        16 8k;
gzip_proxied        any;
gzip_types          text/xml text/plain application/json text/javascript application/javascript application/x-javascript text/css text/csv text/x-markdown text/x-web-markdown application/atom+xml application/rss+xml application/atomsvc+xml;
#gzip_vary           on;

# Set proxy cache path
proxy_cache_path /var/cache/nginx/alfresco levels=1 keys_zone=alfrescocache:256m max_size=512m inactive=1440m;

# Main website Tomcat instance
upstream alfresco {
    server localhost:8080;
}

# Sharepoint Alfresco vti module
#upstream sharepoint {
#    server localhost:7070;
#}

# Uncomment if you want redirect to https
server {
    listen        80 default_server ;
    listen   [::]:80 default_server ipv6only=on;
    server_name example.com www.example.com;
    server_name_in_redirect off;
    rewrite ^ https://$host$request_uri? permanent;
}

# Default server config. Update servername.
server {
    #listen        80 default_server ;
    #listen   [::]:80 default_server ipv6only=on;
    listen        443 default_server ssl;
    #listen        443 ssl spdy;
    server_name example.com www.example.com;

    root /opt/alfresco/www;
    index index.html index.htm;

    # Redirecto root requests to Share
    rewrite ^/$ /share;

    ssl         on;
    ssl_certificate       /etc/ssl/example.crt;
    ssl_certificate_key   /etc/ssl/private/example.key;
    ssl_verify_client off;

    ssl_session_timeout  15m;

    ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
    #ssl_ciphers  HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers   on;

    # spdy Support, use add_header if you do not use redirection from http to https
    #add_header        Alternate-Protocol  443:npn-spdy/2;
    #spdy_headers_comp 4;

    location / {
        # First attempt to serve request as file, then
        # as directory, then fall back to displaying a 404.
        try_files $uri $uri/ /index.html;
        # Uncomment to enable naxsi on this location
        # include /etc/nginx/naxsi.rules
    }

    # redirect server error pages to the static page /50x.html
    #
    error_page 502 503 504 /maintenance.html;
        location = /maintenance.html {
        root   /opt/alfresco/www;
    }

    # Access to old Alfresco web client. Remove this location if not needed.
    location /alfresco {

        # Allow for large file uploads
        client_max_body_size 0;

        # Proxy all the requests to Tomcat
        proxy_http_version 1.1;
        #proxy_buffering off;
        proxy_pass http://alfresco;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $http_host;
        proxy_set_header X-Forwarded-Server $host;
    }

    location /share {

        # Allow for large file uploads
        client_max_body_size 0;

        # Proxy all the requests to Tomcat
        proxy_http_version 1.1;
        #proxy_buffering off;
        proxy_pass http://alfresco;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $http_host;
        proxy_set_header X-Forwarded-Server $host;
    }

    location /share/proxy/alfresco {
        # This section is for allowing to rewrite 50x response to 401 on Ajax req.
        # This forces Share to reload page, and thus display maintenance page

        # Allow for large file uploads
        client_max_body_size 0;

        # Proxy all the requests to Tomcat
        proxy_http_version 1.1;
        #proxy_buffering off;
        proxy_pass http://alfresco;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $http_host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_intercept_errors on;
        error_page 502 503 504 =401 /maintenance.html;
    }

    location /share/res/ {

        # Proxy all the requests to Tomcat
        proxy_http_version 1.1;
        proxy_pass http://alfresco;
        proxy_set_header  Host $http_host;

        proxy_cache alfrescocache;
        proxy_cache_min_uses 1;
        proxy_cache_valid  200 302 1440m;
        proxy_cache_valid  404 1m;
        proxy_cache_use_stale updating error timeout invalid_header http_500 http_502 http_503 http_504;
    }
}

Can anybody help me sort this out? I have 15 days to get this work out or return it and ask the CA for a refund.

Extra info:

Ubuntu 15.04

java version "1.8.0_66"

Tomcat 7

nginx/1.8.0

SSL from GoDaddy

Edit: user@host:/opt/alfresco/www$ ls -la total 20 drwxr-xr-x 2 www-data root 4096 Sep 17 18:21 . drwxr-xr-x 9 alfresco alfresco 4096 Sep 17 19:23 .. -rw-r--r-- 1 www-data root 10563 Sep 17 18:21 maintenance.html

augustus182l
  • 101
  • 2
  • I take it you've either restarted or reloaded the nginx process since you made these changes? – Thomas Ward Dec 03 '15 at 17:04
  • Try uncommenting the server_name line please. Maybe there's some bug related to that. – Florin Asăvoaie Dec 03 '15 at 17:41
  • I've been strugglint with this for days and everytime I make any change I do 'sudo nginx -t' and 'sudo /etc/init.d/nginx/restart'. Nothing changed @FlorinAsăvoaie – augustus182l Dec 03 '15 at 19:53
  • How are you accessing the server? Are you going to http:// and expecting the HTTP to HTTPS redirect to work? – ericbond007 Dec 03 '15 at 19:57
  • @ericbond007 I'm typing in my domain with the https:// because my ISP blocks port 80, so as I don't want to have to use example.com:80 ,I'm port forwarding on my router the requests from 443 to 80 (internal port) – augustus182l Dec 03 '15 at 20:20
  • @augustus182l Please comment your `ssl_ciphers` directive and see if this helps. If not, please enable debug error log and post the output of a request. – gxx Dec 03 '15 at 22:09
  • So I understand you correctly: Your ISP blocks port 80, so port 80 requests don't hit your router. So anything on your router that hits 443 you are sending to nginx on port 80 – Drifter104 Dec 03 '15 at 23:31
  • If thats the case, nginx will never get any requests on port 443? – Drifter104 Dec 04 '15 at 00:26
  • I'm gonna do that gf_. Exactly, @Drifter104! I don't want to have to type the port, I want to access my application directly through http:// or https://example.com. I was thinking, what if I just let the port 443 without redirecting it to port 80 and with that setting I get this error message: 400 Bad Request The plain HTTP request was sent to HTTPS port – augustus182l Dec 04 '15 at 00:29
  • Sorry @Drifter104 I'm really new to that as I'm not sys admin. I might be confusing lot of things. I don't want user to be able to access my application without SSL. What if I just leave port 443 and comment the listen port 80? Is it supposed to work that way? – augustus182l Dec 04 '15 at 00:31
  • @gf_ I enabled logging with 'debug'. There are 2 situations when I type in example.com: the first one is when I router any traffic that hits port 443 to internal port 443 I get this: [link](http://wikisend.com/download/762032/case1.txt) and when I router any traffic that hits port 443 to internal port 80 i get this: [link](http://wikisend.com/download/724746/case2.txt) Thanks in advance – augustus182l Dec 04 '15 at 01:53
  • If you only want https traffic then you would set your router to send port 443 to the nginx server. Then your config takes over and does the ssl decrypt part – Drifter104 Dec 04 '15 at 09:20
  • @augustus182l Sorry, as it currently stands, I'm not able to understand the problem and the things involved in. The second link you've posted contained a file with garbled output (is this correct?). For the future, please put these log files directly into your question, so one isn't depended on a third-party service, and it's possible to understand your question, the problems involved and a possible solution in the future as well; maybe there'll be another user experiencing the same problem, it might be of help to him to get the complete picture. – gxx Dec 04 '15 at 11:12
  • @augustus182l I don't understand your comment about the ports...what is the "internal port 443"? Maybe you could try to put as much information as you think are relevant into your question. – gxx Dec 04 '15 at 11:13
  • @augustus182l The two logs you've posted...these are `access` logs, right? More helpful would be the `error` logs. – gxx Dec 04 '15 at 11:15
  • I think you need to take a step back. Verify your firewall settings, make sure port 443 can reach the server. If you have questions regard that it would also be better in a different question. – Drifter104 Dec 04 '15 at 12:03
  • @gf_ These logs are from error.log. When I try to reach https://example.com it will try to access my router on port 443, right? So my internal port is actually the port of my host server in this case port 80 so Nginx can proxy it to my application. I can't believe that something that sounds really simple to implement is becoming a hassle! – augustus182l Dec 04 '15 at 12:26
  • @augustus182l If you try to connect to `https://example.com` (which is where your posted link points to), by default, it will go straight to `port 443`. No `port 80` involved in this case, as long as you don't do any sort of "port translation". – gxx Dec 04 '15 at 12:45
  • @Drifter104 My router firewall is port forwarding to the host and the host has UFW disabled for test purposes, although the port 443 is open. – augustus182l Dec 04 '15 at 13:08
  • Guys, I edited the question with the whole code I'm using after all the suggestions I received here. Also, at the bottom I added the ls of my www directory. I believe I'm really dumb cuz I just saw that I don't have any file in that but maintenance.html. I'm sorry again, I got this config from googling. When I try to reach my host directly by its IP:443, my browser asks me about security questions and it works! When I try with example.com it keeps trying to connect and ends by giving me connection timed out – augustus182l Dec 04 '15 at 19:48
  • I don't want to answer my own question as I dont want to be a lame. I ended up fixing this by doing a handful of things: edited server.xml add redirectport=8443 on connector 8080 parameter; edited nginx.conf set upstream to port 8443, set proxy_pass params to https:// not http://; removed https redirection snippet; set my router to portforward requests from port 443 to my host-ip 443. Afterwards, when I type in https://www.example.com it redirects me to my tomcat application. Thanks for all the the replied I received here, they certainly helped me to make out the solution for my issue. – augustus182l Dec 10 '15 at 18:49

0 Answers0