
I have built a web app, app.mywebapp.com. I'm planning to implement white labeling for my users.

User example website: userwebsite.com. I want to point their subdomain to my app.

Example: dashboard.userwebsite.com should point to app.mywebapp.com

I have added a CNAME record in my user's DNS settings.

I'm using OpenResty to implement dynamic SSL certificate handling via a reverse proxy.

My web app is running on one AWS EC2 instance, with SSL being handled by a load balancer.

I have created another EC2 instance with a load balancer to handle the SSL requests from my users' websites.

When I type the EC2 instance's public DNS name in the browser, I get an insecure SSL error with the message

"sni-support-required-for-valid-ssl" certificate is not trusted

Here is the nginx.conf file for handling SSL via OpenResty:

    user  www-data;

    events {
      worker_connections 1024;
    }

    http {
      # Shared memory used by lua-resty-auto-ssl for its certificate cache
      lua_shared_dict auto_ssl 1m;
      lua_shared_dict auto_ssl_settings 64k;
      # Needed so that proxy_pass to a hostname and the Let's Encrypt calls can resolve
      resolver 8.8.8.8 ipv6=off;

      init_by_lua_block {
        auto_ssl = (require "resty.auto-ssl").new()
        -- Accept every domain that reaches this proxy. Anyone who points a
        -- hostname at this IP can then trigger an issuance attempt; restrict
        -- this to names that really CNAME to app.mywebapp.com once it works.
        auto_ssl:set("allow_domain", function(domain)
          return true
        end)
        auto_ssl:init()
      }

      init_worker_by_lua_block {
        auto_ssl:init_worker()
      }

      # HTTPS front end for the customer hostnames (dashboard.userwebsite.com, ...)
      server {
        listen 443 ssl;

        # Look up (or issue) the certificate for the SNI name of each handshake
        ssl_certificate_by_lua_block {
          auto_ssl:ssl_certificate()
        }
        # Self-signed placeholder served when no certificate exists for the name;
        # its CN is "sni-support-required-for-valid-ssl"
        ssl_certificate /etc/ssl/resty-auto-ssl-fallback.crt;
        ssl_certificate_key /etc/ssl/resty-auto-ssl-fallback.key;

        # Send SNI to the upstream so its load balancer can pick the right certificate
        proxy_ssl_server_name on;

        location / {
          # The upstream sees its own hostname; the customer hostname only
          # survives in the forwarded headers below
          proxy_set_header Host app.mywebapp.com;
          proxy_set_header Referer $host$uri;
          proxy_buffer_size 128k;
          proxy_buffers 4 256k;
          proxy_busy_buffers_size 256k;

          proxy_set_header User-Agent $http_user_agent;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header Accept-Encoding "";
          proxy_set_header Accept-Language $http_accept_language;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          proxy_set_header X-Forwarded-Proto https;
          proxy_read_timeout 5m;

          proxy_pass https://app.mywebapp.com;
        }
      }

      # Plain HTTP: answer ACME HTTP-01 challenges, redirect everything else to HTTPS
      server {
        listen 80;

        location /.well-known/acme-challenge/ {
          content_by_lua_block {
            auto_ssl:challenge_server()
          }
        }

        location / {
          return 301 https://$host$request_uri;
        }
      }

      # Internal endpoint called by auto-ssl's dehydrated hooks; loopback only
      server {
        listen 127.0.0.1:8999;
        client_body_buffer_size 128k;
        client_max_body_size 128k;

        location / {
          content_by_lua_block {
            auto_ssl:hook_server()
          }
        }
      }
    }
Anirudh

1 Answer


This happens because, for some reason, your server failed to obtain new certificates. I cannot fully debug your setup, but I can assure you that the documentation at https://github.com/GUI/lua-resty-auto-ssl works, but it may not be easy to debug.

Protip: watch your logs

Your question is incomplete, but most of the time, when using OpenResty, you should watch your error log files for what they tell you. Most of the time, these will be the common errors:

Too many requests

GUI/lua-resty-auto-ssl will retry very, very fast. It means that if you deploy a wrong configuration, you will very likely reach the Let's Encrypt limits. If you are doing heavy debugging, I really recommend you use another subdomain so as not to saturate your main domain.

Directory permissions

If OpenResty cannot write, it will fail. But in some cases your OpenResty/Nginx will still be able to work, but dehydrated will fail.

Issues with redirects and/or not having the GUI/lua-resty-auto-ssl snippet in the exact place

This is hard to debug, but, explained very simply, go step by step when implementing redirects (like forced HTTP to HTTPS), because you may be able to obtain a new certificate, then not renew it.

By "exact place" I mean that:

  • if Let's Encrypt will try on port 80, you need to have the GUI/lua-resty-auto-ssl snippet there
  • if Let's Encrypt will try on the domain example.com, you need to have the GUI/lua-resty-auto-ssl snippet there

Final comments:

If you can, try the very minimum examples from GUI/lua-resty-auto-ssl, then, after each change you make, try again, step by step, and watch your log files. If you do this, it may take you 30~60 min more, but it can save you days of debugging, especially if you are using it for the first time.

Emerson Rocha
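The configuration in the question returns `true` from `allow_domain`, so any hostname that happens to point at this proxy (a stranger's, or a typo) triggers an issuance attempt and counts against the Let's Encrypt limits the answer warns about. As an added example, not code from the question, from the answer, or from the lua-resty-auto-ssl project, here is a replacement callback that only allows names whose CNAME currently resolves to the white-label target. The target app.mywebapp.com and the 8.8.8.8 resolver are taken from the question; the `allow_domain_cache` shared dict, the TTLs and the helper names are my own assumptions.

```lua
-- Added example, not from the question or from lua-resty-auto-ssl itself.
-- Goes inside init_by_lua_block in place of the `return true` callback.
-- Assumes `lua_shared_dict allow_domain_cache 1m;` in the http block and
-- uses lua-resty-dns, which ships with OpenResty.

local resolver = require "resty.dns.resolver"

local WHITE_LABEL_TARGET = "app.mywebapp.com"  -- from the question
local NAMESERVERS        = { "8.8.8.8" }       -- same resolver as nginx.conf
local ALLOW_TTL          = 300                 -- cache a positive answer 5 min
local DENY_TTL           = 60                  -- cache a refusal 1 min

-- Normalise a DNS name: lower-case, no trailing dot.
local function canon(name)
  return (name:lower():gsub("%.$", ""))
end

-- Return the CNAME target of `domain`, or nil plus an error string.
local function cname_of(domain)
  local r, err = resolver:new{
    nameservers = NAMESERVERS,
    retrans = 3,
    timeout = 2000,  -- milliseconds
  }
  if not r then
    return nil, "resolver init failed: " .. tostring(err)
  end

  local answers, qerr = r:query(domain, { qtype = r.TYPE_CNAME })
  if not answers then
    return nil, "query failed: " .. tostring(qerr)
  end
  if answers.errcode then
    return nil, "dns error " .. answers.errcode .. ": " .. tostring(answers.errstr)
  end

  for _, ans in ipairs(answers) do
    if ans.type == r.TYPE_CNAME and ans.cname then
      return canon(ans.cname)
    end
  end
  return nil, "no CNAME record"
end

auto_ssl:set("allow_domain", function(domain)
  local cache = ngx.shared.allow_domain_cache
  domain = canon(domain)

  -- This callback runs on every TLS handshake for a name without a cached
  -- certificate, so consult the cache before doing a DNS round-trip.
  local cached = cache:get(domain)
  if cached ~= nil then
    return cached
  end

  local target, err = cname_of(domain)
  local allowed = (target == WHITE_LABEL_TARGET)
  if not allowed then
    ngx.log(ngx.WARN, "auto-ssl: refusing certificate for ", domain,
            " (CNAME=", tostring(target), ", err=", tostring(err), ")")
  end
  -- Refusals are cached for a shorter time so a customer who fixes their
  -- DNS record is picked up quickly; positive answers are cached longer.
  cache:set(domain, allowed, allowed and ALLOW_TTL or DENY_TTL)
  return allowed
end)
```

Drop this into `init_by_lua_block` in place of the three-line `allow_domain` stub and add `lua_shared_dict allow_domain_cache 1m;` next to the other shared dicts. A hostname that reaches the proxy through an A record (an apex domain, for instance) is refused, which is the intended behaviour here; if customers are told to CNAME to the proxy's own load-balancer name rather than to app.mywebapp.com, set WHITE_LABEL_TARGET to that name instead. The refusal is logged at WARN level, so a customer whose record is wrong shows up in the same error log the answer tells you to watch.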