Почему 500 SSL negotiation failed?

Question

[sailorpapay]

whois.domaintools.com/wiseessays.cn
Ругается на 500, сайт открывается с 5-10 попытки.
Не могу найти в чем проблема?

Comments

[ky0]

Вы расскажите, что там у вас стоит за веб-сервер и как он настроен, для начала.

[sailorpapay]

ky0,

upstream backend {
server 192.168.42.1;
}



server {


listen 443 http2 ssl ;
server_name www.wiseessays.cn;
ssl_certificate /etc/letsencrypt/live/wiseessays.cn/fullchain.pem; # managed by Certbot

ssl_certificate_key /etc/letsencrypt/live/wiseessays.cn/privkey.pem; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

ssl_protocols TLSv1.2 TLSv1.3 TLSv1.1;
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA;
ssl_prefer_server_ciphers on;
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
add_header Strict-Transport-Security "max-age=31536000";

server_tokens off;

add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options "nosniff" always;



rewrite ^/(.*)/$ /$1 permanent;
if ($request_uri ~* "\/\/") { rewrite ^/(.*) $scheme://$host/$1 permanent; }

#rewrite lowercase
location ~ [A-Z] {
set $temp 1;
#if ($request_uri ~ ((\.css(\?.+)?$)|(\.svg(\?.+)?$)|(\.js(\?.+)?$)|\/font\/|(\.jpg(\?.+)?$))) {set $temp 3;}
if ($request_uri ~ ((\.css(\?.+)?$)|(\.svg(\?.+)?$)|(\.js(\?.+)?$)|\/font\/|(\.jpg(\?.+)?$))) {add_header Cache-Control "public, no-transform";expires 7d;set $temp 3;}
if ($temp ~ 1) {
rewrite ^(.*)$ $scheme://$host$uri_lowercase;
}
}

location /assets/ {
root /var/www/;
try_files $uri $uri/ = router;
expires 7d;
access_log off;
log_not_found off;

}

location router {
proxy_pass http://backend;
proxy_set_header Host $host;

}

location / {
proxy_pass http://backend;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Real-IP $remote_addr;
proxy_buffers 4 256k;
proxy_buffer_size 128k;
proxy_busy_buffers_size 256k;

}

location /wp-admin { deny all; }

location ~ /\.ht { deny all;}

}

[sailorpapay]

ky0,

Trying 120.79.167.120...
* TCP_NODELAY set
* Connected to www.wiseessays.cn (120.79.167.120) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/cert.pem
CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to www.wiseessays.cn:443
* Closing connection 0
curl: (35) LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to www.wiseessays.cn:443

[sailorpapay]

сейчас этой проблемы нет, я переключил на AWS ALB с их сертификатом.
проблема на сертификате Certbot

[sailorpapay]

собственно вернул все как было, сертификат взял от комодо.
* Trying 120.79.167.120...
* TCP_NODELAY set
* Connected to www.wiseessays.cn (120.79.167.120) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/cert.pem
CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to www.wiseessays.cn:443
* Closing connection 0
curl: (35) LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to www.wiseessays.cn:443

[sailorpapay]

а на 3-5 попытку

~ curl -v 'https://www.wiseessays.cn'

* Trying 47.112.74.69...
* TCP_NODELAY set
* Connected to www.wiseessays.cn (47.112.74.69) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/cert.pem
CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
* subject: OU=Domain Control Validated; OU=PositiveSSL; CN=www.wiseessays.cn
* start date: Nov 21 00:00:00 2019 GMT
* expire date: Nov 20 23:59:59 2020 GMT
* subjectAltName: host "www.wiseessays.cn" matched cert's "www.wiseessays.cn"
* issuer: C=GB; ST=Greater Manchester; L=Salford; O=Sectigo Limited; CN=Sectigo RSA Domain Validation Secure Server CA
* SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7fe086005600)
> GET / HTTP/2
> Host: www.wiseessays.cn
> User-Agent: curl/7.64.1
> Accept: */*
>
* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
^[[A^C
➜ ~ curl -v 'https://www.wiseessays.cn'

Answer 1

[Михаил Васильев]

Все у вас хорошо:
https://ping-admin.ru/free_test/result/1574355916w...

Сайт лично у меня открывается нормально, проблема на стороне domaintools.com
Их чекер не умеет в TLS 1.3 вот и вся причина 500 при проверке.

Comments

[sailorpapay]

сейчас я переключил на AWS, где ssl от AWS.

[sailorpapay]

upstream backend {
server 192.168.42.1;
}



server {


listen 443 http2 ssl ;
server_name www.wiseessays.cn;
ssl_certificate /etc/letsencrypt/live/wiseessays.cn/fullchain.pem; # managed by Certbot

ssl_certificate_key /etc/letsencrypt/live/wiseessays.cn/privkey.pem; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

ssl_protocols TLSv1.2 TLSv1.3 TLSv1.1;
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA;
ssl_prefer_server_ciphers on;
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
add_header Strict-Transport-Security "max-age=31536000";



server_tokens off;

add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options "nosniff" always;




rewrite ^/(.*)/$ /$1 permanent;
if ($request_uri ~* "\/\/") { rewrite ^/(.*) $scheme://$host/$1 permanent; }



#rewrite lowercase
location ~ [A-Z] {
set $temp 1;
#if ($request_uri ~ ((\.css(\?.+)?$)|(\.svg(\?.+)?$)|(\.js(\?.+)?$)|\/font\/|(\.jpg(\?.+)?$))) {set $temp 3;}
if ($request_uri ~ ((\.css(\?.+)?$)|(\.svg(\?.+)?$)|(\.js(\?.+)?$)|\/font\/|(\.jpg(\?.+)?$))) {add_header Cache-Control "public, no-transform";expires 7d;set $temp 3;}
if ($temp ~ 1) {
rewrite ^(.*)$ $scheme://$host$uri_lowercase;
}
}



location /assets/ {
root /var/www/;
try_files $uri $uri/ = router;
expires 7d;
access_log off;
log_not_found off;

}


location router {
proxy_pass http://backend;
proxy_set_header Host $host;

}

location / {
proxy_pass http://backend;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Real-IP $remote_addr;
proxy_buffers 4 256k;
proxy_buffer_size 128k;
proxy_busy_buffers_size 256k;


}




location /wp-admin { deny all; }

location ~ /\.ht { deny all;}




}

[Михаил Васильев]

sailorpapay, проверка так и показывает 500-тку.

[sailorpapay]

апстрим по 80 порту, и сути не играет, даже если открывать локальные файлы та же беда

[sailorpapay]

* Trying 47.112.74.69...
* TCP_NODELAY set
* Connected to www.wiseessays.cn (47.112.74.69) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/cert.pem
CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to www.wiseessays.cn:443
* Closing connection 0
curl: (35) LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to www.wiseessays.cn:443
➜ ~

[sailorpapay]

а на 3-5 попытку

~ curl -v 'https://www.wiseessays.cn'

* Trying 47.112.74.69...
* TCP_NODELAY set
* Connected to www.wiseessays.cn (47.112.74.69) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/cert.pem
CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
* subject: OU=Domain Control Validated; OU=PositiveSSL; CN=www.wiseessays.cn
* start date: Nov 21 00:00:00 2019 GMT
* expire date: Nov 20 23:59:59 2020 GMT
* subjectAltName: host "www.wiseessays.cn" matched cert's "www.wiseessays.cn"
* issuer: C=GB; ST=Greater Manchester; L=Salford; O=Sectigo Limited; CN=Sectigo RSA Domain Validation Secure Server CA
* SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7fe086005600)
> GET / HTTP/2
> Host: www.wiseessays.cn
> User-Agent: curl/7.64.1
> Accept: */*
>
* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
^[[A^C
➜ ~ curl -v 'https://www.wiseessays.cn'