Nginx – Replacing SSL certificate for Nginx – inaccessible from existing devices

httpsnginxssl

I am really hoping someone with more experience can help me get our production site back online as i am pulling my hair out!

I have just renewed an expired ssl cert on our production website, I created a new certificate and key then ordered a new ssl on Comodo. Since I added the new comodo signed certificate and key I can't connect to our production website from any device that has previously used the website with the old certificate. However on an iPad or iPhone everything works as should.

If i try and connect all i see in the bottom left corner is Performing TLS handshake and then i get the page is insecure error, I have checked online tools like: https://www.ssllabs.com/ssltest/ and they say the ssl is fine and valid until February 2018.

Below is my config file for nginx however I am starting to think this is related to the browser caching the old certificate as i have rebooted the server several times to see if that would change anything.

server {
    listen       80 default_server;
    listen       [::]:80 default_server;    
    server_name  _;
    server_tokens off;
    return 301 https://$host$request_uri;

}

server {
    listen       443;
    server_name  *;
    server_tokens off;
    ssl    on;
    ssl_certificate /jet/etc/nginx/ssl/cert.crt;
    ssl_certificate_key /jet/etc/nginx/ssl/key.key; 

    error_page  403   https://$host/404;
    error_page  404   https://$host/404;

    root         /jet/app/www/public;


    index index.php index.html index.htm;
    autoindex on;

    # Load configuration files for the default server block.
    include /jet/etc/nginx/conf.d/*.inc;
}

I have also attached a screen shot but removed the domain name, I would be really great full for any help. I am unable to sleep until I resolve the issue therefore using the phrase "I am panicking" is an understatement!

On one browser i get the following:

www…… uses an invalid security certificate. The certificate expired on 29 November 2017, 23:59. The current time is 30 November 2017, 03:33.

Which does apply to the old certificate that has been replaced and the new does not expire until February 2018. I have verified this has definitely been removed from the server but Firefox and other browsers except ios seem to think it has not been removed, could this be down to cache somewhere along the lines, If so.. does that mean all my visitors that have been to the site will see this message unless their a unique visitor?

Best Answer

Did you? :

# service stop nginx
# ps auxw|grep nginx

There must be no living nginx any more at this point. If there is the kill it. After that:

# service start nginx

If you stop and start nginx and make sure "stop" really killed the process and /jet/etc/nginx/ssl/cert.crt is really pointing to the new certificate (double check by dumping that cert.crt with openssl, verify that the Validity fields are at the correct date) then there's no way the old certificate could still be used by nginx.

Also, are you sure it's nginx picking up the connection? I.e. if you do a host www.your.site and connect to that IP with ssh and do a netstat -npa|grep 443 there, then the process that you get really is that nginx and not some other proxy (varnish, apache, haproxy, docker picking up the connection etc.)?

If in fact it is nginx that is picking up the connection, then you have to see that connection getting served by nginx in its logs /var/log/nginx/*.log.

If you have a more complex nginx setup it might be that there's multiple configuration items setting up the certificate. So do a grep -r ssl_certificate /etc/nginx. Is the certificate set in one place only or are there multiple sites setting it? Is another ssl_certificate setting being used instead of the one you want?

Also make sure it's not low level packet rewriting or such that is moving the connection somewhere else: check iptables -L and iptables -t NAT -L.

Related Solutions

Ssl – IIS 7 Still Serving old SSL Certificate

First a couple points that are probably the same for you

I was trying to update a certificate because it has expired.
I have multiple domains bound to the same IP. They happen to be a SAN certificate but that's probably irrelevant.
I was trying to use the centralized certificate store. Again I think this is irrelevant to most of my answer.
I had already attempted to update the certificate but it wasn't showing the new date.
You're probably in a panic right now if your old certificate already expired. Take a deep breath...

First I'd recommend strongly going to https://www.digicert.com/help/ and downloading their DigiCert tool. You can also use it online.

Enter in your website https://example.com and it will show you the expiration date and thumbprint (what MS calls the certificate hash). It does a realtime lookup so you don't have to worry whether or not your browser (or intermediate server) is caching something.

If you're using the centralized certificate store you'll want to be 100% sure the .pfx file is the latest version so go to your store directory and run this command:

C:\WEBSITES\SSL> certutil -dump www.example.com.pfx

This will show you the expiration date and hash/thumbprint. Obviously if this expiration date is wrong you probaly just exported the wrong certifcate to the filesystem so go and fix that first.

If you are using the CCS then assuming this certutil command gives you the expected expiration date (of your updated certificate) you can proceed.

Run the command:

netsh http show sslcert > c:\temp\certlog.txt
notepad c:\temp\certlog.txt

You likely have a lot of stuff in here so it's easier to open it up in a text editor.

You'll want to search this file for the WRONG hash that you got from digicert.com (or the thumbprint you got fromChrome).

For me this yielded the following. You'll see it is bound to an IP and not my expected domain name. This is the problem. It seems that this (for whatever reason I'm not sure) takes precedence over the binding set in IIS that I just updated for example.com.

IP:port                      : 10.0.0.1:443
Certificate Hash             : d4a17e3b57e48c1166f18394a819edf770459ac8
Application ID               : {4dc3e181-e14b-4a21-b022-59fc669b0914}
Certificate Store Name       : My
Verify Client Certificate Revocation : Enabled
Verify Revocation Using Cached Client Certificate Only : Disabled
Usage Check                  : Enabled
Revocation Freshness Time    : 0
URL Retrieval Timeout        : 0
Ctl Identifier               : (null)
Ctl Store Name               : (null)
DS Mapper Usage              : Disabled
Negotiate Client Certificate : Disabled

I don't even know where this binding came from - I don't even have any SSL bindings on my default site but this server is a few years old and I think something just got corrupted and stuck.

So you'll want to delete it.

To be on the safe side you'll want to run the following comand first to be sure you're only deleting this one item:

C:\Windows\system32>netsh http show sslcert ipport=10.0.0.1:443

SSL Certificate bindings:
-------------------------

IP:port                      : 10.0.0.1:443
Certificate Hash             : d4a17e3b57e48c1166f18394a819edf770459ac8
Application ID               : {4dc3e181-e14b-4a21-b022-59fc669b0914}
Certificate Store Name       : My
Verify Client Certificate Revocation : Enabled
Verify Revocation Using Cached Client Certificate Only : Disabled
Usage Check                  : Enabled
Revocation Freshness Time    : 0
URL Retrieval Timeout        : 0
Ctl Identifier               : (null)
Ctl Store Name               : (null)
DS Mapper Usage              : Disabled
Negotiate Client Certificate : Disabled

Now we've verified this is the 'bad' thumbprint, and expected single record we can delete it with this command:

C:\Windows\system32>netsh http delete sslcert ipport=10.0.0.1:443

SSL Certificate successfully deleted

Hopefully if you now go back to Digicert and re-run the command it will give you the expected certificate thumbprint. You should check all SAN names if you have any just to be sure.

Probably want to IISRESET here to be sure no surprises later.

Final note: If you're using the centralized certificate store and you're seeing erratic behavior trying to even determine if it is picking up your certificate from there or not don't worry - it's not your fault. It seems to sometimes pick up new files immediately, but cache old ones. Opening and resaving the SSL binding after making any kind of change seems to reset it but not 100% of the time.

Good luck :-)

Nginx – Properly setting up a “default” nginx server for https

I managed to configure a shared dedicated hosting on a single IP with nginx. Default HTTP and HTTPS serving a 404 for unknown domains incoming.

1 - Create a default zone

As nginx is loading vhosts in ascii order, you should create a 00-default file/symbolic link into your /etc/nginx/sites-enabled.

2 - Fill the default zone

Fill your 00-default with default vhosts. Here is the zone i am using:

server {
    server_name _;
    listen       80  default_server;
    return       404;
}


server {
    listen 443 ssl;
    server_name _;
    ssl_certificate /etc/nginx/ssl/nginx.crt;
    ssl_certificate_key /etc/nginx/ssl/nginx.key;
    return       404;
}

3 - Create self signed certif, test, and reload

You will need to create a self signed certificate into /etc/nginx/ssl/nginx.crt.

Create a default self signed certificate:

sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/ssl/nginx.key -out /etc/nginx/ssl/nginx.crt

Just a reminder:

Test the nginx configuration before reloading/restarting : nginx -t
Reload a enjoy: sudo service nginx reload

Hope it helps.

Best Answer

Related Solutions

Ssl – IIS 7 Still Serving old SSL Certificate

Nginx – Properly setting up a “default” nginx server for https

Related Topic