I have a host with LE certificate and it works well in browsers, but I still can't connect using curl, openssl, wget, POST (libwww-perl):
curl
# curl -v -3 https://example.com/
* Hostname was NOT found in DNS cache
* Trying 123.123.123.123...
* Connected to example.com (123.123.123.123) port 443 (#0)
* successfully set certificate verify locations:
* CAfile: none
CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* Unknown SSL protocol error in connection to example.com:443
* Closing connection 0
openssl
# openssl s_client -connect example.com:443
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 295 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---
wget
# wget --post-data "key=val" -vvv https://example.com/
--2016-05-11 11:19:01-- https://example.com/
Resolving example.com (example.com)... 123.123.123.123
Connecting to example.com (example.com)|123.123.123.123|:443... connected.
Unable to establish SSL connection.
POST
# echo 'key=val' | POST https://example.com:443
Can't connect to example.com:443
LWP::Protocol::https::Socket: SSL connect attempt failed with unknown error SSL wants a read first at /usr/share/perl5/LWP/Protocol/http.pm line 41, <STDIN> line 1.
Vhost Config:
<VirtualHost *:443>
ServerName example.com
SSLEngine On
SSLProtocol ALL -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
SSLVerifyDepth 10
SSLCertificateFile /etc/letsencrypt/live/example.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/example.com/fullchain.pem
DocumentRoot "/var/www/"
</VirtualHost>
Best Answer
I think your problem is DNSSEC-related. There exists a DS record for the zone:

but the A record for chat is unsigned:

Note the lack of an RRSIG record for chat.codestronaut.com. This causes DNS lookups simply to fail on certain platforms:

I don't think there's much chance of getting all this to work reliably until you fix your DNS; either have your registrar stop publishing a DS record for the zone, or sign your zone properly. I'm not saying this is the only problem you have, but having a working DNS is pretty much a prerequisite for everything else, and that includes debugging.

Edit: you say you've disabled DNSSEC, but the change has not yet propagated (it may take up to a day, since the TTL on your old DS record was 86400s). Using a DNSSEC-blind client, I can't reproduce the problems you report, but I note that you're running SNI on that system (i.e., several SSL certificates are available, including both chat.codestronaut.com and panel.codestronaut.com). curl -v -3 explicitly doesn't support SNI (because SNI is an extension to TLS, and thus isn't available in SSLv3). openssl s_client works OK once it's warned about SNI:

though without the SNI flag (-servername ...) it gets the certificate for panel. instead.

So at the moment your original report "it works well in browsers, but I still can't connect using [other tools]" seems to boil down to "it works fine, except when I connect using tools that aren't supposed to work on this setup". This is looking a bit like a non-problem.
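As an added illustration of the answer's point about SNI (this is example code, not from the question or the answer), the script below builds and parses minimal ClientHello records: the server_name extension lives in the extensions block that TLS 1.0+ appended to the hello, and an SSLv3 hello of the kind `curl -3` sends has no such block, so there is nowhere to put the host name. Byte layout follows RFC 5246 and RFC 6066; the host name is the one from the answer and the cipher suite is an arbitrary constructed choice.

```python
import struct

# Wire version words and the names the tools on this page use for them.
VERSION_NAMES = {(3, 0): "SSLv3", (3, 1): "TLSv1.0", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}
SNI_EXT = 0x0000  # server_name extension type, RFC 6066

def build_client_hello(version, sni=None):
    """Constructed minimal ClientHello record. SNI rides in the extensions block,
    which only exists from TLS 1.0 on, so an SSLv3 hello cannot carry it."""
    if sni is not None and version == (3, 0):
        raise ValueError("SNI is a TLS extension; SSLv3 has no extensions field")
    body = bytes(version) + b"\x00" * 32 + b"\x00"      # client_version, random, empty session id
    body += struct.pack("!H", 2) + b"\xc0\x2f"           # one cipher suite: ECDHE-RSA-AES128-GCM-SHA256
    body += b"\x01\x00"                                   # compression methods: null only
    if sni is not None:
        name = sni.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name        # name_type host_name + name
        ext = struct.pack("!HHH", SNI_EXT, len(entry) + 2, len(entry)) + entry
        body += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + struct.pack("!I", len(body))[1:] + body           # client_hello + 3-byte length
    return b"\x16" + bytes(version) + struct.pack("!H", len(hs)) + hs

def parse_client_hello(record):
    """Return (version name, SNI host name or None) for a raw ClientHello record."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a handshake record carrying a ClientHello")
    body = record[9:9 + int.from_bytes(record[6:9], "big")]
    version = (body[0], body[1])
    pos = 2 + 32                                            # skip client_version and random
    pos += 1 + body[pos]                                    # session id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher suites
    pos += 1 + body[pos]                                    # compression methods
    sni = None
    if pos < len(body):                                     # extensions block is optional
        ext_end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            edata = body[pos + 4:pos + 4 + elen]
            if etype == SNI_EXT:
                # server_name_list: list length(2), name_type(1), name length(2), name
                name_len = struct.unpack("!H", edata[3:5])[0]
                sni = edata[5:5 + name_len].decode("ascii")
            pos += 4 + elen
    return VERSION_NAMES.get(version, "unknown %d.%d" % version), sni

if __name__ == "__main__":
    print(parse_client_hello(build_client_hello((3, 3), "chat.codestronaut.com")))
    print(parse_client_hello(build_client_hello((3, 0))))  # what curl -3 sends: no SNI possible
```

The same parser run over a packet capture of a failing client is a quick way to confirm whether it ever offered a host name before blaming the server's SSLProtocol line.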