Hello!

Christopher Schultz <chris@xxxxxxxxxxxxxxxxxxxxxx> wrote on 31.08.16 at 19:50:20:

> > <IfDefine SSL>
> > <IfDefine !NOSSL>
> > IfModule mod_ssl.c>
>
> Missing < in the previous line. Typo or copy/paste error?

This was a copy/paste error.

# netstat -pantu |grep http
tcp   0  0 46.38.231.143:443        0.0.0.0:*  LISTEN  14160/httpd2-prefor
tcp   0  0 37.120.166.21:443        0.0.0.0:*  LISTEN  14160/httpd2-prefor
tcp   0  0 46.38.231.143:80         0.0.0.0:*  LISTEN  14160/httpd2-prefor
tcp   0  0 37.120.166.21:80         0.0.0.0:*  LISTEN  14160/httpd2-prefor
tcp   0  0 127.0.0.1:80             0.0.0.0:*  LISTEN  14160/httpd2-prefor
tcp   0  0 2a03:4000:6:4123::1:443  :::*       LISTEN  14160/httpd2-prefor
tcp   0  0 2a03:4000:6:4123::1:80   :::*       LISTEN  14160/httpd2-prefor

> Try this:
>
> <Virtualhost 37.120.166.21:80 [2a03:4000:6:4123::1]:80>
> ...
> </VirtualHost>
> <Virtualhost 37.120.166.21:443 [2a03:4000:6:4123::1]:443>
> ...
> </VirtualHost>

Done that.

> Note that you haven't specified a VirtualHost for localhost and
> whatever 46.38.231.143 is.

Created a VirtualHost for localhost. 46.38.231.143 is just another
VirtualHost the server is serving.

> Which interface are you using for testing?

On the server it is ens3:

ens3      Link encap:Ethernet  Hardware Adresse BA:69:5F:F3:F8:26
          inet Adresse:37.120.166.21  Bcast:37.120.167.255  Maske:255.255.252.0
          inet6 Adresse: 2a03:4000:6:4123::1/64 Gültigkeitsbereich:Global
          inet6 Adresse: fe80::b869:5fff:fef3:f826/64 Gültigkeitsbereich:Verbindung
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:16017225 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1231199 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 Sendewarteschlangenlänge:1000
          RX bytes:1209401803 (1153.3 Mb)  TX bytes:841330316 (802.3 Mb)

From my testing machine it is wlan1:

wlan1     Link encap:Ethernet  Hardware Adresse 00:22:B0:E7:D9:9B
          inet Adresse:192.168.3.100  Bcast:192.168.3.255  Maske:255.255.255.0
          inet6 Adresse: fe80::222:b0ff:fee7:d99b/64 Gültigkeitsbereich:Verbindung
          inet6 Adresse: 2003:54:ef22:e900:222:b0ff:fee7:d99b/64 Gültigkeitsbereich:Global
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:77004 errors:0 dropped:0 overruns:0 frame:0
          TX packets:60273 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 Sendewarteschlangenlänge:1000
          RX bytes:79839183 (76.1 Mb)  TX bytes:7037131 (6.7 Mb)

> Do any of the ports work? Does httpd even start up?

Yes, no errors.

> >> Those are two different problems:
> >>
> >> 1. Certificates are not found
> >
> > The certificates are there. If I disable the IPv6 things, they are
> > found.
>
> Woah, what?
>
> When you say "disable IPv6", what do you mean? How are you changing
> your configuration?

I mean if I disable listening on the IPv6 addresses in listen.conf and
remove the IPv6 addresses from the VirtualHost statement.

> >> 2. Web site is not reachable
> >>
> >> One may cause the other.
> >>
> >> What error message do you get, and where?
> >
> > The thing is, I didn't notice the website is not reachable 'cause
> > my testings with my IPv6 connection showed no errors.
>
> That statement is confusing to me. Can you clarify it?

I mean I can reach the server on port 443 via the IPv6 entries without
problems from my outside connection with IPv6 enabled, but people tell
me they can't. I have this in bitcorner-ssl.conf:

SSLEngine on
SSLProtocol all

> > ping from outside:
> >
> > andreas@workstation:/> ping6 2a03:4000:6:4123::1
> > PING 2a03:4000:6:4123::1(2a03:4000:6:4123::1) 56 data bytes
> > 64 bytes from 2a03:4000:6:4123::1: icmp_seq=1 ttl=58 time=33.2 ms
> > 64 bytes from 2a03:4000:6:4123::1: icmp_seq=2 ttl=58 time=33.1 ms
> > 64 bytes from 2a03:4000:6:4123::1: icmp_seq=3 ttl=58 time=30.9 ms
> > ^C
> >
> > People then reported the site is not reachable, for instance:
> >
> > Firefox error message: Ein Fehler ist während einer Verbindung mit
> > www.bitcorner.de aufgetreten. SSL hat einen Eintrag erhalten, der
> > die maximal erlaubte Länge überschritten hat. Fehlercode:
> > SSL_ERROR_RX_RECORD_TOO_LONG
> >
> > Curl: error (35): error:140770FC:SSL
> > routines:SSL23_GET_SERVER_HELLO:unknown protocol]
>
> That usually happens when you (correctly) disable SSLv3 and someone
> tries to use an SSLv3 handshake with your site. That doesn't
> necessarily mean that your site is misconfigured.
>
> > Wget: wget "https://www.bitcorner.de/bshop/products.csv"
> > --2016-08-31 15:21:12--  https://www.bitcorner.de/bshop/products.csv
> > Resolving www.bitcorner.de (www.bitcorner.de)... 37.120.166.21, 2a03:4000:6:4123::1
> > Connecting to www.bitcorner.de (www.bitcorner.de)|37.120.166.21|:443... connected.
> > GnuTLS: An unexpected TLS packet was received.
> > Unable to establish SSL connection.
>
> How about this:
>
> $ openssl s_client -tls1 -connect www.bitcorner.de:443
>
> Here's what I get when I try SSLv3:
>
> $ openssl s_client -ssl3 -connect www.bitcorner.de:443
> CONNECTED(00000003)
> 5966:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake
> failure:/BuildRoot/Library/Caches/com.apple.xbs/Sources/OpenSSL098/OpenSSL098-59.60.1/src/ssl/s3_pkt.c:1145:SSL
> alert number 40
> 5966:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake
> failure:/BuildRoot/Library/Caches/com.apple.xbs/Sources/OpenSSL098/OpenSSL098-59.60.1/src/ssl/s3_pkt.c:566:
>
> Using TLSv1, I get better results:
>
> $ openssl s_client -tls1 -connect www.bitcorner.de:443
> CONNECTED(00000003)
> depth=1 /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
> verify error:num=20:unable to get local issuer certificate
> verify return:0
> ---
> Certificate chain
>  0 s:/CN=bitcorner.de
>    i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
>  1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
>    i:/O=Digital Signature Trust Co./CN=DST Root CA X3
> ---
> [...]
> ---
> SSL handshake has read 4652 bytes and written 682 bytes
> ---
> New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
> Server public key is 4096 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
>     Protocol  : TLSv1
>     Cipher    : DHE-RSA-AES256-SHA
>
> etc.
>
> If I let s_client choose the protocol, it chooses TLSv1.2:
>
> $ openssl s_client -connect www.bitcorner.de:443
> CONNECTED(00000003)
> depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
> verify error:num=20:unable to get local issuer certificate
> verify return:0
> ---
> Certificate chain
>  0 s:/CN=bitcorner.de
>    i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
>  1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
>    i:/O=Digital Signature Trust Co./CN=DST Root CA X3
> ---
> [...]
> SSL-Session:
>     Protocol  : TLSv1.2
>     Cipher    : ECDHE-RSA-AES256-GCM-SHA384
>
> etc.

Yes, all right:

andreas@workstation:~> openssl s_client -connect www.bitcorner.de:443
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = bitcorner.de
verify return:1
---
Certificate chain
 0 s:/CN=bitcorner.de
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
....
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: E78775875C88EDB18D25CCE24295EF81B521C024753D77EA19085B5F6916E714
    Session-ID-ctx:
    Master-Key: AF834CBD084DB5F2BFFA2625C36EB2EAB3C290257A07B1ADCA978C8191BF04717456A8B92379797B5F844D6DFB9EC161
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    Start Time: 1472713310
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)

> $ host www.bitcorner.de
> www.bitcorner.de has address 37.120.166.21
> www.bitcorner.de has IPv6 address 2a03:4000:6:4123::1
>
> $ ping6 2a03:4000:6:4123::1
> connect: Network is unreachable
>
> $ ping www.bitcorner.de
> PING www.bitcorner.de (37.120.166.21) 56(84) bytes of data.
> 64 bytes from mail.bitcorner.de (37.120.166.21): icmp_req=1 ttl=49
> time=92.6 ms
>
> $ /sbin/ifconfig
> eth0      Link encap:Ethernet  HWaddr [...]
>           inet addr:10.[...]  Bcast:10.192.215.255  Mask:255.255.254.0
>           inet6 addr: [present]/64 Scope:Link
>
> Weird. Looks like my IPv6 isn't working as I'd expect. So whatever
> configuration you have there now seems to be working. Did you
> roll-back when things weren't working?

Maybe after the changes to
<Virtualhost 37.120.166.21:80 [2a03:4000:6:4123::1]:80> and
<VirtualHost 37.120.166.21:443 [2a03:4000:6:4123::1]:443> things work
better? I disabled the RewriteRule for now.

#RewriteCond %{HTTPS} off
#RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

Andreas
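An added diagnostic example, not code from this thread or from the httpd project: a POSIX shell script that probes each A/AAAA address of a dual-stack name separately with openssl s_client and classifies the result, so a failure on one address family is not masked by success on the other, which is what the IPv6-only tests above did. It assumes getent and OpenSSL 1.1 or newer (bracketed IPv6 literals in -connect) are installed; the function and verdict names are made up for this example, and the sample outputs are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): probe each address a dual-stack name
# resolves to, one at a time, so a broken IPv4 path is not hidden behind a
# working IPv6 path. Assumes getent and OpenSSL 1.1+ (bracketed IPv6 in
# -connect); function and verdict names are made up for this example.
# Map raw s_client output (on stdin) to a short verdict. Order matters:
# even a failed handshake ends with "Verify return code: 0 (ok)".
classify_s_client_output() {
  out=$(cat)
  if printf '%s\n' "$out" | grep -q 'alert handshake failure'; then
    echo handshake-failure      # e.g. SSLv3 forced against a TLS-only server
  elif printf '%s\n' "$out" | grep -q -e 'unknown protocol' -e 'wrong version number'; then
    echo not-tls-on-port        # something other than TLS answered on the TLS port
  elif printf '%s\n' "$out" | grep -q -e 'connect:errno' -e 'Connection refused' -e 'Network is unreachable'; then
    echo connect-failed         # nothing listening, or no route for this family
  elif printf '%s\n' "$out" | grep -q 'Verify return code: 0 (ok)'; then
    echo tls-ok
  elif printf '%s\n' "$out" | grep -q 'Verify return code:'; then
    echo tls-ok-chain-unverified   # handshake fine, local trust store lacks the issuer
  else
    echo unknown
  fi
}
# Print "address verdict" for every A/AAAA record of $1 on port $2 (default 443).
# SNI is sent so the name-based VirtualHost for $1 is selected on each address.
probe_host() {
  host=$1; port=${2:-443}
  getent ahosts "$host" | awk '{print $1}' | sort -u | while read -r addr; do
    case $addr in
      *:*) target="[$addr]:$port" ;;   # IPv6 literal needs brackets
      *)   target="$addr:$port" ;;
    esac
    verdict=$(openssl s_client -connect "$target" -servername "$host" </dev/null 2>&1 \
      | classify_s_client_output)
    printf '%s %s\n' "$addr" "$verdict"
  done
}
# Constructed, abridged s_client outputs so the classifier can be exercised offline.
SAMPLE_OK='CONNECTED(00000003)
    Protocol  : TLSv1.2
    Verify return code: 0 (ok)'
SAMPLE_SSL3='CONNECTED(00000003)
5966:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1145:
    Verify return code: 0 (ok)'
SAMPLE_PLAIN='CONNECTED(00000003)
error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:794:'
if [ "$#" -ge 1 ]; then probe_host "$1" "$2"; fi
```

Run it as `sh probe.sh www.example.org 443` (hypothetical name); one verdict line per address shows immediately whether only one address family is misbehaving.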