Invalid SSL certificate on the origin server (error 526)

Hello,

After going through the already existing tickets about this topic, i didn’t find a proper answer that could solve our issue.

We have added a new subdomain called grouphug.peachbitcoin.com. We first tested it out by creating the subdomain grouphug-testnet.peachbitcoin.com, pointing to the test server, and everything simply worked as with any other subdomain we’ve ever registered through CF.

However, this time, after setting up the nginx configuration exactly the same as for the testnet subdomain, but for the production domain grouphug.peachbitcoin.com, and pointing the A record to our production server IP, when we try to access it we get a 526 invalid SSL certificate error on the origin server.

I’ve gone through the troubleshooting guide, and modified the nginx conf to use first a Let’s Encrypt certificate (didn’t work), and then one of the certificates issued by CF on the SSL/TLS > Origin Server page. I’ve specifically added those certs into my origin server, under the /etc/ssl/certs/ folder, and added that path to our nginx configuration file.

After doing all this I still receive the 526 SSL cert error on the origin server.

We have our SSL encryption mode at FULL, not FULL STRICT.

Is there anything else we’re missing, or that we could try to be able to reach our server?

When checking SSLShopper with grouphug.peachbitcoin.com, the certificate that we’ve added into our nginx config file appears, so it seems SSLShopper detects it, but Cloudflare doesn’t.

Any help would be highly appreciated. Thanks.

First of all, you should always use Full (strict). Full is as good as not using SSL at all.

But if you are experiencing this problem on Full, it means your server is not offering any SSL certificate at all for your new subdomain.

This means there is likely a problem with your Nginx configuration. Can you show the relevant part of the config?

If you could also share your server IP (via PN if you don’t want it public) I could also take a look at what exactly happens during the SSL handshake.

The test detects the Cloudflare Edge certificate, not the certificate on your server.

Hey, thanks for the quick response.

Adding the nginx conf for the grouphug subdomain below:

server {
    ssl_certificate    /etc/ssl/certs/grouphug.peachbitcoin.com.pem;
    ssl_certificate_key    /etc/ssl/certs/grouphug.peachbitcoin.com.key;

    server_name grouphug.peachbitcoin.com;
    listen 443;

    location / {
        proxy_pass          http://127.0.0.1:8081;
        proxy_http_version  1.1;
        proxy_set_header    X-Forwarded-For $remote_addr;
    }
}

how can I send a PN to share the IP?


Try the following:

openssl s_client -connect 1.2.3.4:443 -servername grouphug.peachbitcoin.com
curl -ksvo /dev/null https://grouphug.peachbitcoin.com --connect-to ::1.2.3.4

And replace 1.2.3.4 with your origin IP. These will replicate a TLS connection to your origin IP and should show an error that highlights that your certificate is not being correctly presented, which should help you debug the origin config further.

Note: this all assumes that your domain is active on Cloudflare and that, in your Cloudflare DNS settings, the record for grouphug.peachbitcoin.com correctly points to your origin IP address, which is always worth double-checking. If you’re connecting to the wrong origin, then the wrong cert would be presented, causing a 526 (in Full Strict mode, at least).

1 Like
$ openssl s_client -connect <server-IP>:443 -servername grouphug.peachbitcoin.com

CONNECTED(00000003)
4639209132:error:1400410B:SSL routines:CONNECT_CR_SRVR_HELLO:wrong version number:/AppleInternal/Library/BuildRoots/20d6c351-ee94-11ec-bcaf-7247572f23b4/Library/Caches/com.apple.xbs/Sources/libressl/libressl-2.8/ssl/ssl_pkt.c:386:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    Start Time: 1692968548
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---

$ curl -ksvo /dev/null https://grouphug.peachbitcoin.com --connect-to ::<server-IP>
* Connecting to hostname: <server-IP>
*   Trying <server-IP>:443...
* Connected to <server-IP> (<server-IP>) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/cert.pem
*  CApath: none
* (304) (OUT), TLS handshake, Client hello (1):
} [330 bytes data]
* error:1404B42E:SSL routines:ST_CONNECT:tlsv1 alert protocol version
* Closing connection 0

That OpenSSL can’t connect is a sign that your origin server IP is fundamentally misconfigured, I think.

I think you will need to consult with your hosting provider to make sure things are correct.

EDIT: May be worth checking your nginx error logs when you replicate the problem and also when you restart the server to see what is logged in case there’s an nginx problem.

1 Like

curl output is on the same answer on the last reply just under the openssl lines :slight_smile:

Maybe this should be listen 443 ssl;?

1 Like
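To show what Cloudflare (and the openssl/curl probes earlier in the thread) see when a vhost has `listen 443;` without `ssl`, here is an added Python example that is not from this thread or from nginx: it starts a constructed stand-in for the misconfigured origin (a loopback TCP listener that answers a TLS ClientHello with a plain HTTP 400, as a non-ssl nginx listener does) and probes it the way the `openssl s_client -servername` command does, classifying the outcome. The loopback host, the port chosen by the OS and the function names are assumptions.

```python
import socket
import socketserver
import ssl
import threading

# Constructed stand-in for an nginx vhost with "listen 443;" but no "ssl":
# whatever arrives (here a TLS ClientHello) is treated as HTTP, so the
# client gets "HTTP/1.1 400 Bad Request" where it expected a ServerHello.
class PlainHttpOnTlsPort(socketserver.BaseRequestHandler):
    def handle(self):
        self.request.recv(4096)  # consume the ClientHello bytes
        self.request.sendall(b"HTTP/1.1 400 Bad Request\r\n"
                             b"Connection: close\r\n\r\n")


def start_misconfigured_origin():
    """Bind the stand-in on a free loopback port; returns (server, port)."""
    srv = socketserver.TCPServer(("127.0.0.1", 0), PlainHttpOnTlsPort)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def probe_origin(host, port, sni, timeout=3.0):
    """Replicate `openssl s_client -connect host:port -servername sni`.

    Verification is disabled (like curl -k or Cloudflare's Full mode): the
    question is only whether the origin speaks TLS and presents a cert.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=sni) as tls:
                der = tls.getpeercert(binary_form=True) or b""
                return {"status": "tls-ok", "cert_der_len": len(der)}
    except ssl.SSLError as exc:
        # OpenSSL reads "HTTP/..." as a TLS record header and reports
        # WRONG_VERSION_NUMBER: the port is open but is not speaking TLS.
        reason = (getattr(exc, "reason", None) or str(exc)).upper()
        if "WRONG_VERSION_NUMBER" in reason:
            return {"status": "plaintext-on-tls-port", "detail": reason}
        return {"status": "tls-error", "detail": reason}
    except OSError as exc:  # refused, timed out, unreachable
        return {"status": "connect-error", "detail": str(exc)}


if __name__ == "__main__":
    srv, port = start_misconfigured_origin()
    print(probe_origin("127.0.0.1", port, "grouphug.peachbitcoin.com"))
    srv.shutdown()
    srv.server_close()
```

A "plaintext-on-tls-port" result is the programmatic form of the "wrong version number" line in the s_client output above; once the listener is changed to `listen 443 ssl;` the same probe returns "tls-ok" with a non-zero certificate length.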

Ahh… “the devil is in the details” my friend. Everything working now, thank you for your close review of the nginx :pray: . We can close this issue, thank you for the support guys.

2 Likes

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.