SSL redirect in nodejs (express)? (Not in nginx anyway)

I have two URLs: corballis.co.uk and sarahcorballis.co.uk. The latter is not a Ghost site but just a plain old static html site. Until a few days ago the latter one worked but the former was very broken and sad. Now, neither works and I suspect it's something to do with the steps taken to fix the Ghost installation.

This is the error I get if I run curl http://corballis.co.uk:

LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to www.corballis.co.uk:443

and in the nginx error log, I get:

[error] 21542#21542: *1 no “ssl_certificate” is defined in server listening on SSL port while SSL handshaking, client: 192.168.178.1, server: 0.0.0.0:443

Next, I tried to create SSL certs using certbot but the challenges fail:

Performing the following challenges:
http-01 challenge for corballis.co.uk
http-01 challenge for sarahcorballis.com
http-01 challenge for www.corballis.co.uk
http-01 challenge for www.sarahcorballis.com
Waiting for verification…
Challenge failed for domain sarahcorballis.com
Challenge failed for domain corballis.co.uk
Challenge failed for domain www.corballis.co.uk
Challenge failed for domain www.sarahcorballis.com
http-01 challenge for sarahcorballis.com
http-01 challenge for corballis.co.uk
http-01 challenge for www.corballis.co.uk
http-01 challenge for www.sarahcorballis.com
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

* The following errors were reported by the server:

  Domain: sarahcorballis.com
  Type: connection
  Detail: Fetching http://sarahcorballis.com/.well-known/acme-challenge/xxxx: Connection refused

  Domain: corballis.co.uk
  Type: connection
  Detail: Fetching http://corballis.co.uk/.well-known/acme-challenge/xxxx: Connection refused

  Domain: www.corballis.co.uk
  Type: connection
  Detail: Fetching http://www.corballis.co.uk/.well-known/acme-challenge/xxxx: Timeout during connect (likely firewall problem)

  Domain: www.sarahcorballis.com
  Type: connection
  Detail: Fetching http://www.sarahcorballis.com/.well-known/acme-challenge/nxxxx: Timeout during connect (likely firewall problem)

So, I ran wget on localhost twice and can see that I'm getting a 301 redirect, though I can't find a return or rewrite in the nginx config file, so that's confusing.

Here’s the output running wget on localhost:2368

--2021-01-02 20:30:03-- http://localhost:2368/
Resolving localhost (localhost)… ::1, 127.0.0.1
Connecting to localhost (localhost)|::1|:2368… failed: Connection refused.
Connecting to localhost (localhost)|127.0.0.1|:2368… connected.
HTTP request sent, awaiting response… 301 Moved Permanently
Location: https://localhost:2368/ [following]
--2021-01-02 20:30:03-- https://localhost:2368/
Connecting to localhost (localhost)|127.0.0.1|:2368… connected.
GnuTLS: An unexpected TLS packet was received.
Unable to establish SSL connection.

and here it is when running wget on localhost:80

--2021-01-02 20:24:39-- http://localhost/
Resolving localhost (localhost)… ::1, 127.0.0.1
Connecting to localhost (localhost)|::1|:80… connected.
HTTP request sent, awaiting response… 301 Moved Permanently
Location: https://localhost/ [following]
--2021-01-02 20:24:39-- https://localhost/
Connecting to localhost (localhost)|::1|:443… connected.
GnuTLS: The TLS connection was non-properly terminated.
Unable to establish SSL connection.

Not much difference there, but when I run wget localhost:443 I get

Resolving localhost (localhost)… ::1, 127.0.0.1
Connecting to localhost (localhost)|::1|:443… connected.
HTTP request sent, awaiting response… Read error (Connection reset by peer) in headers.
Retrying.

(It retries 20 times before giving up)

My guess is there's a redirect from port 80 to 443. This is a good idea if SSL is up and running but would seem to be a bad idea when it's not, because it (and this is a guess) means certbot can't do a successful challenge as it is rerouted to 443, which isn't yet working. So, I think (guess, pray) that the thing is to track down how the redirect is occurring and temporarily disable it. But a search for "res.redirect" on my system literally throws up hundreds of responses, so I wouldn't know where to start.

One final point to note is that in desperation, I did create a new directory earlier on and did a ghost install local which produced a development site that worked. I have since deleted that but I wonder if it made a change somewhere that is causing the issue? Again, just a guess.

Here is the output of nginx -T

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

configuration file /etc/nginx/nginx.conf:

user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
    worker_connections 768;
    # multi_accept on;
}

http {

    ##
    # Basic Settings
    ##

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    server_tokens off;

    server_names_hash_bucket_size 64;
    # server_name_in_redirect off;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    ##
    # SSL Settings
    ##

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
    ssl_prefer_server_ciphers on;
    #
    # Next two lines added by me on 2 Jan 2021 to try and resolve Cloudflare 521 issue
    # (successful but replaced by current issue)
    ssl_client_certificate /etc/nginx/ssl/cloudflare.crt;
    ssl_verify_client on;

    ##
    # Logging Settings
    ##

    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    ##
    # Gzip Settings
    ##

    gzip on;
    gzip_disable "msie6";

    # gzip_vary on;
    # gzip_proxied any;
    # gzip_comp_level 6;
    # gzip_buffers 16 8k;
    # gzip_http_version 1.1;
    # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
    # gzip_types text/html text/plain text/css image/*;

    ##
    # Virtual Host Configs
    ##

    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;

}

configuration file /etc/nginx/modules-enabled/50-mod-http-auth-pam.conf:

load_module modules/ngx_http_auth_pam_module.so;

configuration file /etc/nginx/modules-enabled/50-mod-http-dav-ext.conf:

load_module modules/ngx_http_dav_ext_module.so;

configuration file /etc/nginx/modules-enabled/50-mod-http-echo.conf:

load_module modules/ngx_http_echo_module.so;

configuration file /etc/nginx/modules-enabled/50-mod-http-geoip.conf:

load_module modules/ngx_http_geoip_module.so;

configuration file /etc/nginx/modules-enabled/50-mod-http-image-filter.conf:

load_module modules/ngx_http_image_filter_module.so;

configuration file /etc/nginx/modules-enabled/50-mod-http-subs-filter.conf:

load_module modules/ngx_http_subs_filter_module.so;

configuration file /etc/nginx/modules-enabled/50-mod-http-upstream-fair.conf:

load_module modules/ngx_http_upstream_fair_module.so;

configuration file /etc/nginx/modules-enabled/50-mod-http-xslt-filter.conf:

load_module modules/ngx_http_xslt_filter_module.so;

configuration file /etc/nginx/modules-enabled/50-mod-mail.conf:

load_module modules/ngx_mail_module.so;

configuration file /etc/nginx/modules-enabled/50-mod-stream.conf:

load_module modules/ngx_stream_module.so;

configuration file /etc/nginx/mime.types:

types {
text/html                             html htm shtml;
text/css                              css;
text/xml                              xml;
image/gif                             gif;
image/jpeg                            jpeg jpg;
application/javascript                js;
application/atom+xml                  atom;
application/rss+xml                   rss;

text/mathml                           mml;
text/plain                            txt;
text/vnd.sun.j2me.app-descriptor      jad;
text/vnd.wap.wml                      wml;
text/x-component                      htc;

image/png                             png;
image/tiff                            tif tiff;
image/vnd.wap.wbmp                    wbmp;
image/x-icon                          ico;
image/x-jng                           jng;
image/x-ms-bmp                        bmp;
image/svg+xml                         svg svgz;
image/webp                            webp;

application/font-woff                 woff;
application/java-archive              jar war ear;
application/json                      json;
application/mac-binhex40              hqx;
application/msword                    doc;
application/pdf                       pdf;
application/postscript                ps eps ai;
application/rtf                       rtf;
application/vnd.apple.mpegurl         m3u8;
application/vnd.ms-excel              xls;
application/vnd.ms-fontobject         eot;
application/vnd.ms-powerpoint         ppt;
application/vnd.wap.wmlc              wmlc;
application/vnd.google-earth.kml+xml  kml;
application/vnd.google-earth.kmz      kmz;
application/x-7z-compressed           7z;
application/x-cocoa                   cco;
application/x-java-archive-diff       jardiff;
application/x-java-jnlp-file          jnlp;
application/x-makeself                run;
application/x-perl                    pl pm;
application/x-pilot                   prc pdb;
application/x-rar-compressed          rar;
application/x-redhat-package-manager  rpm;
application/x-sea                     sea;
application/x-shockwave-flash         swf;
application/x-stuffit                 sit;
application/x-tcl                     tcl tk;
application/x-x509-ca-cert            der pem crt;
application/x-xpinstall               xpi;
application/xhtml+xml                 xhtml;
application/xspf+xml                  xspf;
application/zip                       zip;

application/octet-stream              bin exe dll;
application/octet-stream              deb;
application/octet-stream              dmg;
application/octet-stream              iso img;
application/octet-stream              msi msp msm;

application/vnd.openxmlformats-officedocument.wordprocessingml.document    docx;
application/vnd.openxmlformats-officedocument.spreadsheetml.sheet          xlsx;
application/vnd.openxmlformats-officedocument.presentationml.presentation  pptx;

audio/midi                            mid midi kar;
audio/mpeg                            mp3;
audio/ogg                             ogg;
audio/x-m4a                           m4a;
audio/x-realaudio                     ra;

video/3gpp                            3gpp 3gp;
video/mp2t                            ts;
video/mp4                             mp4;
video/mpeg                            mpeg mpg;
video/quicktime                       mov;
video/webm                            webm;
video/x-flv                           flv;
video/x-m4v                           m4v;
video/x-mng                           mng;
video/x-ms-asf                        asx asf;
video/x-ms-wmv                        wmv;
video/x-msvideo                       avi;

}

configuration file /etc/nginx/sites-enabled/corballis.co.uk:

server {
    listen 80;
    listen [::]:80;
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name corballis.co.uk www.corballis.co.uk;
    root /var/www/corballis.co.uk/system/nginx-root;

    location / {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $http_host;
        proxy_pass http://127.0.0.1:2368;
    }

    location ~ /.well-known {
        allow all;
    }

    client_max_body_size 50m;

}

configuration file /etc/nginx/sites-enabled/sarahcorballis.com:

server {
    listen 80;
    listen [::]:80;
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name sarahcorballis.com www.sarahcorballis.com;
    root /var/www/sarahcorballis.com/;

    index index.html;

    try_files $uri $uri/ /index.html;

    location ~ /.well-known {
        allow all;
    }

    client_max_body_size 50m;

}

I was serving the site using Cloudflare but have temporarily paused Cloudflare on both sites whilst I try to get to the bottom of the current issue.
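A pre-flight check for the HTTP-01 path, added here as an example and not part of the original post. It reproduces with curl and openssl what the Let's Encrypt validator does: fetch http://HOST/.well-known/acme-challenge/TOKEN on port 80 and classify the answer the way the validator experiences it. The validator does follow a 301 to https (without checking the certificate), so a redirect to port 443 is only a problem when 443 cannot complete a handshake, which is exactly what "no ssl_certificate is defined" produces; "Connection refused" and "Timeout during connect" in the certbot output mean the validator never reached port 80 at all. The token name probe-token is made up; the curl exit codes 7 (could not connect) and 28 (timeout) are curl's own.

```shell
#!/bin/sh
# Added example, not from the original post: pre-flight for an HTTP-01 challenge.
# For each hostname given on the command line it fetches the ACME challenge path
# over plain HTTP without following redirects, classifies the result the way the
# validator would experience it, and then attempts a TLS handshake on port 443.
# "probe-token" is a made-up token name; the real one is chosen by the CA.
set -u

PROBE_PATH="/.well-known/acme-challenge/probe-token"

# classify_http01 CURL_EXIT HTTP_STATUS LOCATION
# Prints one verdict word. curl exit 7 = could not connect (port closed or not
# forwarded by the router), 28 = timeout (typically a firewall dropping packets).
classify_http01() {
    curl_rc=$1; status=$2; location=$3
    case "$curl_rc" in
        0)  ;;
        7)  echo refused; return 0 ;;
        28) echo timeout; return 0 ;;
        *)  echo "curl-error-$curl_rc"; return 0 ;;
    esac
    case "$status" in
        # 404 is the expected answer for a token that does not exist yet: it
        # proves port 80 reaches a server that will serve the webroot.
        200|404) echo ok ;;
        301|302|307|308)
            case "$location" in
                # The validator follows this, so port 443 must then handshake
                # and serve the token; a 443 listener with no certificate fails here.
                https://*) echo redirect-https ;;
                *)         echo redirect-other ;;
            esac ;;
        *) echo "http-$status" ;;
    esac
}

# probe_http01 HOST: run the plain-HTTP fetch (no -L, so redirects are reported,
# not followed) and classify it.
probe_http01() {
    host=$1
    rc=0
    out=$(curl -s -o /dev/null --max-time 10 \
             -w '%{http_code} %{redirect_url}' "http://$host$PROBE_PATH" 2>/dev/null) || rc=$?
    status=${out%% *}
    location=${out#* }
    if [ "$location" = "$out" ]; then location=""; fi
    classify_http01 "$rc" "$status" "$location"
}

# probe_tls HOST: does port 443 complete a TLS handshake for this SNI name?
# Certificate trust is deliberately not checked; the question is only whether
# a server certificate is presented at all.
probe_tls() {
    host=$1
    if printf '' | openssl s_client -connect "$host:443" -servername "$host" >/dev/null 2>&1; then
        echo tls-ok
    else
        echo tls-failed
    fi
}

main() {
    for host in "$@"; do
        printf '%-26s http-01: %-16s port 443: %s\n' \
            "$host" "$(probe_http01 "$host")" "$(probe_tls "$host")"
    done
}

# Only probe when hostnames are given, so the functions can be sourced for testing.
[ "$#" -eq 0 ] || main "$@"
```

Run it as `sh acme-preflight.sh corballis.co.uk www.corballis.co.uk sarahcorballis.com www.sarahcorballis.com`, once on the server and once from a machine outside the LAN. A result of `ok` or `redirect-https` locally but `refused` or `timeout` from outside means the problem is in front of nginx (port forwarding or a firewall) rather than in the redirect; the private address 192.168.178.1 as the client in the nginx error log is consistent with traffic arriving through a NAT router. `redirect-https` together with `tls-failed` is the configuration in the post: port 80 answers, but the validator is sent on to a 443 listener that cannot present a certificate.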
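A corrected pair of server blocks for the Ghost site, added here as an example; it is neither the poster's configuration nor anything Ghost-CLI generates. It assumes certificates issued by certbot into its default layout under /etc/letsencrypt/live/corballis.co.uk/ and a dedicated ACME webroot at /var/www/letsencrypt; both paths are assumptions, not values from the post. What it shows: port 80 keeps answering the challenge path before redirecting anything else, `listen 443 ssl` appears only in a block that names a certificate (the posted config has `listen 443 ssl` with no `ssl_certificate`, which is what the nginx error reports), and the Cloudflare client-certificate directives are kept out of the http{} level.

```nginx
# Added example, not the poster's config. Assumed paths: certbot's default
# /etc/letsencrypt/live/<name>/ layout and an ACME webroot at /var/www/letsencrypt.

# Port 80: serve ACME challenges from the webroot, redirect everything else.
server {
    listen 80;
    listen [::]:80;
    server_name corballis.co.uk www.corballis.co.uk;

    # ^~ wins over the regex and prefix locations below, so the validator is
    # never redirected for this path.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
        default_type text/plain;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

# Port 443: only in a block that actually has a certificate to present.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name corballis.co.uk www.corballis.co.uk;

    ssl_certificate     /etc/letsencrypt/live/corballis.co.uk/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/corballis.co.uk/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;

    # Cloudflare Authenticated Origin Pulls belong here, per server, and only
    # while Cloudflare is proxying the site. At http{} level, with Cloudflare
    # paused, nginx demands a client certificate from every browser and from
    # the ACME validator and answers with 400 when none is sent.
    # ssl_client_certificate /etc/nginx/ssl/cloudflare.crt;
    # ssl_verify_client on;

    location / {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $http_host;
        proxy_pass http://127.0.0.1:2368;
    }

    client_max_body_size 50m;
}
```

With the port 80 block in place and reachable from the internet, the certificate can be issued without touching the Ghost process: `certbot certonly --webroot -w /var/www/letsencrypt -d corballis.co.uk -d www.corballis.co.uk`, then `nginx -t && systemctl reload nginx`; sarahcorballis.com gets the same 80/443 split with its static root. The 301 seen on port 2368 is Ghost's own: when the `url` in config.production.json is https, Ghost redirects any request that does not arrive with `X-Forwarded-Proto: https`, which is why no `return` or `rewrite` shows up in the nginx files and why the `proxy_set_header X-Forwarded-Proto $scheme` line matters once nginx terminates TLS.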