JP:

Good morning!

Long-time turnkeylinux user here.

I'm having a strange issue forcing SSL - I've included this in my rewrite rules in the virtual host conf; however, it won't force SSL. If I manually visit the website using http and specify a certain page, it still allows me to connect insecurely and won't force SSL. Is there something I am missing here?

#Redirect HTTP to HTTPS
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Another strange issue is that I'm not able to perform an SSL test. SSL Labs indicates "Assessment failed: Failed to obtain certificate"

I have configured LetsEncrypt via confconsole - all is working well in many browsers.

I appreciate any help!

Here is the site in question:

https://staging.annemarieninaphotography.com

SSLLabs page that fails:

https://www.ssllabs.com/ssltest/analyze.html?d=staging.annemarieninaphotography.com&hideResults=on

JP:

I'm also noticing the website times out intermittently since adding the SSL - mostly when working inside WordPress.

JP:

I think I am getting closer - I had to perform a SNAT and make sure the IP address matched. Upon re-issuing the certificate with confconsole, the test worked partially.

SSLLabs gets part way through the test, and then says "Assessment failed: Unexpected failure"

Jeremy Davis:

I had never heard of SNAT before, so I had to do a google. According to Wikipedia, whilst it's related to NAT (network address translation), 'SNAT' is not actually a generic term and the 'S' can have a number of alternate meanings, depending on context... The wiki page notes 4 things the 'S' may stand for: 'source', 'stateful', 'static' and/or 'secure'.

Just thought I'd share. :)

Jeremy Davis:

TBH, I'm not an Apache expert, but I've not had any success with a generic redirect. However, this block works (with a hardcoded domain - I've substituted yours here):

<VirtualHost *:80>
    # other stuff here...
    RewriteEngine On
    RewriteCond %{HTTPS} !=on
    RewriteRule ^/(.*) https://staging.annemarieninaphotography.com/$1 [R,L]
</VirtualHost>

Once in production you'd likely want to implement a 301 redirect, but personally, I prefer to leave that out while in development... (once you've created a 301 it's a PITA if you decide later you want to change it).

Re SSL Labs failure, that is a strange one, and TBH I don't understand. On my end, it's still failing (almost instantly). I checked a couple of other free online SSL/TLS testers and most of them failed too, although SSLShopper (not sure of their pedigree...) reports all is well. The Digicert test initially failed, but I noticed that if I explicitly retried with the leading "https://", then it worked. It displayed mostly green ticks, although there was one "error" noted: "An unknown error occurred while scanning for the Heartbleed Bug."

I do recall that SSL Labs used to only accept 'www.' prefixed subdomains (and in the notes, it says that's still the case), but I just checked the Hub (hub.turnkeylinux.org) and that works fine. See here:
https://www.ssllabs.com/ssltest/analyze.html?d=hub.turnkeylinux.org

I can't at all be sure, but I suspect that it may be related to your redirect? It clearly isn't working as intended (I can browse the site via plain http without being redirected), but perhaps it is doing something? Something which browsers can recover from/work around, but not more specific tools? I'm only guessing though...

Also the timing out that you note doesn't sound ideal. It may be related to the above issues too perhaps? FWIW, in my brief checks, your site appears to be loading fine for me. (Loads fine in Chrome and no lost packets via ping; Dig DNS checks out fine, etc).

If you haven't already, I would suggest that you try checking the Apache logs (/var/log/apache2/) to see if perhaps there are any hints there? I'd also be trying to get some info on the server resource state at the time when the timeouts occur. E.g. ping times, CPU & RAM usage. Checking the journal (or syslog) might also be of value? Perhaps there is something else occurring which is indirectly causing the issue (or at least contributing)?
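One way to confirm from a terminal that plain HTTP is actually being redirected (and to where), as an added example that is not part of the thread: pipe the headers from `curl -sI` against the http:// URL into the function below. The hostname used in the comments is a constructed placeholder, not the poster's site.

```shell
#!/usr/bin/env bash
# Added example: check that a plain-HTTP response redirects to HTTPS and
# keeps the requested host and path. Usage (placeholder hostname):
#   curl -sI http://staging.example.com/wp-login.php \
#     | check_https_redirect http://staging.example.com/wp-login.php
# Exit codes: 0 = correct redirect, 1 = no/insecure redirect, 2 = wrong target.
check_https_redirect() {
    local requested="$1"              # the http:// URL that was requested
    local headers status location expected
    headers=$(tr -d '\r')             # raw response headers arrive on stdin; drop CRs
    status=$(printf '%s\n' "$headers" | head -n 1 | awk '{print $2}')
    location=$(printf '%s\n' "$headers" | awk 'tolower($1)=="location:" {print $2; exit}')
    expected="https://${requested#http://}"   # same host and path, https scheme

    # A 200 here is the symptom from the original post: the page is served
    # over plain HTTP and nothing forces HTTPS.
    case "$status" in
        301|302|307|308) ;;
        *) echo "FAIL: status '$status' is not a redirect; site still served over plain HTTP"
           return 1 ;;
    esac
    # A redirect that lands back on http:// (or has no Location) is not a fix.
    case "$location" in
        https://*) ;;
        *) echo "FAIL: Location '$location' is not an https:// URL"
           return 1 ;;
    esac
    # A hardcoded-domain rule like the one above can send visitors to a
    # different host than the one they asked for; flag that separately.
    if [ "$location" != "$expected" ]; then
        echo "WARN: redirect target $location differs from expected $expected"
        return 2
    fi
    echo "OK: $status -> $location"
    return 0
}
```

Run it against a deep link as well as the home page, since WordPress's own "site URL" setting can mask a missing Apache redirect on some pages but not others.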

JP:

Hi Jeremy - thanks for the response!

Strange, this is how I was trying to do the redirect before:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

The WordPress settings are set to https, so that's why the other links were redirecting back to SSL - but with your rules I'm able to see the https forcing on the homepage now - so thank you! Not sure why the above wasn't working. I had the above rules commented out entirely for the purposes of these tests.

As for the SNAT, that's simply because the site is behind an F5 LTM - I'm passing traffic through layer 4, so the LTM isn't actually doing anything but passing traffic through, allowing the turnkeylinux VM to handle SSL, and also resolve to the correct IP to match the A record for LetsEncrypt purposes.

What's strange is that I see the timeouts happening mostly on mobile - my phone will tell me that the site timed out. If I disable SSL, it seems to work fine. What's even stranger is that this site is hosted in my data center with a variety of other sites, but this is the only one I'm having trouble with. The only factor that's different here is that I'm using LetsEncrypt. Seems totally fine on desktop browsers.

I can enable debug logging for Apache; I don't see anything in the error logs that indicates a forced shutdown. I've also tuned Apache for performance and run the apache2buddy tool, and all reports well.

Is there a way to enable debug logging in the webmin interface? I mostly use a terminal.

I appreciate your help! Have a great weekend.

JP:

My apologies - this had nothing to do with LetsEncrypt - it was the virtual server type on the BigIP LTM. Changed it from forwarding (layer 4) to forwarding (http) and all is well! It must have something to do with the profile associated with the VIP. I can play around with the protocol profiles and see if I can get it working otherwise.


Cheers!

Jeremy Davis:

Glad to hear you worked it out. :)
