Problem when reconfiguring Nginx for SSL with self-signed certificate

Posted by Frank_Mascarell 
I have a VPS on Digital Ocean with Ubuntu 18.04, Nginx, Gunicorn, Django,
and a test web application, all configured (ufw) to work with http: 80.
Everything works perfectly. Tutorial:
https://www.digitalocean.com/community/tutorials/how-to-set-up-django-with-postgres-nginx-and-gunicorn-on-ubuntu-18-04#configure-nginx-to-proxy-pass-to-gunicorn

Now I modify the file /sites-available/LibrosWeb to allow SSL traffic with a
self-signed certificate, since I do not have a domain.
Tutorial:
https://www.digitalocean.com/community/tutorials/how-to-create-a-self-signed-ssl-certificate-for-nginx-in-ubuntu-18-04

Result "Error 502 Bad Gateway".

This is the initial code that works well with http: 80:

server {
    # http configuration

    listen 80;
    listen [::]:80;
    server_name 15.15.15.15;

    location = /favicon.ico { access_log off; log_not_found off; }
    location /robots.txt {
        alias /var/www/LibrosWeb/robots.txt;
    }
    location /static/ {
        root /home/gela/LibrosWeb;
    }

    location / {
        include proxy_params;
        proxy_pass http://unix:/run/gunicorn.sock;
    }
}

And this is the code to allow SSL (error 502):

server {
    # SSL configuration

    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name 15.15.15.15;
    include snippets/self-signed.conf;
    include snippets/ssl-params.conf;

    location = /favicon.ico { access_log off; log_not_found off; }
    location /robots.txt {
        alias /var/www/LibrosWeb/robots.txt;
    }
    location /static/ {
        root /home/gela/LibrosWeb;
    }

    location / {
        include proxy_params;
        proxy_pass https://unix:/run/gunicorn.sock;
    }
}

server {
    # http configuration

    listen 80;
    listen [::]:80;
    server_name 15.15.15.15;
    return 302 https://15.15.15.15$request_uri;
}

UFW configured as:

80,443/tcp (Nginx Full) ALLOW IN Anywhere
80,443/tcp (Nginx Full (v6)) ALLOW IN Anywhere (v6)

The files /etc/nginx/snippets/self-signed.conf and
/etc/nginx/snippets/ssl-params.conf are the same as those in the tutorial.

I've been testing configurations for two days and the most I could get is
that it works halfway, that is, I can show the default page of Django but not
the one of my application, if I put the code like this:

server {
    # http configuration

    listen 80;
    listen [::]:80;
    server_name 15.15.15.15;
    return 302 https://15.15.15.15$request_uri;

    location = /favicon.ico { access_log off; log_not_found off; }
    location /robots.txt {
        alias /var/www/LibrosWeb/robots.txt;
    }
    location /static/ {
        root /home/gela/LibrosWeb;
    }
}

server {
    # SSL configuration

    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name 15.15.15.15;
    include snippets/self-signed.conf;
    include snippets/ssl-params.conf;

    location / {
        include proxy_params;
        proxy_pass https://unix:/run/gunicorn.sock;
    }
}
What is wrong, or what is missing?

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,281099,281099#msg-281099

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
On Tue, Sep 04, 2018 at 02:30:18PM -0400, Frank_Mascarell wrote:

Hi there,

> I have a VPS on Digital Ocean with Ubuntu 18.04, Nginx, Gunicorn, Django,
> and a test web application, all configured (ufw) to work with http: 80.
> Everything works perfectly.

> Now I modify the file /sites-available/LibrosWeb to allow SSL traffic with a
> self-signed certificate, since I do not have a domain.

> Result "Error 502 Bad Gateway".

> This is the initial code that works well with http: 80:

> location / {
> include proxy_params;
> proxy_pass http://unix:/run/gunicorn.sock;
> }

> And this is the code to allow SSL (error 502):

> location / {
> include proxy_params;
> proxy_pass https://unix:/run/gunicorn.sock;
> }

Unless you changed something on the gunicorn side, you almost certainly
want to use http, not https, to the socket.

So change the proxy_pass back to what it was.


The first tutorial you linked to does include some troubleshooting
tips. If you still have a problem, including the output from the nginx
parts of those will probably help the next person.

Good luck with it,

f
--
Francis Daly francis@daoine.org
I have also tried the proxy_pass as http, with the same error.
This is like finding a needle in a pocket: stressful and disappointing.


# systemctl status gunicorn
● gunicorn.service - gunicorn daemon
   Loaded: loaded (/etc/systemd/system/gunicorn.service; disabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Wed 2018-09-05 20:34:38 UTC; 12min ago
  Process: 8842 ExecStart=/home/gela/.virtualenvs/django20/bin/gunicorn --access-logfile - --workers 3 --bind unix:/run/gunicorn.sock LibrosWeb.wsgi:application (code=exited, status=1/FAILURE)
 Main PID: 8842 (code=exited, status=1/FAILURE)

sep 05 20:34:38 BaseVPS-ubuntu1804-django20 gunicorn[8842]: self.stop()
sep 05 20:34:38 BaseVPS-ubuntu1804-django20 gunicorn[8842]: File "/home/gela/.virtualenvs/django20/lib/python3.6/site-packages/gunicorn/arbiter.py", line 393, in stop
sep 05 20:34:38 BaseVPS-ubuntu1804-django20 gunicorn[8842]: time.sleep(0.1)
sep 05 20:34:38 BaseVPS-ubuntu1804-django20 gunicorn[8842]: File "/home/gela/.virtualenvs/django20/lib/python3.6/site-packages/gunicorn/arbiter.py", line 245, in handle_chld
sep 05 20:34:38 BaseVPS-ubuntu1804-django20 gunicorn[8842]: self.reap_workers()
sep 05 20:34:38 BaseVPS-ubuntu1804-django20 gunicorn[8842]: File "/home/gela/.virtualenvs/django20/lib/python3.6/site-packages/gunicorn/arbiter.py", line 525, in reap_workers
sep 05 20:34:38 BaseVPS-ubuntu1804-django20 gunicorn[8842]: raise HaltServer(reason, self.WORKER_BOOT_ERROR)
sep 05 20:34:38 BaseVPS-ubuntu1804-django20 gunicorn[8842]: gunicorn.errors.HaltServer: <HaltServer 'Worker failed to boot.' 3>
sep 05 20:34:38 BaseVPS-ubuntu1804-django20 systemd[1]: gunicorn.service: Main process exited, code=exited, status=1/FAILURE
sep 05 20:34:38 BaseVPS-ubuntu1804-django20 systemd[1]: gunicorn.service: Failed with result 'exit-code'.

# systemctl status gunicorn.socket
Failed to dump process list, ignoring: No such file or directory
● gunicorn.socket - gunicorn socket
   Loaded: loaded (/etc/systemd/system/gunicorn.socket; enabled; vendor preset: enabled)
   Active: active (listening) since Wed 2018-09-05 20:34:37 UTC; 13min ago
   Listen: /run/gunicorn.sock (Stream)
   CGroup: /system.slice/gunicorn.socket

sep 05 20:34:37 BaseVPS-ubuntu1804-django20 systemd[1]: Listening on gunicorn socket.

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,281099,281110#msg-281110

On Wed, Sep 05, 2018 at 04:49:19PM -0400, Frank_Mascarell wrote:

Hi there,

> I have also tried the proxy_pass as http, with the same error.

Can you run a command like "curl -v https://15.15.15.15/test", and show
the output that you get?

And if it is curl reporting that it does not like the certificate,
try again with

curl -k -v https://15.15.15.15/test

And if that shows that things are working, try the same with whatever
url you were using originally, until the problem shows.

> This is like finding a needle in a pocket: stressful and disappointing.

I suspect that the best way through it is to test one thing at a time,
and change one thing between tests.


https://www.digitalocean.com/community/tutorials/how-to-set-up-django-with-postgres-nginx-and-gunicorn-on-ubuntu-18-04

does have a section called "Nginx Is Displaying a 502 Bad Gateway
Error Instead of the Django Application", which sounds like what you
are reporting.

Its first question seems to be "what does the nginx log say?".

Good luck with it,

f
--
Francis Daly francis@daoine.org
# curl -v https://15.15.15.15/test
* Trying 15.15.15.15...
* TCP_NODELAY set
* Connected to 15.15.15.15 (15.15.15.15) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, Server hello (2):
* SSL certificate problem: self signed certificate
* Closing connection 0
curl: (60) SSL certificate problem: self signed certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

# tail -F /var/log/nginx/error.log
2018/09/05 13:41:02 [crit] 3975#3975: *38 SSL_do_handshake() failed (SSL: error:1417D102:SSL routines:tls_process_client_hello:unsupported protocol) while SSL handshaking, client: 221.212.99.106, server: 0.0.0.0:443
2018/09/05 13:41:03 [crit] 3975#3975: *39 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 221.212.99.106, server: 0.0.0.0:443
2018/09/05 16:19:31 [crit] 3975#3975: *48 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 198.108.66.16, server: 0.0.0.0:443
2018/09/05 18:20:12 [error] 3975#3975: *52 connect() to unix:/run/gunicorn.sock failed (111: Connection refused) while connecting to upstream, client: 139.162.116.133, server: 15.15.15.15, request: "GET / HTTP/1.1", upstream: "http://unix:/run/gunicorn.sock:/", host: "15.15.15.15"
2018/09/05 19:45:39 [crit] 3975#3975: *56 SSL_do_handshake() failed (SSL: error:1417D102:SSL routines:tls_process_client_hello:unsupported protocol) while SSL handshaking, client: 80.82.70.118, server: 0.0.0.0:443

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,281099,281112#msg-281112

On Wed, Sep 05, 2018 at 06:51:38PM -0400, Frank_Mascarell wrote:

Hi there,

> [email protected]:~# curl -v https://15.15.15.15/test

> * SSL certificate problem: self signed certificate
> * Closing connection 0
> curl: (60) SSL certificate problem: self signed certificate

Ok, that's useful. It is not the 502 error, but it is something.

This is "the client (curl) does not like the fact that the server is
presenting a self-signed certificate".

One way to tell the client to accept the certificate is to add " -k"
to the command line.

However, the older nginx log entry...

> 2018/09/05 18:20:12 [error] 3975#3975: *52 connect() to
> unix:/run/gunicorn.sock failed (111: Connection refused) while connecting to

suggests that at that time, nginx was unable to connect to gunicorn.

That is usually a configuration (access control) problem outside of
nginx's control; if that problem persists, you may want to check the
gunicorn config or logs to see what it thinks is happening.

> upstream, client: 139.162.116.133, server: 15.15.15.15, request: "GET /
> HTTP/1.1", upstream: "http://unix:/run/gunicorn.sock:/", host:
> "15.15.15.15"

Good luck with it,

f
--
Francis Daly francis@daoine.org
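Francis's reading of the error.log above, that the SSL_do_handshake() entries are unrelated TLS-version noise while the connect() "Connection refused" entry is the actual 502 cause, turned into a small triage script. This is an added example, not code from the thread or from nginx; the log format is assumed to be nginx's default error_log layout, and the sample lines are constructed from the shapes posted above with documentation IP addresses substituted.

```python
import re
from collections import Counter

# Default nginx error_log line: "<date> <time> [level] <pid>#<tid>: *<conn> <message>"
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\] '
    r'\d+#\d+: \*\d+ (?P<msg>.*)$'
)

# Next step per bucket, matching the advice given in the thread
HINTS = {
    'tls_handshake_rejected': 'client offered a TLS version/protocol the server rejects; '
                              'usually scanner noise, not the cause of a 502',
    'upstream_connect_refused': 'nothing is accepting on the upstream socket; '
                                'check the gunicorn service and socket units',
}


def classify(msg: str) -> str:
    """Map one nginx error message to a triage bucket."""
    if 'SSL_do_handshake() failed' in msg:
        return 'tls_handshake_rejected'
    if 'connect() to' in msg and 'Connection refused' in msg:
        return 'upstream_connect_refused'
    return 'other'


def triage(log_text: str) -> dict:
    """Count each bucket and collect the upstreams nginx could not reach."""
    counts = Counter()
    refused = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip wrapped or non-nginx lines
        kind = classify(m['msg'])
        counts[kind] += 1
        if kind == 'upstream_connect_refused':
            u = re.search(r'connect\(\) to (\S+) failed', m['msg'])
            if u:
                refused.add(u.group(1))
    return {'counts': dict(counts), 'refused_upstreams': sorted(refused),
            'hints': [HINTS[k] for k in counts if k in HINTS]}


# Constructed sample in the shape of the log posted in the thread
SAMPLE_LOG = """\
2018/09/05 13:41:02 [crit] 3975#3975: *38 SSL_do_handshake() failed (SSL: error:1417D102:SSL routines:tls_process_client_hello:unsupported protocol) while SSL handshaking, client: 192.0.2.10, server: 0.0.0.0:443
2018/09/05 16:19:31 [crit] 3975#3975: *48 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 192.0.2.11, server: 0.0.0.0:443
2018/09/05 18:20:12 [error] 3975#3975: *52 connect() to unix:/run/gunicorn.sock failed (111: Connection refused) while connecting to upstream, client: 192.0.2.12, server: 15.15.15.15, request: "GET / HTTP/1.1", upstream: "http://unix:/run/gunicorn.sock:/", host: "15.15.15.15"
"""

if __name__ == '__main__':
    print(triage(SAMPLE_LOG))
```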
Greetings, I think my days of suffering are over. After reading hundreds of
logs, I found the problem. An update of Whitenoise to 4.0, which requires
changing the form of the configuration, caused the gunicorn service to throw
errors with my old configuration. The rest is all right.

http://whitenoise.evans.io/en/stable/django.html#django-middleware

Francis Daly thanks for the help.
Good day.

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,281099,281128#msg-281128

On Sat, Sep 08, 2018 at 11:25:32PM -0400, Frank_Mascarell wrote:

Hi there,

> I found the problem. An update of Whitenoise to 4.0, which requires
> changing the form of the configuration, caused the gunicorn service to throw
> errors with my old configuration. The rest is all right.
>
> http://whitenoise.evans.io/en/stable/django.html#django-middleware

Good that you found and fixed the problem.

And thanks for sharing the answer with the mailing list -- the next
person with the same problem will be very happy to take advantage of
your response.

Cheers,

f
--
Francis Daly francis@daoine.org