I have an nginx server functioning as a reverse proxy. It sits behind Cloudflare.
The website is functioning fine (there are no errors on the browser), but there are lots of warnings in the logs like this:
[info] 1187517#1187517: *2446393 SSL_do_handshake() failed (SSL: error:0A000412:SSL routines::sslv3 alert bad certificate:SSL alert number 42) while SSL handshaking, client: 127.0.0.1, server: 0.0.0.0:443
Here is a section from my configuration file:
server {
    server_name rawumberstudios.com;
    ssl_session_timeout 1440m;
    ssl_session_tickets off;
    ssl_prefer_server_ciphers off;
    #SSL configuration
    listen 443 ssl default_server http2;
    client_max_body_size 25M;
    ssl_certificate /etc/letsencrypt/live/rawumberstudios.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/rawumberstudios.com/privkey.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS:!3DES';
And here is a dump from OpenSSL of fullchain.pem:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            03:16:40:3f:f1:da:26:af:e4:1b:63:ee:a2:86:5f:4b:4e:7c
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = Let's Encrypt, CN = R3
        Validity
            Not Before: Apr 13 06:21:46 2023 GMT
            Not After : Jul 12 06:21:45 2023 GMT
        Subject: CN = rawumberstudios.com
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:a3:8a:74:29:01:22:bd:bd:25:43:84:50:5d:9d:
                    a6:81:aa:ec:13:54:5a:f2:0b:40:5a:37:40:84:fe:
                    25:30:b9:00:7f:ee:0d:8e:74:72:69:14:4d:09:fd:
                    bd:75:87:ed:17:47:fa:e2:90:f1:30:8c:10:8b:b6:
                    14:40:3d:17:12
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                8E:B5:73:A4:06:A7:85:E8:7B:AA:1C:BC:11:49:42:9E:3D:4B:D7:69
            X509v3 Authority Key Identifier:
                14:2E:B3:17:B7:58:56:CB:AE:50:09:40:E6:1F:AF:9D:8B:14:C2:C6
            Authority Information Access:
                OCSP - URI:http://r3.o.lencr.org
                CA Issuers - URI:http://r3.i.lencr.org/
            X509v3 Subject Alternative Name:
                DNS:rawumberstudios.com
            X509v3 Certificate Policies:
                Policy: 2.23.140.1.2.1
                Policy: 1.3.6.1.4.1.44947.1.1.1
                  CPS: http://cps.letsencrypt.org
            CT Precertificate SCTs:
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : 7A:32:8C:54:D8:B7:2D:B6:20:EA:38:E0:52:1E:E9:84:
                                16:70:32:13:85:4D:3B:D2:2B:C1:3A:57:A3:52:EB:52
                    Timestamp : Apr 13 07:21:46.292 2023 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:44:02:20:03:FB:74:1E:71:D3:23:BD:EE:CA:ED:A9:
                                E5:0C:71:DF:2E:99:59:4E:70:38:47:B7:D9:85:34:18:
                                7F:4C:93:FA:02:20:7E:B4:E9:12:28:4A:8F:93:1D:80:
                                6A:42:5A:CA:11:F2:90:BF:6C:56:85:7B:D7:1C:C5:83:
                                1E:1D:6E:16:2C:1C
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : B7:3E:FB:24:DF:9C:4D:BA:75:F2:39:C5:BA:58:F4:6C:
                                5D:FC:42:CF:7A:9F:35:C4:9E:1D:09:81:25:ED:B4:99
                    Timestamp : Apr 13 07:21:46.288 2023 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:44:02:20:26:85:A2:02:B7:C5:AC:CB:D6:DB:6A:F0:
                                ED:7D:89:23:39:8D:28:21:B7:9F:A6:91:AD:89:CF:A9:
                                AE:BF:8D:10:02:20:4F:D2:44:3C:6C:2A:78:09:AB:D1:
                                18:DA:FD:84:5D:12:7A:3C:22:1A:6D:FD:D7:13:DC:27:
                                93:7D:BB:AA:49:3A
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        49:f6:b7:ba:6c:70:52:fa:e0:c5:8a:ba:06:96:65:b5:ef:1f:
        3c:15:ba:c0:ce:58:f1:12:d5:ab:cb:c3:68:f5:24:84:37:2a:
        09:6c:b4:fc:68:80:ab:03:ae:21:af:d2:1b:e6:4c:b8:1a:f6:
        0f:7d:bf:53:11:ca:cf:6b:e9:45:1d:c7:8d:8e:59:79:61:83:
        3d:02:8b:81:52:5e:16:2b:a6:c9:5a:f6:f6:ab:82:cd:4f:8f:
        07:c6:bf:89:08:81:5e:31:31:a2:f2:d5:78:48:90:d4:1c:00:
        06:57:bd:79:ac:df:ed:bd:6a:e5:36:38:56:74:67:36:80:a2:
        0b:b8:1b:b4:01:22:72:b8:45:6c:34:de:14:19:19:8f:2b:4e:
        78:2f:6c:59:c2:b4:0b:23:16:a0:70:60:a5:f5:81:63:79:39:
        88:ff:61:1e:5c:4a:44:6c:bf:43:40:f6:fe:d3:63:ca:0d:b0:
        16:4a:d5:79:91:1c:f0:18:02:d7:61:e7:a7:36:39:de:df:d4:
        34:30:f5:eb:85:bd:77:29:cf:37:71:ef:47:03:b3:d5:67:63:
        21:46:ad:e5:dd:c3:6c:7e:6a:ae:37:d7:7a:9e:9a:c9:e8:34:
        5d:7c:5d:9f:0b:28:e5:f4:ae:99:5b:7c:86:e1:d9:b6:c7:cb:
        19:78:c7:01
If anybody has any ideas, I'd really appreciate it!
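The log line in the question carries two facts worth pulling out before guessing at the cause. The OpenSSL 3 code 0A000412 packs library 20 (the SSL library) with reason 1042, and in that library a reason of 1000 + N means "received TLS alert N from the peer" (SSL_AD_REASON_OFFSET); 42 is bad_certificate in RFC 5246. So the alert was sent by the 127.0.0.1 client, which rejected the certificate nginx presented, not by nginx itself. The following Python triage script is an added example, not code from the question or from nginx or OpenSSL. It parses lines of the shape shown above, decodes the error code, names the alert and counts failures per client so the noisy source stands out; the sample log lines, timestamps and the non-loopback IP addresses in it are constructed for the demonstration.

```python
"""Triage nginx "SSL_do_handshake() failed" lines (added example, not from the post)."""
import re
from collections import Counter

# TLS alert descriptions relevant to certificate trouble (RFC 5246 s7.2.2, RFC 8446 s6).
TLS_ALERTS = {
    40: "handshake_failure",
    42: "bad_certificate",
    43: "unsupported_certificate",
    44: "certificate_revoked",
    45: "certificate_expired",
    46: "certificate_unknown",
    47: "illegal_parameter",
    48: "unknown_ca",
    49: "access_denied",
    50: "decode_error",
    51: "decrypt_error",
    70: "protocol_version",
    71: "insufficient_security",
    112: "unrecognized_name",
}

# OpenSSL 3 error codes pack (lib << 23) | reason.  In the SSL library (20), a
# reason of 1000 + N (SSL_AD_REASON_OFFSET) means "received TLS alert N from the peer".
ERR_LIB_SSL = 20
SSL_AD_REASON_OFFSET = 1000

LINE_RE = re.compile(
    r"SSL_do_handshake\(\) failed \(SSL: error:(?P<code>[0-9A-Fa-f]{8}):"
    r"(?P<text>[^)]*?)(?::SSL alert number (?P<alert>\d+))?\)"
    r" while SSL handshaking, client: (?P<client>[0-9a-fA-F.:]+),"
    r" server: (?P<server>\S+)"
)


def decode_openssl_error(code_hex):
    """Split a packed OpenSSL 3 error code into library, reason and TLS alert (if any)."""
    code = int(code_hex, 16)
    lib = (code >> 23) & 0xFF
    reason = code & 0x7FFFFF
    alert = None
    if lib == ERR_LIB_SSL and SSL_AD_REASON_OFFSET <= reason < SSL_AD_REASON_OFFSET + 256:
        alert = reason - SSL_AD_REASON_OFFSET
    return {"lib": lib, "reason": reason, "alert": alert}


def parse_handshake_failure(line):
    """Return a dict describing one failed handshake, or None for unrelated lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    info = decode_openssl_error(m["code"])
    alert = info["alert"]
    logged_alert = int(m["alert"]) if m["alert"] else None
    return {
        "client": m["client"],
        "server": m["server"],
        "lib": info["lib"],
        "reason": info["reason"],
        "alert": alert,
        "alert_name": TLS_ALERTS.get(alert, "unknown") if alert is not None else None,
        # An alert reason means the peer sent the alert, i.e. the connecting client
        # rejected what nginx presented; any other reason is a failure local to nginx.
        "peer_sent_alert": alert is not None,
        # nginx appends the alert number it saw; it should agree with the decoded code.
        "consistent": logged_alert is None or logged_alert == alert,
    }


def summarize(lines):
    """Count failures per (client, cause) so the chatty source is obvious."""
    counts = Counter()
    for line in lines:
        rec = parse_handshake_failure(line)
        if rec is None:
            continue
        cause = rec["alert_name"] if rec["peer_sent_alert"] else "local reason %d" % rec["reason"]
        counts[(rec["client"], cause)] += 1
    return counts


# Constructed sample log: the first entry mirrors the line in the question; the
# others (timestamps, the non-loopback addresses, the extra causes) are invented.
SAMPLE_LOG = [
    "2023/04/20 10:00:01 [info] 1187517#1187517: *2446393 SSL_do_handshake() failed "
    "(SSL: error:0A000412:SSL routines::sslv3 alert bad certificate:SSL alert number 42) "
    "while SSL handshaking, client: 127.0.0.1, server: 0.0.0.0:443",
    "2023/04/20 10:00:02 [info] 1187517#1187517: *2446401 SSL_do_handshake() failed "
    "(SSL: error:0A000412:SSL routines::sslv3 alert bad certificate:SSL alert number 42) "
    "while SSL handshaking, client: 127.0.0.1, server: 0.0.0.0:443",
    "2023/04/20 10:00:03 [info] 1187517#1187517: *2446410 SSL_do_handshake() failed "
    "(SSL: error:0A000418:SSL routines::tlsv1 alert unknown ca:SSL alert number 48) "
    "while SSL handshaking, client: 198.51.100.23, server: 0.0.0.0:443",
    "2023/04/20 10:00:04 [info] 1187517#1187517: *2446415 SSL_do_handshake() failed "
    "(SSL: error:0A0000C1:SSL routines::no shared cipher) "
    "while SSL handshaking, client: 203.0.113.7, server: 0.0.0.0:443",
    "2023/04/20 10:00:05 [error] 1187517#1187517: *2446420 connect() failed "
    "(111: Connection refused) while connecting to upstream, client: 203.0.113.9",
]

if __name__ == "__main__":
    for (client, cause), n in summarize(SAMPLE_LOG).most_common():
        print("%-16s %-22s %d" % (client, cause, n))
```

Run against a real error log with `summarize(open("/var/log/nginx/error.log"))`; when every bad_certificate entry comes from 127.0.0.1, the next step is to find which local process is opening TLS connections to port 443 (the same host connecting back to its own listener) and look at how that client validates the server certificate, since it, not the browser path through Cloudflare, is the party rejecting it.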