Hi @sam / @Andrew,
Could I get some clarification on this:
Are you saying discourse shouldn’t be run behind nginx, or that there’s something about the way I’ve got it configured that’s problematic? Also, some explanation or reference on why this is not a good idea would be great.
Anyway I’m getting the feeling this isn’t related to discourse, so I’ll probably stop posting about it here, but if anyone can shed some light, I’d really appreciate it. I’m kinda stumped here.
I just tried some similar tests to @Andrew with curl but using -v…
On Windows, I get back the home page and the site works in Chrome, Edge and Firefox
On OSX, I get this error and the site works in Chrome but not Safari (didn’t realize that yesterday)
Brads-MBP:~ brad$ curl -v https://community.cantabilesoftware.com/
* Trying 173.255.196.118...
* TCP_NODELAY set
* Connected to community.cantabilesoftware.com (173.255.196.118) port 443 (#0)
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate: cantabilesoftware.com
* Server certificate: SSL.com DV CA
* Server certificate: USERTrust RSA Certification Authority
> GET / HTTP/1.1
> Host: community.cantabilesoftware.com
> User-Agent: curl/7.54.0
> Accept: */*
>
* SSLRead() return error -9806
* Closing connection 0
curl: (56) SSLRead() return error -9806
On Ubuntu 14.04 Desktop, I get this error from curl but the site works in Chrome and Firefox.
brad@localhost:~$ curl https://community.cantabilesoftware.com
curl: (56) SSL read: error:00000000:lib(0):func(0):reason(0), errno 104
brad@localhost:~$ curl https://community.cantabilesoftware.com -v
* Rebuilt URL to: https://community.cantabilesoftware.com/
* Hostname was NOT found in DNS cache
* Trying 173.255.196.118...
* Connected to community.cantabilesoftware.com (173.255.196.118) port 443 (#0)
* successfully set certificate verify locations:
* CAfile: none
CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using ECDHE-RSA-AES256-GCM-SHA384
* Server certificate:
* subject: OU=Domain Control Validated; CN=cantabilesoftware.com
* start date: 2018-01-03 00:00:00 GMT
* expire date: 2021-01-02 23:59:59 GMT
* subjectAltName: community.cantabilesoftware.com matched
* issuer: C=US; O=SSL.com; OU=www.ssl.com; CN=SSL.com DV CA
* SSL certificate verify ok.
> GET / HTTP/1.1
> User-Agent: curl/7.35.0
> Host: community.cantabilesoftware.com
> Accept: */*
>
* SSL read: error:00000000:lib(0):func(0):reason(0), errno 104
* Closing connection 0
curl: (56) SSL read: error:00000000:lib(0):func(0):reason(0), errno 104
On Ubuntu on another Linode server, I get this error: (no browsers to test with)
brad@localhost:~$ curl -v https://community.cantabilesoftware.com/
* Hostname was NOT found in DNS cache
* Trying 173.255.196.118...
* Connected to community.cantabilesoftware.com (173.255.196.118) port 443 (#0)
* successfully set certificate verify locations:
* CAfile: none
CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using ECDHE-RSA-AES256-GCM-SHA384
* Server certificate:
* subject: OU=Domain Control Validated; CN=cantabilesoftware.com
* start date: 2018-01-03 00:00:00 GMT
* expire date: 2021-01-02 23:59:59 GMT
* subjectAltName: community.cantabilesoftware.com matched
* issuer: C=US; O=SSL.com; OU=www.ssl.com; CN=SSL.com DV CA
* SSL certificate verify ok.
> GET / HTTP/1.1
> User-Agent: curl/7.35.0
> Host: community.cantabilesoftware.com
> Accept: */*
>
* SSL read: error:00000000:lib(0):func(0):reason(0), errno 104
* Closing connection 0
curl: (56) SSL read: error:00000000:lib(0):func(0):reason(0), errno 104
Also, on all machines/browsers and with curl the (non-discourse) site http://www.cantabilesoftware.com which uses exactly the same certificate file works - although that site runs on a different server, but pretty much identically configured.
Obviously there’s something about the server side configuration for just this discourse site, or something about the certificate and that sub-domain that some clients don’t like. Could it be that community.cantabilesoftware.com is the subjectAltName in the certificate and some clients don’t like this?
Searching the above error codes, the best I could come up with is this post on Stack Overflow, but the solutions revolve around client side fixes (e.g. rebuilding curl).
Any help greatly appreciated.
Brad
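
Added example, not part of the original post: a small Python helper that reads a `curl -v` trace like the ones quoted above and reports the last milestone the connection reached and the first one it missed. The function name `triage` and the stage names are hypothetical; the sample is abridged from the Ubuntu trace in the post.

```python
import re

# Ordered milestones in a curl -v trace and the line that marks each one.
STAGES = [
    ("tcp_connected",     r"^\* Connected to "),
    ("tls_established",   r"^\* (?:SSL|TLS [\d.]+) connection using "),
    ("cert_verified",     r"^\*\s+SSL certificate verify ok"),  # not printed by every TLS backend
    ("request_sent",      r"^> [A-Z]+ \S+ HTTP/"),
    ("response_received", r"^< HTTP/"),
]

# Constructed sample: abridged from the Ubuntu 14.04 trace in the post.
SAMPLE_TRACE = """\
* Connected to community.cantabilesoftware.com (173.255.196.118) port 443 (#0)
* SSL connection using ECDHE-RSA-AES256-GCM-SHA384
* subjectAltName: community.cantabilesoftware.com matched
* SSL certificate verify ok.
> GET / HTTP/1.1
> Host: community.cantabilesoftware.com
>
* SSL read: error:00000000:lib(0):func(0):reason(0), errno 104
curl: (56) SSL read: error:00000000:lib(0):func(0):reason(0), errno 104
"""


def triage(trace):
    """Return which milestones a curl -v trace reached and where it stopped."""
    reached = [name for name, pat in STAGES if re.search(pat, trace, re.M)]
    names = [name for name, _ in STAGES]
    # The failing stage is the one right after the furthest milestone seen,
    # so a backend that skips the "verify ok" line does not confuse the result.
    last = max((names.index(n) for n in reached), default=-1)
    failed = names[last + 1] if last + 1 < len(names) else None
    exit_m = re.search(r"^curl: \((\d+)\)", trace, re.M)
    errno_m = re.search(r"errno (\d+)", trace)  # 104 is ECONNRESET on Linux
    return {
        "reached": reached,
        "failed_stage": failed,
        "curl_exit": int(exit_m.group(1)) if exit_m else None,
        "errno": int(errno_m.group(1)) if errno_m else None,
    }


if __name__ == "__main__":
    print(triage(SAMPLE_TRACE))
```

On the Ubuntu trace this places the failure at `response_received`: the handshake completed, the certificate verified, the request was written, and the read then failed with errno 104 (ECONNRESET on Linux).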