Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

SSL issue with rewrite_www_to_non_www parameter #542

Closed
cscheib opened this issue Jan 4, 2015 · 5 comments · Fixed by #548
Closed

SSL issue with rewrite_www_to_non_www parameter #542

cscheib opened this issue Jan 4, 2015 · 5 comments · Fixed by #548

Comments

@cscheib
Copy link

cscheib commented Jan 4, 2015

The nginx::resource::vhost module seems to create an invalid config when rewrite_www_to_non_www is true.

I had to add the SSL parameters to resolve the error message. The error message occurs when accessing https://www.site.io and https://site.io (i.e. ssl is effectively completely broken for the site config).

Please let me know if I'm using the parameter incorrectly, I am fairly new to nginx and this module.

It looks as though the vhost_header.erb should include some ssl parameters (at least "ssl on"?) in the conf file.

version: commit 1620e18 (latest commit as of issue submission)

error message from nginx:

2015/01/04 16:42:57 [error] 11025#0: *52 no "ssl_certificate" is defined in server listening on SSL port while SSL handshaking, client: *redacted*, server: 0.0.0.0:443

puppet manifest:

include nginx
nginx::resource::vhost { 'site.io':
    ensure         => present,
    www_root       => '/var/www/site_io',
    ipv6_enable    => true,
    ssl            => true,
    ssl_cert       => '/root/siteio-ca/keys/site.io.crt',
    ssl_key        => '/root/siteio-ca/keys/site.io.key',
    listen_port    => '80',
    ssl_port       => '443',
    rewrite_www_to_non_www => true,
  }

complete nginx configuration that was generated:

server {
  listen       *:80;
  server_name  www.site.io;
  return       301 http://site.io$uri;
}

server {
  listen                *:80;
  listen [::]:80 default ipv6only=on;
  server_name           site.io;

  index  index.html index.htm index.php;

  access_log            /var/log/nginx/site.io.access.log combined;
  error_log             /var/log/nginx/site.io.error.log;

  location / {
    root      /var/www/site_io;
  }
}
server {
  listen       *:443 ssl;
  server_name  www.site.io;
  return       301 https://site.io$uri;
}

server {
  listen       *:443 ssl;
  listen [::]:443 ssl default ipv6only=on;
  server_name  site.io;

  ssl on;

  ssl_certificate           /etc/nginx/site.io.crt;
  ssl_certificate_key       /etc/nginx/site.io.key;
  ssl_session_cache         shared:SSL:10m;
  ssl_session_timeout       5m;
  ssl_protocols             TLSv1 TLSv1.1 TLSv1.2;
  ssl_ciphers               ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;
  ssl_prefer_server_ciphers on;

  index  index.html index.htm index.php;

  access_log            /var/log/nginx/ssl-site.io.access.log combined;
  error_log             /var/log/nginx/ssl-site.io.error.log;


  location / {
    root      /var/www/site_io;
  }
}

offending snippet from above nginx conf:

server {
  listen       *:443 ssl;
  server_name  www.site.io;
  return       301 https://site.io$uri;
}

repaired snippet from nginx conf:

server {
  listen       *:443 ssl;
  server_name  www.site.io;
  return       301 https://site.io$uri;
  ssl on;
  ssl_certificate           /etc/nginx/site.io.crt;
  ssl_certificate_key       /etc/nginx/site.io.key;
}
cscheib added a commit to cscheib/puppet-nginx that referenced this issue Jan 4, 2015
joehillen added a commit to joehillen/puppet-nginx that referenced this issue Jan 15, 2015
@joehillen
Copy link
Contributor

I think my fix is more complete/modular.

@cscheib
Copy link
Author

cscheib commented Jan 15, 2015

@joehillen agreed it's probably the right way to go (I only made a quick fix)... but appears to be failing the Travis CI build... have you verified valid output? you may need to fix the spec test

@joehillen
Copy link
Contributor

I tested it. If you look at the test error, the spec is wrong, but I don't know rspec, so I don't immediately know how to fix it.

@cscheib
Copy link
Author

cscheib commented Jan 15, 2015

I don't know it either, unfortunately, or I would have likely fixed it already. I may have time to learn and mess with it another day, but I'm working on other projects the next couple days.

@paul91
Copy link

paul91 commented Mar 30, 2015

Currently experiencing this issue with release 0.2.2

@3flex 3flex mentioned this issue Apr 10, 2015
5 tasks
joehillen added a commit to joehillen/puppet-nginx that referenced this issue May 7, 2015
@3flex 3flex closed this as completed in #548 May 7, 2015
cegeka-jenkins pushed a commit to cegeka/puppet-nginx that referenced this issue Oct 23, 2017
slm0n87 pushed a commit to slm0n87/puppet-nginx that referenced this issue Mar 7, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging a pull request may close this issue.

3 participants