Reputation: 490
I have a problem with running a websocket server on Nginx. This is my Nginx default.conf:

    upstream websocket {
        server xx.xx.xx.xx:8080;
    }
    server {
        listen 80;
        listen [::]:80;
        server_name domain.com *.domain.com;
        return 301 https://$server_name$request_uri;
    }
    server {
        listen 443 ssl default_server;
        listen [::]:443 ssl default_server;
        ssl on;
        ssl_certificate /etc/letsencrypt/live/domain.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/domain.com/privkey.pem;
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 5m;
        root /var/www/html;
        index index.php index.html index.htm index.nginx-debian.html;
        server_name domain.com *.domain.com;
        location / {
            try_files $uri $uri/ =404;
        }
        location ~ \.php$ {
            include snippets/fastcgi-php.conf;
            fastcgi_pass unix:/run/php/php7.0-fpm.sock;
        }
        location ~ /\.ht {
            deny all;
        }
        location /ws {
            proxy_pass http://websocket;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_set_header Host $host;
        }
    }

I get the following error in Chrome:

    (index):2 WebSocket connection to 'wss://xx.xx.xx.xx/ws:8080' failed: Error in connection establishment: net::ERR_CERT_COMMON_NAME_INVALID

I think it has something to do with certificates (SSL), but I really have no idea how to fix this!
Thanks in advance!
Edit:
My index.php file is

    <script>
    var conn = new WebSocket('wss://xx.xx.xx.xx/ws');
    conn.onopen = function(e) {
        console.log("Connection established!");
    };
    </script>

When I change xx.xx.xx.xx to domain.com I get a handshake error code 504.
Btw, I'm running a websocket server via PHP (php server.php) with Ratchet, following this example: http://socketo.me/docs/hello-world
Upvotes: 1
Views: 3347
Reputation: 5951
No mention of the port in your supplied code, but you are attempting to make a secure websocket connection directly from the browser to your websocket server, which is running on port 8080. Hence this message:

    (index):2 WebSocket connection to 'wss://xx.xx.xx.xx/ws:8080' failed: Error in connection establishment: net::ERR_CERT_COMMON_NAME_INVALID

What you should be doing is connecting to Nginx, which is listening on port 443, and then letting Nginx proxy the request. There must be some code on your page somewhere which is specifying port 8080.
Get rid of it.
Upvotes: 0
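The certificate error quoted above is a name check: the host in the wss:// URL has to match a DNS name in the certificate that Nginx presents on port 443. The checker below is an added example, not code from the original posts; the certificate names and the 203.0.113.10 address are assumptions standing in for the masked values on the page.

```javascript
// Added example. Explains why a browser would reject a wss:// URL, given the
// DNS names in the certificate that the TLS-terminating proxy presents.

// Match one certificate dNSName against a host name. A wildcard is honoured
// only as the entire left-most label and stands for exactly one label.
function dnsNameMatches(pattern, host) {
  const p = pattern.toLowerCase().split('.');
  const h = host.toLowerCase().split('.');
  if (p.length !== h.length) return false;
  return p.every((label, i) => (i === 0 && label === '*') || label === h[i]);
}

// URL.hostname yields dotted-decimal for IPv4 and a bracketed form for IPv6.
function isIpLiteral(host) {
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.startsWith('[');
}

// Returns a list of problem codes; an empty list means the URL is consistent
// with the certificate names and the proxy port.
function checkWebSocketUrl(url, certDnsNames, proxyPort = 443) {
  const u = new URL(url);
  const problems = [];
  if (u.protocol !== 'wss:') problems.push('not-wss');
  const port = u.port === '' ? (u.protocol === 'wss:' ? 443 : 80) : Number(u.port);
  if (port !== proxyPort) problems.push('port-bypasses-proxy');
  // A port written after the path is part of the path, not the authority.
  if (/:\d+$/.test(u.pathname)) problems.push('port-in-path');
  // DNS names in a certificate never match an IP address in the URL.
  if (isIpLiteral(u.hostname)) problems.push('ip-literal-host');
  else if (!certDnsNames.some((n) => dnsNameMatches(n, u.hostname))) problems.push('name-mismatch');
  return problems;
}

// Constructed sample input (assumed names; 203.0.113.10 is a documentation IP).
const CERT_NAMES = ['domain.com', '*.domain.com'];
for (const url of ['wss://203.0.113.10/ws:8080', 'wss://203.0.113.10/ws',
  'wss://domain.com:8080/ws', 'wss://domain.com/ws']) {
  console.log(url, '->', checkWebSocketUrl(url, CERT_NAMES).join(', ') || 'ok');
}
```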
Reputation: 829
Configure SSL for upstream - Nginx

Prerequisites: the --with-stream and --with-stream_ssl_module configuration parameters.

Sample configuration:

    stream {
        upstream websocket {
            server backend1.example.com:8080;
        }
        server {
            listen 8080 ssl;
            proxy_pass websocket;
            ssl_certificate /etc/ssl/certs/server.crt;
            ssl_certificate_key /etc/ssl/certs/server.key;
            # SSLv3, TLSv1 and TLSv1.1 removed from this list: obsolete and insecure
            ssl_protocols TLSv1.2;
            ssl_ciphers HIGH:!aNULL:!MD5;
            ssl_session_cache shared:SSL:20m;
            ssl_session_timeout 4h;
            ssl_handshake_timeout 30s;
            …
        }
    }

For more detail please follow this link https://docs.nginx.com/nginx/admin-guide/security-controls/terminating-ssl-tcp/
Upvotes: 1