Setup not loading in the browser
-
Hi!
I'm having a problem with finishing the Cloudron setup.
I've created a Cloudflare account, connected it to my domain,
gave my API token and email to the first setup (which was /setupdns.html),
and after a while it started to redirect me to the domain (my.***.com/setup.html),
but it won't load; it just gives me the error "no common encryption algorithm(s)".
The error code is "SSL_ERROR_NO_CYPHER_OVERLAP". And yes, I did the port-forwarding process from my IP address to the LAN IP on the same port (both 80).
Note: the URL gives that error on the same device that Cloudron is running on; from another device it just says "Unable to connect" [with https].
Without HTTPS, on the local device, it loads my router settings (and yes, the web option is off on my router, I double-checked),
but on another device, without HTTPS, it just says "The requested URL could not be retrieved". Any help would be appreciated.
-
@ehsanfox looks like maybe Cloudron didn't manage to get a certificate for the domain for some reason.
As a first step, can you try
curl https://my.domain.com
from your PC? If it complains about some cert, can you try
curl -k https://my.domain.com
? That should dump some HTML. Can you also maybe tell us a bit more about your server setup? Looks like this is hosted at home, is it? Do you know if your router supports hairpinned routing? See https://en.wikipedia.org/wiki/Network_address_translation#NAT_loopback . This is required for home server setups that expose their Cloudron to the internet to work.
-
@girish hey, sorry for the late reply. I just did what you told me: I tried to curl the domain from the device that has Cloudron and from my personal computer, with 2 different results (same as the first ones though).
My PC just said that it timed out; however, it said it was pointing to port 443, which was kind of new to me. Anyway, on the local device that has Cloudron it was the same: both curl and curl with the -k flag gave me "curl: (35) error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure".
And also about the NAT: yes, but I don't exactly know what hairpinned routing means, but my router does support that NAT, and I use a feature called virtual server to point my static IP address port 80 to port 80 of the device that has Cloudron on it (picture below).
-
@ehsanfox said in Setup not loading in the browser:
my PC just said that it timed out; however, it said it was pointing to port 443, which was kind of new to me. Anyway,
I think what's missing is the port forwarding of port 443 (like what you did for port 80). Port 443 is the main port that is needed for Cloudron since that is https traffic. Port 80 is http traffic.
and also about the NAT: yes, but I don't exactly know what hairpinned routing means
In simple terms:
- Cloudron is setting up the DNS to point to your public IP. So, if you do `host my.domain.com` on your PC, you will see the public IP of your home/setup.
- When you are doing `curl https://my.domain.com`, it's going to contact the public IP on port 443 (https).
- Now, this is where the hairpinning part comes in. Your PC is now sending packets to the public IP, which ends up in your router. The router has to be smart enough to realize that this public IP is basically itself and then do a NAT translation and send the packet back into the internal network, i.e. even though we are contacting a public IP, these packets never hit the internet. Hope that makes sense.
An easy way to see if this is a hairpinning problem is to test things using your mobile network. Simply browse to `https://my.domain.com` using your phone and see if that works.
-
@ehsanfox you should forward both.
Port 80 is unencrypted traffic and not secure. Cloudron does not use port 80 as such. But when Cloudron is contacted on port 80, it will redirect to port 443.
Port 443 is encrypted traffic and Cloudron uses this exclusively.
You might then ask why forward port 80 at all. Two reasons:
- When you enter `app.domain.com` in your browser (i.e. without `https://` in front), for legacy reasons, it will always contact "http" first. It will then switch to https because of the redirect. Even if your browser is "smart" enough to always use https straight away, there might be other users with older browsers.
- Port 80 is required for Let's Encrypt certificates when you use manual/wildcard DNS. I think you use Cloudflare, so port 80 is not needed to get certificates. The certs are instead obtained through DNS automation.
But of course, depending on your situation, you can disable port 80 completely since it's not used, as long as you understand the above.
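Editor's note: the two replies above describe a manual procedure (resolve the name, contact the public IP on 443, forward 443 as well as 80, and repeat from a mobile network to rule out a missing NAT loopback). The script below runs those checks from one place and maps the outcome to the explanation given in the thread. It is an added example, not code from the thread or from the Cloudron project; the hostname, the router's WAN address and the 5 second timeout are arguments you supply, and the advice strings are this editor's reading of the replies, not Cloudron's own diagnostics.

```python
"""Reachability check for a self-hosted server behind a home router.

Added example (not from the forum thread or the Cloudron project).
Assumptions: you pass the hostname and the router's public (WAN) address
on the command line; timeouts of 5 seconds are arbitrary.
"""
import socket
import ssl
import sys


def resolve(hostname):
    """What `host my.domain.com` shows: the address the name resolves to."""
    return socket.gethostbyname(hostname)


def tcp_open(ip, port, timeout=5.0):
    """True when a TCP connection to ip:port completes within timeout.
    A timeout here is the 'curl ... timed out' symptom from the thread."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def tls_handshake(ip, hostname, port=443, timeout=5.0):
    """Try a TLS handshake on ip:port with SNI = hostname, like `curl -k`:
    certificate verification is off because the question is whether TLS
    is being spoken at all, not whether the certificate is trusted.
    Returns (True, cipher_name) or (False, error_text)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                return True, tls.cipher()[0]
    except (OSError, ssl.SSLError) as exc:
        return False, str(exc)


def interpret(dns_ip, public_ip, port80, port443, tls_ok, from_lan):
    """Pure function: turn the observations into the thread's explanation.
    from_lan is True when run inside the same home network as the server
    (where NAT loopback / hairpinning matters) and False from, e.g., a
    phone on the mobile network. Returns (code, advice)."""
    if dns_ip != public_ip:
        return ("dns-mismatch",
                f"{dns_ip} is not the router's public address {public_ip}; "
                "the DNS record should point the name at the public IP.")
    if not port443:
        if from_lan:
            return ("forward-443-or-hairpin",
                    "443 unreachable from inside the LAN: either 443 is not "
                    "forwarded (only 80 was) or the router does not hairpin "
                    "traffic to its own public IP; retest from the mobile network.")
        return ("forward-443",
                "443 unreachable from outside: add a forwarding rule for 443 "
                "next to the one for 80 (external 443 -> internal 443).")
    if not tls_ok:
        return ("tls-handshake-failed",
                "443 answers but the TLS handshake fails (the 'no cipher overlap' "
                "/ 'handshake failure' symptom): check that external 443 maps to "
                "internal 443 and that a certificate was actually obtained.")
    if not port80:
        return ("ok-no-80",
                "https works; 80 is closed, so a plain http://name typed into a "
                "browser will not be redirected to https.")
    return ("ok", "https on 443 works and 80 is open for the http -> https redirect.")


def check(hostname, public_ip, from_lan=True):
    """Run the live checks and interpret them. Network calls happen here only."""
    dns_ip = resolve(hostname)
    p80 = tcp_open(dns_ip, 80)
    p443 = tcp_open(dns_ip, 443)
    tls_ok, detail = tls_handshake(dns_ip, hostname) if p443 else (False, "port closed")
    code, advice = interpret(dns_ip, public_ip, p80, p443, tls_ok, from_lan)
    return {"dns_ip": dns_ip, "port80": p80, "port443": p443,
            "tls": detail, "code": code, "advice": advice}


if __name__ == "__main__":
    # Usage: python check_reach.py my.domain.com <router WAN IP> [lan|mobile]
    name, wan = sys.argv[1], sys.argv[2]          # supplied by you (assumptions)
    lan = len(sys.argv) < 4 or sys.argv[3] == "lan"
    for key, value in check(name, wan, lan).items():
        print(f"{key}: {value}")
```

Run it once from a PC on the home network and once from a device on the mobile network; if the LAN run reports `forward-443-or-hairpin` while the mobile run reports `ok`, the router lacks NAT loopback, which is exactly the distinction the thread asks the poster to test.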
-
I just forwarded my global 80 to the device's 443 and I tried the curl command on my personal computer and on the device itself. The results are:
My personal computer:
curl: (35) schannel: next InitializeSecurityContext failed: SEC_E_ALGORITHM_MISMATCH (0x80090331) - The client and server cannot communicate, because they do not possess a common algorithm.
The device:
curl: (35) error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
The browser results are the same, but the HTTP URL gives me a 400 error that comes from nginx (I don't have one on my Ubuntu though...).