Created
July 26, 2020 22:35
-
-
Save CryogenicPlanet/81570ac097d42b35ee206de9bf3db02c to your computer and use it in GitHub Desktop.
Conversations with GPT-3 to fix the Spine
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| The following is a conversation with an AI assistant. The assistant is helpful, creative, clever, and very friendly. | |
| Human: Hello, who are you? | |
| AI: I am an AI created by OpenAI. How can I help you today? | |
| Human: Can you help me debug an SSL configuration error? | |
| AI: Sure. What's wrong? | |
| Human: When I open the website, it shows 'ERR_SSL_PROTOCOL_ERROR' | |
| AI: The server's TLS configuration does not support the protocol you are trying to use. | |
| Human: How do I fix that? | |
| AI: Check your server's configuration. Make sure that TLSv1.0 or TLSv1.1 is supported. | |
| Human: How do I check that? | |
| AI: For Ubuntu systems, this can be done by running the command: openssl s_client -connect example.com:443 . | |
| AI: Make sure to replace example.com:443 with your server's IP address. | |
| Human: Okay, this is what it returned: | |
| --------------------------- | |
| CONNECTED(00000003) | |
| depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3 | |
| verify return:1 | |
| depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3 | |
| verify return:1 | |
| depth=0 CN = thevarsity.ca | |
| verify return:1 | |
| --- | |
| Certificate chain | |
| 0 s:/CN=thevarsity.ca | |
| i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3 | |
| 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3 | |
| i:/O=Digital Signature Trust Co./CN=DST Root CA X3 | |
| --- | |
| Server certificate | |
| -----BEGIN CERTIFICATE----- | |
| <truncated> | |
| -----END CERTIFICATE----- | |
| subject=/CN=thevarsity.ca | |
| issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3 | |
| --- | |
| No client certificate CA names sent | |
| Peer signing digest: SHA512 | |
| Server Temp Key: ECDH, P-256, 256 bits | |
| --- | |
| SSL handshake has read 3305 bytes and written 320 bytes | |
| Verification: OK | |
| --- | |
| New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256 | |
| Server public key is 2048 bit | |
| Secure Renegotiation IS supported | |
| Compression: NONE | |
| Expansion: NONE | |
| No ALPN negotiated | |
| SSL-Session: | |
| Protocol : TLSv1.2 | |
| Cipher : ECDHE-RSA-AES128-GCM-SHA256 | |
| Session-ID: 0F2989E575AB0412BFD704DA862C789213198DD37655E0D1A1D0FC49E6A8E91C | |
| Session-ID-ctx: | |
| Master-Key: 85277981B0AB390FB218AB262397C27129FB9D7AB98070A2F905E8B1A25D0BD4D060D6168F41D4A396FC6A7B809094E8 | |
| PSK identity: None | |
| PSK identity hint: None | |
| SRP username: None | |
| TLS session ticket lifetime hint: 86400 (seconds) | |
| TLS session ticket: <truncated> | |
| Start Time: 1595783988 | |
| Timeout : 7200 (sec) | |
| Verify return code: 0 (ok) | |
| Extended master secret: no | |
| --- | |
| closed | |
| --------------------------- | |
| AI: | |
| AI: I think that the issue is caused by the server being behind an HTTP proxy, not an HTTPS proxy. | |
| Human: Can you elaborate? I'm using nginx | |
| AI: There are two ways to solve this problem. You can either disable the proxy and connect directly, or setup TLS termination on your host and let your host deal with it. The second option is preferred because it makes future maintenance easier. I can write a tutorial explaining how to do that if you want. | |
| Human: Awesome! Go ahead | |
| AI: Just for clarification, we are currently logged in to your server, yes? | |
| Human: Yes | |
| AI: Okay, the first step is to use your distribution's package manager to install stunnel. For Ubuntu and Debian systems, this can be done by running the command: sudo apt-get install stunnel . For CentOS and RedHat systems, this can be done by running the command: sudo yum install stunnel . Please replace apt-get with yum if you are using one of these. | |
| Human: Great, what do we do with stunnel? | |
| AI: Stunnel is a program that can be used to encapsulate TCP connections inside of SSL connections. This is useful because we can connect to the server through an HTTP proxy, and send traffic through stunnel using SSL. This is known as TLS termination. Stunnel listens on port 443, so this means that our proxy must connect to stunnel, and not directly to the server. Then, we will configure nginx to connect to stunnel instead of directly to the server. | |
| AI: The next step is to create a configuration file for stunnel. Since you're not behind a firewall and your hostname is thevarsity.ca, it's probably easiest to use the configuration provided by https://cipherli.st. Copy the text in the green box below, and save it as /etc/stunnel/stunnel.conf on your server. Then run sudo service stunnel4 restart . | |
| AI: Now, we need to configure nginx to connect to stunnel. Create a new file called /etc/nginx/conf.d/ssl-upstream.conf and put the text in the green box below into that file. Then run sudo service nginx restart . | |
| AI: First, generate a new pair of keys for your host. You can use openssl genrsa -out ca.key 4096 and openssl req -new -key ca.key -out ca.csr to do this. | |
| Human: Okay. done! | |
| AI: Next, use openssl x509 -req -days 3650 -in ca.csr -CA ca.crt -CAkey ca.key -set_serial 01 -extensions v3_ca -out ca.crt to convert it to the proper format. Finally, copy the contents of the ca.crt file to the correct directory on your server. | |
| AI: I think that the issue is caused by the server being behind an HTTP proxy, not an HTTPS proxy. | |
| AI: Can you try accessing the server directly instead? | |
| Human: I see the Apache default page | |
| AI: Can you open the webpage using curl? | |
| Human: Yes, it works | |
| AI: Can you try a different TLS version? | |
| Human: |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment