Shields.io shows that my site is turned off. However, it is not.

[dorokhin]

Are you experiencing an issue with...

• [* ] shields.io

🪲 Description

Shilds.io shows that my site is turned off. However, it is not.
This happened after I updated the certificates, and the SSL settings of the web server

www.ssllabs.com shows that my server has an A + rating

🔗

https://img.shields.io/website-up-down-green-red/https/dorokhin.moscow.svg?label=dorokhin.moscow

ssllabs report

** Screenshots **
Screenshot 1
Screenshot 1

💡 Possible Solution

Update your ssl client library.

[chris48s]

Tried this locally and its throwing:

{
Error: write EPROTO 139639970006848:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3
alert handshake failure:../deps/openssl/openssl/ssl/s23_clnt.c:802: at
WriteWrap.afterWrite [as oncomplete] (net.js:868:14) errno: 'EPROTO', code: 'EPROTO', syscall: 'write'
}

Can make a HEAD request OK with curl:

$ curl -I --head "https://dorokhin.moscow/"
HTTP/1.1 200 OK

[paulmelnikow]

I can't reproduce that locally in Node 10, though I can in Node 9 and Node 8. I don't have access to upgrade Node on the servers, but it seems like that's what we'll need to do.

[paulmelnikow]

We could also try setting secureProtocol to the Node 10 value to see if it fixes this. There's some differences in the docs in Node 9 and the subsequent versions.

[chris48s]

Suspect its probably this then: nodejs/node#3692 Might be some settings we can fiddle with if you trawl that thread, but node 10 has a more recent version of openssl which fixes this.

[paulmelnikow]

The ssl test report shows a handful of client failures:

This is from their documentation:

In order to support older clients, you may need to continue to support TLS v1.0 and TLS v1.1 for now. However, you should plan to retire TLS v1.0 in the near future. For example, the PCI DSS standard will require all sites that accept credit card payments to remove support for TLS v1.0 by June 2018.

Sort of tangential: it would be cool to have a TLS version support badge.

[paulmelnikow]

By adding this service test, I confirmed that TLS 1.2 is not the issue with dorokhin.moscow.

t.create('status of a TLS 1.2 site')
  .only()
  .get('/website/https/tls-v1-2.badssl.com:1012.json')
  .expectJSON({ name: 'website', value: 'online' })

That passes in Node 8 and 9.

[paulmelnikow]

So… it's failing for some other reason. I'm guessing it's related to the ciphers.

[mfominov]

or u can add
require("tls").DEFAULT_ECDH_CURVE = "auto"
to server.js

[derSoerrn95]

@dorokhin: how did u solve your problem?

[mfominov]

@dorokhin: how did u solve your problem?

try my comment with server.js

[derSoerrn95]

it works with self-hosted version. but the shield.io version always shows down.

[paulmelnikow]

The production servers are now running Node 10.20.1 so this should be resolved.

Can anyone confirm?

[paulmelnikow]

I can't confirm this is fixed but I'm going to close it. If this isn't fixed, feel free to comment here and we'll reopen.

[derSoerrn95]

nice, it works for my page now :)

[dorokhin]

I can't confirm this is fixed but I'm going to close it. If this isn't fixed, feel free to comment here and we'll reopen.

it works!