How to fix PR_END_OF_FILE_ERROR when using nginx with ssl?
For anyone else with this issue: it can also happen if you have forgotten to add ssl to the listen directives. Chrome shows ERR_SSL_PROTOCOL_ERROR whilst Firefox shows PR_END_OF_FILE_ERROR.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    ...
}
Michael Shustin
Updated on June 05, 2022
Comments
-
Michael Shustin almost 2 years
I'm trying to reverse-proxy an http server via nginx. The service is listening on port 8123 and I want to proxy it on 443. I created a self-signed certificate like this:
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365
Here is the complete nginx configuration:
events {
    worker_connections 768;
}
http {
    server {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        ssl_certificate /home/mcmsadm/cert.pem;
        ssl_certificate_key /home/mcmsadm/key.pem;
        location / {
            proxy_pass http://localhost:8123;
        }
    }
}
When I try to connect to the server using Firefox, it says PR_END_OF_FILE_ERROR.
What am I doing wrong? Thanks!
EDIT: I found the nginx error message in the logs (Didn't think about it):
SSL_CTX_use_PrivateKey_file("/home/mcmsadm/key.pem") failed (SSL: error:2807106B:UI routines:UI_process:processing error:while reading strings error:0906406D:PEM routines:PEM_def_callback:problems getting password error:0907B068:PEM routines:PEM_read_bio_PrivateKey:bad password read error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib)
I did create the certificate with a password, but nginx is asking for it when I restart it via nginx -s reload. To temporarily solve this I wrote the password in a file and added this line to my nginx.conf:
ssl_password_file /etc/nginx/pass;
Is there any way that I can avoid writing the password in a file?
-
Steffen Ullrich about 4 years
Please have a look at the nginx error log for what might be wrong. If you don't understand the messages there, please add these to the question.
-
dave_thompson_085 about 4 years
This isn't a programming question, and I'd expect it to be covered on serverfault or superuser or maybe security.SX but I can't find a good dupe. You can remove the password from an existing OpenSSL privatekey file with openssl rsa <k1 >k2 or openssl pkey <k1 >k2. You could have created the privatekey without password by adding -nodes on the openssl req -new -x509 ... command. Note it's the key that has the password not the certificate, although a server like nginx needs both so this distinction is less important.
-
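Added example (not part of the original thread and not nginx's own tooling): a small Python check for the two causes discussed on this page, a listen directive on 443 without the ssl parameter and a passphrase-protected key file. The function names, the simplified directive parser and the sample inputs are constructed for illustration.

```python
import re
# Constructed sample: the question's server block with "ssl" left off both listen lines.
SAMPLE_CONF = """
http { server {
    listen 443 http2;
    listen [::]:443 http2;
    ssl_certificate /home/mcmsadm/cert.pem;
    ssl_certificate_key /home/mcmsadm/key.pem;
    location / { proxy_pass http://localhost:8123; }
} }
"""
# Constructed PEM skeletons: bodies elided, only the header lines matter here.
ENCRYPTED_PKCS8 = "-----BEGIN ENCRYPTED PRIVATE KEY-----\n...\n"
ENCRYPTED_LEGACY = "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n...\n"
PLAIN_KEY = "-----BEGIN PRIVATE KEY-----\n...\n"

def directives(conf):
    """Yield (name, args) per directive. Simplified: no includes, no quoted ';'."""
    conf = re.sub(r"#[^\n]*", "", conf)          # drop comments
    for stmt in re.split(r"[;{}]", conf):
        parts = stmt.split()
        if parts:
            yield parts[0], parts[1:]

def listen_without_ssl(conf, port="443"):
    """Return listen directives on `port` that lack the ssl parameter."""
    bad = []
    for name, args in directives(conf):
        if name == "listen" and args:
            listen_port = args[0].rsplit(":", 1)[-1]   # "443" or "[::]:443"
            if listen_port == port and "ssl" not in args[1:]:
                bad.append("listen " + " ".join(args))
    return bad

def key_is_encrypted(pem_text):
    """True if the PEM key needs a passphrase (PKCS#8 or legacy header)."""
    return ("BEGIN ENCRYPTED PRIVATE KEY" in pem_text
            or "Proc-Type: 4,ENCRYPTED" in pem_text)

def audit(conf, read_key):
    """Collect findings; read_key(path) returns the PEM text of a key file."""
    findings = [d + ": missing 'ssl' parameter" for d in listen_without_ssl(conf)]
    for name, args in directives(conf):
        if name == "ssl_certificate_key" and args and key_is_encrypted(read_key(args[0])):
            findings.append(args[0] + ": passphrase-protected key")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONF, lambda path: ENCRYPTED_PKCS8)))
```

Against a real deployment, pass a read_key callable that opens the file named by ssl_certificate_key and returns its text.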