Nginx SSL Configuration Failing


After much discussion and deliberation here, I found what the issue was.

In my main nginx.conf I was setting the listen directives for both ports 80 and 443.

Once I removed them and added them to the vhost configurations, it started working.
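A minimal before/after layout of the fix described in this answer, added here as an illustration; it is not the configuration from the author's repository, and the hostname, document root and certificate paths are placeholders. The "before" reproduces the symptom seen in the question: a catch-all server in nginx.conf listens on 443 with ssl but has no ssl_certificate, so nginx accepts the TCP connection and then aborts the handshake (the "no "ssl_certificate" is defined in server listening on SSL port" log line), which is what the zero-byte s_client read and the curl (35) error reflect.

```nginx
# BEFORE (broken): listen directives live in the main nginx.conf server block
# with no certificate pair, so this server answers 0.0.0.0:443 and cannot
# complete a TLS handshake.
http {
    server {
        listen 80;
        listen 443 ssl;   # accepts TLS connections but has nothing to present
        # no ssl_certificate / ssl_certificate_key here -> handshake aborted
    }
    include /etc/nginx/sites-enabled/*;
}

# AFTER (fixed): each vhost owns its listen directives and its certificate pair.
# /etc/nginx/sites-enabled/example.conf  (placeholder host and paths)
server {
    listen 80;
    server_name www.example.com;
    return 301 https://$host$request_uri;   # send plain HTTP to HTTPS
}

server {
    listen 443 ssl;
    server_name www.example.com;

    ssl_certificate     /etc/ssl/certs/example.crt;     # placeholder path
    ssl_certificate_key /etc/ssl/private/example.key;   # placeholder path

    # Modern baseline (assumed, not from the original post). A browser error
    # like "inadequate level of security" usually means no protocol or cipher
    # overlap, so do not enable legacy SSLv3 or TLS 1.0 to work around it.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;

    root /var/www/example;
    index index.html;
}
```

After the change, run nginx -t and then confirm with openssl s_client -connect www.example.com:443 -servername www.example.com that a certificate chain is actually returned. Note that s_client's -verify option takes a numeric depth, so openssl s_client -verify host:443 without -connect silently connects to localhost:4433, which produces a "Connection refused" rather than a test of the real host.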


Author: Kevin


Updated on September 18, 2022

Comments

  • Kevin
    Kevin over 1 year

    I have configured SSL on my LEMP with a self-signed certificate according to the instructions here: https://www.digitalocean.com/community/tutorials/how-to-create-a-self-signed-ssl-certificate-for-nginx-in-ubuntu-16-04

    The ONLY exception is the default_server which I will not be able to use because this will be a multi-vhost server (eventually)

    Nothing fails during the entire process until I attempt to browse the site via HTTPS, it fails with Secure Connection Failed with no other option to bypass. (I expect an error based on the self-signed cert, but in Firefox there is usually that 'Advanced' button I can bypass with.)

    I have also verified that the proper ports are open to the server via netstat -ntlp

    (netstat output screenshot)

    You can browse the site here if you wish to see the error message: https://www.azem.us/ (it's non-production, so I'm not real worried about it...)

    Running curl -I https://www.azem.us/ returns the following error: curl: (35) gnutls_handshake() failed: The TLS connection was non-properly terminated.

    What's really got me is that there is nothing in any configured error log.

    What can I do to fix this, and be able to serve up these sites with SSL?

    NOTE: This also happens with a proper SSL certificate from a real CA.

    Progress diagnosing: running openssl s_client -connect www.azem.us:443 returns some interesting info:

    CONNECTED(00000003)
    write:errno=104
    ---
    no peer certificate available
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 0 bytes and written 305 bytes
    ---
    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : 0000
        Session-ID:
        Session-ID-ctx:
        Master-Key:
        Key-Arg   : None
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        Start Time: 1474399712
        Timeout   : 300 (sec)
        Verify return code: 0 (ok)
    ---
    

    I am probably off in my thinking, but doesn't this mean the certificates do not exist on the server? I can verify that they do indeed exist, and are properly configured in my nginx.conf.

    And openssl s_client -verify www.azem.us:443 returns:

    verify depth is 0
    connect: Connection refused
    connect:errno=111
    

    Per nmap from another machine

    Host is up (0.0043s latency).
    Not shown: 998 filtered ports
    PORT    STATE SERVICE
    80/tcp  open  http
    443/tcp open  https
    

    telnet can connect, but the connection is immediately closed when attempting port 443.

    Git repo with the config: https://github.com/kpirnie/LEMP-Command

    Finally getting somewhere... I changed the error_log level for the main nginx.conf and am now getting an error in the log: 2016/09/21 08:22:58 [error] 29557#29557: *4 no "ssl_certificate" is defined in server listening on SSL port while SSL handshaking, client: this.is.my.ip, server: 0.0.0.0:443

    • Jeroen
      Jeroen over 7 years
      With curl I get back "curl: (35) Encountered end of file" without the insecure option. I would look again at your nginx options. Have you run nginx -t?
    • Kevin
      Kevin over 7 years
      @muru, I have disabled that, and the issue still occurs.
    • Kevin
      Kevin over 7 years
      @Jeroen yes, nginx -t is fine
    • muru
      muru over 7 years
      HSTS doesn't go away by just disabling it, browsers remember that setting. Try with a different browser.
    • Kevin
      Kevin over 7 years
      @Jeroen I am also getting fine results back from curl -I over plain HTTP from a remote location to the server; HTTPS is not.
    • Kevin
      Kevin over 7 years
      The same issue still results with multiple browsers across multiple machines (which have never been to the site); also, performing a curl -I against HTTPS returns a curl: (35) gnutls_handshake() failed: The TLS connection was non-properly terminated. error.
    • Ankit Balyan
      Ankit Balyan over 7 years
      Try using Let's Encrypt; it's well explained over here: digitalocean.com/community/tutorials/… Make sure the nginx service is stopped while generating certificates.
    • Kevin
      Kevin over 7 years
      Although I cannot use Let's Encrypt in production, for testing purposes I am making the attempt with nginx stopped; it fails with cannot connect to DOMAIN.
    • Kevin
      Kevin over 7 years
      And again, we are back to square one. I was able to generate the cert by having nginx running. All known errors are above in the question.
    • Jeroen
      Jeroen over 7 years
      My guess is that the problem is with the nginx configuration. Perhaps there is no file served or so? Please add e.g. the sites-available config to your question. And please check the site of Bjorn Johansen and the linked configs. The best tutorial I have found on SSL and nginx.
    • Thomas Ward
      Thomas Ward over 7 years
      Given this happens with legitimate and self-signed certs, it is almost definitely a problem with the configs, or possibly the keys or the cert not being read right. Check /var/log/nginx/error.log for any related TLS errors and please include your configs if possible. (If you see TLS errors in the error.log file, please include the error messages you are seeing as well.)
    • Kevin
      Kevin over 7 years
      My config files are separated. Should I include a link to my git repo? Don't know if that's allowed or not...
    • Kevin
      Kevin over 7 years
      Ok, yeah, it doesn't contain anything "incriminating" lol. I've updated the question with the repo. All configuration is in the /etc folder.
    • Kevin
      Kevin over 7 years
      I may rework the config structure... though maybe not... it works great so far for non-SSL sites lol
    • Kevin
      Kevin over 7 years
      Sorry... site-specific configurations are in a template in /usr/bin/templates/site-config-template. The rest of the nginx configs are in /etc/nginx/.
    • Kevin
      Kevin over 7 years
      Now we're getting somewhere... So, with that error, I moved the listen directives to the vhost configs. Now I need to mess with the encryption apparently. Getting a new error: The website tried to negotiate an inadequate level of security.