Nginx SSL Configuration Failing
After much discussion and deliberation here, I found what the issue was.
In my main nginx.conf I was setting the listen directives to both port 80 and 443. Once I removed them, and added them to the vhost configurations, it started working.
Kevin
Updated on September 18, 2022
Comments
-
Kevin over 1 year
I have configured SSL on my LEMP with a self-signed certificate according to the instructions here: https://www.digitalocean.com/community/tutorials/how-to-create-a-self-signed-ssl-certificate-for-nginx-in-ubuntu-16-04
The ONLY exception is the default_server, which I will not be able to use because this will be a multi-vhost server (eventually).
Nothing fails during the entire process until I attempt to browse the site via HTTPS; it fails with
Secure Connection Failed
with no other option to bypass. (I expect an error based on the self-signed cert, but in Firefox there is usually that 'Advanced' button I can bypass with.)
I have also verified that the proper ports are open to the server via
netstat -ntlp
You can browse the site here if you wish to see the error message: https://www.azem.us/ (it's non-production, so I'm not real worried about it...)
Running curl -I https://www.azem.us/ is returning me the following error:
curl: (35) gnutls_handshake() failed: The TLS connection was non-properly terminated.
What's really got me, is there is nothing in any configured error log.
What can I do to fix this, and be able to serve up these sites with SSL?
NOTE: This also happens with a proper SSL certificate from a real CA.
Progress Diagnosing
Running openssl s_client -connect www.azem.us:443 is returning me some interesting info:
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 305 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1474399712
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
I am probably off in my thinking, but doesn't this mean the certificates do not exist on the server? I can verify that they do indeed exist, and are properly configured in my nginx.conf.
And with: openssl s_client -verify www.azem.us:443
Returns:
verify depth is 0
connect: Connection refused
connect:errno=111
Per nmap from another machine:
Host is up (0.0043s latency).
Not shown: 998 filtered ports
PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https
telnet can connect, but immediately closes the connection when attempting port 443.
GIT REPO to config: https://github.com/kpirnie/LEMP-Command
Finally getting somewhere... I changed the error_log level for the main nginx.conf and am now getting an error in the log:
2016/09/21 08:22:58 [error] 29557#29557: *4 no "ssl_certificate" is defined in server listening on SSL port while SSL handshaking, client: this.is.my.ip, server: 0.0.0.0:443
-
Jeroen over 7 years
With curl I get back "curl: (35) Encountered end of file" w/o the insecure option. I would look again at your nginx options. Have you run nginx -t?
-
Kevin over 7 years
@muru, I have disabled that, and the issue still occurs.
-
Kevin over 7 years
@Jeroen yes, nginx -t is fine
-
muru over 7 years
HSTS doesn't go away by just disabling it; browsers remember that setting. Try with a different browser.
-
Kevin over 7 years
@Jeroen I am also getting fine results back from curl -I on http protocol from a remote to server location; https is not
-
Kevin over 7 years
The same issue still results with multiple browsers across multiple machines (which have never been to the site); also, performing a curl -I against the https is returning a "curl: (35) gnutls_handshake() failed: The TLS connection was non-properly terminated." error
-
Ankit Balyan over 7 years
Try using Let's Encrypt. It is well explained over here: digitalocean.com/community/tutorials/… Make sure the nginx service is stopped while generating certificates.
-
Kevin over 7 years
Although I cannot use letsencrypt in production, for testing purposes I am making the attempt with nginx stopped; it fails with cannot connect to DOMAIN
-
Kevin over 7 years
And again, we are back to square one. I was able to generate the cert, via having nginx running. All known errors are above in the question.
-
Jeroen over 7 years
My guess is that the problem is with the nginx configuration. Perhaps there is no file served or so? Please add e.g. the sites-available config to your question. And please check the site of Bjorn Johansen and the linked configs. The best tutorial I have found on SSL and nginx.
-
Thomas Ward over 7 years
Given this happens with legitimate and self-signed certs, it is almost definitely a problem with the configs, or possibly the keys or the cert not being read right. Check /var/log/nginx/error.log for any related TLS errors and please include your configs if possible. (If you see TLS errors in the error.log file, please include the error messages you are seeing as well.)
-
Kevin over 7 years
My config files are separated. Should I include a link to my git repo? Don't know if that's allowed or not...
-
Kevin over 7 years
Ok, yeah, it doesn't contain anything "incriminating" lol. I've updated the question with the repo. All configuration is in the /etc folder.
-
Kevin over 7 years
I may rework the config structure... though may not... works great so far for non-ssl sites lol
-
Kevin over 7 years
Sorry... site-specific configurations are in a template in /usr/bin/templates/site-config-template. The rest of the nginx configs are in /etc/nginx/
-
Kevin over 7 years
Now we're getting somewhere... So, with that error, I moved the listen directives to the vhost configs. Now I need to mess with the encryption apparently. Getting a new error:
The website tried to negotiate an inadequate level of security.
-
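The layout the accepted answer settles on (no listen directives in the main nginx.conf, every listen inside the per-site file) together with the certificate and protocol settings the last comment still needed, written out as an added example. This is not the LEMP-Command repository's configuration and not code from anyone in the thread; hostnames, certificate paths and the document root are placeholders, and the cipher list is the widely used ECDHE/AEAD set, an assumption rather than anything the page prescribes.

```nginx
# /etc/nginx/nginx.conf  (main file: deliberately contains NO listen directive)
user www-data;
worker_processes auto;
events { worker_connections 1024; }

http {
    include /etc/nginx/mime.types;
    sendfile on;
    # A bare "listen 443" here (or in any server{} with no ssl_certificate)
    # makes nginx accept the TCP connection and then reset it mid-handshake,
    # which is what "write:errno=104" and "SSL handshake has read 0 bytes"
    # in the s_client output look like from the client side.
    include /etc/nginx/sites-enabled/*;
}

# /etc/nginx/sites-enabled/example.conf  (one vhost; all listen directives live here)
server {
    listen 80;
    server_name example.com www.example.com;   # placeholder hostnames
    return 301 https://$host$request_uri;       # plain HTTP only redirects
}

server {
    listen 443 ssl;
    server_name example.com www.example.com;   # placeholder hostnames

    # Both are required on the SSL port. Missing them produces the error the
    # question eventually logged:
    #   no "ssl_certificate" is defined in server listening on SSL port
    ssl_certificate     /etc/ssl/certs/example.crt;    # placeholder path
    ssl_certificate_key /etc/ssl/private/example.key;  # placeholder path

    # Explicit protocol and cipher policy. An empty, legacy-only or
    # non-AEAD list is a common cause of the browser message
    # "The website tried to negotiate an inadequate level of security".
    # TLSv1.3 needs nginx 1.13+ built against OpenSSL 1.1.1; drop it on older builds.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;

    # HSTS: browsers cache this header (muru's point in the comments), so only
    # enable it once HTTPS is confirmed working, and test with a fresh profile.
    add_header Strict-Transport-Security "max-age=63072000" always;

    root /var/www/example;   # placeholder document root
    index index.html;
}
```

After editing, run nginx -t and reload; then the handshake can be rechecked with openssl s_client -connect host:443 -servername host, which should now print the certificate chain and a negotiated cipher instead of "no peer certificate available".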