nginx ssl configuration per virtual host
It turned out that there was at least one enabled virtual host which was bound to port 443 and didn't have SSL configured properly (the ssl_certificate_key and ssl_certificate parameters were missing).
I don't know why, but nginx didn't complain about this and instead the other virtual hosts were broken.
Maciej Dobrowolski
Updated on September 18, 2022

Comments
-
Maciej Dobrowolski over 1 year
I am switching the configuration from a single host to several virtual hosts on the nginx server. Until my changes, SSL was working correctly, but after adding several virtual hosts, each with a unique domain name and, consequently, a different certificate, SSL does not want to work.
My original configuration was:
    # fragment of nginx.conf file
    http {
        # ...
        ssl_certificate_key /path/to/privkey.pem;
        ssl_certificate /path/to/fullchain.pem;
        ssl_dhparam /path/to/dhparam;
        # ...
    }
So, this is a single certificate for the nginx server.
After adding several virtual hosts, I want them to present their own, correct certificates for their domains. So I removed all SSL-related params from the main nginx.conf file and added them to the virtual host files like this:

    # fragment of sites-enabled/my.server.com file
    server {
        listen 443 ssl;
        root "/var/www/my.server.com/";
        server_name my.server.com www.my.server.com;

        location / {
            try_files $uri $uri/ /index.html;
        }

        ssl_certificate_key /path/to/my/server/com/privkey.pem;
        ssl_certificate /path/to/my/server/com/fullchain.pem;
        ssl_dhparam /path/to/my/server/com/dhparam;
    }
After reloading nginx I am unable to connect to these virtual hosts:

    # curl https://my.server.com
    curl: (35) gnutls_handshake() failed: The TLS connection was non-properly terminated.

    # openssl s_client -connect my.server.com:443
    CONNECTED(00000003)
    140524682454680:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:
    ---
    no peer certificate available
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 0 bytes and written 305 bytes
    ---
    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : 0000
        Session-ID:
        Session-ID-ctx:
        Master-Key:
        Key-Arg   : None
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        Start Time: 1488541876
        Timeout   : 300 (sec)
        Verify return code: 0 (ok)
    ---
For me, it really looks like nginx cannot find/read the certificate file, but that's not the case, as the paths are exactly the same as in the configuration without virtual hosts.
After looking at /var/logs/nginx/error.log I also found the line:

    *39 no "ssl_certificate" is defined in server listening on SSL port while SSL handshaking
I am sure it's something really small and stupid that I am missing. Can anyone see what I am doing wrong?
-
user84207 over 5 years
It would be better if there were a more useful error message in a situation like this.
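The answer above explains the failure but not how to find the offending block, and the question shows that the only visible symptom was a handshake failure on every vhost. The script below is an added example (not code from the question, the answer, or nginx itself) that audits a configuration for exactly this situation. It reads server blocks with a deliberately minimal parser (directives end in ';', blocks are 'name args { ... }', '#' comments; 'include' is not followed and listen addresses are grouped by port only, all simplifications assumed here), then applies two rules nginx uses: the ssl flag on a listen directive applies to every server sharing that port, and the handshake on a port starts with the default_server (else the first server declared), so a default server without ssl_certificate/ssl_certificate_key breaks every vhost on the port before SNI is even consulted. The sample configuration embedded in the block is constructed for this example; the file names, paths and hostnames in it are illustrative.

```python
"""Audit nginx server blocks for SSL listeners that have no certificate.

Added example, not code from the original page or from nginx. The parser
below handles only a minimal subset of the nginx grammar (assumption).
"""
import re
from dataclasses import dataclass, field

# Constructed sample: the vhost that sorts first in sites-enabled binds to
# 443 but carries no certificate, so it becomes the default server for 443.
CONSTRUCTED_CONFIG = """
# sites-enabled/00-legacy.server.com  (constructed, loads first)
server {
    listen 443;
    server_name legacy.server.com;
    root /var/www/legacy.server.com/;
}

# sites-enabled/my.server.com  (constructed, mirrors the block in the question)
server {
    listen 443 ssl;
    root "/var/www/my.server.com/";
    server_name my.server.com www.my.server.com;
    location / { try_files $uri $uri/ /index.html; }
    ssl_certificate_key /path/to/my/server/com/privkey.pem;
    ssl_certificate /path/to/my/server/com/fullchain.pem;
    ssl_dhparam /path/to/my/server/com/dhparam;
}

server {
    listen 80;
    server_name my.server.com www.my.server.com;
    return 301 https://$host$request_uri;
}
"""

# quoted string | brace or semicolon | bare word
TOKEN_RE = re.compile(r'"[^"]*"|\'[^\']*\'|[{};]|[^\s{};"\']+')


@dataclass
class Server:
    order: int                                  # file order; first one is the default
    directives: dict = field(default_factory=dict)

    def get(self, name):
        return self.directives.get(name, [])

    @property
    def names(self):
        return [n for args in self.get("server_name") for n in args] or ["(no server_name)"]

    @property
    def has_certificate(self):
        return bool(self.get("ssl_certificate")) and bool(self.get("ssl_certificate_key"))


def parse_servers(text):
    """Collect the directives that sit directly inside each server { } block."""
    text = re.sub(r"#[^\n]*", "", text)          # drop comments
    servers, stack, pending, current = [], [], [], None
    for tok in TOKEN_RE.findall(text):
        if tok == "{":
            block = pending[0] if pending else ""
            if block == "server" and current is None:
                current = Server(order=len(servers))
                servers.append(current)
            stack.append(block)
            pending = []
        elif tok == "}":
            if stack.pop() == "server":
                current = None
            pending = []
        elif tok == ";":
            # ignore directives nested in location { } etc.; only server-level ones matter here
            if current is not None and stack[-1] == "server" and pending:
                args = [a.strip("\"'") for a in pending[1:]]
                current.directives.setdefault(pending[0], []).append(args)
            pending = []
        else:
            pending.append(tok)
    return servers


def port_of(addr):
    """'443' -> '443', '*:443' -> '443', '[::]:443' -> '443', 'localhost' -> '80'."""
    last = addr.rsplit(":", 1)[-1]
    return last if last.isdigit() else "80"


def listen_ports(servers):
    """Group servers by port. The ssl flag is shared by every server on the port,
    and the default_server (else the first declared) owns the initial handshake."""
    ports = {}
    for srv in servers:
        for args in srv.get("listen"):
            p = ports.setdefault(port_of(args[0]), {"ssl": False, "default": None, "servers": []})
            p["servers"].append(srv)
            p["ssl"] = p["ssl"] or "ssl" in args[1:]
            if "default_server" in args[1:] or "default" in args[1:]:
                p["default"] = srv
    for p in ports.values():
        if p["default"] is None:
            p["default"] = p["servers"][0]
    return ports


def audit(text):
    """Return (port, server_names, is_default) for every SSL server without a cert.

    is_default=True is the case from the answer: nginx has no SSL context for
    the default server, so every handshake on that port fails before SNI can
    select the vhost that does have a certificate.
    """
    findings = []
    for port, p in sorted(listen_ports(parse_servers(text)).items()):
        if not p["ssl"]:
            continue
        for srv in p["servers"]:
            if not srv.has_certificate:
                findings.append((port, srv.names, srv is p["default"]))
    return findings


if __name__ == "__main__":
    for port, names, is_default in audit(CONSTRUCTED_CONFIG):
        role = "DEFAULT server" if is_default else "server"
        print(f"port {port}: {role} {' '.join(names)} has no ssl_certificate/ssl_certificate_key")
```

In practice, feed it the output of nginx -T (which dumps the fully merged configuration, includes resolved) rather than individual files, and keep running nginx -t after every change; the question shows that the handshake-time log line was the only signal this version gave. When testing by hand, pass -servername to openssl s_client so the SNI path is actually exercised; it still will not help while the default server on the port lacks a certificate, which is the point of the answer.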