Cannot establish secure connection


#1

Hi everyone,

I’m French and a recent owner of a Raspberry Pi 2. I’m trying to set up a small server on it with nginx.

I’m facing an error when I try to reach my website over https. Firefox, Safari and IE fail to establish a secure connection. I’ve checked all my configuration files but cannot find where the problem comes from.

Here’s the configuration of my virtual host (the name is replaced by ‘mysite.eu’ here):

server {
        listen 443 ssl default_server;
        listen [::]:443 ssl default_server;
        server_name mysite.eu www.mysite.eu
        ssl_certificate /etc/letsencrypt/live/mysite.eu/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/mysite.eu/privkey.pem;
        ssl_session_timeout 1d;
        ssl_session_cache shared:SSL:50m;
        ssl_session_tickets off;

        #Diffie-Hellman key
        #ssl_dhparam /path/to/dhparam.pem;

        ssl_protocols TLSv1.1 TLSv1.2;
        ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GC$
        ssl_prefer_server_ciphers on;

        root /data/mysite.eu/www;
        index index.php index.html index.htm;

        error_page 404 /404.html;
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
                root /data/mysite.eu/www;
        }

        # Error & Access logs
        error_log /data/mysite.eu/logs/error.log error;
        access_log /data/mysite.eu/logs/access.log;

        location / {
                index index.html index.php;
        }

        location ~ [^/].php(/|$) {
                fastcgi_split_path_info ^(.+?.php)(/.*)$;
                fastcgi_pass unix:/var/run/php5-fpm.sock;
                fastcgi_index index.php;
                include fastcgi_params;
                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                fastcgi_param PATH_INFO $fastcgi_path_info;
                fastcgi_param HTTPS on;
        }

        add_header Strict-Transport-Security max-age=15768000;

        ssl_stapling on;
        ssl_stapling_verify on;
        resolver 8.8.8.8 8.8.4.4 valid=86400;
        resolver_timeout 10;

}

I tried to find the error with the SSL checker. Here’s what I get:

No SSL certificates were found on mysite.eu. Make sure that the name resolves to the correct server and that the SSL port (default is 443) is open on your server’s firewall.

My firewall is correctly configured and port 443 is open.

Does anyone have an idea what the problem is?

Thanks in advance,

Arnaud


#2

Hello @Arnaud31500,

You should swap ssl and default_server in your listen directives. Also, you didn’t finish the server_name directive with a semicolon.

listen 443 default_server ssl;
listen [::]:443 default_server ssl;
server_name mysite.eu www.mysite.eu;

I didn’t check any other directives; I’m using my smartphone and it isn’t easy :wink:

Edit: I forgot to say that you should test your configuration using the nginx -t command.

Cheers,
sahsanu
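Added example (not from this thread, and not nginx’s own parser): a small Python tokenizer for nginx directive syntax that shows what the missing semicolon in #1 does. nginx collects whitespace-separated words until it reaches a ‘;’, so ssl_certificate and its path simply become two more server_name arguments and no ssl_certificate directive exists at all, which is consistent with the checker finding no certificate. The BROKEN snippet is a constructed copy of the relevant lines from post #1; FIXED is the same text with the semicolon restored.

```python
"""Toy nginx directive tokenizer, written for this thread (not nginx's own
parser): nginx reads whitespace-separated words until ';', so a directive
that lacks its ';' swallows the following directive as extra arguments."""
import re

# comment | "double-quoted" | 'single-quoted' | { } ; | bare word
TOKEN_RE = re.compile(
    r'\s*(?:(#[^\n]*)|"((?:[^"\\]|\\.)*)"|\'((?:[^\'\\]|\\.)*)\'|([{};])|([^\s{};"\'#]+))')


def tokenize(text):
    """Yield tokens, dropping comments; quoted strings lose their quotes."""
    pos = 0
    while True:
        m = TOKEN_RE.match(text, pos)
        if not m:
            if text[pos:].strip():
                raise ValueError("cannot tokenize near %r" % text[pos:pos + 20])
            return
        pos = m.end()
        comment, dq, sq, delim, word = m.groups()
        if comment is None:
            yield next(t for t in (dq, sq, delim, word) if t is not None)


def parse(text):
    """Tree of (name, args, children); children is None for simple directives."""
    stack, current = [[]], []   # current = words seen since the last ';' or '{'
    for tok in tokenize(text):
        if tok == ';':
            stack[-1].append((current[0], current[1:], None))
            current = []
        elif tok == '{':
            block = []
            stack[-1].append((current[0], current[1:], block))
            stack.append(block)
            current = []
        elif tok == '}':
            if current:
                raise ValueError("directive %r not terminated by ';'" % current[0])
            stack.pop()
        else:
            current.append(tok)
    if current or len(stack) != 1:
        raise ValueError("unterminated configuration")
    return stack[0]


def directives(tree, name):
    """Argument lists of every directive called `name`, at any depth."""
    found = []
    for dname, args, children in tree:
        if dname == name:
            found.append(args)
        if children:
            found.extend(directives(children, name))
    return found


# Constructed copy of the relevant lines from #1: server_name has no ';'.
BROKEN = """
server {
    listen 443 ssl default_server;
    server_name mysite.eu www.mysite.eu
    ssl_certificate /etc/letsencrypt/live/mysite.eu/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mysite.eu/privkey.pem;
}
"""
FIXED = BROKEN.replace("www.mysite.eu\n", "www.mysite.eu;\n")


def report(conf):
    """What nginx actually sees: the server names, and whether any
    ssl_certificate directive exists at all."""
    tree = parse(conf)
    names = [n for args in directives(tree, "server_name") for n in args]
    return {"server_name": names,
            "has_ssl_certificate": bool(directives(tree, "ssl_certificate"))}
```

Running report(BROKEN) lists the certificate path among the server names and reports no ssl_certificate directive; report(FIXED) gives the two expected names and finds the directive.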


#3

Hi sahsanu,

Thank you so much for your help: it works quite well now. :slightly_smiling:
It was probably a stupid mistake, but I’m a newbie at these things :confused:!

Thanks again,

Cheers,

Arnaud


#4

Hi,

I’m reopening this topic because I’m facing a problem with stapling.
In /var/log/nginx/error.log I have a lot of lines like this:

2016/06/12 13:08:48 [warn] 607#0: "ssl_stapling" ignored, host not found in OCSP responder "ocsp.int-x3.letsencrypt.org/

If I try openssl s_client -connect my.domain:443 -tls1 -tlsextdebug -status, the result is:

CONNECTED(00000003)
write:errno=104

no peer certificate available

No client certificate CA names sent

SSL handshake has read 0 bytes and written 0 bytes

New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1465737260
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)

I don’t understand, because my configuration seems to be in accordance with the recommendations:

server {
listen 443 default_server ssl;
listen [::]:443 default_server ssl;
server_name www.my.domain;
ssl_certificate /etc/letsencrypt/live/my.domain/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/my.domain/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/my.domain/chain.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
[…]
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 valid=300s;
resolver_timeout 10s;
[…]
}

Any idea what the problem could be?

Thanks in advance,

Arnaud


#5

Hi, can’t anybody help me find the solution?
Thank you very much.

Arnaud


#6

This problem is driving me crazy; can anyone help? Maybe the problem doesn’t come from LE but from my Nginx config?


#7

Does ping ocsp.int-x3.letsencrypt.org work for you? How about dig @8.8.8.8 ocsp.int-x3.letsencrypt.org?


#8

Double-check that all the listed resolvers are actually reachable and try increasing resolver_timeout (to the default 30s, for example). Additionally, you might turn off IPv6 lookups in the resolver config line by adding “ipv6=off”.

Ref: http://nginx.org/en/docs/http/ngx_http_core_module.html#resolver


#9

Hi @pfg, and thanks for your help. Here are the results; everything seems to work fine.

arnaud@raspserver:~ $ sudo ping ocsp.int-x3.letsencrypt.org
[sudo] password for arnaud: 
PING a771.dscq.akamai.net (2.16.117.99) 56(84) bytes of data.
64 bytes from a2-16-117-99.deploy.akamaitechnologies.com (2.16.117.99): icmp_seq=1 ttl=58 time=39.1 ms
[...]
^C
--- a771.dscq.akamai.net ping statistics ---
68 packets transmitted, 68 received, 0% packet loss, time 67050ms
rtt min/avg/max/mdev = 38.263/40.327/79.124/4.863 ms

arnaud@raspserver:~ $ sudo dig @8.8.8.8 ocsp.int-x3.letsencrypt.org

; <<>> DiG 9.9.5-9+deb8u6-Raspbian <<>> @8.8.8.8 ocsp.int-x3.letsencrypt.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28918
;; flags: qr rd ra; QUERY: 1, ANSWER: 11, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;ocsp.int-x3.letsencrypt.org.    IN    A

;; ANSWER SECTION:
ocsp.int-x3.letsencrypt.org. 97    IN    CNAME    ocsp.int-x3.letsencrypt.org.edgesuite.net.
ocsp.int-x3.letsencrypt.org.edgesuite.net. 21504 IN CNAME a771.dscq.akamai.net.
a771.dscq.akamai.net.    19    IN    A    88.221.83.75
a771.dscq.akamai.net.    19    IN    A    88.221.83.80
a771.dscq.akamai.net.    19    IN    A    88.221.83.67
a771.dscq.akamai.net.    19    IN    A    88.221.83.74
a771.dscq.akamai.net.    19    IN    A    88.221.83.82
a771.dscq.akamai.net.    19    IN    A    88.221.83.81
a771.dscq.akamai.net.    19    IN    A    88.221.83.51
a771.dscq.akamai.net.    19    IN    A    88.221.83.73
a771.dscq.akamai.net.    19    IN    A    88.221.83.83

;; Query time: 62 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sat Jun 25 13:44:48 CEST 2016
;; MSG SIZE  rcvd: 286

arnaud@raspserver:~ $ sudo dig @8.8.4.4 ocsp.int-x3.letsencrypt.org

; <<>> DiG 9.9.5-9+deb8u6-Raspbian <<>> @8.8.4.4 ocsp.int-x3.letsencrypt.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15992
;; flags: qr rd ra; QUERY: 1, ANSWER: 11, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;ocsp.int-x3.letsencrypt.org.    IN    A

;; ANSWER SECTION:
ocsp.int-x3.letsencrypt.org. 33    IN    CNAME    ocsp.int-x3.letsencrypt.org.edgesuite.net.
ocsp.int-x3.letsencrypt.org.edgesuite.net. 21440 IN CNAME a771.dscq.akamai.net.
a771.dscq.akamai.net.    19    IN    A    88.221.83.66
a771.dscq.akamai.net.    19    IN    A    88.221.83.67
a771.dscq.akamai.net.    19    IN    A    88.221.83.82
a771.dscq.akamai.net.    19    IN    A    88.221.83.74
a771.dscq.akamai.net.    19    IN    A    88.221.83.80
a771.dscq.akamai.net.    19    IN    A    88.221.83.65
a771.dscq.akamai.net.    19    IN    A    88.221.83.73
a771.dscq.akamai.net.    19    IN    A    88.221.83.75
a771.dscq.akamai.net.    19    IN    A    88.221.83.81

;; Query time: 58 msec
;; SERVER: 8.8.4.4#53(8.8.4.4)
;; WHEN: Sat Jun 25 13:45:52 CEST 2016
;; MSG SIZE  rcvd: 286

arnaud@raspserver:~ $ sudo dig @208.67.222.222 ocsp.int-x3.letsencrypt.org

; <<>> DiG 9.9.5-9+deb8u6-Raspbian <<>> @208.67.222.222 ocsp.int-x3.letsencrypt.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20078
;; flags: qr rd ra; QUERY: 1, ANSWER: 11, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ocsp.int-x3.letsencrypt.org.    IN    A

;; ANSWER SECTION:
ocsp.int-x3.letsencrypt.org. 527 IN    CNAME    ocsp.int-x3.letsencrypt.org.edgesuite.net.
ocsp.int-x3.letsencrypt.org.edgesuite.net. 19816 IN CNAME a771.dscq.akamai.net.
a771.dscq.akamai.net.    20    IN    A    88.221.83.57
a771.dscq.akamai.net.    20    IN    A    88.221.83.83
a771.dscq.akamai.net.    20    IN    A    88.221.83.51
a771.dscq.akamai.net.    20    IN    A    88.221.83.75
a771.dscq.akamai.net.    20    IN    A    88.221.83.81
a771.dscq.akamai.net.    20    IN    A    88.221.83.56
a771.dscq.akamai.net.    20    IN    A    88.221.83.80
a771.dscq.akamai.net.    20    IN    A    88.221.83.59
a771.dscq.akamai.net.    20    IN    A    88.221.83.58

;; Query time: 53 msec
;; SERVER: 208.67.222.222#53(208.67.222.222)
;; WHEN: Sat Jun 25 13:46:11 CEST 2016
;; MSG SIZE  rcvd: 286

arnaud@raspserver:~ $ sudo dig @208.67.220.220 ocsp.int-x3.letsencrypt.org

; <<>> DiG 9.9.5-9+deb8u6-Raspbian <<>> @208.67.220.220 ocsp.int-x3.letsencrypt.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3920
;; flags: qr rd ra; QUERY: 1, ANSWER: 11, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ocsp.int-x3.letsencrypt.org.    IN    A

;; ANSWER SECTION:
ocsp.int-x3.letsencrypt.org. 599 IN    CNAME    ocsp.int-x3.letsencrypt.org.edgesuite.net.
ocsp.int-x3.letsencrypt.org.edgesuite.net. 16073 IN CNAME a771.dscq.akamai.net.
a771.dscq.akamai.net.    20    IN    A    88.221.83.74
a771.dscq.akamai.net.    20    IN    A    88.221.83.75
a771.dscq.akamai.net.    20    IN    A    88.221.83.73
a771.dscq.akamai.net.    20    IN    A    88.221.83.83
a771.dscq.akamai.net.    20    IN    A    88.221.83.57
a771.dscq.akamai.net.    20    IN    A    88.221.83.80
a771.dscq.akamai.net.    20    IN    A    88.221.83.51
a771.dscq.akamai.net.    20    IN    A    88.221.83.56
a771.dscq.akamai.net.    20    IN    A    88.221.83.81

;; Query time: 61 msec
;; SERVER: 208.67.220.220#53(208.67.220.220)
;; WHEN: Sat Jun 25 13:46:27 CEST 2016
;; MSG SIZE  rcvd: 286

#10

Dear @leader,

I’ve tried your configuration but unfortunately it doesn’t change anything. openssl s_client -connect my.domain:443 -tls1 -tlsextdebug -status still gives the same answer…
I can’t understand why it doesn’t work!


#11

You seem to be testing “my.domain” while having the server configured as “www.my.domain”.


#12

Dear @leader,
Thanks for your help.

I’ve tried openssl s_client -connect www.my.domain:443 -tls1 -tlsextdebug -status and it gives the same result…


#13

Add -servername www.my.domain to account for SNI.


#14

In the openssl command? If so, same result…


#15

Just noticed in one of your posts up in the thread:

And then you’re connecting with:

-tls1

From the openssl help screen:

-tls1_2 - just use TLSv1.2
-tls1_1 - just use TLSv1.1
-tls1 - just use TLSv1


#16

tls1_1 and tls1_2 don’t give the same result; maybe it can help:

$ openssl s_client -connect www.my.site:443 -servername www.my.site -tls1_1 -tlsextdebug -status
CONNECTED(00000003)
write:errno=104

no peer certificate available

No client certificate CA names sent

SSL handshake has read 0 bytes and written 0 bytes

New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1466857812
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)

And

$ openssl s_client -connect www.my.site:443 -servername www.my.site -tls1_2 -tlsextdebug -status
CONNECTED(00000003)
TLS server extension "renegotiation info" (id=65281), len=1
0001 - <SPACES/NULS>
TLS server extension "EC point formats" (id=11), len=4
0000 - 03 00 01 02                                       ....
TLS server extension "heartbeat" (id=15), len=1
0000 - 01                                                .
OCSP response: no response sent
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = my.site
verify return:1

Certificate chain
 0 s:/CN=my.site
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3

Server certificate
subject=/CN=my.site
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
No client certificate CA names sent

SSL handshake has read 3031 bytes and written 449 bytes

New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 075A4E2E09B8D537035FD531606F1D0412984DDDB44AFFBF6A9D468A82B10EAD
    Session-ID-ctx: 
    Master-Key: BEDA95400EA7E5580AC39257E15C620BC67D425358963104CB81C1DE0A299A3DE96595DBDAC15DA7FCED902E7B1869DC
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1466857920
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)

closed

#17

Let’s rewind for a sec: basically, you seem to have a correctly installed certificate, but you are not receiving an OCSP response as expected, and there seems to be an error in the Nginx logs related to stapling, correct?

I have just tried a few configurations of Nginx with LE certs and they seem to work fine (btw, if the intermediate certs are in the same file as the domain cert, ssl_trusted_certificate is not needed). You need to keep in mind that unless you have prepared an ssl_stapling_file, the first time you query Nginx there will be no OCSP response sent back. On retry there should be, though.

P.S. Please always note in your post if you have changed something in the configuration since the original posting. For example, you seem to have dropped TLSv1.1 from the protocols since the original post. That, combined with a limited list of acceptable ciphers and enforced server preference, will cause quite a few clients to fail when trying to connect.


#18

Exactly!

What do you mean? Is there a step I missed?

My configuration file has not been changed at all, and I’m surprised that TLSv1.1 doesn’t work because it is still in my config. Do you think that the limited list of acceptable ciphers could be the cause of my problem?

To help, here is my entire config file:

1. nginx.conf

user www-data;
worker_processes 4;
pid /run/nginx.pid;

events {
    worker_connections 768;
    # multi_accept on;
}

http {

    ##
    # Basic Settings
    ##

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    client_header_timeout 10;
    client_body_timeout 10;
    send_timeout 10;
    types_hash_max_size 2048;
    server_tokens off;

    # server_names_hash_bucket_size 64;
    # server_name_in_redirect off;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    ##
    # SSL Settings
    ##

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
    ssl_prefer_server_ciphers on;

    ##
    # Logging Settings
    ##

    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    ##
    # Gzip Settings
    ##

    gzip on;
    gzip_disable "msie6";

    gzip_min_length 1100;
    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_buffers 16 8k;
    gzip_http_version 1.1;
    gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript images/svg+xml application/x-font-ttf font/opentype application/vnd.ms-fontobject;

    ##
    # Virtual Host Configs
    ##

    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;

    ##
    # Protection against DDOS attacks
    ##

    # Max connections per IP
    limit_conn_zone $binary_remote_addr zone=limit_per_ip:10m;
    limit_conn limit_per_ip 15;

    # Max requests/s per IP
    limit_req_zone $binary_remote_addr zone=allips:10m rate=100r/s;
    limit_req zone=allips burst=100 nodelay;
    limit_conn_status 403;
    limit_req_status 403;
}


#mail {
#    # See sample authentication script at:
#    # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
# 
#    # auth_http localhost/auth.php;
#    # pop3_capabilities "TOP" "USER";
#    # imap_capabilities "IMAP4rev1" "UIDPLUS";
# 
#    server {
#        listen     localhost:110;
#        protocol   pop3;
#        proxy      on;
#    }
# 
#    server {
#        listen     localhost:143;
#        protocol   imap;
#        proxy      on;
#    }
#}

2. Specific conf file in “sites-available”

upstream php-handler {
    server 127.0.0.1:9000;
    #server unix:/var/run/php5-fpm.sock;
}

##
# SSL configuration
##

server {
    server_name  my.site;
    rewrite ^(.*) https://www.my.site$1 permanent;
}

server {
    listen 443 default_server ssl;
    listen [::]:443 default_server ssl;
    server_name www.my.site;
    ssl_certificate /etc/letsencrypt/live/my.site/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/my.site/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/my.site/chain.pem;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;

    #Diffie-Hellman key
    ssl_dhparam /etc/ssl/private/dhparams.pem;

    ssl_protocols TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
    ssl_prefer_server_ciphers on;

    root /data2/my.site/www;
    index index.php index.html index.htm;

    error_page 404 /404.html;
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /data2/my.site/www;
    }

    # Error & Access logs
    error_log /var/log/nginx/error.log;
    access_log /var/log/nginx/access.log;

    client_max_body_size 10G; # set max upload size
    fastcgi_buffers 64 4K;

    # ownCloud blacklist
    location ~ ^/owncloud/(?:\.htaccess|data|config|db_structure\.xml|README) {
        deny all;
        error_page 403 = /owncloud/core/templates/403.php;
    }

    location / {
        index index.html index.php;
    }

    location /owncloud/ {
        error_page 403 = /owncloud/core/templates/403.php;
        error_page 404 = /owncloud/core/templates/404.php;

        rewrite ^/owncloud/caldav(.*)$ /remote.php/caldav$1 redirect;
        rewrite ^/owncloud/carddav(.*)$ /remote.php/carddav$1 redirect;
        rewrite ^/owncloud/webdav(.*)$ /remote.php/webdav$1 redirect;

        rewrite ^(/owncloud/core/doc[^\/]+/)$ $1/index.html;

        # The following rules are only needed with webfinger
        rewrite ^/owncloud/.well-known/host-meta /public.php?service=host-meta last;
        rewrite ^/owncloud/.well-known/host-meta.json /public.php?service=host-meta-json last;
        rewrite ^/owncloud/.well-known/carddav /remote.php/carddav/ redirect;
        rewrite ^/owncloud/.well-known/caldav /remote.php/caldav/ redirect;

        try_files $uri $uri/ index.php;
    }

    autoindex off;

    location ~ [^/].php(/|$) {
        fastcgi_split_path_info ^(.+?.php)(/.*)$;
        fastcgi_pass unix:/var/run/php5-fpm.sock;
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_param HTTPS on;
    }

    # Optional: set long EXPIRES header on static assets
    location ~* ^/owncloud(/.+\.(jpg|jpeg|gif|bmp|ico|png|css|js|swf))$ {
        expires 30d;
        access_log off;  # Optional: Don't log access to assets
    }

    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";

    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 valid=300s ipv6=off;
    resolver_timeout 30s;

# Serve static files directly
    #location ~* \.(png|jpe?g|gif|ico)$ {
        #expires 1y;
        #access_log off;
        #try_files $uri $uri/ @rewrite;
        #gzip off;
    #}
    #location ~* \.(mp3)$ {
        #expires 1y;
        #access_log off;
        #gzip off;
    #}
    #location ~* \.(css)$ {
        #expires 1d;
        #access_log off;
    #}
    #location ~* \.(js)$ {
        #expires 1h;
        #access_log off;
    #}

    # phpMyAdmin in disguise
    location /adminmail {
        root /usr/share/;
        index index.php index.html index.htm;
        location ~ ^/adminmail/(.+\.php)$ {
            root /usr/share/;
            #include fastcgi-gen.conf;
            fastcgi_pass unix:/var/run/php5-fpm.sock;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            include /etc/nginx/fastcgi_params;
            fastcgi_buffer_size 128k;
            fastcgi_buffers 256 4k;
            fastcgi_busy_buffers_size 256k;
            fastcgi_temp_file_write_size 256k;
            fastcgi_read_timeout 240;
        }
        location ~* ^/phpmyadmin/(.+\.(jpg|jpeg|gif|css|png|js|ico|html|xml|txt))$ {
            root /usr/share/;
        }
    }
    location /phpMyAdmin {
        rewrite ^/* /phpmyadmin last;
    }

}

##
# Redirect plain http
##

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    return 301 https://$host$request_uri;
}

Thanks again for your help!

P.S.: Ooooops! You’re right: TLSv1.1 is not in my config anymore; I removed it after my first messages some weeks ago…


#19

I mean that when running that openssl test command against the restarted/reloaded Nginx, it would first return:

OCSP response: no response sent

But if you repeat that test command, it should start returning:

verify return:1
OCSP response:

OCSP Response Data:
OCSP Response Status: successful (0x0)
Response Type: Basic OCSP Response

Your settings for ssl_protocols and ssl_ciphers should not be affecting the process. In fact, I have just reconfigured one server with the same ones just to be sure and it works fine, as expected.

It does seem that the issue might be related to networking and resolvers in particular. Try dropping OpenDNS and leaving just Google Public DNS and see if that helps:

    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 30s;

Additionally you could try setting http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling_responder explicitly.
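Added example (not from this thread, and not part of OpenSSL): a small Python classifier that reads captured openssl s_client -status output the way the thread reads it by hand. It reports whether the server acknowledged the status_request extension (id=5, present in the #20 output but not in #16), whether a staple was delivered, the certificate status, and whether the This Update / Next Update window covers a given time. The two sample outputs are constructed, trimmed copies of the outputs posted in #16 and #20.

```python
"""Classify captured `openssl s_client -status` output the way this thread reads
it by hand: did the server acknowledge status_request, was a staple delivered,
what does it say, and is its validity window still current?"""
import re
from datetime import datetime, timezone

# Constructed samples, trimmed from the two outputs posted in this thread.
NO_STAPLE = """\
CONNECTED(00000003)
TLS server extension "renegotiation info" (id=65281), len=1
TLS server extension "heartbeat" (id=15), len=1
OCSP response: no response sent
depth=0 CN = my.site
verify return:1
"""

STAPLED = """\
CONNECTED(00000003)
TLS server extension "renegotiation info" (id=65281), len=1
TLS server extension "status request" (id=5), len=0
depth=0 CN = my.site
verify return:1
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Responder Id: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
    Produced At: Jun 22 08:06:00 2016 GMT
    Cert Status: good
    This Update: Jun 22 08:00:00 2016 GMT
    Next Update: Jun 29 08:00:00 2016 GMT
======================================
"""

OPENSSL_TIME = "%b %d %H:%M:%S %Y GMT"


def utc(*args):
    """Aware UTC datetime, e.g. utc(2016, 6, 25, 12)."""
    return datetime(*args, tzinfo=timezone.utc)


def field(output, label):
    """Value of an indented 'Label: value' line in the OCSP Response Data."""
    m = re.search(r"^\s*%s:\s*(.+?)\s*$" % re.escape(label), output, re.M)
    return m.group(1) if m else None


def classify_staple(output, now):
    """Summarise the staple (or its absence) in s_client output; `now` is the
    aware datetime against which the This Update / Next Update window is judged."""
    result = {
        # id=5 present means the server agreed to staple; it is absent in #16.
        "status_request_acked": '"status request" (id=5)' in output,
        "stapled": False, "response_status": None, "cert_status": None,
        "fresh": None,
    }
    if "OCSP response: no response sent" in output or "OCSP Response Data:" not in output:
        return result
    result["stapled"] = True
    result["response_status"] = field(output, "OCSP Response Status")
    result["cert_status"] = field(output, "Cert Status")
    this_update, next_update = field(output, "This Update"), field(output, "Next Update")
    if this_update and next_update:
        start = datetime.strptime(this_update, OPENSSL_TIME).replace(tzinfo=timezone.utc)
        end = datetime.strptime(next_update, OPENSSL_TIME).replace(tzinfo=timezone.utc)
        result["fresh"] = start <= now < end
    return result
```

A second connection after a reload is what should flip "stapled" from False to True, as described above; a staple that is present but not "fresh" points at nginx being unable to refresh it from the responder.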


#20

You are right! Removing OpenDNS seems to fix the problem :slight_smile: :

$ openssl s_client -connect www.my.site:443 -tls1_2 -tlsextdebug -status
CONNECTED(00000003)
TLS server extension "renegotiation info" (id=65281), len=1
0001 - <SPACES/NULS>
TLS server extension "EC point formats" (id=11), len=4
0000 - 03 00 01 02                                       ....
TLS server extension "status request" (id=5), len=0
TLS server extension "heartbeat" (id=15), len=1
0000 - 01                                                .
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = my.site
verify return:1
OCSP response: 
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
    Produced At: Jun 22 08:06:00 2016 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: 7EE66AE7729AB3FCF8A220646C16A12D6071085D
      Issuer Key Hash: A84A6A63047DDDBAE6D139B7A64565EFF3A8ECA1
      Serial Number: 0305327B9AD237A34CBB9F50718C35EC5D22
    Cert Status: good
    This Update: Jun 22 08:00:00 2016 GMT
    Next Update: Jun 29 08:00:00 2016 GMT

    Signature Algorithm: sha256WithRSAEncryption
======================================
---
Certificate chain
 0 s:/CN=my.site
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
subject=/CN=my.site
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
No client certificate CA names sent
---
SSL handshake has read 3580 bytes and written 424 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: F77B960F31D0ECF856B8B415EF6A080F4D5F97503A516B4271AB313B689D6A6F
    Session-ID-ctx: 
    Master-Key: BC8012E4A56A327DC877BA410D53B03A7777F27316331944AA0E12E6DC2D6ABFDA5BE32081DC9EF45E5ED3204540B983
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1466892055
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---
closed

Thank you very much for your help, I appreciate it!