ERR_SSL_PROTOCOL_ERROR in browser with Nginx

I have two apps running behind nginx: one is a website, the other is an API the website gets data from. Both have Let's Encrypt certs. The website loads fine on https, but when it tries to fetch data from the API, there is an ERR_SSL_PROTOCOL_ERROR in the browser console.

I’ve read several nginx/ERR_SSL_PROTOCOL_ERROR posts on the forum but none have remedied the situation. I had the setup working a few days ago; the only thing I can think of that I modified was adding a few sites to sites-enabled. I have since removed those but the problem persists.

I tried removing ssl_session_tickets as per this post but that didn’t fix it.

Here is the config:

fegoze:/etc/nginx$ cat nginx.conf | grep -v '#'
user www-data;
worker_processes auto;
pid /run/;

events {
  worker_connections 768;
}

http {

  sendfile on;
  tcp_nopush on;
  tcp_nodelay on;
  keepalive_timeout 65;
  types_hash_max_size 2048;

  include /etc/nginx/mime.types;
  default_type application/octet-stream;

  ssl_prefer_server_ciphers on;

  access_log /var/log/nginx/access.log;
  error_log /var/log/nginx/error.log;

  gzip on;
  gzip_disable "msie6";

  include /etc/nginx/conf.d/*.conf;
  include /etc/nginx/snippets/redirect-to-https.conf;
  include /etc/nginx/sites-enabled/*;
}

fegoze:/etc/nginx$ sudo cat /etc/nginx/snippets/redirect-to-https.conf
server {
  listen 80;
  listen [::]:80 default_server ipv6only=on;

  # Redirect to https
  return 301 https://$host$request_uri;
}
fegoze:/etc/nginx$ sudo ls -l sites-enabled/
total 0
lrwxrwxrwx 1 root root 50 Apr 15 06:31 -> /etc/nginx/sites-available/
lrwxrwxrwx 1 root root 46 Apr 15 07:56 -> /etc/nginx/sites-available/
fegoze:/etc/nginx$ sudo cat /etc/nginx/sites-enabled/
server {
  # Enable HTTP/2
  listen 443 ssl http2;
  listen [::]:443 ssl http2;

  # Use the Let’s Encrypt certificates
  ssl_certificate /etc/letsencrypt/live/;
  ssl_certificate_key /etc/letsencrypt/live/;

  # Include the SSL configuration from
  include snippets/ssl-params.conf;

  location / {
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-NginX-Proxy true;
    proxy_pass http://localhost:8443/;
    proxy_ssl_session_reuse off;
    proxy_set_header Host $http_host;
    proxy_cache_bypass $http_upgrade;
    proxy_redirect off;
  }
}
fegoze:/etc/nginx$ sudo cat snippets/ssl-params.conf
# See for details on this configuration
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
ssl_session_cache shared:SSL:10m;
#ssl_session_tickets off; # Requires nginx >= 1.5.9
ssl_stapling on; # Requires nginx >= 1.3.7
ssl_stapling_verify on; # Requires nginx >= 1.3.7
resolver valid=300s;
resolver_timeout 5s;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;

# Add our strong Diffie-Hellman group
ssl_dhparam /etc/ssl/certs/dhparam.pem;
fegoze:/etc/nginx$ sudo nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Some other info that might be relevant:

openssl s_client -connect -servername
4987:error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error:/BuildRoot/Library/Caches/

When I try to access an endpoint from the command line:


http: error: SSLError: [SSL: TLSV1_ALERT_INTERNAL_ERROR] tlsv1 alert internal error (_ssl.c:590) while doing GET request to URL:<username>

What did I get wrong?

The daemon/service your nginx reverse proxy is connecting to (localhost:8443), does this also use TLS?

Osiris thanks for looking at this earlier. I re-installed and the issue went away.

I wanted to post a followup, because I had to re-install again for an unrelated issue and the problem re-surfaced. I eventually narrowed it down to how Cloudflare handles subdomains.

They only handle 1 level of subdomains, even if you supply your own certificate on origin and use Full Strict mode.

I have something similar to:


With this setup, the website loads fine, but the api has SSL errors.

I updated it to:


And both website and api have no SSL errors.
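To make the follow-up concrete, here is an added example (not from the original thread, and not nginx's or Cloudflare's code) that applies the RFC 6125 wildcard rule a TLS client uses when it checks a certificate's Subject Alternative Names: a leading `*` matches exactly one DNS label. A certificate for `*.example.com` therefore covers `www.example.com` but not `api.www.example.com`, which is the shape of failure described above for a second-level subdomain. The domain names, the `EDGE_SANS` list and the function names are placeholders chosen for this example.

```python
"""Hostname-vs-SAN matching with the RFC 6125 wildcard rule.

A TLS client accepts a certificate for a hostname only if one of the
certificate's dNSName SAN entries matches it, and a leading '*' in a SAN
matches exactly one DNS label.  So '*.example.com' covers 'www.example.com'
but not 'api.www.example.com'.  Every domain below is a constructed
placeholder; EDGE_SANS imitates a one-level wildcard certificate such as
a CDN edge typically serves for a whole zone.
"""


def san_matches(san: str, hostname: str) -> bool:
    """Return True if a single SAN dNSName entry covers hostname."""
    san_labels = san.lower().rstrip(".").split(".")
    host_labels = hostname.lower().rstrip(".").split(".")
    if "*" in san:
        # The wildcard is only allowed as the whole left-most label, and only
        # when at least two labels follow it ('*.com' is not a valid wildcard).
        if (san_labels[0] != "*"
                or len(san_labels) < 3
                or any("*" in label for label in san_labels[1:])):
            return False
    # Label counts must be equal: '*' never expands to more than one label.
    if len(san_labels) != len(host_labels):
        return False
    return all(p == "*" or p == h for p, h in zip(san_labels, host_labels))


def covered_by(sans, hostname):
    """Return the first SAN entry that covers hostname, or None."""
    for san in sans:
        if san_matches(san, hostname):
            return san
    return None


# Constructed SAN list resembling a one-level wildcard certificate (placeholder).
EDGE_SANS = ("example.com", "*.example.com")


def diagnose(hostname, sans=EDGE_SANS):
    """Explain in one line whether hostname would pass name validation."""
    match = covered_by(sans, hostname)
    if match is not None:
        return f"{hostname}: covered by SAN {match!r}"
    host_depth = len(hostname.rstrip(".").split("."))
    # A wildcard SAN exists but the hostname has more labels than it can cover.
    too_deep = any(
        s.startswith("*.") and host_depth > len(s.split(".")) for s in sans
    )
    reason = (" (one wildcard label only; hostname has too many labels)"
              if too_deep else "")
    return f"{hostname}: NOT covered by any SAN{reason}"


if __name__ == "__main__":
    for host in ("www.example.com", "api.example.com", "api.www.example.com"):
        print(diagnose(host))
```

To check a real deployment, compare the SAN list the edge presents for the hostname (`openssl s_client -connect host:443 -servername host`, then `openssl x509 -noout -text` on the returned certificate) with the one your origin presents for the same name; when the edge's list is a one-level wildcard, the API hostname must sit one label below the zone, as the follow-up above found.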
