ERR_SSL_PROTOCOL_ERROR in browser with Nginx


#1

I have two apps running behind nginx, one is a website, the other is an api the website gets data from. Both have letsencrypt certs. The website loads fine on https, but when it tries to fetch data from the api, there is a ERR_SSL_PROTOCOL_ERROR in the browser console.

I’ve read several nginx/ERR_SSL_PROTOCOL_ERROR posts from the forum but none have remedied the situation. I had the setup working a few days ago, the only thing I can think of that I modified was add a few sites to sites-enabled. I have since removed those but the problem persists.

I tried removing ssl_session_tickets as per this post but that didn’t fix it.

Here is the config:

fegoze:/etc/nginx$ cat nginx.conf | grep -v '#'
user www-data;
worker_processes auto;
pid /run/nginx.pid;

events {
  worker_connections 768;
}

http {

  sendfile on;
  tcp_nopush on;
  tcp_nodelay on;
  keepalive_timeout 65;
  types_hash_max_size 2048;

  include /etc/nginx/mime.types;
  default_type application/octet-stream;

  ssl_prefer_server_ciphers on;

  access_log /var/log/nginx/access.log;
  error_log /var/log/nginx/error.log;

  gzip on;
  gzip_disable "msie6";

  include /etc/nginx/conf.d/*.conf;
  include /etc/nginx/snippets/redirect-to-https.conf;
  include /etc/nginx/sites-enabled/*;
}

fegoze:/etc/nginx$ sudo cat /etc/nginx/snippets/redirect-to-https.conf
server {
  listen 80;
  listen [::]:80 default_server ipv6only=on;

  # Redirect to https
  return 301 https://$host$request_uri;
}
fegoze:/etc/nginx$ sudo ls -l sites-enabled/
total 0
lrwxrwxrwx 1 root root 50 Apr 15 06:31 api.example.com -> /etc/nginx/sites-available/api.example.com
lrwxrwxrwx 1 root root 46 Apr 15 07:56 example.com -> /etc/nginx/sites-available/example.com
fegoze:/etc/nginx$ sudo cat /etc/nginx/sites-enabled/api.example.com
server {
  # Enable HTTP/2
  listen 443 ssl http2;
  listen [::]:443 ssl http2;
  server_name api.example.com;

  # Use the Let’s Encrypt certificates
  ssl_certificate /etc/letsencrypt/live/api.example.com/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/api.example.com/privkey.pem;

  # Include the SSL configuration from cipherli.st
  include snippets/ssl-params.conf;

  location / {
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-NginX-Proxy true;
    proxy_pass http://localhost:8443/;
    proxy_ssl_session_reuse off;
    proxy_set_header Host $http_host;
    proxy_cache_bypass $http_upgrade;
    proxy_redirect off;
  }
}
fegoze:/etc/nginx$ sudo cat snippets/ssl-params.conf
# See https://cipherli.st/ for details on this configuration
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
ssl_session_cache shared:SSL:10m;
#ssl_session_tickets off; # Requires nginx >= 1.5.9
ssl_stapling on; # Requires nginx >= 1.3.7
ssl_stapling_verify on; # Requires nginx >= 1.3.7
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;

# Add our strong Diffie-Hellman group
ssl_dhparam /etc/ssl/certs/dhparam.pem;
fegoze:/etc/nginx$ sudo nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Some other info that might be relevant:

openssl s_client -connect api.example.com:443 -servername api.example.com
CONNECTED(00000003)
4987:error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error:/BuildRoot/Library/Caches/com.apple.xbs/Sources/OpenSSL098/OpenSSL098-59.60.1/src/ssl/s23_clnt.c:593:

When I try to access an endpoint from the command line:

http https://api.example.com/v1/users/<username>

http: error: SSLError: [SSL: TLSV1_ALERT_INTERNAL_ERROR] tlsv1 alert internal error (_ssl.c:590) while doing GET request to URL: https://api.example.com/v1/users/<username>

What did I get wrong?
Thanks


#2

The daemon/service your nginx reverse proxy is connecting to (localhost:8443), does this also use TLS?


#3

The daemon/service your nginx reverse proxy is connecting to (localhost:8443), does this also use TLS?

No


#4

Osiris, thanks for looking at this earlier. I re-installed and the issue went away.


#5

I wanted to post a follow-up, because I had to re-install again for an unrelated issue and the problem resurfaced. I eventually narrowed it down to how Cloudflare handles subdomains.

They only handle 1 level of subdomains, even if you supply your own certificate on origin and use Full Strict mode.

I have something similar to:

website: stage.example.com
api: api.stage.example.com

With this setup, the website loads fine, but the api has SSL errors.

I updated it to:

website: stage.example.com
api: api-stage.example.com

And both website and api have no SSL errors.
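The finding in the follow-up above, and the failing handshake reported in the first post, are both consistent with a certificate that only covers one label below the zone apex: under RFC 6125 a wildcard such as *.example.com matches stage.example.com and api-stage.example.com, but never api.stage.example.com. The script below is an added example (not code from the thread, and not Cloudflare's or nginx's own logic) that implements that one-label matching rule and, optionally, connects to a host with SNI to list the names the served certificate actually carries. The certificate names in the sample are constructed; that the edge certificate involved was a one-level wildcard is an assumption, not something the post states.

```python
"""Check whether a certificate's DNS names cover a hostname, one label at a time.

A wildcard covers exactly one DNS label (RFC 6125 section 6.4.3), so
*.example.com covers stage.example.com and api-stage.example.com but not
api.stage.example.com; the second-level subdomain needs its own SAN entry.
"""
import socket
import ssl


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """Return True if a certificate DNS name (optionally '*.'-prefixed) covers hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[2:]
    # Only a whole leftmost label may be a wildcard, and nothing else may be one.
    if not suffix or "*" in suffix:
        return False
    head, sep, tail = hostname.partition(".")
    # The wildcard consumes exactly one non-empty label; the rest must match verbatim.
    return sep != "" and head != "" and tail == suffix


def covered_by(names, hostname):
    """Return the first certificate name that covers hostname, or None if none does."""
    for name in names:
        if wildcard_matches(name, hostname):
            return name
    return None


def live_san_check(hostname, port=443, timeout=5.0):
    """Connect with SNI and return (covering_name_or_None, dns_sans).

    Requires network access; raises ssl.SSLError if the handshake itself fails
    (for example the 'tlsv1 alert internal error' seen in the first post).
    Hostname matching is disabled in the context so we can report the SANs
    and apply the one-label rule ourselves; chain verification stays on.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
    dns_sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    return covered_by(dns_sans, hostname), dns_sans


if __name__ == "__main__":
    # Constructed example: a one-level wildcard certificate, as assumed above.
    sample_cert_names = ["example.com", "*.example.com"]
    for host in ("stage.example.com", "api.stage.example.com", "api-stage.example.com"):
        print(f"{host:28} covered by: {covered_by(sample_cert_names, host)}")
```

Run it as-is to see the three hostnames from the follow-up classified offline; call live_san_check("api.example.com") to see which names the certificate actually served carries, which is the quickest way to tell a name-coverage problem apart from a broken origin handshake.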
