ERR_SSL_PROTOCOL_ERROR with Nginx and Amazon Linux 2

My domain is: blaseball.com

I just ran certbot --nginx and the keys were generated, but I get an ERR_SSL_PROTOCOL_ERROR when trying to access the domain. However, the IP addresses work (http://34.217.100.7:3000/ and http://34.217.100.7:443).

SSL Labs (https://www.ssllabs.com/ssltest/analyze.html?d=blaseball.com) tells me that there are no secure protocols supported by the site.

I will post my nginx.conf below. If it helps, I’m running a Node/Express stack with a React frontend which is being served statically via Express. Everything was working fine without HTTPS, so I don’t think the client / server is at fault.

My web server is (include version): Nginx 1.18.0

The operating system my web server runs on is (include version): Amazon Linux 2

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 1.5.0

Here is my nginx conf:

    user nginx;
    worker_processes auto;
    error_log /var/log/nginx/error.log;
    pid /run/nginx.pid;

    # Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.
    include /usr/share/nginx/modules/*.conf;

    events {
        worker_connections 1024;
    }

    http {
        log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                          '$status $body_bytes_sent "$http_referer" '
                          '"$http_user_agent" "$http_x_forwarded_for"';

        access_log  /var/log/nginx/access.log  main;

        sendfile            on;
        tcp_nopush          on;
        tcp_nodelay         on;
        keepalive_timeout   65;
        types_hash_max_size 4096;

        include             /etc/nginx/mime.types;
        default_type        application/octet-stream;

        # Load modular configuration files from the /etc/nginx/conf.d directory.
        # See http://nginx.org/en/docs/ngx_core_module.html#include
        # for more information.
        include /etc/nginx/conf.d/*.conf;

        server {
            server_name  blaseball.com www.blaseball.com;

            location / {
                proxy_pass http://localhost:3000;
                proxy_http_version 1.1;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection 'upgrade';
                proxy_set_header Host $host;
                proxy_cache_bypass $http_upgrade;
            }

            # Load configuration files for the default server block.
            include /etc/nginx/default.d/*.conf;

            listen [::]:443 ssl ipv6only=on; # managed by Certbot
            listen 443 ssl; # managed by Certbot
            ssl_certificate /etc/letsencrypt/live/blaseball.com/fullchain.pem; # managed by Certbot
            ssl_certificate_key /etc/letsencrypt/live/blaseball.com/privkey.pem; # managed by Certbot
            include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
            ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
        }

        server {
            if ($host = www.blaseball.com) {
                return 301 https://$host$request_uri;
            } # managed by Certbot

            if ($host = blaseball.com) {
                return 301 https://$host$request_uri;
            } # managed by Certbot

            listen       80;
            listen       [::]:80;
            server_name  blaseball.com www.blaseball.com;
            return 404; # managed by Certbot
        }
    }

Something else is bound to port 443, not nginx.

    sudo ss -tlpn | grep -E ":443"

I am guessing it’s your Node/Express program. You need to free up the port so that nginx can bind to it.

Seems to me that no Node / Express program is running on 443?

Hmm. I don’t see how that’s possible. nginx would send a Server header if it was the server responding on :443, but it’s not there:

    $ curl -X GET -I  blaseball.com:443
    HTTP/1.1 200 OK
    X-Powered-By: Express
    Access-Control-Allow-Origin: *
    Accept-Ranges: bytes
    Cache-Control: public, max-age=0
    Last-Modified: Mon, 06 Jul 2020 10:41:50 GMT
    ETag: W/"ae4-17323b7bb6d"
    Content-Type: text/html; charset=UTF-8
    Content-Length: 2788
    Set-Cookie: connect.sid=s%3Ac20Dbgx29l7KcXBsy3zUqPFUy8_fsMnc.vul%2Bk6CQpjXXOJI5zKo3TLso6e57ogfrFrm%2FMShEm9M; Path=/; HttpOnly
    Date: Tue, 07 Jul 2020 03:33:45 GMT
    Connection: keep-alive

Are you sure you’re not doing any funky iptables port redirection stuff on port 443?

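The two checks suggested in this thread (who is bound to :443, and whether a nat PREROUTING rule rewrites :443 before nginx ever sees the packet) can be combined into one script. The following is an added example, not code from the thread or from Certbot; it parses constructed `ss -tlpn` and `iptables -t nat -S PREROUTING` output embedded below, and on a real host you would feed it the live output of those two commands instead.

```shell
#!/bin/sh
# Added example: explain why a TLS listener on :443 is not what clients reach.
# The two samples below are constructed to mirror the situation in the thread:
# nginx really is bound to 443, but a nat rule sends port 443 traffic to 3000.

# Constructed sample of `sudo ss -tlpn` output.
SS_SAMPLE='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      511          0.0.0.0:443       0.0.0.0:*    users:(("nginx",pid=1234,fd=6))
LISTEN 0      511          0.0.0.0:80        0.0.0.0:*    users:(("nginx",pid=1234,fd=7))
LISTEN 0      511                *:3000            *:*    users:(("node",pid=987,fd=20))'

# Constructed sample of `sudo iptables -t nat -S PREROUTING` output.
NAT_SAMPLE='-P PREROUTING ACCEPT
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3000
-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3000'

# listeners_on PORT SS_OUTPUT -> process names with a LISTEN socket on PORT
listeners_on() {
    printf '%s\n' "$2" | awk -v port="$1" '
        $1 == "LISTEN" && $4 ~ (":" port "$") {
            match($0, /"[^"]+"/)
            print substr($0, RSTART + 1, RLENGTH - 2)
        }' | sort -u
}

# nat_redirects_for PORT NAT_RULES -> PREROUTING rules that rewrite PORT
nat_redirects_for() {
    printf '%s\n' "$2" | awk -v port="$1" '
        /^-A PREROUTING/ && $0 ~ ("--dport " port " ") && /-j (REDIRECT|DNAT)/'
}

# diagnose PORT SS_OUTPUT NAT_RULES -> one-line verdict; exit 1 if PORT is hijacked
diagnose() {
    port="$1"
    procs=$(listeners_on "$port" "$2")
    rules=$(nat_redirects_for "$port" "$3")
    if [ -n "$rules" ]; then
        printf 'port %s is rewritten before reaching %s: %s\n' "$port" "${procs:-nobody}" "$rules"
        return 1
    fi
    if [ -z "$procs" ]; then
        printf 'nothing listens on port %s\n' "$port"
        return 1
    fi
    printf 'port %s is served by %s\n' "$port" "$procs"
}

diagnose 443 "$SS_SAMPLE" "$NAT_SAMPLE" || echo 'remove the NAT rule before re-testing TLS'
```

A REDIRECT or DNAT rule explains exactly the symptom seen above: `ss` shows nginx on 443, yet the HTTP response comes back with Express headers and no `Server: nginx` line.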

That was it, thank you so much! We had a previous PREROUTING rule in iptables, so I just reset everything to the defaults.
