ERR_SSL_PROTOCOL_ERROR with Nginx

Chrome on my laptop and phone are returning an ERR_SSL_PROTOCOL_ERROR and SSL Labs is telling me my site doesn’t even have a certificate.

What’s wrong with my configuration?

$ openssl s_client -connect bluma.net:443
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 176 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1556822276
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---

And the site configuration:

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name bluma.net;
    root   /var/www/domains/bluma.net;
    access_log  /var/log/nginx/bluma.net.access.log;
    error_log /var/log/nginx/bluma.net.error.log;

    include /etc/nginx/sites-available/include-php;

    location / {
        if (!-e $request_filename) {
            rewrite ^/(.*) /index.php?q=$1;
        }
    }

    ssl on;
    ssl_certificate /etc/letsencrypt/live/bluma.net/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/bluma.net/privkey.pem; # managed by Certbot
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
    ssl_prefer_server_ciphers on;
    #ssl_session_tickets off;
}

The only thing I can think is that your not forwarding port 443 correctly in to your server.

Hi @bluemanos

there are some curious things. Your ip addresses ( https://check-your-website.server-daten.de/?q=bluma.net ):

Host T IP-Address is auth. ∑ Queries ∑ Timeout
bluma.net A 51.77.59.50 yes 1 0
AAAA yes
www.bluma.net A 104.28.4.73 yes 1 0
A 104.28.5.73 yes 1 0
AAAA 2606:4700:30::681c:449 yes
AAAA 2606:4700:30::681c:549 yes

And there are redirects https -> http:

Domainname Http-Status redirect Sec. G
http://bluma.net/
51.77.59.50 200 0.080 H
http://www.bluma.net/
104.28.4.73 200 0.097 H
http://www.bluma.net/
104.28.5.73 200 0.094 H
http://www.bluma.net/
2606:4700:30::681c:449 200 0.097 H
http://www.bluma.net/
2606:4700:30::681c:549 200 0.094 H
https://www.bluma.net/
104.28.4.73 301 http://www.bluma.net/ 0.173 F
https://www.bluma.net/
104.28.5.73 301 http://www.bluma.net/ 0.170 F
https://www.bluma.net/
2606:4700:30::681c:449 301 http://www.bluma.net/ 0.150 F
https://www.bluma.net/
2606:4700:30::681c:549 301 http://www.bluma.net/ 0.157 F
https://bluma.net/
51.77.59.50 -4 0.144 W
SendFailure - The underlying connection was closed: An unexpected error occurred on a send. Authentication failed because the remote party has closed the transport stream.

A lot of Grade F.

One - https + non-www - doesn’t work. The other - redirect https -> http.

You are right - I fixed this. Unfortunately still the domain is not working :confused:

What says

nginx -t

Check the nginx logs.

nginx -t is and was ok.

Finally, I figured it out what was wrong with the configuration.
Nginx (my version: nginx/1.14.0) needs a one default_server in listen entry also for port 443. I added it to the domain listen 443 default_server ssl;. And after this the domain is working correctly. Hopeful other domains will also works.

1 Like

Now your configuration works.

There is a new check ( https://check-your-website.server-daten.de/?q=bluma.net ):

You use a certificate with only one domain name:

CN=bluma.net
	03.05.2019
	01.08.2019
expires in 90 days	bluma.net - 1 entry

But you have two dns entries. So create one certificate with both domain names and use that.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.