Error:ssl_error_no_cypher_overlap

Sorry, I did not find port 443.

    brotli on;
    brotli_static on;
    brotli_buffers 16 8k;
    brotli_comp_level 6;
    brotli_types *;


    ##
    # Virtual Host Configs
    ##
    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}


#mail {
#	# See sample authentication script at:
#	# http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
#	# auth_http localhost/auth.php;
#	# pop3_capabilities "TOP" "USER";
#	# imap_capabilities "IMAP4rev1" "UIDPLUS";
#
#	server {
#		listen     localhost:110;
#		protocol   pop3;
#		proxy      on;
#	}
#
#	server {
#		listen     localhost:143;
#		protocol   imap;
#		proxy      on;
#	}
#}

Show:
ls -l /etc/nginx/sites-enabled/
grep -Ei 'listen|cipher' /etc/nginx/sites-enabled/


Last login: Fri Nov 16 13:29:41 2018 from 118.247.236.163
root@101:~# ls -l /etc/nginx/sites-enabled/
total 0
lrwxrwxrwx 1 root root 32 May 17 2018 22222 -> /etc/nginx/sites-available/22222
lrwxrwxrwx 1 root root 34 May 17 2018 default -> /etc/nginx/sites-available/default
lrwxrwxrwx 1 root root 38 May 17 2018 lovcour.com -> /etc/nginx/sites-available/lovcour.com
root@101:~#

root@101:~# grep -Ei 'listen|cipher' /etc/nginx/sites-enabled/
grep: /etc/nginx/sites-enabled/: Is a directory
root@101:~#

Please show:
cat /etc/nginx/sites-available/default
grep -Ei 'listen|cipher' /etc/nginx/sites-enabled/*

root@101:~# cat /etc/nginx/sites-available/default
##
# You should look at the following URL's in order to grasp a solid understanding
# of Nginx configuration files in order to fully unleash the power of Nginx.
# http://wiki.nginx.org/Pitfalls
# http://wiki.nginx.org/QuickStart
# http://wiki.nginx.org/Configuration
#
# Generally, you will want to move this file somewhere, and start with a clean
# file but keep this around for reference. Or just disable in sites-enabled.
#
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
##

# Default server configuration
#

# Catch-all plain-HTTP virtual host: default_server on port 80 for IPv4 and
# IPv6, with the placeholder server_name "_". It has no active TLS listener;
# every 443/ssl line below is commented out.
server {
        listen 80 default_server;
        listen [::]:80 default_server;

        # SSL configuration
        #
        # listen 443 ssl default_server;
        # listen [::]:443 ssl default_server;
        #
        # Self signed certs generated by the ssl-cert package
        # Don't use them in a production server!
        # include snippets/snakeoil.conf;
        #
        # NOTE(review): the sample below still lists TLSv1 and TLSv1.1, which
        # are deprecated; drop them if this section is ever uncommented.
        # ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # don't use SSLv3 ref: POODLE
        # ssl_ciphers HIGH:!aNULL:!MD5;
        # ssl_prefer_server_ciphers on;

        root /var/www/html;

        # Add index.php to the list if you are using PHP
        index index.html index.htm index.nginx-debian.html;

        server_name _;

        location / {
                # First attempt to serve request as file, then
                # as directory, then fall back to displaying a 404.
                try_files $uri $uri/ =404;
        }

# nginx connection counters, readable from IPv4 loopback only. "deny all"
# also rejects the IPv6 loopback (::1), which is not in the allow list.
location /stub_status {
        stub_status on;
        access_log off;
        allow 127.0.0.1;
        deny all;
}


# Status pages
# Same stub_status settings and loopback-only ACL as /stub_status above.
location /nginx_status {
  stub_status on;
  access_log off;
  allow 127.0.0.1;
  deny all;
}

# phpfpm pool monitoring
# The regex is anchored only at the start, so any URI beginning with /status
# or /ping is handed to the "php7" upstream (defined outside this file).
# NOTE(review): the only access restriction here comes from common/acl.conf,
# which is not shown; confirm it limits these endpoints to trusted clients.
location ~ ^/(status|ping) {
  include fastcgi_params;
  fastcgi_pass php7;
  include common/acl.conf;
}



        # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
        #
        #location ~ \.php$ {
        #       include snippets/fastcgi-php.conf;
        #
        #       # With php5-cgi alone:
        #       fastcgi_pass 127.0.0.1:9000;
        #       # With php5-fpm:
        #       fastcgi_pass unix:/var/run/php5-fpm.sock;
        #}

        # deny access to .htaccess files, if Apache's document root
        # concurs with nginx's one
        #
        #location ~ /\.ht {
        #       deny all;
        #}
}


# Virtual Host configuration for example.com
#
# You can move that to a different file under sites-available/ and symlink that
# to sites-enabled/ to enable it.
#
#server {
#       listen 80;
#       listen [::]:80;
#
#       server_name example.com;
#
#       root /var/www/example.com;
#       index index.html;
#
#       location / {
#               try_files $uri $uri/ =404;
#       }
#}
root@101:~#

root@101:~# grep -Ei 'listen|cipher' /etc/nginx/sites-enabled/*
/etc/nginx/sites-enabled/22222: listen 22222 default_server ssl http2;
/etc/nginx/sites-enabled/default: listen 80 default_server;
/etc/nginx/sites-enabled/default: listen [::]:80 default_server;
/etc/nginx/sites-enabled/default: # listen 443 ssl default_server;
/etc/nginx/sites-enabled/default: # listen [::]:443 ssl default_server;
/etc/nginx/sites-enabled/default: # ssl_ciphers HIGH:!aNULL:!MD5;
/etc/nginx/sites-enabled/default: # ssl_prefer_server_ciphers on;
/etc/nginx/sites-enabled/default: # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
/etc/nginx/sites-enabled/default:# listen 80;
/etc/nginx/sites-enabled/default:# listen [::]:80;
/etc/nginx/sites-enabled/lovcour.com: # listen 80 default_server;
root@101:~#

Please show:
cat /etc/nginx/sites-available/lovcour.com

root@101:~# cat /etc/nginx/sites-available/lovcour.com

# Virtual host for lovcour.com and its subdomains. This file contains no
# active listen directive of its own; any listener (including 443) has to
# come from one of the include lines further down.
server {

    # Uncomment the following line for domain mapping
    # listen 80 default_server;

    server_name lovcour.com www.lovcour.com  *.lovcour.com;

    # Uncomment the following line for domain mapping
    #server_name_in_redirect off;

    # "rt_cache_redis" is a named log format defined outside this file.
    access_log /var/log/nginx/lovcour.com.access.log rt_cache_redis; 
    error_log /var/log/nginx/lovcour.com.error.log;


    root /var/www/lovcour.com/htdocs;
    
    

    index index.php index.html index.htm;

    # Added Later


# Flag shop/account URIs so they bypass the cache. The match is
# case-insensitive and unanchored, so it hits these strings anywhere in the
# request URI. $skip_cache is presumably read by the included cache config.
if ($request_uri ~* "/store.*|/cart.*|/my-account.*|/checkout.*|/addons.*") {
         set $skip_cache 1;
}

    # Static assets by extension: no access logging, no "file not found"
    # error-log entries, and the maximum Expires lifetime.
    location ~* ^.+\.(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|rss|atom|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$ {
                access_log off; log_not_found off; expires max;
    }

    # End of Added Later

    #Added Later redis to redisphp72
  
    include common/redis-php72.conf;     
    include common/wpcommon-php72.conf;
    include common/locations-php72.conf;
    # Per-site snippets; this is where the 443 listener (ssl.conf) is pulled in.
    # NOTE(review): the `ls -l` output in this thread shows ssl.conf in this
    # directory owned by www-data. Files that nginx loads as configuration are
    # safer owned by root and not writable by the web/PHP user, so that an
    # application compromise cannot change server config on the next reload.
    include /var/www/lovcour.com/conf/nginx/*.conf;

  # Send the bare path to the trailing-slash form handled below.
  location /netdata {
        return 301 /netdata/;
   }

   # Reverse proxy to the "netdata" upstream (defined outside this file); the
   # part after /netdata/ is captured as $ndpath and forwarded with the query
   # string. The regex has no ^ anchor, so it matches any URI containing
   # "/netdata/".
   # NOTE(review): access control depends entirely on common/acl.conf, which
   # is not shown; confirm it restricts who can reach the dashboard.
   location ~ /netdata/(?<ndpath>.*) {
        include common/acl.conf;
        proxy_redirect off;
        proxy_set_header Host $host;

        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        # Appends the client address to any X-Forwarded-For sent by the client.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_http_version 1.1;
        proxy_pass_request_headers on;
        proxy_set_header Connection "keep-alive";
        proxy_store off;
        proxy_pass http://netdata/$ndpath$is_args$args;

        # Compress proxied responses of every MIME type.
        gzip on;
        gzip_proxied any;
        gzip_types *;
    }

}
root@101:~#

There is no listen directive for port 443 in this file.

Please show:
ls -l /var/www/lovcour.com/conf/nginx/*.conf


root@101:~# ls -l /var/www/lovcour.com/conf/nginx/*.conf
-rwxr-xr-x 1 www-data www-data 247 May 17 2018 /var/www/lovcour.com/conf/nginx/ssl.conf
root@101:~#

Please show:
cat /var/www/lovcour.com/conf/nginx/ssl.conf

root@101:~# cat /var/www/lovcour.com/conf/nginx/ssl.conf
# TLS listener snippet for lovcour.com (IPv4 and IPv6, HTTP/2). It sets no
# ssl_protocols or ssl_ciphers; the grep output in this thread shows those
# only in /etc/nginx/nginx.conf.
listen 443 ssl http2;
listen [::]:443 ssl http2;
# NOTE(review): redundant with the "ssl" parameter on the listen lines above;
# the standalone "ssl" directive is deprecated in newer nginx releases.
ssl on;
# Certificate chain and private key under /etc/nginx/acme.sh/.
ssl_certificate /etc/nginx/acme.sh/lovcour.com/fullchain.pem;
ssl_certificate_key     /etc/nginx/acme.sh/lovcour.com/key.pem;
ssl_trusted_certificate /etc/nginx/acme.sh/lovcour.com/cert.pem;
root@101:~#

That seems OK…
But where are the ciphers?

Please show:
grep -Eri 'cipher' /etc/nginx/
grep -Eri 'cipher' /var/www/


root@101:~# grep -Eri 'cipher' /etc/nginx/
/etc/nginx/nginx.conf.default: # ssl_ciphers HIGH:!aNULL:!MD5;
/etc/nginx/nginx.conf.default: # ssl_prefer_server_ciphers on;
/etc/nginx/sites-available/default: # ssl_ciphers HIGH:!aNULL:!MD5;
/etc/nginx/sites-available/default: # ssl_prefer_server_ciphers on;
/etc/nginx/nginx.conf: ssl_ciphers 'TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
/etc/nginx/nginx.conf: ssl_prefer_server_ciphers on;
root@101:~#
root@101:~#
root@101:~#
root@101:~#
root@101:~#
root@101:~#
root@101:~#
root@101:~#

TLS13-CHACHA20-POLY1305-SHA256
TLS13-AES-256-GCM-SHA384
TLS13-AES-128-GCM-SHA256

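These three TLS 1.3 cipher suites require a compatible SSL library, i.e. one built with TLS 1.3 support. (nginx may be linked against a different OpenSSL than the `openssl` command reports; `nginx -V` prints the one it was built with.)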
Please show:
openssl version

Also, I don't see where the protocol is specified…
Please show:
grep -Eri 'protocol' /etc/nginx/
grep -Eri 'protocol' /var/www/


But there are so many messages:

ies imap_client_buffer index ip_hash keepalive_requests keepalive_timeout kqueue_changes kqueue_events large_client_header_buffers limit_conn limit_conn_log_level limit_rate limit_rate_after limit_req limit_req_log_level limit_req_zone limit_zone lingering_time lingering_timeout lock_file log_format log_not_found log_subrequest map_hash_bucket_size map_hash_max_size master_process memcached_bind memcached_buffer_size memcached_connect_timeout memcached_next_upstream memcached_read_timeout memcached_send_timeout memcached_upstream_fail_timeout memcached_upstream_max_fails merge_slashes min_delete_depth modern_browser modern_browser_value msie_padding msie_refresh multi_accept open_file_cache open_file_cache_errors open_file_cache_events open_file_cache_min_uses open_file_cache_valid open_log_file_cache output_buffers override_charset perl perl_modules perl_require perl_set pid pop3_auth pop3_capabilities port_in_redirect postpone_gzipping postpone_output protocol proxy proxy_bind proxy_buffer proxy_buffer_size proxy_buffering proxy_buffers proxy_busy_buffers_size proxy_cache proxy_cache_key proxy_cache_methods proxy_cache_min_uses proxy_cache_path proxy_cache_use_stale proxy_cache_valid proxy_connect_timeout proxy_headers_hash_bucket_size proxy_headers_hash_max_size proxy_hide_header proxy_ignore_client_abort proxy_ignore_headers proxy_intercept_errors proxy_max_temp_file_size proxy_method proxy_next_upstream proxy_pass_error_message proxy_pass_header proxy_pass_request_body proxy_pass_request_headers proxy_read_timeout proxy_redirect proxy_send_lowat proxy_send_timeout proxy_set_body proxy_set_header proxy_ssl_session_reuse proxy_store proxy_store_access proxy_temp_file_write_size proxy_temp_path proxy_timeout proxy_upstream_fail_timeout proxy_upstream_max_fails random_index read_ahead real_ip_header recursive_error_pages request_pool_size reset_timedout_connection resolver resolver_timeout rewrite_log rtsig_overflow_events rtsig_overflow_test 
rtsig_overflow_threshold rtsig_signo satisfy secure_link_secret send_lowat send_timeout sendfile sendfile_max_chunk server_name_in_redirect server_names_hash_bucket_size server_names_hash_max_size server_tokens set_real_ip_from smtp_auth smtp_capabilities smtp_client_buffer smtp_greeting_delay so_keepalive source_charset ssi ssi_ignore_recycled_buffers ssi_min_file_chunk ssi_silent_errors ssi_types ssi_value_length ssl ssl_certificate ssl_certificate_key ssl_ciphers ssl_client_certificate ssl_crl ssl_dhparam ssl_engine ssl_prefer_server_ciphers ssl_protocols ssl_session_cache ssl_session_timeout ssl_verify_client ssl_verify_depth starttls stub_status sub_filter sub_filter_once sub_filter_types tcp_nodelay tcp_nopush thread_stack_size timeout timer_resolution types_hash_bucket_size types_hash_max_size underscores_in_headers uninitialized_variable_warn use user userid userid_domain userid_expires userid_mark userid_name userid_p3p userid_path userid_service valid_referers variables_hash_bucket_size variables_hash_max_size worker_connections worker_cpu_affinity worker_priority worker_processes worker_rlimit_core worker_rlimit_nofile worker_rlimit_sigpending worker_threads working_directory xclient xml_entities xslt_stylesheet xslt_typesdrew@li229-23"

root@101:~# grep -Eri 'protocol' /etc/nginx/
/etc/nginx/fastcgi.conf.default:fastcgi_param SERVER_PROTOCOL $server_protocol;
/etc/nginx/scgi_params:scgi_param SERVER_PROTOCOL $server_protocol;
/etc/nginx/fastcgi_params.default:fastcgi_param SERVER_PROTOCOL $server_protocol;
/etc/nginx/fastcgi_params:fastcgi_param SERVER_PROTOCOL $server_protocol;
/etc/nginx/uwsgi_params:uwsgi_param SERVER_PROTOCOL $server_protocol;
/etc/nginx/sites-available/default: # ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # don't use SSLv3 ref: POODLE
/etc/nginx/uwsgi_params.default:uwsgi_param SERVER_PROTOCOL $server_protocol;
/etc/nginx/nginx.conf: ssl_protocols TLSv1.2 TLSv1.3;
/etc/nginx/nginx.conf:# protocol pop3;
/etc/nginx/nginx.conf:# protocol imap;
/etc/nginx/fastcgi.conf:fastcgi_param SERVER_PROTOCOL $server_protocol;
/etc/nginx/scgi_params.default:scgi_param SERVER_PROTOCOL $server_protocol;
root@101:~#
root@101:~#

Sorry, try:
openssl version
grep -Eri 'ssl_cipher' /etc/nginx/
grep -Eri 'ssl_cipher' /var/www/

[And delete the really long posts]


root@101:~# openssl version
OpenSSL 1.1.0h 27 Mar 2018
root@101:~#