How do I troubleshoot The TLS connection was non-properly terminated

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: https://www.open-plant.com

I ran this command: curl -l https://www.open-plant.com

It produced this output: curl: (35) gnutls_handshake() failed: The TLS connection was non-properly terminated.

My web server is (include version): nginx/1.10.3 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 16.04.7 LTS

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 0.31.0


The first place I'd look is in the nginx logs. If those don't tell you much, you should increase the verbosity until the logs tell you something useful.


Hi @azrinsani and welcome to the LE community forum :slight_smile:

Is this the first secure vhost running on this server?
In any case, we should have a look at the full nginx config, with:
nginx -T


Hi, thank you for the fast reply. Here is attached the output of my Nginx -T command. Never knew about this command. It's a very long file!

Btw none of my websites are working at the moment.


This is the output I get from command 'cat /var/log/nginx/error.log' after trying to open https://www.open-plant.com

2022/01/16 08:16:53 [error] 30879#30879: *846 no "ssl_certificate" is defined in server listening on SSL port while SSL handshaking, client: 220.158.189.181, server: 0.0.0.0:443
2022/01/16 08:16:53 [error] 30879#30879: *847 no "ssl_certificate" is defined in server listening on SSL port while SSL handshaking, client: 220.158.189.181, server: 0.0.0.0:443
2022/01/16 08:16:55 [error] 30879#30879: *848 no "ssl_certificate" is defined in server listening on SSL port while SSL handshaking, client: 220.158.189.181, server: 0.0.0.0:443
2022/01/16 08:16:55 [error] 30879#30879: *849 no "ssl_certificate" is defined in server listening on SSL port while SSL handshaking, client: 220.158.189.181, server: 0.0.0.0:443

Why would you do this?:

    # include /etc/nginx/sites-enabled/*.conf;
    include /etc/nginx/sites-available/*.conf;

What do you mean? The main config file is
/etc/nginx/sites-available/default.conf

this is where everything goes.


Then you are entirely missing the value of the /sites-enabled/ folder.


I'd make this a bit more standard:

        listen 80;listen [::]:80;

Like:

        listen 80;
        listen [::]:80;

[not very likely to fix anything - but easier on the eye]


Try changing:

        listen [::]:443 ssl ipv6only=on; # managed by Certbot
        listen 443 ssl; # managed by Certbot

To:

        listen 443 ssl; # managed by Certbot

Thanks for the suggestions, but I tried both suggestions and neither of them seems to work. It still says (in nginx logs)

2022/01/16 14:04:12 [error] 1557#1557: *14 no "ssl_certificate" is defined in server listening on SSL port while SSL handshaking, client: 220.158.189.181, server: 0.0.0.0:443

when I try browsing the website. Weird, it's saying no SSL certificate, but my SSL certs are all valid

Certificate Name: open-plant.com
Domains: open-plant.com
Expiry Date: 2022-03-23 15:02:26+00:00 (VALID: 66 days)
Certificate Path: /etc/letsencrypt/live/open-plant.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/open-plant.com/privkey.pem


Thanks for the suggestions, but none of them worked. I am still seeing the same error when browsing my website (nginx logs)

2022/01/16 14:04:12 [error] 1557#1557: *14 no "ssl_certificate" is defined in server listening on SSL port while SSL handshaking, client: 220.158.189.181, server: 0.0.0.0:443

This problem is happening to all my websites, therefore it must be something related to a global setting.


The only strange thing I can find is that there's only a server_name www.open-plant.com which is missing the hostname open-plant.com (i.e.: without www).

But if that's going to fix your nginx, I'm not sure.

Also, I've never seen that error message before. Usually, a webserver refuses to start if it can't find the certificate at start up.. So why is it only complaining when connecting? I dunno..


Thank you all for the help. I found the culprit. It was actually due to two similar "include" statements found in the various conf files. Particularly it was the '/etc/nginx/sites-available/default.conf' file and the '/etc/nginx/sites-enabled/00-default.conf' file.

Nginx is so convoluted!

It was nothing to do with Let's Encrypt. But thank you very much for all the help, it definitely pointed me in the right direction.

I wish I could buy you guys a coffee or two :grin:


As Rudy already somewhat hinted at, but did not explicitly say:

The sites-available is a directory where AVAILABLE configuration files are placed. Usually, one would ENABLE some (or all, if required) of those configuration files by symbolically linking files from the sites-available to the sites-enabled directory. And in the main nginx configuration, one would only include the sites-enabled directory. That way, by aid of the symbolic links, one can choose which configuration file one does and doesn't want to have enabled.

Including the entire sites-available directory is not how the nginx directory structure is supposed to work.

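One way to check an `nginx -T` dump for the two things this thread turned on, an include that pulls in sites-available and a server block that listens with `ssl` but has no `ssl_certificate`. This is an added example, not code from any poster in the thread: the sample dump, `old-site.conf` and the function name `audit` are constructed for illustration, and it assumes no certificate is inherited from the http level and that quoted values contain no `#`, `;` or braces.

```python
import re

# Constructed `nginx -T` output for illustration; not the poster's real config.
SAMPLE = """\
# configuration file /etc/nginx/nginx.conf:
http {
    # include /etc/nginx/sites-enabled/*.conf;
    include /etc/nginx/sites-available/*.conf;
}
# configuration file /etc/nginx/sites-available/default.conf:
server {
    listen 80;listen [::]:80;
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
}
# configuration file /etc/nginx/sites-available/old-site.conf:
server {
    listen 443 ssl;
    server_name old.example.com;
}
"""
HEADER = re.compile(r"# configuration file (.+):$")

def audit(dump):
    """Report includes of sites-available and TLS servers with no certificate."""
    found = {"available_includes": [], "tls_no_cert": []}
    path, stack, buf = None, [], ""
    for line in dump.splitlines():
        hdr = HEADER.match(line.strip())
        if hdr:                                   # nginx -T starts a new file here
            path, stack, buf = hdr.group(1), [], ""
            continue
        for part in re.split(r"([;{}])", line.split("#", 1)[0]):  # drop comments
            if part == "{":                       # block opens; buf holds its name
                stack.append({"name": (buf.split() or [""])[0], "ssl": False, "cert": False})
            elif part == "}" and stack:           # block closes; judge server blocks
                blk = stack.pop()
                if blk["name"] == "server" and blk["ssl"] and not blk["cert"]:
                    found["tls_no_cert"].append(path)
            elif part == ";" and buf.split():     # one complete directive
                words = buf.split()
                if words[0] == "include" and "/sites-available/" in words[1]:
                    found["available_includes"].append((path, words[1]))
                for blk in stack:
                    if blk["name"] == "server":
                        blk["ssl"] |= words[0] == "listen" and "ssl" in words[2:]
                        blk["cert"] |= words[0] == "ssl_certificate"
            buf = "" if part in ("{", "}", ";") else buf + " " + part
    return found
```

On a live server the input would be the text printed by `nginx -T`, passed to `audit()` as a string.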
