DaniG2k
January 14, 2016, 11:09am
1
I’m trying to get Letsencrypt to work with Phusion Passenger (Nginx) on an Ubuntu 15.10 server.
Steps I’ve taken:
sudo git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
sudo service nginx stop
cd /opt/letsencrypt
./letsencrypt-auto certonly --standalone -d example.com -d www.example.com
this created cert, chain, fullchain, and privkey pem files.
I then edited my /etc/nginx/sites-available/example.conf with the following:
server {
    listen 80;
    server_name example.com www.example.com;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    server_name www.example.com;
    return 301 $scheme://example.com$request_uri;
}
server {
    listen 443 ssl;
    server_name example.com;
    root /home/myuser/example/public;
    passenger_enabled on;
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
    # File upload size:
    client_max_body_size 7M;
    location ~ ^/(assets)/ {
        expires max;
        add_header Cache-Control public;
        gzip_static on;
    }
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root html;
    }
}
I then restarted nginx. When I now run curl -iv https://example.com I am getting the following response:
* Rebuilt URL to: https://example.com/
* Trying xxx.xx.xx.xx...
* Connected to example.com (xxx.xx.xx.xx) port 443 (#0)
* Server aborted the SSL handshake
* Closing connection 0
curl: (35) Server aborted the SSL handshake
Ports 80 and 443 are open:
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN
Am I doing something incorrectly here? I’ve basically made my server inaccessible now. Any help much appreciated. I am using Passenger version 5.0.23 if it helps.
Thanks in advance
pfg
January 14, 2016, 11:27am
2
Other than the ssl_* directives being missing from the www.example.com server block (which shouldn’t be relevant since you’re curl-ing https://example.com), I don’t see any obvious mistakes in your configuration.
I’d suggest using the openssl binary to open a TLS connection to your server; this usually reveals more detailed error messages:
openssl s_client -connect example.com:443
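A way to catch by machine what pfg spotted by eye, as an added example that is not code from this thread or from the nginx project: a small Python linter that parses the server blocks and reports any block whose listen directive carries ssl but that resolves no ssl_certificate / ssl_certificate_key (honouring inheritance from an enclosing http block, as nginx does), and any block that still lists SSLv2/SSLv3 in ssl_protocols. SAMPLE_CONF is a constructed copy of the config posted above; tokenize, parse and lint are names chosen here, and the parser is a minimal one, not nginx's own.

```python
"""Lint an nginx config for TLS server blocks without certificate directives.
Example added here; not from the thread or the nginx project."""
import re

# Constructed copy of the sites-available file posted in the thread.
SAMPLE_CONF = """
server {
    listen 80;
    server_name example.com www.example.com;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    server_name www.example.com;
    return 301 $scheme://example.com$request_uri;
}
server {
    listen 443 ssl;
    server_name example.com;
    root /home/myuser/example/public;
    passenger_enabled on;
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
    # File upload size:
    client_max_body_size 7M;
    location ~ ^/(assets)/ { expires max; add_header Cache-Control public; gzip_static on; }
    error_page 500 502 503 504 /50x.html;
    location = /50x.html { root html; }
}
"""


def tokenize(text):
    """Split nginx config text into tokens: quoted strings, braces, semicolons
    and bare words. Comments run to end of line (a '#' inside a quoted value
    is not handled by this minimal tokenizer)."""
    text = re.sub(r"#[^\n]*", "", text)
    return re.findall(r"'[^']*'|\"[^\"]*\"|[{};]|[^\s{};'\"]+", text)


def parse(tokens, i=0):
    """Recursive-descent parse into (name, args, children) triples.
    children is None for a simple directive and a list for a block."""
    directives, args = [], []
    while i < len(tokens):
        tok = tokens[i]
        i += 1
        if tok == ";":
            if args:
                directives.append((args[0], args[1:], None))
            args = []
        elif tok == "{":
            children, i = parse(tokens, i)
            directives.append((args[0], args[1:], children))
            args = []
        elif tok == "}":
            return directives, i
        else:
            args.append(tok.strip("'\""))
    return directives, i


def lint(text):
    """Return findings for every server block that listens with 'ssl' but
    resolves no ssl_certificate / ssl_certificate_key, and for any TLS block
    that still enables SSLv2 or SSLv3."""
    tree, _ = parse(tokenize(text))
    findings = []

    def walk(directives, inherited):
        for name, args, children in directives:
            if children is None:
                continue
            # Simple directives in this block override what the parent set;
            # this mirrors nginx inheriting ssl_* from http {} into server {}.
            scope = dict(inherited)
            for n, a, c in children:
                if c is None:
                    scope[n] = a
            if name == "server":
                label = "server " + " ".join(scope.get("server_name", ["<no server_name>"]))
                listens = [a for n, a, c in children if n == "listen"]
                if any("ssl" in a for a in listens):
                    for req in ("ssl_certificate", "ssl_certificate_key"):
                        if req not in scope:
                            findings.append(f"{label}: 'listen ... ssl' but no {req}")
                    for old in ("SSLv2", "SSLv3"):
                        if old in scope.get("ssl_protocols", []):
                            findings.append(f"{label}: {old} enabled in ssl_protocols")
            walk(children, scope)

    walk(tree, {})
    return findings


if __name__ == "__main__":
    for line in lint(SAMPLE_CONF) or ["no findings"]:
        print(line)
```

Run against the posted config it reports the www.example.com block twice (no ssl_certificate, no ssl_certificate_key) and nothing else. The reason this matters beyond tidiness: a client that sends no SNI is routed to the default server block for the port, so a TLS block without a usable certificate can break handshakes for clients that never asked for that name. nginx -t remains the authoritative syntax check; this script only adds the two TLS-specific questions.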
DaniG2k
January 14, 2016, 11:29am
3
Thanks for your prompt response
That command returns the following message:
CONNECTED(00000003)
5538:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:/BuildRoot/Library/Caches/com.apple.xbs/Sources/OpenSSL098/OpenSSL098-59/src/ssl/s23_lib.c:185:
pfg
January 14, 2016, 11:40am
4
Okay, that’s quite generic as well.
Is there anything in your nginx error log?
Could you try a more backwards-compatible cipher list for ssl_ciphers? i.e.:
'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
DaniG2k
January 14, 2016, 11:43am
5
Same thing
$ openssl s_client -connect example.com:443
CONNECTED(00000003)
5924:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:/BuildRoot/Library/Caches/com.apple.xbs/Sources/OpenSSL098/OpenSSL098-59/src/ssl/s23_lib.c:185:
and curling still returns
* Rebuilt URL to: https://example.com/
* Trying xxx.xx.xx.xx...
* Connected to example.com (xxx.xx.xx.xx) port 443 (#0)
* Server aborted the SSL handshake
* Closing connection 0
curl: (35) Server aborted the SSL handshake
sahsanu
January 14, 2016, 12:27pm
6
Hello @DaniG2k ,
1.- Is it working if you disable passenger?
2.- What is your openssl version?
openssl version
3.- Check if one of the following commands works:
openssl s_client -connect example.com:443 -servername example.com
openssl s_client -tls1 -connect example.com:443
openssl s_client -tls1 -connect example.com:443 -servername example.com
openssl s_client -tls1_1 -connect example.com:443
openssl s_client -tls1_1 -connect example.com:443 -servername example.com
openssl s_client -tls1_2 -connect example.com:443
openssl s_client -tls1_2 -connect example.com:443 -servername example.com
Edit: Just for testing purposes, add SSLv3 to ssl_protocols:
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
Restart nginx and try again:
openssl s_client -connect example.com:443
openssl s_client -connect example.com:443 -servername example.com
Cheers,
sahsanu
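The version-by-version checks sahsanu lists can be scripted, as an added example that is not part of the thread: this Python script runs the same protocol x SNI matrix with the standard-library ssl module, classifies each outcome from the OpenSSL reason code, and reduces the matrix to one observation. classify_ssl_error, probe, probe_matrix and diagnose are names chosen here. Certificate verification is switched off deliberately so the result reflects only whether a handshake completes; it is a diagnostic to run against your own server, not a client to reuse elsewhere.

```python
"""Script the openssl s_client version/SNI matrix with Python's ssl module.
Example added here; not code from the thread."""
import socket
import ssl

# The versions the thread tests by hand; TLS 1.3 is left out to match it.
VERSIONS = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
}


def classify_ssl_error(err):
    """Coarse label for an ssl.SSLError. `reason` carries OpenSSL's reason
    code (e.g. SSLV3_ALERT_HANDSHAKE_FAILURE) when the error came from OpenSSL."""
    reason = (getattr(err, "reason", None) or "").upper()
    text = str(err).lower()
    if "HANDSHAKE_FAILURE" in reason or "handshake failure" in text:
        return ("server-rejected", "server sent a handshake_failure alert")
    if "PROTOCOL_VERSION" in reason or "protocol version" in text:
        return ("server-rejected", "server does not accept this protocol version")
    if "EOF" in reason or "eof" in text:
        return ("connection-dropped", "server closed the connection during the handshake")
    if "no protocols available" in text:
        return ("unsupported-locally", "local OpenSSL refuses to offer this version")
    return ("ssl-error", str(err))


def probe(host, port=443, version=ssl.TLSVersion.TLSv1_2, sni=True, timeout=5.0):
    """One handshake pinned to `version`, with SNI on or off.
    Verification is disabled on purpose: the question is whether the
    handshake completes at all, not whether the chain is trusted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
    except (ValueError, ssl.SSLError) as err:
        return ("unsupported-locally", str(err))
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host if sni else None) as tls:
                return ("ok", f"{tls.version()} {tls.cipher()[0]}")
    except ssl.SSLError as err:
        return classify_ssl_error(err)
    except OSError as err:  # refused, timed out, unreachable
        return ("connect-failed", str(err))


def probe_matrix(host, port=443):
    """Run every version with and without SNI; rows are
    (version, sni, label, detail), like the hand-typed s_client list."""
    rows = []
    for name, ver in VERSIONS.items():
        for sni in (False, True):
            label, detail = probe(host, port, ver, sni)
            rows.append((name, sni, label, detail))
    return rows


def diagnose(rows):
    """Reduce the matrix to the observation a defender acts on."""
    ok = [r for r in rows if r[2] == "ok"]
    if not ok:
        return ("no version/SNI combination completes a handshake: look at the "
                "listener's certificate, protocol and cipher settings and at the "
                "nginx error log, not at the client")
    if all(r[1] for r in ok):
        return ("handshake only completes with SNI: a client that sends no SNI "
                "lands on the default server block for that port, which needs a "
                "usable certificate of its own")
    return "handshake completes for: " + ", ".join(
        f"{r[0]}{' +SNI' if r[1] else ' no-SNI'}" for r in ok)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    matrix = probe_matrix(target)
    for version, sni, label, detail in matrix:
        print(f"{version:8} {'SNI   ' if sni else 'no-SNI'} {label:20} {detail}")
    print(diagnose(matrix))
```

The SNI-only outcome is the one worth knowing about in this thread's situation: the curl and openssl in the question run on OpenSSL 0.9.8, and s_client on that version sends no server name unless -servername is given, so the "no-SNI" column is exactly what those clients see. A server that answers only in the "+SNI" column is not broken for modern browsers, but it is for the tools being used to test it.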