Letsencrypt with Phusion Passenger (Nginx) not working

DaniG2k · January 14, 2016, 11:09am

I’m trying to get Letsencrypt to work with Phusion Passenger (Nginx) on an Ubuntu 15.10 server.

Steps I’ve taken:

sudo git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
sudo service nginx stop
cd /opt/letsencrypt
./letsencrypt-auto certonly --standalone -d example.com -d www.example.com

this created cert, chain, fullchain, and privkey pem files.
I then edited my /etc/nginx/sites-available/example.conf with the following:

server {
  listen 80;
  server_name example.com www.example.com;
  return 301 https://$host$request_uri;
}

server {
  listen 443 ssl;
  server_name www.example.com;
  return 301 $scheme://example.com$request_uri;
}

server {
  listen                443     ssl;
  server_name           example.com;
  root  /home/myuser/example/public;
  passenger_enabled     on;

  ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  ssl_prefer_server_ciphers on;
  ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
  # File upload size:
  client_max_body_size  7M;

  location ~ ^/(assets)/ {
    expires max;
    add_header Cache-Control public;
    gzip_static on;
  }
  error_page   500 502 503 504  /50x.html;
  location = /50x.html {
    root   html;
  }
}

I then restarted nginx. When I now run curl -iv https://example.com I am getting the following response:

* Rebuilt URL to: https://example.com/
*   Trying xxx.xx.xx.xx...
* Connected to example.com (xxx.xx.xx.xx) port 443 (#0)
* Server aborted the SSL handshake
* Closing connection 0
curl: (35) Server aborted the SSL handshake

Ports 80 and 443 are open:

tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN

Am I doing something incorrectly here? I’ve basically made my server inaccessible now. Any help much appreciated. I am using Passenger version 5.0.23 if it helps.

Thanks in advance

pfg · January 14, 2016, 11:27am

Other than the ssl_* directives being missing from the www.example.com server block (which shouldn’t be relevant since you’re curl-ing https://example.com), I don’t see any obvious mistakes in your configuration.

I’d suggest using the openssl binary to open a TLS connection to your server; this usually reveals more detailed error messages:

openssl s_client -connect example.com:443

DaniG2k · January 14, 2016, 11:29am

Thanks for your prompt response

That command returns the following message:

CONNECTED(00000003)
5538:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:/BuildRoot/Library/Caches/com.apple.xbs/Sources/OpenSSL098/OpenSSL098-59/src/ssl/s23_lib.c:185:

pfg · January 14, 2016, 11:40am

Okay, that’s quite generic as well.

Is there anything in your nginx error log?

Could you try a more backwards-compatible cipher list for ssl_ciphers? i.e.:

 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';

DaniG2k · January 14, 2016, 11:43am

Same thing

$ openssl s_client -connect example.com:443
CONNECTED(00000003)
5924:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:/BuildRoot/Library/Caches/com.apple.xbs/Sources/OpenSSL098/OpenSSL098-59/src/ssl/s23_lib.c:185:

and curling still returns

* Rebuilt URL to: https://example.com/
*   Trying xxx.xx.xx.xx...
* Connected to example.com (xxx.xx.xx.xx) port 443 (#0)
* Server aborted the SSL handshake
* Closing connection 0
curl: (35) Server aborted the SSL handshake

sahsanu · January 14, 2016, 12:27pm

Hello @DaniG2k,

1.- Is it working if you disable passenger?.

2.- What is your openssl version?
openssl version

3.- Check if one of the following commands works:

openssl s_client -connect example.com:443 -servername example.com
openssl s_client -tls1 -connect example.com:443
openssl s_client -tls1 -connect example.com:443 -servername example.com
openssl s_client -tls1_1 -connect example.com:443
openssl s_client -tls1_1 -connect example.com:443 -servername example.com
openssl s_client -tls1_2 -connect example.com:443
openssl s_client -tls1_2 -connect example.com:443 -servername example.com

Edit: Just for testing purpouses, add SSLv3 to ssl_protocols:

ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;

Restart nginx and try again:

openssl s_client -connect example.com:443
openssl s_client -connect example.com:443 -servername example.com

Cheers,
sahsanu