Need help with nginx config (I think)

geekstrada · October 20, 2016, 4:59am

I’m using Debian 8.6 with Nginx 1.6.2, and my domain is reinsmidt.com

I think I have my nginx config correct but I am not able to connect through https. I do have port 443 open in my firewall.

Here are the relevant parts from my nginx config:

server {
    listen 443 ssl;
    listen 80;

    server_name reinsmidt.com;

    ssl on;
    ssl_certificate     /etc/letsencrypt/live/reinsmidt.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/reinsmidt.com/privkey.pem;
    ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers         HIGH:!aNULL:!MD5;

    location ~ /.well-known {
            allow all;
    }
}

I looked at my site using openssl and here are the results:

openssl s_client -connect reinsmidt.com:443 -servername reinsmidt.com
CONNECTED(00000003)
3073996476:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 311 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1476939349
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

Any help would be greatly appreciated!

pfg · October 20, 2016, 6:15am

I don’t think you need the ssl on; directive when using the ssl parameter with the listen directive. Not sure if that’s causing the issue, but might be worth checking out.

Do you see anything interesting in your nginx log files? If there’s nothing there, and the config change doesn’t lead anywhere, it might be worth running tcpdump port 443 while trying to connect via HTTPS to see if that traffic is even reaching your server.

Osiris · October 20, 2016, 9:31am

Your nginx listens to port 443, but without SSL.(You can telnet to port 443 and ask with normal HTTP for the HTML ) As @pfg said, ssl on is probably not needed.

When I look at a nginx documentation page http://nginx.org/en/docs/http/configuring_https_servers.html it seems listen 443 ssl is enough.

mnordhoff · October 20, 2016, 9:35am

“ssl on;” should be making port 80 and port 443 use HTTPS…

I wonder if there’s a different (default) vhost with different settings.

geekstrada · October 21, 2016, 3:11am

You nailed the problem on the head. I have a default config that only listens on port 80. I had just assumed that the default config just grabbed anything going to my server’s IP that wasn’t one of my virtual hosts. That’s what I get for assuming.

Thanks for the heads up. You saved me a headache!

Also, just wanted to throw out there that I appreciate all of the fast replies from multiple people.

system · November 20, 2016, 3:16am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.