Need help with nginx config (I think)

I’m using Debian 8.6 with Nginx 1.6.2, and my domain is

I think I have my nginx config correct but I am not able to connect through https. I do have port 443 open in my firewall.

Here are the relevant parts from my nginx config:

server {
    listen 443 ssl;
    listen 80;

    ssl on;
    ssl_certificate     /etc/letsencrypt/live/;
    ssl_certificate_key /etc/letsencrypt/live/;
    ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers         HIGH:!aNULL:!MD5;

    location ~ /.well-known {
            allow all;
    }
}

I looked at my site using openssl and here are the results:

openssl s_client -connect -servername
3073996476:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
no peer certificate available
No client certificate CA names sent
SSL handshake has read 0 bytes and written 311 bytes
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
    Protocol  : TLSv1.2
    Cipher    : 0000
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1476939349
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)

Any help would be greatly appreciated!

I don’t think you need the ssl on; directive when using the ssl parameter with the listen directive. Not sure if that’s causing the issue, but might be worth checking out.

Do you see anything interesting in your nginx log files? If there’s nothing there, and the config change doesn’t lead anywhere, it might be worth running tcpdump port 443 while trying to connect via HTTPS to see if that traffic is even reaching your server.

Your nginx listens to port 443, but without SSL. (You can telnet to port 443 and ask with normal HTTP for the HTML.) As @pfg said, ssl on is probably not needed.

When I look at a nginx documentation page it seems listen 443 ssl is enough.

“ssl on;” should be making port 80 and port 443 use HTTPS…

I wonder if there’s a different (default) vhost with different settings.

You nailed the problem on the head. I have a default config that only listens on port 80. I had just assumed that the default config just grabbed anything going to my server’s IP that wasn’t one of my virtual hosts. That’s what I get for assuming.

Thanks for the heads up. You saved me a headache!

Also, just wanted to throw out there that I appreciate all of the fast replies from multiple people.
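The thread's diagnosis (a listener on 443 that does not speak TLS, a default server that only listens on 80, and ssl on forcing TLS onto every socket of a server block) can be checked against a config dump before touching openssl. The following is an added example, not code from the original thread: it walks a nginx config text (a constructed sample with placeholder names, in practice the output of nginx -T) and reports, per server block, which ports speak TLS and what would break.

```python
import re
# Constructed sample config (not the poster's real file): a distro default server on :80 only,
# next to a vhost like the one quoted in the thread (certificate lines omitted).
SAMPLE_CONFIG = """
server {
    listen 80 default_server;
    server_name _;
}
server {
    listen 443 ssl;
    listen 80;
    server_name example.invalid;
    ssl on;
}
"""
def split_server_blocks(text):
    """Return each top-level server { ... } block as text, tracking brace depth."""
    blocks, depth, buf = [], 0, None
    for raw in text.splitlines():
        line = raw.strip()
        if depth == 0 and re.match(r"server\s*\{", line):
            buf = []                                # a new top-level server block starts
        if buf is not None:
            buf.append(line)
        depth += line.count("{") - line.count("}")
        if buf is not None and depth == 0:          # block closed: store it
            blocks.append("\n".join(buf))
            buf = None
    return blocks
def audit_block(block):
    """Return (server_name, {port: is_tls}, findings) for one server block."""
    name = re.search(r"^server_name\s+([^;]+);", block, re.M)
    ssl_on = re.search(r"^ssl\s+on\s*;", block, re.M) is not None
    ports, findings = {}, []
    for spec in re.findall(r"^listen\s+([^;]+);", block, re.M):
        parts = spec.split()
        port = parts[0].rsplit(":", 1)[-1]          # handles "443", "*:443", "[::]:443"
        tls = "ssl" in parts[1:] or ssl_on          # ssl on makes EVERY socket of the block TLS
        ports[port] = tls
        if port == "443" and not tls:
            findings.append("port 443 serves plain HTTP: TLS handshake will fail")
        if ssl_on and port != "443" and "ssl" not in parts[1:]:
            findings.append(f"ssl on forces TLS on port {port} too; plain HTTP there breaks")
    return (name.group(1).strip() if name else "(none)", ports, findings)
def audit_config(text):
    """Audit every block; also flag a config where nothing on :443 speaks TLS."""
    report = [audit_block(b) for b in split_server_blocks(text)]
    if not any(p.get("443") for _, p, _ in report):
        report.append(("(global)", {}, ["no server block has a TLS listener on 443"]))
    return report
```

Run it against `nginx -T` output on the host to see every enabled server block, including the distro default that is easy to forget about.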
