[nginx] Assessment failed: No secure protocols supported

Help
1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: blog.salimhome.de

I ran this command: sudo certbot certonly --nginx

It produced this output: "Successful"

My web server is (include version): nginx 1.14.0 --> forwarding to a wordpress in another server

The operating system my web server runs on is (include version): Ubuntu 18.04

My hosting provider, if applicable, is: IONOS

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.31.0

I have a following setup:
pic.salimhome.de --> nginx running on a server in IONOS --> wordpress running on my home server

I tried to setup the letsencrypt on the nginx server. I followed the tutorial given here: https://certbot.eff.org/lets-encrypt/ubuntubionic-nginx
And it ran successfully.
My configuration for the nginx was updated as follow:

server {
server_name blog.salimhome.de;

location /wp {
    proxy_pass http://localhost:280/wp;
    proxy_set_header Host $host;
}

location = / {
    return 301 $scheme://$host/wp;
}

listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/blog.salimhome.de/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/blog.salimhome.de/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}
server {
if ($host = blog.salimhome.de) {
return 301 https://$host$request_uri;
} # managed by Certbot

listen 80;                                                                                                              
server_name blog.salimhome.de;                                                                                          
return 404; # managed by Certbot                                                                                                                                                                                                                                            }

Running the test in https://www.ssllabs.com/ssltest/analyze.html?d=blog.salimhome.de, I got the following error message:

Assessment failed: No secure protocols supported

Running the test in lets-debug, I got the following error message:

ANotWorking

Error

blog.salimhome.de has an A (IPv4) record (217.160.251.6) but a request to this address over port 80 did not succeed. Your web server must have at least one working IPv4 or IPv6 address.

Get "https://blog.salimhome.de/.well-known/acme-challenge/letsdebug-test": read tcp 172.104.24.29:33620->217.160.251.6:443: read: connection reset by peer

Trace:
0ms: Making a request to http://blog.salimhome.de/.well-known/acme-challenge/letsdebug-test (using initial IP 217.160.251.6)
0ms: Dialing 217.160.251.6
187ms: Server response: HTTP 301 Moved Permanently
187ms: Received redirect to https://blog.salimhome.de/.well-known/acme-challenge/letsdebug-test
187ms: Dialing 217.160.251.6
370ms: Experienced error: read tcp 172.104.24.29:33620->217.160.251.6:443: read: connection reset by peer

IssueFromLetsEncrypt

Error

A test authorization for blog.salimhome.de to the Let's Encrypt staging service has revealed issues that may prevent any certificate for this domain being issued.

Fetching https://blog.salimhome.de/.well-known/acme-challenge/Rfl9627RhMWpM8bZYsKhK2oT0kFwuKXs9ZgVaF_dD_k: Error getting validation data

Before this I got similar error message but with reason of: connection reset by peer.

Could anyone please help me solving this issue?

Thanks and best regards,
Heru

2

If I adapt the configuration on nginx a bit, that it is listening on port 80 additionally to 443 (see below), then let's debug said, "All OK!". But still SSLLab shows the same error.
And the server now listens to port 80 (HTTP), but the HTTPS still does not work.

server {
server_name blog.salimhome.de;

location /wp {
    proxy_pass http://localhost:280/wp;
    proxy_set_header Host $host;
}

location = / {
    return 301 $scheme://$host/wp;
}

listen 80; # added just now to listen HTTP
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/blog.salimhome.de/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/blog.salimhome.de/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}
server {
if ($host = blog.salimhome.de) {
return 301 https://$host$request_uri;
} # managed by Certbot

listen 80;                                                                                                              
server_name blog.salimhome.de;                                                                                          
return 404; # managed by Certbot

}

3

Hi @herusalim

that's always bad.

Create two different server blocks, one with port 80, one with port 443. Never mix two protocols in one server block.

4

Hi @JuergenAuer,

Ok, thanks for the info. I’ll remove it.
But then let’s debug complains as if https://blog.salimhome.de/.well-known/acme-challenge/Rfl9627RhMWpM8bZYsKhK2oT0kFwuKXs9ZgVaF_dD_k (port 80) is not reachable

I’ll try creating the second block

5

No, that's wrong. Your port 80 works, but sends a redirect to port 443, that port doesn't work.

So that may block creating a new certificate, but it's not a port 80 problem, it's the same not working port 443 problem.

6

Hmm, you are right. Now I understand the context a bit more.
Now I updated my configuration to the following>

server {
server_name blog.salimhome.de;

location /wp {
    proxy_pass http://localhost:280/wp;
    proxy_set_header Host $host;
}

location = / {
    return 301 $scheme://$host/wp;
}

listen 80;
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/blog.salimhome.de/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/blog.salimhome.de/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}

server {
server_name blog.salimhome.de;
listen 80;

location /wp {
    proxy_pass http://localhost:280/wp;
    proxy_set_header Host $host;
}

location = / {
    return 301 $scheme://$host/wp;
}

}

Now HTTP works, HTTPS still does not work (PR_END_OF_FILE_ERROR).
Let's Debug is still outputting

All OK!

OK

No issues were found with blog.salimhome.de. If you are having problems with creating an SSL certificate, please visit the Let's Encrypt Community forums and post a question there.

And SSL-Labs still reporting the same error message.

Assessment failed: No secure protocols supported

Do you have any idea how I could debug it further?

7

Additional missing facts:
on the same port nginx is listening the same port 80 and forward it to 2 different subdomain:

  1. wordpress
  2. picture server

Both servers do not have any installed certificates.

I do not have any idea whether those information are relevant.

8

Hi all, could anybody tell me how to debug or to find out the root cause of the issue? I have been searching in the letsencrypt pages and cannot find the “how to debug” information.

9

After checking the nginx error logs, I found out that there are any other service listening the same port 443. After removing it, I solved the issue, and the https works perfectly.

10

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.