What I ended up needing to do (which is OK for now) is to not redirect the https from www.smaty.se, but rather put both of them in the server block with the full declaration. So, no, not really, unfortunately.
This solved it for me as well; any idea why? I was getting this error only in Firefox and Chrome, it worked fine in Safari. Can this have something to do with HSTS?
I run a host of sites on Nginx using LE certificates and never had any problems.
I do not specify any SSL settings in my main nginx.conf file whatsoever.
I have a specific file at /etc/nginx/ssl.d/globalssl.conf as follows:
# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
ssl_dhparam /etc/nginx/ssl/dhparam.pem;
#gzip off; #recommended off for SSL - said to be fixed post Nginx 1.9.1
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:128m;
ssl_session_tickets off;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# ciphers recommended by https://mozilla.github.io/server-side-tls/ssl-config-generator/
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
# ciphers recommended by Lets Encrypt Below
# ssl_ciphers EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
ssl_prefer_server_ciphers on;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
ssl_stapling on;
ssl_stapling_verify on;
Then I simply use an include in each web site's conf file, as follows:
include /etc/nginx/ssl.d/globalssl.conf;
and then specify your certs in the site's conf file:
# First include our certificates and chain of trust
ssl_certificate /etc/letsencrypt/live/mydomain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/mydomain.com/privkey.pem;
## verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /etc/letsencrypt/live/mydomain.com/chain.pem;
I find having one centralised SSL config file is much easier for admin, and the above settings I use across 28 sites using LE certs work across all browsers except for some very old ones, of course. All score A+ on Qualys.
Also, in Nginx v1.10 you should rather use http2 instead of spdy, as follows:
Thank you, I've now updated my config to more-or-less match this (I still had to remove ssl_session_tickets off to get it to work), but it's now a lot more convenient. And I should be able to programmatically render my config files, which is A++.
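As an added example (my own, not code from anyone in this thread), a small Python check that reads a centralised globalssl.conf plus a per-site fragment, models the include by concatenation, and reports the settings from the posts above that most affect TLS security: legacy protocols, 3DES suites, session tickets left on (the directive the last reply had to drop), HSTS max-age, and ssl_stapling_verify without an ssl_trusted_certificate. The config text is a constructed, trimmed copy of the poster's settings.

```python
import shlex

# Constructed sample, trimmed from the centralised file shown in the thread.
GLOBALSSL_CONF = """
# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
ssl_dhparam /etc/nginx/ssl/dhparam.pem;
ssl_session_tickets off;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-DES-CBC3-SHA:DES-CBC3-SHA:!DSS';
ssl_prefer_server_ciphers on;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
ssl_stapling on;
ssl_stapling_verify on;
"""
# Constructed per-site fragment; the nginx 'include' is modelled by concatenation.
SITE_CONF = """
ssl_certificate /etc/letsencrypt/live/mydomain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/mydomain.com/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/mydomain.com/chain.pem;
"""

def parse_directives(conf):
    """Map each one-line nginx directive to its argument list (last one wins); comments skipped."""
    found = {}
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or not line.endswith(";"):
            continue
        name, _, args = line[:-1].partition(" ")
        found[name] = shlex.split(args)  # keeps the quoted HSTS value as one argument
    return found

def audit(conf):
    """Return human-readable findings for the TLS settings discussed in the thread."""
    d = parse_directives(conf)
    findings = []
    legacy = set(d.get("ssl_protocols", [])) & {"SSLv3", "TLSv1", "TLSv1.1"}
    if legacy:
        findings.append("legacy protocols enabled: " + ", ".join(sorted(legacy)))
    weak = [c for c in d.get("ssl_ciphers", [""])[0].split(":") if "DES" in c and not c.startswith("!")]
    if weak:
        findings.append("3DES suites offered: " + ", ".join(weak))
    # nginx generates one ticket key at start and never rotates it unless ssl_session_ticket_key is managed
    if d.get("ssl_session_tickets", ["on"]) != ["off"] and "ssl_session_ticket_key" not in d:
        findings.append("session tickets on without a rotated ticket key")
    hdr = d.get("add_header", [])
    if hdr[:1] != ["Strict-Transport-Security"]:
        findings.append("no HSTS header")
    elif int(hdr[1].split(";")[0].split("=")[1]) < 31536000:
        findings.append("HSTS max-age shorter than one year")
    if d.get("ssl_stapling_verify") == ["on"] and "ssl_trusted_certificate" not in d:
        findings.append("ssl_stapling_verify on but no ssl_trusted_certificate for the OCSP chain")
    return findings

if __name__ == "__main__":
    for finding in audit(GLOBALSSL_CONF + SITE_CONF):
        print(finding)
```

Run it against a real pair of files by reading them in place of the constructed strings; the stapling finding only disappears once the site fragment supplying chain.pem is included.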