Nginx: ERR_SSL_PROTOCOL_ERROR

yesterday I set up the certificate and everything, and it seemed to work splendidly.

Today I wake up to errors in Chrome, firefox, mobile chrome … it seems only Safari is OK with my config!

Any thoughts? Site: https://smaty.se

nginx config:

server {
    listen       443 ssl spdy;
    server_name www.smaty.se;
    ssl_certificate /etc/letsencrypt/live/www.smaty.se/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.smaty.se/privkey.pem;
    return 301 $scheme://smaty.se$request_uri;
}

server {
    listen              80;
    listen              [::]:80;
    server_name         smaty.se www.smaty.se;

    location / {
        return 301 https://smaty.se$request_uri;
    }
}

server {
    listen 443 ssl spdy;
    listen [::]:443 ssl spdy;
    ssl_certificate /etc/letsencrypt/live/www.smaty.se/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.smaty.se/privkey.pem;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;

    # openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048
    ssl_dhparam /etc/nginx/ssl/dhparam.pem;

    ssl_protocols TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
    ssl_prefer_server_ciphers on;

    add_header Strict-Transport-Security max-age=15768000;

    ssl_stapling on;
    ssl_stapling_verify on;

    ## verify chain of trust of OCSP response using Root CA and Intermediate certs
    #ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;
    ssl_trusted_certificate /etc/letsencrypt/live/www.smaty.se/chain.pem;
    resolver 8.8.8.8 8.8.4.4 valid=86400;
    resolver_timeout 10;

    server_name smaty.se;

    location = /stories.html {
        return 301 https://smaty.se/stories/$request_uri;
    }

    location = /author.html {
        return 301 https://smaty.se/author/$request_uri;
    }

    location = /sitemap.html {
        return 301 https://smaty.se/sitemap/$request_uri;
    }

    location = /colophone.html {
        return 301 https://smaty.se/colophone/$request_uri;
    }

    location = /characters/mio-singh/ {
        return 301 /characters/satinder-singh/;
    }

    root   /srv/web/smaty.se;

    index  index.html index.htm;


    location ~ \.(js|css|png|jpg|jpeg|gif|ico|html|woff|ttf|svg|eot|otf)$ {
        add_header "Access-Control-Allow-Origin" "*";
        expires 1M;
        include pratchett.conf;
        access_log off;
        add_header Cache-Control "public";
    }
}
```

The config is based on https://blog.rudeotter.com/lets-encrypt-ssl-certificate-nginx-ubuntu/

And … now it’s working again. facepalm

I don’t suppose you got to the bottom of this did you? I’m having the same issue…

What I ended up needing to do (which is OK for now) is to not redirect the https from www.smaty.se, but rather put both of them in the serverblock with the full declaration. So, no, not really, unfortunately

Oddly I had to explicitly state ssl on in the nginx conf and that resolved it for me.
http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl

I was also having this issue with nginx/1.9.12. Removing ssl_session_tickets off; fixed it for me.

1 Like

This solved it for me as well, any idea why? I was getting this error only in firefox and chrome, it worked fine in Safar. Can this have something to do with HSTS?

I run a host of sites on Nginx using LE certificates and never had any problems.

I do not specify any SSL settings in my main nginx.conf file whatsoever.

I have a specific file at /etc/nginx/ssl.d/globalssl.conf as follows

	# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
	ssl_dhparam /etc/nginx/ssl/dhparam.pem;
	#gzip off; #recommended off for SSL - said to be fixed post Nginx 1.9.1
	ssl_session_timeout 1d;
	ssl_session_cache shared:SSL:128m;
	ssl_session_tickets off;
	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
	# ciphers recommended by https://mozilla.github.io/server-side-tls/ssl-config-generator/
	ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
	# ciphers recommended by Lets Encrypt Below
	# ssl_ciphers EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
	ssl_prefer_server_ciphers on;
	add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
	ssl_stapling on;
	ssl_stapling_verify on;

Then I simply use in each web sites conf file an include as follows

include /etc/nginx/ssl.d/globalssl.conf;

and then specify your certs in the site’s conf file

	# First include our certificates and chain of trust
	ssl_certificate /etc/letsencrypt/live/mydomain.com/fullchain.pem;
	ssl_certificate_key /etc/letsencrypt/live/mydomain.com/privkey.pem;
	## verify chain of trust of OCSP response using Root CA and Intermediate certs
	ssl_trusted_certificate /etc/letsencrypt/live/mydomain.com/chain.pem;

I find having one centralised SSL config file is much easier for admin and the above settings I use across 28 sites using LE certs work across all browsers except for some very old one’s of course. All score A+ on Qualsys

Also in Nginx V1.10 you should rather use http2 instead of spdy as follows:

listen 443 ssl http2;

Thank you, I’ve now updated my config to more-or-less match this (I still had to remove ssl_session_tickets off to get it to work), but it’s now a lot more convenient. And I should be able to programmatically render my config files, which is A++