OpenSSL SSL_connect: SSL_ERROR_SYSCALL


#1

My domain is: nic.rishat-sultanov.ru
All was fine, but now i have problem with SSL.

    ➜  ~ curl https://nic.rishat-sultanov.ru/ -vvv
    *   Trying 35.157.205.59...
    * TCP_NODELAY set
    * Connected to nic.rishat-sultanov.ru (35.157.205.59) port 443 (#0)
    * ALPN, offering h2
    * ALPN, offering http/1.1
    * successfully set certificate verify locations:
    *   CAfile: /etc/ssl/certs/ca-certificates.crt
      CApath: /etc/ssl/certs
    * TLSv1.2 (OUT), TLS handshake, Client hello (1):
    * OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to nic.rishat-sultanov.ru:443 
    * stopped the pause stream!
    * Closing connection 0
    curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to nic.rishat-sultanov.ru:443 

NGINX conf:

 server {
        	listen 443 ssl http2;
        	listen [::]:443 ssl http2;

    	server_name nic.rishat-sultanov.ru;
    	set $base /var/www/nic.rishat-sultanov.ru;
    	root $base/public;

    	# index.php
    	index index.php;

    	# index.php fallback
    	location / {
    		try_files $uri $uri/ /index.php?$query_string;
    	}

    	# handle .php
    	location ~ \.php$ {
    		try_files $uri =404;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_read_timeout 1200;
        include fastcgi_params;
    	}

    ssl_certificate /etc/letsencrypt/live/nic.rishat-sultanov.ru/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/nic.rishat-sultanov.ru/privkey.pem; # managed by Certbot
    }

    # subdomains redirect
    server {
    	listen 443 ssl http2;
    	listen [::]:443 ssl http2;

    	server_name *.nic.rishat-sultanov.ru;

    	return 301 https://nic.rishat-sultanov.ru$request_uri;

    ssl_certificate /etc/letsencrypt/live/nic.rishat-sultanov.ru/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/nic.rishat-sultanov.ru/privkey.pem; # managed by Certbot
    }

    # HTTP redirect
    server {
    if ($host = www.nic.rishat-sultanov.ru) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    if ($host = nic.rishat-sultanov.ru) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    	listen 80;
    	listen [::]:80;

    	server_name .nic.rishat-sultanov.ru;

    	location / {
    		return 301 https://nic.rishat-sultanov.ru$request_uri;
    	}
    }

I generate certs like i did before:

    root@ip-172-31-34-121:/etc/letsencrypt/live/nic.rishat-sultanov.ru# ll
    total 12
    drwxr-xr-x 2 root root 4096 Nov  9 12:29 ./
    drwxr-xr-x 4 root root 4096 Nov  9 12:29 ../
    -rw-r--r-- 1 root root  543 Nov  9 12:29 README
    lrwxrwxrwx 1 root root   46 Nov  9 12:29 cert.pem -> ../../archive/nic.rishat-sultanov.ru/cert1.pem
    lrwxrwxrwx 1 root root   47 Nov  9 12:29 chain.pem -> ../../archive/nic.rishat-sultanov.ru/chain1.pem
    lrwxrwxrwx 1 root root   51 Nov  9 12:29 fullchain.pem -> ../../archive/nic.rishat-sultanov.ru/fullchain1.pem
    lrwxrwxrwx 1 root root   49 Nov  9 12:29 privkey.pem -> ../../archive/nic.rishat-sultanov.ru/privkey1.pem

ss -tlnp output:

    root@ip-172-31-34-121:/etc/letsencrypt/live/nic.rishat-sultanov.ru# ss -tlnp
    State    Recv-Q    Send-Q        Local Address:Port        Peer Address:Port                                                                                    
    LISTEN   0         128                 0.0.0.0:443              0.0.0.0:*        users:(("nginx",pid=8889,fd=9),("nginx",pid=8816,fd=9))                        
    LISTEN   0         128               127.0.0.1:9000             0.0.0.0:*        users:(("php-fpm7.2",pid=965,fd=9),("php-fpm7.2",pid=964,fd=9),("php-fpm7.2",pid=960,fd=9),("php-fpm7.2",pid=950,fd=9),("php-fpm7.2",pid=949,fd=9),("php-fpm7.2",pid=777,fd=7))
    LISTEN   0         80                  0.0.0.0:3306             0.0.0.0:*        users:(("mysqld",pid=953,fd=23))                                               
    LISTEN   0         128               127.0.0.1:6379             0.0.0.0:*        users:(("redis-server",pid=877,fd=6))                                          
    LISTEN   0         128                 0.0.0.0:80               0.0.0.0:*        users:(("nginx",pid=8889,fd=8),("nginx",pid=8816,fd=8))                        
    LISTEN   0         128           127.0.0.53%lo:53               0.0.0.0:*        users:(("systemd-resolve",pid=621,fd=13))                                      
    LISTEN   0         128                 0.0.0.0:22               0.0.0.0:*        users:(("sshd",pid=835,fd=3))                                                  
    LISTEN   0         128                    [::]:443                 [::]:*        users:(("nginx",pid=8889,fd=10),("nginx",pid=8816,fd=10))                      
    LISTEN   0         128                   [::1]:6379                [::]:*        users:(("redis-server",pid=877,fd=7))                                          
    LISTEN   0         128                    [::]:80                  [::]:*        users:(("nginx",pid=8889,fd=11),("nginx",pid=8816,fd=11))                      
    LISTEN   0         128                    [::]:22                  [::]:*        users:(("sshd",pid=835,fd=4))  

openssl s_client -connect 0.0.0.0:443

    root@ip-172-31-34-121:/etc/letsencrypt/live/nic.rishat-sultanov.ru# openssl s_client -connect 0.0.0.0:443
    CONNECTED(00000003)
    write:errno=0
    ---
    no peer certificate available
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 0 bytes and written 176 bytes
    Verification: OK
    ---
    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : 0000
        Session-ID: 
        Session-ID-ctx: 
        Master-Key: 
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        Start Time: 1541768865
        Timeout   : 7200 (sec)
        Verify return code: 0 (ok)
        Extended master secret: no
    ---
    root@ip-172-31-34-121:/etc/letsencrypt/live/nic.rishat-sultanov.ru# 

My web server is (include version): AWS EC2

The operating system my web server runs on is (include version): Ubuntu 18.04 Server

My hosting provider, if applicable, is: AWS EC2

I can login to a root shell on my machine (yes or no, or I don’t know):yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):no


#2

Where do you define:
ssl_protocols
ssl_ciphers