My domain is: nic.rishat-sultanov.ru
All was fine, but now I have a problem with SSL.
➜ ~ curl https://nic.rishat-sultanov.ru/ -vvv
* Trying 35.157.205.59...
* TCP_NODELAY set
* Connected to nic.rishat-sultanov.ru (35.157.205.59) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to nic.rishat-sultanov.ru:443
* stopped the pause stream!
* Closing connection 0
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to nic.rishat-sultanov.ru:443
NGINX conf:
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name nic.rishat-sultanov.ru;

    set $base /var/www/nic.rishat-sultanov.ru;
    root $base/public;

    # index.php
    index index.php;

    # index.php fallback
    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    # handle .php
    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_read_timeout 1200;
        include fastcgi_params;
    }

    ssl_certificate /etc/letsencrypt/live/nic.rishat-sultanov.ru/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/nic.rishat-sultanov.ru/privkey.pem; # managed by Certbot
}

# subdomains redirect
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name *.nic.rishat-sultanov.ru;
    return 301 https://nic.rishat-sultanov.ru$request_uri;

    ssl_certificate /etc/letsencrypt/live/nic.rishat-sultanov.ru/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/nic.rishat-sultanov.ru/privkey.pem; # managed by Certbot
}

# HTTP redirect
server {
    if ($host = www.nic.rishat-sultanov.ru) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    if ($host = nic.rishat-sultanov.ru) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    listen [::]:80;
    server_name .nic.rishat-sultanov.ru;

    location / {
        return 301 https://nic.rishat-sultanov.ru$request_uri;
    }
}
I generated the certs like I did before:
root@ip-172-31-34-121:/etc/letsencrypt/live/nic.rishat-sultanov.ru# ll
total 12
drwxr-xr-x 2 root root 4096 Nov 9 12:29 ./
drwxr-xr-x 4 root root 4096 Nov 9 12:29 ../
-rw-r--r-- 1 root root 543 Nov 9 12:29 README
lrwxrwxrwx 1 root root 46 Nov 9 12:29 cert.pem -> ../../archive/nic.rishat-sultanov.ru/cert1.pem
lrwxrwxrwx 1 root root 47 Nov 9 12:29 chain.pem -> ../../archive/nic.rishat-sultanov.ru/chain1.pem
lrwxrwxrwx 1 root root 51 Nov 9 12:29 fullchain.pem -> ../../archive/nic.rishat-sultanov.ru/fullchain1.pem
lrwxrwxrwx 1 root root 49 Nov 9 12:29 privkey.pem -> ../../archive/nic.rishat-sultanov.ru/privkey1.pem
ss -tlnp output:
root@ip-172-31-34-121:/etc/letsencrypt/live/nic.rishat-sultanov.ru# ss -tlnp
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 0.0.0.0:443 0.0.0.0:* users:(("nginx",pid=8889,fd=9),("nginx",pid=8816,fd=9))
LISTEN 0 128 127.0.0.1:9000 0.0.0.0:* users:(("php-fpm7.2",pid=965,fd=9),("php-fpm7.2",pid=964,fd=9),("php-fpm7.2",pid=960,fd=9),("php-fpm7.2",pid=950,fd=9),("php-fpm7.2",pid=949,fd=9),("php-fpm7.2",pid=777,fd=7))
LISTEN 0 80 0.0.0.0:3306 0.0.0.0:* users:(("mysqld",pid=953,fd=23))
LISTEN 0 128 127.0.0.1:6379 0.0.0.0:* users:(("redis-server",pid=877,fd=6))
LISTEN 0 128 0.0.0.0:80 0.0.0.0:* users:(("nginx",pid=8889,fd=8),("nginx",pid=8816,fd=8))
LISTEN 0 128 127.0.0.53%lo:53 0.0.0.0:* users:(("systemd-resolve",pid=621,fd=13))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=835,fd=3))
LISTEN 0 128 [::]:443 [::]:* users:(("nginx",pid=8889,fd=10),("nginx",pid=8816,fd=10))
LISTEN 0 128 [::1]:6379 [::]:* users:(("redis-server",pid=877,fd=7))
LISTEN 0 128 [::]:80 [::]:* users:(("nginx",pid=8889,fd=11),("nginx",pid=8816,fd=11))
LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=835,fd=4))
openssl s_client -connect 0.0.0.0:443
root@ip-172-31-34-121:/etc/letsencrypt/live/nic.rishat-sultanov.ru# openssl s_client -connect 0.0.0.0:443
CONNECTED(00000003)
write:errno=0
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 176 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1541768865
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
---
root@ip-172-31-34-121:/etc/letsencrypt/live/nic.rishat-sultanov.ru#
My web server is (include version): AWS EC2
The operating system my web server runs on is (include version): Ubuntu 18.04 Server
My hosting provider, if applicable, is: AWS EC2
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no
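An added diagnostic helper, not part of the original post: it repeats the handshake check with SNI set (the s_client run in the post passed no -servername), classifies how far the handshake got, and compares the fingerprint nginx actually serves with the fullchain.pem on disk, so you can tell whether the running nginx picked up the files in Certbot's live/ directory. The host and path defaults are taken from the post; the function names and the classification labels are my own.

```shell
#!/bin/sh
# Added diagnostic helper (not from the original post). Defaults follow the
# post: the vhost name and Certbot's live/ directory for it.
HOST="${HOST:-nic.rishat-sultanov.ru}"
LIVE="${LIVE:-/etc/letsencrypt/live/$HOST}"

# classify_handshake: read `openssl s_client` output on stdin and print one
# word describing how far the TLS handshake got before it stopped.
classify_handshake() {
  out=$(cat)
  case "$out" in
    *"Server certificate"*)            echo "served-cert" ;;
    *"alert "*)                        echo "tls-alert" ;;
    *"no peer certificate available"*)
      case "$out" in
        *"has read 0 bytes"*)          echo "closed-before-serverhello" ;;
        *)                             echo "no-cert" ;;
      esac ;;
    *)                                 echo "unknown" ;;
  esac
}

# served_cert_fingerprint HOST: SHA-256 fingerprint of the leaf certificate
# nginx sends for HOST when SNI is set (the post's run omitted -servername).
served_cert_fingerprint() {
  openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256 2>/dev/null
}

# file_cert_fingerprint FILE: same fingerprint computed from a PEM on disk
# (fullchain.pem starts with the leaf, and x509 reads only the first cert).
file_cert_fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256; }

# same_fingerprint A B: succeed only when both are non-empty and equal.
same_fingerprint() { [ -n "$1" ] && [ "$1" = "$2" ]; }

# Only contact the server when invoked as `sh check.sh run`, so the functions
# above can also be sourced and exercised offline.
if [ "${1:-}" = "run" ]; then
  nginx -t   # the config must parse before anything else is meaningful
  verdict=$(openssl s_client -connect "$HOST:443" -servername "$HOST" </dev/null 2>&1 | classify_handshake)
  echo "handshake: $verdict"
  served=$(served_cert_fingerprint "$HOST")
  ondisk=$(file_cert_fingerprint "$LIVE/fullchain.pem")
  echo "served : ${served:-<none>}"
  echo "on disk: $ondisk"
  if same_fingerprint "$served" "$ondisk"; then echo "nginx serves the cert in $LIVE"
  else echo "nginx is NOT serving $LIVE/fullchain.pem (check which vhost answers, then reload nginx)"; fi
fi
```

A verdict of closed-before-serverhello matches the post's output (0 bytes read, no peer certificate) and means nginx dropped the connection right after the ClientHello, so the next place to look is nginx's error log rather than the certificate files.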