Problem with nginx and letsencrypt

iSeven · June 18, 2016, 7:07pm

Hello,
i got the following problem:

i got the certificats for my website (debian, nginx), but my config dont work
what iam doing wrong?

`server {
listen 80;
server_name myWebsite.net www.myWebsite.net;
return 301 https://$host$request_uri;
}

server {
listen 443 ssl;
server_name myWebsite.net www.myWebsite.net;

root /var/www;
index index.html index.htm index.php;

ssl on;
ssl_certificate /etc/letsencrypt/live/myWebsite.net/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/myWebsite.net/privkey.pem;


ssl_session_timeout 5m;

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
ssl_session_cache shared:SSL:50m;
add_header Strict-Transport-Security max-age=15768000;

location / {
	try_files $uri $uri/ =404;
}

location ~ /\.well-known\/acme-challenge {
	allow all;
}

}

`

Happy_Face · June 20, 2016, 11:04pm

Try changing:
ssl_certificate /etc/letsencrypt/live/myWebsite.net/fullchain.pem;

To instead be:

ssl_certificate /etc/letsencrypt/live/myWebsite.net/cert.pem;

Worked for me.

tialaramex · June 21, 2016, 2:11am

That’s definitely wrong. You should serve the “full chain” because most web browsers won’t try to reconstruct missing links in the chain if they’re not provided, so visitors will get an error saying your certificate isn’t trusted.

@iSeven - you say the config “dont work” but that’s very vague. What happens, and what did you expect to happen? For example, is there an error message displayed somewhere? If so, please tell us what it is.

schoen · June 21, 2016, 2:18am

@Happy_Face, as @tialaramex points out, what you did will probably make your site not work with some clients. You can test it at https://www.ssllabs.com/ssltest/ to see if it says there is a chain problem.

system · July 21, 2016, 2:18am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.