Shared ssl_session_cache causing trouble in Nginx with multiple servers

I have multiple web servers running in a single NGinx instance; one of them is a Seafile server.

I tried to add another server using Certbot’s Nginx integration. Activating this new server caused the Seafile server to stop working (actually: to return empty replies for any request).

After some experimentation, I figured out that the trouble is related to the include file /etc/letsencrypt/options-ssl-nginx.conf which is added to my server configuration by Certbot’s Nginx integration. More specifically, if I comment out the statement ssl_session_cache shared:le_nginx_SSL:1m; in that include file, the Seafile server starts working again.

It is as if the ssl_session_cache statement is causing a side effect on another, unrelated server running in the same NGinx instance.

Is this a known issue? Is this a Certbot issue or an NGinx issue?

I am using Certbot 0.18.2 and NGinx 1.4.6 (Ubuntu).

@erica, do you have any prior experience with this problem?

your description is confusing

A) Are all your webservers running Seafile?
B) Are you using a different certificate and private key on each server?
C) Are you load balancing in someway between the server?
D) Is your trouble with just the one Seafile server?
E) Are you running ssl_session_cache on all your other servers with no issues?

This is most likely an application issue, i.e. Seafile (not NGINX or Let’s Encrypt).

Applications are written in different ways, and it’s always worthwhile to review the configuration recommendations on the application’s support forums etc.

A Google search for seafile + ssl + cache session would have led you to this

Andrei

Sorry if my description was confusing, and thanks for your help. I was tired and frustrated after several hours of trying to figure out what was wrong. The link to the seafile forum did help me solve the issue. I will try to clarify below for the benefit of others who might run into similar problems.

No, one webserver was running Seafile and the other (new) webserver was running Django.

Yes I am using a different certificate and private key on each server. Also the domain names differ (seafile.sikanda.be and broodshop.sikando.com respectively), but the IP address is shared.

I am not doing anything specific for load balancing. These are just two servers running in the same Nginx instance on the same VPS.

Yes the trouble is just with the Seafile server. The Django server is running correctly. Also, the Seafile server’s web interface is working; only the Seafile local client stops working. This is very similar to the problem described in the post on the Seafile forum.

I am only using ssl_session_cache on the Django server. The other server configurations - including the Seafile server configuration - are older and did not include the file /etc/letsencrypt/options-ssl-nginx.conf yet. Also, they did not have an ssl_session_cache directive. They did however have directives similar (but not identical) to the other directives in options-ssl-nginx.conf: ssl_ciphers, ssl_prefer_server_ciphers and ssl_protocols.

What I have done to fix the problem is to update the Seafile server configuration by including /etc/letsencrypt/options-ssl-nginx.conf and removing the existing ssl_ciphers, ssl_prefer_server_ciphers and ssl_protocols statements. As a result, the Seafile server and the Django server are now using identical statements, including an identical ssl_session_cache, from the include file, and both servers are now working correctly.

Conclusion: everything works fine when the different servers use the same settings for ssl_session_cache. The fact that different settings can cause trouble is an NGinx issue, and not a Let’s Encrypt issue.

Johan
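The configuration shape Johan ends up with, and a check for the mismatch he hit, as an added example that is not part of the thread and not Certbot's or nginx's own code. It builds two constructed nginx configurations (the "before" one where only the new server block carries the Certbot include, and the "after" one where both do), resolves `include` against an in-memory stand-in for /etc/letsencrypt/options-ssl-nginx.conf, and reports any listen address whose server blocks disagree on ssl_session_cache. Hostnames, paths, cipher strings and the include file's contents are assumptions for illustration; only the directive names and the zone name le_nginx_SSL come from the thread.

```python
"""Flag nginx server blocks that share a listen address but disagree on
ssl_session_cache. Added example; config texts below are constructed."""
import re
from collections import defaultdict

# Constructed stand-in for the Certbot include (values are assumptions).
FILES = {
    "/etc/letsencrypt/options-ssl-nginx.conf": """
ssl_session_cache shared:le_nginx_SSL:1m;
ssl_session_timeout 1440m;
ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers HIGH:!aNULL:!MD5;
""",
}


def server_block(host, tls_lines):
    """One constructed HTTPS server block for `host` (assumed paths)."""
    return f"""
    server {{
        listen 443 ssl;
        server_name {host};
        ssl_certificate     /etc/letsencrypt/live/{host}/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/{host}/privkey.pem;
{tls_lines}
    }}"""


# Older hand-written TLS settings: no ssl_session_cache at all.
LEGACY_TLS = """        ssl_protocols TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_ciphers HIGH:!aNULL:!MD5;"""
# Certbot-managed TLS settings: everything comes from the include.
CERTBOT_TLS = "        include /etc/letsencrypt/options-ssl-nginx.conf;"

INCONSISTENT = ("http {" + server_block("seafile.example.org", LEGACY_TLS)
                + server_block("shop.example.org", CERTBOT_TLS) + "\n}\n")
CONSISTENT = ("http {" + server_block("seafile.example.org", CERTBOT_TLS)
              + server_block("shop.example.org", CERTBOT_TLS) + "\n}\n")

# Minimal nginx tokenizer: comments, braces/semicolons, quoted and bare words.
TOKEN_RE = re.compile(r"#[^\n]*|[{};]|\"[^\"]*\"|'[^']*'|[^\s{};\"']+")


def tokenize(text):
    return [t for t in TOKEN_RE.findall(text) if not t.startswith("#")]


def parse(tokens, pos=0):
    """Return ([(name, args, children_or_None), ...], next_pos)."""
    out = []
    while pos < len(tokens):
        if tokens[pos] == "}":
            return out, pos + 1
        name, args, pos = tokens[pos], [], pos + 1
        while tokens[pos] not in ("{", ";"):
            args.append(tokens[pos].strip("'\""))
            pos += 1
        if tokens[pos] == ";":
            out.append((name, args, None))
            pos += 1
        else:
            children, pos = parse(tokens, pos + 1)
            out.append((name, args, children))
    return out, pos


def expand(directives, files):
    """Splice `include` files (looked up in `files`) into the tree in place."""
    out = []
    for name, args, children in directives:
        if name == "include":
            out.extend(expand(parse(tokenize(files[args[0]]))[0], files))
        elif children is not None:
            out.append((name, args, expand(children, files)))
        else:
            out.append((name, args, None))
    return out


def session_caches(config_text, files):
    """[(listen_addr, server_name, effective ssl_session_cache)] per server."""
    rows = []

    def walk(directives, inherited):
        level = inherited  # value inherited from the enclosing context
        for name, args, _ in directives:
            if name == "ssl_session_cache":
                level = " ".join(args)
        for name, args, children in directives:
            if name == "server":
                own, listens, hosts = level, [], []
                for n, a, _ in children:
                    if n == "ssl_session_cache":
                        own = " ".join(a)
                    elif n == "listen":
                        listens.append(a[0])
                    elif n == "server_name":
                        hosts.append(a[0])
                rows.extend((addr, hosts[0] if hosts else "", own) for addr in listens)
            elif children is not None:
                walk(children, level)

    walk(expand(parse(tokenize(config_text))[0], files), "none")  # nginx default
    return rows


def mismatches(config_text, files):
    """listen address -> sorted distinct cache settings, where they differ."""
    seen = defaultdict(set)
    for addr, _, cache in session_caches(config_text, files):
        seen[addr].add(cache)
    return {addr: sorted(v) for addr, v in seen.items() if len(v) > 1}


if __name__ == "__main__":
    for label, cfg in (("before fix", INCONSISTENT), ("after fix", CONSISTENT)):
        print(label, mismatches(cfg, FILES) or "consistent")
```

Run against a real tree you would feed the parser the text of nginx.conf plus a mapping of every included file; the check is deliberately conservative and treats an address whose blocks mix the nginx default `none` with a `shared:` zone as a mismatch, which is exactly the before-fix state in the thread. It says nothing about why nginx behaves as it does when the settings differ; it only makes the inconsistency visible before `nginx -t` and a reload.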
