It’s a curious thing, and I’m not really sure it’s LE-related (everything’s working when I fall back to StartSSL certs, so it should be, in some way, right?)
I’m running nginx with acmetool as forward proxy. I spawn all the web configs from exactly the same template:
listen 443 ssl http2;
ssl on;
ssl_protocols TLSv1.1 TLSv1.2;
ssl_ciphers "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:DES-CBC3-SHA:!DES:!RC4:!aNULL:!eNULL:!LOW:!MD5:!EXP:!PSK:!SRP:!DSS:!CAMELLIA:!SEED";
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 5m;
ssl_dhparam /etc/nginx/conf.d/dhparams.pem;
ssl_ct on;
ssl_certificate /etc/nginx/ssl/rsa/live/{{$rootDomain}}/fullchain;
ssl_certificate_key /etc/nginx/ssl/rsa/live/{{$rootDomain}}/privkey;
ssl_ct_static_scts /etc/nginx/ssl/rsa/live/{{$rootDomain}}/scts;
ssl_certificate /etc/nginx/ssl/ecdsa/live/{{$rootDomain}}/fullchain;
ssl_certificate_key /etc/nginx/ssl/ecdsa/live/{{$rootDomain}}/privkey;
ssl_ct_static_scts /etc/nginx/ssl/ecdsa/live/{{$rootDomain}}/scts;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
The domain wolfyarts.com works everywhere, the domain wolfyart.com fails to load in Safari (on either OS X or iOS).
Any ideas how to debug the Safari SSL issue? wolfyart.com loads fine in Chrome and Firefox on the same system.
It’s funny that ssllabs.com rates both as A+ with no issues.
Update: it’s not Safari-specific, it’s CFNetwork-specific, e.g. curl fails too:
$ curl -v https://wolfyart.com/
* Trying 176.9.58.152...
* Connected to wolfyart.com (176.9.58.152) port 443 (#0)
* Unknown SSL protocol error in connection to wolfyart.com:-9800
* Closing connection 0
curl: (35) Unknown SSL protocol error in connection to wolfyart.com:-9800
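Added example, not the poster's configuration or code: since nginx picks the RSA or the ECDSA certificate based on the ciphers a client offers, the first thing to isolate is which of the two chains the failing client is handed, and this stdlib-only Python probe forces each family in turn and reports the negotiated protocol, cipher and certificate (or the error) for each host. The host names, cipher lists and the TLS 1.2 cap are assumptions; -9800 is Secure Transport's errSSLProtocol, a generic handshake failure that does not say which side objected.

```python
import socket
import ssl

# Cipher filters that make the server pick one certificate family. Assumed
# suite names; both are in the posted ssl_ciphers string's EECDH groups.
PROFILES = {
    "ecdsa-only": "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256",
    "rsa-only": "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256",
    "default": "DEFAULT",
}


def probe(host, ciphers="DEFAULT", port=443, timeout=5.0):
    """Attempt one TLS handshake and describe the outcome; never raises.

    TLS 1.2 is the maximum because the posted config only offers TLSv1.1/1.2
    and because OpenSSL ignores set_ciphers() for TLS 1.3, so the RSA/ECDSA
    split above would not take effect under TLS 1.3.
    """
    result = {"host": host, "ciphers": ciphers, "ok": False}
    try:
        ctx = ssl.create_default_context()
        ctx.maximum_version = ssl.TLSVersion.TLSv1_2
        ctx.set_ciphers(ciphers)  # raises ssl.SSLError if nothing matches
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                result.update(
                    ok=True,
                    protocol=tls.version(),
                    cipher=tls.cipher()[0],  # name reveals ECDSA vs RSA leaf
                    subject=dict(x[0] for x in cert["subject"]).get("commonName"),
                    issuer=dict(x[0] for x in cert["issuer"]).get("commonName"),
                    not_after=cert.get("notAfter"),
                )
    except OSError as exc:  # socket errors, timeouts and ssl.SSLError
        result["error"] = f"{type(exc).__name__}: {exc}"
    return result


def compare(hosts, profiles=PROFILES, port=443):
    """Run every profile against every host; return {host: {profile: result}}."""
    return {h: {n: probe(h, c, port=port) for n, c in profiles.items()} for h in hosts}


if __name__ == "__main__":
    import json
    import sys

    hosts = sys.argv[1:] or ["wolfyart.com", "wolfyarts.com"]  # assumed defaults
    print(json.dumps(compare(hosts), indent=2))
```

A profile that succeeds for the working host but fails for the broken one narrows the problem to that certificate's chain or SCT data rather than to the shared cipher or protocol settings.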