SSL obtained but HTTPS connection resets itself

When I obtained a new certificate, the certificates were generated and the nginx server config for the vhost was updated, yet when I access the HTTPS server, it seems to reset the connection during loading.

Is anyone having this issue, or does anyone know how to fix it? Thanks!

server:

server {
  listen 80;

  root /home/elkinoo_tv/web/;
  index index.html index.htm;
  server_name elkinoo.tv www.elkinoo.tv;

  location /home/elkinoo_tv/web {
    try_files $uri $uri/ index.html;
  }
  location ~ \/(src\/assets\/.*) {
    try_files $uri $uri/ =404;
  }
  location ~ \/(node_modules\/|src\/|package(-lock)?.json|README.md|webpack.config.js) {
    return 404;
  }

listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/elkinoo.tv-0001/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/elkinoo.tv-0001/privkey.pem; # managed by Certbot
ssl_session_cache shared:le_nginx_SSL:1m; # managed by Certbot
ssl_session_timeout 1440m; # managed by Certbot

ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # managed by Certbot
ssl_prefer_server_ciphers on; # managed by Certbot

ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES128-SHA ECDHE-ECDSA-AES256-SHA ECDHE-ECDSA-AES128-SHA256 ECDHE-ECDSA-AES256-SHA384 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-A$
}

https://www.ssllabs.com/ssltest/analyze.html?d=elkinoo.tv
https://crt.sh/?q=elkinoo.tv

My domain is: elkinoo.tv

I ran this command: certbot --authenticator webroot --webroot-path /home/elkinoo_tv/web/ --installer nginx -d elkinoo.tv

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/elkinoo.tv-0001.conf)

What would you like to do?
-------------------------------------------------------------------------------
1: Attempt to reinstall this existing certificate
2: Renew & replace the cert (limit ~5 per 7 days)
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Keeping the existing certificate
Deployed Certificate to VirtualHost /etc/nginx/sites-enabled/elkinoo.tv for set(['www.elkinoo.tv', 'elkinoo.tv'])

Please choose whether HTTPS access is required or optional.
-------------------------------------------------------------------------------
1: Easy - Allow both HTTP and HTTPS access to these sites
2: Secure - Make all requests redirect to secure HTTPS access
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1

-------------------------------------------------------------------------------
Congratulations! You have successfully enabled https://elkinoo.tv

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=elkinoo.tv
-------------------------------------------------------------------------------

My web server is (include version): Nginx 1.10.3

The operating system my web server runs on is (include version): Debian 9

My hosting provider, if applicable, is: /

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

I would check your network setup.

Neither port 80 nor port 443 are currently behaving as HTTP or HTTPS servers, respectively.

$ openssl s_client -connect elkinoo.tv:443 -servername elkinoo.tv
CONNECTED(00000003)
140705343299392:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 324 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1515876312
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
$ curl -vvv http://elkinoo.tv
* Rebuilt URL to: http://elkinoo.tv/
*   Trying 188.165.150.104...
* TCP_NODELAY set
* Connected to elkinoo.tv (188.165.150.104) port 80 (#0)
> GET / HTTP/1.1
> Host: elkinoo.tv
> User-Agent: curl/7.55.1
> Accept: */*
> 
Warning: Binary output can mess up your terminal. Use "--output -" to tell 
Warning: curl to output it to your terminal anyway, or consider "--output 
Warning: <FILE>" to save to a file.
* Failed writing body (0 != 57)
* Closing connection 0

My bad, I tried some settings in the meantime, including “http2” after the port; I reverted to the standard one.
Curl output is now the following:

$ curl -vvv https://elkinoo.tv
* Rebuilt URL to: https://elkinoo.tv/
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 188.165.150.104...
* TCP_NODELAY set
* Connected to elkinoo.tv (188.165.150.104) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: C:/Program Files/Git/mingw64/ssl/certs/ca-bundle.crt
  CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
} [5 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to elkinoo.tv:443
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
* Closing connection 0
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to elkinoo.tv:443
$ curl -vvv http://elkinoo.tv
* Rebuilt URL to: http://elkinoo.tv/
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 188.165.150.104...
* TCP_NODELAY set
* Connected to elkinoo.tv (188.165.150.104) port 80 (#0)
> GET / HTTP/1.1
> Host: elkinoo.tv
> User-Agent: curl/7.57.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Server: nginx/1.10.3
< Date: Sat, 13 Jan 2018 21:02:49 GMT
< Content-Type: text/html
< Content-Length: 204
< Last-Modified: Sat, 13 Jan 2018 16:13:39 GMT
< Connection: keep-alive
< ETag: "5a5a3033-cc"
< Accept-Ranges: bytes
<
{ [204 bytes data]
100   204  100   204    0     0    204      0  0:00:01 --:--:--  0:00:01  6580<!DOCTYPE html>
<html lang="en">
  <head>
    <meta charset="utf-8">
    <title>Elkinoo TV</title>
  </head>
  <body>
    <div id="app"></div>
    <script src="/dist/build.js"></script>
  </body>
</html>

* Connection #0 to host elkinoo.tv left intact

Weird - to me it seems like nginx is not even serving traffic on that port, because its plaintext “wrong protocol” handler is not working for :443. Could you try from the server:

ss -tlnp

and

openssl s_client -connect 127.0.0.1:443

Check nginx’s error log too.

ss -tlnp result:

root@crusade:/home/elkinoo_tv# ss -tlnp
State   Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN  0      128    *:443             *:*    users:(("nginx",pid=20254,fd=7),("nginx",pid=20253,fd=7),("nginx",pid=20074,fd=7))
LISTEN  0      128    *:80              *:*    users:(("nginx",pid=20254,fd=6),("nginx",pid=20253,fd=6),("nginx",pid=20074,fd=6))
LISTEN  0      128    *:22              *:*    users:(("sshd",pid=427,fd=3))
LISTEN  0      50     :::18625          :::*   users:(("java",pid=7988,fd=18))
LISTEN  0      128    :::80             :::*   users:(("nginx",pid=20254,fd=8),("nginx",pid=20253,fd=8),("nginx",pid=20074,fd=8))
LISTEN  0      128    :::22             :::*   users:(("sshd",pid=427,fd=4))
root@crusade:/home/elkinoo_tv#

openssl command output:

root@crusade:/home/elkinoo_tv# openssl s_client -connect 127.0.0.1:443
CONNECTED(00000003)
write:errno=0
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 176 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1515879350
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---
root@crusade:/home/elkinoo_tv#

The nginx error log contains a lot of lines like the following, but I don’t understand them:

2018/01/13 21:35:50 [error] 20253#20253: *324 no "ssl_certificate" is defined in server listening on SSL port while SSL handshaking, client: 127.0.0.1, server: 0.0.0.0:443

I mean, it IS defined:

server {
  listen 80;

  root /home/elkinoo_tv/web/;
  index index.html index.htm;
  server_name elkinoo.tv www.elkinoo.tv;

  location /home/elkinoo_tv/web {
    try_files $uri $uri/ index.html;
  }
  location ~ \/(src\/assets\/.*) {
    try_files $uri $uri/ =404;
  }
  location ~ \/(node_modules\/|src\/|package(-lock)?.json|README.md|webpack.config.js) {
    return 404;
  }

listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/elkinoo.tv-0001/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/elkinoo.tv-0001/privkey.pem; # managed by Certbot
ssl_session_cache shared:le_nginx_SSL:1m; # managed by Certbot
ssl_session_timeout 1440m; # managed by Certbot

ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # managed by Certbot
ssl_prefer_server_ciphers on; # managed by Certbot

ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES128-SHA ECDHE-ECDSA-AES256-SHA ECDHE-ECDSA-AES128-SHA256 ECDHE-ECDSA-AES256-SHA384 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-A$
}

Can you show the full parsed configuration (nginx -T)? It will help to understand that warning.

1 Like

Oh my, how dumb was I. Seeing the output of the command you gave me, I noticed I had a vhost listening on 443 but with no SSL certificate defined. This was probably taking down all 443 vhosts; I disabled it and it now loads correctly using HTTPS on Elkinoo.tv.

Thanks a LOT @_az!! :heart:

1 Like

You're absolutely right. SSL virtual hosts without certificates and keys make Nginx malfunction. :sweat:
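The check that resolved this thread, written out as an added example (it is not code from the thread, from nginx or from Certbot): a small Python script that scans the output of nginx -T for server blocks that enable TLS (a listen directive carrying ssl, or the legacy ssl on;) but define no ssl_certificate, while taking an ssl_certificate inherited from the http context into account. The sample dump, the hostnames example.test / old.example.test and the file paths in it are constructed for the demonstration and are not the thread's real configuration.

```python
import re
import sys

# Constructed sample of `nginx -T` output (not the thread's real configuration):
# a vhost that is correctly set up next to one that listens on 443 with ssl
# but defines no certificate, which is the situation the thread ended up with.
SAMPLE_NGINX_T = """\
# configuration file /etc/nginx/nginx.conf:
http {
    include /etc/nginx/sites-enabled/*;
}

# configuration file /etc/nginx/sites-enabled/example.test:
server {
    listen 80;
    listen 443 ssl; # managed by Certbot
    server_name example.test www.example.test;
    root /var/www/example;
    ssl_certificate /etc/letsencrypt/live/example.test/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/example.test/privkey.pem; # managed by Certbot
    location / { try_files $uri $uri/ =404; }
}

# configuration file /etc/nginx/sites-enabled/old-vhost:
server {
    listen 443 ssl;
    server_name old.example.test;
    root /var/www/old;
}
"""

_MARKER = re.compile(r"^# configuration file (.+?):\s*$", re.M)  # nginx -T file headers
_SERVER_OPEN = re.compile(r"\bserver\s*\{")
_CERT = re.compile(r"\bssl_certificate\s+[^;]+;")   # does not match ssl_certificate_key
_LISTEN = re.compile(r"\blisten\s+([^;]+);")
_SSL_ON = re.compile(r"\bssl\s+on\s*;")             # legacy way of enabling TLS
_SERVER_NAME = re.compile(r"\bserver_name\s+([^;]+);")


def _blank_comments(text):
    """Replace '# ...' comments with spaces so offsets still line up with the raw dump."""
    return re.sub(r"#[^\n]*", lambda m: " " * len(m.group(0)), text)


def _server_blocks(text):
    """Yield (start, end, body) for every `server { ... }` block, matching braces."""
    for m in _SERVER_OPEN.finditer(text):
        depth, i = 1, m.end()
        while i < len(text) and depth:
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield m.start(), i, text[m.end():i - 1]


def find_tls_servers_without_cert(dump):
    """Return the server blocks that enable TLS but have no usable ssl_certificate."""
    markers = [(m.start(), m.group(1)) for m in _MARKER.finditer(dump)]
    text = _blank_comments(dump)
    blocks = list(_server_blocks(text))

    # Everything outside server blocks is http-level context; an ssl_certificate
    # there is inherited by every server, so it counts for all of them.
    outside = text
    for start, end, _ in blocks:
        outside = outside[:start] + " " * (end - start) + outside[end:]
    inherited = _CERT.search(outside) is not None

    findings = []
    for start, _, body in blocks:
        listens = [l.strip() for l in _LISTEN.findall(body)]
        tls = any("ssl" in l.split() for l in listens) or _SSL_ON.search(body) is not None
        if tls and not inherited and _CERT.search(body) is None:
            names = _SERVER_NAME.search(body)
            findings.append({
                "file": next((f for off, f in reversed(markers) if off <= start), None),
                "server_name": names.group(1).split() if names else [],
                "listen": listens,
            })
    return findings


if __name__ == "__main__":
    # Usage: nginx -T 2>/dev/null | python3 check_tls_vhosts.py
    # With no piped input the constructed sample is scanned instead.
    dump = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_NGINX_T
    for f in find_tls_servers_without_cert(dump):
        print("TLS server without ssl_certificate: %s (server_name %s, listen %s)"
              % (f["file"], " ".join(f["server_name"]) or "<none>", "; ".join(f["listen"])))
```

Run on the sample, the script reports only the old-vhost block; on a real host, pipe nginx -T into it after any change to the 443 vhosts, since the error in the log above ("no "ssl_certificate" is defined in server listening on SSL port") only shows up once a client has already been refused.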

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.