TLS handshake wouldn't work

hi LE community,

I ran certbot certonly with webrootplugin everything went well. certificates looks ok.
Conf : debian8 / nginx 1.11 / openssl 1.0.1

I ran this command: curl -iv
It produced this output:

  • Rebuilt URL to:
  • Trying…
  • Connected to ( port 443 (#0)
  • Server aborted the SSL handshake
  • Closing connection 0
    curl: (35) Server aborted the SSL handshake

nginx conf :

server {
listen [::]:80;
listen 80;
root /home/netviza/www;
server {
listen [::]:443 ssl http2;
listen 443 ssl http2;
include h5bp/directive-only/ssl.conf;
return 301$request_uri;
server {
listen [::]:443 ssl http2;
listen 443 ssl http2;
root /home/netviza/www;

default h5bp conf

include h5bp/directive-only/ssl.conf;
ssl_certificate /etc/letsencrypt/live/;
ssl_certificate_key /etc/letsencrypt/live/;
access_log /home/netviza/log/access.log;
error_log /home/netviza/log/error.log;
error_page 404 /404.html;
index index.php index.html index.htm;
client_max_body_size 20m;
charset utf-8;

default h5bp conf

include h5bp/basic.conf;

firewall shouldn’t be a problem

tcp 0 0* LISTEN 20391/nginx.conf
tcp 0 0* LISTEN 20391/nginx.conf
tcp6 0 0 :::80 :::* LISTEN 20391/nginx.conf
tcp6 0 0 :::443 :::* LISTEN 20391/nginx.conf

not sure if I messed something up…
help would be greatly appreciated.

error.log didn’t produce anything usefull :frowning:


Ah, that’s a funny one. Could be what I have described some time ago - :slight_smile: I remember when I first tried http2 and Firefox was just not connecting without showing any errors, it was … strange :confused:

Check what’s in your “h5bp/directive-only/ssl.conf” - you might have configured the ciphers in a way that it won’t work.

Hello Alexander,
Thanks for ur answer.

I tried using the cypher you suggested in the article. made no difference.
here is my ssl.conf :

ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;


ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 24h;
keepalive_timeout 300s;

I tried to activate SSLv3 in order to get an error while connecting with openssl
using sslv3 and tls1.2 :
openssl s_client -connect -servername
openssl s_client -ssl3 -connect

I got this generic error output :



15563:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:/BuildRoot/Library/Caches/

Interestingly, telnet 443 is able to connect, but the connection is instantly closed by your server (Connection closed by foreign host.).

Any iptable rules that could be interfering? I don’t think nginx would do that.

The fact that process is able to bind and listen, does not mean the connection to that port is actually allowed. Try connecting again and watch logs with tail -f - not only the error log you specified in the configuration, but also /var/log/nginx/error.log and /var/log/syslog (or /var/log/kern.log)

btw, I’m not sure why you listen on ipv6 as well in the configuration, considering that there is no AAAA record for the domain (unless you’re going to add it later) :slight_smile:


tail -f /var/log/nginx/error.log

[error] 743#743: *472 no “ssl_certificate” is defined in server listening on SSL port while SSL handshaking, client:, server:

as for iptables rules

-A ufw-user-input -p tcp -m tcp --dport 80 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 443 -j ACCEPT

edit : OK I fixed it by adding “default_server” in my server block conf.

listen 443 default_server ssl http2;

PS : gonna add this AAAA record :stuck_out_tongue:

Thank you very much for your time
enjoy your sunday :slight_smile:

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.