nginx ssl configuration per virtual host

Question

I am switching configuration from a single host to several virtual hosts on the nginx server. Until my changes, ssl was working correctly, but after adding several virtual hosts, each with unique domain name and - consequently - different certificate, ssl does not want to work.

My original configuration was:

# fragment of nginx.conf file
http {
    # ...
    ssl_certificate_key /path/to/privkey.pem;
    ssl_certificate     /path/to/fullchain.pem;
    ssl_dhparam         /path/to/dhparam;
    # ...
}

So, this is a single certificate for the nginx server.

After adding several virtual hosts, I want them to present their own, correct certificates for their domains. So I removed all ssl-related params from the main nginx.conf file and added them to virtual hosts files like that:

# fragment of sites-enabled/my.server.com file
server {
   listen 443 ssl;
   root "/var/www/my.server.com/";
   server_name my.server.com www.my.server.com;
   location / {
       try_files $uri $uri/ /index.html;

   }
   ssl_certificate_key /path/to/my/server/com/privkey.pem;
   ssl_certificate     /path/to/my/server/com/fullchain.pem;
   ssl_dhparam         /path/to/my/server/com/dhparam;
}

After reloading nginx I am unable to connect to these virtual hosts:

# curl https://my.server.com 
curl: (35) gnutls_handshake() failed: The TLS connection was non-properly terminated.

# openssl s_client -connect my.server.com:443
CONNECTED(00000003) 140524682454680:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:
--- no peer certificate available
--- No client certificate CA names sent
--- SSL handshake has read 0 bytes and written 305 bytes
--- New, (NONE), Cipher is (NONE) Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE No ALPN negotiated SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1488541876
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

For me, it really looks like an nginx cannot find/read the certificate file, but it's not the case as the paths are exactly the same as for configuration without virtual hosts.

After looking at /var/logs/nginx/error.log I also found the line:

*39 no "ssl_certificate" is defined in server listening on SSL port while SSL handshaking

I am sure it's something really small and stupid what I am missing. Can anyone see what I am doing wrong?

Have you checked the permissions of the certificate and key files? — Tero Kilkanen, Mar 03 '17 at 12:25
@TeroKilkanen certificate files are `www-data:www-data` (and event temporarly readable for everyone). `www-data` is nginx user. — Maciej Dobrowolski, Mar 03 '17 at 12:45
Use `listen ssl;` then use `ssl on;` directive. Check who owns the `/path/to/my/server/com`. Also provide information about your OS and version. — Valentin Bajrami, Mar 03 '17 at 13:08

score 6 · Accepted Answer · answered Mar 03 '17 at 13:56

6

It turned out that there was at least one enabled virtual host which was bound to 443 port and didn't have ssl configured properly (ssl_certificate_key, ssl_certificate parameters were lacking).

I don't know why, but nginx didn't complain about this and instead - other virtual hosts were broken.

answered Mar 03 '17 at 13:56

Maciej Dobrowolski

203
1
3
9

1

it would be better if there was a more useful error message in a situation like this – user84207 Nov 16 '18 at 01:19

nginx ssl configuration per virtual host

1 Answers1