
I'm trying to figure out what is wrong with my setup. I used certbot to enable HTTPS on my website.

Attached is my nginx config:

map $sent_http_content_type $expires {
    default                    off;
    text/html                  epoch;
    text/css                   max;
    application/javascript     max;
    ~image/                    max;
}

server {
        sendfile on;
        tcp_nopush on;
        tcp_nodelay on;
        keepalive_timeout 30;
        types_hash_max_size 2048;

        client_max_body_size 500M;
        client_body_timeout 600;
        client_header_timeout 600;
        client_body_buffer_size  25m;
        client_header_buffer_size 1m;

        large_client_header_buffers 4 8k;
        send_timeout 60;
        reset_timedout_connection on;

        open_file_cache max=1000 inactive=20s;
        open_file_cache_valid 30s;
        open_file_cache_min_uses 5;
        open_file_cache_errors off;

        include /etc/nginx/mime.types;
        default_type application/octet-stream;

        gzip on;
        gzip_disable "msie6";
        gzip_buffers 4 4k;
        gzip_types       text/html application/x-javascript text/css application/javascript text/javascript text/plain text/xml application/json application/vnd.ms-fontobject application/x-font-opentype application/x-font-truetype application/x-font-ttf application/xml font/eot font/opentype font/otf image/svg+xml image/vnd.microsoft.icon;
        gzip_vary on;

        listen 443 ssl;
        listen 80;
        root /var/www/sites/example.com/public;

        expires $expires;

        index index.html index.htm index.php;
        server_name example.com www.example.com;

        error_log /var/log/nginx/example.error error;
        location / {
                try_files $uri $uri/ /index.php?$query_string;
        }

        location ~ \.php$ {
                fastcgi_pass unix:/run/php/php7.1-fpm.sock;
                fastcgi_index index.php;
                include fastcgi_params;
                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                fastcgi_intercept_errors off;
                fastcgi_buffer_size 16k;
                fastcgi_buffers 4 16k;
        }

        location ~ /\.ht {
                deny all;
        }

        ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
        ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
}

When I check if my port 443 is open

Starting Nmap 7.60 ( https://nmap.org ) at 2018-03-03 14:16 +08
Nmap scan report for example.com
Host is up (0.016s latency).
PORT     STATE    SERVICE
80/tcp   open     http
443/tcp  open     https

Curl result

curl https://example.com/ -v
*   Trying x.x.x.x...
* TCP_NODELAY set
* Connected to example.com (x.x.x.x) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to example.com:443
* stopped the pause stream!
* Closing connection 0
curl: (35) LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to example.com:443    

Another test

openssl s_client -connect example.com:443 -msg
CONNECTED(00000005)
>>> TLS 1.2 Handshake [length 0139], ClientHello
    ...
write:errno=54
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 318 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated

2 Answers


Please add to your nginx configuration:

ssl on;
ssl_protocols TLSv1.1 TLSv1.2;
  • Added these 2 lines right after ssl_certificate_key. Restarted nginx and still the same. – primerg Mar 03 '18 at 07:26
  • Does nginx have access to this certificate? If you are using Red Hat distributions, please turn off SELinux at check time. Does nginx -t return all ok? – liske1 Mar 03 '18 at 07:38
  • nginx -t returns ok. I'm using Ubuntu. How do I verify whether nginx has access to this cert? When I `ls` it, the display shows `/etc/letsencrypt/live/example.com/privkey.pem -> ../../archive/example.com/privkey1.pem`. I can verify the archive folder is accessible. – primerg Mar 03 '18 at 07:54
  • Change your nginx configuration to /etc/letsencrypt/archive/example.com/privkey1.pem and check this certificate via openssl x509 -in certificate.crt -text -noout – liske1 Mar 03 '18 at 08:13
  • and? what was it? – milan Jan 11 '19 at 14:49

In my case, there were other config files in the sites-enabled directory that were causing the issue.

Deleting them and keeping only the file created resolved the issue for me.

By the way, Certbot's automated redirect from HTTP to HTTPS does a really good job!
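A small diagnostic script for the symptom in the question (nmap shows 443 open, but curl and openssl get the connection reset before any TLS data arrives), written as an added example that is not part of the question or either answer. It assumes the effective configuration is fed to it from `nginx -T`, which prints a `# configuration file <path>:` header before each included file, and that `nc` and `openssl` are installed for the live probe; the file layout used in the comments is constructed.

```shell
#!/bin/sh
# Diagnostic helpers for "port 443 accepts TCP but the TLS handshake is reset".
# Added example; not taken from the question or its answers.

# Print one line per `listen` directive on port 443 found in a config dump
# read from stdin (the output of `nginx -T`, which prefixes each included
# file with "# configuration file <path>:"). Columns: file, listen arguments,
# and whether the `ssl` parameter is present on that listener.
listeners_443() {
    awk '
        /^# configuration file / { file = $4; sub(/:$/, "", file) }
        /^[[:space:]]*listen[[:space:]]/ {
            line = $0
            sub(/;.*$/, "", line); sub(/^[[:space:]]*listen[[:space:]]+/, "", line)
            # port 443 as a whole token: "443", "*:443", "[::]:443 default_server"
            if (line ~ /(^|:)443([^0-9]|$)/)
                print file "\t" line "\t" (line ~ /(^|[[:space:]])ssl([[:space:]]|$)/ ? "ssl" : "PLAIN")
        }'
}

# Exit 0 when the dump mixes ssl and plain listeners on 443, i.e. another
# file in sites-enabled claims the same port without TLS. That is the kind of
# leftover-file conflict the second answer resolved by removing the extra
# files; the listing above shows exactly which file to look at.
mixed_443() {
    listeners_443 | awk -F'\t' '$3 == "ssl" { s = 1 } $3 == "PLAIN" { p = 1 } END { exit !(s && p) }'
}

# Live check that separates "the TCP port accepts connections" (what nmap
# reports) from "a TLS handshake completes and a certificate comes back"
# (what curl and openssl need). Prints tcp-closed, tls-failed or tls-ok.
# Assumes `nc` (with -z) and `openssl` are on PATH.
probe_tls() {
    host=$1; port=${2:-443}
    nc -z -w 5 "$host" "$port" 2>/dev/null || { echo tcp-closed; return 1; }
    if printf '' | openssl s_client -connect "$host:$port" -servername "$host" 2>/dev/null \
            | grep -q 'BEGIN CERTIFICATE'; then
        echo tls-ok
    else
        echo tls-failed; return 1
    fi
}
```

Run `nginx -T | listeners_443` on the server to see every block bound to 443 across all included files, and `probe_tls example.com` from outside to confirm whether the fix actually produced a completed handshake rather than just an open port.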