Trouble with SSL connection and let's encrypt certificates

Posted by Ph. Gras 
Hello there,

I'm running several websites with different domain names on a Debian 9 server and
have had problems getting a connection on port 443 for some days.

Certificates are generated by Let's Encrypt and do the job on other services except
NginX, for example:
# openssl s_client -connect mailbox.fredlutaud.com:443 -showcerts
CONNECTED(00000003)
write:errno=0
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 176 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1521844523
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
---
# openssl s_client -connect mailbox.fredlutaud.com:993 -showcerts
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = ns365710.ip-176-31-120.eu
verify return:1
---
Certificate chain
0 s:/CN=ns365710.ip-176-31-120.eu
i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
-----BEGIN CERTIFICATE-----
MIIFFTCCA/2gAwIBAgISAz2exXicPgWK2nWjFrHdoj7UMA0GCSqGSIb3DQEBCwUA

[Blah…]

# netstat -antp | grep nginx
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 16773/nginx: master
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 16773/nginx: master
tcp6 0 0 :::80 :::* LISTEN 16773/nginx: master
tcp6 0 0 :::443 :::* LISTEN 16773/nginx: mas

# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Do you have an idea how to solve my problem?

Thanks in advance,

Ph. Gras
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
Hello!

On Sat, Mar 24, 2018 at 12:04:56AM +0100, Ph. Gras wrote:

> I'm running several websites with different domain names on a Debian 9 server and
> have had problems getting a connection on port 443 for some days.
>
> Certificates are generated by Let's Encrypt and do the job on other services except
> NginX, for example:
> # openssl s_client -connect mailbox.fredlutaud.com:443 -showcerts
> CONNECTED(00000003)
> write:errno=0
> ---
> no peer certificate available
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 0 bytes and written 176 bytes
> Verification: OK

As per openssl output, there was no server response to the
SSL handshake.

[...]

> Do you have an idea how to solve my problem?

First of all, you have to look into your nginx logs and
configuration to find out what's going on here.

--
Maxim Dounin
http://mdounin.ru/
_______________________________________________
Thank you Maxim!

> First of all, you have to look into your nginx logs and
> configuration to find out what's going on here.

:/var/log/nginx# cat error.log
2018/03/24 05:18:10 [error] 24058#24058: *573 no "ssl_certificate" is defined in server listening on SSL port while SSL handshaking, client: 162.158.78.50, server: 0.0.0.0:443
2018/03/24 05:18:14 [error] 24058#24058: *574 no "ssl_certificate" is defined in server listening on SSL port while SSL handshaking, client: 162.158.79.27, server: 0.0.0.0:443
2018/03/24 05:23:40 [error] 24058#24058: *576 no "ssl_certificate" is defined in server listening on SSL port while SSL handshaking, client: 172.69.70.147, server: 0.0.0.0:443
2018/03/24 05:29:46 [error] 24058#24058: *579 no "ssl_certificate" is defined in server listening on SSL port while SSL handshaking, client: 162.158.146.8, server: 0.0.0.0:443
2018/03/24 05:32:45 [error] 24058#24058: *581 no "ssl_certificate" is defined in server listening on SSL port while SSL handshaking, client: 172.68.174.50, server: 0.0.0.0:443
2018/03/24 05:33:09 [error] 24058#24058: *582 no "ssl_certificate" is defined in server listening on SSL port while SSL handshaking, client: 173.245.54.47, server: 0.0.0.0:443
2018/03/24 05:34:41 [error] 24058#24058: *587 no "ssl_certificate" is defined in server listening on SSL port while SSL handshaking, client: 141.101.69.85, server: 0.0.0.0:443


So, I have uncommented the include snippets/snakeoil.conf line on the default server and
it works ;-)

Is a default server necessary to make NginX efficient?

Best regards,

Ph. Gras
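
Added example, not part of the thread and not nginx's own tooling: a small Python check that flags server blocks listening with `ssl` when no `ssl_certificate` is in scope, the condition behind the error.log message above. The function names and the sample configuration are constructed for illustration; include files are not read from disk, so their contents must be passed in.

```python
import re

def inline_includes(text, includes):
    # Drop '#' comments, then replace 'include X;' with the text supplied for X.
    text = re.sub(r"#[^\n]*", "", text)
    def sub(m):
        return re.sub(r"#[^\n]*", "", includes.get(m.group(1), m.group(0)))
    return re.sub(r"\binclude\s+([^;\s]+)\s*;", sub, text)

def server_blocks(text):
    # Yield the body of each 'server { ... }' block by brace matching.
    for m in re.finditer(r"\bserver\s*\{", text):
        depth, i = 1, m.end()
        while i < len(text) and depth:
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield text[m.end():i - 1]

def ssl_servers_without_cert(conf, includes=None):
    """Return listen directives of SSL servers with no ssl_certificate in scope."""
    text = inline_includes(conf, includes or {})
    blocks = list(server_blocks(text))
    outer = text
    for b in blocks:
        outer = outer.replace(b, "")  # what remains is the http-level context
    has_cert = lambda s: re.search(r"\bssl_certificate\s", s) is not None
    missing = []
    for b in blocks:
        ssl = [l for l in re.findall(r"\blisten\s+([^;]+);", b) if "ssl" in l.split()]
        if ssl and not has_cert(b) and not has_cert(outer):
            missing.extend(ssl)
    return missing

# Constructed sample: default server with its certificate include commented out.
SAMPLE = """
http {
    server {
        listen 443 ssl default_server;
        # include snippets/snakeoil.conf;
    }
    server {
        listen 443 ssl;
        server_name mail.example.test;
        ssl_certificate /etc/letsencrypt/live/mail.example.test/fullchain.pem;
    }
}
"""
SNAKEOIL = {"snippets/snakeoil.conf":
            "ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;\n"}
print(ssl_servers_without_cert(SAMPLE))  # the default server is flagged
```

An include whose contents are not supplied is left unresolved, so a server that gets its certificate only through that include is still reported.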