
I am switching configuration from a single host to several virtual hosts on the nginx server. Until my changes, SSL was working correctly, but after adding several virtual hosts, each with a unique domain name and, consequently, a different certificate, SSL no longer works.

My original configuration was:

    # fragment of nginx.conf file
    http {
        # ...
        ssl_certificate_key /path/to/privkey.pem;
        ssl_certificate /path/to/fullchain.pem;
        ssl_dhparam /path/to/dhparam;
        # ...
    }

So, this is a single certificate for the nginx server.

After adding several virtual hosts, I want them to present their own, correct certificates for their domains. So I removed all SSL-related parameters from the main nginx.conf file and added them to the virtual host files like this:

    # fragment of sites-enabled/my.server.com file
    server {
        listen 443 ssl;
        root "/var/www/my.server.com/";
        server_name my.server.com www.my.server.com;

        location / {
            try_files $uri $uri/ /index.html;
        }

        ssl_certificate_key /path/to/my/server/com/privkey.pem;
        ssl_certificate /path/to/my/server/com/fullchain.pem;
        ssl_dhparam /path/to/my/server/com/dhparam;
    }

After reloading nginx I am unable to connect to these virtual hosts:

    # curl https://my.server.com
    curl: (35) gnutls_handshake() failed: The TLS connection was non-properly terminated.

    # openssl s_client -connect my.server.com:443
    CONNECTED(00000003)
    140524682454680:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:
    ---
    no peer certificate available
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 0 bytes and written 305 bytes
    ---
    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : 0000
        Session-ID:
        Session-ID-ctx:
        Master-Key:
        Key-Arg   : None
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        Start Time: 1488541876
        Timeout   : 300 (sec)
        Verify return code: 0 (ok)
    ---

For me, it really looks like nginx cannot find/read the certificate file, but that's not the case, as the paths are exactly the same as for the configuration without virtual hosts.

After looking at /var/logs/nginx/error.log I also found the line:

    *39 no "ssl_certificate" is defined in server listening on SSL port while SSL handshaking

I am sure it's something really small and stupid that I am missing. Can anyone see what I am doing wrong?

  • Have you checked the permissions of the certificate and key files? Commented Mar 3, 2017 at 12:25
  • @TeroKilkanen certificate files are www-data:www-data (and even temporarily readable for everyone). www-data is the nginx user. Commented Mar 3, 2017 at 12:45
  • Use listen ssl; then use the ssl on; directive. Check who owns /path/to/my/server/com. Also provide information about your OS and version. Commented Mar 3, 2017 at 13:08

1 Answer

It turned out that there was at least one enabled virtual host which was bound to port 443 and didn't have SSL configured properly (the ssl_certificate_key and ssl_certificate parameters were missing).

I don't know why, but nginx didn't complain about this and instead the other virtual hosts were broken.

  • It would be better if there was a more useful error message in a situation like this. Commented Nov 16, 2018 at 1:19
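A check for the misconfiguration the answer describes, added here as an example and not code from the original question or answer: it parses an nginx configuration in the form `nginx -T` dumps it and lists every `server` block that accepts TLS but declares no `ssl_certificate`, neither in the block itself nor inherited from the enclosing `http` context. The sample configuration, certificate paths and domain names below are constructed; treating a bare port 443 listener as TLS is a heuristic, since nginx decides that per shared socket rather than per block.

```python
"""Find nginx server blocks that accept TLS but declare no ssl_certificate.

Added example (not the page's own code). Pass it a file holding the output of
`nginx -T`, or run it as-is against the constructed SAMPLE_CONFIG below.
"""
import re
import sys

# Constructed sample: the second server block reproduces the fault from the
# answer, it listens on 443 with ssl but never names a certificate.
SAMPLE_CONFIG = """
http {
    ssl_dhparam /etc/nginx/dhparam.pem;   # assumed path

    server {
        listen 443 ssl;
        server_name my.server.com www.my.server.com;
        location / { try_files $uri $uri/ /index.html; }
        ssl_certificate_key /etc/ssl/private/my.server.com.key;
        ssl_certificate     /etc/ssl/certs/my.server.com.fullchain.pem;
    }

    # Forgotten vhost: bound to the TLS port, no certificate at all.
    server {
        listen 443 ssl;
        server_name old.server.com;
        root /var/www/old;
    }

    server {
        listen 80;
        server_name plain.server.com;
    }
}
"""


def tokenize(text):
    """Split nginx config into words, quoted strings and the { } ; symbols."""
    text = re.sub(r"#[^\n]*", "", text)  # drop comments ('#' inside quotes not handled)
    return re.findall(r'''"[^"]*"|'[^']*'|[{};]|[^\s{};]+''', text)


def parse(tokens, pos=0):
    """Recursive-descent parse into statements {'name', 'args', 'block'}.

    'block' is None for a simple directive, or a list of nested statements.
    Returns (statements, position just after the closing brace).
    """
    stmts, args = [], []
    while pos < len(tokens):
        tok = tokens[pos]
        if tok == ";":
            stmts.append({"name": args[0], "args": args[1:], "block": None})
            args, pos = [], pos + 1
        elif tok == "{":
            body, pos = parse(tokens, pos + 1)
            stmts.append({"name": args[0], "args": args[1:], "block": body})
            args = []
        elif tok == "}":
            return stmts, pos + 1
        else:
            args.append(tok)
            pos += 1
    return stmts, pos


def _is_tls_listen(args):
    """`listen ... ssl` is TLS; a bare :443 is also treated as TLS (heuristic)."""
    return "ssl" in args or any(a.split(":")[-1] == "443" for a in args)


def tls_servers_without_cert(config_text):
    """Return [{'server_name', 'listen'}] for TLS server blocks lacking a certificate."""
    tree, _ = parse(tokenize(config_text))
    findings = []

    def check_server(body, inherited_cert):
        own = [d for d in body if d["block"] is None]  # skip nested location{} etc.
        tls_listens = [d["args"] for d in own
                       if d["name"] == "listen" and _is_tls_listen(d["args"])]
        legacy_ssl_on = any(d["name"] == "ssl" and d["args"][:1] == ["on"] for d in own)
        if not tls_listens and not legacy_ssl_on:
            return
        if inherited_cert or any(d["name"] == "ssl_certificate" for d in own):
            return
        names = next((d["args"] for d in own if d["name"] == "server_name"),
                     ["(no server_name)"])
        findings.append({
            "server_name": " ".join(names),
            "listen": "; ".join(" ".join(a) for a in tls_listens) or "ssl on",
        })

    def walk(stmts, inherited_cert):
        cert = inherited_cert
        for s in stmts:  # an ssl_certificate in http{} is inherited by every server{}
            if s["block"] is None and s["name"] == "ssl_certificate":
                cert = s["args"][0] if s["args"] else cert
        for s in stmts:
            if s["block"] is None:
                continue
            if s["name"] == "server":
                check_server(s["block"], cert)
            else:
                walk(s["block"], cert)

    walk(tree, None)
    return findings


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for f in tls_servers_without_cert(text):
        print(f"server_name {f['server_name']}: listens '{f['listen']}' but has no ssl_certificate")
```

Run against the sample it reports only `old.server.com`; run against `nginx -T` output it points straight at the block that produces the `no "ssl_certificate" is defined in server listening on SSL port` log line, which is quicker than reading every file in sites-enabled by hand.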
