Nginx – TLS v1 enabled in nginx config but not working and certificates not available


I have an Ubuntu 18.04.1 server running PHP 5.6 with Forge on Digital Ocean. I'm trying to enable TLSv1 and TLSv1.1 for a site. So I've edited my NGINX config to include them:

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

Restarted NGINX and done a check with:

openssl s_client -host mydomain.co.uk -port 443 -tls1

which returns:

no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Start Time: 1537432315
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---

So I've tried to create a new certificate with Let's Encrypt in Forge and activated it, restarted NGINX and checked again which returned the same response.

Any ideas? I'm not sure what I'm missing to get this working.

Edit: Full NGINX config:

# FORGE CONFIG (DO NOT REMOVE!)
include forge-conf/www.mydomain.co.uk/before/*;

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name www.mydomain.co.uk;
    root /home/forge/www.mydomain.co.uk/public;

    # FORGE SSL (DO NOT REMOVE!)
    ssl_certificate /etc/nginx/ssl/www.mydomain.co.uk/414422/server.crt;
    ssl_certificate_key /etc/nginx/ssl/www.mydomain.co.uk/414422/server.key;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers LONG-CIPHER-IS-HERE;
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/nginx/dhparams.pem;

    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Content-Type-Options "nosniff";

    index index.html index.htm index.php;

    charset utf-8;

    # FORGE CONFIG (DO NOT REMOVE!)
    include forge-conf/www.mydomain.co.uk/server/*;

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    location = /favicon.ico { access_log off; log_not_found off; }
    location = /robots.txt  { access_log off; log_not_found off; }

    access_log off;
    error_log  /var/log/nginx/www.mydomain.co.uk-error.log error;

    #error_page 404 /index.php;

    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/var/run/php/php5.6-fpm.sock;
        fastcgi_index index.php;
        include fastcgi_params;
    }

    location ~ /\.(?!well-known).* {
        deny all;
    }
}

# FORGE CONFIG (DO NOT REMOVE!)
include forge-conf/www.mydomain.co.uk/after/*;

Best Answer

As far as I know, HTTP/2 uses only TLS 1.2 and above. You can find more information in the relevant RFC 7540.
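A way to read the `s_client` transcript in the question, as an added example that is not part of the original question or answer: 7 bytes read with no cipher negotiated is the size of a single unencrypted TLS alert record (5-byte header plus 2-byte alert). The alert bytes below are a constructed sample, not captured from the server in the question, and the function names are hypothetical.

```python
import re

# Excerpt of the s_client output quoted in the question above.
SAMPLE = """\
no peer certificate available
SSL handshake has read 7 bytes and written 0 bytes
New, (NONE), Cipher is (NONE)
    Protocol  : TLSv1
    Cipher    : 0000
"""

# Constructed sample, not captured from the server in the question:
# alert record, version 3.1 (TLS 1.0), length 2, fatal, protocol_version.
CONSTRUCTED_ALERT = bytes.fromhex("15030100020246")

ALERT_LEVELS = {1: "warning", 2: "fatal"}
# Subset of alert descriptions from RFC 5246 and RFC 6066.
ALERT_DESCRIPTIONS = {40: "handshake_failure", 70: "protocol_version",
                      71: "insufficient_security", 80: "internal_error",
                      112: "unrecognized_name"}


def diagnose(output):
    """Summarise an `openssl s_client` transcript."""
    counts = re.search(r"handshake has read (\d+) bytes and written (\d+) bytes", output)
    cipher = re.search(r"Cipher is (\S+)", output)
    bytes_read = int(counts.group(1)) if counts else None
    negotiated = bool(cipher) and cipher.group(1) != "(NONE)"
    return {
        "bytes_read": bytes_read,
        "negotiated": negotiated,
        "peer_certificate": "no peer certificate available" not in output,
        # 5-byte record header + 2-byte alert body = 7 bytes on the wire.
        "looks_like_alert": bytes_read == 7 and not negotiated,
    }


def parse_alert_record(record):
    """Decode an unencrypted TLS alert record, or return None if it is not one."""
    if len(record) != 7 or record[0] != 21 or record[3:5] != b"\x00\x02":
        return None
    level, description = record[5], record[6]
    return {
        "version": f"{record[1]}.{record[2]}",
        "level": ALERT_LEVELS.get(level, f"unknown({level})"),
        "description": ALERT_DESCRIPTIONS.get(description, f"unknown({description})"),
    }


if __name__ == "__main__":
    print(diagnose(SAMPLE))
    print(parse_alert_record(CONSTRUCTED_ALERT))
```

Re-running the `s_client` check with `-msg` added prints the alert the peer actually sent, which can then be compared against the table above.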