NGINX won't set up SSL connection (unknown protocol error)

nginx reverse-proxy ssl

Heeey all,

I've got an nginx reverse proxy with valid SSL certificates (from Let's Encrypt) but I can't get SSL working.

upstream backend_haakselsenkwaaksels_nl {
    server amaya.leonweemen.nl:9050;
}

server {
    listen      80;
    server_name haakselsenkwaaksels.nl;
    return 301 https://$server_name$request_uri;
}

server {
    listen       80;
    server_name  www.haakselsenkwaaksels.nl;
    return 301 https://haakselsenkwaaksels.nl$request_uri;
}

server {
    listen 443 ssl;
    server_name haakselsenkwaaksels.nl;

    ssl_certificate           /domain-certificates/haakselsenkwaaksels.nl/fullchain.pem;
    ssl_certificate_key       /domain-certificates/haakselsenkwaaksels.nl/privkey.pem;

#    ssl on;
    ssl_session_cache  builtin:1000  shared:SSL:10m;
    ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
    ssl_prefer_server_ciphers on;

    access_log            /var/log/nginx/haakselsenkwaaksels.nl.access.log;

    location / {

      proxy_set_header        Host $host;
      proxy_set_header        X-Real-IP $remote_addr;
      proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header        X-Forwarded-Proto $scheme;

      # Fix the "It appears that your reverse proxy set up is broken" error.
      proxy_pass          https://backend_haakselsenkwaaksels_nl;
      proxy_read_timeout  90;

      proxy_redirect      https://127.0.0.1:9050 https://haakselsenkwaaksels.nl;
    }
}

nginx says my configuration is fine:

weemen@amaya:/domain-certificates# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

I only get data in my general access log (/var/log/nginx/access.log):

XXX.XXX.XXX.XXX - - [30/Dec/2016:10:20:26 +0000] "\x16\x03\x01\x00\xD3\x01\x00\x00\xCF\x03\x03\xBD\x07\xDA" 400 182 "-" "-"
XXX.XXX.XXX.XXX - - [30/Dec/2016:10:20:26 +0000] "\x16\x03\x01\x00\xD3\x01\x00\x00\xCF\x03\x03\xABFB\xC158\x8AE\xF7V\xEE\xE2}%i\xF4\x86!\xFA\xCE\xF7\xF4l\xF55\xD0%Ev\xEE\xFFb\x00\x00$\xAA\xAA\xC0+\xC0/\xC0,\xC00\xCC\xA9\xCC\xA8\xCC\x14\xCC\x13\xC0\x09\xC0\x13\xC0" 400 182 "-" "-"

If I connect with the openssl client I see this:

 ~  openssl s_client -connect haakselsenkwaaksels.nl:443
CONNECTED(00000003)
write:errno=54
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 308 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
   Protocol  : TLSv1.2
   Cipher    : 0000
   Session-ID: 
   Session-ID-ctx: 
   Master-Key: 
   Key-Arg   : None
   PSK identity: None
   PSK identity hint: None
   SRP username: None
   Start Time: 1483094367
   Timeout   : 300 (sec)
   Verify return code: 0 (ok)

I've tried a number of things but I'm really running out of options. Does anyone see something strange in this configuration?

If you need more info just let me know.

Already many many many thanks in advance.

Best Answer

The problem was in my Docker container. The certificate there wasn't readable because it was a symlink.

weemen@amaya:/# ls -la
total 404
drwxr-xr-x  27 root   root     4096 Dec 29 15:12 .
drwxr-xr-x  27 root   root     4096 Dec 29 15:12 ..
lrwxrwxrwx   1 root   root       21 Dec 15 12:08 domain-certificates -> /etc/letsencrypt/live
weemen@amaya:/domain-certificates/haakselsenkwaaksels.nl# ls -la
total 8
drwxr-xr-x 2 root root 4096 Dec 30 17:46 .
drwx------ 7 root root 4096 Dec 30 17:46 ..
lrwxrwxrwx 1 root root   46 Dec 30 17:46 cert.pem -> ../../archive/haakselsenkwaaksels.nl/cert3.pem
lrwxrwxrwx 1 root root   47 Dec 30 17:46 chain.pem -> ../../archive/haakselsenkwaaksels.nl/chain3.pem
lrwxrwxrwx 1 root root   51 Dec 30 17:46 fullchain.pem -> ../../archive/haakselsenkwaaksels.nl/fullchain3.pem
lrwxrwxrwx 1 root root   49 Dec 30 17:46 privkey.pem -> ../../archive/haakselsenkwaaksels.nl/privkey3.pem

I mount this folder in my docker container with:

--mount type=bind,source=/domain-certificates,destination=/domain-certificates

Only ../../archive isn't available there.
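As an added example (not part of the answer above), this shell script reproduces the failure with a constructed letsencrypt-style tree: it creates `live/` symlinks pointing at `../../archive/`, copies only `live/` the way a bind mount of that directory exposes it inside a container, and checks whether the `fullchain.pem` and `privkey.pem` nginx needs still resolve to readable files. The domain `example.test` and the temporary directory layout are constructed values.

```shell
#!/bin/sh
# Reproduce the dangling-symlink failure: a bind mount that exposes only
# letsencrypt's live/<domain> directory carries the relative symlinks along
# but not the ../../archive directory they point to.
set -eu

# Print "ok" if every path given is a readable regular file after following
# symlinks, otherwise print "dangling: <first bad path>".
check_cert_files() {
    for f in "$@"; do
        if [ ! -f "$f" ] || [ ! -r "$f" ]; then
            echo "dangling: $f"
            return 0
        fi
    done
    echo "ok"
}

# Build a constructed fixture (example.test is a made-up domain) and print
# its root: host/etc/letsencrypt/{archive,live} plus a simulated container
# view that received only live/ (symlinks preserved, archive/ absent).
build_fixture() {
    root=$(mktemp -d)
    le="$root/host/etc/letsencrypt"
    mkdir -p "$le/archive/example.test" "$le/live/example.test"
    for name in fullchain privkey; do
        echo "constructed $name" > "$le/archive/example.test/${name}1.pem"
        ln -s "../../archive/example.test/${name}1.pem" \
              "$le/live/example.test/$name.pem"
    done
    # --mount type=bind,source=<...>/live,destination=/domain-certificates:
    # the container sees the live/ tree as-is, so cp -RP models it.
    mkdir -p "$root/container"
    cp -RP "$le/live" "$root/container/domain-certificates"
    echo "$root"
}

root=$(build_fixture)
host_dir="$root/host/etc/letsencrypt/live/example.test"
ctr_dir="$root/container/domain-certificates/example.test"
echo "host:      $(check_cert_files "$host_dir/fullchain.pem" "$host_dir/privkey.pem")"
echo "container: $(check_cert_files "$ctr_dir/fullchain.pem" "$ctr_dir/privkey.pem")"
```

The host view reports `ok` while the container view reports a dangling `fullchain.pem`, which is exactly the state nginx saw; mounting the whole `/etc/letsencrypt` tree rather than only `live/` keeps the relative targets reachable.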