Contents
- net::ERR_SSL_PROTOCOL_ERROR
- Vesta Control Panel — Forum
- SSL not working (ERR_SSL_PROTOCOL_ERROR) Topic is solved
- ERR_SSL_PROTOCOL_ERROR
net::ERR_SSL_PROTOCOL_ERROR
February 11, 2020 02:22PM Registered: 2 years ago
Posts: 28
Today I issued and installed SSL certificates for my website.
This is the rating assigned by https://www.ssllabs.com/ssltest/analyze.html :
https://drive.google.com/open?id=1-Fb4h1dmdJ8kN68JxKROWwu4ezGmjm6R
This is the result of https://check-your-website.server-daten.de/ which indicates "only" content problems: mixed content, missing files, but nothing related to SSL_PROTOCOL
https://drive.google.com/open?id=19i-AwXwgf8tBY9p0srfHX5scN5Q0j-UH
When I connect to the local IP address, everything goes smoothly with no errors:
- after stopping nginx server: https://drive.google.com/open?id=1k4hmYpgRwCW6NyhK7ZoK39-giF9MfPAY
and
- also after restarting nginx server:
(base) marco@pc01:~$ sudo systemctl start nginx
(base) marco@pc01:~$ sudo systemctl reload nginx
(base) marco@pc01:~$ sudo systemctl status nginx
● nginx.service - A high performance web server and a reverse proxy server
Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: en
Active: active (running) since Tue 2020-02-11 19:06:58 CET; 10s ago
Docs: man:nginx(8)
Process: 6124 ExecStop=/sbin/start-stop-daemon --quiet --stop --retry QUIT/5 -
Process: 8843 ExecReload=/usr/sbin/nginx -g daemon on; master_process on; -s r
Process: 8779 ExecStart=/usr/sbin/nginx -g daemon on; master_process on; (code
Process: 8770 ExecStartPre=/usr/sbin/nginx -t -q -g daemon on; master_process
Main PID: 8784 (nginx)
Tasks: 9 (limit: 4915)
CGroup: /system.slice/nginx.service
├─8784 nginx: master process /usr/sbin/nginx -g daemon on; master_pro
├─8844 nginx: worker process
├─8846 nginx: worker process
├─8847 nginx: worker process
├─8849 nginx: worker process
├─8850 nginx: worker process
├─8851 nginx: worker process
├─8852 nginx: worker process
└─8853 nginx: worker process
the output is fine: https://drive.google.com/open?id=1-Sz1udhZfrM9bGaIhImORRnwRznXihK7
But when I connect to my website through its domain name I get net::ERR_SSL_PROTOCOL_ERROR :
https://drive.google.com/open?id=10MYySDKhPx9L-QucqzxN5NTratJEOJZR
This is my /etc/nginx/nginx.conf :
user www-data;
worker_processes auto;
pid /run/nginx.pid;
#include /etc/nginx/modules-enabled/*.conf;
events {
    worker_connections 768;
    # multi_accept on;
}
http {
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    # server_tokens off;
    server_names_hash_bucket_size 64;
    # server_name_in_redirect off;
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    #ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;
    gzip on;
    # gzip_vary on;
    # gzip_proxied any;
    # gzip_comp_level 6;
    # gzip_buffers 16 8k;
    # gzip_http_version 1.1;
    # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
    ##
    # Virtual Host Configs
    ##
    include /etc/nginx/conf.d/*.conf;
    #include /etc/nginx/sites-enabled/*;
}
And this is my /etc/nginx/conf.d/default.conf :
server {
    listen 443 ssl http2 default_server;
    server_name ggc.world;
    ssl_certificate /etc/letsencrypt/live/ggc.world/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/ggc.world/privkey.pem; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
    ssl_session_timeout 5m;
    #ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:50m;
    ssl_stapling on;
    ssl_stapling_verify on;
    access_log /var/log/nginx/ggcworld-access.log combined;
    add_header Strict-Transport-Security "max-age=31536000";
    location = /favicon.ico { access_log off; log_not_found off; }
    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    error_page 497 https://$host:$server_port$request_uri;
    server_name www.ggc.world;
    return 301 https://$server_name$request_uri;
    access_log /var/log/nginx/ggcworld-access.log combined;
    add_header Strict-Transport-Security "max-age=31536000";
    location = /favicon.ico { access_log off; log_not_found off; }
    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
upstream websocket {
    ip_hash;
    server localhost:3000;
}
server {
    listen 81;
    server_name ggc.world www.ggc.world;
    location ~ ^/(websocket|websocket/socket-io) {
        proxy_pass http://127.0.0.1:4201;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header Host $host;
        proxy_redirect off;
        proxy_set_header X-Real-IP $remote_addr;
    }
}
What is going on? What might be the causes of this SSL_PROTOCOL?
How to solve it? What do I have to modify in /etc/nginx/conf.d/default.conf?
Looking forward to your kind help.
Marco
Source
Vesta Control Panel — Forum
SSL not working (ERR_SSL_PROTOCOL_ERROR) Topic is solved
SSL not working (ERR_SSL_PROTOCOL_ERROR)
Post by 1RONMAN » Sat Mar 16, 2019 6:58 am
Greetings, dear forum members! The problem appeared quite suddenly; I have already tried everything that came to mind myself, but my knowledge in this area is sorely lacking, so I am turning to you for help.
VestaCP is installed on a VPS; there are several sites, a couple of test ones and one main production site. A couple of days ago I forgot to renew its domain and ended up with the following problem: the unrenewed domain was cut off, the site stopped working, and after the renewal an SSL error appeared (ERR_SSL_PROTOCOL_ERROR). I reissued the certificate with the panel's tools, which did not help.
If I check here: https://www.ssllabs.com/ssltest/analyze.html
I get the answer "Assessment failed: No secure protocols supported"
As far as I understand, this means the server is not even trying to serve encrypted data to the client..
At the same time, SSL is enabled for that domain in the panel. Everything runs on NGINX+PHP-FPM, the OS is Ubuntu 16.04.6 LTS, the sites run the WordPress CMS. In the WordPress settings, home and siteurl are specified with https://
Earlier there was a problem with NGINX configuration errors:
nginx: [warn] the "ssl" directive is deprecated, use the "listen ... ssl" directive instead in /home/user/conf/web/domain1.ru.nginx.ssl.conf:10
nginx: [warn] the "ssl" directive is deprecated, use the "listen ... ssl" directive instead in /home/user/conf/web/domain2.ru.nginx.ssl.conf:10
nginx: [warn] the "ssl" directive is deprecated, use the "listen ... ssl" directive instead in /home/user/conf/web/domain3.ru.nginx.ssl.conf:10
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
I fixed the corresponding files: set the directive "listen 443 ssl;" and commented out the "ssl on;" directive by putting # in front of it
Now the output of nginx -t shows no errors:
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
By the way, SSL currently does not work for any of the domains, although it used to work on the test ones too. All certificates are from Let's Encrypt.
In the domain's error.log, a request for any page gives this error:
2019/03/16 13:54:16 [crit] 8372#8372: *714 open() "/home/user/web/domain.ru/public_html/" failed (13: Permission denied), client: 185.234.218.33, server: domain.ru, request: "GET /?author=4 HTTP/1.1", host: "domain.ru"
The template set in the panel is wordpress2. I have no idea where to dig; please give me some direction! 🙁
Re: SSL not working (ERR_SSL_PROTOCOL_ERROR)
Post by 1RONMAN » Sat Mar 16, 2019 10:17 am
Apparently the problem was related to my having 2 domains on 1 IP with SSL enabled on both. I do not know how this is connected, but disabling SSL on the first domain instantly solved the problem with the second one: SSL started working and the site became reachable. That's how it is.
I would like to hear the professionals' comments on this.)
Re: SSL not working (ERR_SSL_PROTOCOL_ERROR)
Post by DESSAR_SEGA » Sun May 26, 2019 10:02 pm
Apparently the problem was related to my having 2 domains on 1 IP with SSL enabled on both. I do not know how this is connected, but disabling SSL on the first domain instantly solved the problem with the second one: SSL started working and the site became reachable. That's how it is.
I would like to hear the professionals' comments on this.)
Re: SSL not working (ERR_SSL_PROTOCOL_ERROR)
Post by mr.flash » Thu May 30, 2019 2:51 am
Re: SSL not working (ERR_SSL_PROTOCOL_ERROR)
Post by mr.flash » Thu May 30, 2019 3:02 am
Re: SSL not working (ERR_SSL_PROTOCOL_ERROR)
Post by 1RONMAN » Wed Oct 23, 2019 9:07 am
A bit of necroposting: after this problem I gave each domain its own IP, and after that everything worked normally.
However, it is worth mentioning that at the time my server was set up rather crookedly in general, so I would not blame Vesta for this. The cause may be something else entirely, and I don't know what, because the decision was made to simply reinstall the server with a new distribution (but that is a whole other story).
Re: SSL not working (ERR_SSL_PROTOCOL_ERROR)
Post by skurudo » Wed Oct 23, 2019 9:41 am
Re: SSL not working (ERR_SSL_PROTOCOL_ERROR)
Post by 1RONMAN » Wed Oct 23, 2019 9:55 am
Source
ERR_SSL_PROTOCOL_ERROR
11.3K views
I ran into a problem. Here is the config
server {
    listen 443 http2 ssl;
    server_name www.mysite1.ru;
    ssl_certificate /etc/letsencrypt/live/mysite1.ru/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mysite1.ru/privkey.pem;
    return 301 https://mysite1.ru$request_uri;
}
server {
    listen 443 http2 ssl;
    server_name mysite1.ru;
    ssl_certificate /etc/letsencrypt/live/mysite1.ru/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mysite1.ru/privkey.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
    ssl_ecdh_curve secp384r1;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4 77.88.8.8 valid=300s;
    resolver_timeout 5s;
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options nosniff;
    root /home/user/web/mysite1.ru/public_html;
    index index.php index.html index.htm;
    location / {
        try_files $uri $uri/ /index.php?$uri&$args;
        index index.php index.html;
    }
    location /internal_data/ {
        internal;
    }
    location /library/ {
        internal;
    }
    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param SCRIPT_NAME $fastcgi_script_name;
        fastcgi_buffer_size 128k;
        fastcgi_buffers 256 16k;
        fastcgi_busy_buffers_size 256k;
        fastcgi_temp_file_write_size 256k;
        fastcgi_read_timeout 600;
        include fastcgi_params;
        fastcgi_cache_valid 200 60m;
    }
    error_page 404 /404error.html;
    location = /404error.html {
        root /usr/share/nginx/html;
        internal;
    }
    error_page 403 /403error.html;
    location = /403error.html {
        root /usr/share/nginx/html;
        internal;
    }
}
But because of it I get the error from the topic title.
If I remove the block:
server {
    listen 443 http2 ssl;
    server_name www.mysite1.ru;
    ssl_certificate /etc/letsencrypt/live/mysite1.ru/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mysite1.ru/privkey.pem;
    return 301 https://mysite1.ru$request_uri;
}
then the forum starts working but, accordingly, the https redirect from www to non-www disappears.
By commenting things out I found that this line triggers the error: listen 443 http2 ssl;
What should I do? Where did I go wrong?
Only I tweaked it a bit, because with it the rating was B.
And what did it become? Show the final config. I have not paid attention to the https reliability rating.
server {
    listen 80;
    server_name www.mysite1.ru;
    rewrite ^ https://mysite1.ru$request_uri? permanent;
}
server {
    listen 443 ssl http2;
    server_name mysite1.ru;
    ssl_certificate /etc/letsencrypt/live/mysite1.ru/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mysite1.ru/privkey.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_ecdh_curve secp384r1;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4 77.88.8.8 valid=300s;
    resolver_timeout 5s;
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options nosniff;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    root /home/username/web/mysite1.ru/public_html;
    index index.php index.html index.htm;
    location ~ /.well-known {
        allow all;
    }
    location / {
        try_files $uri $uri/ /index.php?$uri&$args;
        index index.php index.html;
    }
    location /internal_data/ {
        internal;
    }
    location /library/ {
        internal;
    }
    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param SCRIPT_NAME $fastcgi_script_name;
        fastcgi_buffer_size 128k;
        fastcgi_buffers 256 16k;
        fastcgi_busy_buffers_size 256k;
        fastcgi_temp_file_write_size 256k;
        fastcgi_read_timeout 600;
        include fastcgi_params;
    }
}
server {
    listen 443 ssl http2;
    server_name www.mysite1.ru;
    ssl_certificate /etc/letsencrypt/live/mysite1.ru/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mysite1.ru/privkey.pem;
    rewrite ^ https://mysite1.ru$request_uri? permanent;
}
I removed your locations and put in my own, which my forum needs for clean URLs. But, most importantly, I rebuilt the second server block. With this I got A+ on ssllabs.
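None of the three threads above (Marco's default.conf, the VestaCP thread with its "ssl directive is deprecated" warnings, and the www-redirect thread just finished) states a confirmed root cause, but the configurations they post share the listener details that decide whether port 443 speaks TLS at all: a `listen 443` without the `ssl` parameter, the deprecated `ssl on;` form, a TLS listener with no certificate of its own, two blocks both claiming `default_server` for the same address and port, and `ssl_protocols` still enabling TLSv1/TLSv1.1. What follows is an added example in Python, not code from any of these threads, that reads an nginx configuration and flags those patterns; both configurations embedded in it are constructed for the demonstration and are not any poster's. It is a triage aid to run beside `nginx -t`, not a replacement for it.

```python
"""Static triage of nginx server blocks for the listener mistakes that surface
in a browser as ERR_SSL_PROTOCOL_ERROR.  Added example, not code from any thread
on this page; both configurations at the bottom are constructed.

The parser is deliberately small: it isolates server { ... } blocks by brace
depth and reads only the directives it checks.  A ';' inside a quoted value can
confuse it and include files are not followed, so run it beside `nginx -t`.
"""
import re
from collections import Counter

LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
_DIRECTIVE = re.compile(r"\b([A-Za-z_]\w*)\s*([^;{}]*?)\s*;")   # name args ;


def split_server_blocks(text):
    """Return the body of every server { ... } block, comments stripped."""
    text = re.sub(r"#[^\n]*", "", text)
    blocks, pos = [], 0
    while True:
        m = re.search(r"\bserver\s*\{", text[pos:])
        if not m:
            return blocks
        start = pos + m.end()
        depth, end = 1, start
        while depth and end < len(text):          # track nested location { } braces
            depth += {"{": 1, "}": -1}.get(text[end], 0)
            end += 1
        blocks.append(text[start:end - 1])
        pos = end


def parse_listen(args):
    """['[::]:443', 'ssl'] -> ('[::]', '443', {'ssl'}); a bare port means 0.0.0.0."""
    addr, flags = args[0], set(args[1:])
    if addr.isdigit():
        return "0.0.0.0", addr, flags
    m = re.match(r"^(.+):(\d+)$", addr)
    return (m.group(1), m.group(2), flags) if m else (addr, "80", flags)


def lint_tls(config_text):
    """Return (server_name, code, message) findings in configuration order."""
    findings, defaults = [], Counter()
    for idx, block in enumerate(split_server_blocks(config_text), 1):
        ds = [(m.group(1), m.group(2).split()) for m in _DIRECTIVE.finditer(block)]
        who = " ".join(a for n, args in ds if n == "server_name" for a in args) or "server #%d" % idx
        has_cert = any(n == "ssl_certificate" for n, _ in ds)
        ssl_on = any(n == "ssl" and args == ["on"] for n, args in ds)   # legacy 'ssl on;'
        tls_ports, ports = set(), set()
        for n, args in ds:
            if n != "listen" or not args:
                continue
            host, port, flags = parse_listen(args)
            ports.add(port)
            if "ssl" in flags or ssl_on:
                tls_ports.add(port)
            elif port == "443":
                findings.append((who, "PLAINTEXT_443", "'listen %s' lacks the ssl parameter: nginx "
                                 "answers plaintext HTTP on 443, which a browser reports as "
                                 "ERR_SSL_PROTOCOL_ERROR" % " ".join(args)))
            if "default_server" in flags:
                defaults[(host, port)] += 1
        if ssl_on:
            findings.append((who, "SSL_ON_DEPRECATED", "'ssl on;' is deprecated; use 'listen ... ssl'"))
        if tls_ports and not has_cert:
            findings.append((who, "NO_CERT", "TLS listener without ssl_certificate in this block; unless "
                             "http{} supplies one, nginx rejects the config or fails the handshake"))
        if has_cert and not tls_ports and "443" not in ports:
            findings.append((who, "UNUSED_CERT", "ssl_certificate set but no 'listen ... ssl' here"))
        for n, args in ds:
            weak = LEGACY_PROTOCOLS & set(args) if n == "ssl_protocols" else set()
            if weak:
                findings.append((who, "LEGACY_PROTOCOL", "ssl_protocols still enables " + ", ".join(sorted(weak))))
    for (host, port), count in defaults.items():
        if count > 1:
            findings.append(("*", "DUP_DEFAULT_SERVER", "%d blocks claim default_server for %s:%s; nginx -t "
                             "rejects this ('a duplicate default server')" % (count, host, port)))
    return findings


SAMPLE_CONFIG = r"""
# Constructed example carrying the mistakes discussed in the threads above.
server {
    listen 443 http2;                     # 'ssl' forgotten: port 443 speaks plain HTTP
    server_name www.example.test;
    ssl_certificate     /etc/letsencrypt/live/example.test/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.test/privkey.pem;
    return 301 https://example.test$request_uri;
}
server {
    listen 443 ssl default_server;
    ssl on;                               # deprecated form
    server_name example.test;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;  # legacy protocols left enabled
    ssl_certificate     /etc/letsencrypt/live/example.test/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.test/privkey.pem;
    location ~ \.php$ { fastcgi_pass unix:/run/php-fpm.sock; }
}
server {
    listen 443 ssl default_server;        # second default_server on the same address:port
    server_name other.test;               # and no certificate of its own
}
"""

CLEAN_CONFIG = r"""
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name example.test www.example.test;
    ssl_certificate     /etc/letsencrypt/live/example.test/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.test/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    location / { proxy_pass http://127.0.0.1:8080; }
}
server {
    listen 80;
    server_name example.test www.example.test;
    return 301 https://example.test$request_uri;
}
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for who, code, msg in lint_tls(text):
        print("%-18s %-19s %s" % (who, code, msg))
```

Run it with a path to a configuration file (for example `/etc/nginx/conf.d/default.conf`) or with no arguments to see the findings on the constructed sample. Because `nginx -t` only rejects the duplicate `default_server` case and the missing certificate on older versions, the plaintext-on-443 and legacy-protocol findings are the ones that pass a syntax check yet still produce the browser error or a weak ssllabs grade.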
Source
EDIT:
I have verified that nodejs is running on the correct port, on http, and I have also tried with and without:
app.use('trust proxy', true);
EDIT 2:
I turned off the nodejs server and tried to serve static files just with nginx, and the error persists, so clearly this has something to do with nginx and my ssl cert.
My domain is a free domain from freenom and the ssl certificate was generated with certbot.
Original:
I have a nodejs server running, and want to use nginx and proxy to the nodejs server. (Nginx https -> nodejs http)
Running nginx -t
gives no errors.
On ubuntu 20.04.2
, nginx 1.18.0
node 14.5.5
I have verified that my site works fine via http (on port 3000), but I get the following error when visiting via browser on https:
ERR_SSL_PROTOCOL_ERROR
Further, if I use the openssl CLI to try and connect, I get this
openssl s_client -connect my_domain.com:443 -servername my_domain.com
CONNECTED(00000003)
139662603941184:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:331:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 310 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
/etc/nginx/conf.d/ssl.conf
server {
listen 443 ssl;
ssl_certificate /server/resources/cert.pem;
ssl_certificate_key /server/resources/privkey.pem;
location / {
proxy_pass http://127.0.0.1:3000;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
}
Today I issued and installed SSL certificates for my website.
This is the rating assigned by https://www.ssllabs.com/ssltest/analyze.html :
This is the result of https://check-your-website.server-daten.de/ which indicates "only" content problems: mixed content, missing files, but nothing related to SSL_PROTOCOL
When I connect to the local IP address, everything goes smoothly with no errors:
- after stopping nginx server:
and
- also after restarting nginx server:
(base) marco@pc01:~$ sudo systemctl start nginx
(base) marco@pc01:~$ sudo systemctl reload nginx
(base) marco@pc01:~$ sudo systemctl status nginx
● nginx.service - A high performance web server and a reverse proxy server
Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: en
Active: active (running) since Tue 2020-02-11 19:06:58 CET; 10s ago
Docs: man:nginx(8)
Process: 6124 ExecStop=/sbin/start-stop-daemon --quiet --stop --retry QUIT/5 -
Process: 8843 ExecReload=/usr/sbin/nginx -g daemon on; master_process on; -s r
Process: 8779 ExecStart=/usr/sbin/nginx -g daemon on; master_process on; (code
Process: 8770 ExecStartPre=/usr/sbin/nginx -t -q -g daemon on; master_process
Main PID: 8784 (nginx)
Tasks: 9 (limit: 4915)
CGroup: /system.slice/nginx.service
├─8784 nginx: master process /usr/sbin/nginx -g daemon on; master_pro
├─8844 nginx: worker process
├─8846 nginx: worker process
├─8847 nginx: worker process
├─8849 nginx: worker process
├─8850 nginx: worker process
├─8851 nginx: worker process
├─8852 nginx: worker process
└─8853 nginx: worker process
the output is fine:
But when I connect to my website through its domain name I get net::ERR_SSL_PROTOCOL_ERROR :
This is my /etc/nginx/nginx.conf :
user www-data;
worker_processes auto;
pid /run/nginx.pid;
#include /etc/nginx/modules-enabled/*.conf;
events {
worker_connections 768;
# multi_accept on;
}
http {
##
# Basic Settings
##
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
# server_tokens off;
server_names_hash_bucket_size 64;
# server_name_in_redirect off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
##
# SSL Settings
##
#ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
##
# Logging Settings
##
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
##
# Gzip Settings
##
gzip on;
# gzip_vary on;
# gzip_proxied any;
# gzip_comp_level 6;
# gzip_buffers 16 8k;
# gzip_http_version 1.1;
# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss
text/javascript;
##
# Virtual Host Configs
##
include /etc/nginx/conf.d/*.conf;
#include /etc/nginx/sites-enabled/*;
}
And this is my /etc/nginx/conf.d/default.conf :
server {
listen 443 ssl http2 default_server;
server_name ggc.world;
ssl_certificate /etc/letsencrypt/live/ggc.world/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/ggc.world/privkey.pem; # managed by Certbot
ssl_trusted_certificate /etc/letsencrypt/live/ggc.world/chain.pem;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
ssl_session_timeout 5m;
#ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:50m;
ssl_stapling on;
ssl_stapling_verify on;
access_log /var/log/nginx/ggcworld-access.log combined;
add_header Strict-Transport-Security "max-age=31536000";
location = /favicon.ico { access_log off; log_not_found off; }
location / {
proxy_pass http://127.0.0.1:8080;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
}
server {
listen 80 default_server;
listen [::]:80 default_server;
error_page 497 https://$host:$server_port$request_uri;
server_name www.ggc.world;
return 301 https://$server_name$request_uri;
access_log /var/log/nginx/ggcworld-access.log combined;
add_header Strict-Transport-Security "max-age=31536000";
location = /favicon.ico { access_log off; log_not_found off; }
location / {
proxy_pass http://127.0.0.1:8080;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
}
upstream websocket {
ip_hash;
server localhost:3000;
}
server {
listen 81;
server_name ggc.world www.ggc.world;
#location / {
location ~ ^/(websocket|websocket/socket-io) {
proxy_pass http://127.0.0.1:4201;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Host $host;
proxy_redirect off;
proxy_set_header X-Real-IP $remote_addr;
}
}
As suggested here: Chrome ERR_SSL_PROTOCOL_ERROR on known working site
I cleared host cache:
and also flushed socket pools:
But after clearing the browsing data, the problem persists.
nginx -v : nginx version: nginx/1.14.0 (Ubuntu)
OS: Ubuntu 18.04.4 Desktop
This is the process I followed to obtain the certificate:
I followed these well done indications:
https://gist.github.com/cecilemuller/a26737699a7e70a7093d4dc115915de8
(base) marco@pc01:~$ sudo nano /etc/nginx/sites-available/ggc.world.conf
server {
listen 80;
listen [::]:80;
server_name ggc.world www.ggc.world;
root /var/www/ggc.world;
index index.html;
location / {
try_files $uri $uri/ =404;
}
}
(base) marco@pc01:~$ sudo rm /etc/nginx/sites-enabled/default
(base) marco@pc01:~$ sudo ln -s /etc/nginx/sites-available/ggc.world.conf /etc/nginx/sites-enabled/ggc.world.conf
(base) marco@pc01:~$ sudo systemctl reload nginx
(base) marco@pc01:~$ sudo systemctl status nginx
● nginx.service - A high performance web server and a reverse proxy server
Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled)
Active: active (running) since Tue 2020-02-11 11:16:22 CET; 1h 3min ago
Docs: man:nginx(8)
Process: 19025 ExecReload=/usr/sbin/nginx -g daemon on; master_process on; -s reload (code=exited, status=0/SUCCESS)
Main PID: 4461 (nginx)
Tasks: 9 (limit: 4915)
CGroup: /system.slice/nginx.service
├─ 4461 nginx: master process /usr/sbin/nginx -g daemon on; master_process on;
├─19026 nginx: worker process
├─19027 nginx: worker process
├─19028 nginx: worker process
├─19029 nginx: worker process
├─19030 nginx: worker process
├─19031 nginx: worker process
├─19032 nginx: worker process
└─19033 nginx: worker process
feb 11 11:16:22 pc01 systemd[1]: Starting A high performance web server and a reverse proxy server...
feb 11 11:16:22 pc01 systemd[1]: Started A high performance web server and a reverse proxy server.
feb 11 11:59:29 pc01 systemd[1]: Reloading A high performance web server and a reverse proxy server.
feb 11 11:59:29 pc01 systemd[1]: Reloaded A high performance web server and a reverse proxy server.
feb 11 12:19:28 pc01 systemd[1]: Reloading A high performance web server and a reverse proxy server.
feb 11 12:19:28 pc01 systemd[1]: Reloaded A high performance web server and a reverse proxy server.
(base) marco@pc01:~$ sudo nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
(base) marco@pc01:~$ sudo apt-get update
Ign:1 http://dl.google.com/linux/chrome/deb stable InRelease
Hit:2 http://it.archive.ubuntu.com/ubuntu bionic InRelease
Get:3 http://security.ubuntu.com/ubuntu bionic-security InRelease [88,7 kB]
Get:4 http://it.archive.ubuntu.com/ubuntu bionic-updates InRelease [88,7 kB]
Hit:5 http://dl.google.com/linux/chrome/deb stable Release
Get:6 http://it.archive.ubuntu.com/ubuntu bionic-backports InRelease [74,6 kB]
Get:8 http://it.archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages [851 kB]
Get:9 http://security.ubuntu.com/ubuntu bionic-security/main amd64 DEP-11 Metadata [38,6 kB]
Get:10 http://security.ubuntu.com/ubuntu bionic-security/main DEP-11 48x48 Icons [17,6 kB]
Get:11 http://security.ubuntu.com/ubuntu bionic-security/main DEP-11 64x64 Icons [41,5 kB]
Get:12 http://security.ubuntu.com/ubuntu bionic-security/universe amd64 DEP-11 Metadata [42,1 kB]
Get:13 http://security.ubuntu.com/ubuntu bionic-security/universe DEP-11 64x64 Icons [111 kB]
Get:14 http://security.ubuntu.com/ubuntu bionic-security/multiverse amd64 DEP-11 Metadata [2.464 B]
Get:15 http://it.archive.ubuntu.com/ubuntu bionic-updates/main amd64 DEP-11 Metadata [294 kB]
Get:16 http://it.archive.ubuntu.com/ubuntu bionic-updates/main DEP-11 48x48 Icons [73,8 kB]
Get:17 http://it.archive.ubuntu.com/ubuntu bionic-updates/main DEP-11 64x64 Icons [140 kB]
Get:18 http://it.archive.ubuntu.com/ubuntu bionic-updates/universe amd64 DEP-11 Metadata [264 kB]
Get:19 http://it.archive.ubuntu.com/ubuntu bionic-updates/universe DEP-11 48x48 Icons [203 kB]
Get:20 http://it.archive.ubuntu.com/ubuntu bionic-updates/universe DEP-11 64x64 Icons [464 kB]
Get:21 http://it.archive.ubuntu.com/ubuntu bionic-updates/multiverse amd64 DEP-11 Metadata [2.468 B]
Get:22 http://it.archive.ubuntu.com/ubuntu bionic-backports/universe amd64 DEP-11 Metadata [8.280 B]
Fetched 2.807 kB in 1s (3.005 kB/s)
Reading package lists... Done
(base) marco@pc01:~$ sudo apt-get install software-properties-common
Reading package lists... Done
Building dependency tree
Reading state information... Done
software-properties-common is already the newest version (0.96.24.32.12).
software-properties-common set to manually installed.
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
(base) marco@pc01:~$ sudo add-apt-repository universe
'universe' distribution component is already enabled for all sources.
(base) marco@pc01:~$ sudo add-apt-repository ppa:certbot/certbot
This is the PPA for packages prepared by Debian Let's Encrypt Team and backported for Ubuntu.
Note: Packages are only provided for currently supported Ubuntu releases.
More info: https://launchpad.net/~certbot/+archive/ubuntu/certbot
Press [ENTER] to continue or Ctrl-c to cancel adding it.
Hit:1 http://it.archive.ubuntu.com/ubuntu bionic InRelease
Hit:2 http://it.archive.ubuntu.com/ubuntu bionic-updates InRelease
Hit:3 http://it.archive.ubuntu.com/ubuntu bionic-backports InRelease
Ign:4 http://dl.google.com/linux/chrome/deb stable InRelease
Hit:5 http://security.ubuntu.com/ubuntu bionic-security InRelease
Get:6 http://ppa.launchpad.net/certbot/certbot/ubuntu bionic InRelease [21,3 kB]
Hit:7 http://dl.google.com/linux/chrome/deb stable Release
Get:9 http://ppa.launchpad.net/certbot/certbot/ubuntu bionic/main amd64 Packages [8.032 B]
Get:10 http://ppa.launchpad.net/certbot/certbot/ubuntu bionic/main i386 Packages [8.028 B]
Get:11 http://ppa.launchpad.net/certbot/certbot/ubuntu bionic/main Translation-en [4.176 B]
Fetched 41,5 kB in 1s (58,8 kB/s)
Reading package lists... Done
(base) marco@pc01:~$ sudo apt-get update
Hit:1 http://ppa.launchpad.net/certbot/certbot/ubuntu bionic InRelease
Hit:2 http://it.archive.ubuntu.com/ubuntu bionic InRelease
Ign:3 http://dl.google.com/linux/chrome/deb stable InRelease
Hit:4 http://it.archive.ubuntu.com/ubuntu bionic-updates InRelease
Hit:5 http://it.archive.ubuntu.com/ubuntu bionic-backports InRelease
Hit:6 http://dl.google.com/linux/chrome/deb stable Release
Hit:7 http://security.ubuntu.com/ubuntu bionic-security InRelease
Reading package lists... Done
(base) marco@pc01:~$ sudo apt-get install certbot python-certbot-nginx
Reading package lists... Done
Building dependency tree
Reading state information... Done
certbot is already the newest version (0.31.0-1+ubuntu18.04.1+certbot+1).
python-certbot-nginx is already the newest version (0.31.0-1+ubuntu18.04.1+certbot+1).
0 upgraded, 0 newly installed, 0 to remove and 1 not upgraded.
(base) marco@pc01:~$ sudo certbot --nginx
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Enter email address (used for urgent renewal and security notices)
(Enter 'c' to cancel):
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You
must agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
(A)gree/(C)ancel: A
Would you be willing to share your email address with the Electronic
Frontier Foundation, a founding partner of the Let's Encrypt project
and the non-profit organization that develops Certbot? We'd like to
send you email about our work encrypting the web, EFF news, campaigns,
and ways to support digital freedom.
(Y)es/(N)o: N
Which names would you like to activate HTTPS for?
1: ggc.world
2: www.ggc.world
Select the appropriate numbers separated by commas and/or spaces, or
leave input blank to select all options shown (Enter 'c' to cancel):
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for ggc.world
http-01 challenge for www.ggc.world
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/ggc.world.conf
Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/ggc.world.conf
Please choose whether or not to redirect HTTP traffic to HTTPS,
removing HTTP access.
1: No redirect - Make no further changes to the webserver
configuration.
2: Redirect - Make all requests redirect to secure HTTPS access.
Choose this for new sites, or if you're confident your site works on
HTTPS.
You can undo this change by editing your web server's configuration.
Select the appropriate number [1-2] then [enter] (press 'c' to
cancel): 2
Redirecting all traffic on port 80 to ssl in /etc/nginx/sites-enabled/ggc.world.conf
Redirecting all traffic on port 80 to ssl in /etc/nginx/sites-enabled/ggc.world.conf
Congratulations! You have successfully enabled https://ggc.world and
https://www.ggc.world
You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=ggc.world
https://www.ssllabs.com/ssltest/analyze.html?d=www.ggc.world
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/ggc.world/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/ggc.world/privkey.pem
Your cert will expire on 2020-05-11. To obtain a new or tweaked
version of this certificate in the future, simply run certbot again
with the "certonly" option. To non-interactively renew *all* of
your certificates, run "certbot renew"
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
Following the indications here:
https://gist.github.com/cecilemuller/a26737699a7e70a7093d4dc115915de8
I then modified /etc/nginx/sites-available/ggc.world.conf and /etc/letsencrypt/options-ssl-nginx.conf for tighter security:
(base) marco@pc01:~$ sudo nano /etc/nginx/sites-available
/ggc.world.conf
server {
server_name ggc.world www.ggc.world;
root /var/www/ggc.world;
index index.html;
location / {
try_files $uri $uri/ =404;
}
#listen [::]:443 ssl ipv6only=on; # managed by Certbot
#listen 443 ssl; # managed by Certbot
listen [::]:443 ssl http2 ipv6only=on;
listen 443 ssl http2;
gzip off;
ssl_certificate /etc/letsencrypt/live/ggc.world
/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/ggc.world
/privkey.pem; # managed by Certbot
ssl_trusted_certificate /etc/letsencrypt/live/ggc.world
/chain.pem;
include /etc/letsencrypt/options-ssl-nginx.conf; # managed
by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed
by Certbot
}
server {
if ($host = www.ggc.world) {
return 301 https://$host$request_uri;
} # managed by Certbot
if ($host = ggc.world) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
listen [::]:80;
server_name ggc.world www.ggc.world;
return 404; # managed by Certbot
}
(base) marco@pc01:~$ sudo nano /etc/letsencrypt/options-ssl-nginx.conf
# This file contains important security parameters. If you modify this file
# manually, Certbot will be unable to automatically provide future security
# updates. Instead, Certbot will print and log an error message with a path to
# the up-to-date file that you will need to refer to when manually updating
# this file.
ssl_session_cache shared:le_nginx_SSL:1m;
ssl_session_timeout 1d;
ssl_session_tickets off;
ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1;
ssl_stapling on;
ssl_stapling_verify on;
add_header Strict-Transport-Security "max-age=15768000; includeSubdomains; preload;";
add_header Content-Security-Policy "default-src 'none'; frame-ancestors 'none'; script-src 'self'; img-src 'self'; style-src 'self'; base-uri 'self'; form-action 'self';";
add_header Referrer-Policy "no-referrer, strict-origin-when-cross-origin";
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
I then reloaded and restarted the nginx server:
(base) marco@pc01:~$ sudo systemctl reload nginx
(base) marco@pc01:~$ sudo systemctl start nginx
(base) marco@pc01:~$ sudo systemctl status nginx
● nginx.service - A high performance web server and a reverse proxy server
   Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled)
   Active: active (running) since Tue 2020-02-11 11:16:22 CET; 1h 30min ago
     Docs: man:nginx(8)
  Process: 23810 ExecReload=/usr/sbin/nginx -g daemon on; master_process on; -s reload (code=exited, status=0/SUCCESS)
 Main PID: 4461 (nginx)
    Tasks: 9 (limit: 4915)
   CGroup: /system.slice/nginx.service
           ├─ 4461 nginx: master process /usr/sbin/nginx -g daemon on; master_process on;
           ├─23813 nginx: worker process
           ├─23815 nginx: worker process
           ├─23816 nginx: worker process
           ├─23817 nginx: worker process
           ├─23818 nginx: worker process
           ├─23819 nginx: worker process
           ├─23820 nginx: worker process
           └─23821 nginx: worker process
feb 11 11:16:22 pc01 systemd[1]: Starting A high performance web server and a reverse proxy server...
feb 11 11:16:22 pc01 systemd[1]: Started A high performance web server and a reverse proxy server.
feb 11 11:59:29 pc01 systemd[1]: Reloading A high performance web server and a reverse proxy server.
feb 11 11:59:29 pc01 systemd[1]: Reloaded A high performance web server and a reverse proxy server.
feb 11 12:19:28 pc01 systemd[1]: Reloading A high performance web server and a reverse proxy server.
feb 11 12:19:28 pc01 systemd[1]: Reloaded A high performance web server and a reverse proxy server.
feb 11 12:46:16 pc01 systemd[1]: Reloading A high performance web server and a reverse proxy server.
feb 11 12:46:16 pc01 systemd[1]: Reloaded A high performance web server and a reverse proxy server.
(base) marco@pc01:~$ sudo nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
What is going on? What might be the causes of this SSL_PROTOCOL error?
How to solve it? What do I have to modify in /etc/nginx/conf.d/default.conf?
Looking forward to your kind help.
Marco
But when I connect to my website through its domain name I get net::ERR_SSL_PROTOCOL_ERROR:
https://drive.google.com/open?id=10MYySDKhPx9L-QucqzxN5NTratJEOJZR
This is my /etc/nginx/nginx.conf :
user www-data;
worker_processes auto;
pid /run/nginx.pid;
#include /etc/nginx/modules-enabled/*.conf;
events {
    worker_connections 768;
    # multi_accept on;
}
http {
    ##
    # Basic Settings
    ##
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    # server_tokens off;
    server_names_hash_bucket_size 64;
    # server_name_in_redirect off;
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    ##
    # SSL Settings
    ##
    #ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ##
    # Logging Settings
    ##
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;
    ##
    # Gzip Settings
    ##
    gzip on;
    # gzip_vary on;
    # gzip_proxied any;
    # gzip_comp_level 6;
    # gzip_buffers 16 8k;
    # gzip_http_version 1.1;
    # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
    ##
    # Virtual Host Configs
    ##
    include /etc/nginx/conf.d/*.conf;
    #include /etc/nginx/sites-enabled/*;
}
And this is my /etc/nginx/conf.d/default.conf :
server {
    listen 443 ssl http2 default_server;
    server_name ggc.world;
    ssl_certificate /etc/letsencrypt/live/ggc.world/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/ggc.world/privkey.pem; # managed by Certbot
    ssl_trusted_certificate /etc/letsencrypt/live/ggc.world/chain.pem;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
    ssl_session_timeout 5m;
    #ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:50m;
    ssl_stapling on;
    ssl_stapling_verify on;
    access_log /var/log/nginx/ggcworld-access.log combined;
    add_header Strict-Transport-Security "max-age=31536000";
    location = /favicon.ico { access_log off; log_not_found off; }
    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    error_page 497 https://$host:$server_port$request_uri;
    server_name www.ggc.world;
    return 301 https://$server_name$request_uri;
    access_log /var/log/nginx/ggcworld-access.log combined;
    add_header Strict-Transport-Security "max-age=31536000";
    location = /favicon.ico { access_log off; log_not_found off; }
    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
upstream websocket {
    ip_hash;
    server localhost:3000;
}
server {
    listen 81;
    server_name ggc.world www.ggc.world;
    #location / {
    location ~ ^/(websocket|websocket/socket-io) {
        proxy_pass http://127.0.0.1:4201;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header Host $host;
        proxy_redirect off;
        proxy_set_header X-Real-IP $remote_addr;
    }
}
What is going on? What might be the causes of this SSL_PROTOCOL error?
How to solve it? What do I have to modify in /etc/nginx/conf.d/default.conf?
Looking forward to your kind help.
Marco
#1, 29.12.2020, 07:18 (7399 views, 4 replies)
Hi all! When a socket is opened, the error ERR_SSL_PROTOCOL_ERROR occurs. The server runs Apache + Nginx together; most likely it is Nginx that throws the error. Has anyone run into this? Please advise what the settings should be.
#2, Developer☭, 29.12.2020, 08:24
Perhaps this occurs because you open the site via
Code:
server {
    listen 443 ssl;
    server_name www.example.com;
    ssl_certificate www.example.com.crt;
    ssl_certificate_key www.example.com.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ...
}
You can read more about configuring ssl in nginx in the official documentation.
#3, 29.12.2020, 10:05 [OP]
Panda58dev, thanks, I'll try it!
Added 22 minutes later:
Code:
server {
    listen 127.0.0.1:27800 ssl;
    server_name example.ru;
    ssl_certificate "/var/www/httpd-cert/example.ru_2020-11-29-12-53_48.crt";
    ssl_certificate_key "/var/www/httpd-cert/example.ru_2020-11-29-12-53_48.key";
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;
}
Instead of 127.0.0.1 I substitute the server's IP address.
#4, Developer☭, 29.12.2020, 10:53
Personally I use these settings:
But again, ssl is not configured here, and the port I use
Code:
server {
    listen 443 ssl;
    server_name domain.net;
    ssl_certificate /etc/nginx/ssl/domain_com/domain.pem;
    ssl_certificate_key /etc/nginx/ssl/domain_com/domain.key;
    location / {
        root /usr/share/nginx/html;
        index index.html index.htm;
    }
}
Also, to understand the problem better, I would like to see the logs, what steps you have already taken, or at least a clarification of whether the question concerns the error mentioned earlier or not. Maybe you forgot to restart nginx, or maybe the problem is with the certificate itself.
#5, 29.12.2020, 12:24 [OP]
> Also, to understand the problem better, I would like to see the logs, what steps you have already taken, or at least a clarification of whether the question concerns the error mentioned earlier or not. Maybe you forgot to restart nginx, or maybe the problem is with the certificate itself.
That's just it: there is nothing in error.log, and I restart Nginx every time after changing the configuration.
Code:
socket = new WebSocket("wss://example.ru:27800/websocket");
Here are the Nginx settings:
Code:
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.ru;
    ssl_certificate "/var/www/httpd-cert/example.ru_2020-11-29-12-53_48.crt";
    ssl_certificate_key "/var/www/httpd-cert/example.ru_2020-11-29-12-53_48.key";
    location /websocket {
        proxy_pass http://127.0.0.1:27800;
        proxy_pass_header Server;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_read_timeout 86400;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP $remote_addr;
    }
    location / {
        proxy_pass http://127.0.0.1:80;
        proxy_pass_header Server;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP $remote_addr;
    }
}
I have a problem with setting up Discourse forum with Letsencrypt SSL cert. For the sake of example, I will refer to my page as mypage.com.
THE GOAL:
I want to set up VPS where I will have wordpress blog working on blog.mypage.com, landingpage on mypage.com and Discourse forum on forum.mypage.com. I want to use nginx with mariadb and have Letsencrypt SSL certs installed.
THE PROBLEM:
When I enter forum.mypage.com for the first time with a "fresh" browser (cookies and history deleted, new profile) in Chrome I get the error
"This site can't provide a secure connection
forum.mypage.com sent an invalid response.
ERR_SSL_PROTOCOL_ERROR"
With Firefox, nothing happens: the window is blank and the page does not load.
However, if I go to mypage.com FIRST, everything works as expected, and if I THEN enter forum.mypage.com, the DISCOURSE FORUM LOADS WITHOUT PROBLEM.
THE SETUP:
- Digital Ocean DNS settings are configured properly, i.e. they redirect mypage.com, www.mypage.com, blog.mypage.com, www.blog.mypage.com, forum.mypage.com and www.forum.mypage.com to my VPS IP (A record). Records for Mailgun are also set properly, as I receive registration mails from my Discourse installation.
- I use an Ubuntu 16.04 DigitalOcean droplet where I installed the newest stable versions of nginx 1.12.2, php 7.2.2 and mariadb 10.2.13 from the maintainers' PPAs. A 2GB swap file is enabled as requested for Discourse.
- I installed certbot using instructions from https://certbot.eff.org/. I used the syntax certbot --nginx -d mypage.com,www.mypage.com,blog.mypage.com,www.blog.mypage.com,forum.mypage.com,www.forum.mypage.com
- Here are my configuration files:
All files in /var/www are readable by www-data.
/etc/nginx/sites-enabled/default
server {
    root /var/www/html/;
    index index.php index.html index.htm index.nginx-debian.html;
    server_name mypage.com www.mypage.com _;
    location / {
        try_files $uri $uri/ =404;
    }
    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/var/run/php/php7.2-fpm.sock;
    }
    location ~ /\.ht {
        deny all;
    }
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/mypage.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/mypage.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
    if ($host = www.mypage.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    if ($host = mypage.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    listen 80;
    listen [::]:80;
    server_name mypage.com www.mypage.com _;
    return 404; # managed by Certbot
}
/etc/nginx/sites-enabled/discourse
server {
    listen 80; listen [::]:80;
    server_name forum.mypage.com www.forum.mypage.com; # <-- change this
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl http2; listen [::]:443 ssl http2;
    server_name forum.mypage.com; # <-- change this
    ssl on;
    ssl_certificate /var/discourse/shared/standalone/ssl/ssl.crt;
    ssl_certificate_key /var/discourse/shared/standalone/ssl/ssl.key;
    ssl_dhparam /var/discourse/shared/standalone/ssl/dhparams.pem;
    #ssl_certificate /etc/letsencrypt/live/mypage.com/fullchain.pem;
    #ssl_certificate_key /etc/letsencrypt/live/mypage.com/privkey.pem;
    #ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
    ssl_session_tickets off;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;
    http2_idle_timeout 5m; # up from 3m default
    location / {
        proxy_pass http://unix:/var/discourse/shared/standalone/nginx.http.sock:;
        proxy_set_header Host $http_host;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
/etc/nginx/sites-enabled/blog
server {
    root /var/www/blog;
    index index.php index.html index.htm index.nginx-debian.html;
    server_name blog.mypage.com www.blog.mypage.com;
    location / {
        try_files $uri $uri/ =404;
    }
    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/var/run/php/php7.2-fpm.sock;
    }
    location ~ /\.ht {
        deny all;
    }
    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/mypage.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/mypage.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
    if ($host = www.blog.mypage.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    if ($host = blog.mypage.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    listen 80;
    listen [::]:80;
    server_name blog.mypage.com www.blog.mypage.com;
    return 404; # managed by Certbot
}
/var/discourse/containers/app.yml
templates:
  - "templates/postgres.template.yml"
  - "templates/redis.template.yml"
  - "templates/web.template.yml"
  - "templates/web.ratelimited.template.yml"
  - "templates/web.socketed.template.yml"
## Uncomment these two lines if you wish to add Lets Encrypt (https)
  - "templates/web.ssl.template.yml"
  #- "templates/web.letsencrypt.ssl.template.yml"
## which TCP/IP ports should this container expose?
## If you want Discourse to share a port with another webserver like Apache or nginx,
## see https://meta.discourse.org/t/17247 for details
expose:
  # - "80:80"   # http
  # - "443:443" # https
params:
  db_default_text_search_config: "pg_catalog.english"
  db_shared_buffers: "128MB"
env:
  LANG: en_US.UTF-8
  UNICORN_WORKERS: 2
  DISCOURSE_HOSTNAME: forum.mypage.com
  DISCOURSE_DEVELOPER_EMAILS: 'my@mail.com'
  DISCOURSE_SMTP_ADDRESS: smtp.mailgun.org
  DISCOURSE_SMTP_PORT: 587
  DISCOURSE_SMTP_USER_NAME: postmaster@mg.mypage.com
  DISCOURSE_SMTP_PASSWORD: "mypassword"
volumes:
  - volume:
      host: /var/discourse/shared/standalone
      guest: /shared
  - volume:
      host: /var/discourse/shared/standalone/log/var-log
      guest: /var/log
hooks:
  after_code:
    - exec:
        cd: $home/plugins
        cmd:
          - git clone https://github.com/discourse/docker_manager.git
To set up Discourse I followed instructions from https://meta.discourse.org/t/running-other-websites-on-the-same-machine-as-discourse/17247
EDIT: added nginx log
nginx error log (debug mode):
http proxy header:
"POST /message-bus/f4c00a7368eb483db0a50783f4188da6/poll?dlp=t HTTP/1.1
Host: forum.mypage.com
X-Forwarded-For: 94.254.162.203
X-Forwarded-Proto: https
Connection: close
Content-Length: 154
user-agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:58.0) Gecko/20100101 Firefox/58.0
accept: application/json, text/javascript, */*; q=0.01
accept-language: en-GB,en;q=0.5
accept-encoding: gzip, deflate, br
referer: https://forum.mypage.com/
x-csrf-token: undefined
content-type: application/x-www-form-urlencoded; charset=UTF-8
x-silence-logger: true
dont-chunk: true
x-requested-with: XMLHttpRequest
cookie: __cfduid=dabdb09c0c5b037b730155b7e7afd7be71517471541
"
http cleanup add: 00005651877B0FF8
get rr peer, try: 1
stream socket 13
epoll add connection: fd:13 ev:80002005
connect to unix:/var/discourse/shared/standalone/nginx.http.sock, fd:13 #4
connected
http upstream connect: 0
posix_memalign: 00005651877A3A50:128 @16
http upstream send request
http upstream send request body
chain writer buf fl:0 s:705
chain writer buf fl:1 s:154
chain writer in: 000056518772D348
writev: 859 of 859
chain writer out: 0000000000000000
event timer add: 13: 60000:1519655986745
http2 frame complete pos:0000565187806582 end:0000565187806582
http2 frame out: 0000565187733EB0 sid:0 bl:0 len:4
http2 frame out: 0000565187733BF0 sid:0 bl:0 len:0
malloc: 00005651878462C0:16384
SSL buf copy: 9
SSL buf copy: 13
SSL to write: 22
SSL_write: 22
http2 frame sent: 0000565187733BF0 sid:0 bl:0 len:0
http2 frame sent: 0000565187733EB0 sid:0 bl:0 len:4
event timer del: 3: 1519656226737
http upstream request: "/message-bus/f4c00a7368eb483db0a50783f4188da6/poll?dlp=t"
http upstream dummy handler
http upstream request: "/message-bus/f4c00a7368eb483db0a50783f4188da6/poll?dlp=t"
http upstream dummy handler
http upstream request: "/message-bus/f4c00a7368eb483db0a50783f4188da6/poll?dlp=t"
http upstream process header
malloc: 000056518772E040:4096
recv: eof:0, avail:1
recv: fd:13 547 of 4096
http proxy status 200 "200 OK"
http proxy header: "Server: nginx"
http proxy header: "Date: Mon, 26 Feb 2018 14:38:46 GMT"
http proxy header: "Content-Type: application/json; charset=utf-8"
http proxy header: "Transfer-Encoding: chunked"
http proxy header: "Connection: close"
http proxy header: "Vary: Accept-Encoding"
http proxy header: "Cache-Control: must-revalidate, private, max-age=0"
http proxy header: "Pragma: no-cache"
http proxy header: "Expires: 0"
http proxy header: "Access-Control-Allow-Origin: https://forum.mypage.com"
http proxy header: "Access-Control-Allow-Methods: GET, POST"
http proxy header: "Access-Control-Allow-Headers: X-SILENCE-LOGGER, X-Shared-Session-Key, Dont-Chunk, Discourse-Visible"
http proxy header: "X-Runtime: 0.012014"
http proxy header: "Content-Encoding: gzip"
http proxy header done
xslt filter header
http2 header filter
http2 output header: ":status: 200"
http2 output header: "server: nginx/1.12.2"
http2 output header: "date: Mon, 26 Feb 2018 14:38:46 GMT"
http2 output header: "content-type: application/json; charset=utf-8"
http2 output header: "vary: Accept-Encoding"
http2 output header: "cache-control: must-revalidate, private, max-age=0"
http2 output header: "pragma: no-cache"
http2 output header: "expires: 0"
http2 output header: "access-control-allow-origin: https://forum.mypage.com"
http2 output header: "access-control-allow-methods: GET, POST"
http2 output header: "access-control-allow-headers: X-SILENCE-LOGGER, X-Shared-Session-Key, Dont-Chunk, Discourse-Visible"
http2 output header: "x-runtime: 0.012014"
http2 output header: "content-encoding: gzip"
http2:15 create HEADERS frame 000056518772DB98: len:331
http cleanup add: 000056518772DC80
http2 frame out: 000056518772DB98 sid:15 bl:1 len:331
SSL buf copy: 9
SSL buf copy: 331
http2:15 HEADERS frame 000056518772DB98 was sent
http2 frame sent: 000056518772DB98 sid:15 bl:1 len:331
http cacheable: 0
http proxy filter init s:200 h:0 c:1 l:-1
http upstream process upstream
pipe read upstream: 0
pipe preread: 20
pipe buf free s:0 t:1 f:0 000056518772E040, pos 000056518772E24F, size: 20 file: 0, size: 0
pipe length: 3
http chunked byte: 66 s:0
http chunked byte: 0D s:1
http chunked byte: 0A s:3
http chunked byte: 1F s:4
input buf #0 000056518772E252
http chunked byte: 0D s:5
http chunked byte: 0A s:6
http proxy chunked state 0, length 3
input buf 000056518772E252 15
pipe write downstream: 1
pipe write busy: 0
pipe write buf ls:1 000056518772E252 15
pipe write: out:000056518772D348, f:0
http output filter "/message-bus/f4c00a7368eb483db0a50783f4188da6/poll?dlp=t"
http copy filter: "/message-bus/f4c00a7368eb483db0a50783f4188da6/poll?dlp=t"
image filter
xslt filter body
http postpone filter "/message-bus/f4c00a7368eb483db0a50783f4188da6/poll?dlp=t" 000056518772D348
write new buf t:1 f:0 000056518772E040, pos 000056518772E252, size: 15 file: 0, size: 0
http write filter: l:0 f:1 s:15
http write filter limit 0
http2:15 available windows: conn:12582912 stream:12582912
http2:15 create DATA frame 000056518772DB98: len:15 flags:0
http2 frame out: 000056518772DB98 sid:15 bl:0 len:15
SSL buf copy: 9
SSL buf copy: 15
SSL to write: 364
SSL_write: 364
http2:15 DATA frame 000056518772DB98 was sent
http2 frame sent: 000056518772DB98 sid:15 bl:0 len:15
http write filter 0000000000000000
http copy filter: 0 "/message-bus/f4c00a7368eb483db0a50783f4188da6/poll?dlp=t"
pipe write busy: 0
pipe write: out:0000000000000000, f:0
pipe read upstream: 0
pipe buf free s:0 t:1 f:0 000056518772E040, pos 000056518772E040, size: 0 file: 0, size: 0
pipe length: 3
event timer: 13, old: 1519655986745, new: 1519655986759
http upstream request: "/message-bus/f4c00a7368eb483db0a50783f4188da6/poll?dlp=t"
http upstream dummy handler
http upstream request: "/message-bus/f4c00a7368eb483db0a50783f4188da6/poll?dlp=t"
http upstream process upstream
pipe read upstream: 1
readv: eof:0, avail:1
readv: 1, last:4096
pipe recv chain: 13
pipe buf free s:0 t:1 f:0 000056518772E040, pos 000056518772E040, size: 13 file: 0, size: 0
pipe length: 3
http chunked byte: 38 s:0
http chunked byte: 0D s:1
http chunked byte: 0A s:3
http chunked byte: 8A s:4
input buf #1 000056518772E043
http chunked byte: 0D s:5
http chunked byte: 0A s:6
http proxy chunked state 0, length 3
input buf 000056518772E043 8
pipe write downstream: 1
pipe write busy: 0
pipe write buf ls:1 000056518772E043 8
pipe write: out:000056518772D348, f:0
http output filter "/message-bus/f4c00a7368eb483db0a50783f4188da6/poll?dlp=t"
http copy filter: "/message-bus/f4c00a7368eb483db0a50783f4188da6/poll?dlp=t"
image filter
xslt filter body
http postpone filter "/message-bus/f4c00a7368eb483db0a50783f4188da6/poll?dlp=t" 000056518772D348
write new buf t:1 f:0 000056518772E040, pos 000056518772E043, size: 8 file: 0, size: 0
http write filter: l:0 f:1 s:8
http write filter limit 0
http2:15 available windows: conn:12582897 stream:12582897
http2:15 create DATA frame 000056518772DB98: len:8 flags:0
http2 frame out: 000056518772DB98 sid:15 bl:0 len:8
SSL buf copy: 9
SSL buf copy: 8
SSL to write: 17
SSL_write: 17
http2:15 DATA frame 000056518772DB98 was sent
http2 frame sent: 000056518772DB98 sid:15 bl:0 len:8
http write filter 0000000000000000
http copy filter: 0 "/message-bus/f4c00a7368eb483db0a50783f4188da6/poll?dlp=t"
pipe write busy: 0
pipe write: out:0000000000000000, f:0
pipe read upstream: 0
pipe buf free s:0 t:1 f:0 000056518772E040, pos 000056518772E040, size: 0 file: 0, size: 0
pipe length: 3
event timer: 13, old: 1519655986745, new: 1519655986760
http upstream request: "/message-bus/f4c00a7368eb483db0a50783f4188da6/poll?dlp=t"
http upstream dummy handler
http upstream request: "/message-bus/f4c00a7368eb483db0a50783f4188da6/poll?dlp=t"
http upstream process upstream
pipe read upstream: 1
readv: eof:0, avail:1
readv: 1, last:4096
pipe recv chain: 20
pipe buf free s:0 t:1 f:0 000056518772E040, pos 000056518772E040, size: 20 file: 0, size: 0
pipe length: 3
http chunked byte: 61 s:0
http chunked byte: 0D s:1
http chunked byte: 0A s:3
http chunked byte: 03 s:4
input buf #2 000056518772E043
http chunked byte: 0D s:5
http chunked byte: 0A s:6
http chunked byte: 30 s:0
http chunked byte: 0D s:1
http chunked byte: 0A s:8
http chunked byte: 0D s:9
http chunked byte: 0A s:10
http proxy chunked state 0, length 3
input buf 000056518772E043 10
pipe write downstream: 1
pipe write downstream flush in
http output filter "/message-bus/f4c00a7368eb483db0a50783f4188da6/poll?dlp=t"
http copy filter: "/message-bus/f4c00a7368eb483db0a50783f4188da6/poll?dlp=t"
image filter
xslt filter body
http postpone filter "/message-bus/f4c00a7368eb483db0a50783f4188da6/poll?dlp=t" 000056518772D348
write new buf t:1 f:0 000056518772E040, pos 000056518772E043, size: 10 file: 0, size: 0
http write filter: l:0 f:0 s:10
http copy filter: 0 "/message-bus/f4c00a7368eb483db0a50783f4188da6/poll?dlp=t"
pipe write downstream done
event timer: 13, old: 1519655986745, new: 1519655986760
http upstream exit: 0000000000000000
finalize http upstream request: 0
finalize http proxy request
free rr peer 1 0
close http upstream connection: 13
free: 00005651877A3A50, unused: 48
event timer del: 13: 1519655986745
reusable connection: 0
http upstream temp fd: -1
http output filter "/message-bus/f4c00a7368eb483db0a50783f4188da6/poll?dlp=t"
http copy filter: "/message-bus/f4c00a7368eb483db0a50783f4188da6/poll?dlp=t"
image filter
xslt filter body
http postpone filter "/message-bus/f4c00a7368eb483db0a50783f4188da6/poll?dlp=t" 00007FFDB2259F80
write old buf t:1 f:0 000056518772E040, pos 000056518772E043, size: 10 file: 0, size: 0
write new buf t:0 f:0 0000000000000000, pos 0000000000000000, size: 0 file: 0, size: 0
http write filter: l:1 f:0 s:10
http write filter limit 0
http2:15 available windows: conn:12582889 stream:12582889
http2:15 create DATA frame 000056518772DB98: len:10 flags:1
http2 frame out: 000056518772DB98 sid:15 bl:0 len:10
SSL buf copy: 9
SSL buf copy: 10
SSL to write: 19
SSL_write: 19
http2:15 DATA frame 000056518772DB98 was sent
http2 frame sent: 000056518772DB98 sid:15 bl:0 len:10
http write filter 0000000000000000
http copy filter: 0 "/message-bus/f4c00a7368eb483db0a50783f4188da6/poll?dlp=t"
http finalize request: 0, "/message-bus/f4c00a7368eb483db0a50783f4188da6/poll?dlp=t" a:1, c:1
http request count:1 blk:0
http2 close stream 15, queued 0, processing 1
http close request
http log handler
free: 000056518772E040
free: 00005651877AF030, unused: 2
free: 00005651877B0040, unused: 8
free: 000056518772D030, unused: 35
free: 00005651877A1930, unused: 375
post event 00005651877E2470
delete posted event 00005651877E2470
http2 handle connection handler
free: 0000565187733BA0, unused: 3136
free: 00005651878462C0
reusable connection: 1
event timer add: 3: 300000:1519656226760
http2 idle handler
reusable connection: 0
posix_memalign: 0000565187733BA0:4096 @16
http2 read handler
SSL_read: 0
SSL_get_error: 1
SL_read() failed (SSL: error:140943F2:SSL routines:ssl3_read_bytes:sslv3 alert unexpected message:SSL alert number 10) while processing HTTP/2 connection, client: 94.254.162.203, server: 0.0.0.0:443
close http connection: 3
SSL_shutdown: 1
event timer del: 3: 1519656226760
reusable connection: 0
run cleanup: 00005651877A12C0
free: 0000565187733BA0, unused: 4016
free: 0000000000000000
free: 000056518772C020
free: 00005651877B1050
free: 00005651877A1130, unused: 8
free: 00005651877AE9B0, unused: 0
free: 000056518775D8A0, unused: 0
free: 000056518775DAB0, unused: 0
free: 00005651877A1D40, unused: 88
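The debug log above ends with nginx reading a fatal TLS alert number 10 (unexpected_message) from the browser after the HTTP/2 stream had completed, while the browser itself only ever shows ERR_SSL_PROTOCOL_ERROR. The script below is an added example, not code from the poster, nginx or Discourse: it decodes the first bytes a client reads back on a TLS port into the distinct situations that a browser collapses into that one error (a plain HTTP answer, a TLS alert with its number and name, a ServerHello, nothing at all). The sample byte strings in SAMPLES are constructed; probe() is an optional live check using only the standard library and is not needed for the samples.

```python
"""Decode what came back on a TLS port, instead of the browser's one-size-fits-all
ERR_SSL_PROTOCOL_ERROR. Added example; the sample bytes below are constructed."""
import socket
import ssl

# TLS record content types (RFC 5246 section 6.2.1, unchanged in RFC 8446).
CHANGE_CIPHER_SPEC, ALERT, HANDSHAKE, APPLICATION_DATA = 20, 21, 22, 23
SERVER_HELLO = 2  # handshake message type

# AlertDescription values that show up most often in nginx and browser error messages (RFC 8446 section 6).
ALERT_NAMES = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate", 46: "certificate_unknown",
    47: "illegal_parameter", 70: "protocol_version", 80: "internal_error",
    112: "unrecognized_name",
}


def classify_reply(data: bytes) -> str:
    """Classify the first bytes received after a ClientHello was sent."""
    if not data:
        return "connection closed without a TLS record (nothing listening, or the peer dropped the handshake silently)"
    if data.startswith(b"HTTP/"):
        # A plain-text status line on a TLS port: this listener speaks HTTP, not TLS.
        status = data.split(b"\r\n", 1)[0].decode("ascii", "replace")
        return f"plain HTTP on a TLS port ({status}); typically a listen directive without the ssl parameter"
    if len(data) < 5:
        return "short read, not a complete TLS record header"
    content_type, major = data[0], data[1]
    if major != 3 or content_type not in (CHANGE_CIPHER_SPEC, ALERT, HANDSHAKE, APPLICATION_DATA):
        return "not a TLS record (another protocol, or garbage, on this port)"
    if content_type == ALERT and len(data) >= 7:
        level = "fatal" if data[5] == 2 else "warning"  # AlertLevel: 1 warning, 2 fatal
        code = data[6]
        return f"TLS alert {code} ({ALERT_NAMES.get(code, 'unknown')}, {level})"
    if content_type == HANDSHAKE and len(data) >= 6 and data[5] == SERVER_HELLO:
        return "TLS ServerHello, handshake is proceeding"
    return f"TLS record type {content_type}"


# Constructed samples of what a client might read back (not captured from any real host).
SAMPLES = {
    "plain_http": b"HTTP/1.1 400 Bad Request\r\nServer: nginx\r\n\r\n",
    "alert_10": bytes([ALERT, 3, 3, 0, 2, 2, 10]),   # fatal unexpected_message, the number seen in the log above
    "alert_40": bytes([ALERT, 3, 3, 0, 2, 2, 40]),   # fatal handshake_failure (no shared cipher or protocol)
    "server_hello": bytes([HANDSHAKE, 3, 3, 0, 0x7A, SERVER_HELLO, 0, 0, 0x76, 3, 3]),
    "ssh_banner": b"SSH-2.0-OpenSSH_8.2\r\n",
    "closed": b"",
}


def run_samples() -> dict:
    """Classify every constructed sample; returns {label: diagnosis}."""
    return {label: classify_reply(data) for label, data in SAMPLES.items()}


def probe(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Live check (needs network): report the library's reason instead of the browser's generic error."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return f"ok: {tls.version()} using {tls.cipher()[0]}"
    except ssl.SSLError as exc:
        return f"handshake failed: {exc.reason}"
    except OSError as exc:
        return f"connect failed: {exc}"


if __name__ == "__main__":
    for label, verdict in run_samples().items():
        print(f"{label:12s} -> {verdict}")
```

Run it as-is to see the constructed cases; call probe("your.host.example") to see what the standard library reports for a real endpoint, which is usually far more specific (certificate verification, protocol version, no shared cipher) than the browser's message.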
Before Nginx 1.15 we usually configured the HTTPS service as follows.
server {
    listen 443;
    server_name <site domain name>;
    ssl on;
    ssl_certificate <SSL certificate>;
    ssl_certificate_key <SSL certificate private key>;
    ssl_ciphers <cipher suites>;
    ssl_protocols <protocols>;
    ssl_prefer_server_ciphers on;
}
But this configuration is invalid in Nginx 1.15 and above: the system reports an error when Nginx starts, because a directive such as "ssl on" is no longer supported and must be removed. But once you delete that line and restart Nginx, you will find that the browser shows "ERR_SSL_PROTOCOL_ERROR" when it opens the page. The reason is that without "ssl on", a bare "listen 443;" makes Nginx speak unencrypted HTTP on that port, so the browser's TLS handshake gets a non-TLS reply.
As shown below:
So in Nginx 1.15 and above we must configure it like this:
server {
    listen 443 ssl;
    server_name <site domain name>;
    ssl_certificate <SSL certificate>;
    ssl_certificate_key <SSL certificate private key>;
    ssl_ciphers <cipher suites>;
    ssl_protocols <protocols>;
    ssl_prefer_server_ciphers on;
}
After restarting Nginx, our HTTPS service works normally.
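The note just above (a "listen 443;" left behind after removing "ssl on") and Marco's post earlier on this page (an nginx.conf whose "include /etc/nginx/sites-enabled/*;" line is commented out while the edited server block sits under sites-available, with a separate default_server for 443 in conf.d) are both cases where nginx -t passes and yet the wrong thing answers on port 443. The script below is an added example, not nginx tooling and not code from either post: it parses nginx configuration text, follows include globs through a constructed in-memory file tree, and reports "ssl on", any listen on port 443 that lacks the ssl parameter, and files that are never reached from nginx.conf. Paths and contents in FILES are made up to resemble the posts, not copied from them.

```python
"""Static lint for the nginx TLS mistakes behind ERR_SSL_PROTOCOL_ERROR.
Added example; FILES is a constructed in-memory tree, not anyone's real config."""
import fnmatch
import re

# Constructed tree: paths and contents are made up for the example.
FILES = {
    "/etc/nginx/nginx.conf": """
        http {
            ssl_protocols TLSv1.2 TLSv1.3;
            include /etc/nginx/conf.d/*.conf;
            #include /etc/nginx/sites-enabled/*;
        }
    """,
    "/etc/nginx/conf.d/default.conf": """
        server {
            listen 443;        # no ssl parameter: nginx answers plain HTTP here
            ssl on;            # pre-1.15 style
            server_name example.test;
            ssl_certificate /etc/letsencrypt/live/example.test/fullchain.pem;
            ssl_certificate_key /etc/letsencrypt/live/example.test/privkey.pem;
        }
        server {
            listen 80 default_server;
            return 301 https://$host$request_uri;
        }
    """,
    "/etc/nginx/sites-enabled/example.test.conf": """
        server {
            listen 443 ssl http2;   # correct, but this file is never included
            server_name example.test www.example.test;
        }
    """,
}

# Tokens: quoted strings, comments, the three structural characters, or bare words.
TOKEN_RE = re.compile(r'"[^"]*"|\'[^\']*\'|#[^\n]*|[{};]|[^\s{};"\']+')


def parse(text):
    """Parse nginx config text into (name, args, children) tuples; children is None for simple directives."""
    tokens = [t for t in TOKEN_RE.findall(text) if not t.startswith("#")]
    pos = 0

    def block():
        nonlocal pos
        items = []
        while pos < len(tokens) and tokens[pos] != "}":
            words = []
            while pos < len(tokens) and tokens[pos] not in (";", "{"):
                words.append(tokens[pos].strip("\"'"))
                pos += 1
            if pos >= len(tokens):
                raise ValueError("unterminated directive: " + " ".join(words))
            if tokens[pos] == "{":
                pos += 1
                children = block()
                pos += 1  # consume the closing brace
            else:
                pos += 1  # consume the semicolon
                children = None
            items.append((words[0], words[1:], children))
        return items

    return block()


def load(path, files, seen):
    """Parse one file and splice in everything its include globs match (recursively)."""
    seen.add(path)

    def expand(items):
        out = []
        for name, args, children in items:
            if name == "include" and args:
                for match in sorted(fnmatch.filter(files, args[0])):
                    out.extend(load(match, files, seen))
            else:
                out.append((name, args, None if children is None else expand(children)))
        return out

    return expand(parse(files[path]))


def walk(items):
    """Yield every directive in the tree, depth first."""
    for name, args, children in items:
        yield name, args
        if children is not None:
            yield from walk(children)


def listen_port(addr):
    """'443', '[::]:443', '127.0.0.1:8443' -> port string; unix sockets -> None."""
    match = re.search(r"^(\d+)$|:(\d+)$", addr)
    return (match.group(1) or match.group(2)) if match else None


def check(files, root="/etc/nginx/nginx.conf"):
    """Return human-readable findings for the configuration reachable from root."""
    seen = set()
    findings = []
    for name, args in walk(load(root, files, seen)):
        if name == "ssl" and args == ["on"]:
            findings.append("'ssl on' is removed in nginx 1.15+; put the ssl parameter on the listen directive instead")
        elif name == "listen" and args and listen_port(args[0]) == "443" and "ssl" not in args[1:]:
            findings.append(f"'listen {' '.join(args)}' serves plain HTTP on 443; browsers report ERR_SSL_PROTOCOL_ERROR")
    for path in sorted(set(files) - seen):
        findings.append(f"{path} is never included from {root}, so its server blocks are not loaded")
    return findings


if __name__ == "__main__":
    for line in check(FILES):
        print("-", line)
```

To run it against a real server, replace FILES with a dictionary built by reading /etc/nginx recursively; the checks are deliberately limited to what nginx -t does not catch, since a syntactically valid configuration is exactly what all three threads on this page had.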
Is your website or app showing an err_ssl_protocol_error?
Usually, it pops up when there is a problem with the SSL certificate of the website.
Website errors need an urgent fix as it would turn away your site visitors.
That’s why, at Bobcares, we help in fixing website errors as part of our Server Management Services.
Today, we’ll see how we fix err_ssl_protocol_error instantly.
What causes the err_ssl_protocol_error
Firstly, let’s get some background details about SSL websites.
These days, websites handle too much sensitive information like credit card details, personal information, bank details, etc.
Since these websites are part of the open internet, they are exposed to cyber-attacks too. An unsecured website is therefore an easy target, and any data theft can have serious consequences.
Thanks to the SSL certificate, web servers can now handle all their communication securely. Experienced website users always look for the secure "lock" symbol when browsing any website.
An active certificate encrypts the communication between the browser and the server, so nobody in between can grab sensitive data.
However, if for some reason the SSL certificate fails, the browser reports the SSL protocol error. In a way, this is a security mechanism to prevent further access to an insecure website.
How does the err_ssl_protocol_error show up?
Now it's time to check how the error shows up on a website.
For instance, one of our customers tried to access an app. He was unable to connect, and received the error as
Reasons for err_ssl_protocol_error
We saw that any problem with the SSL connection results in this error, and there can be many reasons for it.
Here, we'll check the common reasons that cause an SSL failure.
1. Expired certificate
Every SSL certificate comes with an expiry date. This expiry is set by the certificate provider. Most paid SSL certificates have a validity period of 1 year or so.
However, free SSL providers like LetsEncrypt, Sectigo, etc. keep the certificate active for 90 days.
For SSL to work, the certificate must be an active one.
2. Incorrect SSL configuration
At times, an incorrect SSL configuration can also result in an SSL protocol error. This happens when the browser connects to the wrong server due to DNS errors,
or when the server configuration points to the wrong SSL certificate file for the website.
3. Wrong date settings
Yet another common reason for SSL failure is a wrong date setting on the computer. This causes the browser to abort the connection to the website.
4. Browser cache
Likewise, if the browser has cached a wrong certificate, it can also report err_ssl_protocol_error. An easy fix here is to clear the browsing data from the browser,
which means removing the cookies, cached images, and files.
5. Firewall
Furthermore, in many scenarios the firewall can also impose restrictions. If the website is on the block list of the browser, access to the site can fail.
In such cases, a review of the firewall settings helps to restore access.
The fix for err_ssl_protocol_error
It is time now to check how our Support Engineers do the troubleshooting and get the website working for the customer.
As the first step, we recreate the SSL error from our side. This rules out any browser-specific errors on the client side.
Next, we check the validity of the SSL certificate. This can be done by clicking on the 'Lock' symbol in the browser address bar.
Valid certificate details appear as:
Similarly, it's worth checking the validity of the certificate using online SSL checkers too.
If the certificate has expired, we fix it by renewing the SSL certificate at the SSL provider and then updating the certificate for the website on the server too. In this case, the website's SSL certificate had expired, so we had to renew it to get the website working.
What if the certificate is valid and the website still shows errors?
Here the err_ssl_protocol_error points to a problem with the computer or browser settings.
Therefore, in such cases, we ask the customer to correct the date on the computer, clear the browser cache, or even disable the firewall temporarily. This lets them access the website without any errors.
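An added helper for the certificate check described above (my example, not Bobcares' tooling): it reads the two lines that `openssl x509 -noout -dates` prints for a server's certificate and distinguishes "expired, renew on the server" from "not yet valid, the checking machine's clock is probably wrong", which are reasons 1 and 3 above. The 14-day renewal warning threshold is an assumption.

```python
import re
import ssl
import time
from typing import Optional, Tuple

# Added example. Input is the output of, e.g.:
#   openssl s_client -connect HOST:443 -servername HOST </dev/null 2>/dev/null \
#     | openssl x509 -noout -dates
# which works even when the certificate is expired or for the wrong name.

RENEW_WARN_DAYS = 14  # assumed threshold; Let's Encrypt certificates last 90 days


def parse_dates(dates_output: str) -> Tuple[float, float]:
    """Return (notBefore, notAfter) as epoch seconds from 'openssl x509 -dates' text."""
    found = dict(re.findall(r"^(notBefore|notAfter)=(.+)$", dates_output, re.M))
    return (ssl.cert_time_to_seconds(found["notBefore"].strip()),
            ssl.cert_time_to_seconds(found["notAfter"].strip()))


def classify_validity(dates_output: str, now: Optional[float] = None) -> str:
    """Classify the certificate's validity window against the clock 'now'."""
    now = time.time() if now is None else now
    not_before, not_after = parse_dates(dates_output)
    if now < not_before:
        # A certificate that is not valid *yet* usually means the checking
        # machine's clock is behind (reason 3 above), not a bad certificate.
        return "not-yet-valid: check this machine's date/time before blaming the server"
    if now > not_after:
        days = int((now - not_after) // 86400)
        return f"expired: {days} days ago, renew at the CA and reinstall on the server"
    left = int((not_after - now) // 86400)
    if left <= RENEW_WARN_DAYS:
        return f"valid: {left} days left, renew soon"
    return f"valid: {left} days left"


if __name__ == "__main__":
    # Constructed sample, not a real certificate's dates.
    sample = "notBefore=Jan 10 00:00:00 2020 GMT\nnotAfter=Apr  9 23:59:59 2020 GMT\n"
    print(classify_validity(sample))
```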
Is there a way to prevent SSL errors?
Of course, yes.
To prevent website errors, all you have to do is add the website to a reliable monitoring service. As part of our monitoring service, we constantly check the website for errors.
Thus it alerts the website owner about errors proactively, and you will be the first to know about site errors, not your customers.
SSL providers do send email notifications before an SSL certificate is due for renewal. Keeping a close watch on these renewal emails also helps to avoid SSL failures.
Conclusion
To sum up, err_ssl_protocol_error commonly happens because of an expired SSL certificate, incorrect server settings, a wrong computer date, etc.
Today, we saw how our Support Engineers check and fix website SSL errors.