Maciej Dobrowolski's questions -server

Maciej Dobrowolski

Asked: 2017-03-04 03:59:14 +0800 CST

nginx ssl configuration per virtual host

I am switching configuration from a single host to several virtual hosts on the nginx server. Until my changes, ssl was working correctly, but after adding several virtual hosts, each with unique domain name and - consequently - different certificate, ssl does not want to work.

My original configuration was:

# fragment of nginx.conf file
http {
    # ...
    ssl_certificate_key /path/to/privkey.pem;
    ssl_certificate     /path/to/fullchain.pem;
    ssl_dhparam         /path/to/dhparam;
    # ...
}

So, this is a single certificate for the nginx server.

After adding several virtual hosts, I want them to present their own, correct certificates for their domains. So I removed all ssl-related params from the main nginx.conf file and added them to virtual hosts files like that:

# fragment of sites-enabled/my.server.com file
server {
   listen 443 ssl;
   root "/var/www/my.server.com/";
   server_name my.server.com www.my.server.com;
   location / {
       try_files $uri $uri/ /index.html;

   }
   ssl_certificate_key /path/to/my/server/com/privkey.pem;
   ssl_certificate     /path/to/my/server/com/fullchain.pem;
   ssl_dhparam         /path/to/my/server/com/dhparam;
}

After reloading nginx I am unable to connect to these virtual hosts:

# curl https://my.server.com 
curl: (35) gnutls_handshake() failed: The TLS connection was non-properly terminated.

# openssl s_client -connect my.server.com:443
CONNECTED(00000003) 140524682454680:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:
--- no peer certificate available
--- No client certificate CA names sent
--- SSL handshake has read 0 bytes and written 305 bytes
--- New, (NONE), Cipher is (NONE) Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE No ALPN negotiated SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1488541876
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

For me, it really looks like an nginx cannot find/read the certificate file, but it's not the case as the paths are exactly the same as for configuration without virtual hosts.

After looking at /var/logs/nginx/error.log I also found the line:

*39 no "ssl_certificate" is defined in server listening on SSL port while SSL handshaking

I am sure it's something really small and stupid what I am missing. Can anyone see what I am doing wrong?

nginx ssl configuration per virtual host

Can you pass user/pass for HTTP Basic Authentication in URL parameters?

Ping a Specific Port

Check if port is open or closed on a Linux server?

How to automate SSH login with password?

How do I tell Git for Windows where to find my private RSA key?

What's the default superuser username/password for postgres after a new install?

What port does SFTP use?

Command line to list users in a Windows Active Directory group?

What is a Pem file and how does it differ from other OpenSSL Generated Key File Formats?

How to determine if a bash variable is empty?