Recently I have been running into something confusing with SSL and NGINX: the certificates are getting mixed up with one another. There are many domains on the server (500+). Earlier it showed that the certificate was not for that domain (for example, going to test.ru showed that the certificate belonged to test1.ru) and everything was solved by deleting the test1.ru certificate; now it is a complete dead end, it just gives "Error when establishing a secure connection." without any additional information.

The syntax is fine (nginx -t); I also went over it visually and everything looks OK (although with such a volume I could miss something).

Config for the domain:

 server {
     server_name s1.com www.s1.com;
     listen 1.1.1.1;
     listen 1.1.1.1:443 ssl;
     disable_symlinks if_not_owner from=$root_path;
     set $root_path /var/www/red/data/www/s1.com;
     location ~* ^.+\.(jpg|jpeg|gif|png|svg|js|css|mp3|ogg|mpe?g|avi|zip|gz|bz2?|rar|swf)$ {
         root $root_path;
         access_log /var/www/nginx-logs/red isp;
         access_log /var/www/httpd-logs/s1.access.log;
         error_page 404 = @fallback;
     }
     location / {
         proxy_pass http://1.1.1.1:81;
         proxy_redirect 1.1.1.1:81 /;
         proxy_set_header Host $host;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
         proxy_set_header X-Forwarded-Proto $scheme;
         proxy_set_header X-Real-IP $remote_addr;
     }
     location ~* ^/(webstat|awstats|webmail|myadmin|pgadmin)/ {
         proxy_pass http://1.1.1.1:81;
         proxy_redirect 1.1.1.1:81 /;
         proxy_set_header Host $host;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
         proxy_set_header X-Forwarded-Proto $scheme;
         proxy_set_header X-Real-IP $remote_addr;
     }
     location @fallback {
         proxy_pass http://1.1.1.1:81;
         proxy_set_header Host $host;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
         proxy_set_header X-Forwarded-Proto $scheme;
         proxy_set_header X-Real-IP $remote_addr;
     }
     limit_conn red 200;
     ssl_certificate /var/www/httpd-cert/s1.crt;
     ssl_certificate_key /var/www/httpd-cert/s1.key;
 }

Please tell me which direction to dig in.

  • I have added an answer. - aleksandr barakin
  • IP addresses in listen are a bad sign. Do you really use them in all server blocks? - Alexey Ten

1 answer

So check: maybe you really do have the certificate files mixed up.

The domain(s) for which the certificate was issued are recorded in the certificate's subject field, in the form CN=name.domain, and in X509v3 Subject Alternative Name, in the form DNS:name.domain.

 $ cat /path/to/file | openssl x509 -noout -text | grep -E '(DNS|Subj.*CN)'
         Subject: CN=mail.domain.ru
                 DNS:imap.domain.ru, DNS:mail.domain.ru, DNS:smtp.domain.ru

to check the information in the certificate that the http server actually serves, the cat /path/to/file command can be replaced with this construction:

 $ :| openssl s_client -showcerts -servername name.domain -connect name.domain:443 2>/dev/null

for example, for yandex.ru (I have split the output into lines for easier viewing):

 $ :| openssl s_client -showcerts -servername yandex.ru -connect yandex.ru:443 \
     2>/dev/null | openssl x509 -noout -text | grep -E '(DNS|Subj.*CN)'
         Subject: C=RU, O=Yandex LLC, OU=ITO, L=Moscow, ST=Russia, CN=yandex.ru
                 DNS:xmlsearch.yandex.ua, DNS:yandex.net, DNS:images.yandex.ru,
                 DNS:xmlsearch.yandex.com.tr, DNS:family.yandex.com.tr, DNS:people.yandex.kz,
                 DNS:m.yandex.kz, DNS:xmlsearch.yandex.com, DNS:play.yandex.com.tr,
                 DNS:gorsel.yandex.com.tr, DNS:images.yandex.com, DNS:aile.yandex.com.tr,
                 DNS:m.yandex.ua, DNS:game.yandex.com.tr, DNS:video.yandex.ua,
                 DNS:yandex.com.tr, DNS:video.yandex.ru, DNS:yandex.kz,
                 DNS:video.yandex.com.tr, DNS:m.yandex.ru, DNS:www.yandex.ua,
                 DNS:www.yandex.kz, DNS:games.yandex.com.tr, DNS:m.yandex.com,
                 DNS:yandex.ua, DNS:yandex.by, DNS:images.yandex.ua,
                 DNS:xmlsearch.yandex.kz, DNS:m.yandex.by, DNS:www.yandex.ru,
                 DNS:video.yandex.com, DNS:video.yandex.by, DNS:oyun.yandex.com.tr,
                 DNS:xmlsearch.yandex.ru, DNS:people.yandex.by, DNS:people.yandex.ru,
                 DNS:images.yandex.kz, DNS:www.yandex.com, DNS:yandex.com,
                 DNS:m.yandex.com.tr, DNS:images.yandex.com.tr, DNS:www.yandex.com.tr,
                 DNS:xmlsearch.yandex.by, DNS:people.yandex.ua, DNS:yandex.ru,
                 DNS:www.yandex.by, DNS:video.yandex.kz, DNS:images.yandex.by

"Error establishing secure connection."

for this you need to look at the http server's logs.

and on the client side, wget, for example, can be used as an initial diagnostic tool:

 $ wget -S --spider https://name.domain

about the provided configuration

This fragment is puzzling:

 listen 1.1.1.1;
 listen 1.1.1.1:443 ssl;

it turns out that you have one section for both port 80 and port 443:

If only the address is specified, port 80 is used.

i.e., on port 80, as far as I understand, you are trying to answer the client's https request rather than an http one.

  • Thanks for the helpful information, but the certificates are written correctly. I have attached the config to the question. The problem is that whichever certificate I assign to the domain, it does not work, as if nginx does not read the lines that enable ssl at all. - Aleksey Secret
  • maybe it is a different server section. - aleksandr barakin
  • Yes, that is possible, but how do I determine which section is being read? As for the syntax, if nginx -t is to be believed, it is correct. - Aleksey Sekretnyy
  • as usual: remove all the descriptions except for one site and check; then by bisection: put back half of the descriptions, check, and so on. - aleksandr barakin
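The bisection suggested in the last comment can be automated. The script below is an added example and not code from the thread: it reads a dump produced by `nginx -T`, finds every server block whose `listen` carries the `ssl` parameter, and reports the defects that produce exactly the two symptoms in the question on a many-vhost server: a server_name declared in two TLS server blocks (nginx keeps the first block for that address:port and serves its certificate to anyone asking for the name; `nginx -t` only mentions this as a `[warn] conflicting server name ... ignored` line, which is easy to miss among 500 hosts), an `ssl` listen without `ssl_certificate` or with an unreadable certificate file, and a certificate whose CN/SAN does not cover a server_name. The cert-to-name comparison uses the same `openssl x509 -noout -text` output as the answer. All paths and the sample config are constructed for the demo; `audit.sh`, `/tmp/dump.conf` and the function names are my own.

```shell
#!/bin/sh
# Added example (not code from the original thread). Audits the TLS server
# blocks in an "nginx -T" dump and reports:
#   DUPLICATE  - a server_name present in two ssl server blocks (nginx keeps the
#                first block and serves its certificate for that name),
#   NO_CERT    - "listen ... ssl" without ssl_certificate,
#   UNREADABLE - the ssl_certificate file cannot be read,
#   MISMATCH   - a server_name that the certificate's CN/SAN does not cover.
# Paths, file names and the sample config are constructed for the demo.
set -f   # certificate names contain "*"; never let the shell glob them

# Strip comments, join lines, then put every "{", "}" and ";"-terminated
# directive on its own line so the parser below can work token by token.
flatten_conf() {
  sed 's/#.*$//' "$1" | tr '\n' ' ' | awk '{ gsub(/[{};]/, "&\n"); print }'
}

# One tab-separated "names<TAB>cert" line per server block whose listen carries
# the ssl parameter ("listen 1.1.1.1;" alone is a plain port-80 socket).
extract_ssl_servers() {
  flatten_conf "$1" | awk '
    {
      line = $0; sub(/^[[:space:]]+/, "", line); sub(/[[:space:]]+$/, "", line)
      if (line == "") next
      if (line ~ /\{$/) {                                   # a block opens
        depth++
        if (line ~ /^server[[:space:]]*\{$/) { in_server = 1; sdepth = depth; names = ""; cert = ""; ssl = 0 }
        next
      }
      if (line == "}") {                                    # a block closes
        if (in_server && depth == sdepth) {
          if (ssl) printf "%s\t%s\n", (names == "" ? "-" : names), cert
          in_server = 0
        }
        depth--
        next
      }
      if (!in_server) next
      sub(/;$/, "", line)
      n = split(line, f, "[[:space:]]+")
      if (f[1] == "server_name") { for (i = 2; i <= n; i++) names = names (names == "" ? "" : ",") f[i] }
      if (f[1] == "listen" && line ~ /[[:space:]]ssl([[:space:]]|$)/) ssl = 1
      if (f[1] == "ssl_certificate") cert = f[2]
    }'
}

# 0 if hostname $1 is covered by certificate name $2 (exact, or one-label wildcard).
host_matches_san() {
  h=$(printf '%s' "$1" | tr 'A-Z' 'a-z'); s=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  [ "$h" = "$s" ] && return 0
  case "$s" in
    \*.*) [ "${h#*.}" = "${s#\*.}" ] && [ "${h%%.*}" != "" ] && [ "${h%%.*}" != "$h" ] && return 0 ;;
  esac
  return 1
}

# DNS names a certificate file is valid for: every SAN entry plus the subject CN.
cert_names() {
  { openssl x509 -in "$1" -noout -text 2>/dev/null | grep -o 'DNS:[^,[:space:]]*' | sed 's/^DNS://'
    openssl x509 -in "$1" -noout -subject 2>/dev/null | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'; } | sort -u
}

cert_covers() {                     # cert_covers <cert file> <hostname>
  for n in $(cert_names "$1"); do host_matches_san "$2" "$n" && return 0; done
  return 1
}

audit_nginx_ssl() {                 # audit_nginx_ssl <file written by: nginx -T>
  seen=" "
  extract_ssl_servers "$1" | while IFS="$(printf '\t')" read -r names cert; do
    if [ -z "$cert" ]; then echo "NO_CERT     $names: listen ... ssl without ssl_certificate"
    elif [ ! -r "$cert" ]; then echo "UNREADABLE  $names: $cert"
    fi
    [ "$names" = "-" ] && continue
    for name in $(printf '%s' "$names" | tr ',' ' '); do
      case "$seen" in
        *" $name "*) echo "DUPLICATE   $name declared again (cert $cert); nginx uses the first block" ;;
        *)           seen="$seen$name " ;;
      esac
      case "$name" in '~'*) continue ;; esac    # regex server_name: nothing to compare with
      if [ -r "$cert" ] && ! cert_covers "$cert" "$name"; then
        echo "MISMATCH    $name is not in the CN/SAN of $cert"
      fi
    done
  done
}

sample_config() {   # constructed sample in nginx -T layout, shaped like the config in the question
  cat <<'EOF'
http {
    server {
        server_name s1.com www.s1.com;
        listen 1.1.1.1;                 # port 80, no ssl parameter: not a TLS socket
        listen 1.1.1.1:443 ssl;
        location / { proxy_pass http://1.1.1.1:81; }
        ssl_certificate /var/www/httpd-cert/s1.crt;
        ssl_certificate_key /var/www/httpd-cert/s1.key;
    }
    server { server_name s2.com; listen 1.1.1.1:443 ssl; ssl_certificate /var/www/httpd-cert/s2.crt; }
    server { server_name s2.com www.s2.com; listen 1.1.1.1:443 ssl; ssl_certificate /var/www/httpd-cert/s2-www.crt; }
    server { server_name s3.com; listen 1.1.1.1:443 ssl; }    # ssl listen without a certificate
    server { server_name plain.com; listen 1.1.1.1; }         # http only: not audited
}
EOF
}

if [ -n "${1:-}" ]; then
  audit_nginx_ssl "$1"    # usage: nginx -T 2>/dev/null > /tmp/dump.conf && sh audit.sh /tmp/dump.conf
else                      # no argument: run against the constructed sample
  demo=$(mktemp); sample_config > "$demo"; audit_nginx_ssl "$demo"; rm -f "$demo"
fi
```

Run it against a real dump with `nginx -T 2>/dev/null > /tmp/dump.conf && sh audit.sh /tmp/dump.conf`; with no argument it audits the built-in sample and reports the s2.com duplicate, the certificate-less s3.com block and the unreadable demo paths. One case the audit cannot see is a client asking (via SNI) for a name that no server block declares at all: nginx then falls back to the default server for that address:port (the first one declared, unless one is marked `default_server`) and serves that block's certificate, which looks exactly like "the certificate belongs to another domain"; `openssl s_client -servername` from the answer shows which certificate a given name really gets.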