0

I have spent the whole day trying to figure out why my letsencrypt SSL setup does not work. I even switched to self-generated cert but none works

My detailed nginx setup:

https://gist.github.com/yellow1912/bf38b2993032d10b7a7bdc82167a948b

-----------------------------
NGINX setup

built by gcc 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.2)
built with OpenSSL 1.0.2h  3 May 2016
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-ipv6 --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_addition_module --with-http_dav_module --with-http_geoip_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_v2_module --with-http_sub_module --with-http_xslt_module --with-stream --with-stream_ssl_module --with-mail --with-mail_ssl_module --with-threads --add-module=/etc/nginx/modules/ngx_devel_kit --add-module=/etc/nginx/modules/lua-nginx-module --add-module=/etc/nginx/modules/nginx-push-stream-module --sbin-path=/usr/sbin/nginx

-----------------------------
NGINX config

server {
    listen 80;
    listen 443 ssl;
    server_name mysite.com www.mysite.com;

    # tried both with and without ssl on
    # ssl on; 
    ssl_certificate /etc/letsencrypt/live/mysite.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mysite.com/privkey.pem;

    # from https://cipherli.st/
    # and https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
    ssl_ecdh_curve secp384r1;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;
    # Disable preloading HSTS for now.  You can use the commented out header line that includes
    # the "preload" directive if you understand the implications.
    #add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options nosniff;

    ssl_dhparam /etc/ssl/certs/dhparam.pem;

    root        /var/www/web;
    index       app.php;

    access_log /var/log/nginx/sites/site-path/access.log;
    error_log  /var/log/nginx/sites/site-path/error.log;

    location = /robots.txt  {
        alias  /var/www/local/site-path/web/robots.txt;
        access_log off;
        log_not_found off;
    }

    location = /favicon.ico {
        alias  /var/www/local/site-path/web/favicon.ico;
        access_log off;
        log_not_found off;
    }

    # we should not retry asset files further
    location /assets {
        try_files $uri =404;
        log_not_found off;
        access_log off;
    }

    # we should not retry static asset files any further
    location ~ \.(css|js|png|jpg|jpeg|bmp|gif|ico)(/|$) {
        try_files $uri =404;
        log_not_found off;
        access_log off;
    }

    location ~ /.well-known {
        allow all;
    }

    location ~ /\. {
        access_log off;
        log_not_found off;
        deny all;
    }

    rewrite ^/app\.php/?(.*)$ /$1 permanent;

    # lua rewrite module
    # already checked for possible interference with ssl by commenting out
    location / {
        access_by_lua_block {
            local rewriter = require "lua_st_redis_rewriter"
            -- lets try to see if we have to redirect here
            rewriter.redirect("1bfa3120d5534256b3bf17c37565c435")
            -- yay, no redirect? we have to skip
            rewriter.skipOn()
        }
        # include /etc/nginx/include.d/lua_st_redis_rewrites.lua;
        try_files $uri @rewriteapp;
    }

    location @rewriteapp {
        rewrite ^(.*)$ /app.php/$1 last;
    }

    # pass the PHP scripts to FastCGI server from upstream phpfcgi
    location ~ ^/(app|app_dev)\.php(/|$) {
        access_by_lua_block {
            local rewriter = require "lua_st_redis_rewriter"

            if not rewriter.skipped() then
                rewriter.skipOff()
                rewriter.redirect("1bfa3120d5534256b3bf17c37565c435", true)
            end
        }

        # Setup var defaults
        set $no_cache "";

        # If non GET/HEAD, don't cache & mark user as uncacheable for 1 second via cookie
        if ($request_method !~ ^(GET|HEAD)$) {
            set $no_cache "1";
        }

        # Drop no cache cookie if need be
        # (for some reason, add_header fails if included in prior if-block)
        if ($no_cache = "1") {
            add_header Set-Cookie "_mcnc=1; Max-Age=2; Path=/";
            add_header X-Microcachable "0";
        }

        # Bypass cache if no-cache cookie is set
        if ($http_cookie ~* "_mcnc") {
            set $no_cache "1";
        }

        set $no_cache "1";

        # Bypass cache if flag is set
        fastcgi_no_cache $no_cache;
        fastcgi_cache_bypass $no_cache;
        fastcgi_cache microcache;
        fastcgi_cache_key $scheme$host$request_uri$request_method;
        fastcgi_cache_valid 404 301 302 30m;
        fastcgi_cache_valid 200 1s;
        fastcgi_cache_use_stale updating error timeout invalid_header http_500;
        fastcgi_pass_header Set-Cookie;
        fastcgi_pass_header Cookie;
        fastcgi_ignore_headers Cache-Control Expires Set-Cookie;

        fastcgi_split_path_info ^(.+\.php)(/.*)$;

        fastcgi_pass unix:/var/run/php-fpm-default.sock;
        fastcgi_index app.php;

        include fastcgi_params;
        fastcgi_param SITE_LOCAL_PATH site-path;
        fastcgi_param SITE_LOCAL_DIR /var/www/local/site-path;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param HTTPS off;

        # fastcgi buffer
        fastcgi_buffer_size 128k;
        fastcgi_buffers 256 16k;
        fastcgi_busy_buffers_size 256k;
        fastcgi_temp_file_write_size 256k;
#        fastcgi_read_timeout 480;
    }
}

Detailed error output:

https://gist.github.com/yellow1912/36be7f744f09df1ca371bad49a91b624

openssl s_client -connect mysite.com:443 -debug
CONNECTED(00000003)
write to 0xdb5010 [0xdb5da0] (305 bytes => 305 (0x131))
0000 - 16 03 01 01 2c 01 00 01-28 03 03 20 f4 14 1a 35   ....,...(.. ...5
0010 - f6 69 61 92 ce 1e 9d 51-c9 42 a1 5c 6b d1 7e fd   .ia....Q.B.\k.~.
0020 - fb e3 f0 0c 42 24 09 7d-fa 3d 30 00 00 aa c0 30   ....B$.}.=0....0
0030 - c0 2c c0 28 c0 24 c0 14-c0 0a 00 a5 00 a3 00 a1   .,.(.$..........
0040 - 00 9f 00 6b 00 6a 00 69-00 68 00 39 00 38 00 37   ...k.j.i.h.9.8.7
0050 - 00 36 00 88 00 87 00 86-00 85 c0 32 c0 2e c0 2a   .6.........2...*
0060 - c0 26 c0 0f c0 05 00 9d-00 3d 00 35 00 84 c0 2f   .&.......=.5.../
0070 - c0 2b c0 27 c0 23 c0 13-c0 09 00 a4 00 a2 00 a0   .+.'.#..........
0080 - 00 9e 00 67 00 40 00 3f-00 3e 00 33 00 32 00 31   ...g.@.?.>.3.2.1
0090 - 00 30 00 9a 00 99 00 98-00 97 00 45 00 44 00 43   .0.........E.D.C
00a0 - 00 42 c0 31 c0 2d c0 29-c0 25 c0 0e c0 04 00 9c   .B.1.-.).%......
00b0 - 00 3c 00 2f 00 96 00 41-c0 11 c0 07 c0 0c c0 02   .<./...A........
00c0 - 00 05 00 04 c0 12 c0 08-00 16 00 13 00 10 00 0d   ................
00d0 - c0 0d c0 03 00 0a 00 ff-01 00 00 55 00 0b 00 04   ...........U....
00e0 - 03 00 01 02 00 0a 00 1c-00 1a 00 17 00 19 00 1c   ................
00f0 - 00 1b 00 18 00 1a 00 16-00 0e 00 0d 00 0b 00 0c   ................
0100 - 00 09 00 0a 00 23 00 00-00 0d 00 20 00 1e 06 01   .....#..... ....
0110 - 06 02 06 03 05 01 05 02-05 03 04 01 04 02 04 03   ................
0120 - 03 01 03 02 03 03 02 01-02 02 02 03 00 0f 00 01   ................
0130 - 01                                                .
read from 0xdb5010 [0xdbb300] (7 bytes => -1 (0xFFFFFFFFFFFFFFFF))
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 305 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1487159297
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

some network debug:

sudo tcpdump -n -i eth0 port 80 or port 443
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
08:16:32.097134 IP myip.56015 > myserverip.443: Flags [S], seq 2934315372, win 8192, options [mss 1452,nop,wscale 8,nop,nop,sackOK], length 0
08:16:32.097238 IP myserverip.443 > myip.56015: Flags [S.], seq 363667711, ack 2934315373, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
08:16:32.098754 IP myip.56014 > myserverip.443: Flags [S], seq 600640855, win 8192, options [mss 1452,nop,wscale 8,nop,nop,sackOK], length 0
08:16:32.098798 IP myserverip.443 > myip.56014: Flags [S.], seq 838969497, ack 600640856, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
08:16:32.344237 IP myip.56015 > myserverip.443: Flags [.], ack 1, win 64, length 0
08:16:32.344508 IP myserverip.443 > myip.56015: Flags [F.], seq 1, ack 1, win 229, length 0
08:16:32.345462 IP myip.56014 > myserverip.443: Flags [.], ack 1, win 64, length 0
08:16:32.345538 IP myserverip.443 > myip.56014: Flags [F.], seq 1, ack 1, win 229, length 0
08:16:32.345634 IP myip.56015 > myserverip.443: Flags [P.], seq 1:166, ack 1, win 64, length 165
08:16:32.345655 IP myserverip.443 > myip.56015: Flags [R], seq 363667712, win 0, length 0
08:16:32.345800 IP myip.56014 > myserverip.443: Flags [P.], seq 1:166, ack 1, win 64, length 165
08:16:32.345814 IP myserverip.443 > myip.56014: Flags [R], seq 838969498, win 0, length 0
08:16:32.587153 IP myip.56015 > myserverip.443: Flags [.], ack 2, win 64, length 0
08:16:32.587206 IP myserverip.443 > myip.56015: Flags [R], seq 363667713, win 0, length 0
08:16:32.588277 IP myip.56014 > myserverip.443: Flags [.], ack 2, win 64, length 0
08:16:32.588309 IP myserverip.443 > myip.56014: Flags [R], seq 838969499, win 0, length 0
08:16:32.588919 IP myip.56015 > myserverip.443: Flags [F.], seq 166, ack 2, win 64, length 0
08:16:32.588934 IP myserverip.443 > myip.56015: Flags [R], seq 363667713, win 0, length 0
08:16:32.597684 IP myip.56014 > myserverip.443: Flags [F.], seq 166, ack 2, win 64, length 0
08:16:32.597713 IP myserverip.443 > myip.56014: Flags [R], seq 838969499, win 0, length 0
08:16:32.598303 IP myip.56017 > myserverip.443: Flags [S], seq 1175791765, win 8192, options [mss 1452,nop,wscale 8,nop,nop,sackOK], length 0
08:16:32.598361 IP myserverip.443 > myip.56017: Flags [S.], seq 3583343505, ack 1175791766, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
08:16:32.842246 IP myip.56017 > myserverip.443: Flags [.], ack 1, win 64, length 0
08:16:32.842434 IP myserverip.443 > myip.56017: Flags [F.], seq 1, ack 1, win 229, length 0
08:16:32.843017 IP myip.56018 > myserverip.443: Flags [S], seq 1152101190, win 8192, options [mss 1452,nop,wscale 8,nop,nop,sackOK], length 0
08:16:32.843068 IP myserverip.443 > myip.56018: Flags [S.], seq 1493059739, ack 1152101191, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
08:16:32.858541 IP myip.56017 > myserverip.443: Flags [P.], seq 1:172, ack 1, win 64, length 171
08:16:32.858582 IP myserverip.443 > myip.56017: Flags [R], seq 3583343506, win 0, length 0
08:16:33.082638 IP myip.56017 > myserverip.443: Flags [.], ack 2, win 64, length 0
08:16:33.082688 IP myserverip.443 > myip.56017: Flags [R], seq 3583343507, win 0, length 0
08:16:33.082800 IP myip.56017 > myserverip.443: Flags [F.], seq 172, ack 2, win 64, length 0
08:16:33.082811 IP myserverip.443 > myip.56017: Flags [R], seq 3583343507, win 0, length 0
08:16:33.083298 IP myip.56018 > myserverip.443: Flags [.], ack 1, win 64, length 0
08:16:33.083455 IP myserverip.443 > myip.56018: Flags [F.], seq 1, ack 1, win 229, length 0
08:16:33.283115 IP myip.56019 > myserverip.443: Flags [S], seq 1894016244, win 8192, options [mss 1452,nop,wscale 8,nop,nop,sackOK], length 0
08:16:33.283213 IP myserverip.443 > myip.56019: Flags [S.], seq 3244723994, ack 1894016245, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
08:16:33.320006 IP myip.56018 > myserverip.443: Flags [.], ack 2, win 64, length 0
08:16:33.397840 IP myip.56018 > myserverip.443: Flags [F.], seq 1, ack 2, win 64, length 0
08:16:33.397925 IP myserverip.443 > myip.56018: Flags [.], ack 2, win 229, length 0
08:16:33.527033 IP myip.56022 > myserverip.443: Flags [S], seq 813585215, win 8192, options [mss 1452,nop,wscale 8,nop,nop,sackOK], length 0
08:16:33.527107 IP myserverip.443 > myip.56022: Flags [S.], seq 1206711519, ack 813585216, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
08:16:33.535086 IP myip.56019 > myserverip.443: Flags [.], ack 1, win 64, length 0
08:16:33.535258 IP myserverip.443 > myip.56019: Flags [F.], seq 1, ack 1, win 229, length 0
08:16:33.535823 IP myip.56019 > myserverip.443: Flags [P.], seq 1:166, ack 1, win 64, length 165
08:16:33.535851 IP myserverip.443 > myip.56019: Flags [R], seq 3244723995, win 0, length 0
08:16:33.802784 IP myip.56023 > myserverip.443: Flags [S], seq 1095053335, win 8192, options [mss 1452,nop,wscale 8,nop,nop,sackOK], length 0
08:16:33.802825 IP myserverip.443 > myip.56023: Flags [S.], seq 22107761, ack 1095053336, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
08:16:33.804091 IP myip.56022 > myserverip.443: Flags [.], ack 1, win 64, length 0
08:16:33.804222 IP myserverip.443 > myip.56022: Flags [F.], seq 1, ack 1, win 229, length 0
08:16:33.809068 IP myip.56019 > myserverip.443: Flags [.], ack 2, win 64, length 0
08:16:33.809084 IP myserverip.443 > myip.56019: Flags [R], seq 3244723996, win 0, length 0
08:16:33.810626 IP myip.56019 > myserverip.443: Flags [F.], seq 166, ack 2, win 64, length 0
08:16:33.810638 IP myserverip.443 > myip.56019: Flags [R], seq 3244723996, win 0, length 0
08:16:34.029139 IP myip.56024 > myserverip.443: Flags [S], seq 3085295716, win 8192, options [mss 1452,nop,wscale 8,nop,nop,sackOK], length 0
08:16:34.029183 IP myserverip.443 > myip.56024: Flags [S.], seq 1642672586, ack 3085295717, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
08:16:34.039865 IP myip.56023 > myserverip.443: Flags [.], ack 1, win 64, length 0
08:16:34.040011 IP myserverip.443 > myip.56023: Flags [F.], seq 1, ack 1, win 229, length 0
08:16:34.054363 IP myip.56022 > myserverip.443: Flags [.], ack 2, win 64, length 0
08:16:34.054821 IP myip.56023 > myserverip.443: Flags [P.], seq 1:172, ack 1, win 64, length 171
08:16:34.054841 IP myserverip.443 > myip.56023: Flags [R], seq 22107762, win 0, length 0
08:16:34.267730 IP myip.56024 > myserverip.443: Flags [.], ack 1, win 64, length 0
08:16:34.268000 IP myserverip.443 > myip.56024: Flags [F.], seq 1, ack 1, win 229, length 0
08:16:34.277506 IP myip.56023 > myserverip.443: Flags [.], ack 2, win 64, length 0
08:16:34.277529 IP myserverip.443 > myip.56023: Flags [R], seq 22107763, win 0, length 0
08:16:34.277539 IP myip.56023 > myserverip.443: Flags [F.], seq 172, ack 2, win 64, length 0
08:16:34.277541 IP myserverip.443 > myip.56023: Flags [R], seq 22107763, win 0, length 0
08:16:34.511174 IP myip.56024 > myserverip.443: Flags [.], ack 2, win 64, length 0
08:16:39.279437 IP myip.56024 > myserverip.443: Flags [F.], seq 1, ack 2, win 64, length 0
08:16:39.279472 IP myserverip.443 > myip.56024: Flags [.], ack 2, win 229, length 0
08:16:39.287059 IP myip.56022 > myserverip.443: Flags [F.], seq 1, ack 2, win 64, length 0
08:16:39.287075 IP myserverip.443 > myip.56022: Flags [.], ack 2, win 229, length 0
08:16:39.287921 IP myip.56025 > myserverip.443: Flags [S], seq 1826371421, win 8192, options [mss 1452,nop,wscale 8,nop,nop,sackOK], length 0
08:16:39.287964 IP myserverip.443 > myip.56025: Flags [S.], seq 3907985986, ack 1826371422, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
08:16:39.593767 IP myip.56025 > myserverip.443: Flags [.], ack 1, win 64, length 0
08:16:39.594140 IP myserverip.443 > myip.56025: Flags [F.], seq 1, ack 1, win 229, length 0
08:16:39.596209 IP myip.56025 > myserverip.443: Flags [P.], seq 1:166, ack 1, win 64, length 165
08:16:39.596273 IP myserverip.443 > myip.56025: Flags [R], seq 3907985987, win 0, length 0
08:16:39.600372 IP myip.56026 > myserverip.443: Flags [S], seq 3161132813, win 8192, options [mss 1452,nop,wscale 8,nop,nop,sackOK], length 0
08:16:39.600418 IP myserverip.443 > myip.56026: Flags [S.], seq 963446342, ack 3161132814, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
08:16:39.843597 IP myip.56025 > myserverip.443: Flags [F.], seq 166, ack 2, win 64, length 0
08:16:39.843647 IP myserverip.443 > myip.56025: Flags [R], seq 3907985988, win 0, length 0
08:16:39.843662 IP myip.56025 > myserverip.443: Flags [.], ack 2, win 64, length 0
08:16:39.843665 IP myserverip.443 > myip.56025: Flags [R], seq 3907985988, win 0, length 0
08:16:39.847118 IP myip.56026 > myserverip.443: Flags [.], ack 1, win 64, length 0
08:16:39.847314 IP myserverip.443 > myip.56026: Flags [F.], seq 1, ack 1, win 229, length 0
08:16:39.850032 IP myip.56027 > myserverip.443: Flags [S], seq 1053759215, win 8192, options [mss 1452,nop,wscale 8,nop,nop,sackOK], length 0
08:16:39.850072 IP myserverip.443 > myip.56027: Flags [S.], seq 1225009996, ack 1053759216, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
08:16:40.091448 IP myip.56026 > myserverip.443: Flags [.], ack 2, win 64, length 0
08:16:40.099805 IP myip.56028 > myserverip.443: Flags [S], seq 2645215989, win 8192, options [mss 1452,nop,wscale 8,nop,nop,sackOK], length 0
08:16:40.099842 IP myserverip.443 > myip.56028: Flags [S.], seq 4075160069, ack 2645215990, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
08:16:40.102220 IP myip.56027 > myserverip.443: Flags [.], ack 1, win 64, length 0
08:16:40.102390 IP myserverip.443 > myip.56027: Flags [F.], seq 1, ack 1, win 229, length 0
08:16:40.117653 IP myip.56027 > myserverip.443: Flags [P.], seq 1:172, ack 1, win 64, length 171
08:16:40.117686 IP myserverip.443 > myip.56027: Flags [R], seq 1225009997, win 0, length 0
08:16:40.340827 IP myip.56028 > myserverip.443: Flags [.], ack 1, win 64, length 0
08:16:40.341089 IP myserverip.443 > myip.56028: Flags [F.], seq 1, ack 1, win 229, length 0
08:16:40.378179 IP myip.56027 > myserverip.443: Flags [.], ack 2, win 64, length 0
08:16:40.378215 IP myserverip.443 > myip.56027: Flags [R], seq 1225009998, win 0, length 0
08:16:40.378231 IP myip.56027 > myserverip.443: Flags [F.], seq 172, ack 2, win 64, length 0
08:16:40.378235 IP myserverip.443 > myip.56027: Flags [R], seq 1225009998, win 0, length 0
08:16:40.578557 IP myip.56028 > myserverip.443: Flags [.], ack 2, win 64, length 0
08:16:44.326833 IP myip.56028 > myserverip.443: Flags [F.], seq 1, ack 2, win 64, length 0
08:16:44.326868 IP myserverip.443 > myip.56028: Flags [.], ack 2, win 229, length 0
08:16:44.333587 IP myip.56026 > myserverip.443: Flags [F.], seq 1, ack 2, win 64, length 0
08:16:44.333600 IP myserverip.443 > myip.56026: Flags [.], ack 2, win 229, length 0
^C
105 packets captured
106 packets received by filter
0 packets dropped by kernel
root@nilead-app:/nilead/theme# sudo tcpdump -n -i eth0 port 80 or port 443
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
08:17:59.490552 IP myip.56073 > myserverip.443: Flags [S], seq 4140883238, win 8192, options [mss 1452,nop,wscale 8,nop,nop,sackOK], length 0
08:17:59.490629 IP myserverip.443 > myip.56073: Flags [S.], seq 436041725, ack 4140883239, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
08:17:59.494939 IP myip.56074 > myserverip.443: Flags [S], seq 1250819806, win 8192, options [mss 1452,nop,wscale 8,nop,nop,sackOK], length 0
08:17:59.494965 IP myserverip.443 > myip.56074: Flags [S.], seq 4137076167, ack 1250819807, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
08:17:59.791509 IP myip.56073 > myserverip.443: Flags [.], ack 1, win 64, length 0
08:17:59.791911 IP myserverip.443 > myip.56073: Flags [F.], seq 1, ack 1, win 229, length 0
08:17:59.802168 IP myip.56073 > myserverip.443: Flags [P.], seq 1:166, ack 1, win 64, length 165
08:17:59.802239 IP myserverip.443 > myip.56073: Flags [R], seq 436041726, win 0, length 0
08:17:59.815641 IP myip.56077 > myserverip.443: Flags [S], seq 4078944871, win 8192, options [mss 1452,nop,wscale 8,nop,nop,sackOK], length 0
08:17:59.815683 IP myserverip.443 > myip.56077: Flags [S.], seq 975554701, ack 4078944872, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
08:17:59.837726 IP myip.56074 > myserverip.443: Flags [.], ack 1, win 64, length 0
08:17:59.837789 IP myip.56074 > myserverip.443: Flags [P.], seq 1:166, ack 1, win 64, length 165
08:17:59.837805 IP myserverip.443 > myip.56074: Flags [.], ack 166, win 237, length 0
08:17:59.838092 IP myserverip.443 > myip.56074: Flags [R.], seq 1, ack 166, win 237, length 0
08:18:00.064210 IP myip.56073 > myserverip.443: Flags [.], ack 2, win 64, length 0
08:18:00.064262 IP myserverip.443 > myip.56073: Flags [R], seq 436041727, win 0, length 0
08:18:00.068103 IP myip.56073 > myserverip.443: Flags [F.], seq 166, ack 2, win 64, length 0
08:18:00.068124 IP myserverip.443 > myip.56073: Flags [R], seq 436041727, win 0, length 0
08:18:00.079339 IP myip.56077 > myserverip.443: Flags [.], ack 1, win 64, length 0
08:18:00.079559 IP myserverip.443 > myip.56077: Flags [F.], seq 1, ack 1, win 229, length 0
08:18:00.082047 IP myip.56078 > myserverip.443: Flags [S], seq 874023007, win 8192, options [mss 1452,nop,wscale 8,nop,nop,sackOK], length 0
08:18:00.082101 IP myserverip.443 > myip.56078: Flags [S.], seq 3249174803, ack 874023008, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
08:18:00.341409 IP myip.56079 > myserverip.443: Flags [S], seq 2253393656, win 8192, options [mss 1452,nop,wscale 8,nop,nop,sackOK], length 0
08:18:00.341437 IP myserverip.443 > myip.56079: Flags [S.], seq 2355967804, ack 2253393657, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
08:18:00.349187 IP myip.56077 > myserverip.443: Flags [.], ack 2, win 64, length 0
08:18:00.357741 IP myip.56078 > myserverip.443: Flags [.], ack 1, win 64, length 0
08:18:00.357922 IP myserverip.443 > myip.56078: Flags [F.], seq 1, ack 1, win 229, length 0
08:18:00.377426 IP myip.56078 > myserverip.443: Flags [P.], seq 1:172, ack 1, win 64, length 171
08:18:00.377477 IP myserverip.443 > myip.56078: Flags [R], seq 3249174804, win 0, length 0
08:18:00.610844 IP myip.56079 > myserverip.443: Flags [.], ack 1, win 64, length 0
08:18:00.611058 IP myserverip.443 > myip.56079: Flags [F.], seq 1, ack 1, win 229, length 0
08:18:00.619253 IP myip.56078 > myserverip.443: Flags [.], ack 2, win 64, length 0
08:18:00.619312 IP myserverip.443 > myip.56078: Flags [R], seq 3249174805, win 0, length 0
08:18:00.619332 IP myip.56078 > myserverip.443: Flags [F.], seq 172, ack 2, win 64, length 0
08:18:00.619334 IP myserverip.443 > myip.56078: Flags [R], seq 3249174805, win 0, length 0
08:18:00.877467 IP myip.56079 > myserverip.443: Flags [.], ack 2, win 64, length 0
08:18:00.969848 IP myip.56079 > myserverip.443: Flags [F.], seq 1, ack 2, win 64, length 0
08:18:00.969881 IP myserverip.443 > myip.56079: Flags [.], ack 2, win 229, length 0
08:18:00.979810 IP myip.56077 > myserverip.443: Flags [F.], seq 1, ack 2, win 64, length 0
08:18:00.979876 IP myserverip.443 > myip.56077: Flags [.], ack 2, win 229, length 0
08:18:10.423048 IP myip.56084 > myserverip.80: Flags [S], seq 1953512023, win 8192, options [mss 1452,nop,wscale 8,nop,nop,sackOK], length 0
08:18:10.423096 IP myserverip.80 > myip.56084: Flags [S.], seq 2835314279, ack 1953512024, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
08:18:10.425816 IP myip.56086 > myserverip.80: Flags [S], seq 1830331223, win 8192, options [mss 1452,nop,wscale 8,nop,nop,sackOK], length 0
08:18:10.425846 IP myserverip.80 > myip.56086: Flags [S.], seq 1579049320, ack 1830331224, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
08:18:10.427952 IP myip.56085 > myserverip.80: Flags [S], seq 233630384, win 8192, options [mss 1452,nop,wscale 8,nop,nop,sackOK], length 0
08:18:10.428034 IP myserverip.80 > myip.56085: Flags [S.], seq 557462937, ack 233630385, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
08:18:10.430875 IP myip.56083 > myserverip.80: Flags [S], seq 2406686340, win 8192, options [mss 1452,nop,wscale 8,nop,nop,sackOK], length 0
08:18:10.430917 IP myserverip.80 > myip.56083: Flags [S.], seq 3592789106, ack 2406686341, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
08:18:10.660601 IP myip.56084 > myserverip.80: Flags [.], ack 1, win 64, length 0
08:18:10.664797 IP myip.56085 > myserverip.80: Flags [.], ack 1, win 64, length 0
08:18:10.669508 IP myip.56086 > myserverip.80: Flags [.], ack 1, win 64, length 0
08:18:10.675437 IP myip.56083 > myserverip.80: Flags [.], ack 1, win 64, length 0
08:18:10.766432 IP myip.56085 > myserverip.80: Flags [P.], seq 1:1000, ack 1, win 64, length 999: HTTP: GET / HTTP/1.1
08:18:10.766481 IP myserverip.80 > myip.56085: Flags [.], ack 1000, win 244, length 0
08:18:10.942281 IP myserverip.80 > myip.56085: Flags [.], seq 1:2905, ack 1000, win 244, length 2904: HTTP: HTTP/1.1 200 OK
08:18:10.942316 IP myserverip.80 > myip.56085: Flags [.], seq 2905:5809, ack 1000, win 244, length 2904: HTTP
08:18:10.942320 IP myserverip.80 > myip.56085: Flags [.], seq 5809:8713, ack 1000, win 244, length 2904: HTTP
08:18:10.942324 IP myserverip.80 > myip.56085: Flags [P.], seq 8713:10165, ack 1000, win 244, length 1452: HTTP
08:18:10.942328 IP myserverip.80 > myip.56085: Flags [P.], seq 10165:11670, ack 1000, win 244, length 1505: HTTP
08:18:11.187559 IP myip.56085 > myserverip.80: Flags [.], ack 2905, win 64, length 0
08:18:11.187757 IP myip.56085 > myserverip.80: Flags [.], ack 5809, win 64, length 0
08:18:11.187977 IP myip.56085 > myserverip.80: Flags [.], ack 11670, win 64, length 0

Any pointer will greatly help, I tried everything but as you can see I'm not very familiar with setting up SSL.

mr1031011
  • 215
  • 1
  • 3
  • 8
  • You have to create a completly different virtualhost. Not use the same one as the non HTTPS one. – Orphans Feb 15 '17 at 12:04
  • According to nginx document, it seems like it's possible to place all in the same block? http://nginx.org/en/docs/http/configuring_https_servers.html (check A single HTTP/HTTPS server section) – mr1031011 Feb 15 '17 at 14:21
  • Please include the complete configuration and `curl` output in the question itself, not behind external links. And you might want to have http -> https redirect anyway, and you need separate virtual hosts then. – Tero Kilkanen Feb 15 '17 at 15:29
  • @TeroKilkanen I included the content on the question but it looked very messy, the code and block quote didn't seem to work quite well so I put it on gist to make it easier to see. I understand your point of separating the http and https block, which I will do. However, I don't think putting them together is the cause of the error since i tried to comment out the http part which did not help. – mr1031011 Feb 15 '17 at 16:36
  • I formatted and added the details to the question :) – mr1031011 Feb 15 '17 at 16:42
  • @mr1031011 please include your entire nginx config. Something else is missing. Much of what you've included would be clearer separated out into the http { } block (such as ciphers). Some of the reasons you've included the odder directives, such as resolver and stapling, would be helpful— you should always justify the directives you include. – Ryder Feb 15 '17 at 21:09
  • Is there anything in the nginx logs especially error log? If not can you put a network trace on (or very near) the server and make sure it is actually receiving the clienthello? – dave_thompson_085 Feb 16 '17 at 00:03
  • @Ryder I posted now the complete nginx. You are right some part could be separated into separated file, I included them all inside for clarity. In the production environment I will separate them. – mr1031011 Feb 16 '17 at 06:58
  • There are some working example configurations you can download as part of a tutorial I wrote here. These run my website, which works only on https, once the server_name is changed. Start simple, you have a lot of things in there that aren't critical, go minimal to start with. https://www.photographerstechsupport.com/tutorials/hosting-wordpress-on-aws-tutorial-pt1-introduction-configuration-downloads/#wpmu-nginx-configuration-files – Tim Feb 16 '17 at 07:05
  • @dave_thompson_085 it's strange but i dont see any error in the syslog and the nginx log for that specific site. I'm looking into how to setup network trace as im not familiar with it. – mr1031011 Feb 16 '17 at 07:38
  • @Tim thank you i will see if it works for a minimal configuration, it's just weird because this same config was used on my other server. – mr1031011 Feb 16 '17 at 07:39
  • Simple case for Ubuntu: determine which interface should receive the traffic e.g. `eth0` and in a terminal (possibly a remote one with ssh) do `sudo tcpdump -n -i eth0 port 80 or port 443` then try both an HTTP request and an HTTPS one. This will not give all details but it will be enough to see if your server is actually getting both types of connection or not. – dave_thompson_085 Feb 17 '17 at 04:29
  • @dave_thompson_085 Im very sorry for the late response, I was stuck with other issues. I have used the command as you mentioned, no idea what the output means though. – mr1031011 Mar 08 '17 at 08:20

0 Answers0