NGINX SSL set up

Trying to add an SSL certificate to a site. It was working before the SSL, but now trying to connect to it times out. My nginx conf file is:
server {
    listen 80 default_server;
    listen [::]:80;
    server_name gpsuk.net;
    # Redirect all HTTP requests to HTTPS with a 301 Moved Permanently response.
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    # Webroot Directory for Laravel project
    root /var/www/html/laravel/public;
    index index.php index.html index.htm;
    server_name gpsuk.net;
    # ssl on;
    ssl_certificate /etc/nginx/ssl/gpsuk_net/ssl-bundle.crt;
    ssl_certificate_key /etc/nginx/ssl/gpsuk_net/gpsuk_net.key;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/nginx/ssl/dhparam.pem;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    #ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
    # OCSP Stapling ---
    # fetch OCSP records from URL in ssl_certificate and cache them
    ssl_stapling on;
    ssl_stapling_verify on;
    add_header Strict-Transport-Security max-age=15768000;
    # Log files for Debugging
    access_log /var/log/nginx/laravel-access.log;
    error_log /var/log/nginx/laravel-error.log;
    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }
    # include snippets/phpmyadmin.conf;
    include /etc/nginx/snippets/phpMyAdmin.conf;
    # PHP-FPM Configuration Nginx
    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/run/php-fpm/php-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}
When you are configuring and testing SSL, you don't want the Strict-Transport-Security header or the OCSP stapling enabled until after you're sure everything is working.
It looks like your domain currently resolves to two different IP addresses. Depending on your setup, this may be valid but can make debugging a single server issue harder.
Nothing stands out to me in your config file but when checking from multiple sources it does seem like the server fails to respond. I'd check your nginx log files. If the log files for this site don't have any failure details then look for generic nginx log files as well.
Nothing stands out in the error logs, unless I'm looking at the wrong ones. Which would you recommend looking at?
The default log location is logs/error.log; according to the docs, the absolute path depends on the operating system and installation. https://docs.nginx.com/nginx/admin-guide/monitoring/logging/ might provide more details.
If you still don't see anything in the log then I'd try a different set of ciphers.
This is what I have on my server:
ssl_protocols TLSv1.2;
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
ssl_prefer_server_ciphers on;
Thanks for your help kbush.
Following your original reply saying the config looks ok, I spoke to the host. Apparently port 443 was closed on their end, so all my testing to see if the firewall had it open, etc. didn't show anything up.
They opened it and now it's working.
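
Added example, not part of the original thread: a probe that checks each address a name resolves to and separates a connection that times out before nginx is ever reached (the symptom in this thread) from a refused port, a failed TLS handshake, or a certificate problem. The function names `probe` and `probe_all` and the result labels are this example's own.

```python
import socket
import ssl
import sys

def probe(ip, server_name, port=443, timeout=3.0):
    """Classify how one address answers on the HTTPS port."""
    try:
        sock = socket.create_connection((ip, port), timeout=timeout)
    except socket.timeout:
        return "filtered"     # no reply at all: packets dropped before nginx
    except ConnectionRefusedError:
        return "closed"       # host answered with RST: nothing listening
    except OSError:
        return "unreachable"  # routing or address-family problem
    ctx = ssl.create_default_context()  # certificate and hostname checks stay on
    try:
        with ctx.wrap_socket(sock, server_hostname=server_name) as tls:
            return "ok " + tls.version()
    except ssl.SSLCertVerificationError:
        return "cert_error"   # TLS reachable, chain or name does not validate
    except (ssl.SSLError, OSError):
        return "tls_error"    # TCP open, but the handshake failed or stalled

def probe_all(host, port=443, timeout=3.0):
    """Probe every address the name resolves to; return {ip: result}."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    ips = sorted({info[4][0] for info in infos})
    return {ip: probe(ip, host, port, timeout) for ip in ips}

if __name__ == "__main__" and len(sys.argv) > 1:
    # Usage: python probe.py <hostname>
    for ip, result in probe_all(sys.argv[1]).items():
        print(f"{ip:40} {result}")
```

A "filtered" result for an address while `nginx -t` passes and the error log stays empty points at filtering in front of the server rather than at the nginx configuration.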