This is my first time asking a question here.
Please forgive me if anything is unfamiliar or comes across as rude.

I would like to install SSL on a Sakura VPS server and build a website.
When SSL is set up according to the procedure, an error is displayed and no connection can be established.
The server certificate and the intermediate certificate are incomplete; since ssl.crt was created by pasting into vim and saving, there is no possibility of typos.
I have sent an email to Sakura VPS support for the time being, but I think there might be a flaw in my settings,
so I am posting here.

Error message

This site cannot connect securely
An invalid response was sent from sample-web.com.
ERR_SSL_PROTOCOL_ERROR

Applicable source code

# nginx.conf
user nginx;
worker_processes auto;
worker_rlimit_nofile 100000;

error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;

events {
    worker_connections 2048;
    multi_accept on;
    use epoll;
}

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/nginx/access.log main;
    server_tokens off;
    sendfile on;
    #tcp_nopush on;
    keepalive_timeout 10;
    client_header_timeout 10;
    client_body_timeout 10;
    reset_timedout_connection on;
    send_timeout 10;
    limit_conn_zone $binary_remote_addr zone=addr:5m;
    limit_conn addr 100;
    gzip on;
    gzip_http_version 1.0;
    gzip_disable "msie6";
    gzip_proxied any;
    gzip_min_length 1024;
    gzip_comp_level 6;
    gzip_types text/plain text/css application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript application/json;
    open_file_cache max=100000 inactive=20s;
    open_file_cache_valid 30s;
    open_file_cache_min_uses 2;
    open_file_cache_errors on;

    include /etc/nginx/conf.d/*.conf;
}

server {
    listen 443 ssl;
    ssl_certificate /etc/nginx/ssl/ssl.crt;            # crt file
    ssl_certificate_key /etc/pki/tls/certs/server.key; # secret key
    server_name sample-web.com;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;
    ssl_prefer_server_ciphers on;
    location / {
        root /usr/share/nginx/html;
        index index.html;
    }
}

Tried

Is there a flaw in the Nginx settings?

nginx -t
↓
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful


Can I connect over http?

server {
    listen 80;
    server_name sample-web.com;
    charset koi8-r;
    access_log /var/log/nginx/host.access.log main;

    location / {
        root /usr/share/nginx/html;
        index index.html index.htm;
    }
}
↓
index.html is displayed

Check firewall settings

firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: dhcpv6-client ssh-51110 http https
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
Following the answer given below, I confirmed with openssl:

CONNECTED(00000003)
139875657488272:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:794:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 289 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol: TLSv1.2
    Cipher: 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg: None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1535102954
    Timeout: 300 (sec)
    Verify return code: 0 (ok)
---


I added "172.16.0.1 (the website's IP address) sample-web.com" to the hosts file and ran openssl again -> the same error occurred.

Are the private key, the CSR, and the certificate complete?

Check the modulus of the CSR
openssl req -in server.csr -modulus -noout
Check the modulus of the SSL server certificate
openssl x509 -in ssl.crt -modulus -noout
Check the modulus of the private key
openssl rsa -in server.key -modulus -noout
Consistency confirmed.

Check that the private key is not damaged
openssl rsa -in server.key -check -noout
No problem.

Check the SSL certificate contents
openssl x509 -in ssl.crt -text -noout
Subject: CN = sample-web.com
CPS: https://www.digicert.com/CPS
I did not see any incomplete certificate settings.
Supplemental information (FW/tool version etc.)

CentOS Linux release 7.5.1804 (Core)
nginx version: nginx/1.15.2
SSL: RapidSSL (DigiCert), newly issued on August 18

  • Answer # 1

    Thank you for reading.
    Since the problem has been resolved, I will describe the procedure here.
    I don't know how much it will help, but if you have the same symptoms, try it.

    First, I edited /etc/nginx/conf.d/***.conf again.

    server {
        listen 443 ssl;
        ssl_certificate /etc/nginx/ssl/ssl.crt;
        ssl_certificate_key /etc/pki/tls/certs/server.key;
        server_name sample-web.com;
        ssl_session_cache shared:SSL:1m;        # added
        ssl_session_timeout 5m;                 # added
        ssl_ciphers HIGH:!aNULL:!MD5;           # added
        ssl_prefer_server_ciphers on;           # added
        ssl_protocols TLSv1.1 TLSv1.2;          # added
        ssl_stapling on;                        # added
        resolver 000.000.000.000 valid=300s;    # added (enter the server's IP address here)
        location / {
            root /usr/share/nginx/html;
            index index.html index.htm;
        }
    }

    Then, instead of nginx -s reload, I stopped nginx once with nginx -s stop,
    and when I started it again with nginx, index.html was displayed successfully over https.

    It was a pretty fuzzy self-solve, but I'm glad the site was successfully switched to https.
    Thank you very much, daisuke 7.

  • Answer # 2

    How about checking the certificate with the openssl s_client command?

    Example: I want to check the certificate information with the openssl command.
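As an added example that is not part of the original question or answers, the shell functions below combine the two checks discussed on this page: the private key / certificate / CSR consistency check from the question's "Tried" section, and the openssl s_client probe suggested in Answer #2. It compares SHA-256 fingerprints of the public key instead of the RSA modulus, so it also covers ECDSA keys; the file names and sample-web.com are the question's placeholders, and the "unknown protocol" (OpenSSL 1.0) or "wrong version number" (OpenSSL 1.1+) message is what a plaintext answer on port 443 produces.

```shell
#!/bin/sh
# Added example (not from the original post). File paths and host name are
# arguments; sample-web.com is the question's placeholder host.

# Print the public key (PEM) carried by a private key, a certificate or a CSR.
pubkey_pem() {  # $1 = path, $2 = key|crt|csr
  case "$2" in
    key) openssl pkey -in "$1" -pubout ;;
    crt) openssl x509 -in "$1" -pubkey -noout ;;
    csr) openssl req -in "$1" -pubkey -noout ;;
    *)   echo "unknown kind: $2" >&2; return 2 ;;
  esac
}

# SHA-256 fingerprint of that public key; fails if the file cannot be parsed,
# so two unreadable files never "match" by hashing empty input.
pubkey_fp() {  # $1 = path, $2 = key|crt|csr
  pem=$(pubkey_pem "$1" "$2") || return 1
  printf '%s\n' "$pem" | openssl dgst -sha256 | sed 's/^.*= *//'
}

# Succeeds (prints "match") only if key, certificate and optional CSR all
# carry the same public key; this is the page's modulus check generalised.
material_matches() {  # $1 = key, $2 = crt, $3 = csr (optional)
  k=$(pubkey_fp "$1" key) || return 1
  c=$(pubkey_fp "$2" crt) || return 1
  [ "$k" = "$c" ] || { echo "private key and certificate do not match" >&2; return 1; }
  if [ -n "$3" ]; then
    r=$(pubkey_fp "$3" csr) || return 1
    [ "$k" = "$r" ] || { echo "CSR does not match private key" >&2; return 1; }
  fi
  echo match
}

# Classify what a host answers on a port, using openssl s_client as Answer #2
# suggests. The plaintext verdict is checked first because, as in the
# question's output, "Verify return code: 0 (ok)" is printed even when no
# TLS handshake took place.
probe_tls() {  # $1 = host, $2 = port; prints a one-word verdict
  out=$(printf '' | openssl s_client -connect "$1:$2" -servername "$1" 2>&1)
  case "$out" in
    *"unknown protocol"*|*"wrong version number"*) echo plaintext-on-port ;;
    *"Verify return code: 0 (ok)"*)                echo tls-ok ;;
    *"Verify return code:"*)                       echo tls-chain-problem ;;
    *)                                             echo no-connection ;;
  esac
}

# Usage: material_matches server.key ssl.crt server.csr && probe_tls sample-web.com 443
```

A "plaintext-on-port" verdict means the nginx process actually serving port 443 is not using the ssl server block, which is the situation the stop/start in Answer #1 cleared up.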