I added an Nginx as reverse proxy for my Node server, my certificates were generated by Let's Encrypt Certbot. Everything works fine when my Node is listening on port 443 and using the certificates, but when I use Nginx for listening on port 443 using the same certificates, I am having this error (from browser):
(failed)net::ERR_SSL_PROTOCOL_ERROR
Here is my Nginx sites-available conf for my domain:
server {
    listen 443 ssl;
    server_name xxxxxx.hstgr.cloud;
    ssl_certificate /...path.../fullchain.pem;
    ssl_certificate_key /...path.../privkey.pem;
    location / {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $host;
        proxy_pass http://127.0.0.1:3000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        location /.well-known/acme-challenge/ {
            autoindex on;
            root /...path.../.well-known/acme-challenge;
        }
    }
}
Can anyone enlighten me as to what is wrong with this conf, giving the ERR_SSL_PROTOCOL_ERROR?
OK, here is the checklist of everything I did, including the steps that were already valid for me. Maybe it can help someone else:
Make sure the configuration file in sites-available that you are working on is enabled for Nginx:
ls -l /etc/nginx/sites-enabled/
You should see a symlink with the same name as your file in sites-available. If not, you need to create it.
Make sure the Nginx configuration is correct:
sudo nginx -t
It should confirm that the test was successful. If not, fix it according to the message.
Make sure the certificates and the paths you are trying to use in your configuration file are correct (in my case):
sudo ls -l /etc/letsencrypt/live/xxxxxx.hstgr.cloud/
This should list the required files. If not, regenerate your certificates or update their paths.
At the same time, make sure your certificate permissions allow Nginx to access them. If not, fix them.
Make sure your certificate is not expired (in my case):
openssl x509 -in /etc/letsencrypt/live/xxxxxxx.hstgr.cloud/fullchain.pem -noout -text | grep "Not After"
If the expiration date has passed, regenerate your certificates.
Make sure there are no compatibility issues between your private and public keys (in my case):
openssl x509 -noout -modulus -in /etc/letsencrypt/live/xxxxxx.hstgr.cloud/fullchain.pem | openssl md5
openssl rsa -noout -modulus -in /etc/letsencrypt/live/xxxxxx.hstgr.cloud/privkey.pem | openssl md5
You should see the same string twice. If not, regenerate your certificates.
Make sure the correct file is loaded for port 443:
sudo nginx -T | grep -i "listen 443"
You should see something like listen 443 ssl;
In my case, there was an issue because I had listen 443 default_server;
Check the configurations that are listening on port 443:
sudo grep -R "listen 443" /etc/nginx/
In my case I had a line with /etc/nginx/sites-enabled/default.conf: listen 443 default_server;
The default.conf file was causing a conflict with my sites-available configuration because it was already listening on port 443 without SSL. So I removed the file and it fixed the error for me.
I hope this process can help people having issues with SSL configuration in Nginx. If you have anything to add to the checklist, feel free to update my post.
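The last two checklist steps (finding every `listen 443` across the Nginx tree and spotting the one without the `ssl` parameter) can be automated. The script below is an added example, not code from the post: it parses `listen` directives from config text, ignores comments, normalises address forms (`443`, `*:443`, `[::]:443`, `unix:` sockets) and reports every listener on the TLS port that lacks `ssl`. The file names, server name and config contents are constructed to mirror the situation in the post.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample modelled on the post: the site file serves 443 with ssl,
# while a leftover default.conf also claims port 443 without the ssl parameter.
SAMPLE_CONFIGS: Dict[str, str] = {
    "/etc/nginx/sites-enabled/example.conf": """
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.hstgr.cloud;
}
""",
    "/etc/nginx/sites-enabled/default.conf": """
server {
    listen 80 default_server;
    listen 443 default_server;  # plaintext HTTP on the TLS port
}
""",
}

# A listen directive: the keyword, its parameters, up to the terminating ';'
LISTEN_RE = re.compile(r"\blisten\s+([^;]+);")


def port_of(address: str) -> Optional[str]:
    """Port of a listen address (443, *:443, 0.0.0.0:443, [::]:443); None for unix: sockets."""
    if address.startswith("unix:"):
        return None
    if address.isdigit():
        return address
    m = re.search(r":(\d+)$", address)
    return m.group(1) if m else None


def find_plaintext_listeners(configs: Dict[str, str], port: str = "443") -> List[Tuple[str, str]]:
    """Return (path, directive) for every listen on `port` that lacks the ssl parameter."""
    findings = []
    for path, text in configs.items():
        text = re.sub(r"#.*", "", text)  # drop comments before matching
        for m in LISTEN_RE.finditer(text):
            params = m.group(1).split()
            if port_of(params[0]) != port:
                continue
            if "ssl" not in params[1:]:
                findings.append((path, "listen " + " ".join(params) + ";"))
    return findings


if __name__ == "__main__":
    for path, directive in find_plaintext_listeners(SAMPLE_CONFIGS):
        print(f"{path}: {directive}  <- plaintext listener on the TLS port")
```

On a real host, feed it the output of `sudo nginx -T` (split per file) rather than the embedded sample, since `nginx -T` shows the configuration Nginx actually loads, including files pulled in by `include`.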