
Resolved 502 Bad gateway with "Let's Encrypt" domain

aernative

Have followed all the suggestions I can find regarding this but nothing is sorting the problem.

Essentially - WordPress site (whether that has anything to do with it I don't know...) - PHP settings/Apache settings - no combination makes any difference... Still get the same in the error log -

tail /var/www/vhosts/DOMAIN.com/logs/error_log

[Tue Sep 27 17:18:14.965210 2016] [ssl:error] [pid 24038:tid 140642564273920] [client 213.105.155.226:41814] AH02261: Re-negotiation handshake failed: Not accepted by client!?
[Tue Sep 27 17:18:15.094964 2016] [ssl:error] [pid 24038:tid 140642361489152] [client 213.105.155.226:41816] AH02261: Re-negotiation handshake failed: Not accepted by client!?, referer: https://www.DOMAIN.com/


Just tried with new domain - and all I get is -

502 Bad Gateway
nginx

I've tried the various nginx configuration tweaks, and reverted them since they made no difference...

Any pointers appreciated...

P.S. Also tried the one hit wonder Plesk fix everything tool and it just broke other things, however it still didn't fix this issue.
 
Having seen a similar issue https://talk.plesk.com/threads/letsencrypt.339350/ tried installing the last patches again -

plesk installer --select-release-current --reinstall-patch --upgrade-installed-components

No difference - still getting bad gateway.

Also - I do have a domain with a regular SSL certificate and that domain works no problem...! I've only got one IP assigned - is this related to SNI I wonder....

BINGO - think I know what the problem is now - disabling the other certificate and having just one enabled works - which leads me to believe this is lack of SNI support... time for a google...
 
Note - solved this - I don't know why - if you have a domain with your own SSL certificate and you later add more domains and use LetsEncrypt that is the problem - it appears if you're using letsencrypt *you have to use that software with all domains* requiring SSL presently as otherwise you may get the 502 bad gateway!
 
OK - I've now found more info - I also get 502 Gateway issues if one of the domains secured by letsencrypt is also the same domain used by plesk admin - as soon as you do this all the domains are 502 except the domain matching the control panel domain.

The only way I can get around this is to turn off the SSL for my main domain altogether (smb/web/settings/id/X - SSL support unchecked)! - that enables it for all the others if that domain is the domain securing Plesk too... which is a real problem since I want my main domain to work with both control panel and our main site...

Any pointers appreciated!
 
Now looks like this is a problem with one domain only - our main domain, can't enable letsencrypt for that domain without all the others returning bad gateway!

Very frustrating.... no idea where to look...
 
Solved this now.

Had some entries in the - Apache & nginx Settings settings - specifically -

Additional directives for HTTPS

SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"

Removing the above from the domain in question, everything works again...

However it does beg the question where do you set the Cipher suite and SSL global options in Plesk... that's another issue anyway, anyone experiencing this problem would do well to clear any directives and work back - I'd missed these settings completely...
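
An added example, not part of the original post or of Plesk's own tooling: a small script that lists which domains carry per-domain TLS directives like the ones removed above, so they can be cleared and re-added one at a time. It assumes Plesk on Linux stores each domain's "Additional directives for HTTPS" in /var/www/vhosts/system/DOMAIN/conf/vhost_ssl.conf; the function names and the sample domains are made up for the example.

```shell
#!/usr/bin/env bash
# Assumption: <root>/<domain>/conf/vhost_ssl.conf holds the per-domain HTTPS directives.
VHOST_ROOT_DEFAULT="/var/www/vhosts/system"
# The mod_ssl directives named in the thread (matched case-insensitively, as Apache does).
TLS_DIRECTIVES='SSLEngine|SSLProtocol|SSLHonorCipherOrder|SSLCipherSuite'

# Print "domain:line-number:directive" for every per-domain TLS override found.
find_tls_overrides() {
    local root="${1:-$VHOST_ROOT_DEFAULT}" conf domain
    for conf in "$root"/*/conf/vhost_ssl.conf; do
        [ -f "$conf" ] || continue
        domain="${conf#"$root"/}"
        domain="${domain%%/*}"
        # Commented-out lines do not match because the pattern is anchored.
        grep -Ein "^[[:space:]]*(($TLS_DIRECTIVES)[[:space:]]|Header[[:space:]].*Strict-Transport-Security)" "$conf" \
            | while IFS= read -r line; do printf '%s:%s\n' "$domain" "$line"; done
    done
}

# Number of distinct domains that carry at least one override.
count_domains_with_overrides() {
    find_tls_overrides "$1" | cut -d: -f1 | sort -u | wc -l | tr -d ' '
}

# Constructed sample tree: one domain with directives from the thread, one without.
make_sample_tree() {
    local root
    root="$(mktemp -d)"
    mkdir -p "$root/main.example/conf" "$root/other.example/conf"
    cat > "$root/main.example/conf/vhost_ssl.conf" <<'EOF'
# constructed sample, directives taken from the thread
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
EOF
    printf '%s\n' '# no TLS overrides' 'php_value memory_limit 128M' \
        > "$root/other.example/conf/vhost_ssl.conf"
    printf '%s\n' "$root"
}

# Usage: ./script.sh /var/www/vhosts/system
if [ "$#" -gt 0 ]; then
    find_tls_overrides "$1"
fi
```

After clearing the listed directives, re-test each HTTPS site before adding any of them back.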
 
In my case (Plesk 17 on CentOS 7) I was able to solve this by uninstalling the letsencrypt extension, then running

plesk installer --select-release-current --reinstall-patch --upgrade-installed-components

and installing the extension again
 