
Resolved nginx ssl not working

Thomas Horster

New Pleskian
Hey guys,

I am using Plesk Onyx together with Let's Encrypt and I have generated several certificates for my domains.
SSL is activated for all domains and the Let's Encrypt certificate is set appropriately, but I still get this error in the nginx logs:
Code:
no "ssl_certificate" is defined in server listening on SSL port while SSL handshaking

What I have tried so far:
  • /usr/local/psa/bootstrapper/pp17.0.17-bootstrapper/bootstrapper.sh repair
  • /usr/local/psa/admin/sbin/httpdmng --reconfigure-all
  • turning ssl on and off for domain
  • checking the nginx configs to include the certs
  • /usr/local/psa/admin/bin/autoinstaller --select-product-id plesk --select-release-current --reinstall-patch --install-component base
  • checked my firewall if ports are open correctly
  • plesk repair all
  • try with a self-signed certificate -> same result
What I did after upgrading to onyx (in case you need to know)
  • enable http2
  • installed let's encrypt and added certs
  • moved some sites to php7
I do not know if SSL worked with plesk 12 before, because I did not use it. I tried nearly every solution I could find on the net, but I am running out of ideas. Any hints?

Thanks in advance!
 
Do you have any custom directives set in Nginx or are you not using the default Nginx setup provided by Plesk in any way?
 
This should not happen with a default installation. For an unknown reason, either the Nginx default configuration file or the individual vhost configuration file probably has a syntax error. It can be a very simple thing, e.g. a missing semicolon, or an additional "default_server" entry that is misplaced in a vhost.

- What Plesk extensions have you activated?
- Could you please post one Nginx configuration file as you have it for any subscription of your choice that leads to the issue? For your safety & privacy please replace your real subscription domain name with something like "example.com" before posting.
 
Yes, that's what I was guessing as well, but I see no problems whatsoever. I also verified the paths of the certificates already, they seem to be correct.

Extensions I have installed:
plesk.png



Code:
server {
        listen xx.xx.xx.xx:443 ssl http2;

        server_name somesite.de;
        server_name www.somesite.de;
        server_name ipv4.somesite.de;

        ssl_certificate             /opt/psa/var/certificates/cert-SUzwE6;
        ssl_certificate_key         /opt/psa/var/certificates/cert-SUzwE6;
        ssl_client_certificate      /opt/psa/var/certificates/cert-tY6aYW;

        client_max_body_size 128m;

        proxy_read_timeout 3000;

        root "/var/www/vhosts/somesite.de/httpdocs";
        access_log "/var/www/vhosts/system/somesite.de/logs/proxy_access_ssl_log";
        error_log "/var/www/vhosts/system/somesite.de/logs/proxy_error_log";

        if ($host ~* ^www\.somesite\.de$) {
                rewrite ^(.*)$ https://somesite.de$1 permanent;
        }

        location / {
                proxy_pass https://xx.xx.xx.xx:7081;
                proxy_set_header Host             $host;
                proxy_set_header X-Real-IP        $remote_addr;
                proxy_set_header X-Forwarded-For  $proxy_add_x_forwarded_for;
                proxy_set_header X-Accel-Internal /internal-nginx-static-location;
                access_log off;
        }

        location /internal-nginx-static-location/ {
                alias /var/www/vhosts/somesite.de/httpdocs/;
                add_header X-Powered-By PleskLin;
                internal;
        }

}

server {
        listen xx.xx.xx.xx9:80;

        server_name somesite.de;
        server_name www.somesite.de;
        server_name ipv4.somesite.de;

        client_max_body_size 128m;

        proxy_read_timeout 3000;

        root "/var/www/vhosts/somesite.de/httpdocs";
        access_log "/var/www/vhosts/system/somesite.de/logs/proxy_access_log";
        error_log "/var/www/vhosts/system/somesite.de/logs/proxy_error_log";

        if ($host ~* ^www\.somesite\.de$) {
                rewrite ^(.*)$ http://somesite.de$1 permanent;
        }

        location / {
                proxy_pass http://xx.xx.xx.xx:7080;
                proxy_set_header Host             $host;
                proxy_set_header X-Real-IP        $remote_addr;
                proxy_set_header X-Forwarded-For  $proxy_add_x_forwarded_for;
                proxy_set_header X-Accel-Internal /internal-nginx-static-location;
                access_log off;
        }

        location /internal-nginx-static-location/ {
                alias /var/www/vhosts/somesite.de/httpdocs/;
                add_header X-Powered-By PleskLin;
                internal;
        }

}

Thanks for your help!
 
The file looks correct, the extensions should not interfere.

Could it be possible that the "no 'ssl_certificate' is defined in server listening on SSL port while SSL handshaking" message is not related to virtual hosts but to the Plesk panel or default website? In which log does that message appear? Have you set a default SSL certificate in the SSL/TLS configuration of Plesk (Tools & Settings)?
 
When I do a tail -f /var/log/nginx/error.log I get messages like
Code:
2017/01/23 19:50:59 [error] 12473#0: *59327 no "ssl_certificate" is defined in server listening on SSL port while SSL handshaking, client: xx.xx.xx.xx, server: xx.xx.xx.xx:443
when I open the above-mentioned page via https. Do I need to set a default certificate? Thought that is optional? I normally just accept it in the browser.
 
Hey Larry,

I tried this about 10 minutes ago with a newly created certificate. Thanks for the link, but it still does not work.
It is quite annoying if the config looks ok and you have a cert but nothing is working...
And I can also not access the statistics .... great!
 
Besides the statistics: What errors are actually visible / can be experienced due to the SSL error message in the log? Maybe we can find the reason if you describe what the influence of the error message is.
 
When I try to open the page in Firefox I get:
Error: Secure Connection Failed

The connection to the server was reset while the page was loading.

The page cannot be displayed because the authenticity of the received data could not be verified.
Please contact the website owner to inform them of this problem.
Translation: https://support.mozilla.org/en-US/kb/secure-connection-failed-error-message

I do not get any other errors besides the one mentioned in the logs as far as I can see...
 
Does this error occur for users who are accessing the site through https:// from other computers, too?
 
If you mean it could be related to my PC or internet connection... I tried it on my mobile via mobile internet and it behaves the same. I also tried it from work.
 
What keeps me from directions on how to figure this out is your quote "checking the nginx configs to include the certs". It makes no sense to me that in the web server configuration file certificates are named and obviously the port 443 is configured, but then these certificates are not used to establish the connection. Have you checked whether the cert files mentioned in the web server config files (httpd.conf and nginx.conf) are actually present on the system, have the proper file permissions and are the correct certificates for the domains (when you decode them using openssl)?
 
Can totally relate!
I checked them and they exist... That is what is also really confusing me... I don't see any problem either.
I mean, I created the certificates, selected them and tried to open the page in https. That's the way it should work as I read on several websites.
Nginx seems to be configured the right way, at least as far as I can see. What is the issue then? Drives me crazy...
Obviously something is broken.

Do you know which rights they need to work properly?
 
/usr/local/psa/var/certificates should be owned by root:root and should be drwxr-xr-x.

Did you look into the cert files? Maybe the files exist but are generic certificates instead of the real ones.

However, normally Nginx and Apache are extremely picky when it comes to certificates. One small error (e.g. file does not exist, file is missing private key and so on...) and the servers will both deny reload/restart. When the certs are listed in the .conf files and neither # apachectl -t, nor # nginx -t give errors, everything should be o.k. However, if that is the case, Nginx should not throw the "no certificate" error. Are the ports configured to standard, meaning Nginx on 80 and 443, Apache on 7080 and 7081?
 
Rights look ok, the cert files as well... neither # apachectl -t, nor # nginx -t give errors... Ports are standard. I have no effing clue...
 
Solution: Create a new default ssl certificate which is self-signed. Set this up as standard for plesk admin and emails under "admin/ssl-certificate/list". Profit.

The problem with nginx is that ssl does not work if you did not set a default certificate, which is set first inside the config. I would be happy if the nginx config test would have told me this earlier...
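
The check the last post wishes the nginx config test had performed, as an added example that is not part of the original thread and is not Plesk or nginx code: it scans configuration text (for example the output of `nginx -T`) for servers that listen with `ssl` but define no `ssl_certificate`, and marks the one nginx would use as the default for that address. The sample config, the 203.0.113.10 address and the cert-EXAMPLE file name are constructed, and comment stripping and brace matching are simplified.

```python
import re

# Constructed sample: a certificate-less server ahead of a vhost shaped like the thread's.
SAMPLE = """
http {
    server {
        listen 203.0.113.10:443 ssl;
    }
    server {
        listen 203.0.113.10:443 ssl http2;
        server_name example.com;
        ssl_certificate     /opt/psa/var/certificates/cert-EXAMPLE;
        ssl_certificate_key /opt/psa/var/certificates/cert-EXAMPLE;
        location / { proxy_pass https://203.0.113.10:7081; }
    }
}
"""
DIRECTIVE = r"(?:^|(?<=[;{}]))\s*%s\s+([^;]+);"

def split_servers(conf):
    """Return (server block bodies, config text outside them)."""
    conf = re.sub(r"#[^\n]*", "", conf)  # simplification: '#' always starts a comment
    bodies, outside, pos = [], "", 0
    for m in re.finditer(r"\bserver\s*\{", conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:   # walk to the matching closing brace
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        bodies.append(conf[m.end():i - 1])
        outside, pos = outside + conf[pos:m.start()], i
    return bodies, outside + conf[pos:]

def ssl_listeners_without_cert(conf):
    """Return [(address, is_default_server)] for ssl listeners lacking a certificate."""
    bodies, outside = split_servers(conf)
    inherited = bool(re.search(DIRECTIVE % "ssl_certificate", outside, re.M))
    listeners = []  # (address, default_server flag, has certificate), in config order
    for body in bodies:
        has_cert = inherited or bool(re.search(DIRECTIVE % "ssl_certificate", body, re.M))
        for listen in re.findall(DIRECTIVE % "listen", body, re.M):
            addr, *flags = listen.split()
            if "ssl" in flags:
                listeners.append((addr, "default_server" in flags, has_cert))
    default = {}  # address -> index of the server nginx uses as default for it
    for idx, (addr, flagged, _) in enumerate(listeners):
        if flagged or addr not in default:  # first one defined, unless one is flagged
            default[addr] = idx
    return [(a, default[a] == i) for i, (a, _, cert) in enumerate(listeners) if not cert]

print(ssl_listeners_without_cert(SAMPLE))
```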
 