Issue Plesk 12.5.30 and Lets encrypt - ERR_CONNECTION_RESET

[Sven A.]

Hi community,

I'm running a server with Plesk 12.5.30 and try to use the Lets encrypt extension.
I created and installed a certificate for a domain after the instructions found everywhere in the web.
No problem so far.
But I 'm unable to run https://mydomain.tld.
In the browser it says ERR_CONNECTION_RESET and the error logs of nginx (I'm using apache2 with nginx for reverse proxy.) say:
no "ssl_certificate" is defined in server listening on SSL port while SSL handshaking, client: xx.xxx.x.xxx, server: xx.xxx.xxx.xxx:443

I found several threads here and elsewhere, but nothing works.

My nginx config seems fine, as far as I know.

server {
        listen xx.xxx.xxx.xxx:443 ssl;

        server_name mydomain.tld;
        server_name www.mydomain.tld;
        server_name ipv4.mydomain.tld;

        ssl_certificate             /opt/psa/var/certificates/cert-UI2T1H;
        ssl_certificate_key         /opt/psa/var/certificates/cert-UI2T1H;
        ssl_client_certificate      /opt/psa/var/certificates/cert-9GmfWB;

        client_max_body_size 128m;

        proxy_read_timeout 600;

        root "/var/www/vhosts/mydomain.tld/httpdocs";
        access_log "/var/www/vhosts/system/mydomain.tld/logs/proxy_access_ssl_log";
        error_log "/var/www/vhosts/system/mydomain.tld/logs/proxy_error_log";

        location / {
                proxy_pass https://xx.xxx.xxx.xxx:7081;
                proxy_set_header Host             $host;
                proxy_set_header X-Real-IP        $remote_addr;
                proxy_set_header X-Forwarded-For  $proxy_add_x_forwarded_for;
                proxy_set_header X-Accel-Internal /internal-nginx-static-location;
                access_log off;
        }

        location /internal-nginx-static-location/ {
                alias /var/www/vhosts/mydomain.tld/httpdocs/;
                add_header X-Powered-By PleskLin;
                internal;
        }

}

server {
        listen xx.xxx.xxx.xxx:80;

        server_name mydomain.tld;
        server_name www.mydomain.tld;
        server_name ipv4.mydomain.tld;

        client_max_body_size 128m;

        proxy_read_timeout 600;

        root "/var/www/vhosts/mydomain.tld/httpdocs";
        access_log "/var/www/vhosts/system/mydomain.tld/logs/proxy_access_log";
        error_log "/var/www/vhosts/system/mydomain.tld/logs/proxy_error_log";

        location / {
                proxy_pass http://xx.xxx.xxx.xxx:7080;
                proxy_set_header Host             $host;
                proxy_set_header X-Real-IP        $remote_addr;
                proxy_set_header X-Forwarded-For  $proxy_add_x_forwarded_for;
                proxy_set_header X-Accel-Internal /internal-nginx-static-location;
                access_log off;
        }

        location /internal-nginx-static-location/ {
                alias /var/www/vhosts/mydomain.tld/httpdocs/;
                add_header X-Powered-By PleskLin;
                internal;
        }

}

Everything is pretty standard or default. I changed nothing.

Any ideas what could go wrong?
Thanks.

 

[Bitpalast]

I don't think that this can be the true situation. If Nginx is running, it is using the configuration file, hence it loads the certificate. It cannot ignore the configuration file entries regarding the certificates.

What is the output of
# /usr/local/psa/admin/sbin/nginxmng -s
# service nginx status
?

You can try to
# nginx -t
and on success (syntax good)
# service nginx restart
to restart the service so that you can be sure that the latest versions of the configuration files are used.

You can try to
# plesk repair web -y
to fix potential issues with symbolic links to configuration files and to reconfigure the web servers with the data currently stored in psa database.

 

[Sven A.]

/usr/local/psa/admin/sbin/nginxmng -s
Enabled
service nginx status
* nginx is running
Before and after nginx restart:
nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

 

[Sven A.]

Hm ... I 'm not so experienced with nginx configs, but I had a look into /etc/nginx/nginx.conf and I can't see the include of the domain specific nginx config
/var/www/vhosts/system/mydomain.tld/conf/nginx.conf which includes the part with the certificate.

#user  nginx;
worker_processes  1;

#error_log  /var/log/nginx/error.log;
#error_log  /var/log/nginx/error.log  notice;
#error_log  /var/log/nginx/error.log  info;

#pid        /var/run/nginx.pid;

include /etc/nginx/modules.conf.d/*.conf;

events {
    worker_connections  1024;
}


http {
    include       mime.types;
    default_type  application/octet-stream;

    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
    #                  '$status $body_bytes_sent "$http_referer" '
    #                  '"$http_user_agent" "$http_x_forwarded_for"';

    #access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    #keepalive_timeout  0;
    keepalive_timeout  65;
    #tcp_nodelay        on;

    #gzip  on;
    #gzip_disable "MSIE [1-6]\.(?!.*SV1)";

    server_tokens off;

    include /etc/nginx/conf.d/*.conf;
}

# override global parameters e.g. worker_rlimit_nofile
include /etc/nginx/*global_params;

But as I said, it's a default configuration of everything. Nothing is custom.

 

[UFHH01]

Hi Sven A.,

and I can't see the include of the domain specific nginx config

include /etc/nginx/conf.d/*.conf;

links to => /etc/nginx/conf.d/zz010_psa_nginx.conf , which links again to configuration files ( with symlinks ) at: /etc/nginx/plesk.conf.d


You could as well being interested in the following KB - article:

Plesk for Linux services logs and configuration files ( KB - article: 213403509 )​

 

[Sven A.]

Ah ok. I see.
Thanks.

So that's not the problem.

I tried plesk repair web -y, but it changes nothing.

Any ideas where else I could something could wrong?

 

[UFHH01]

Hi Sven A.,

for further investigations, let's have a look at your settings, pls.:

=> HOME > Subscriptions > YOUR-DOMAIN.COM > Hosting Settings​

 

[Sven A.]

Sure. Thanks.
Dropbox - plesk-hostingsettings.jpg

 

[UFHH01]

Hi Sven A.,

pls. change the webserver setting to "FastCGI served by NGINX" ( or FPM, if you consider to change that! ^^ ). If the correct certificate isn't written into the domain specific configuration files at "/var/www/vhosts/system/YOUR-DOMAIN.COM/conf", pls. consider to change the certificate again from Let's - Encrypt to "none", or "deafult" ( Plesk?!? ) - and afterwards, re-change it back to your Let's Encrypt certificate.

 

[Sven A.]

"FastCGI served by nginx" isn't in the select, so I chosed "FPM served by nginx", but the error message in the nginx logs remains the same.

I also changed from Lets encrypt to none and also to the default certificate.
Nothing changes. I can't access the domain via https. With http everything is fine.

So it seems not to be an issue with Lets encrypt, but with ssl and https on this server in general?
Or better, an issue with port 443, because https via port 8443 works great (with the default certificate).

 

[UFHH01]

Hi Sven A.,

hm... there could be as well an issue because of browser cache or/and internet settings on your computer.

Pls. check for example at:

=> SSL Server Test (Powered by Qualys SSL Labs) ( to test your current certificate ) ( just "YOUR-DOMAIN.COM", pls. )
=> View HTTP Request and Response Header ( to test the headers ) ( the full URL, as for example: https://www.YOUR-DOMAIN.COM or https://YOUR-DOMAIN.COM )

... and consider as well to use a different browser on your computer, to verify, that the root - cause is not on your side.


Could you pls. as well CONFIRM, that apache AND NGINX use the same certificate - files in their configuration files?

 

[Sven A.]

Both tests fail.
SSL Server Test says
"Assessment failed: No secure protocols supported" (I think because it can't connect to the server)
and HTTP Request and Response Header says
"Connect to xx.xxx.xxx.xxx on port 443 ... failed
Error while fetching URL"

But why?

And also I tried to run the domain with Firefox and Edge. With the same result ... I can't connect to the domain.

 

[UFHH01]

Hi Sven A.,

you are giving us a hard time here, to investigate your root cause...

Could you pls. as well CONFIRM, that apache AND NGINX use the same certificate - files in their configuration files?

hint, where to find these files:

into the domain specific configuration files at "/var/www/vhosts/system/YOUR-DOMAIN.COM/conf"

In addition, could you pls. provide additional informations about your used operating system, the current Plesk version ( incl. #MU ) AND the nginx AND openssl - version on your server?


Can you as well CONFIRM, that no firewall is blocking your port 443 ?
And that your server IPs are not blacklisted by Fail2Ban for specific ports?


Have you got SELinux installed and setup some unusual settings / rules? Did you try to disable SELinux to see, if this might be a cause of your issue?


Pls. post the output of the commands:

lsof -i :443

netstat -nlp | grep 443
netstat -nlp | grep nginx

service nginx status​

 

[Bitpalast]

I remember a similar thread some months ago. I think it went into the direction that this was not a web server issue, but a cipher or openssl issue. It think the other tread remained unsolved, but there, too, all typical causes related to web server were checked with no result. Can't find it.

 

[UFHH01]

It think the other tread remained unsolved

Noooo... we won't give up, @Peter Debik ... we will find the root cause!

 

[Sven A.]

Damn, sorry.

Ok.

1. Yes. Apache AND nginx use the same certificate.
2. ‪Ubuntu 14.04.3 LTS‬ and Plesk 12.5.30 Update #62, nginx version: nginx/1.11.1, openssl 1.0.1f
3. Yes. No firewall blocks port 443. And yes, Fail2Ban doesn't block this port.
4. No, I don't have SELinux installed.

lsof -i :443

COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
nginx 13403 root 178u IPv4 7135315 0t0 TCP hxxxxxx.xxxxxx.net:https (LISTEN)
nginx 28005 nginx 178u IPv4 7135315 0t0 TCP hxxxxxx.xxxxxx.net:https (LISTEN)

netstat -nlp | grep 443

tcp 0 0 xx.xxx.xxx.xxx:443 0.0.0.0:* LISTEN 13403/nginx
tcp 0 0 0.0.0.0:8443 0.0.0.0:* LISTEN 26565/sw-cp-serverd
tcp6 0 0 :::8443 :::* LISTEN 26565/sw-cp-serverd
unix 2 [ ACC ] STREAM HÖRT 5794431 2277/anvil private/anvil
unix 2 [ ACC ] STREAM HÖRT 5794434 28706/master private/scache
unix 2 [ ACC ] STREAM HÖRT 5794437 28706/master private/maildrop
unix 2 [ ACC ] STREAM HÖRT 5794443 28706/master private/ifmail

netstat -nlp | grep nginx

tcp 0 0 xx.xxx.xxx.xxx:80 0.0.0.0:* LISTEN 13403/nginx
tcp 0 0 xx.xxx.xxx.xxx:443 0.0.0.0:* LISTEN 13403/nginx

service nginx status

* nginx is running

 

[UFHH01]

Hi Sven A.,

did you secure the corresponding IP with a certificate at "HOME > Tools & Settings > IP Addresses > YOUR-IP-ADDRESS" ?


Another way to investigate issues/errors/problems with port "443" ( in combination with apache2+nginx ) is to inspect ALL your corresponding *.conf files. Pls. remember, that nginx now uses port 80/443 and apache2 has changed the ports to 7080/7081.

Find possible misconfigurations in your apache2 - configuration files, looking for OLD and not valid ":443" - settings ( Example for Debian/Ubuntu - bases systems! ):

find /etc/apache2 -type f -name "*.conf" -exec grep --color -Hni ":443" {} \;​

 

[Sven A.]

Yes. The IP is secured with the default certificate.

Ok. Thanks.

I will investigate these files. Let's see what's wrong with my Plesk.

 

[Sven A.]

Ok. I can't find anything special or wrong.

First I used find /etc/apache2 -type f -name "*.conf" -exec grep --color -Hni ":443" {} \;, which found nothing.
Then I used find / -type f -name "*.conf" -exec grep --color -Hni ":443" {} \; which listed several things:
1. the nginx and httpd conf files for each domain like
/var/www/vhosts/system/this-domain.tld/conf/nginx.conf:7: listen xx.xxx.xxx.xxx:443 ssl;
/var/www/vhosts/system/this-domain.tld/conf/httpd.conf:11: ServerName "this-domain.tld:443"
2. and this
/etc/nginx/plesk.conf.d/server.conf:28: listen xx.xxx.xxx.xxx:443 ssl;
/etc/nginx/plesk.conf.d/webmail.conf:7: listen xx.xxx.xxx.xxx:443 ssl;

Any thoughts?

Hm, in another forum I read something about this issue and there a user said that ssl_certificate and ssl_certificate_key in one file and without a file extension must be wrong.
Maybe that's the cause? But that's the way it's done if you generate the certificate in Plesk.

 

[Bitpalast]

But isn't that exactly the problem, that in httpd.conf your account is listening to port 443 and in nginx.conf it is listening to the same port? That will not work. The httpd.conf file is wrong, it must not be set to listen to port 443, but port 7081 if you are using Nginx as a reverse proxy. It can only listen to port 443 if you are not using Nginx for reverse proxy, but Apache only.