SSL not working


#1
  • What’s your URL? pudgyboston.com
  • What version of Ghost are you using? latest
  • What configuration? production

Started a new blog on my server using the installation tool. Everything was running smoothly and I decided to set up SSL by running the ‘ghost setup ssl’ command.

After going through all of the steps and the tool finishing the setup, I changed my URL in ‘config.production.json’ to https. When I try to load my URL it correctly redirects to https but it won’t load the page. Firefox is giving me the error “Secure Connection Failed. The connection to pudgyboston.com was interrupted while the page was loading. The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.”

I’m not great with nginx, but I have a feeling it’s something on that front. I saw a potential answer on GitHub by removing my letsencrypt directory and trying again, but I wanted to come here first before removing it.

Thanks


#2

Slightly off topic, but I’m also trying to migrate a password-protected site from Apache to run on nginx alongside my blog. If anyone has any tips on how to accomplish this or can link me to a guide that can help, it would be greatly appreciated.


#3

Change your URL back to http://
It will work fine then


#4

This works, but then SSL isn’t enabled


#5

What happens if you run ghost setup ssl, then ghost config url https://pudgyboston.com/, then ghost restart?


#6

$ ghost setup ssl
SSL has already been set up, skipping
:information_source: Setting up SSL [skipped]


#7

I got frustrated and did a full ghost uninstall and apt-get purge of nginx and redid the entire setup, same problem. Is there something wrong with the ssl setup in the ghost cli?


#8

As I said, change your URL to http://, because after the SSL certificate is issued it will automatically load over https.


#9

You may have tried this already, but I think that the SSL may have been set up correctly. I think what Ayu is saying is that you shouldn’t need to change the ‘config.production.json’ parameter for SSL to work; for me, that parameter is still pointing to the http address of my site even though I have SSL set up.

What I would suggest is to leave the ‘config.production.json’ unchanged and see if your site is still accessible over https. From the documentation at https://docs.ghost.org/docs/cli-setup, the HTTPS/SSL configuration is done on the nginx side, which should forward the traffic to your local node process that is running the Ghost blog webapp.


#10

My config.production.json URL is back to http, but I’m still not able to load the https address. The http address loads fine, but Firefox is still saying the https site is not secure and won’t load the page.

I checked what version nginx was running on my debian server just in case that was below 1.9.5 but I’m showing version 1.10.3.

Are there any extra steps I need to do in nginx after running the cli-setup to get ssl working?


#11

Seems like there might be something wrong with your nginx configuration. https://community.letsencrypt.org/t/ssl-obtained-but-https-connection-resets-itself/50364/4 suggests running nginx -T and checking whether the configuration looks correct. A basic nginx configuration for SSL/TLS can be found at https://www.digicert.com/csr-ssl-installation/nginx-openssl.htm that can be used for comparison.


#12

Progress, kinda sorta. These forums only let me paste one link, so I replaced pudgyboston.com with ‘my_url’. After looking through the error logs for nginx I’m getting

2018/06/19 15:14:47 [error] 13067#13067: *1 no "ssl_certificate" is defined in server listening on SSL port while SSL handshaking, client: 127.0.0.1, server: 0.0.0.0:443

Here’s the output for curl -vvv my_url

* Rebuilt URL to: my_url
*   Trying *.*.*.*...
* TCP_NODELAY set
* connect to *.*.*.* port 443 failed: Connection refused
* Failed to connect to my_url port 443: Connection refused
* Closing connection 0
curl: (7) Failed to connect to my_url port 443: Connection refused

sudo netstat -nlp | grep nginx

tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      14016/nginx: master
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      14016/nginx: master
tcp6       0      0 :::443                  :::*                    LISTEN      14016/nginx: master
tcp6       0      0 :::80                   :::*                    LISTEN      14016/nginx: master

nginx -t is coming up with no errors and I know the port is open and working. I’m seriously at a loss here.


#13

Can you show us your nginx.conf and site.conf files? There might be tiny details there that mess this up.


#14

/etc/nginx/nginx.conf

user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
        worker_connections 768;
        # multi_accept on;
}

http {

        ##
        # Basic Settings
        ##

        sendfile on;
        tcp_nopush on;
        tcp_nodelay on;
        keepalive_timeout 65;
        types_hash_max_size 2048;
        # server_tokens off;

        # server_names_hash_bucket_size 64;
        # server_name_in_redirect off;

        include /etc/nginx/mime.types;
        default_type application/octet-stream;

        ##
        # SSL Settings
        ##

        ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
        ssl_prefer_server_ciphers on;

        ##
        # Logging Settings
        ##

        access_log /var/log/nginx/access.log;
        error_log /var/log/nginx/error.log;

        ##
        # Gzip Settings
        ##

        gzip on;
        gzip_disable "msie6";

        # gzip_vary on;
        # gzip_proxied any;
        # gzip_comp_level 6;
        # gzip_buffers 16 8k;
        # gzip_http_version 1.1;
        # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

        ##
        # Virtual Host Configs
        ##

        include /etc/nginx/conf.d/*.conf;
        include /etc/nginx/sites-enabled/*;
}


#mail {
#       # See sample authentication script at:
#       # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
#       # auth_http localhost/auth.php;
#       # pop3_capabilities "TOP" "USER";
#       # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
#       server {
#               listen     localhost:110;
#               protocol   pop3;
#               proxy      on;
#       }
#
#       server {
#               listen     localhost:143;
#               protocol   imap;
#               proxy      on;
#       }
#}

/etc/nginx/sites-available/pudgyboston.com-ssl.conf

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name pudgyboston.com;
    root /var/www/ghost/system/nginx-root;

    ssl_certificate /etc/letsencrypt/pudgyboston.com/fullchain.cer;
    ssl_certificate_key /etc/letsencrypt/pudgyboston.com/pudgyboston.com.key;
    include /etc/nginx/snippets/ssl-params.conf;

    location / {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $http_host;
        proxy_pass http://127.0.0.1:2368;

    }

    location ~ /.well-known {
        allow all;
    }

    client_max_body_size 50m;
}

Thanks to everyone for taking the time to help


#15

Not sure if this has anything to do with this, but here are some parts of my configs:

server {
    listen 80;
    listen [::]:80;
    listen 443 default_server ssl http2;
    listen [::]:443 default_server ssl http2;
    ssl_certificate         /srv/www/certs/domain.com.pem;
    ssl_certificate_key     /srv/www/certs/domain.com.key;
    server_name localhost;
    return 444;
}

(this is in the nginx.conf a default server block)

server {
    listen 80;
    listen [::]:80;
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

(I listen to both 80 and 443 in my site config also)
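The error quoted in #12 (no "ssl_certificate" is defined in server listening on SSL port) means the server block nginx picked for the handshake on 443 had no certificate to present, which is exactly why the default-server block in #15 carries its own ssl_certificate. As an added illustration that is not part of this thread, nor code from Ghost or nginx, the script below scans an `nginx -T` style dump for that condition; the sample dump, host names and file paths in it are constructed.

```python
"""Scan an `nginx -T` dump for server blocks that listen with `ssl` but define no
ssl_certificate: the cause of 'no "ssl_certificate" is defined in server listening on SSL port'."""
import re

# Constructed `nginx -T` sample (names/paths made up). The catch-all
# default_server on 443 has no certificate, so handshakes routed to it fail.
SAMPLE_DUMP = """
# configuration file /etc/nginx/sites-enabled/example-ssl.conf:
server {
    listen 443 ssl http2;
    server_name blog.example.com;
    ssl_certificate /etc/letsencrypt/blog.example.com/fullchain.cer;
    ssl_certificate_key /etc/letsencrypt/blog.example.com/blog.example.com.key;
    location / { proxy_pass http://127.0.0.1:2368; }
}
# configuration file /etc/nginx/sites-enabled/default:
server {
    listen 80 default_server;
    listen 443 default_server ssl;
    server_name _;
    return 444;
}
"""

def split_server_blocks(dump):
    """Return the body of each top-level `server { ... }` block, comments stripped."""
    text = re.sub(r"#[^\n]*", "", dump)
    blocks, pos = [], 0
    while (m := re.search(r"\bserver\s*\{", text[pos:])):
        start = pos + m.end()
        depth, end = 1, start
        while end < len(text) and depth:  # brace counting copes with nested location{}
            depth += {"{": 1, "}": -1}.get(text[end], 0)
            end += 1
        blocks.append(text[start:end - 1])
        pos = end
    return blocks

def find_ssl_without_cert(dump):
    """Return (server_name, listen args) for blocks that listen with `ssl` but have
    no ssl_certificate. Caveat: ignores certs set at http{} level or via include."""
    findings = []
    for body in split_server_blocks(dump):
        ssl_listens = re.findall(r"\blisten\s+([^;]*\bssl\b[^;]*);", body)
        has_cert = re.search(r"\bssl_certificate\s+[^;]+;", body)
        if ssl_listens and not has_cert:
            name = re.search(r"\bserver_name\s+([^;]+);", body)
            findings.append((name.group(1).strip() if name else "(none)", ssl_listens[0].strip()))
    return findings

if __name__ == "__main__":
    for name, listen in find_ssl_without_cert(SAMPLE_DUMP):
        print(f"server_name {name}: 'listen {listen};' has no ssl_certificate")
```

On a real host, pipe the live dump in with `sudo nginx -T` and look at every block reported, not just the one for the blog's server_name.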


#16

Edge is throwing me this error, maybe useful?

Can’t connect securely to this page
This might be because the site uses outdated or unsafe TLS security settings. If this keeps happening, try contacting the website’s owner.


#17

I have a slightly more detailed SSL setup:

ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on;
ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";

Check to see if anything from here helps out.

You can also try to test your SSL here:
https://www.ssllabs.com/ssltest/


#19

I missed a chunk of this conversation, but one thing that I am noticing is that your “pudgyboston.com-ssl.conf” file is referencing a “fullchain.cer” file. Is that the name of the actual SSL certificate? I also use Let’s Encrypt, though with Apache, and the Apache equivalent of the nginx parameter “ssl_certificate” points to a “fullchain.pem” file.

One thing that I should mention is that there are different types of SSL cert file formats available, and I think here that the .PEM file type is most applicable.


#20

With both acme.sh and the official LE client, the cert and cert_key are correct in that config. It follows the template that both ACME clients implement.

