Letsencrypt certbot leads to ssl protocol error
Ian Hobson
hobson42 at gmail.com
Fri Jun 24 09:20:26 UTC 2022
Hi All,
Two of my sites have suffered problems since I updated them to https, from http. In fact since the latest scheduled update by certbot.
The home page of coachmaster.co.uk should be a log in screen.
Brave shows me
This site can’t provide a secure connection
coachmaster.co.uk sent an invalid response.
ERR_SSL_PROTOCOL_ERROR
I think the protocol message it doesn't like is Upgrade-Insecure-Requests: 1
Edge is really informative:
The connection for this site is not secure coachmaster.co.uk sent an invalid response.
Try running Windows Network Diagnostics.
ERR_SSL_PROTOCOL_ERROR
Browser: Brave Version 1.40.105 Chromium: 103.0.5060.53 (Official Build) (64-bit)
All others I've tried also fail.
nginx version 1.21.6
openSSL version 1.1.1.n
special compile.
certbot applies configuration of

    ssl_session_cache shared:le_nginx_SSL:10m;
    ssl_session_timeout 1440m;
    ssl_session_tickets off;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
This last is all one line.
The server block(s) for the site are as follows (removing a lot of comments to save space).
------------- file begins ----------------
# redirect from http at bottom of file
server {
    server_name coachmaster.co.uk www.coachmaster.co.uk;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
    add_header X-Frame-Options DENY always;
    add_header X-Content-Type-Options nosniff always;
    add_header X-Xss-Protection "1; mode=block" always;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/live/coachmaster.co.uk-0001/fullchain.pem;
    limit_req zone=ip burst=12 delay=8;
    location ^~ /Avatars {
        limit_req zone=fp burst=70 nodelay;
    }
    root /var/www/coachmaster.co.uk/htsecure;
    access_log /var/log/nginx/coachmaster.co.uk.access.log;
    # error_log /var/log/nginx/error.log; set in nginx.conf
    index index.php;
    location = /Coachmaster.html {
        rewrite ^(.*) http://thecoachmasternetwork.com/software/;
    }
    location = / {
        rewrite ^ /index.php last;
    }
    location /easyrtc {
        proxy_pass http://localhost:5006;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
    location /socket.io {
        proxy_pass http://localhost:5006;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
    # serve php files via fastcgi if the file exists
    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param CENTRAL_ROOT $document_root;
        fastcgi_param RESELLER_ROOT $document_root;
        fastcgi_param ENVIRONMENT production;
        fastcgi_param HTTPS ON;
        include /etc/nginx/fastcgi.conf;
        fastcgi_pass 127.0.0.1:9000;
    }
    # serve static files
    try_files $uri $uri/ /index.php;
    expires 30m;
    location /publish {
        nchan_publisher;
        nchan_channel_id $arg_id;
        nchan_channel_id $arg_id;
        nchan_message_buffer_length 10;
        nchan_message_timeout 90s;
    }
    location /activity {
        nchan_subscriber;
        nchan_channel_id $arg_id;
    }
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/coachmaster.co.uk-0001/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/coachmaster.co.uk-0001/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
    if ($host = www.coachmaster.co.uk) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    if ($host = coachmaster.co.uk) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    server_name coachmaster.co.uk www.coachmaster.co.uk;
    listen 80;
    return 404; # managed by Certbot
}
------------ end of file -----------
I have inserted a blank line after long lines that wrap.
According to the UptimeRobot the site is up.
The service at https://www.ssllabs.com/ssltest/analyze.html?d=coachmaster.co.uk gives no obvious errors, except that it shows the TLS 1.2 protocol NOT enabled.
I'm way out of my depth now. Can anyone suggest something that does not weaken the security?
Regards
Ian
--
Ian Hobson
Tel (+66) 626 544 695
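A small diagnostic for narrowing down an ERR_SSL_PROTOCOL_ERROR like the one above, added here as an example and not part of the original post or of nginx/certbot: it pins a handshake to one TLS version at a time (so the "TLS 1.2 NOT enabled" finding can be reproduced from the command line), maps the OpenSSL failure reason to the nginx setting that usually causes it, and classifies the first bytes a server sends back (plaintext HTTP on port 443 is what browsers report as a protocol error). The cause hints and the default host are assumptions, not facts from the post.

```python
import socket
import ssl

# OpenSSL reason codes as they appear in SSLError messages, mapped to the
# nginx-side cause that usually produces them.  The hints are assumptions.
REASON_HINTS = {
    "WRONG_VERSION_NUMBER": "server answered in plaintext: a 'listen 443;' without 'ssl', or a non-TLS service on the port",
    "UNSUPPORTED_PROTOCOL": "this TLS version is refused: check ssl_protocols in options-ssl-nginx.conf",
    "TLSV1_ALERT_PROTOCOL_VERSION": "protocol_version alert: this TLS version is disabled in ssl_protocols",
    "CERTIFICATE_VERIFY_FAILED": "chain not trusted: check that ssl_certificate points at fullchain.pem",
    "SSLV3_ALERT_HANDSHAKE_FAILURE": "no common cipher or group: check ssl_ciphers and ssl_dhparam",
}

def diagnose(err: Exception) -> str:
    """Turn an OpenSSL error message into a likely cause."""
    msg = str(err)
    for reason, hint in REASON_HINTS.items():
        if reason in msg:
            return hint
    return "unclassified TLS failure: " + msg

def classify_server_bytes(data: bytes) -> str:
    """Classify the first record a server returns after a ClientHello."""
    if data.startswith(b"HTTP/"):
        return "plaintext HTTP on the TLS port"
    if len(data) >= 5 and data[0] == 0x16 and data[1] == 0x03:
        return "TLS handshake record"          # ServerHello etc.
    if len(data) >= 7 and data[0] == 0x15 and data[1] == 0x03:
        level, desc = data[5], data[6]         # alert: level, description
        return f"TLS alert level={level} description={desc}"
    return "not TLS"

def probe(host: str, port: int, version_name: str, timeout: float = 5.0) -> dict:
    """Handshake pinned to one TLS version (e.g. 'TLSv1_2'); report outcome."""
    version = ssl.TLSVersion[version_name]
    ctx = ssl.create_default_context()
    ctx.minimum_version = version
    ctx.maximum_version = version
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return {"version": version_name, "ok": True,
                        "negotiated": tls.version(), "cipher": tls.cipher()[0]}
    except ssl.SSLError as e:
        return {"version": version_name, "ok": False, "hint": diagnose(e)}
    except OSError as e:
        return {"version": version_name, "ok": False, "hint": f"connection failed: {e}"}

if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "example.invalid"  # placeholder host
    for v in ("TLSv1_2", "TLSv1_3"):
        print(probe(host, 443, v))
```

Run it against the affected host name; a TLSv1_2 result whose hint points at ssl_protocols, while TLSv1_3 succeeds, matches the SSL Labs finding, whereas a WRONG_VERSION_NUMBER hint on both versions points at plaintext being served on 443.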