Repeated include /etc/includes/ssl.conf Passes configtest, fails SSL Handshake

Matt Silverlock matt at eatsleeprepeat.net
Wed Jul 30 02:14:05 UTC 2014


Hi all,

Had a chat with a helpful person on IRC, but we are both stumped as to why my configuration passes a check (nginx -t) but fails to properly handle SSL.

– I’ve split a couple of repetitive blocks out into /etc/nginx/includes/ssl.conf (-rw-r--r-- root:root - same as nginx.conf - should not be a problem)
– Doing so results in SSL handshake issues (and the connection fails appropriately)
– My cert covers both the root domain and www
– An excerpt of my configuration is here: http://p.ngx.cc/8796278344c60dcb — but the relevant part is below:

    # re-direct non-www https to https
    server {
        listen 443 ssl;
        server_name example.com;

        include /etc/nginx/includes/ssl.conf;

        return 301 https://www.example.com$request_uri;
    }

    server {
        listen 443 ssl default_server;
        server_name www.example.com;

        include /etc/nginx/includes/ssl.conf;

        root /srv/www/www.example.com/public;

        error_page 502 503 504 /5xx.html;

        # rest of config (proxy pass to Go server)
        # STS header in location block, etc.
    }

If I move the include directive (effectively removing the duplication) into the http block and put the ssl_certificate and ssl_certificate_key directives into each of the two (2) server blocks instead of includes/ssl.conf, all is well. But this conflicts with the documentation (as I interpret it) and still results in some duplicated configuration.

Ideally I want to drop the entire “SSL config” for these two domains into an includes file that I can then just import into the server blocks. If that’s not entirely possible, that’s okay — but configs I’ve seen out in the wild (https://github.com/igrigorik/istlsfastyet.com/blob/master/nginx/includes/ssl.conf) seem to do what I’m trying to achieve :)

Cheers,
Matt
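
An added example, not part of the original post: a small checker that expands include directives and reports any "listen ... ssl" server block left without ssl_certificate or ssl_certificate_key, which is one thing worth ruling out when these directives are moved between the http block, the server blocks and an included file. The file contents, certificate paths and function names are constructed for illustration; only plain include paths (no globs or quoted values) and inheritance from the http block are handled.

```python
import re

# Constructed sample files, not the poster's real configuration; paths are placeholders.
FILES = {
    "/etc/nginx/nginx.conf": """
http {
    server { listen 443 ssl; server_name example.com;
             include /etc/nginx/includes/ssl.conf; }
    server { listen 443 ssl default_server; server_name www.example.com;
             ssl_certificate /path/to/cert.pem;
             ssl_certificate_key /path/to/key.pem;
             include /etc/nginx/includes/ssl.conf; }
}""",
    "/etc/nginx/includes/ssl.conf": "ssl_protocols TLSv1.2;\n",
}

def tokens(path, files):
    """Yield tokens of one file, splicing in plain (non-glob) includes."""
    it = iter(re.findall(r"[{};]|[^\s{};]+", re.sub(r"#.*", "", files[path])))
    for t in it:
        if t == "include":
            yield from tokens(next(it), files)
            next(it)  # drop the ";" that ends the include directive
        else:
            yield t

def parse(toks):
    """Turn a token iterator into nested (name, args, children) tuples."""
    out, words = [], []
    for t in toks:
        if t == "}":
            break
        if t in (";", "{"):
            out.append((words[0], words[1:], parse(toks) if t == "{" else []))
            words = []
        else:
            words.append(t)
    return out

def missing_tls_material(main, files):
    """Map server_name to required directives absent after include expansion."""
    need, report = ("ssl_certificate", "ssl_certificate_key"), {}
    for name, _, http in parse(tokens(main, files)):
        for d, _, body in (http if name == "http" else []):
            if d == "server" and any(n == "listen" and "ssl" in a for n, a, _ in body):
                have = {n for n, _, _ in http} | {n for n, _, _ in body}
                sname = next((a[0] for n, a, _ in body if n == "server_name"), "(unnamed)")
                report[sname] = [x for x in need if x not in have]
    return report
```

Calling missing_tls_material("/etc/nginx/nginx.conf", FILES) on the constructed sample flags example.com as lacking both directives and returns an empty list for www.example.com.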