Nginx serving self-signed cert instead of the one defined in conf

Maxim Dounin mdounin at
Tue Aug 11 17:59:59 UTC 2015


On Tue, Aug 11, 2015 at 01:27:23PM -0400, Arno0x0x wrote:

> Hello,
> I'm facing a strange issue since I upgraded from Nginx 1.6.2 to 1.8.0. My
> configuration files have been kept identicals, as well as my official SSL
> certificates.
> The problem is Nginx keeps on serving a self-signed certificate (dunno where
> it takes it from) instead of my proper certificates that I defined in the
> config file. Here's the server section SSL config bits :
> ------------------------------------------------------------------------------------
> server {
> 	listen   443 ssl; ## listen for ipv4; this line is default and implied
> 	#listen   [::]:80 default_server ipv6only=on; ## listen for ipv6
> 	server_name my_fqdn;
> 	ssl_certificate /etc/nginx/ssl/gandi/my_fqdn.crt;
> 	ssl_certificate_key /etc/nginx/ssl/gandi/my_fqdn.key;
> 	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
> 	ssl_ciphers 'AES256+EECDH:AES256+EDH';
> 	ssl_prefer_server_ciphers on;
> 	ssl_session_cache shared:SSL:10m;
> 	...
> ------------------------------------------------------------------------------------
> This configuration works fine on my other server with nginx 1.6.2.

The configuration snippet you've provided is just a snippet for a 
single server block, not a full configuration.  Depending on other 
server{} blocks it may or may not work.

Most notably, the "listen" directive doesn't have "default_server" 
parameter.  That is, if there is another server{} block defined 
for the same listening socket in the configuration, it may be used 
as a default one instead (assuming that server is defined first).

Try looking into your full configuration, nginx.conf.  When 
questions arise, it usally means that the configuration contains 
something like "include /path/to/files/*.conf;" - and you have to 
examine all files matching a given mask.

Maxim Dounin

More information about the nginx mailing list