nginx SSL_do_handshake() failed

Maxim Dounin mdounin at
Fri Nov 27 16:14:02 UTC 2015


On Fri, Nov 27, 2015 at 04:54:29PM +0100, Nicholas Wieland wrote:

> it's the first time I configure an SSL certificate on my development machine (I'm no sysadmin - I need SSL to work with Facebook). I decided to go with nginx proxying a ruby sinatra application, nothing fancy.
> This is the error I get when Facebook tries to connect to my HTTP server. AFAIK nginx is the culprit here:
> 2015/11/26 15:42:03 [info] 42872#0: *3 SSL_do_handshake() failed (SSL: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:SSL alert number 48) while SSL handshaking, client:, server:
> This is what I did:
> Downloaded the cert (a .key, a .crt and a .csr) from RapidSSL
> Downloaded the trusted cert from RapidSSL ( and saved locally under /etc/ssl/cert/
> Installed locally nginx and configured like this:
> Restarted both nginx and puma respectively on port 4567 and 8080
> Went to, the app responded as expected, the connection was encrypted and the certificate appears to be the correct one.
> Went to Facebook and attempted to register a new page subscription ( Had the error reported on the top (SSL_do_handshake() failed) when Facebook attempted to validate my callback url
> Any suggestion?

Make sure to properly configure certificate chains, see 
for details.

Note well that if you have no experience with SSL configuration, 
it's a good idea to avoid configuring anything but ssl_certificate 
and ssl_certificate_key (and ssl_session_cache for performance 
reasons).  That is, remove (or comment out) all other ssl_* 
directives in your configuration (including ssl_stapling, 
ssl_stapling_verify, ssl_prefer_server_ciphers, ssl_protocols, 
ssl_ciphers) until you get it working.  You can re-add these 
directives later if needed.  The error you are seeing is likely 
unrelated, but it's generally a better approach anyway.

Maxim Dounin
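
A minimal configuration along the lines of the reply above, as an added example that is not part of the original thread or of the nginx documentation. The server name, file names, listen port and upstream address are assumptions; the chained file holds the server certificate followed by the CA's intermediate certificate.

```nginx
# Build the chained file once, server certificate first, then the CA's
# intermediate certificate(s) (file names are assumptions):
#   cat example.com.crt intermediate.crt > example.com.chained.crt
# If only the server certificate is sent, a client that does not already
# hold the intermediate cannot build a path to a trusted root and aborts
# the handshake with alert 48 (unknown ca), as in the log line above.

server {
    listen 443 ssl;                      # assumed port
    server_name example.com;             # placeholder name

    # Server certificate plus intermediates, in that order.
    ssl_certificate     /etc/ssl/cert/example.com.chained.crt;
    # Private key matching the first certificate in the file above.
    ssl_certificate_key /etc/ssl/cert/example.com.key;

    # The only other ssl_* directive kept, for performance.
    ssl_session_cache   shared:SSL:10m;

    # No ssl_protocols, ssl_ciphers, ssl_prefer_server_ciphers,
    # ssl_stapling or ssl_stapling_verify until the handshake works.

    location / {
        proxy_pass http://127.0.0.1:8080;   # assumed upstream (the app server)
    }
}

# Check the syntax, reload, then look at what the server actually sends:
#   nginx -t
#   openssl s_client -connect example.com:443 -servername example.com
# The "Certificate chain" section of the s_client output should list the
# server certificate (0) and the intermediate (1).
```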
