Nginx serving self-signed cert instead of the one defined in conf

Hello,

I’m facing a strange issue since I upgraded from Nginx 1.6.2 to 1.8.0.
My
configuration files have been kept identicals, as well as my official
SSL
certificates.

The problem is Nginx keeps on serving a self-signed certificate (dunno
where
it takes it from) instead of my proper certificates that I defined in
the
config file. Here’s the server section SSL config bits :


server {
listen 443 ssl; ## listen for ipv4; this line is default and implied
#listen [::]:80 default_server ipv6only=on; ## listen for ipv6

server_name my_fqdn;

ssl_certificate /etc/nginx/ssl/gandi/my_fqdn.crt;
ssl_certificate_key /etc/nginx/ssl/gandi/my_fqdn.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ‘AES256+EECDH:AES256+EDH’;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;

This configuration works fine on my other server with nginx 1.6.2.

I tried to increase error log to the debug level, but I get stricly no
error
message when starting Nginx (I was hoping for some clue like "nginx
cannot
read the file / path of the defined certs … but nothing).

The config file checks is fine :

sudo nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Example with openssl client :


openssl s_client -connect myfqdn:443
CONNECTED(00000003)
depth=0 C = EU, ST = NoWhere, O = Internet Widgits Pty Ltd, CN = myfqdn
verify error:num=18:self signed certificate
verify return:1
depth=0 C = EU, ST = NoWhere, O = Internet Widgits Pty Ltd, CN = myfqdn
verify return:1

Certificate chain
0 s:/C=EU/ST=NoWhere/O=Internet Widgits Pty Ltd/CN=myfqdn
i:/C=EU/ST=NoWhere/O=Internet Widgits Pty Ltd/CN=myfqdn

Server certificate
etc…

I’m lost. Any help is welcomed !

Regards,
Arno

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,260935,260935#msg-260935

Hello!

On Tue, Aug 11, 2015 at 01:27:23PM -0400, Arno0x0x wrote:


ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;


This configuration works fine on my other server with nginx 1.6.2.

The configuration snippet you’ve provided is just a snippet for a
single server block, not a full configuration. Depending on other
server{} blocks it may or may not work.

Most notably, the “listen” directive doesn’t have “default_server”
parameter. That is, if there is another server{} block defined
for the same listening socket in the configuration, it may be used
as a default one instead (assuming that server is defined first).

Try looking into your full configuration, nginx.conf. When
questions arise, it usally means that the configuration contains
something like “include /path/to/files/*.conf;” - and you have to
examine all files matching a given mask.


Maxim D.
http://nginx.org/

Hi Maxim,

Thanks for your answer. Alas ! I check all config files in my /etc/nginx
directory, there’s only one containing the server{} directive (for the
sake
of it, I added the default_server to the listen directive, but it
doesn’t
change anything) :


[email protected] /etc/nginx $ grep -r server *
fastcgi.conf:fastcgi_param SERVER_PROTOCOL $server_protocol;
fastcgi.conf:fastcgi_param SERVER_ADDR $server_addr;
fastcgi.conf:fastcgi_param SERVER_PORT $server_port;
fastcgi.conf:fastcgi_param SERVER_NAME $server_name;

scgi_params:scgi_param SERVER_PROTOCOL $server_protocol;
scgi_params:scgi_param SERVER_PORT $server_port;
scgi_params:scgi_param SERVER_NAME $server_name;

sites-available/myfqdn:# server {
sites-available/myfqdn:server {
sites-available/myfqdn: listen 443 ssl default_server; ## listen for
ipv4;
this line is default and implied
sites-available/lmyfqdn: #listen [::]:80 default_server ipv6only=on;

listen for ipv6
sites-available/myfqdn: server_name myfqdn;
sites-available/myfqdn: ssl_prefer_server_ciphers on;
sites-available/myfqdn: # redirect server error pages to the static
page
/50x.html

uwsgi_params:uwsgi_param SERVER_PROTOCOL $server_protocol;
uwsgi_params:uwsgi_param SERVER_PORT $server_port;
uwsgi_params:uwsgi_param SERVER_NAME $server_name;


Could it be possible that nginx reads some other config files from
another
location than /etc/nginx ?
What are my other options (some more debug info would be useful to check
where nginx gets its config from).

any idea ?

Thanks
Arno

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,260935,260942#msg-260942

For the record: problem solved.

SHAME on me !!

The problem was simply that I copied the wrong certificates from my old
installation (nginx 1.6.2) to the new one (nginx 1.8.0).

As often, the problem lies in front of the keyboard :slight_smile:

Thanks Maxim for your assistance in any case, I learnt a few things on
the
way.

Regards,
Arno

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,260935,260957#msg-260957

This forum is not affiliated to the Ruby language, Ruby on Rails framework, nor any Ruby applications discussed here.

| Privacy Policy | Terms of Service | Remote Ruby Jobs