
ssl - Nginx reverse proxy HTTPS error : (failed)net::ERR_SSL_PROTOCOL_ERROR - Stack Overflow


I added Nginx as a reverse proxy for my Node server; my certificates were generated by Let's Encrypt Certbot. Everything works fine when my Node is listening on port 443 and using the certificates, but when I use Nginx for listening on port 443 using the same certificates, I am having this error (from browser):

(failed)net::ERR_SSL_PROTOCOL_ERROR

Here is my Nginx site-available conf for my domain:

server{
    listen 443 ssl;
    server_name xxxxxx.hstgr.cloud;
    
    ssl_certificate /...path.../fullchain.pem;
    ssl_certificate_key /...path.../privkey.pem;
    
    location / {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $host;
        proxy_pass http://127.0.0.1:3000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        
        location /.well-known/acme-challenge/ {
            autoindex on;
            root  /...path.../.well-known/acme-challenge;
        }
    }
}

Can anyone enlighten me as to what is wrong with this conf giving the ERR_SSL_PROTOCOL_ERROR?

Asked Apr 1 at 5:15 by Jean-Loup; edited 2 days ago.
  • 2 What do the NGINX logfiles show? – robertklep Commented Apr 1 at 5:20
  • @robertklep unless I misunderstood something, it seems that no error is generated in the logs. The last errors are from a few hours ago and I do not see anything being written in error.log when I'm having errors on the browser side. My Nginx.conf has the right error_log /var/log/nginx/error.log; so I guess no error is generated in Nginx? – Jean-Loup Commented Apr 1 at 5:40
  • 2 Try openssl s_client -connect xxxxxx.hstgr.cloud:443 – robertklep Commented Apr 1 at 6:01
  • Web server administration is a very specific role, so I don't expect a typical developer to master it completely. Since you only mentioned "site-available conf" I assume you might not have access to other nginx config files (or you are familiar with how they work together). OpenSSL might get you some hints to move on, but you'd better ask your server administrators for help who should know more about how to troubleshoot such issues. – Lex Li Commented Apr 1 at 7:26
  • @robertklep I added the result of the openssl command, gave me some more clues and I'll check it out, thanks for the idea. In case you read this and see an obvious missing thing, let me know :) – Jean-Loup Commented Apr 2 at 7:42

1 Answer

Ok, here is the checklist of everything I did, including the steps that were already valid for me.

Maybe it can help someone else :

  • Make sure the configuration file in sites-available that you are working on is enabled for Nginx:

    ls -l /etc/nginx/sites-enabled/

    You should see a symlink with the same name as your file in sites-available. If not, you need to create it.


  • Make sure the Nginx configuration is correct :

    sudo nginx -t

    It should confirm that the test was successful. If not, fix it according to the message.


  • Make sure the certificates and the paths you are trying to use in your configuration file are correct (in my case) :

    sudo ls -l /etc/letsencrypt/live/xxxxxx.hstgr.cloud/

    This should list the required files. If not, regenerate your certificates or update their paths.

  • At the same time, make sure your certificate permissions allow Nginx to access them. If not, fix them.


  • Make sure your certificate is not expired (in my case) :

    openssl x509 -in /etc/letsencrypt/live/xxxxxxx.hstgr.cloud/fullchain.pem -noout -text | grep "Not After"

    If the expiration date has passed, regenerate your certificates.


  • Make sure there are no compatibility issues between your private and public keys (in my case) :

    openssl x509 -noout -modulus -in /etc/letsencrypt/live/xxxxxx.hstgr.cloud/fullchain.pem | openssl md5

    openssl rsa -noout -modulus -in /etc/letsencrypt/live/xxxxxx.hstgr.cloud/privkey.pem | openssl md5

    You should see the same string twice. If not, regenerate your certificates.


  • Make sure the correct file is loaded for port 443 :

    sudo nginx -T | grep -i "listen 443"

    You should see something like listen 443 ssl;

    In my case, there was an issue because I had listen 443 default_server;


  • Check the configurations that are listening on port 443 :

    sudo grep -R "listen 443" /etc/nginx/

    In my case I had a line with /etc/nginx/sites-enabled/default.conf: listen 443 default_server;

    The default.conf file was causing a conflict with my available-sites configuration because it was already listening on port 443 without SSL. So I removed the file and it fixed the error for me.

I hope this process can help people having issues with SSL configuration in Nginx. If you have anything to add to the checklist, feel free to update my post.
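
The certificate steps of the checklist above, gathered into one function as an added example (not part of the original answer). It compares the public keys directly instead of the RSA modulus, so it also works for the ECDSA keys that Certbot 2.0 and later generate by default; `check_cert_pair` and `make_sample_pair` are names made up here, and the sample pair is a throwaway self-signed certificate.

```shell
# Added example. Prints "ok" and returns 0 when cert and key belong together
# and the certificate stays valid for at least min_valid more seconds.
check_cert_pair() {
  cert=$1; key=$2; min_valid=${3:-0}
  [ -r "$cert" ] || { echo "cannot read $cert"; return 1; }
  [ -r "$key" ]  || { echo "cannot read $key"; return 1; }
  # x509 reads the first certificate in the file (the leaf in fullchain.pem)
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) ||
    { echo "$cert is not a PEM certificate"; return 1; }
  # pkey handles RSA and EC keys alike, unlike "openssl rsa -modulus"
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) ||
    { echo "$key is not a usable private key"; return 1; }
  [ "$cert_pub" = "$key_pub" ] ||
    { echo "private key does not match certificate"; return 1; }
  openssl x509 -in "$cert" -noout -checkend "$min_valid" >/dev/null ||
    { echo "certificate expired or expires within ${min_valid}s"; return 1; }
  echo "ok"
}

# Constructed sample data: a throwaway ECDSA key with a one-day self-signed
# certificate, plus an unrelated second key, written into directory $1.
make_sample_pair() {
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -subj "/CN=example.test" -days 1 \
    -keyout "$1/privkey.pem" -out "$1/fullchain.pem" 2>/dev/null &&
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 \
    -out "$1/other.pem" 2>/dev/null
}

demo_dir=$(mktemp -d)
if make_sample_pair "$demo_dir"; then
  check_cert_pair "$demo_dir/fullchain.pem" "$demo_dir/privkey.pem"        || true
  check_cert_pair "$demo_dir/fullchain.pem" "$demo_dir/other.pem"          || true
  check_cert_pair "$demo_dir/fullchain.pem" "$demo_dir/privkey.pem" 172800 || true
fi
rm -rf "$demo_dir"
```

Run it as the user Nginx starts under (or with sudo) so that the readability test reflects what the server itself can open.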
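
The last two checklist steps as an added example, not part of the original answer: a filter over `nginx -T` output that reports every `listen` directive on port 443 with no `ssl` parameter, together with the file it came from. `find_plain_443` and the sample dump (including `example.conf` and `example.test`) are constructed for illustration, and the parser assumes one directive per line.

```shell
# Reads `nginx -T` output on stdin and prints "file: directive" for each
# listen on port 443 that carries neither "ssl" nor "quic" (UDP/HTTP3).
find_plain_443() {
  awk '
    # nginx -T prefixes each dumped file with "# configuration file <path>:"
    /^# configuration file / { file = $4; sub(/:$/, "", file); next }
    {
      line = $0
      sub(/#.*$/, "", line)                    # drop trailing comments
      if (line !~ /^[ \t]*listen[ \t]/) next
      sub(/^[ \t]*listen[ \t]+/, "", line)
      sub(/[ \t]*;.*$/, "", line)
      n = split(line, arg, /[ \t]+/)
      port = arg[1]
      sub(/^.*:/, "", port)                    # "[::]:443" or "*:443" -> "443"
      if (port != "443") next
      tls = 0
      for (i = 2; i <= n; i++)
        if (arg[i] == "ssl" || arg[i] == "quic") tls = 1
      if (!tls) print file ": listen " line ";"
    }
  '
}

# Constructed sample of `nginx -T` output (not taken from a real host)
sample_nginx_T() {
  cat <<'EOF'
# configuration file /etc/nginx/nginx.conf:
include /etc/nginx/sites-enabled/*;

# configuration file /etc/nginx/sites-enabled/default.conf:
server {
    listen 80 default_server;
    listen 443 default_server;
}

# configuration file /etc/nginx/sites-enabled/example.conf:
server {
    listen 443 ssl;
    listen [::]:443;   # IPv6 listener missing ssl
    server_name example.test;
}
EOF
}

sample_nginx_T | find_plain_443
```

On a live host, feed it the real dump with `sudo nginx -T 2>/dev/null | find_plain_443`; an empty result means every listener on 443 is declared with TLS.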
