[SSL]VIRTUAL_HOST + (+.crt/.key) does not work for me #74

Closed
tobiasbaehr opened this Issue Dec 28, 2014 · 11 comments

tobiasbaehr commented Dec 28, 2014

  • My VIRTUAL_HOST is `mysite.dev`.
    -> So my files are `mysite.dev.crt` and `mysite.dev.key`.

But the nginx response in the log is:

`no "ssl_certificate" is defined in server listening on SSL port while SSL handshaking`

Which means it found something. \o/ ;-)

When I rename the files to default(.crt/.key), then it works.

What is wrong here?

ilijaljubicic commented Jan 9, 2015

Hi

I had the same issue and altered the nginx.tpl file by replacing:

`listen 443 ssl;`

with:

`listen 443 default_server ssl;`

in this part:

```nginx
server {
    error_log /app/file.log debug;

    server_name {{ $host }};
    listen 443 default_server ssl;
```

and it works now.

I did this by making a new image, Dockerfile:

```dockerfile
FROM jwilder/nginx-proxy
COPY ./nginx.tmpl /app/nginx.tmpl
```

log0ymxm commented Jan 9, 2015

This also worked for me. I've only got one ssl service running and a few non-ssl; will this cause an issue if there are multiple ssl services? Otherwise this is worth fixing.

phal0r commented Jan 14, 2015

I have some problems with your suggested fix. Is any of you running more than one docker image with ssl?

If I start one, everything is working, but if I start a second container that uses ssl I get the following error in nginx:

`[emerg] 35#0: a duplicate default server for 0.0.0.0:443 in /etc/nginx/conf.d/default.conf:243`

and it does not connect the second container to nginx. Any ideas?

Nitesedge commented Jan 14, 2015

How are you testing this fix? I tried to update the template after pulling and running the trusted image and ran into the same issue. When I built from the repo (git clone https://github.com/jwilder/nginx-proxy.git) it worked with no changes (since this fix was already in the repo).

edit: I have noticed that the nginx-proxy container needs to be restarted after adding an SSL cert or it directs the new one to the first site.

log0ymxm commented Jan 14, 2015

@phal0r I figured that might be an issue. I've only got the one ssl container.

phal0r commented Jan 14, 2015

@log0ymxm The behaviour is really strange. Now I am using the nginx-proxy without the fix suggested here and the following does work:

When you provide a crt and key for default AND the virtual host, ssl is working. If you only have one of the two, ssl is not working. However, I don't know which cert nginx is using, but it does not use the else branch in the template since the "Strict-Transport-Security" header is set. Maybe this is helpful for someone to investigate further.

Nitesedge commented Jan 14, 2015

As I mentioned, it works fine for me with multiple (9 non-ssl and 3 SSL) sites. I cloned the repo and performed a docker build before running the container. I suggest stop & start each time an SSL container is added as the dynamic doesn't seem to work correctly though I haven't had time to inspect the config files and determine why.

phal0r commented Jan 15, 2015

@Nitesedge Ah, I overread your response, sorry. I tested the trusted container from the docker hub, which has this issue, and then cloned the repo and applied this fix. This fix here is not included as far as I can see it in the nginx template, but I will try to build the Dockerfile from the repo as you suggested. Thanks for the tip.

phal0r commented Jan 22, 2015

Unfortunately, building the image from the repo didn't change anything for me.

pirelenito added a commit to pirelenito/nginx-proxy that referenced this issue Jan 22, 2015

fixes SSL support while mixing HTTPS and non-HTTPS services
nginx was throwing the following error: `no "ssl_certificate" is defined in server listening on SSL port while SSL handshaking`

ref: jwilder#74

stefanfoulis commented Feb 8, 2015

I get the `no "ssl_certificate" is defined in server listening on SSL port while SSL handshaking` error as soon as I have mixed SSL and non-SSL VirtualHosts.
When I see that error in the console, only the non-SSL sites work. I get `ERR_CONNECTION_RESET` in the browser when trying to connect to any SSL sites.

One workaround seems to be to add a `default.crt` and `default.key` (even if it's just a copy of any of the other certificates you're using).

It seems that in nginx it is not allowed to have a `listen 443 ssl;` without `ssl_certificate`. So changing

```nginx
server {
    server_name {{ $host }};
    listen 443 ssl;
    return 503;

    {{ if (and (exists "/etc/nginx/certs/default.crt") (exists "/etc/nginx/certs/default.key")) }}
    ssl_certificate /etc/nginx/certs/default.crt;
    ssl_certificate_key /etc/nginx/certs/default.key;
    {{ end }}
}
```

to

```nginx
{{ if (and (exists "/etc/nginx/certs/default.crt") (exists "/etc/nginx/certs/default.key")) }}
server {
    server_name {{ $host }};
    listen 443 ssl;
    return 503;

    ssl_certificate /etc/nginx/certs/default.crt;
    ssl_certificate_key /etc/nginx/certs/default.key;
}
{{ end }}
```

did the trick for me. Of course you'll potentially get the contents of a different site when connecting with https to a site which does not have a certificate.
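
An added example, not from the thread or the nginx-proxy project: a small linter for the generated `/etc/nginx/conf.d/default.conf` that flags the two failure modes reported above, a server listening with `ssl` but no `ssl_certificate`, and more than one `default_server` on the same listen address. The sample config and the names `server_blocks` and `lint` are constructed here; it assumes certificates are set inside each server block (as in the template quoted above), not inherited from the `http` context.

```python
import re

# Constructed sample of a generated /etc/nginx/conf.d/default.conf (not from the thread).
SAMPLE_CONF = """
server {
    server_name plain.example;
    listen 80;
}
server {
    server_name a.example;
    listen 443 default_server ssl;
    ssl_certificate /etc/nginx/certs/a.example.crt;
    ssl_certificate_key /etc/nginx/certs/a.example.key;
}
server {
    server_name b.example;
    listen 443 default_server ssl;
    return 503;
}
"""

def server_blocks(conf):
    """Yield the body of each `server { ... }` block, tracking brace depth for nested blocks."""
    for m in re.finditer(r"(?m)^\s*server\s*\{", conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield conf[m.end():i - 1]

def lint(conf):
    """Return findings for the two failure modes reported in the thread."""
    findings, defaults = [], {}
    for body in server_blocks(conf):
        name = m.group(1).strip() if (m := re.search(r"server_name\s+([^;]+);", body)) else "<unnamed>"
        for listen in re.findall(r"^\s*listen\s+([^;]+);", body, re.M):
            args = listen.split()
            if "ssl" in args and not re.search(r"^\s*ssl_certificate\s", body, re.M):
                findings.append(f"{name}: listen {args[0]} ssl without ssl_certificate")
            if "default_server" in args:  # keyed by the literal address/port argument
                defaults.setdefault(args[0], []).append(name)
    for addr, names in defaults.items():
        if len(names) > 1:
            findings.append(f"duplicate default_server on {addr}: {', '.join(names)}")
    return findings

if __name__ == "__main__":
    for finding in lint(SAMPLE_CONF):
        print(finding)
```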

tobiasbaehr commented Mar 18, 2015

My use case was fixed in #91. thx for the work.

byrnedo added a commit to byrnedo/nginx-proxy that referenced this issue May 8, 2015

fixes SSL support while mixing HTTPS and non-HTTPS services
nginx was throwing the following error: `no "ssl_certificate" is defined in server listening on SSL port while SSL handshaking`

ref: jwilder#74