Reputation: 88
I don't understand where nginx is getting the listen ... ssl directive from. It prevents nginx from starting...
/docker-entrypoint.sh: Configuration complete; ready for start up
2020/11/16 10:25:45 [emerg] 1#1: no "ssl_certificate" is defined for the "listen ... ssl" directive in etc/nginx/conf.d/default.conf:28
nginx: [emerg] no "ssl_certificate" is defined for the "listen ... ssl" directive in /etc/nginx/conf.d/default.conf:28
my conf.d/default.conf:
# redirect all traffic to https
#server {
# listen 80 default_server;
# listen [::]:80 default_server;
# server_name _;
# return 301 https://$host$request_uri;
#}
# Plain-HTTP catch-all server on port 80 (default_server for IPv4 and IPv6).
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name _;
# Write Access and Error logs
# NOTE(review): ".access.log" is a dot-file name, possibly a typo for "access.log"; confirm.
access_log /var/log/nginx/.access.log;
error_log /var/log/nginx/error.log;
# CertBot needs either port 80 or 443 open to connect to the server
# (the original comment was cut off after "to the").
# ACME challenge files are served from the /var/www/letsencrypt webroot.
location ^~ /.well-known/acme-challenge/ {
root /var/www/letsencrypt;
}
# The HTTP -> HTTPS redirect below is commented out, so requests outside the
# challenge path are answered over plain HTTP instead of being redirected.
# location / {
# return 301 https://$host$request_uri;
# }
}
# Catch-all server on port 443 that reverse-proxies every request to the
# upstream named by $upstream_webfuse_com on port 3000.
server {
# NOTE(review): neither listen line carries the `ssl` parameter and the
# certificate directives below are commented out. nginx still reports
# "listen ... ssl" for this file, so the 443 socket is presumably put into
# SSL mode by configuration not shown here (another file with `listen 443 ssl`,
# or an include); `nginx -T` prints the full effective configuration to check.
# Without `ssl`, this block would serve unencrypted HTTP on port 443.
listen 443;
listen [::]:443;
server_name _;
#charset koi8-r;
#access_log /var/log/nginx/host.access.log main;
# Certificates
# NOTE(review): when these lines are re-enabled, ssl_certificate_key must point
# at the private key (certbot writes privkey.pem next to fullchain.pem), not at
# fullchain.pem as written below.
# ssl_certificate /etc/letsencrypt/live/.../fullchain.pem;
# ssl_certificate_key /etc/letsencrypt/live/.../fullchain.pem;
# verify chain of trust of OCSP response using Root CA and Intermediate certs
# ssl_trusted_certificate /etc/letsencrypt/live/.../fullchain.pem;
# include ssl.conf;
# Upstream host name kept in a variable so proxy_pass resolves it at request
# time through the resolver configured below.
set $upstream_webfuse_com JS_upstream;
location / {
# allow CORS
#add_header 'Access-Control-Allow-Origin' '*' always;
include proxy.conf;
# 127.0.0.11 is Docker's embedded DNS resolver; answers are cached for 30s.
resolver 127.0.0.11 valid=30s;
# The hop from nginx to the upstream uses plain HTTP.
proxy_pass http://$upstream_webfuse_com:3000;
# Forward the Upgrade header and always send "Connection: upgrade"
# (presumably for WebSocket support; confirm against the upstream).
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection upgrade;
# Basic auth is commented out: this location does not authenticate requests
# itself, so any access control has to come from the upstream.
#auth_basic "Restricted";
#auth_basic_user_file /config/nginx/htpasswd;
}
#location / {
# root /usr/share/nginx/html;
# index index.html index.htm;
#}
#error_page 404 /404.html;
# redirect server error pages to the static page /50x.html
#
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
# proxy the PHP scripts to Apache listening on 127.0.0.1:80
#
#location ~ \.php$ {
# proxy_pass http://127.0.0.1;
#}
# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
#location ~ \.php$ {
# root /usr/share/nginx/html;
# fastcgi_pass 127.0.0.1:9000;
# fastcgi_index index.php;
# fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
# include fastcgi_params;
#}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#location ~ /\.ht {
# deny all;
#}
}
# Server for coder.* host names on port 443, reverse-proxying to the "coder"
# upstream on port 8443.
server {
# NOTE(review): the `ssl http2` parameters are commented out on both listen
# lines, so this block does not itself request TLS on port 443; with the
# certificate directives below also disabled, traffic to the proxied service
# would be unencrypted unless TLS is configured elsewhere. Confirm.
listen 443;
# ssl http2;
listen [::]:443;
# ssl http2;
server_name coder.*;
# Certificates
# NOTE(review): when re-enabled, ssl_certificate_key must point at the private
# key (certbot's privkey.pem), not at fullchain.pem as written below.
#ssl_certificate /etc/letsencrypt/live/.../fullchain.pem;
#ssl_certificate_key /etc/letsencrypt/live/.../fullchain.pem;
# verify chain of trust of OCSP response using Root CA and Intermediate certs
#ssl_trusted_certificate /etc/letsencrypt/live/.../fullchain.pem;
#include ssl.conf;
# 0 disables nginx's check of the client request body size (no upload limit).
client_max_body_size 0;
# CertBot needs either port 80 or 443 open to connect to the server
# (the original comment was cut off after "to the").
location ^~ /.well-known/acme-challenge/ {
root /var/www/letsencrypt;
}
location / {
include proxy.conf;
# 127.0.0.11 is Docker's embedded DNS resolver; answers are cached for 30s.
resolver 127.0.0.11 valid=30s;
# Upstream name held in a variable so it is resolved at request time.
set $upstream_code_server coder;
# The hop from nginx to the upstream uses plain HTTP.
proxy_pass http://$upstream_code_server:8443;
# Forward the Upgrade header and always send "Connection: upgrade"
# (presumably for WebSocket support; confirm against the upstream).
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection upgrade;
}
}
Upvotes: 3
Views: 7353
Reputation: 96
In my case, I configured my server block like this after I hit the error mentioned above:
server {
# The `ssl` parameter puts this listening socket into TLS mode; a certificate
# and key must then be configured with ssl_certificate / ssl_certificate_key,
# which this excerpt does not show.
listen 443 ssl;
# `ssl on` is the older directive form, deprecated in favour of `listen ... ssl`.
#ssl on;
}
Upvotes: 0
Reputation: 674
You listen on port 443. That's the SSL port.
server {
listen 443;
listen [::]:443;
You need to remove the listen on port 443, or add a certificate. Otherwise, it will not work.
Upvotes: 5
Reputation: 11
Actually, there is a different answer to that and I believe that is the correct one.
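Using `listen 443 ssl` or `ssl on` in any other vhost within the same nginx instance takes precedence and forces every other vhost that listens on 443 to define `ssl_certificate`. (The `ssl` parameter applies to the listening socket, i.e. the address:port pair, so it affects every server block that shares that socket.) In my opinion it's obviously a bug, and I wasted about 4 hours debugging that weird behavior.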
I just discovered this this morning, and it does not seem to be documented in the official documentation.
Debian 11 Bullseye and nginx 1.18.0 from official repo.
Upvotes: 1