FreeKB - Nginx Resolve "This site can’t provide a secure connection"
Nginx - Resolve "This site can’t provide a secure connection"

This error appears when attempting to request a resource from Nginx using HTTPS with Chrome.


Likewise, Internet Explorer or Microsoft Edige should also display a similar message.


This error suggests some issue with the negotiation of the cipher between the client and server. Wireshark can be used to determine the ciphers that the client web browser can use, and the cipher being produced by Nginx.

Before modifying Nginx SSL/TLS settings, determine if the issue is client-side by navigating to and selecting tests that are similar to your Nginx setup. For example, if your Nginx site is using a self-signed certificate, select the "self-signed" option at If "This site can’t provide a secure connection" appears on, this suggests a client-side issue. For example, the client browser may be configured to refuse connections to sites using a self signed certificate.

Inside of the server block in the /etc/nginx/nginx.conf file will be SSL parameters. When creating the public certifcate and private key, a certain type of cipher will be used, such as RSA, DSA, or ECDSA. The browser will need to support the type of cipher being used by the public certificate and private key.

server {
   . . .
   ssl_certificate       /etc/pki/tls/Certificate.crt;
   ssl_certificate_key   /etc/pki/tls/Private.key;
   ssl_protocols         TLSv1 TLSv1.1 TLSv1.2;
   ssl_ciphers           HIGH:!aNULL:!MD5;


In the prior markup, ssl_ciphers is set to High and not Null and not MD5. If you would rather specify the ciphers being used, you can use one or more of the following ciphers.



In the log_format block in the /etc/nginx/nginx.conf file, add $ssl_protocol/$ssl_cipher. This will allow you to see what cipher was used.

log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                  '$status $body_bytes_sent "$http_referer" '
                  '"$http_user_agent" "$http_x_forwarded_for"';


The ps command can be used to determine if your system is using init or systemd. If PID 1 is init, then you will use the service command. If PID 1 is systemd, then you will use the systemctl command.

If your system is using systemd, use the systemctl command to restart nginx.

systemctl restart nginx


If your system is using init, use the chkconfig and service commands to restart nginx.

service nginx restart


The /var/log/nginx/access_log file will now include the SSL protocl and cipher that was used. - - [14/Jul/2017:19:28:12 -0500] "GET /Signin HTTP/1.1" TLSv1.2/ECDHE-RSA-AES128-GCM-SHA256 . . .


Add a Comment

We will never share your name or email with anyone. Enter your email if you would like to be notified when we respond to your comment.

Please enter c3580 in the box below so that we can be sure you are a human.


Web design by yours truely - me, myself, and I   |   |