Resolve "This site can’t provide a secure connection" with Nginx


This error appears when attempting to request a resource from Nginx using HTTPS with Chrome.

Likewise, Internet Explorer or Microsoft Edge should also display a similar message.

This error suggests an issue with the negotiation of the cipher between the client and server. Wireshark can be used to determine the ciphers that the client web browser offers, and the cipher selected by Nginx.

Before modifying Nginx SSL/TLS settings, determine if the issue is client-side by navigating to https://badssl.com and selecting tests that are similar to your Nginx setup. For example, if your Nginx site is using a self-signed certificate, select the "self-signed" option at badssl.com. If "This site can’t provide a secure connection" appears on badssl.com, this suggests a client-side issue. For example, the client browser may be configured to refuse connections to sites using a self-signed certificate.

Inside the server block in the /etc/nginx/nginx.conf file are the SSL parameters. When creating the public certificate and private key, a certain key algorithm is used, such as RSA, DSA, or ECDSA. The browser needs to support cipher suites that use the key algorithm of the public certificate and private key.

server {
   . . .
   ssl_certificate       /etc/pki/tls/Certificate.crt;
   ssl_certificate_key   /etc/pki/tls/Private.key;
   ssl_protocols         TLSv1 TLSv1.1 TLSv1.2;
   ssl_ciphers           HIGH:!aNULL:!MD5;
}

In the prior markup, ssl_ciphers is set to HIGH:!aNULL:!MD5, which selects the HIGH cipher group and excludes aNULL (unauthenticated) and MD5-based cipher suites. If you would rather specify the ciphers being used, you can use one or more of the following cipher strings.

EECDH+ECDSA+AESGCM 
EECDH+aRSA+AESGCM 
EECDH+ECDSA+SHA384 
EECDH+ECDSA+SHA256 
EECDH+aRSA+SHA384 
EECDH+aRSA+SHA256 
EECDH+aRSA+RC4 
EECDH 
EDH+aRSA 
RC4

In the log_format directive in the /etc/nginx/nginx.conf file, add $ssl_protocol/$ssl_cipher. This will allow you to see which protocol and cipher were used.

log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                  '$ssl_protocol/$ssl_cipher '
                  '$status $body_bytes_sent "$http_referer" '
                  '"$http_user_agent" "$http_x_forwarded_for"';

Restart nginx, and ensure nginx is active and running.

[root@server1 ~]# systemctl restart nginx
[root@server1 ~]# systemctl status nginx

The /var/log/nginx/access_log file will now include the SSL protocol and cipher that was used.

10.1.15.14 - - [14/Jul/2017:19:28:12 -0500] "GET /Signin HTTP/1.1" TLSv1.2/ECDHE-RSA-AES128-GCM-SHA256 . . .
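With the protocol and cipher logged, the access log can be summarized to show which protocol/cipher pairs clients actually negotiate, and which clients still rely on legacy ones, before ssl_protocols or ssl_ciphers is tightened. The following Python script is an added example, not part of the original article; the legacy lists, function names and sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# The "$ssl_protocol/$ssl_cipher" field directly after the quoted request.
# Plain-HTTP requests log "-/-" there and do not match.
TLS_FIELD = re.compile(r'" ((?:TLS|SSL)v[\d.]+)/([A-Za-z0-9_-]+)')

# Assumption: what counts as legacy in this example. TLS 1.0/1.1 were
# deprecated by RFC 8996 and RC4 was prohibited by RFC 7465.
LEGACY_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}
LEGACY_CIPHER_PARTS = ("RC4", "MD5", "DES", "NULL")


def parse_tls_field(line):
    """Return (protocol, cipher) for an HTTPS request line, else None."""
    match = TLS_FIELD.search(line)
    return match.groups() if match else None


def is_legacy(protocol, cipher):
    return protocol in LEGACY_PROTOCOLS or any(
        part in cipher for part in LEGACY_CIPHER_PARTS)


def summarize(lines):
    """Tally negotiated pairs and map client address -> legacy pairs seen."""
    counts, legacy_clients = Counter(), {}
    for line in lines:
        pair = parse_tls_field(line)
        if pair is None:
            continue
        counts[pair] += 1
        if is_legacy(*pair):
            legacy_clients.setdefault(line.split()[0], set()).add(pair)
    return counts, legacy_clients


# Constructed sample lines in the log format above (not real traffic).
SAMPLE_LOG = [
    '10.1.15.14 - - [14/Jul/2017:19:28:12 -0500] "GET /Signin HTTP/1.1" TLSv1.2/ECDHE-RSA-AES128-GCM-SHA256 200 512 "-" "Mozilla/5.0" "-"',
    '10.1.15.20 - - [14/Jul/2017:19:29:01 -0500] "GET / HTTP/1.1" TLSv1/ECDHE-RSA-AES256-SHA 200 1024 "-" "OldClient/1.0" "-"',
    '10.1.15.21 - - [14/Jul/2017:19:30:40 -0500] "GET / HTTP/1.1" TLSv1.2/ECDHE-RSA-RC4-SHA 200 1024 "-" "OldClient/2.0" "-"',
    '10.1.15.14 - - [14/Jul/2017:19:31:05 -0500] "GET / HTTP/1.1" -/- 301 178 "-" "Mozilla/5.0" "-"',
]

if __name__ == "__main__":
    counts, legacy_clients = summarize(SAMPLE_LOG)
    print(counts.most_common(), legacy_clients, sep="\n")
```

To run it against a real log, pass an open file handle for the access log to summarize() instead of SAMPLE_LOG.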



