
I don't understand where nginx is getting the listen ... ssl directive from. It prevents nginx from starting...

/docker-entrypoint.sh: Configuration complete; ready for start up

2020/11/16 10:25:45 [emerg] 1#1: no "ssl_certificate" is defined for the "listen ... ssl" directive in etc/nginx/conf.d/default.conf:28

nginx: [emerg] no "ssl_certificate" is defined for the "listen ... ssl" directive in /etc/nginx/conf.d/default.conf:28

my conf.d/default.conf:

# redirect all traffic to https
#server {
#    listen 80 default_server;
#    listen [::]:80 default_server;
#    server_name _;
#    return 301 https://$host$request_uri;
#}

server {
    listen           80 default_server;
    listen      [::]:80 default_server;
    server_name _;

    # Write Access and Error logs
    access_log        /var/log/nginx/.access.log;
    error_log         /var/log/nginx/error.log;

    # CertBot needs either port 80 or 443 open to connect to the
    location ^~ /.well-known/acme-challenge/ {
        root           /var/www/letsencrypt;
    }

#    location / {
#        return 301 https://$host$request_uri;
#    }
}

server {
    listen       443;
    listen  [::]:443;
    server_name  _;

    #charset koi8-r;
    #access_log  /var/log/nginx/host.access.log  main;

    # Certificates
#    ssl_certificate         /etc/letsencrypt/live/.../fullchain.pem;
#    ssl_certificate_key     /etc/letsencrypt/live/.../fullchain.pem;
    # verify chain of trust of OCSP response using Root CA and Intermediate certs
#    ssl_trusted_certificate /etc/letsencrypt/live/.../fullchain.pem;

#    include ssl.conf;

    set $upstream_webfuse_com JS_upstream;

    location / {
        # allow CORS
        #add_header 'Access-Control-Allow-Origin' '*' always;

        include proxy.conf;
        resolver 127.0.0.11 valid=30s;
        proxy_pass http://$upstream_webfuse_com:3000;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection upgrade;

        #auth_basic "Restricted";
        #auth_basic_user_file /config/nginx/htpasswd;
    }

    #location / {
    #    root   /usr/share/nginx/html;
    #    index  index.html index.htm;
    #}

    #error_page  404              /404.html;

    # redirect server error pages to the static page /50x.html
    #
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }

    # proxy the PHP scripts to Apache listening on 127.0.0.1:80
    #
    #location ~ \.php$ {
    #    proxy_pass   http://127.0.0.1;
    #}

    # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000

    #location ~ \.php$ {
    #    root           /usr/share/nginx/html;
    #    fastcgi_pass   127.0.0.1:9000;
    #    fastcgi_index  index.php;
    #    fastcgi_param  SCRIPT_FILENAME  /scripts$fastcgi_script_name;
    #    include        fastcgi_params;
    #}

    # deny access to .htaccess files, if Apache's document root
    # concurs with nginx's one

    #location ~ /\.ht {
    #    deny  all;
    #}
}

server {
    listen      443;
# ssl http2;
    listen [::]:443;
# ssl http2;

    server_name coder.*;

    # Certificates
    #ssl_certificate         /etc/letsencrypt/live/.../fullchain.pem;
    #ssl_certificate_key     /etc/letsencrypt/live/.../fullchain.pem;
    # verify chain of trust of OCSP response using Root CA and Intermediate certs
    #ssl_trusted_certificate /etc/letsencrypt/live/.../fullchain.pem;

    #include ssl.conf;

    client_max_body_size 0;

    # CertBot needs either port 80 or 443 open to connect to the
    location ^~ /.well-known/acme-challenge/ {
        root           /var/www/letsencrypt;
    }

    location / {
        include proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_code_server coder;
        proxy_pass http://$upstream_code_server:8443;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection upgrade;
    }
}

3 Answers


You listen on port 443. That's the SSL port.

server {
listen       443;
listen  [::]:443;

You need to remove the listen on port 443, or add a certificate. Otherwise, it will not work.


3 Comments

hmm okay, I believe I had it working without before, while I was generating the ssl certs with certbot...
@controlol I also have the same issue - I've always commented out SSL settings in the 443 server block whilst provisioning the SSL certificate with certbot, then uncomment. However, now I don't seem to be able to, what's changed...
This solved my issue of listening on 443 without the need to define an SSL directive.

Actually, there is a different answer to that and I believe that is the correct one.

Using listen 443 ssl or ssl on in any other vhost within the same nginx instance takes precedence and forces every other vhost that is listening on 443 to define ssl_certificate. It's obviously a bug in my opinion, and I wasted about 4 hours debugging that weird behavior.

I just discovered this this morning, and it seems not to be documented in the official documentation.

Debian 11 Bullseye and nginx 1.18.0 from official repo.

2 Comments

Your nginx version is nearly three years old at this point. The issue you are describing could already be fixed. The current stable version is 1.22.1.
I've received an answer from a developer (I suppose); this is how sockets work. trac.nginx.org/nginx/ticket/2460
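To show what the first two answers amount to in practice, here is a corrected conf.d/default.conf written for this question; it is an added example, not the asker's file or anything from the nginx project. The ssl parameter belongs to the listening socket, which every server block on the same address:port shares, so the certificate is declared once at the http level (a conf.d file is included inside http, so bare directives land there) and every 443 listen carries ssl explicitly; the certificate paths, the EXAMPLE_DOMAIN name and the upstream host names are placeholders.

```nginx
# Added example for this question, not the asker's configuration.
# Directives outside server {} sit in the http context because conf.d/*.conf
# is included from inside http {}, so every server block below inherits them.
ssl_certificate     /etc/letsencrypt/live/EXAMPLE_DOMAIN/fullchain.pem;  # placeholder
ssl_certificate_key /etc/letsencrypt/live/EXAMPLE_DOMAIN/privkey.pem;    # placeholder
ssl_protocols       TLSv1.2 TLSv1.3;

# Plain HTTP: serve only the ACME challenge, redirect everything else.
server {
    listen      80 default_server;
    listen [::]:80 default_server;
    server_name _;

    location ^~ /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
    }
    location / {
        return 301 https://$host$request_uri;
    }
}

# Both servers below share the *:443 and [::]:443 sockets. An ssl parameter
# on either listen makes the whole socket TLS, so a bare "listen 443;" in
# any other block would still be checked for ssl_certificate. Keep ssl on
# every 443 listen so the intent is visible rather than inherited.
server {
    listen      443 ssl default_server;
    listen [::]:443 ssl default_server;
    server_name _;

    resolver 127.0.0.11 valid=30s;              # Docker embedded DNS
    set $upstream_app JS_upstream;              # placeholder service name
    location / {
        proxy_pass http://$upstream_app:3000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection upgrade;
    }
}

server {
    listen      443 ssl;
    listen [::]:443 ssl;
    server_name coder.*;

    resolver 127.0.0.11 valid=30s;
    set $upstream_code_server coder;            # placeholder service name
    client_max_body_size 0;
    location / {
        proxy_pass http://$upstream_code_server:8443;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection upgrade;
    }
}
```

Before the certificate exists, comment out the two 443 server blocks entirely rather than only their ssl_* lines, so nginx starts with the port 80 block alone and certbot can complete the challenge; then re-enable them and run nginx -t before reloading.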

In my case I configured my server block like this after the error I faced, mentioned above:

server {
    listen   443 ssl;
    #ssl    on;
}

Comments
