Related

Tool NGINX Config Generator Tool
ERR_TOO_MANY_REDIRECTS Question Question
How to prevent bad caching on Users Browsers with Virtual Hosts on NGINX Question Question

Question

My domain doesn't allow connection

Posted April 13, 2017 3.6k views
NginxUbuntu 16.04

Hello,

(Sorry for my bad english)

I have a weird problem. I set up my droplet and domain yesterday. I bought the domain on Hover and redirect it to Digital Ocean name servers. I also set up SSL using Let’s Encrypt. Everything worked fine but after some hours, I had this error when trying to access my website: allodocteuronline.com doesn't allow connection... ERR_CONNECTION_REFUSED. I don’t always get that error but only sometimes. Another weird thing is sometimes, the Hover default web page is displayed as if the DNS is not propagated yet. I don’t see any error when analyzing my SSL with ssllabs.com. There is no error when I run sudo nginx -t. But I have this error in /var/log/nginx/error.log:

2017/04/13 11:57:20 [crit] 29675#29675: *389 SSL_do_handshake() failed (SSL: error:14094085:SSL routines:ssl3_read_bytes:ccs received early) while SSL handshaking, client: 64.41.200.105, server: 0.0.0.0:443
Add a comment
ismaeltoe
By:
ismaeltoe
Add a comment

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

×
1 answer
jtittle1 April 13, 2017

@ismaeltoe

What does your server block look like?

Reply Report
  • ismaeltoe April 14, 2017
    Reply Report
    • jtittle1 April 14, 2017

      @ismaeltoe

      64.41.200.105 looks like one of the IP’s from SSL Labs and the error appears as one of the tests resulted in an error.

      This could be due to the rather strict cipher suite (which is noted on raymii.org). Using such a strict suite does limit backwards compatibility. SSL Labs tests for that, which is why you’ll see a few errors using such.

      You may need to swap your current cipher listing with what is recommended, i.e:

      ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";

      Or use the listing provided by Mozilla.

      ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';

      The rest of the configuration looks to be in order though.

      Reply Report
Submit an Answer

Related

Looking for something else?

Ask a new question Search for more help