Share

Question

Hello,

(Sorry for my bad english)

I have a weird problem. I set up my droplet and domain yesterday. I bought the domain on Hover and redirect it to Digital Ocean name servers. I also set up SSL using Let's Encrypt. Everything worked fine but after some hours, I had this error when trying to access my website: allodocteuronline.com doesn't allow connection... ERR_CONNECTION_REFUSED. I don't always get that error but only sometimes. Another weird thing is sometimes, the Hover default web page is displayed as if the DNS is not propagated yet. I don't see any error when analyzing my SSL with ssllabs.com. There is no error when I run sudo nginx -t. But I have this error in /var/log/nginx/error.log:

2017/04/13 11:57:20 [crit] 29675#29675: *389 SSL_do_handshake() failed (SSL: error:14094085:SSL routines:ssl3_read_bytes:ccs received early) while SSL handshaking, client: 64.41.200.105, server: 0.0.0.0:443

Answer 1

jtittle1 April 13, 2017

@ismaeltoe

What does your server block look like?

Reply

ismaeltoe April 14, 2017

See details here https://community.letsencrypt.org/t/my-domain-doesnt-allow-connection-err-connection-refused/32029

jtittle1 April 14, 2017

@ismaeltoe

64.41.200.105 looks like one of the IP's from SSL Labs and the error appears as one of the tests resulted in an error.

This could be due to the rather strict cipher suite (which is noted on raymii.org). Using such a strict suite does limit backwards compatibility. SSL Labs tests for that, which is why you'll see a few errors using such.

You may need to swap your current cipher listing with what is recommended, i.e:

ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";

Or use the listing provided by Mozilla.

ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';

The rest of the configuration looks to be in order though.

ismaeltoe April 14, 2017

Thank you! I made the changes. Let's see if it works.

Answer 2

ismaeltoe April 14, 2017

See details here https://community.letsencrypt.org/t/my-domain-doesnt-allow-connection-err-connection-refused/32029

jtittle1 April 14, 2017

@ismaeltoe

64.41.200.105 looks like one of the IP's from SSL Labs and the error appears as one of the tests resulted in an error.

This could be due to the rather strict cipher suite (which is noted on raymii.org). Using such a strict suite does limit backwards compatibility. SSL Labs tests for that, which is why you'll see a few errors using such.

You may need to swap your current cipher listing with what is recommended, i.e:

ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";

Or use the listing provided by Mozilla.

ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';

The rest of the configuration looks to be in order though.

ismaeltoe April 14, 2017

Thank you! I made the changes. Let's see if it works.

My domain doesn't allow connection

Leave a Comment

Share

Share your Question

My domain doesn't allow connection

Leave a Comment

Related Questions

Almost there!

Report a Bug