Question

Receiving 503 on Nginx after setting Cloudflare's Origin Certificate

Posted March 9, 2021 523 views
NginxSecurityUbuntu 18.04

I have a Django app running with Nginx + Gunicorn. Before, I had a Let’s Encrypt Certificate and Cloudflare SSL encryption mode as Full. After deleting the Let’s Encrypt Cert and modifying everything on my Nginx server I followed this tutorial. Now every request returns 503.

Nginx /sites-enabled/:

server {
    listen 80;
    listen [::]:80;
    server_name my-site.com www.my-site.com;
    return 302 https://$server_name$request_uri;
}

server {
    # SSL configuration

    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    ssl        on;
    ssl_certificate         /etc/ssl/cert.pem;
    ssl_certificate_key     /etc/ssl/key.pem;
    ssl_client_certificate  /etc/ssl/cloudflare.crt;
    ssl_verify_client on;


    server_name my-site.com www.my-site.com;

    location = /favicon.ico {
        access_log off;
        log_not_found off;
    }

    location /static/ {
        root /home/sammy/myproject/app;
    }

    location / {
        include proxy_params;
        proxy_pass http://unix:/run/gunicorn.sock;
    }
}

Every status shows that everything is running and active.

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

×
Submit an Answer
2 answers

Hi there,

What I could suggest is checking your Nginx error log so you could see the actual error rather than the generic 503 error:

  • tail -100 /var/log/nginx/error.log

Feel free to share the error here as well so I could try to advise you further.

Regards,
Bobby

  • $ sudo tail -1000f /var/log/nginx/error.log
    2021/03/09 11:00:29 [crit] 2751#2751: *1 SSL_do_handshake() failed (SSL: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol) while SSL handshaking, client: 192.241.228.100, server: 0.0.0.0:443
    2021/03/09 11:13:01 [crit] 3253#3253: *8 SSL_do_handshake() failed (SSL: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol) while SSL handshaking, client: 94.102.49.190, server: 0.0.0.0:443
    2021/03/09 11:13:09 [crit] 3253#3253: *13 SSL_do_handshake() failed (SSL: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol) while SSL handshaking, client: 94.102.49.190, server: 0.0.0.0:443
    2021/03/09 11:13:10 [crit] 3253#3253: *15 SSL_do_handshake() failed (SSL: error:1420918C:SSL routines:tls_early_post_process_client_hello:version too low) while SSL handshaking, client: 94.102.49.190, server: 0.0.0.0:443
    2021/03/09 11:13:10 [crit] 3253#3253: *16 SSL_do_handshake() failed (SSL: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol) while SSL handshaking, client: 94.102.49.190, server: 0.0.0.0:443
    2021/03/09 11:13:11 [crit] 3253#3253: *18 SSL_do_handshake() failed (SSL: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol) while SSL handshaking, client: 94.102.49.190, server: 0.0.0.0:443
    2021/03/09 11:44:56 [crit] 3524#3524: *6 SSL_do_handshake() failed (SSL: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol) while SSL handshaking, client: 192.241.226.24, server: 0.0.0.0:443
    
    $ sudo tail -10000f /var/log/nginx/access.log
    45.155.205.225 - - [09/Mar/2021:13:12:14 +0000] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 302 170 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
    192.241.225.123 - - [09/Mar/2021:13:20:21 +0000] "GET /ReportServer HTTP/1.1" 302 170 "-" "Mozilla/5.0 zgrab/0.x"
    162.158.93.112 - - [09/Mar/2021:13:34:36 +0000] "GET /robots.txt HTTP/1.1" 302 170 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
    192.241.226.139 - - [09/Mar/2021:13:35:46 +0000] "GET /hudson HTTP/1.1" 302 170 "-" "Mozilla/5.0 zgrab/0.x"
    92.118.12.93 - - [09/Mar/2021:14:06:07 +0000] "\x03\x00\x00*%\xE0\x00\x00\x00\x00\x00Cookie: mstshash=Test" 400 182 "-" "-"
    20.188.35.5 - - [09/Mar/2021:14:06:30 +0000] "GET /.env HTTP/1.1" 302 170 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36"
    20.188.35.5 - - [09/Mar/2021:14:06:30 +0000] "POST / HTTP/1.1" 302 170 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36"
    223.25.98.58 - - [09/Mar/2021:15:50:49 +0000] "GET / HTTP/1.1" 302 170 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36"
    

Found the solution to this nightmare:
Instead of being a problem with Cloudflare’s SSL - altough my first thoughts were related to it because I changed the LetsEncrypt SSL certificate first - it was, indeed, a problem with how Nginx connects to Gunicorn. The server’s Nginx config is alright but the Gunicorn service was located in another folder, not in the one written in the OP.