Hi all,

Problem found.
This really was caused by an SSL cert name mismatch.

> On 23 Jan 2018, at 20:27, Sophie Loewenthal <[email protected]> wrote:
>
> Hi,
>
> Chrome and Firefox can connect to my webserver over https running http2.
> Safari 11 cannot, and gave no error messages other than "cannot connect".
>
> There is a certificate name mismatch, but I thought Safari would still let me
> know why it did not connect. The SSL cert is otherwise valid.
>
> I enabled debug on the vhost and had this logged below, but this does not
> tell me much. How could I investigate this further?
>
>
> 2018/01/23 19:17:35 [debug] 16054#16054: *1 SSL certificate status callback
> 2018/01/23 19:17:35 [debug] 16054#16054: *1 SSL ALPN supported by client: h2
> 2018/01/23 19:17:35 [debug] 16054#16054: *1 SSL ALPN supported by client: h2-16
> 2018/01/23 19:17:35 [debug] 16054#16054: *1 SSL ALPN supported by client: h2-15
> 2018/01/23 19:17:35 [debug] 16054#16054: *1 SSL ALPN supported by client: h2-14
> 2018/01/23 19:17:35 [debug] 16054#16054: *1 SSL ALPN supported by client: spdy/3.1
> 2018/01/23 19:17:35 [debug] 16054#16054: *1 SSL ALPN supported by client: spdy/3
> 2018/01/23 19:17:35 [debug] 16054#16054: *1 SSL ALPN supported by client: http/1.1
> 2018/01/23 19:17:35 [debug] 16054#16054: *1 SSL ALPN selected: h2
> 2018/01/23 19:17:35 [debug] 16054#16054: *1 SSL_do_handshake: -1
> 2018/01/23 19:17:35 [debug] 16054#16054: *1 SSL_get_error: 2
> 2018/01/23 19:17:35 [debug] 16054#16054: *1 epoll add event: fd:3 op:1 ev:80002001
> 2018/01/23 19:17:35 [debug] 16054#16054: *1 event timer add: 3: 12000:1516735067367
> 2018/01/23 19:17:35 [debug] 16054#16054: *1 reusable connection: 0
> 2018/01/23 19:17:35 [debug] 16054#16054: *1 SSL handshake handler: 0
> 2018/01/23 19:17:35 [debug] 16054#16054: *1 SSL_do_handshake: -1
> 2018/01/23 19:17:35 [debug] 16054#16054: *1 SSL_get_error: 5
> 2018/01/23 19:17:35 [info] 16054#16054: *1 peer closed connection in SSL handshake while SSL handshaking, client: 178.xx.xx.xxx, server: 0.0.0.0:443
> 2018/01/23 19:17:35 [debug] 16054#16054: *1 close http connection: 3
> 2018/01/23 19:17:35 [debug] 16054#16054: *1 event timer del: 3: 1516735067367
> 2018/01/23 19:17:35 [debug] 16054#16054: *1 reusable connection: 0
> 2018/01/23 19:17:35 [debug] 16054#16054: *1 free: 0000561F72E17370, unused: 112
>
>
> The vhost is the same as the one I emailed about earlier:
>
>     listen [::]:443 ipv6only=on ssl http2 ;
>
>     server_name xx.com xx.com;
>     root /var/www/xx.com;
>     access_log /var/log/nginx/access.log combined_ssl;
>     error_log /var/log/nginx/error.log debug ;
>
>     ssl_certificate /etc/letsencrypt/live/xx/fullchain.pem ;
>     ssl_certificate_key /etc/letsencrypt/live/xx/privkey.pem ;
>     ssl_prefer_server_ciphers on;
>     ssl_protocols TLSv1.2;
>     ssl_ecdh_curve secp384r1;
>     ssl_session_timeout 9m;
>     ssl_session_tickets off;
>     ssl_stapling on;
>     ssl_stapling_verify on;
>     ssl_trusted_certificate /etc/letsencrypt/live/xx/chain.pem;
>     resolver 127.0.0.1 8.8.8.8 valid=300s;
>     resolver_timeout 2s;
>     #
>     add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
>     #add_header Strict-Transport-Security "max-age=0;";
>     add_header X-Content-Type-Options nosniff;
>     add_header X-XSS-Protection "1; mode=block";
>     add_header Referrer-Policy "no-referrer";
>     more_set_headers "Server: MyServerName";
>
>
> Best, Sophie.
>
>
> _______________________________________________
> nginx mailing list
> [email protected]
> http://mailman.nginx.org/mailman/listinfo/nginx
