How to Troubleshoot Nginx SSL Handshake failure?

I'm trying to configure HTTPS for nginx on Ubuntu 16.04. I've already set it up with listen 443 ssl statements, and told it where to find the certificate and private key files. After that I restarted the server with sudo service nginx restart.

Now when I curl https://my_ip_address, I get the following message:

curl: (35) gnutls_handshake() failed: Handshake failed

I've checked the two log files I know about, /var/log/nginx/access.log and /var/log/nginx/error.log, but neither shows any trace of the request.

My question: Does anything get logged when the SSL handshake fails? If so, where? In general, how do I troubleshoot problems like this, where there is an error in the SSL protocol before the HTTP request is sent to, or extracted by, the server?

EDIT: I got it to work by removing the following lines from my config:

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;

Update: The ssl_ecdh_curve secp384r1; line seemed to be causing the problem. Without it, everything works fine, but with it, the SSL handshake fails. Curiously, the error message is that there is "no shared cipher". I'm not sure what it does, so I just removed it. I also removed the ssl_stapling stuff because I don't know what it is for, and it was creating its own error messages.


Solution 1:

As @Paul said, the solution was to raise the log level. I changed a line in my nginx.conf file, so it now reads as follows:

error_log  /var/log/nginx/error.log debug;

And now that the log level is higher, it logs ssl handshake errors:

2016/09/19 22:38:08 [info] 10114#10114: *2 SSL_do_handshake() failed (SSL: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher) while SSL handshaking, client: 108.162.242.24, server: 0.0.0.0:443
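Once the log level is raised, the handshake failures are only useful if you can triage them across many connections. The following is an added example, not code from the question or either answer: a Python parser for nginx error_log lines that picks out SSL_do_handshake() failures, extracts the OpenSSL reason and the client address, and counts both, so a server-side misconfiguration ("no shared cipher" from every client) stands apart from one client probing with old protocol versions. The line layout is assumed from the single line quoted above; the sample lines other than that one are constructed.

```python
import re
from collections import Counter

# Constructed sample of nginx error_log lines at "info" level: the first is the one
# quoted in the answer above, the rest are made up (TEST-NET client addresses).
SAMPLE_LOG = """\
2016/09/19 22:38:08 [info] 10114#10114: *2 SSL_do_handshake() failed (SSL: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher) while SSL handshaking, client: 108.162.242.24, server: 0.0.0.0:443
2016/09/19 22:38:09 [info] 10114#10114: *3 SSL_do_handshake() failed (SSL: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher) while SSL handshaking, client: 203.0.113.7, server: 0.0.0.0:443
2016/09/19 22:38:10 [info] 10114#10114: *4 SSL_do_handshake() failed (SSL: error:1408F10B:SSL routines:ssl3_get_record:wrong version number) while SSL handshaking, client: 203.0.113.7, server: 0.0.0.0:443
2016/09/19 22:38:11 [error] 10114#10114: *5 open() "/var/www/html/x" failed (2: No such file or directory), client: 203.0.113.9, server: _, request: "GET /x HTTP/1.1", host: "example.test"
"""

# nginx error_log line layout, assumed from the sample:
# "<date> <time> [<level>] <pid>#<tid>: *<conn> <message>, client: ..., server: ..."
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\] "
    r"(?P<pid>\d+)#(?P<tid>\d+): (?:\*(?P<conn>\d+) )?(?P<msg>.*)$"
)
# Trailing ", key: value" context fields that nginx appends to the message.
CTX_SPLIT_RE = re.compile(r", (?=(?:client|server|request|host|upstream|referrer): )")
# OpenSSL error string embedded in the message: "(SSL: error:<code>:<lib>:<func>:<reason>)".
SSL_ERR_RE = re.compile(
    r"\(SSL: error:(?P<code>[0-9A-Fa-f]+):(?P<lib>[^:]+):(?P<func>[^:]+):(?P<reason>[^)]+)\)"
)

def parse_handshake_failure(line):
    """Return a dict for an SSL handshake failure line, or None for any other line."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m or "while SSL handshaking" not in m.group("msg"):
        return None
    head, *ctx = CTX_SPLIT_RE.split(m.group("msg"))
    fields = dict(part.partition(": ")[::2] for part in ctx)
    err = SSL_ERR_RE.search(head)
    return {
        "time": m.group("ts"),
        "client": fields.get("client"),
        "server": fields.get("server"),
        "func": err.group("func") if err else None,
        "reason": err.group("reason") if err else head,
    }

def summarize(lines):
    """Count handshake failures per OpenSSL reason and per client address."""
    by_reason, by_client = Counter(), Counter()
    for rec in filter(None, map(parse_handshake_failure, lines)):
        by_reason[rec["reason"]] += 1
        by_client[rec["client"]] += 1
    return by_reason, by_client
```

Feed it the real file with `summarize(open("/var/log/nginx/error.log"))`; a reason shared by every client points at the server configuration, while a reason confined to one address is that client's problem.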

Solution 2:

Actually, you have used the option ssl_ecdh_curve to configure Diffie-Hellman key exchange in Nginx, but you have not provided a parameter file. Therefore you have to use the option ssl_dhparam and must create a file with openssl.

Create file:

openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096

Use the file and the above Diffie-Hellman configuration in Nginx:

ssl_dhparam                     /etc/ssl/certs/dhparam.pem;
ssl_ecdh_curve                  secp384r1;