When browsers report "Connection timeout" errors against an Nginx SSL configuration, the TCP SYN or the TLS ClientHello is going unanswered; a certificate problem would produce a warning page, not a timeout. So verify the infrastructure layers from the bottom up, starting with basic port accessibility on the server:
# Test if port 443 is listening
netstat -tuln | grep 443
# Or using ss (modern alternative)
ss -tuln | grep 443
# Verify firewall rules (on nftables-based hosts use `nft list ruleset` instead)
iptables -L -n -v | grep 443
For a StartSSL certificate (or any CA-issued one), Nginx must be handed the leaf certificate followed by the intermediate(s) in a single file. A broken chain shows up in browsers as a certificate error rather than a timeout, so getting it right rules this layer out. Note that StartSSL/StartCom has been distrusted by all major browsers since 2017 and the CA has ceased operating, so a certificate from it will fail validation regardless of chain order; a self-signed certificate can be used the same way for testing.
# Correct way to combine certificates: leaf first, then the intermediate(s)
cat your_domain.crt startssl_intermediate.crt > nginx.pem
# Verify that the leaf chains up to a trusted root. openssl verify only checks the first
# certificate of its argument, so pass the bundle as untrusted chain material instead
openssl verify -CAfile /path/to/trusted_ca.crt -untrusted nginx.pem your_domain.crt
Once the port answers, bring the server block up to current standards (none of the hardening below fixes a timeout, but it removes the next round of browser complaints):
server {
    listen 443 ssl http2;        # nginx 1.25.1+ prefers a separate `http2 on;` directive
    listen [::]:443 ssl http2;
    server_name tarror.org www.tarror.org;
    # Certificate paths (absolute paths recommended). The .pem must hold the
    # leaf certificate followed by the intermediate(s); the key stays root-only
    ssl_certificate /etc/ssl/certs/nginx_fullchain.pem;
    ssl_certificate_key /etc/ssl/private/nginx.key;
    # Modern SSL configuration (ssl_ciphers does not affect the TLS 1.3 suites)
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384...';
    # HSTS header. Enable only once HTTPS is known to work: browsers cache it for
    # max-age. add_header is not inherited by a location that sets its own headers
    add_header Strict-Transport-Security "max-age=31536000" always;
    # OCSP stapling. Nginx needs a resolver to reach the OCSP responder, and with
    # ssl_stapling_verify on it checks the response against ssl_trusted_certificate
    resolver 127.0.0.1 valid=300s;   # address of your own DNS resolver (placeholder)
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
    # Your existing PHP configuration
    root /wdata/tarror.org;
    index index.php index.htm index.html;
    location ~ \.php$ {
        fastcgi_pass 127.0.0.1:9000;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
}
Use these diagnostic tools when SSL connections fail:
# Test SSL handshake; -servername sends SNI and -showcerts prints the chain the server actually sent
openssl s_client -connect tarror.org:443 -servername tarror.org -showcerts </dev/null
# Check for network-level issues with TCP probes to 443 (ICMP/UDP traceroute is often filtered where TCP/443 is not)
traceroute -T -p 443 tarror.org
tcptraceroute tarror.org 443
# Follow the Nginx error log; if it stays empty, set `error_log /var/log/nginx/error.log debug;`, reload nginx and retry
tail -n 100 -f /var/log/nginx/error.log
Frequent issues that cause SSL timeouts:
- Firewall blocking inbound 443 on the server (or, on a locked-down client network, outbound 443; check both ends)
- Incorrect certificate chain (missing intermediates); this produces a certificate warning rather than a timeout, but it is the next thing the browser will complain about
- Mismatched domain names in the certificate (CN or SAN fields); likewise a certificate error, not a timeout
- Port conflict (another service already bound 443, so nginx failed to bind; `nginx -t` and the error log show it)
- IPv6 misconfiguration: an AAAA record published but no `listen [::]:443` or no IPv6 firewall rules; browsers try IPv6 first, so test both address families
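As an added example (not code from the original answer), the following POSIX shell script automates the checks above in one pass: it parses `ss -tuln` output to see which address families actually have a listener on 443, lists firewall rules that mention the port from either iptables or nftables, and performs an SNI handshake whose output separates network failures from chain failures. The `ss` parsing functions take their input on stdin, so the script embeds a constructed `ss` table (not captured from a real host) that exercises them offline; `HOST` defaults to the domain from the answer and is only contacted when the script is invoked with `run`.

```shell
#!/bin/sh
# Added diagnostic script; not part of the original answer. Assumes a Linux host
# with iproute2 `ss`, GNU coreutils `timeout`, the OpenSSL CLI and, for the
# firewall check, iptables and/or nftables. HOST is a placeholder value.
HOST="${HOST:-tarror.org}"

# Print every local address with a TCP listener on port $1.
# Reads an `ss -tuln` table on stdin so it can be run against captured output.
listeners_on_port() {
    awk -v port="$1" '
        $1 == "tcp" && $2 == "LISTEN" {
            n = split($5, p, ":")      # the port is the last colon-separated field
            if (p[n] == port) print $5
        }'
}

# Classify the listeners on port $1 by address family (stdin = ss table).
# Nginx binds 0.0.0.0 and [::] as separate sockets (ipv6only=on by default),
# so a missing family means clients on that family are refused or time out
# even though "the port is open" for the other one.
listener_families() {
    v4=0; v6=0
    for addr in $(listeners_on_port "$1"); do
        case "$addr" in
            \[*\]:*|:::*) v6=1 ;;    # [::]:443 (current ss) or :::443 (old ss)
            *)            v4=1 ;;    # 0.0.0.0:443 or *:443
        esac
    done
    if [ "$v4" = 1 ] && [ "$v6" = 1 ]; then echo both
    elif [ "$v4" = 1 ]; then echo ipv4-only
    elif [ "$v6" = 1 ]; then echo ipv6-only
    else echo none
    fi
}

# Firewall rules mentioning port $1, from whichever stack is loaded.
firewall_rules_for_port() {
    iptables -S 2>/dev/null | grep -w -- "$1"
    nft list ruleset 2>/dev/null | grep -w -- "$1"
    return 0
}

# SNI handshake. "CONNECTED" plus "Verify return code: 0 (ok)" means network
# and chain are fine; a "connect:" error or a timeout means the ClientHello
# never got an answer, so the problem is below TLS (firewall, routing, bind).
tls_handshake() {
    timeout 10 openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>&1 |
        grep -E '^CONNECTED|connect:|subject=|issuer=|Verify return code'
}

# Constructed `ss -tuln` output for a self-test (not captured from a real host):
# port 80 is bound on IPv4 only, port 443 on IPv6 only.
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      511          0.0.0.0:80        0.0.0.0:*
tcp   LISTEN 0      511             [::]:443          [::]:*
udp   UNCONN 0      0          127.0.0.1:323       0.0.0.0:*'

main() {
    echo "== listeners on 443 =="; ss -tuln | listeners_on_port 443
    echo "== address families with a 443 listener: $(ss -tuln | listener_families 443)"
    echo "== firewall rules mentioning 443 =="; firewall_rules_for_port 443
    echo "== handshake to $HOST =="; tls_handshake "$HOST"
}

# "selftest" runs the parser on the constructed table; "run" does the live checks.
if [ "${1:-}" = selftest ]; then
    printf '%s\n' "$SAMPLE_SS" | listener_families 443    # prints: ipv6-only
elif [ "${1:-}" = run ]; then
    main
fi
```

Run it as root on the Nginx host with `sh ssl-diag.sh run`. The family check is the one most often skipped: a box that answers on `0.0.0.0:443` but has an AAAA record and no `[::]:443` listener looks fine from an IPv4-only test machine and broken from every dual-stack browser.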
When your Nginx SSL setup fails with browser timeouts while showing no errors in the logs, the request is usually not reaching nginx at all, which is exactly why the logs are empty. Confirm from outside the host that the port answers:
# First confirm SSL port accessibility
telnet yourdomain.com 443
# Or with OpenSSL (send SNI so a name-based vhost answers with the right certificate):
openssl s_client -connect yourdomain.com:443 -servername yourdomain.com -showcerts </dev/null
Beyond the basic SSL directives, check the listen and certificate lines; a mistake there is what produces a timeout or refusal instead of an error message:
server {
    listen 443 ssl http2 reuseport;       # reuseport is a performance option; set it on one listen per address:port
    listen [::]:443 ssl http2 reuseport;  # without this line clients that reach you over IPv6 are refused on 443
    # Certificate chain must be complete: leaf followed by the intermediate(s)
    ssl_certificate /srv/ssl/fullchain.pem;
    ssl_certificate_key /srv/ssl/privkey.pem;
    # Only consulted for OCSP stapling verification and client-certificate auth;
    # it does not stand in for intermediates missing from ssl_certificate
    ssl_trusted_certificate /srv/ssl/chain.pem;
    # Hardening, not a connectivity fix: enable once HTTPS works, since browsers cache it for max-age
    add_header Strict-Transport-Security "max-age=63072000" always;
}
On Debian systems, multiple firewall layers might interfere:
# Check iptables rules (nftables hosts: nft list ruleset)
iptables -L -n | grep 443
# Inspect the connection-tracking table (conntrack package): an entry for 443 proves the SYN at least reached the host
conntrack -L | grep 443
# Alternative port test: stop nginx first (it holds 443, e.g. `systemctl stop nginx`), listen with netcat,
# then connect from the client machine. Traditional netcat syntax; OpenBSD netcat takes `nc -l 443`
nc -l -p 443
Key and certificate permissions are a hardening point rather than a cause of timeouts: the nginx master process reads the private key as root at startup, so root-only access is correct, and a bad permission shows up as an `nginx -t` or startup error, never as a silent timeout:
# Correct permission setup: private key readable by root only, certificate world-readable
chmod 600 /srv/ssl/nginx.key
chown root:root /srv/ssl/nginx.key
chmod 644 /srv/ssl/nginx.pem
chown root:root /srv/ssl/nginx.pem
When logs show nothing, trace the workers' system calls; if no accept() appears while a client is connecting, the traffic is not reaching nginx and the fault is in the network path or firewall (pgrep -d, joins the worker PIDs with commas, which is the form strace -p expects):
strace -f -p "$(pgrep -d, -f "nginx: worker")" -s 1024 -e trace=network,file
For purchased StartSSL certificates, ensure proper chain ordering: leaf first, then the intermediate(s). The root is optional (clients must already have it to trust anything) and only adds bytes to every handshake:
# Create proper bundle:
cat your_domain.crt Intermediate.crt > nginx.pem
# Then verify against the root as the trust anchor, with the intermediate as untrusted chain material.
# Do not use the bundle itself as -CAfile: a trust store that contains your own certificate proves nothing
openssl verify -CAfile Root.crt -untrusted Intermediate.crt your_domain.crt
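As an added example, not from the original answer, here is a POSIX shell helper that checks bundle order mechanically instead of by eye: it splits the PEM file into certificates, extracts each subject and issuer with the OpenSSL CLI, and confirms that certificate N was issued by certificate N+1 all the way down, then verifies the leaf against a real trust anchor. The splitting and link-checking functions work on stdin and are exercised by a constructed two-block bundle embedded in the script (placeholder bodies, not real certificates); `chain_report` and `verify_leaf` need the `openssl` binary and real files, whose names here are placeholders.

```shell
#!/bin/sh
# Added chain-ordering check; not part of the original answer. The PEM splitting
# uses only grep/awk; chain_report and verify_leaf also need the OpenSSL CLI.
# Usage: sh chaincheck.sh your_domain.crt nginx.pem Root.crt   (placeholder names)

# Number of certificate blocks in a PEM bundle read from stdin.
pem_cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' || true   # grep exits 1 on zero matches
}

# Print the Nth (1-based) certificate block of a bundle read from stdin.
pem_nth_cert() {
    awk -v n="$1" '
        /-----BEGIN CERTIFICATE-----/ { i++ }
        i == n { print }
        /-----END CERTIFICATE-----/ && i == n { exit }'
}

# Read one "subject<TAB>issuer" line per certificate, in bundle order, and check
# that each certificate was issued by the one after it. Nginx sends ssl_certificate
# in file order, so the leaf must come first, then each intermediate; the root is
# optional. Prints "ok" or a description of the first broken link.
chain_links_ok() {
    awk -F'\t' '
        NR > 1 && !bad && $1 != issuer {
            printf "broken at cert %d: cert %d was issued by \"%s\" but cert %d is \"%s\"\n", NR, NR - 1, issuer, NR, $1
            bad = 1
        }
        { issuer = $2 }
        END { if (!bad) print "ok" }'
}

# Extract subject/issuer of every certificate in bundle $1 and run the link check.
chain_report() {
    n=$(pem_cert_count < "$1")
    i=1
    while [ "$i" -le "$n" ]; do
        pem_nth_cert "$i" < "$1" |
            openssl x509 -noout -subject -issuer |
            sed 's/^subject=//; s/^issuer=//' |
            paste -sd '\t' -
        i=$((i + 1))
    done | chain_links_ok
}

# Verify the leaf against a real trust anchor, using the bundle only as a source
# of intermediates. Never pass the bundle itself as -CAfile: a trust store that
# contains the leaf "trusts" it trivially and proves nothing.
verify_leaf() {   # verify_leaf leaf.crt bundle.pem root.crt
    openssl verify -CAfile "$3" -untrusted "$2" "$1"
}

# Constructed bundle for the self-test: placeholder bodies, not real certificates.
SAMPLE_BUNDLE='-----BEGIN CERTIFICATE-----
LEAF-PLACEHOLDER
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
INTERMEDIATE-PLACEHOLDER
-----END CERTIFICATE-----'

if [ "$#" -eq 3 ]; then
    chain_report "$2"
    verify_leaf "$1" "$2" "$3"
fi
```

`chain_report` answers the question the browser answers silently: whether the bytes nginx will send form a valid chain in the order sent. A swapped leaf and intermediate reports "broken at cert 2", which is the same file that `openssl verify -CAfile nginx.pem` would have happily accepted.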