I had set up my website on NGINX with LetsEncrypt for SSL. All was good until the browser refused to open the site with the error “SSL_ERROR_RX_UNEXPECTED_NEW_SESSION_TICKET” in Firefox and the vaguer “ERR_SSL_PROTOCOL_ERROR” in Chrome. If you are getting this error, here’s the solution.
I’ve used the below configuration for SSL on NGINX.
```nginx
ssl_certificate /etc/letsencrypt/live/digisparksinfotech.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/digisparksinfotech.com/privkey.pem; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
ssl_buffer_size 4k;
```
After googling, I only see a few references to this on the internet, and everyone says to change `ssl_session_tickets off` to `ssl_session_tickets on`. The default value, if you haven’t set this, is `on`, so if you never set it you need not worry: you shouldn’t get the above error message.
Add the below configuration in the SSL server block if you have only one website running under the web server. If you have many domains hosted on the same web server, then it is preferable to add it to the http{} block, so that every server block inherits the same setting.

```nginx
ssl_session_tickets on;
```
Restart the NGINX service:

```sh
systemctl restart nginx
```
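Since the advice above is to keep the directive in http{} when several domains share one server, a check worth running before the restart is whether every TLS server block ends up with the same effective `ssl_session_tickets` value. The script below is an added example, not code from this post or from nginx: it walks a constructed nginx config (hypothetical host names) with a minimal brace/semicolon tokenizer and reports the effective value per server block, flagging mixed on/off settings across virtual hosts.

```python
import re

NGINX_DEFAULT_TICKETS = "on"  # nginx issues tickets unless told otherwise

# Constructed sample: two TLS vhosts on one listener; only the first turns
# tickets off, so the second silently keeps the default "on".
SAMPLE_CONFIG = """
http {
    ssl_session_cache shared:SSL:10m;
    server {
        listen 443 ssl;
        server_name example-a.test;  # hypothetical host
        ssl_session_tickets off;
    }
    server {
        listen 443 ssl;
        server_name example-b.test;  # hypothetical host
    }
}
"""

def effective_ticket_settings(config_text):
    """Map each server_name to its effective ssl_session_tickets value."""
    # Split on braces/semicolons and keep a context stack, so a server
    # block inherits the http-level value unless it sets the directive.
    text = re.sub(r"#[^\n]*", "", config_text)  # drop comments first
    stack = [{"ctx": "main", "tickets": NGINX_DEFAULT_TICKETS, "name": None}]
    results, pending = {}, ""
    for tok in re.findall(r"[{};]|[^{};]+", text):
        tok = tok.strip()
        if tok == "{":  # open the block named by the pending word
            ctx = pending.split()[0] if pending else "?"
            stack.append({"ctx": ctx, "tickets": stack[-1]["tickets"], "name": None})
            pending = ""
        elif tok == ";":  # a directive just ended
            parts = pending.split()
            if len(parts) >= 2 and parts[0] == "ssl_session_tickets":
                stack[-1]["tickets"] = parts[1]
            elif len(parts) >= 2 and parts[0] == "server_name":
                stack[-1]["name"] = parts[1]
            pending = ""
        elif tok == "}":  # block closed: record finished server blocks
            block = stack.pop()
            if block["ctx"] == "server":
                results[block["name"] or f"server#{len(results) + 1}"] = block["tickets"]
        elif tok:
            pending = tok
    return results

def inconsistent_servers(config_text):
    """Return every server_name when the servers disagree, else []."""
    settings = effective_ticket_settings(config_text)
    return sorted(settings) if len(set(settings.values())) > 1 else []
```

Run it against `nginx -T` output to audit the whole live configuration rather than the sample.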
If you are curious, this link explains that `ssl_session_tickets` should be enabled only in conjunction with `ssl_session_cache`.
Wait, I have another site hosted on the same web server that uses a COMODO SSL certificate, and it does not seem to have this issue. So the errors “ERR_SSL_PROTOCOL_ERROR” and “SSL_ERROR_RX_UNEXPECTED_NEW_SESSION_TICKET” seem to occur on sites that use LetsEncrypt with `ssl_session_tickets off` in NGINX? Let me know your thoughts.
Sama.sama – Thank you!