Updated on March 19, 2020

I had set up my website on NGINX with LetsEncrypt for SSL. All was good until the browser refused to open the site: Firefox showed the error “SSL_ERROR_RX_UNEXPECTED_NEW_SESSION_TICKET” and Chrome showed the vaguer “ERR_SSL_PROTOCOL_ERROR”. If you are getting this error, here’s the solution.

I had used the configuration below for SSL on NGINX.

ssl_certificate /etc/letsencrypt/live/; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # TLSv1 and TLSv1.1 are deprecated; prefer TLSv1.2 (and TLSv1.3 where available)
ssl_prefer_server_ciphers on;
ssl_ecdh_curve secp384r1;
ssl_session_timeout 1d;              # how long a cached session may be resumed
ssl_session_cache shared:SSL:10m;    # server-side session cache shared across worker processes
ssl_session_tickets off;             # the directive behind the browser errors described above
ssl_stapling on;
ssl_stapling_verify on;
ssl_buffer_size 4k;

After googling, I found only a few references to this error, and all of them say to change ssl_session_tickets off to ssl_session_tickets on. The default value, if you have not set the directive at all, is on, so in that case you need not worry; you should not get the error above.

Add the directive below inside the SSL server block if only one website runs on the web server. If many domains are hosted on the same web server, it is preferable to add it to the http{} block instead.

ssl_session_tickets on;

Restart the NGINX service

systemctl restart nginx
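To show how the two steps above fit together, here is an added example of a complete layout (it is not the post’s own configuration): the session-resumption directives sit once in the http{} block so that every TLS virtual host on the same listen socket inherits the same setting. The host names and certificate paths are placeholders.

```nginx
# Added example, not the original post's config. Host names and paths are placeholders.
http {
    # Session resumption settings, declared once for all virtual hosts.
    # Keeping ssl_session_tickets identical for every server{} that shares
    # port 443 avoids one virtual host advertising tickets while another
    # has them switched off, the mismatch behind the browser errors above.
    ssl_session_cache   shared:SSL:10m;   # server-side cache shared by all workers
    ssl_session_timeout 1d;               # cached sessions stay resumable for a day
    ssl_session_tickets on;               # the fix from the post

    ssl_protocols TLSv1.2 TLSv1.3;        # TLSv1.3 needs nginx 1.13.0+ built with OpenSSL 1.1.1+
    ssl_prefer_server_ciphers on;
    ssl_stapling on;
    ssl_stapling_verify on;

    # Site 1: certificate issued by Let's Encrypt (placeholder host name).
    server {
        listen 443 ssl;
        server_name letsencrypt-site.example;
        ssl_certificate     /etc/letsencrypt/live/letsencrypt-site.example/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/letsencrypt-site.example/privkey.pem;
        ssl_dhparam         /etc/letsencrypt/ssl-dhparams.pem;
        root /var/www/letsencrypt-site;
    }

    # Site 2: certificate from another CA (placeholder host name and paths).
    server {
        listen 443 ssl;
        server_name other-site.example;
        ssl_certificate     /etc/ssl/certs/other-site.example.crt;
        ssl_certificate_key /etc/ssl/private/other-site.example.key;
        root /var/www/other-site;
    }
}
```

Run `nginx -t` before restarting so a syntax error (such as the missing semicolon that is easy to leave off the directive) is caught without taking the service down. To confirm the change took effect, connect with `openssl s_client -connect letsencrypt-site.example:443 -servername letsencrypt-site.example </dev/null` and look for a “TLS session ticket:” section in the printed session summary; it only appears when the server issued a ticket.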

If you are curious, this link explains that ssl_session_tickets should be enabled only in conjunction with ssl_session_cache.

Wait, I have another site hosted on the same web server that uses a COMODO SSL certificate, and it does not seem to have this issue. So do the errors “SSL_PROTOCOL_ERROR” and “SSL_ERROR_RX_UNEXPECTED_NEW_SESSION_TICKET” only occur on sites that use LetsEncrypt with ‘ssl_session_tickets off’ in NGINX? Let me know your thoughts.
