Description
The nginx::resource::vhost module seems to create an invalid config when rewrite_www_to_non_www is true.
I had to add the SSL parameters to resolve the error message. The error message occurs when accessing https://www.site.io and https://site.io (i.e. ssl is effectively completely broken for the site config).
Please let me know if I'm using the parameter incorrectly, I am fairly new to nginx and this module.
It looks as though the vhost_header.erb should include some ssl parameters (at least "ssl on"?) in the conf file.
version: commit 1620e18 (latest commit as of issue submission)
error message from nginx:
2015/01/04 16:42:57 [error] 11025#0: *52 no "ssl_certificate" is defined in server listening on SSL port while SSL handshaking, client: *redacted*, server: 0.0.0.0:443
puppet manifest:
```puppet
include nginx

nginx::resource::vhost { 'site.io':
  ensure                 => present,
  www_root               => '/var/www/site_io',
  ipv6_enable            => true,
  ssl                    => true,
  ssl_cert               => '/root/siteio-ca/keys/site.io.crt',
  ssl_key                => '/root/siteio-ca/keys/site.io.key',
  listen_port            => '80',
  ssl_port               => '443',
  rewrite_www_to_non_www => true,
}
```
complete nginx configuration that was generated:
```nginx
server {
  listen *:80;
  server_name www.site.io;
  return 301 http://site.io$uri;
}

server {
  listen *:80;
  listen [::]:80 default ipv6only=on;
  server_name site.io;

  index index.html index.htm index.php;
  access_log /var/log/nginx/site.io.access.log combined;
  error_log /var/log/nginx/site.io.error.log;

  location / {
    root /var/www/site_io;
  }
}

server {
  listen *:443 ssl;
  server_name www.site.io;
  return 301 https://site.io$uri;
}

server {
  listen *:443 ssl;
  listen [::]:443 ssl default ipv6only=on;
  server_name site.io;

  ssl on;
  ssl_certificate /etc/nginx/site.io.crt;
  ssl_certificate_key /etc/nginx/site.io.key;
  ssl_session_cache shared:SSL:10m;
  ssl_session_timeout 5m;
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;
  ssl_prefer_server_ciphers on;

  index index.html index.htm index.php;
  access_log /var/log/nginx/ssl-site.io.access.log combined;
  error_log /var/log/nginx/ssl-site.io.error.log;

  location / {
    root /var/www/site_io;
  }
}
```
offending snippet from above nginx conf:
```nginx
server {
  listen *:443 ssl;
  server_name www.site.io;
  return 301 https://site.io$uri;
}
```
repaired snippet from nginx conf:
```nginx
server {
  listen *:443 ssl;
  server_name www.site.io;
  return 301 https://site.io$uri;
  ssl on;
  ssl_certificate /etc/nginx/site.io.crt;
  ssl_certificate_key /etc/nginx/site.io.key;
}
```
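The defect above is easy to introduce from a template and, as the logged error shows, nginx only reported it at handshake time rather than when the configuration was loaded. The following added example (not part of the issue or of the puppet-nginx module) is a small static check that parses an nginx configuration and lists every `server` block that terminates TLS (via `listen ... ssl` or `ssl on`) but has neither an `ssl_certificate` nor an `ssl_certificate_key` in scope, honouring directives inherited from an enclosing `http` block. The sample configurations embedded in it are constructed copies of the generated and repaired snippets quoted in the issue; the parser is a minimal one written for this example and does not handle every nginx syntax feature (for instance `include` is not followed).

```python
import re

REQUIRED = ("ssl_certificate", "ssl_certificate_key")

# Constructed sample: the configuration the module generated, as quoted in the issue
# (session/cipher directives omitted for brevity).
GENERATED_CONF = """
server {
  listen *:80;
  server_name www.site.io;
  return 301 http://site.io$uri;
}
server {
  listen *:443 ssl;
  server_name www.site.io;
  return 301 https://site.io$uri;
}
server {
  listen *:443 ssl;
  listen [::]:443 ssl default ipv6only=on;
  server_name site.io;
  ssl on;
  ssl_certificate /etc/nginx/site.io.crt;
  ssl_certificate_key /etc/nginx/site.io.key;
  location / { root /var/www/site_io; }
}
"""

# Constructed sample: the repaired redirect block from the issue.
REPAIRED_CONF = """
server {
  listen *:443 ssl;
  server_name www.site.io;
  return 301 https://site.io$uri;
  ssl on;
  ssl_certificate /etc/nginx/site.io.crt;
  ssl_certificate_key /etc/nginx/site.io.key;
}
"""

def tokenize(text):
    """Split nginx config text into directive words and the structural tokens { } ;."""
    text = re.sub(r"#[^\n]*", "", text)  # drop comments
    return re.findall(r"[{};]|[^\s{};]+", text)

def parse(tokens):
    """Build a tree of (args, children) tuples; children is None for simple directives."""
    root, stack, current = [], [], []
    stack.append(root)
    for tok in tokens:
        if tok == ";":
            stack[-1].append((current, None))
            current = []
        elif tok == "{":
            block = (current, [])
            stack[-1].append(block)
            stack.append(block[1])
            current = []
        elif tok == "}":
            stack.pop()
        else:
            current.append(tok)
    return root

def _directives(children, name):
    """All simple directives called `name` directly inside a block."""
    return [args for args, kids in children if kids is None and args and args[0] == name]

def _serves_tls(children):
    """True if the block listens with the ssl flag or carries the legacy 'ssl on'."""
    if any("ssl" in args[1:] for args in _directives(children, "listen")):
        return True
    return any(args[1:] == ["on"] for args in _directives(children, "ssl"))

def find_tls_servers_without_cert(conf_text):
    """Return [(server_name, [missing directives])] for TLS server blocks lacking a certificate."""
    problems = []

    def walk(block_name, children, inherited):
        # Certificate directives set here or in an enclosing block (e.g. http) are in scope.
        present = set(inherited) | {d for d in REQUIRED if _directives(children, d)}
        if block_name == "server":
            if _serves_tls(children) and not present >= set(REQUIRED):
                names = [n for a in _directives(children, "server_name") for n in a[1:]]
                problems.append((" ".join(names) or "<unnamed>", sorted(set(REQUIRED) - present)))
            return  # nested location blocks cannot supply the certificate
        for args, kids in children:
            if kids is not None and args:
                walk(args[0], kids, present)

    walk("main", parse(tokenize(conf_text)), set())
    return problems

if __name__ == "__main__":
    for label, conf in (("generated", GENERATED_CONF), ("repaired", REPAIRED_CONF)):
        for name, missing in find_tls_servers_without_cert(conf):
            print(f"{label}: server '{name}' terminates TLS but lacks {', '.join(missing)}")
```

Run against the generated configuration it flags only the `www.site.io` redirect block on port 443; the repaired snippet passes, as does a layout where the certificate directives sit at `http` level and are inherited by the server blocks. Feeding the check the rendered output of a template (or the file Puppet manages) before reloading nginx catches this class of mistake without waiting for a client to hit the broken vhost.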