SSL issue with rewrite_www_to_non_www parameter #542

Closed
cscheib opened this issue Jan 4, 2015 · 5 comments · Fixed by #548

Comments


cscheib commented Jan 4, 2015

The nginx::resource::vhost module seems to create an invalid config when rewrite_www_to_non_www is true.

I had to add the SSL parameters to resolve the error message. The error message occurs when accessing https://www.site.io and https://site.io (i.e. ssl is effectively completely broken for the site config).

Please let me know if I'm using the parameter incorrectly; I am fairly new to nginx and this module.

It looks as though the vhost_header.erb should include some ssl parameters (at least "ssl on"?) in the conf file.

version: commit 1620e18 (latest commit as of issue submission)

error message from nginx:

2015/01/04 16:42:57 [error] 11025#0: *52 no "ssl_certificate" is defined in server listening on SSL port while SSL handshaking, client: *redacted*, server: 0.0.0.0:443

puppet manifest:

include nginx
nginx::resource::vhost { 'site.io':
  ensure                 => present,
  www_root               => '/var/www/site_io',
  ipv6_enable            => true,
  ssl                    => true,
  ssl_cert               => '/root/siteio-ca/keys/site.io.crt',
  ssl_key                => '/root/siteio-ca/keys/site.io.key',
  listen_port            => '80',
  ssl_port               => '443',
  rewrite_www_to_non_www => true,
}

complete nginx configuration that was generated:

server {
  listen       *:80;
  server_name  www.site.io;
  return       301 http://site.io$uri;
}

server {
  listen                *:80;
  listen [::]:80 default ipv6only=on;
  server_name           site.io;

  index  index.html index.htm index.php;

  access_log            /var/log/nginx/site.io.access.log combined;
  error_log             /var/log/nginx/site.io.error.log;

  location / {
    root      /var/www/site_io;
  }
}
server {
  listen       *:443 ssl;
  server_name  www.site.io;
  return       301 https://site.io$uri;
}

server {
  listen       *:443 ssl;
  listen [::]:443 ssl default ipv6only=on;
  server_name  site.io;

  ssl on;

  ssl_certificate           /etc/nginx/site.io.crt;
  ssl_certificate_key       /etc/nginx/site.io.key;
  ssl_session_cache         shared:SSL:10m;
  ssl_session_timeout       5m;
  ssl_protocols             TLSv1 TLSv1.1 TLSv1.2;
  ssl_ciphers               ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;
  ssl_prefer_server_ciphers on;

  index  index.html index.htm index.php;

  access_log            /var/log/nginx/ssl-site.io.access.log combined;
  error_log             /var/log/nginx/ssl-site.io.error.log;


  location / {
    root      /var/www/site_io;
  }
}

offending snippet from above nginx conf:

server {
  listen       *:443 ssl;
  server_name  www.site.io;
  return       301 https://site.io$uri;
}

repaired snippet from nginx conf:

server {
  listen       *:443 ssl;
  server_name  www.site.io;
  return       301 https://site.io$uri;
  ssl on;
  ssl_certificate           /etc/nginx/site.io.crt;
  ssl_certificate_key       /etc/nginx/site.io.key;
}
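The failure above comes from a server block that accepts TLS on port 443 but carries no certificate; nginx accepted the file and only complained at handshake time, in the error log line quoted earlier. What follows is an added example, not code from puppet-nginx or from this issue: a small Python check that parses nginx config text with a hand-written tokenizer (assumed grammar: directives terminated by `;`, blocks in `{ }`, `#` comments) and flags every server block that listens with the `ssl` parameter, or sets `ssl on`, without both ssl_certificate and ssl_certificate_key visible in the block or an enclosing context. It goes beyond the snippet in the issue by honouring inheritance from an http { } block. The sample configs are constructed from the generated config quoted above.

```python
import re

# Tokens: a comment (dropped), one of { } ;, a quoted string, or a bare word.
_TOKEN_RE = re.compile(r'#[^\n]*|[{};]|"[^"]*"|\'[^\']*\'|[^\s{};"\'#]+')
CERT_DIRECTIVES = ('ssl_certificate', 'ssl_certificate_key')


def tokenize(text):
    return [t for t in _TOKEN_RE.findall(text) if not t.startswith('#')]


def parse(tokens, i=0):
    """Parse tokens into directives {'name', 'args', 'block'}; 'block' is a
    nested list for `name args { ... }` and None for `name args;`."""
    directives = []
    while i < len(tokens):
        if tokens[i] == '}':
            return directives, i + 1
        name, i, args = tokens[i], i + 1, []
        while i < len(tokens) and tokens[i] not in ('{', ';', '}'):
            args.append(tokens[i])
            i += 1
        block = None
        if i < len(tokens) and tokens[i] == '{':
            block, i = parse(tokens, i + 1)
        elif i < len(tokens) and tokens[i] == ';':
            i += 1
        directives.append({'name': name, 'args': args, 'block': block})
    return directives, i


def _certs_at(directives, inherited):
    """Certificate directives visible at this level: inherited plus local."""
    here = dict(inherited)
    for d in directives:
        if d['name'] in CERT_DIRECTIVES and d['block'] is None:
            here[d['name']] = ' '.join(d['args'])
    return here


def find_tls_servers_without_cert(config_text):
    """One finding per server block that terminates TLS (`listen ... ssl` or
    `ssl on`) but lacks a certificate locally and in every enclosing context."""
    findings = []

    def check_server(block, inherited):
        names, tls_listens, ssl_on = [], [], False
        for d in block:
            if d['name'] == 'server_name':
                names.extend(d['args'])
            elif d['name'] == 'listen' and 'ssl' in d['args']:
                tls_listens.append(' '.join(d['args']))
            elif d['name'] == 'ssl' and d['args'] == ['on']:
                ssl_on = True
        if not tls_listens and not ssl_on:
            return  # plain-HTTP server block: nothing to check
        have = _certs_at(block, inherited)
        missing = [k for k in CERT_DIRECTIVES if k not in have]
        if missing:
            findings.append({'server_name': names, 'listen': tls_listens,
                             'missing': missing})

    def walk(directives, inherited):
        here = _certs_at(directives, inherited)
        for d in directives:
            if d['block'] is None:
                continue
            if d['name'] == 'server':
                check_server(d['block'], here)
            else:
                walk(d['block'], here)  # http { ... } and similar wrappers

    walk(parse(tokenize(config_text))[0], {})
    return findings


# Constructed sample modelled on the config quoted in this issue.
OFFENDING = """
server {
  listen       *:443 ssl;
  server_name  www.site.io;
  return       301 https://site.io$uri;
}
server {
  listen       *:443 ssl;
  server_name  site.io;
  ssl on;
  ssl_certificate     /etc/nginx/site.io.crt;
  ssl_certificate_key /etc/nginx/site.io.key;
  location / { root /var/www/site_io; }
}
"""
# Same config with the certificate added to the redirect block, as in the fix.
REPAIRED = OFFENDING.replace(
    "server_name  www.site.io;",
    "server_name  www.site.io;\n  ssl_certificate     /etc/nginx/site.io.crt;"
    "\n  ssl_certificate_key /etc/nginx/site.io.key;", 1)
# Certificate declared once at http level and inherited by both servers.
INHERITED = ("http {\n  ssl_certificate     /etc/nginx/site.io.crt;\n"
             "  ssl_certificate_key /etc/nginx/site.io.key;\n" + OFFENDING + "}\n")

if __name__ == '__main__':
    for label, cfg in (('offending', OFFENDING), ('repaired', REPAIRED), ('inherited', INHERITED)):
        print(label, find_tls_servers_without_cert(cfg))
```

Run over the generated vhost file, this reports only the www.site.io redirect block and is silent for the repaired config and for a config that sets the certificate once under http { }. One caveat the fix itself does not cover: a redirect-only block on 443 still needs a certificate whose names cover www.site.io as well as site.io, otherwise the handshake succeeds but browsers warn on the name mismatch before they ever see the 301.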
cscheib added a commit to cscheib/puppet-nginx that referenced this issue Jan 4, 2015
joehillen added a commit to joehillen/puppet-nginx that referenced this issue Jan 15, 2015
joehillen (Contributor) commented

I think my fix is more complete/modular.


cscheib commented Jan 15, 2015

@joehillen Agreed, it's probably the right way to go (I only made a quick fix)... but it appears to be failing the Travis CI build... Have you verified valid output? You may need to fix the spec test.

joehillen (Contributor) commented

I tested it. If you look at the test error, the spec is wrong, but I don't know rspec, so I don't immediately know how to fix it.


cscheib commented Jan 15, 2015

I don't know it either, unfortunately, or I would have likely fixed it already. I may have time to learn and mess with it another day, but I'm working on other projects the next couple days.


paul91 commented Mar 30, 2015

Currently experiencing this issue with release 0.2.2

3flex mentioned this issue Apr 10, 2015
joehillen added a commit to joehillen/puppet-nginx that referenced this issue May 7, 2015
3flex closed this as completed in #548 May 7, 2015
cegeka-jenkins pushed a commit to cegeka/puppet-nginx that referenced this issue Oct 23, 2017
Slm0n87 pushed a commit to Slm0n87/puppet-nginx that referenced this issue Mar 7, 2019