Unable to establish SSL connection

[indapublic]

Hi! I need help.

I have staging with 3 subdomains. Each domain have this configuration:

version: '2'

services:
    nginx:
        build:
            context: ./docker/nginx
            args:
                DOMAIN: $DOMAIN
        ports:
            - $PORT:80
        environment:
            - VIRTUAL_HOST=$DOMAIN
            - VIRTUAL_PORT=$PORT
            - LETSENCRYPT_HOST=$DOMAIN
            - LETSENCRYPT_EMAIL=mymail

networks:
    default:
        external:
            name: nginx-proxy

All domains is working well, opened on each port.

Nginx proxy configuration:

version: '2'

services:
    nginx-proxy:
        image: jwilder/nginx-proxy
        ports:
            - "80:80"
            - "443:443"
        volumes:
            - conf:/etc/nginx/conf.d
            - vhost:/etc/nginx/vhost.d
            - html:/usr/share/nginx/html
            - dhparam:/etc/nginx/dhparam
            - certs:/etc/nginx/certs:ro
            - /var/run/docker.sock:/tmp/docker.sock:ro

    letsencrypt:
        image: jrcs/letsencrypt-nginx-proxy-companion
        container_name: nginx-proxy-le
        volumes_from:
            - nginx-proxy
        volumes:
            - certs:/etc/nginx/certs:rw
            - /var/run/docker.sock:/var/run/docker.sock:ro

volumes:
    conf:
    vhost:
    html:
    dhparam:
    certs:

networks:
    default:
        external:
            name: nginx-proxy

Nginx proxy logs:

docker logs nginx-proxy-le
Generating a RSA private key
.........................................++++
.........++++
writing new private key to '/etc/nginx/certs/default.key.new'
-----
Info: a default key and certificate have been created at /etc/nginx/certs/default.key and /etc/nginx/certs/default.crt.
Info: Creating Diffie-Hellman group in the background.
A pre-generated Diffie-Hellman group will be used for now while the new one
is being created.
Generating DH parameters, 2048 bit long safe prime, generator 2
Reloading nginx proxy (5bf5d1e6e9246575b33d13a95e6c246b3072ccbc302a92efb6b2a5b1d4d2cc7e)...
2019/06/23 13:55:26 Generated '/etc/nginx/conf.d/default.conf' from 5 containers
2019/06/23 13:55:26 [notice] 66#66: signal process started
2019/06/23 13:55:26 Generated '/app/letsencrypt_service_data' from 5 containers
2019/06/23 13:55:26 Running '/app/signal_le_service'
2019/06/23 13:55:26 Watching docker events
2019/06/23 13:55:26 Contents of /app/letsencrypt_service_data did not change. Skipping notification '/app/signal_le_service'
/etc/nginx/certs/test1.mywebsite.com /app
Reloading nginx proxy (5bf5d1e6e9246575b33d13a95e6c246b3072ccbc302a92efb6b2a5b1d4d2cc7e)...
2019/06/23 13:55:27 Generated '/etc/nginx/conf.d/default.conf' from 5 containers
2019/06/23 13:55:27 [notice] 91#91: signal process started
Creating/renewal test1.mywebsite.com certificates... (test1.mywebsite.com)
2019-06-23 13:55:28,816:INFO:simp_le:1382: Generating new account key
2019-06-23 13:55:30,500:INFO:simp_le:1407: By using simp_le, you implicitly agree to the CA's terms of service: https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf
2019-06-23 13:55:31,388:INFO:simp_le:1479: Generating new certificate private key
2019-06-23 13:55:34,033:INFO:simp_le:360: Saving account_key.json
2019-06-23 13:55:34,034:INFO:simp_le:360: Saving key.pem
2019-06-23 13:55:34,034:INFO:simp_le:360: Saving chain.pem
2019-06-23 13:55:34,035:INFO:simp_le:360: Saving fullchain.pem
2019-06-23 13:55:34,035:INFO:simp_le:360: Saving cert.pem
/app
/etc/nginx/certs/test2.mywebsite.com /app
Creating/renewal test2.mywebsite.com certificates... (test2.mywebsite.com)
2019-06-23 13:55:37,375:INFO:simp_le:1479: Generating new certificate private key
2019-06-23 13:55:40,026:INFO:simp_le:360: Saving key.pem
2019-06-23 13:55:40,027:INFO:simp_le:360: Saving chain.pem
2019-06-23 13:55:40,028:INFO:simp_le:360: Saving fullchain.pem
2019-06-23 13:55:40,028:INFO:simp_le:360: Saving cert.pem
/app
/etc/nginx/certs/test3.mywebsite.com /app
Creating/renewal test3.mywebsite.com certificates... (test3.mywebsite.com)
2019-06-23 13:55:43,003:INFO:simp_le:1479: Generating new certificate private key
2019-06-23 13:55:45,103:INFO:simp_le:360: Saving key.pem
2019-06-23 13:55:45,105:INFO:simp_le:360: Saving chain.pem
2019-06-23 13:55:45,106:INFO:simp_le:360: Saving fullchain.pem
2019-06-23 13:55:45,106:INFO:simp_le:360: Saving cert.pem
/app
Reloading nginx proxy (5bf5d1e6e9246575b33d13a95e6c246b3072ccbc302a92efb6b2a5b1d4d2cc7e)...
2019/06/23 13:55:46 Generated '/etc/nginx/conf.d/default.conf' from 5 containers
2019/06/23 13:55:46 [notice] 116#116: signal process started
Sleep for 3600s
This is going to take a long time
Info: Diffie-Hellman group creation complete, reloading nginx.
Reloading nginx proxy (5bf5d1e6e9246575b33d13a95e6c246b3072ccbc302a92efb6b2a5b1d4d2cc7e)...
2019/06/23 13:56:41 Contents of /etc/nginx/conf.d/default.conf did not change. Skipping notification ''
2019/06/23 13:56:41 [notice] 145#145: signal process started

Seems ok for me, isn’t it?

But SSL is not working.

wget http://test2.mywebsite.com
--2019-06-24 00:09:40-- http://test2.mywebsite.com/
Resolving test2.mywebsite.com (test2.mywebsite.com)... 95.217.12.121
Connecting to test2.mywebsite.com (test2.mywebsite.com)|95.217.12.121|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://test2.mywebsite.com/ [following]
--2019-06-24 00:09:40-- https://test2.mywebsite.com/
Connecting to test2.mywebsite.com (test2.mywebsite.com)|95.217.12.121|:443... connected.
Unable to establish SSL connection.

wget https://test2.mywebsite.com
--2019-06-24 00:09:48-- https://test2.mywebsite.com/
Resolving test2.mywebsite.com (test2.mywebsite.com)... 95.217.12.121
Connecting to test2.mywebsite.com (test2.mywebsite.com)|95.217.12.121|:443... connected.
Unable to establish SSL connection.

nginx-proxy only is working ok

services:
    nginx-proxy:
        image: jwilder/nginx-proxy
        ports:
            - "80:80"
        volumes:
            - /var/run/docker.sock:/tmp/docker.sock:ro

networks:
    default:
        external:
            name: nginx-proxy

[indapublic]

Anyone?

[buchdag]

Hi. Could you share nginx-proxy log output when SSL isn't working ?

[indapublic]

Thank for reply, @buchdag

Attaching to nginx-proxy-le, nginx-proxy_nginx-proxy_1
nginx-proxy_1  | Custom dhparam.pem file found, generation skipped
nginx-proxy_1  | forego     | starting dockergen.1 on port 5000
nginx-proxy_1  | forego     | starting nginx.1 on port 5100
nginx-proxy_1  | dockergen.1 | 2019/06/30 11:17:30 Generated '/etc/nginx/conf.d/default.conf' from 4 containers
nginx-proxy_1  | dockergen.1 | 2019/06/30 11:17:30 Running 'nginx -s reload'
nginx-proxy_1  | dockergen.1 | 2019/06/30 11:17:30 Watching docker events
nginx-proxy_1  | dockergen.1 | 2019/06/30 11:17:31 Contents of /etc/nginx/conf.d/default.conf did not change. Skipping notification 'nginx -s reload'
nginx-proxy_1  | dockergen.1 | 2019/06/30 11:17:31 Contents of /etc/nginx/conf.d/default.conf did not change. Skipping notification 'nginx -s reload'
nginx-proxy_1  | nginx.1    | test1.website.com 109.126.20.82 - - [30/Jun/2019:11:17:39 +0000] "GET / HTTP/1.1" 301 185 "-" "Wget/1.20.3 (darwin18.6.0)"
nginx-proxy_1  | nginx.1    | 95.217.12.121 85.28.195.250 - - [30/Jun/2019:11:17:56 +0000] "GET / HTTP/1.1" 503 615 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"
nginx-proxy_1  | nginx.1    | 95.217.12.121 185.27.128.50 - - [30/Jun/2019:11:18:06 +0000] "GET / HTTP/1.1" 503 615 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36"
nginx-proxy-le | Info: Custom Diffie-Hellman group found, generation skipped.
nginx-proxy-le | Reloading nginx proxy (2809d5b8590d52e36e3d3d862f0f8088fbe04349547824775fe51a6d1c646495)...
nginx-proxy-le | 2019/06/30 11:17:33 Contents of /etc/nginx/conf.d/default.conf did not change. Skipping notification ''
nginx-proxy-le | 2019/06/30 11:17:33 [notice] 62#62: signal process started
nginx-proxy-le | 2019/06/30 11:17:33 Generated '/app/letsencrypt_service_data' from 5 containers
nginx-proxy-le | 2019/06/30 11:17:33 Running '/app/signal_le_service'
nginx-proxy-le | 2019/06/30 11:17:33 Watching docker events
nginx-proxy-le | 2019/06/30 11:17:33 Contents of /app/letsencrypt_service_data did not change. Skipping notification '/app/signal_le_service'
nginx-proxy-le | /etc/nginx/certs/test1.website.com /app
nginx-proxy-le | Creating/renewal test1.website.com certificates... (test1.website.com)
nginx-proxy-le | 2019-06-30 11:17:34,904:INFO:simp_le:1564: Certificates already exist and renewal is not necessary, exiting with status code 1.
nginx-proxy-le | /app
nginx-proxy-le | /etc/nginx/certs/test2.website.com /app
nginx-proxy-le | Creating/renewal test2.website.com certificates... (test2.website.com)
nginx-proxy-le | 2019-06-30 11:17:36,254:INFO:simp_le:1564: Certificates already exist and renewal is not necessary, exiting with status code 1.
nginx-proxy-le | /app
nginx-proxy-le | /etc/nginx/certs/test3.website.com /app
nginx-proxy-le | Creating/renewal test3.website.com certificates... (test3.website.com)
nginx-proxy-le | 2019-06-30 11:17:37,588:INFO:simp_le:1564: Certificates already exist and renewal is not necessary, exiting with status code 1.
nginx-proxy-le | /app
nginx-proxy-le | Sleep for 3600s

[buchdag]

Could you try to reach your subdomains over http and https and post what happens in the logs when you do ?

[indapublic]

@buchdag Nothing. Sleep for 3600s is last line in logs

[buchdag]

Could you try removing the config parts that use $PORT from your compose files ?

[indapublic]

@buchdag So I shouldn't expose any ports?

[buchdag]

Port 80 is already exposed by nginx Dockerfile, so no.

By the way - $PORT:80 does not only expose port 80 of your container but also publish it to port $PORT of the host, not of the container.

[indapublic]

It's okay for me, I wanted to test those containers without nginx-proxy.
Ok, I will try today later without port exposing

[buchdag]

I think that the issue is probably more with - VIRTUAL_PORT=$PORT because that instruct nginx-proxy to reach the container on a port that isn't actually exposed on it.

[indapublic]

@buchdag, removed exposed ports and VIRTUAL_PORT from clients.

So client config is:

version: '2'

services:
    nginx:
        build:
            context: ./docker/nginx
            args:
                DOMAIN: $DOMAIN
        environment:
            - VIRTUAL_HOST=$DOMAIN
            - LETSENCRYPT_HOST=$DOMAIN
            - LETSENCRYPT_EMAIL=mymail
        
networks:
    default:
        external:
            name: nginx-proxy

docker-compose logs:

Attaching to nginx-proxy-le, nginx-proxy_nginx-proxy_1
nginx-proxy_1  | Custom dhparam.pem file found, generation skipped
nginx-proxy_1  | forego     | starting dockergen.1 on port 5000
nginx-proxy_1  | forego     | starting nginx.1 on port 5100
nginx-proxy_1  | dockergen.1 | 2019/07/01 13:10:41 Contents of /etc/nginx/conf.d/default.conf did not change. Skipping notification 'nginx -s reload'
nginx-proxy_1  | dockergen.1 | 2019/07/01 13:10:41 Watching docker events
nginx-proxy_1  | dockergen.1 | 2019/07/01 13:10:41 Error inspecting container: e6cc73f5275431ad1b111a351aa1a70f0e82111ded359dfffe64d32cd222a88f: No such container: e6cc73f5275431ad1b111a351aa1a70f0e82111ded359dfffe64d32cd222a88f
nginx-proxy_1  | dockergen.1 | 2019/07/01 13:10:41 Contents of /etc/nginx/conf.d/default.conf did not change. Skipping notification 'nginx -s reload'
nginx-proxy_1  | dockergen.1 | 2019/07/01 13:10:43 Received event start for container e6cc73f52754
nginx-proxy_1  | dockergen.1 | 2019/07/01 13:10:43 Contents of /etc/nginx/conf.d/default.conf did not change. Skipping notification 'nginx -s reload'
nginx-proxy-le | Info: Custom Diffie-Hellman group found, generation skipped.
nginx-proxy-le | Reloading nginx proxy (4f76f985bf4ccd87d4d8d738ce781ece089ff4bc64591e64f80d7371d24121ce)...
nginx-proxy-le | 2019/07/01 13:10:44 Contents of /etc/nginx/conf.d/default.conf did not change. Skipping notification ''
nginx-proxy-le | 2019/07/01 13:10:44 [notice] 58#58: signal process started
nginx-proxy-le | 2019/07/01 13:10:44 Generated '/app/letsencrypt_service_data' from 5 containers
nginx-proxy-le | 2019/07/01 13:10:44 Running '/app/signal_le_service'
nginx-proxy-le | 2019/07/01 13:10:44 Watching docker events
nginx-proxy-le | 2019/07/01 13:10:44 Contents of /app/letsencrypt_service_data did not change. Skipping notification '/app/signal_le_service'
nginx-proxy-le | /etc/nginx/certs/test1.mywebsite.com /app
nginx-proxy-le | Reloading nginx proxy (4f76f985bf4ccd87d4d8d738ce781ece089ff4bc64591e64f80d7371d24121ce)...
nginx-proxy-le | 2019/07/01 13:10:45 Contents of /etc/nginx/conf.d/default.conf did not change. Skipping notification ''
nginx-proxy-le | 2019/07/01 13:10:45 [notice] 81#81: signal process started
nginx-proxy-le | Creating/renewal test1.mywebsite.com certificates... (test1.mywebsite.com)
nginx-proxy-le | 2019-07-01 13:10:46,787:INFO:simp_le:1564: Certificates already exist and renewal is not necessary, exiting with status code 1.
nginx-proxy-le | /app
nginx-proxy-le | /etc/nginx/certs/test2.mywebsite.com /app
nginx-proxy-le | Creating/renewal test2.mywebsite.com certificates... (test2.mywebsite.com)

[buchdag]

And does it work now, can you access testn.mywebsite.com over https ?

[indapublic]

@buchdag Unfortunately no

[indapublic]

nginx-proxy_1 | dockergen.1 | 2019/07/01 13:10:41 Error inspecting container: e6cc73f5275431ad1b111a351aa1a70f0e82111ded359dfffe64d32cd222a88f: No such container: e6cc73f5275431ad1b111a351aa1a70f0e82111ded359dfffe64d32cd222a88f

Is it okay?

[buchdag]

Nope, it means that docker-gen was unable to inspect a container, but without knowing which container it is, I can't tell you if this is related to your issue or not.

Could you dump the content of /etc/nginx/conf.d/default.config once everything (nginx-proxy, companion, subdomains containers) is up ?

[indapublic]

Cannot reproduce Error inspecting container anymore.

docker-compose logs

Attaching to nginx-proxy-le, nginx-proxy_nginx-proxy_1
nginx-proxy_1 | Custom dhparam.pem file found, generation skipped
nginx-proxy_1 | forego | starting dockergen.1 on port 5000
nginx-proxy_1 | forego | starting nginx.1 on port 5100
nginx-proxy_1 | dockergen.1 | 2019/07/07 00:00:24 Generated '/etc/nginx/conf.d/default.conf' from 2 containers
nginx-proxy_1 | dockergen.1 | 2019/07/07 00:00:24 Watching docker events
nginx-proxy_1 | dockergen.1 | 2019/07/07 00:00:24 Contents of /etc/nginx/conf.d/default.conf did not change. Skipping notification 'nginx -s reload'
nginx-proxy_1 | dockergen.1 | 2019/07/07 00:00:25 Received event start for container fc2fe94924e7
nginx-proxy_1 | dockergen.1 | 2019/07/07 00:00:25 Contents of /etc/nginx/conf.d/default.conf did not change. Skipping notification 'nginx -s reload'
nginx-proxy_1 | nginx.1 | test1.mywebsite.com 37.8.156.115 - - [07/Jul/2019:00:00:29 +0000] "GET / HTTP/1.1" 301 185 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3845.0 Safari/537.36"
nginx-proxy_1 | nginx.1 | 95.217.12.121 82.114.3.221 - - [07/Jul/2019:00:01:24 +0000] "GET / HTTP/1.1" 503 615 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"
nginx-proxy-le | Info: Custom Diffie-Hellman group found, generation skipped.
nginx-proxy-le | Reloading nginx proxy (68c055c24ca2c88ba831bdf1a1710bb22756a92382c996c868db1db1cdb3edd4)...
nginx-proxy-le | 2019/07/07 00:00:27 Contents of /etc/nginx/conf.d/default.conf did not change. Skipping notification ''
nginx-proxy-le | 2019/07/07 00:00:27 [notice] 63#63: signal process started
nginx-proxy-le | 2019/07/07 00:00:27 Generated '/app/letsencrypt_service_data' from 3 containers
nginx-proxy-le | 2019/07/07 00:00:27 Running '/app/signal_le_service'
nginx-proxy-le | 2019/07/07 00:00:27 Watching docker events
nginx-proxy-le | 2019/07/07 00:00:27 Contents of /app/letsencrypt_service_data did not change. Skipping notification '/app/signal_le_service'
nginx-proxy-le | /etc/nginx/certs/test1.mywebsite.com /app
nginx-proxy-le | Reloading nginx proxy (68c055c24ca2c88ba831bdf1a1710bb22756a92382c996c868db1db1cdb3edd4)...
nginx-proxy-le | 2019/07/07 00:00:28 Contents of /etc/nginx/conf.d/default.conf did not change. Skipping notification ''
nginx-proxy-le | 2019/07/07 00:00:28 [notice] 88#88: signal process started
nginx-proxy-le | Creating/renewal test1.mywebsite.com certificates... (test1.mywebsite.com)
nginx-proxy-le | 2019-07-07 00:00:29,935:INFO:simp_le:1564: Certificates already exist and renewal is not necessary, exiting with status code 1.
nginx-proxy-le | /app
nginx-proxy-le | Sleep for 3600s

[indapublic]

/etc/nginx/conf.d/default.config

# If we receive X-Forwarded-Proto, pass it through; otherwise, pass along the
# scheme used to connect to this server
map $http_x_forwarded_proto $proxy_x_forwarded_proto {
  default $http_x_forwarded_proto;
  ''      $scheme;
}
# If we receive X-Forwarded-Port, pass it through; otherwise, pass along the
# server port the client connected to
map $http_x_forwarded_port $proxy_x_forwarded_port {
  default $http_x_forwarded_port;
  ''      $server_port;
}
# If we receive Upgrade, set Connection to "upgrade"; otherwise, delete any
# Connection header that may have been passed to this server
map $http_upgrade $proxy_connection {
  default upgrade;
  '' close;
}
# Apply fix for very long server names
server_names_hash_bucket_size 128;
# Default dhparam
ssl_dhparam /etc/nginx/dhparam/dhparam.pem;
# Set appropriate X-Forwarded-Ssl header
map $scheme $proxy_x_forwarded_ssl {
  default off;
  https on;
}
gzip_types text/plain text/css application/javascript application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
log_format vhost '$host $remote_addr - $remote_user [$time_local] '
                 '"$request" $status $body_bytes_sent '
                 '"$http_referer" "$http_user_agent"';
access_log off;
resolver 127.0.0.11;
# HTTP 1.1 support
proxy_http_version 1.1;
proxy_buffering off;
proxy_set_header Host $http_host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $proxy_connection;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
proxy_set_header X-Forwarded-Ssl $proxy_x_forwarded_ssl;
proxy_set_header X-Forwarded-Port $proxy_x_forwarded_port;
# Mitigate httpoxy attack (see README for details)
proxy_set_header Proxy "";
server {
	server_name _; # This is just an invalid value which will never trigger on a real hostname.
	listen 80;
	access_log /var/log/nginx/access.log vhost;
	return 503;
}
server {
	server_name _; # This is just an invalid value which will never trigger on a real hostname.
	listen 443 ssl http2;
	access_log /var/log/nginx/access.log vhost;
	return 503;
	ssl_session_tickets off;
	ssl_certificate /etc/nginx/certs/default.crt;
	ssl_certificate_key /etc/nginx/certs/default.key;
}
# test1.mywebsite.com
upstream test1.mywebsite.com {
				## Can be connected with "nginx-proxy" network
			# test1_nginx_1
			server 172.26.0.2:80;
}
server {
	server_name test1.mywebsite.com;
	listen 80 ;
	access_log /var/log/nginx/access.log vhost;
	return 301 https://$host$request_uri;
}
server {
	server_name test1.mywebsite.com;
	listen 443 ssl http2 ;
	access_log /var/log/nginx/access.log vhost;
	ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
	ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS';
	ssl_prefer_server_ciphers on;
	ssl_session_timeout 5m;
	ssl_session_cache shared:SSL:50m;
	ssl_session_tickets off;
	ssl_certificate /etc/nginx/certs/test1.mywebsite.com.crt;
	ssl_certificate_key /etc/nginx/certs/test1.mywebsite.com.key;
	ssl_dhparam /etc/nginx/certs/test1.mywebsite.com.dhparam.pem;
	ssl_stapling on;
	ssl_stapling_verify on;
	ssl_trusted_certificate /etc/nginx/certs/test1.mywebsite.com.chain.pem;
	add_header Strict-Transport-Security "max-age=31536000" always;
	include /etc/nginx/vhost.d/default;
	location / {
		proxy_pass http://test1.mywebsite.com;
	}
}

[buchdag]

Seems to me that letsencrypt-nginx-proxy-companion is doing its work and that the issue comes from elsewhere : the certificates are correctly generated, are picked up by docker-gen and are included in nginx configuration.

Are you certain your host's port 443 is accessible from the outside ?

Can you curl https://test1.mywebsite.com from the host itself ?

[indapublic]

Oh! Works. There was a classic nginx with a Lets Encrypt and there were no problems, so I didn’t even think to look there.
It’s weird.
But many thanks to you for help!

[buchdag]

@indapublic can I close the issue ?

[indapublic]

Sure. Closing

[indapublic]

Just investigated that website is not opened while Cloudflare switcher is turn off.

After turning on all works.