[nginx/php-fpm] curl: (56) SSLRead() return error -9806: how we fixed it

tl;dr: Back up /etc/nginx, uninstall nginx, install the latest version of nginx, restore your /etc/nginx backup.

Recently our own site was experiencing SSL connection issues. We first noticed it in Safari when connecting to sononaco.com and another site we host on the same server, both using SSLs. Oddly enough, another site hosted on the same server with a free LetsEncrypt SSL which was registered the same day was not having this problem.

Safari gives a very unhelpful “the server may be too busy” BS error message. Firefox and Chrome, however, were not showing any problems until we tried to publish a post in Firefox and we got a screen saying the connection had dropped unexpectedly due an SSL issue.

…so we turned to the terminal and typed:

curl -I https://sononaco.com

Which resulted in:

curl: (56) SSLRead() return error -9806

We tried the same thing with the other site:

curl -I https://roaringriotpodcast.com

Again,

curl: (56) SSLRead() return error -9806

Then we tried the most recent:

curl -I https://blueshotmedia.com
And we got:
HTTP/1.1 200 OK
Server: nginx/1.10.2
Date: Tue, 13 Jun 2017 14:21:08 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/7.0.19
Link: <https://blueshotmedia.com/?rest_route=/>; rel="https://api.w.org/"
Link: <https://wp.me/P8PLln-i>; rel=shortlink

A good thing!

This tells us it’s something to do with the way nginx handles the SSLs. While the SSL on roaringriotpodcast.com is also a LetsEncypt cert the one on Sononaco is a commercial certificate so it’s not the certificate issuer.

And BTW – the reason for this blog post is because a solution to this problem is not covered anywhere else on the web that we could find. I’m sure it is and someone will be happy to let me know about it in the comments.

We also looked at PHP core dumps but this wasn’t the case, especially since PHP doesn’t give a flip about which port the web server listens on. Everything pointed to nginx.

We did a bit more investigating and found that the repo we installed nginx from (Webtatic) is no longer responding so there were no updates to the software to be gained from that repo.

We took the drastic step of uninstalling nginx and reinstalling it. Since we are using CentOS it’s simple. First, check the version of nginx you are running:

rpm -qa | grep nginx

We were running nginx 1.6 or, nginx16 as yum sees it. Installing it and reinstalling it is quick and easy:

  1. Back up the nginx configuration files in /etc/nginx:
    cp -Rp /etc/nginx /etc/nginx.bak
  2. Uninstall nginx 1.6:
    yum remove nginx16
  3. Install the latest version of nginx- this presented us with several more nginx packages than the Webtatic repo provided:
    yum install nginx
  4. After installation is complete make a backup of the new nginx config:
    mv /etc/nginx /etc/nginx-reinstall
  5. And restore your backup (nginx config files are typically cross-version compatible but YMMV):
    mv /etc/nginx.bak /etc/nginx
  6. Run a test to make sure nginx likes your config:
    nginx -t

    or

    /etc/init.d/nginx configtest
  7. Finally, kick nginx (restart it):
    /etc/init.d/nginx restart

    or, if on CentOS 7:

    systemctl restart nginx.service

And bam, your site will now load in Safari and CURL will no longer complain about it!

Leave a Comment