Trellis: unknown directive "ssl_reject_handshake"

Follow up to this post: @swalkinshaw I’ve given your latest a whirl (#1415), thanks for getting that up so quickly! We’ve hit an issue with the version of nginx now, so just reporting that for the benefit of others:

non-zero return code
nginx: [emerg] unknown directive "ssl_reject_handshake" in /etc/nginx/sites-
nginx: configuration file /etc/nginx/nginx.conf test failed

ssl_reject_handshake was introduced in nginx 1.19.4 and re-provisioning an already provisioned server won’t update that for you. I was fortunate enough to try on a server with 1.19.3. So close.

For those looking where to go from here: see this thread on server updates.

:sweat: this is why backwards compatibility with Trellis is hard… generally we’d prefer people to just re-create new servers instead of applying small updates to existing ones. But I also completely understand why that’s harder (or less realistic) in many cases.

1.19.4 was released almost 2 years ago, but as you mentioned, Trellis won’t auto-upgrade installed packages.

You can use apt-get install --only-upgrade nginx to only upgrade Nginx.

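A pre-flight check for the version requirement discussed above, as an added example that is not part of the original thread or of Trellis. The function names are hypothetical and the banners are constructed samples in the format `nginx -v` prints; on a real server, pass in the output of `nginx -v 2>&1`.

```sh
#!/bin/sh
# Added example: decide from an `nginx -v` banner whether the installed nginx
# understands ssl_reject_handshake (introduced in 1.19.4, per the thread).
MIN_VERSION="1.19.4"

# Print "X.Y.Z" from a banner such as "nginx version: nginx/1.18.0 (Ubuntu)".
# Prints nothing when no version is present.
nginx_version_from_banner() {
  printf '%s\n' "$1" |
    sed -n 's|.*nginx/\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*|\1|p'
}

# Return 0 when dotted version $1 >= $2, comparing field by field as numbers
# (so 1.19.10 sorts above 1.19.4, which a plain string compare gets wrong).
version_ge() {
  _a=$1 _b=$2
  while [ -n "$_a" ] || [ -n "$_b" ]; do
    _x=${_a%%.*}; _y=${_b%%.*}
    [ "${_x:-0}" -gt "${_y:-0}" ] && return 0
    [ "${_x:-0}" -lt "${_y:-0}" ] && return 1
    case $_a in *.*) _a=${_a#*.} ;; *) _a= ;; esac
    case $_b in *.*) _b=${_b#*.} ;; *) _b= ;; esac
  done
  return 0
}

# 0 = directive supported, 1 = nginx too old, 2 = banner could not be parsed.
supports_ssl_reject_handshake() {
  _v=$(nginx_version_from_banner "$1")
  [ -n "$_v" ] || return 2
  version_ge "$_v" "$MIN_VERSION"
}

# Constructed sample banners (versions 1.17.3, 1.19.3 and 1.23.1 appear in the thread).
for banner in "nginx version: nginx/1.17.3" "nginx version: nginx/1.19.3" \
              "nginx version: nginx/1.19.4" "nginx version: nginx/1.23.1" \
              "nginx version: nginx/1.18.0 (Ubuntu)" "not an nginx banner"; do
  rc=0
  supports_ssl_reject_handshake "$banner" || rc=$?
  case $rc in
    0) echo "ok:        $banner" ;;
    1) echo "too old:   $banner (upgrade nginx before re-provisioning)" ;;
    *) echo "unparsed:  $banner" ;;
  esac
done
```

Running this before re-provisioning an existing server shows up front whether `nginx -t` would reject the new configuration.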

I hear you. You guys have done awesome things and it’s definitely not an expectation that you’ll find all the niggles. That’s where the community steps up to help out.

Big love from a small dev team Down Under :pray: :muscle:


So I am now getting the same issue on Ubuntu 18.04 running Nginx 1.17.3:

Provisioning a server fails with the following error:

RUNNING HANDLER [common : reload nginx] ****************************************
fatal: [xyz-staging]: FAILED! => {"changed": true, "cmd": ["nginx", "-t"], "delta": "0:00:00.051262", "end": "2022-08-18 01:12:41.068695", "msg": "non-zero return code", "rc": 1, "start": "2022-08-18 01:12:41.017433", "stderr": "nginx: [emerg] unknown directive \"ssl_reject_handshake\" in /etc/nginx/sites-enabled/no-default.conf:20\nnginx: configuration file /etc/nginx/nginx.conf test failed", "stderr_lines": ["nginx: [emerg] unknown directive \"ssl_reject_handshake\" in /etc/nginx/sites-enabled/no-default.conf:20", "nginx: configuration file /etc/nginx/nginx.conf test failed"], "stdout": "", "stdout_lines": []}

Accessing the server and running:
$ nginx -t
Comes up with the following error:

nginx: [emerg] unknown directive "ssl_reject_handshake" in /etc/nginx/sites-enabled/no-default.conf:20
nginx: configuration file /etc/nginx/nginx.conf test failed

As suggested above, running:
$ apt-get install --only-upgrade nginx
Then results in:

Unpacking nginx (1.23.1-1~bionic) over (1.17.3-0+bionic1) ...
dpkg: error processing archive /var/cache/apt/archives/nginx_1.23.1-1~bionic_amd64.deb (--unpack):
 trying to overwrite '/usr/sbin/nginx', which is also in package nginx-full 1.17.3-0+bionic1
dpkg-deb: error: paste subprocess was killed by signal (Broken pipe)
Errors were encountered while processing:
E: Sub-process /usr/bin/dpkg returned an error code (1)

Any idea how to solve this? Luckily I'm trying this out on the staging server first, but eventually I will have to do the same on production, and I'm wondering about the best way to handle this.

Thanks in advance!