Trellis: unknown directive "ssl_reject_handshake"

Follow up to this post: @swalkinshaw I’ve given your latest a whirl (#1415), thanks for getting that up so quickly! We’ve hit an issue with the version of nginx now, so just reporting that for the benefit of others:

non-zero return code
nginx: [emerg] unknown directive "ssl_reject_handshake" in /etc/nginx/sites-enabled/no-default.conf:20
nginx: configuration file /etc/nginx/nginx.conf test failed

ssl_reject_handshake was introduced in nginx 1.19.4 and re-provisioning an already provisioned server won’t update that for you. I was fortunate enough to try on a server with 1.19.3. So close.

For those looking where to go from here: see this thread on server updates.

1 Like

:sweat: this is why backwards compatibility with Trellis is hard… generally we’d prefer people to just re-create new servers instead of applying small updates to existing ones. But I also completely understand why that’s harder (or less realistic) in many cases.

1.19.4 was released almost 2 years ago, but as you mentioned, Trellis won’t auto-upgrade installed packages.

You can use apt-get install --only-upgrade nginx to only upgrade Nginx.

2 Likes

I hear you. You guys have done awesome things and it’s definitely not an expectation that you’ll find all the niggles. That’s where the community steps up to help out.

Big love from a small dev team Down Under :pray: :muscle:

3 Likes

So I am now getting the same issue on Ubuntu 18.04 running Nginx 1.17.3:

Provisioning a server fails with the following error:

RUNNING HANDLER [common : reload nginx] ****************************************
fatal: [xyz-staging]: FAILED! => {"changed": true, "cmd": ["nginx", "-t"], "delta": "0:00:00.051262", "end": "2022-08-18 01:12:41.068695", "msg": "non-zero return code", "rc": 1, "start": "2022-08-18 01:12:41.017433", "stderr": "nginx: [emerg] unknown directive \"ssl_reject_handshake\" in /etc/nginx/sites-enabled/no-default.conf:20\nnginx: configuration file /etc/nginx/nginx.conf test failed", "stderr_lines": ["nginx: [emerg] unknown directive \"ssl_reject_handshake\" in /etc/nginx/sites-enabled/no-default.conf:20", "nginx: configuration file /etc/nginx/nginx.conf test failed"], "stdout": "", "stdout_lines": []}

Accessing the server and running:
$ nginx -t
Comes up with the following error:

nginx: [emerg] unknown directive "ssl_reject_handshake" in /etc/nginx/sites-enabled/no-default.conf:20
nginx: configuration file /etc/nginx/nginx.conf test failed

As suggested above, running:
$ apt-get install --only-upgrade nginx
Then results in:

Unpacking nginx (1.23.1-1~bionic) over (1.17.3-0+bionic1) ...
dpkg: error processing archive /var/cache/apt/archives/nginx_1.23.1-1~bionic_amd64.deb (--unpack):
 trying to overwrite '/usr/sbin/nginx', which is also in package nginx-full 1.17.3-0+bionic1
dpkg-deb: error: paste subprocess was killed by signal (Broken pipe)
Errors were encountered while processing:
 /var/cache/apt/archives/nginx_1.23.1-1~bionic_amd64.deb
E: Sub-process /usr/bin/dpkg returned an error code (1)

Any idea how to solve this? Luckily I'm trying this out on the staging server first, but eventually I will have to do the same on production and am wondering about the best way to handle this.

Thanks in advance!

Are you running that command as root? If not, you need to run sudo apt-get install --only-upgrade nginx. Hard to tell from the error, but it could be permissions.

Should have made that a bit more clear, Scott: yes, I am accessing the server as root and running it with sudo, with the error above.

I found apt - dpkg error: "trying to overwrite file, which is also in..." - Ask Ubuntu which might be helpful.

Thanks Scott, it seemed like that was a disputed solution, and one of the comments in that thread actually led to a pretty simple fix, although one that will result in some downtime on the production level:

Do you reckon this would produce any issues down the line of manually removing and reinstating nginx? Seems to have passed a test re-provisioning and deploying to a staging server after this without any issues.

Thanks again for all your help, always appreciated!

1 Like

Nope, that’s fine too!

1 Like
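
The two failures reported in this thread (nginx older than 1.19.4, and /usr/sbin/nginx owned by nginx-full when upgrading the nginx package) can be caught before re-provisioning. The script below is an added example, not part of the thread or of Trellis; the function names and return codes are its own, and it assumes the usual `nginx -v` and `dpkg -S` output formats.

```shell
#!/bin/sh
# Added example: pre-flight check before provisioning a config that uses
# ssl_reject_handshake. Function names and return codes are this example's own.

MIN_VERSION="1.19.4"   # per the thread: directive introduced in nginx 1.19.4

# Extract "1.17.3" from `nginx -v` output like "nginx version: nginx/1.17.3".
parse_nginx_version() {
    printf '%s\n' "$1" | sed -n 's|.*nginx/\([0-9][0-9.]*\).*|\1|p' | head -n 1
}

# Succeed if dotted version $1 >= $2, comparing each field numerically.
version_ge() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        if [ "$a" = "$x" ]; then a=""; else a=${a#*.}; fi
        if [ "$b" = "$y" ]; then b=""; else b=${b#*.}; fi
        x=${x:-0}; y=${y:-0}
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
    done
    return 0
}

# Package name from `dpkg -S /usr/sbin/nginx` output ("nginx-full: /usr/sbin/nginx").
binary_owner() {
    printf '%s\n' "$1" | sed -n 's|^\([^:]*\).*: /usr/sbin/nginx$|\1|p' | head -n 1
}

# Returns 0 = ok, 1 = upgrade needed, 2 = upgrade needed and the binary is owned
# by a package other than "nginx" (the dpkg overwrite case above), 3 = unparsable.
preflight() {
    ver=$(parse_nginx_version "$1"); owner=$(binary_owner "$2")
    [ -n "$ver" ] || { echo "cannot parse nginx version"; return 3; }
    if version_ge "$ver" "$MIN_VERSION"; then
        echo "ok: nginx $ver accepts ssl_reject_handshake"; return 0
    fi
    echo "upgrade needed: nginx $ver is older than $MIN_VERSION"
    if [ -n "$owner" ] && [ "$owner" != "nginx" ]; then
        echo "note: /usr/sbin/nginx belongs to $owner; upgrading 'nginx' may fail to overwrite it"
        return 2
    fi
    return 1
}

# Constructed sample inputs matching the versions quoted in the thread.
# On a real host: preflight "$(nginx -v 2>&1)" "$(dpkg -S /usr/sbin/nginx)"
preflight "nginx version: nginx/1.17.3" "nginx-full: /usr/sbin/nginx" || true
preflight "nginx version: nginx/1.23.1" "nginx: /usr/sbin/nginx" || true
```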