Letsencrypt / nginx: неправильная конфигурация SSL - PullRequest
/ 22 февраля 2020

Недавно я приобрел доменное имя, которое хочу направить на мой домашний сервер. Всё работало хорошо, пока я не попытался настроить SSL. С тех пор при попытке открыть https://cloud.mydomain.com/ я получаю эту ошибку:

SSL_ERROR_RX_RECORD_TOO_LONG

Я вообще не знаю, как это отлаживать.

У хостера домена у меня такая конфигурация DNS-записей:

mydomain.com.   A [my external IP]

cloud.mydomain.com.   CNAME mydomain.com.

На моём сервере такая конфигурация nginx:

# Worker processes run under this unprivileged account; the master process keeps
# the privileges needed to bind ports 80 and 443.
user www-data;
# One worker per available CPU core.
worker_processes auto;
pid /var/run/nginx.pid;

events {
    # Upper bound on simultaneous connections per worker (client and upstream sides combined).
    worker_connections 1024;
    # Accept every pending connection on a wake-up instead of one at a time.
    multi_accept on;
    # Linux-only event notification method.
    use epoll;
}

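http {
    server_names_hash_bucket_size 64;
    # PHP-FPM socket; referenced by the fastcgi locations below (presumably via
    # php_optimization.conf, which is not shown on this page).
    upstream php-handler {
        server unix:/run/php/php7.3-fpm.sock;
    }

    # X-Forwarded-For is trusted only when the connection itself comes from
    # loopback or the LAN; connections from any other address are left untouched.
    set_real_ip_from 127.0.0.1;
    set_real_ip_from 192.168.1.0/24;
    real_ip_header X-Forwarded-For;
    real_ip_recursive on;
    include /etc/nginx/mime.types;

    # include /etc/nginx/proxy.conf;
    # No location in this file uses proxy_pass, so these defaults are inert until one does.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Protocol $scheme;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Port $server_port;
        proxy_set_header X-Forwarded-Server $host;
        proxy_connect_timeout 3600;
        proxy_send_timeout 3600;
        proxy_read_timeout 3600;
        proxy_redirect off;

    # include /etc/nginx/ssl.conf;
    # Certificate and key are defined once here and inherited by every `listen ... ssl`
    # server below. options-ssl-nginx.conf is the certbot-managed protocol/cipher policy.
        ssl_certificate /etc/letsencrypt/live/mydomain.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/mydomain.com/privkey.pem;
        include /etc/letsencrypt/options-ssl-nginx.conf;
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    # include /etc/nginx/header.conf;
    # These headers are inherited by every server/location because none of them
    # declares its own add_header. Headers without `always` are only emitted on
    # 2xx/3xx-class responses. `preload` signals eligibility for browser HSTS
    # preload lists, which are slow to leave; keep it only if you intend to submit
    # the domain.
        add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
        add_header X-Robots-Tag none;
        add_header X-Download-Options noopen;
        add_header X-Permitted-Cross-Domain-Policies none;
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-XSS-Protection "1; mode=block" always;
        add_header Referrer-Policy "no-referrer" always;
        add_header X-Frame-Options "SAMEORIGIN";

    # include /etc/nginx/optimization.conf;
        # Do not reveal the PHP version to clients.
        fastcgi_hide_header X-Powered-By;
        fastcgi_read_timeout 3600;
        fastcgi_send_timeout 3600;
        fastcgi_connect_timeout 3600;
        fastcgi_buffers 64 64K;
        fastcgi_buffer_size 256k;
        fastcgi_busy_buffers_size 3840K;
        fastcgi_cache_key $http_cookie$request_method$host$request_uri;
        fastcgi_cache_use_stale error timeout invalid_header http_500;
        fastcgi_ignore_headers Cache-Control Expires Set-Cookie;
        gzip on;
        gzip_vary on;
        gzip_comp_level 4;
        gzip_min_length 256;
        gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
        gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
        gzip_disable "MSIE [1-6]\.";


    default_type application/octet-stream;
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log warn;
    sendfile on;
    send_timeout 3600;
    tcp_nopush on;
    tcp_nodelay on;
    open_file_cache max=500 inactive=10m;
    open_file_cache_errors on;
    keepalive_timeout 65;
    reset_timedout_connection on;
    # Hide the nginx version in the Server header and on error pages.
    server_tokens off;
    resolver 192.168.1.1 valid=30s;
    resolver_timeout 5s;

    # include /etc/nginx/conf.d/*.conf;

        # etc/nginx/conf.d/nextcloud.conf;
        # Plain HTTP: redirect everything to HTTPS on the same host.
        server {
            server_name cloud.mydomain.com;
            listen 80 default_server;
            listen [::]:80 default_server;

            location / {
                return 301 https://$host$request_uri;
            }
        }

        server {
            server_name cloud.mydomain.com;
            # TLS is terminated here. NOTE(review): the s_client output quoted on this
            # page ("wrong version number" after reading 5 bytes) means the externally
            # reached :443 answered with a non-TLS record before any certificate was
            # sent, while LAN access works — that points at the path in front of nginx
            # (e.g. the router's port mapping) rather than at this listen line. TODO
            # confirm the external 443 forward really targets this host's port 443.
            listen 443 ssl http2 default_server;
            listen [::]:443 ssl http2 default_server;
            root /var/www/nextcloud/;

            location = /robots.txt {
                allow all;
                log_not_found off;
                access_log off;
            }

            location = /.well-known/carddav {
                return 301 $scheme://$host/remote.php/dav;
            }

            location = /.well-known/caldav {
                return 301 $scheme://$host/remote.php/dav;
            }

            #SOCIAL app enabled? Please uncomment the following row
            #rewrite ^/.well-known/webfinger /public.php?service=webfinger last;
            #WEBFINGER app enabled? Please uncomment the following two rows.
            #rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
            #rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;

            # Large uploads are expected for a file-sync server.
            client_max_body_size 10240M;

            location / {
                rewrite ^ /index.php;
            }

            # Deny direct access to application internals and data. These regex
            # locations precede the static-file regex below, so e.g. /config/x.js
            # is still denied.
            location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
                deny all;
            }

            location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
                deny all;
            }

            location ^~ /apps/rainloop/app/data {
                deny all;
            }

            # NOTE(review): the fastcgi lines here mirror the PHP location and only
            # apply when the request path passes through a .php script; for a path
            # that is just a media file the split regex cannot match. Both `mp4` and
            # the fastcgi handler (presumably set in php_optimization.conf) are
            # configured for this location — verify which one nginx actually applies.
            location ~ \.(?:flv|mp4|mov|m4a)$ {
                mp4;
                mp4_buffer_size 100M;
                mp4_max_buffer_size 1024M;
                # Dot escaped: the original `.php` also matched any character before "php".
                fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;
                set $path_info $fastcgi_path_info;
                try_files $fastcgi_script_name =404;
                include fastcgi_params;
                include php_optimization.conf;
            }

            # Only the listed front controllers are handed to PHP-FPM; `\.php` is
            # escaped so that only a literal ".php" matches.
            location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) {
                fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;
                set $path_info $fastcgi_path_info;
                # Reject requests whose script does not exist on disk.
                try_files $fastcgi_script_name =404;
                include fastcgi_params;
                include php_optimization.conf;
            }

            location ~ ^\/(?:updater|oc[ms]-provider)(?:$|\/) {
                try_files $uri/ =404;
                index index.php;
            }

            # Static assets; the dot is escaped so the rule matches file extensions
            # only, not any character followed by one of these suffixes.
            location ~ \.(?:css|js|woff2?|svg|gif|map|png|html|ttf|ico|jpg|jpeg)$ {
                try_files $uri /index.php$request_uri;
                access_log off;
                expires 360d;
            }
        }
}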

Вот команда, которую я выполнил для генерации сертификатов:

# One certificate covering both names; the --nginx installer also rewrites the
# nginx configuration it finds to reference the issued certificate.
sudo certbot --nginx -d mydomain.com -d cloud.mydomain.com

Обратите внимание: когда я обращаюсь к серверу из локальной сети по адресу машины, сертификат предъявляется и Nextcloud отображается.

Мой маршрутизатор настроен на проброс портов 80 и 443 на мою машину, и я вижу записи в /var/log/nginx/access.log.

Когда я запускаю команду:

# SNI is set to mydomain.com while the vhost is cloud.mydomain.com; the
# default_server listener covers that. The failure below happens after reading
# only 5 bytes ("wrong version number"), i.e. before any certificate is sent, so
# the peer answered :443 with a non-TLS record and the name mismatch is not the cause.
openssl s_client -connect cloud.mydomain.com:443 -servername mydomain.com

Я получаю следующий результат:

CONNECTED(00000003)
140509444985920:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:332:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 317 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

Не могли бы вы помочь мне это отладить?
