Why is ALPN not supported by my server?

Solution 1:

As @AlexyTen pointed out, the root cause was that, although I had OpenSSL 1.0.2g installed, NGINX needed to be built with OpenSSL and it was built with 1.0.1f, which does not support ALPN.

NGINX needs to be rebuilt with OpenSSL 1.0.2 or above and re-installed. I found a few tutorials online, but because I am using a Digital Ocean server, I used this help topic to solve the issue for me: https://www.digitalocean.com/community/questions/how-to-get-already-installed-nginx-to-use-openssl-1-0-2-for-alpn

I first needed to install a few new libraries:

apt-get install libgeoip-dev libgd2-xpm-dev libperl-dev

I then just ran this script: https://gist.github.com/AJMaxwell/f6793605068813aae888216b02364d85

I restarted using sudo shutdown -r now and ran nginx -V again. This time it gave me:

nginx version: nginx/1.11.0
built by gcc 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.4)
built with OpenSSL 1.0.2h  3 May 2016
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-http_auth_request_module --with-http_xslt_module=dynamic --with-http_image_filter_module=dynamic --with-http_geoip_module=dynamic --with-http_perl_module=dynamic --with-threads --with-stream --with-stream_ssl_module --with-http_slice_module --with-mail --with-mail_ssl_module --with-file-aio --with-ipv6 --with-http_v2_module --with-openssl=/root/openssl-1.0.2h --add-module=/root/ngx_pagespeed-release-

I also ran keycdn's http2 test again and it passed.
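
A check for the mismatch described in Solution 1, as an added example that is not part of the original answers: it reads `nginx -V` text and reports whether the binary was built against an OpenSSL with ALPN (1.0.2 or newer) and includes the HTTP/2 module. The function names and both sample texts are constructed for illustration.

```shell
#!/bin/sh
# Added example. ALPN support is fixed when nginx is compiled, so the version
# that matters is the "built with OpenSSL" line, not the system openssl package.

# stdin: `nginx -V` text. stdout: the OpenSSL version nginx was built against.
nginx_built_openssl() {
    sed -n 's/^built with OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p' | head -n 1
}

# Succeeds if version $1 (1.0.2h, 1.1.1w, 3.0.2, ...) is 1.0.2 or newer.
openssl_has_alpn() (
    v=${1%%[a-z]*}                      # drop letter suffix: 1.0.2h -> 1.0.2
    IFS=. read -r major minor patch <<EOF
$v
EOF
    major=${major:-0}; minor=${minor:-0}; patch=${patch:-0}
    [ "$major" -gt 1 ] && exit 0
    [ "$major" -eq 1 ] && [ "$minor" -gt 0 ] && exit 0
    [ "$major" -eq 1 ] && [ "$minor" -eq 0 ] && [ "$patch" -ge 2 ] && exit 0
    exit 1
)

# stdin: `nginx -V` text. Prints a verdict; returns 0 only if ALPN and HTTP/2
# are both compiled in, 1 if either is missing, 2 if the input is unusable.
check_nginx_alpn() {
    out=$(cat)
    built=$(printf '%s\n' "$out" | nginx_built_openssl)
    if [ -z "$built" ]; then echo "no 'built with OpenSSL' line found"; return 2; fi
    if ! openssl_has_alpn "$built"; then
        echo "built with OpenSSL $built: no ALPN, rebuild nginx against 1.0.2 or newer"
        return 1
    fi
    case $out in
        *--with-http_v2_module*) echo "built with OpenSSL $built: ALPN and HTTP/2 compiled in" ;;
        *) echo "built with OpenSSL $built: ALPN ok, --with-http_v2_module missing"; return 1 ;;
    esac
}

# Constructed samples: SAMPLE_OLD mirrors the failing state (old build, newer
# library installed), SAMPLE_NEW the rebuilt binary.
SAMPLE_OLD='nginx version: nginx/1.11.0
built with OpenSSL 1.0.1f 6 Jan 2014 (running with OpenSSL 1.0.2g  1 Mar 2016)
configure arguments: --with-http_ssl_module --with-http_v2_module'
SAMPLE_NEW='nginx version: nginx/1.11.0
built with OpenSSL 1.0.2h  3 May 2016
configure arguments: --with-http_ssl_module --with-http_v2_module --with-openssl=/root/openssl-1.0.2h'
printf '%s\n' "$SAMPLE_OLD" | check_nginx_alpn || true
printf '%s\n' "$SAMPLE_NEW" | check_nginx_alpn || true
```

On a live host, feed it real output with `nginx -V 2>&1 | check_nginx_alpn`, since nginx writes its version details to stderr.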

Solution 2:

I have created a bash script that automatically downloads, compiles and installs Nginx with OpenSSL on Debian/Ubuntu, RHEL/CentOS and other distros. The resulting binary is exactly the same as the one that Nginx distributes through its official repository, except that it comes with the latest version of OpenSSL.

The script does not modify the OpenSSL installation, only the Nginx binary. It is a good option if you don't want to rely on packages built and distributed by unofficial sources.