I have been trying to setup SSL on my Docker Nginx server to no avail.

Backstory: I have a VPS on which i run multiple dockerized websites. On the front i have the jwilder nginx reverse proxy server with a network. All websites are linked to that network. For those websites that use the Cloudflare flexible certificate, everything is working fine but i have one the MUST be on the Full setting. The best i managed to achieve is a 525: SSL Handshake failed

As a certificate i use the Cloudflare Origin Server Certificate (pem/key).

Here is my setup:

Nginx Proxy:

  nginx-proxy:
    image: jwilder/nginx-proxy
    container_name: nginx-proxy
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - /var/run/docker.sock:/tmp/docker.sock:ro
    environment:
      - VIRTUAL_PROTO=https

networks:
  default:
    external: true
    name: nginx-proxy

The website:

  website-php-fpm:
    build:
      context: ./php-fpm
    volumes:
      - ../src:/var/www

  website-nginx:
    build:
      context: ./nginx
    volumes:
      - ../src:/var/www
      - ./nginx/nginx.conf:/etc/nginx/nginx.conf
      - ./nginx/sites/:/etc/nginx/sites-available
      - ./nginx/conf.d/:/etc/nginx/conf.d
      - ./nginx/ssl/:/etc/ssl
    depends_on:
      - website-php-fpm
    expose:
      - 80
      - 443
    container_name: websitenginx
    environment:
      VIRTUAL_HOST: domain.com,

networks:
  default:
    external: true
    name: nginx-proxy

The NGINX config:

worker_processes  4;
daemon off;

error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;

events {
    worker_connections  1024;
}

http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    access_log  /var/log/nginx/access.log;

    sendfile        on;
    keepalive_timeout  65;

    upstream php-upstream {
       server website-php-fpm:9000;
    }
   
server {
    listen 80;
    listen [::]:80;
    server_name domain.com www.domain.com;
    return 302 https://$server_name$request_uri;
}
server {
   proxy_read_timeout 300;
   proxy_connect_timeout 300;
   proxy_send_timeout 300;

   listen 443 ssl;
   listen [::]:443 ssl;
   ssl_certificate    /etc/ssl/origin.com.pem; // The one created by CloudFlare Origin
   ssl_certificate_key    /etc/ssl/origin.com.key; // The one created by CloudFlare Origin
   ssl_client_certificate /etc/ssl/origin_ca_rsa_root.pem; // The one that Cloudflare provides
   ssl_verify_client on;
   server_name domain.com www.domain.com;


    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;
    ssl_prefer_server_ciphers on;

    root /var/www;
    index index.php index.html index.htm;

    location / {
         try_files $uri $uri/ /index.php$is_args$args;
    }

    location ~ .php$ {
        try_files $uri /index.php =404;
        fastcgi_pass php-upstream;
        fastcgi_index index.php;
        fastcgi_buffers 16 16k;
        fastcgi_buffer_size 32k;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        #fixes timeouts
        fastcgi_read_timeout 600;
        include fastcgi_params;
    }

    location ~ /.ht {
        deny all;
    }

}

}

Would really appreciate any hints. Thank you all!

PS: i tried at least a dozen combinations that didn’t work, sorry I can’t remember them to list them here