
Cloudflare authentication pull resulted in error

Discussion in 'Install & Upgrades or Pre-Install Questions' started by Jay Chen, Jul 6, 2018.

  1. Jay Chen

    I followed the instructions here, Cloudflare - Setting Up Cloudflare Authenticated Origin Pulls Protecting IP Leaks, by uncommenting the two lines below
    Code:
    # cloudflare authenticated origin pull cert community.centminmod.com/threads/13847/
      ssl_client_certificate /usr/local/nginx/conf/ssl/cloudflare/yourdomain.com/origin.crt;
      ssl_verify_client on;
    Then I restarted nginx and got the following error:
    Code:
    Restarting nginx (via systemctl):  Job for nginx.service failed because the control process exited with error code. See "systemctl status nginx.service" and "journalctl -xe" for details.
                                                               [FAILED]
    When I ran systemctl status nginx.service, I got the following error:
    Code:
    ● nginx.service - SYSV: Nginx is an HTTP(S) server, HTTP(S) reverse proxy and IMAP/POP3 proxy server
       Loaded: loaded (/etc/rc.d/init.d/nginx; bad; vendor preset: disabled)
       Active: failed (Result: exit-code) since Fri 2018-07-06 01:00:14 UTC; 9s ago
         Docs: man:systemd-sysv-generator(8)
      Process: 4129 ExecStop=/etc/rc.d/init.d/nginx stop (code=exited, status=0/SUCCESS)
      Process: 2322 ExecReload=/etc/rc.d/init.d/nginx reload (code=exited, status=0/SUCCESS)
      Process: 4144 ExecStart=/etc/rc.d/init.d/nginx start (code=exited, status=1/FAILURE)
     Main PID: 3996 (code=exited, status=0/SUCCESS)
    
    Jul 06 01:00:14 newvps-85656 systemd[1]: Starting SYSV: Nginx is an HTTP(S) server, HTTP(S) reverse proxy and...er...
    Jul 06 01:00:14 newvps-85656 nginx[4144]: Starting nginx: nginx: [warn] could not build optimal map_hash, you..._size
    Jul 06 01:00:14 newvps-85656 nginx[4144]: nginx: [emerg] SSL_CTX_load_verify_locations("/usr/local/nginx/conf/ssl/...
    Jul 06 01:00:14 newvps-85656 nginx[4144]: [FAILED]
    Jul 06 01:00:14 newvps-85656 systemd[1]: nginx.service: control process exited, code=exited status=1
    Jul 06 01:00:14 newvps-85656 systemd[1]: Failed to start SYSV: Nginx is an HTTP(S) server, HTTP(S) reverse pr...rver.
    Jul 06 01:00:14 newvps-85656 systemd[1]: Unit nginx.service entered failed state.
    Jul 06 01:00:14 newvps-85656 systemd[1]: nginx.service failed.
    I am not sure what I did wrong. I installed the latest beta version with PHP 7.2.
     
  2. eva2000

    output for
    Code (Text):
    nginx -t
    
     
  3. eva2000

    you may need to download the cert manually if it didn't download properly as per post #1

    In SSH, type the following 5 lines, where the first prompts you to enter the domain name of the intended site
    Code (Text):
    read -ep "enter vhost domain name you want to setup cloudflare origin pull for: " vhostname ;
    mkdir -p /usr/local/nginx/conf/ssl/cloudflare/$vhostname ;
    cd /usr/local/nginx/conf/ssl/cloudflare/$vhostname ;
    wget https://support.cloudflare.com/hc/en-us/article_attachments/201243967/origin-pull-ca.pem -O origin.crt ;
    echo -e "ssl_client_certificate /usr/local/nginx/conf/ssl/cloudflare/$vhostname/origin.crt;\nssl_verify_client on;" ;

    then restart nginx
    Code (Text):
    ngxrestart
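
As an added example (not part of the original posts or of Centmin Mod): a check to run on `origin.crt` after the `wget` step and before `ngxrestart`, so that an empty or non-PEM download is caught before nginx refuses to start. The function name `check_origin_ca` and its return codes are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example: sanity-check a downloaded client CA file before nginx loads it
# through ssl_client_certificate. check_origin_ca and its return codes are
# hypothetical names chosen for this illustration.

check_origin_ca() {
  f="$1"
  # 1: path missing (mkdir/cd failed, or wget never ran)
  [ -e "$f" ] || { echo "missing: $f" >&2; return 1; }
  # 2: zero-byte file, which "wget -O" leaves behind when the download fails
  [ -s "$f" ] || { echo "empty: $f" >&2; return 2; }
  # 3: something was saved but it is not PEM (for example an HTML error page)
  grep -q -e '-----BEGIN CERTIFICATE-----' "$f" \
    || { echo "not PEM: $f" >&2; return 3; }
  # 4: PEM markers present but the body does not parse as an X.509 certificate
  if command -v openssl >/dev/null 2>&1; then
    openssl x509 -in "$f" -noout 2>/dev/null \
      || { echo "unparseable certificate: $f" >&2; return 4; }
  fi
  return 0
}

# Runs only when a path is given on the command line, for example:
#   bash check_origin_ca.sh /usr/local/nginx/conf/ssl/cloudflare/yourdomain.com/origin.crt
if [ "$#" -ge 1 ]; then
  check_origin_ca "$1" && echo "ok: $1 is usable with ssl_client_certificate"
fi
```

A non-zero result means the file should be downloaded again before nginx is restarted; `nginx -t` remains the final check of the whole configuration.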
    
     
  4. Jay Chen

    Code:
    [00:03][[email protected]~]# nginx -t
    nginx: [warn] could not build optimal map_hash, you should increase either map_hash_max_size: 4096 or map_hash_bucket_size: 128; ignoring map_hash_bucket_size
    nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
    nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
     
  5. eva2000

    looks ok besides the warning that would be unrelated to your origin issue

    what's output for
    Code (Text):
    grep -n hash /usr/local/nginx/conf/nginx.conf
    

    i.e.
    Code (Text):
    grep -n hash /usr/local/nginx/conf/nginx.conf
    25: map_hash_bucket_size 128;
    26: map_hash_max_size 4096;
    27: server_names_hash_bucket_size 128;
    28: server_names_hash_max_size 2048;
    29: variables_hash_max_size 2048;
    136: types_hash_max_size 2048;
    
     
  6. eva2000

  7. Jay Chen

    Code:
    [00:19][[email protected] newvps~]# grep -n hash /usr/local/nginx/conf/nginx.conf
    25: map_hash_bucket_size 128;
    26: map_hash_max_size 4096;
    27: server_names_hash_bucket_size 128;
    28: server_names_hash_max_size 2048;
    29: variables_hash_max_size 2048;
    136: types_hash_max_size 2048;
    
     
  8. Jay Chen

  9. eva2000

    Looks right to me. Do you have those settings listed elsewhere? You can check with a recursive egrep
    Code (Text):
    egrep -rn 'hash_bucket|hash_max' /usr/local/nginx/conf
    

    i.e.
    Code (Text):
    egrep -rn 'hash_bucket|hash_max' /usr/local/nginx/conf 
    /usr/local/nginx/conf/nginx.conf:25: map_hash_bucket_size 128;
    /usr/local/nginx/conf/nginx.conf:26: map_hash_max_size 4096;
    /usr/local/nginx/conf/nginx.conf:27: server_names_hash_bucket_size 128;
    /usr/local/nginx/conf/nginx.conf:28: server_names_hash_max_size 2048;
    /usr/local/nginx/conf/nginx.conf:29: variables_hash_max_size 2048;
    /usr/local/nginx/conf/nginx.conf:136: types_hash_max_size 2048;
    

    Also, have you added additional nginx map directives to your nginx configuration?
     
  10. Jay Chen

    I have a lot of redirects like the following at the beginning of website.ssl.conf
    Code:
    map $request_uri $new_uri {
        default $request_uri;
        /funny-picture-141 /2-reasons-why-i-watch-food-channel/;
        /funny-picture-1335 /2-things-i-love-the-most/;
        /funny-picture-459 /2-things-that-control-the-world/;
        /funny-picture-527 /3-biggest-tradedies-in-a-man-life/;
        /funny-picture-1931 /3-stages-after-getting-paid/;
        # remaining redirects not shown in the post
    }
     
  11. eva2000

    maps need to be set in /usr/local/nginx/conf/nginx.conf within http{} context right after the hash_bucket related directives lines and not within nginx vhosts
     
  12. Jay Chen

    I don't understand, but I have two websites on the same server. /usr/local/nginx/conf/nginx.conf doesn't have a server block, only the nginx vhosts do; that is why I placed the maps there.
     
  13. eva2000

    because nginx documentation says so Module ngx_http_map_module :)

    context = http context only
    Code (Text):
    Syntax:    map string $variable { ... }
    Default:    —
    Context:    http
    
     
  14. Jay Chen

    Looks like I have a lot of readings to do. Thanks Eva
     