Want more timely Centmin Mod News Updates?
Become a Member

SSL ERR_CERT_AUTHORITY_INVALID error on paid cert

Discussion in 'Domains, DNS, Email & SSL Certificates' started by moshbit, Jul 3, 2016.

  1. moshbit

    moshbit Member

    53
    10
    8
    Jun 15, 2014
    Ratings:
    +13
    Local Time:
    2:30 AM
    1.15.0
    MariaDB 10.1.33
    Hey, hopefully I'm posting in the right spot? I followed the instructions here:


    Nginx Vhost & NSD DNS Setup - CentminMod.com LEMP Nginx web stack for CentOS

    and here:

    Nginx SPDY SSL Configuration - CentminMod.com LEMP Nginx web stack for CentOS

    and i'm still getting a ERR_CERT_AUTHORITY_INVALID error on my domain:

    http://community.locationindie.com

    i've re-concatonated the files several times, and i've done this before on my other server without problems, but this time around it's not working for me and i'm not sure how i should go about diagnosing it.

    i've set up http to https forwarding per these instructions, and ive disabled the main vhost and am using the ssl one. oh, and this is a wordpress site i set up using option 22 of centmin.sh.

    below is my ssl conf. can someone tell me where i should start to look to figure out what i did wrong here? thank you!

    Code:
    # Centmin Mod Getting Started Guide
    # must read http://centminmod.com/getstarted.html
    # For SPDY SSL Setup
    # read http://centminmod.com/nginx_configure_https_ssl_spdy.html
    
    # redirect from www to non-www  forced SSL
    # uncomment, save file and restart Nginx to enable
    # if unsure use return 302 before using return 301
    server {
       server_name community.locationindie.com www.community.locationindie.com;
        return 302 https://$server_name$request_uri;
    }
    
    server {
      listen 443 ssl http2;
      server_name community.locationindie.com www.community.locationindie.com;
    
    ##  redirect https www to https non-www
          if ($host = 'www.community.locationindie.com' ) {
             return 302 https://community.locationindie.com$request_uri;
          }
    
      ssl_dhparam /usr/local/nginx/conf/ssl/community.locationindie.com/dhparam.pem;
      ssl_certificate      /usr/local/nginx/conf/ssl/community.locationindie.com/community.locationindie.com.crt;
      ssl_certificate_key  /usr/local/nginx/conf/ssl/community.locationindie.com/community.locationindie.com.key;
      include /usr/local/nginx/conf/ssl_include.conf;
    
      # mozilla recommended
      ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!CAMELLIA:!DES-CBC3-SHA;
      ssl_prefer_server_ciphers   on;
      add_header Alternate-Protocol  443:npn-spdy/3;
      #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
      #add_header  X-Content-Type-Options "nosniff";
      #add_header X-Frame-Options DENY;
      spdy_headers_comp 5;
      ssl_buffer_size 1400;
      ssl_session_tickets on;
    
      # enable ocsp stapling
      resolver 8.8.8.8 8.8.4.4 valid=10m;
      resolver_timeout 10s;
      ssl_stapling on;
      ssl_stapling_verify on;
      ssl_trusted_certificate /usr/local/nginx/conf/ssl/community.locationindie.com/ssl-trusted.crt;
    
    # ngx_pagespeed & ngx_pagespeed handler
    #include /usr/local/nginx/conf/pagespeed.conf;
    #include /usr/local/nginx/conf/pagespeedhandler.conf;
    #include /usr/local/nginx/conf/pagespeedstatslog.conf;
    
      # limit_conn limit_per_ip 16;
      # ssi  on;
    
      access_log /home/nginx/domains/community.locationindie.com/log/access.log combined buffer=256k flush=60m;
      error_log /home/nginx/domains/community.locationindie.com/log/error.log;
    
      root /home/nginx/domains/community.locationindie.com/public;
    
      # prevent access to ./directories and files
      location ~ (?:^|/)\. {
       deny all;
      }
    
    include /usr/local/nginx/conf/wpsupercache_community.locationindie.com.conf;
    
      location / {
    
      # Enables directory listings when index file not found
      #autoindex  on;
    
      # for wordpress super cache plugin
      try_files /wp-content/cache/supercache/$http_host/$cache_uri/index.html $uri $uri/ /index.php?q=$uri&$args;
    
      # Wordpress Permalinks
      #try_files $uri $uri/ /index.php?q=$uri&$args;
    
      }
    
    location ~* /(wp-login\.php) {
        limit_req zone=xwplogin burst=1 nodelay;
        #limit_conn xwpconlimit 30;
        #auth_basic "Private";
        #auth_basic_user_file /home/nginx/domains/community.locationindie.com/htpasswd_wplogin;  
        include /usr/local/nginx/conf/php-wpsc.conf;
    }
    
    location ~* /(xmlrpc\.php) {
        limit_req zone=xwprpc burst=45 nodelay;
        #limit_conn xwpconlimit 30;
        include /usr/local/nginx/conf/php-wpsc.conf;
    }
    
      include /usr/local/nginx/conf/wpsecure_community.locationindie.com.conf;
      include /usr/local/nginx/conf/php-wpsc.conf;
      include /usr/local/nginx/conf/staticfiles.conf;
      include /usr/local/nginx/conf/drop.conf;
      #include /usr/local/nginx/conf/errorpage.conf;
      include /usr/local/nginx/conf/vts_server.conf;
    }
    
     
  2. eva2000

    eva2000 Administrator Staff Member

    54,600
    12,225
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,794
    Local Time:
    8:30 PM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    from Nginx SPDY SSL Configuration - CentminMod.com LEMP Nginx web stack for CentOS
    should be able to see if you chained it correctly

    other tests
     
  3. eva2000

    eva2000 Administrator Staff Member

    54,600
    12,225
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,794
    Local Time:
    8:30 PM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    you seem to be using the self-signed ssl cert as the cert expiry is in year 2116 which is 100yrs not the 1-3 yr valid periods for commercial paid ssl certs.
     
  4. eva2000

    eva2000 Administrator Staff Member

    54,600
    12,225
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,794
    Local Time:
    8:30 PM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
  5. moshbit

    moshbit Member

    53
    10
    8
    Jun 15, 2014
    Ratings:
    +13
    Local Time:
    2:30 AM
    1.15.0
    MariaDB 10.1.33
    ugh... okay, so i think i fixed one part, i changed:

    Code:
      ssl_certificate      /usr/local/nginx/conf/ssl/community.locationindie.com/community.locationindie.com.crt;
      ssl_certificate_key  /usr/local/nginx/conf/ssl/community.locationindie.com/community.locationindie.com.key;
    to:

    Code:
      ssl_certificate      /usr/local/nginx/conf/ssl/community.locationindie.com/community_locationindie_com.crt;
      ssl_certificate_key  /usr/local/nginx/conf/ssl/community.locationindie.com/community.locationindie.com.key;
    after going through the whole cat process again, and now it's showing as working when i test it in incognito in chrome.

    but, when i check it with the ssl checker you pointed out here:

    https://cryptoreport.geotrust.com/checker/views/certCheck.jsp

    it still says my certificate is not installed correctly. the checker here says i'm missing a root certificate:

    GeoCerts SSL Checker

    i don't understand what's wrong, since i feel like i followed the directions about 10 times over pretty closely, and i got this ssl cert from namecheap, which i used for a different domain last week and updated it (following the instructions here) with no problems. it came with these two files:

    community_locationindie_com.ca-bundle
    community_locationindie_com.crt

    and i followed the instructions, so i'm at a loss as to what i could be missing?

    thanks for letting me know about that. i followed the upgrade instructions and restarted nginx and it's still saying i'm vulnerable?

    thank you for your help by the way!
     
  6. eva2000

    eva2000 Administrator Staff Member

    54,600
    12,225
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,794
    Local Time:
    8:30 PM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
  7. eva2000

    eva2000 Administrator Staff Member

    54,600
    12,225
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,794
    Local Time:
    8:30 PM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    if you subscribe to forum mailings, security updates like this will be conveyed to you most of the time ;)

    what's output of these commands
    Code (Text):
    nginx -V
    yum list openssl

    Might want to use CODE tags for output code How to use forum BBCODE code tags :)
     
  8. moshbit

    moshbit Member

    53
    10
    8
    Jun 15, 2014
    Ratings:
    +13
    Local Time:
    2:30 AM
    1.15.0
    MariaDB 10.1.33
    i will make sure to do that!

    Code:
    nginx -v
    nginx version: nginx/1.9.10
    Code:
    yum list openssl
    Loaded plugins: fastestmirror, priorities
    Determining fastest mirrors
    * base: mirrors.linode.com
    * epel: mirror.steadfast.net
    * extras: mirrors.linode.com
    * rpmforge: mirror.team-cymru.org
    * updates: mirrors.linode.com
    217 packages excluded due to repository priority protections
    Installed Packages
    openssl.x86_64                   1:1.0.1e-51.el7_2.5                    @updates
    yeah, but my ssl is from namecheap, so it just has the ca.bundle and crt as described here:

    i used those instructions for building a ssl cert for another server (that i was renewing the certificate for) and it worked fine. but on this new server i've cat those files at least 5-6 times now and double checked them afterwards with nano, and they look okay but the ssl checker says the root certificate is missing.

    is it possible i didn't get a root certificate for some reason? the only files i got in the zip were community_locationindie_com.ca-bundle and community_locationindie_com.crt.
     
  9. eva2000

    eva2000 Administrator Staff Member

    54,600
    12,225
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,794
    Local Time:
    8:30 PM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    from Nginx SPDY SSL Configuration - CentminMod.com LEMP Nginx web stack for CentOS
    Old and insecure - centmin mod nginx 1.11.1 is latest News - CentminMod.com LEMP Nginx web stack for CentOS and Nginx - [nginx-announce] nginx security advisory (CVE-2016-4450) | Centmin Mod Community
     
  10. moshbit

    moshbit Member

    53
    10
    8
    Jun 15, 2014
    Ratings:
    +13
    Local Time:
    2:30 AM
    1.15.0
    MariaDB 10.1.33
    i'm not sure why you just repeated what i posted above?

    i'll run the update on nginxto 1.11.1. i assumed that hitting enter when prompted updated to the latest version. i'll type in the number this time.
     
  11. eva2000

    eva2000 Administrator Staff Member

    54,600
    12,225
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,794
    Local Time:
    8:30 PM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    ssllabs and geocert test checker report missing ca root cert. The proper concat as outlined/quoted for CA provided bundle will have ca root cert. Logic would suggest you missed a step if both online tests report the same issue :)

    yeah centmin.sh menu option 4 for nginx requires entering a nginx version number, so you can download or upgrade versions or recompile the same nginx version
     
  12. moshbit

    moshbit Member

    53
    10
    8
    Jun 15, 2014
    Ratings:
    +13
    Local Time:
    2:30 AM
    1.15.0
    MariaDB 10.1.33
    woooooo finally got the root cert thing figured out. i decided to restart the whole process from the beginning and reissued the cert and went through the whole process again (very meticulously this time :p). turned out i was linking to the wrong cert in my ssl.conf file:

    Code (Text):
    ssl_dhparam /usr/local/nginx/conf/ssl/community.locationindie.com/dhparam.pem;
      ssl_certificate      /usr/local/nginx/conf/ssl/community.locationindie.com/community_locationindie_com.crt;
      ssl_certificate_key  /usr/local/nginx/conf/ssl/community.locationindie.com/community_locationindie_com.key;
      include /usr/local/nginx/conf/ssl_include.conf;


    should have been:

    Code (Text):
    ssl_dhparam /usr/local/nginx/conf/ssl/community.locationindie.com/dhparam.pem;
      ssl_certificate      /usr/local/nginx/conf/ssl/community.locationindie.com/ssl-unified.crt;
      ssl_certificate_key  /usr/local/nginx/conf/ssl/community.locationindie.com/community_locationindie_com.key;
      include /usr/local/nginx/conf/ssl_include.conf;


    so that's where i was making my mistake.

    i'm unable to update nginx due to the following error:

    Code (Text):
    checking for C compiler ... not found
    
    ./configure: error: C compiler ccache /usr/bin/clang -ferror-limit=0 is not found


    i found this in the forums:

    Upgrade - ./configure: error: C compiler ccache /usr/bin/clang -ferror-limit=0 is not found | Centmin Mod Community

    but i'm still getting the same error after installing the svr-setup files. when i try to do it manually:

    Code (Text):
    sudo make${MAKETHREADS}
    sudo: make2: command not found


    should i start another thread for this?
     
  13. eva2000

    eva2000 Administrator Staff Member

    54,600
    12,225
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,794
    Local Time:
    8:30 PM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    Nginx issue is related to sudo user try via full root user instead
     
  14. moshbit

    moshbit Member

    53
    10
    8
    Jun 15, 2014
    Ratings:
    +13
    Local Time:
    2:30 AM
    1.15.0
    MariaDB 10.1.33
    ah, i did that and it worked without any snags. thanks so much for your help!