SSL ERR_CERT_AUTHORITY_INVALID error on paid cert

Hey, hopefully I'm posting in the right spot? I followed the instructions here:

Nginx Vhost & NSD DNS Setup - CentminMod.com LEMP Nginx web stack for CentOS

and here:

Nginx SPDY SSL Configuration - CentminMod.com LEMP Nginx web stack for CentOS

and i'm still getting a ERR_CERT_AUTHORITY_INVALID error on my domain:

http://community.locationindie.com

i've re-concatonated the files several times, and i've done this before on my other server without problems, but this time around it's not working for me and i'm not sure how i should go about diagnosing it.

i've set up http to https forwarding per these instructions, and ive disabled the main vhost and am using the ssl one. oh, and this is a wordpress site i set up using option 22 of centmin.sh.

below is my ssl conf. can someone tell me where i should start to look to figure out what i did wrong here? thank you!

Code:

# Centmin Mod Getting Started Guide
# must read http://centminmod.com/getstarted.html
# For SPDY SSL Setup
# read http://centminmod.com/nginx_configure_https_ssl_spdy.html

# redirect from www to non-www  forced SSL
# uncomment, save file and restart Nginx to enable
# if unsure use return 302 before using return 301
server {
   server_name community.locationindie.com www.community.locationindie.com;
    return 302 https://$server_name$request_uri;
}

server {
  listen 443 ssl http2;
  server_name community.locationindie.com www.community.locationindie.com;

##  redirect https www to https non-www
      if ($host = 'www.community.locationindie.com' ) {
         return 302 https://community.locationindie.com$request_uri;
      }

  ssl_dhparam /usr/local/nginx/conf/ssl/community.locationindie.com/dhparam.pem;
  ssl_certificate      /usr/local/nginx/conf/ssl/community.locationindie.com/community.locationindie.com.crt;
  ssl_certificate_key  /usr/local/nginx/conf/ssl/community.locationindie.com/community.locationindie.com.key;
  include /usr/local/nginx/conf/ssl_include.conf;

  # mozilla recommended
  ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!CAMELLIA:!DES-CBC3-SHA;
  ssl_prefer_server_ciphers   on;
  add_header Alternate-Protocol  443:npn-spdy/3;
  #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
  #add_header  X-Content-Type-Options "nosniff";
  #add_header X-Frame-Options DENY;
  spdy_headers_comp 5;
  ssl_buffer_size 1400;
  ssl_session_tickets on;

  # enable ocsp stapling
  resolver 8.8.8.8 8.8.4.4 valid=10m;
  resolver_timeout 10s;
  ssl_stapling on;
  ssl_stapling_verify on;
  ssl_trusted_certificate /usr/local/nginx/conf/ssl/community.locationindie.com/ssl-trusted.crt;

# ngx_pagespeed & ngx_pagespeed handler
#include /usr/local/nginx/conf/pagespeed.conf;
#include /usr/local/nginx/conf/pagespeedhandler.conf;
#include /usr/local/nginx/conf/pagespeedstatslog.conf;

  # limit_conn limit_per_ip 16;
  # ssi  on;

  access_log /home/nginx/domains/community.locationindie.com/log/access.log combined buffer=256k flush=60m;
  error_log /home/nginx/domains/community.locationindie.com/log/error.log;

  root /home/nginx/domains/community.locationindie.com/public;

  # prevent access to ./directories and files
  location ~ (?:^|/)\. {
   deny all;
  }

include /usr/local/nginx/conf/wpsupercache_community.locationindie.com.conf;

  location / {

  # Enables directory listings when index file not found
  #autoindex  on;

  # for wordpress super cache plugin
  try_files /wp-content/cache/supercache/$http_host/$cache_uri/index.html $uri $uri/ /index.php?q=$uri&$args;

  # Wordpress Permalinks
  #try_files $uri $uri/ /index.php?q=$uri&$args;

  }

location ~* /(wp-login\.php) {
    limit_req zone=xwplogin burst=1 nodelay;
    #limit_conn xwpconlimit 30;
    #auth_basic "Private";
    #auth_basic_user_file /home/nginx/domains/community.locationindie.com/htpasswd_wplogin;  
    include /usr/local/nginx/conf/php-wpsc.conf;
}

location ~* /(xmlrpc\.php) {
    limit_req zone=xwprpc burst=45 nodelay;
    #limit_conn xwpconlimit 30;
    include /usr/local/nginx/conf/php-wpsc.conf;
}

  include /usr/local/nginx/conf/wpsecure_community.locationindie.com.conf;
  include /usr/local/nginx/conf/php-wpsc.conf;
  include /usr/local/nginx/conf/staticfiles.conf;
  include /usr/local/nginx/conf/drop.conf;
  #include /usr/local/nginx/conf/errorpage.conf;
  include /usr/local/nginx/conf/vts_server.conf;
}

 

ugh... okay, so i think i fixed one part, i changed:

Code:

  ssl_certificate      /usr/local/nginx/conf/ssl/community.locationindie.com/community.locationindie.com.crt;
  ssl_certificate_key  /usr/local/nginx/conf/ssl/community.locationindie.com/community.locationindie.com.key;

to:

Code:

  ssl_certificate      /usr/local/nginx/conf/ssl/community.locationindie.com/community_locationindie_com.crt;
  ssl_certificate_key  /usr/local/nginx/conf/ssl/community.locationindie.com/community.locationindie.com.key;

after going through the whole cat process again, and now it's showing as working when i test it in incognito in chrome.

but, when i check it with the ssl checker you pointed out here:

https://cryptoreport.geotrust.com/checker/views/certCheck.jsp

it still says my certificate is not installed correctly. the checker here says i'm missing a root certificate:

GeoCerts SSL Checker

i don't understand what's wrong, since i feel like i followed the directions about 10 times over pretty closely, and i got this ssl cert from namecheap, which i used for a different domain last week and updated it (following the instructions here) with no problems. it came with these two files:

community_locationindie_com.ca-bundle
community_locationindie_com.crt

and i followed the instructions, so i'm at a loss as to what i could be missing?

thanks for letting me know about that. i followed the upgrade instructions and restarted nginx and it's still saying i'm vulnerable?

thank you for your help by the way!

 

i will make sure to do that!

Code:

nginx -v
nginx version: nginx/1.9.10

Code:

yum list openssl
Loaded plugins: fastestmirror, priorities
Determining fastest mirrors
* base: mirrors.linode.com
* epel: mirror.steadfast.net
* extras: mirrors.linode.com
* rpmforge: mirror.team-cymru.org
* updates: mirrors.linode.com
217 packages excluded due to repository priority protections
Installed Packages
openssl.x86_64                   1:1.0.1e-51.el7_2.5                    @updates

yeah, but my ssl is from namecheap, so it just has the ca.bundle and crt as described here:

i used those instructions for building a ssl cert for another server (that i was renewing the certificate for) and it worked fine. but on this new server i've cat those files at least 5-6 times now and double checked them afterwards with nano, and they look okay but the ssl checker says the root certificate is missing.

is it possible i didn't get a root certificate for some reason? the only files i got in the zip were community_locationindie_com.ca-bundle and community_locationindie_com.crt.

 

i'm not sure why you just repeated what i posted above?

i'll run the update on nginxto 1.11.1. i assumed that hitting enter when prompted updated to the latest version. i'll type in the number this time.

 

woooooo finally got the root cert thing figured out. i decided to restart the whole process from the beginning and reissued the cert and went through the whole process again (very meticulously this time ). turned out i was linking to the wrong cert in my ssl.conf file:

Code (Text):

ssl_dhparam /usr/local/nginx/conf/ssl/community.locationindie.com/dhparam.pem;
  ssl_certificate      /usr/local/nginx/conf/ssl/community.locationindie.com/community_locationindie_com.crt;
  ssl_certificate_key  /usr/local/nginx/conf/ssl/community.locationindie.com/community_locationindie_com.key;
  include /usr/local/nginx/conf/ssl_include.conf;

should have been:

Code (Text):

ssl_dhparam /usr/local/nginx/conf/ssl/community.locationindie.com/dhparam.pem;
  ssl_certificate      /usr/local/nginx/conf/ssl/community.locationindie.com/ssl-unified.crt;
  ssl_certificate_key  /usr/local/nginx/conf/ssl/community.locationindie.com/community_locationindie_com.key;
  include /usr/local/nginx/conf/ssl_include.conf;

so that's where i was making my mistake.

i'm unable to update nginx due to the following error:

Code (Text):

checking for C compiler ... not found

./configure: error: C compiler ccache /usr/bin/clang -ferror-limit=0 is not found

i found this in the forums:

Upgrade - ./configure: error: C compiler ccache /usr/bin/clang -ferror-limit=0 is not found | Centmin Mod Community

but i'm still getting the same error after installing the svr-setup files. when i try to do it manually:

Code (Text):

sudo make${MAKETHREADS}
sudo: make2: command not found

should i start another thread for this?

 

ah, i did that and it worked without any snags. thanks so much for your help!