SSL Letsencrypt Cloudflare Full (strict) not working: Error 526 Invalid SSL certificate with Authenticated Origin Pulls

Discussion in 'Domains, DNS, Email & SSL Certificates' started by adamus007p, Dec 27, 2021.

  1. adamus007p

    adamus007p Member

    274
    17
    18
    Feb 8, 2019
    Ratings:
    +29
    Local Time:
    8:45 AM
    • CentOS Version: CentOS 7 64bit
    • Centmin Mod Version Installed: 123.09beta01.b760
    • Nginx Version Installed: 1.21.4
    • PHP Version Installed: 8.0.14
    • When was the last time the Centmin Mod code base was updated? : today
    • Persistent Config:
      Code (Text):
      CF_DNSAPI_GLOBAL='y'
      CF_Token="xxxxxxxxxxxx"
      CF_Account_ID="xxxxxxxxxxxxxxxx"
      NGINX_SSLCACHE_ALLOWOVERRIDE='y'
      NGINX_STAPLE_CACHE_OVERRIDE='y'
      NGINX_STAPLE_CACHE_TTL='86400'
      SET_DEFAULT_MYSQLCHARSET='utf8mb4'
      AUTOHARDTUNE_NGINXBACKLOG='y'
      ZSTD_LOGROTATE_NGINX='y'
      ZSTD_LOGROTATE_PHPFPM='y'
      NGINX_LIBBROTLI='y'
      NGXDYNAMIC_BROTLI='y'
      PHP_PGO='y'
      PHP_BROTLI='y'
      PHP_LZFOUR='y'
      PHP_LZF='y'
      PHP_ZSTD='y'
      MARCH_TARGETNATIVE='n'
      LETSENCRYPT_DETECT='y'
      DUALCERTS='y'
      AUDITD_ENABLE='y'
      PHPINTL='y'
      PHPFINFO='y'
      LIBRESSL_SWITCH='n'
      DMOTD_PHPCHECK='y'
      WPCLI_CE_QUERYSTRING_INCLUDED='y'
      NGINX_ZERODT='y'
      
      
      
    Hello, I have 10 blogs (domains) and I wanted to configure them with Cloudflare and Authenticated Origin Pulls.

    Code (Text):
      ssl_client_certificate /usr/local/nginx/conf/ssl/cloudflare/domain.com/origin.crt;
      ssl_verify_client on;
      http2_max_field_size 16k;
      http2_max_header_size 32k;
    
    and
    Code (Text):
      # uncomment cloudflare.conf include if using cloudflare for
      # server and/or vhost site
      include /usr/local/nginx/conf/cloudflare.conf;
    


    I have followed
    https://community.centminmod.com/th...d-origin-pulls-protecting-your-origins.13847/
    https://servermanager.guide/203/wordpress-cache-enabler-advanced-full-page-caching-guide/

    I have configured the domains in Cloudflare too.


    The interesting thing is that some domains are working with Full (strict), some only with Full.
    Your SSL/TLS encryption mode is Full (strict)
    from SSL tab


    Why are some domains not working with Full (strict)?
    I have done all the same steps, and some domains are working, some not.
    What is wrong? How do I correct it? Can you help?

    When I want to use Full (strict) on a domain that is not working, there is
    Error 526
    Invalid SSL certificate

    How do I correct it?
     
  2. eva2000

    eva2000 Administrator Staff Member

    47,837
    10,910
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +16,947
    Local Time:
    5:45 PM
    Nginx 1.21.x
    MariaDB 10.x
    Cloudflare Full (strict) requires the Centmin Mod Nginx HTTPS site's SSL certificate to be a valid Letsencrypt SSL certificate, or any other browser-trusted SSL certificate, i.e. ZeroSSL, Comodo/Sectigo, Digicert etc.

    Cloudflare Full (non-strict) only requires the Centmin Mod Nginx HTTPS site's SSL certificate to exist; it can be a self-signed certificate that is not browser-valid.

    So the question is: before you switched to Cloudflare, was HTTPS working on all 10 of your blogs with Letsencrypt SSL certificates? Are they still valid now, or have any expired?

    If all blogs were set up via the Centmin Mod Nginx creation menus, like centmin.sh menu option 2 or 22 or the nv command, with Letsencrypt SSL certificates, then addons/acmetool.sh can list and check all the issued Letsencrypt SSL certificates and all the SSL certificates installed on each Centmin Mod Nginx vhost via the acmetool.sh checkdates command.

    Run this command within an SSH session logged in to the Centmin Mod server:
    Code (Text):
    /usr/local/src/centminmod/addons/acmetool.sh checkdates
    

    It will list all SSL certificate location paths, the SHA1 fingerprint of each SSL certificate, the certificate expiry date and how many days until the SSL certificate expires. It lists them in 2 groups: the 1st group is the Nginx-installed ones and the 2nd group is the Letsencrypt-issued certificates. Generally both lists should match, as the Letsencrypt-issued certificate will be installed and configured for Nginx.

    Note: I wouldn't post the output of checkdates on a public forum, as it reveals your Nginx vhost domain name and the SHA1 fingerprint, plus a link to the crt.sh public certificate transparency log page for your SSL certificate, which can be queried in public SSL certificate transparency logs i.e. crt.sh to get your domain name as well. You can mask the info for public display/posting.

    The key point is to look and see if any of the listed SSL certificates are missing for your domain or already expired. This may indicate that the Letsencrypt SSL certificate wasn't issued for a blog domain you have, suggesting your blog may be using a self-signed SSL certificate, which is used as a fallback if Letsencrypt issuance and domain validation failed. Or that your blog's issued Letsencrypt SSL certificate has expired. Both cases would give you a Cloudflare 526 error if you use Cloudflare Full (strict) SSL mode. If you switch to Full (non-strict) SSL mode, using a self-signed SSL certificate should still work.

    Example output from the addons/acmetool.sh checkdates command for domain.com, which shows the Letsencrypt-issued/obtained certificate and the Nginx-installed one are the same as they have matching SHA1 fingerprints, and that the SSL certificate expires in 76 days' time on March 14, 2022:
    Code (Text):
     /usr/local/src/centminmod/addons/acmetool.sh checkdates
    ----------------------------------------------
    nginx installed
    ----------------------------------------------
    
    /usr/local/nginx/conf/ssl/domain.com/domain.com-acme.cer
    SHA1 Fingerprint=EDBFC***********E68A3851CF*************
    certificate expires in 76 days on 14 Mar 2022
    
    ----------------------------------------------
    acme.sh obtained
    ----------------------------------------------
    
    /root/.acme.sh/domain.com/domain.com.cer
    SHA1 Fingerprint=EDBFC***********E68A3851CF*************
    [ below certifcate transparency link is only valid ~1hr after issuance ]
    https://crt.sh/?sha1=EDBFC***********E68A3851CF*************
    certificate expires in 76 days on 14 Mar 2022
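
    To make the check above concrete, here is an added example, not code from the thread or from Centmin Mod's acmetool.sh, that reproduces with plain openssl what checkdates is being used for: it prints the SHA1 fingerprint so the Nginx-installed file and the acme.sh-obtained file can be compared, tells you whether a certificate is the self-signed placeholder (issuer equals subject), whether it chains to the system trust store (what Full (strict) requires), and whether it expires within N days. The Centmin Mod paths in the comments are the ones from the post; the certificate it inspects is a throwaway self-signed one generated inline so the script runs offline, and the answers it gives are the ones a 526-producing vhost would show.

```sh
#!/bin/sh
# Added example (not from the thread or from acmetool.sh): per-certificate
# checks behind a Cloudflare 526 in Full (strict), done with plain openssl.
set -eu

# SHA1 fingerprint as printed by acmetool.sh checkdates. Works on OpenSSL 1.x
# ("SHA1 Fingerprint=") and 3.x ("sha1 Fingerprint=") by stripping up to '='.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha1 | sed 's/^[^=]*=//'
}

# "yes" if two PEM files carry the same certificate (nginx-installed vs acme.sh)
certs_match() {
    [ "$(cert_fingerprint "$1")" = "$(cert_fingerprint "$2")" ] && echo yes || echo no
}

# "yes" if issuer == subject: the self-signed placeholder Centmin Mod falls
# back to when Letsencrypt validation fails. Cloudflare rejects it in Full (strict).
cert_is_self_signed() {
    issuer=$(openssl x509 -in "$1" -noout -issuer | sed 's/^[^=]*= *//')
    subject=$(openssl x509 -in "$1" -noout -subject | sed 's/^[^=]*= *//')
    [ "$issuer" = "$subject" ] && echo yes || echo no
}

# "yes" if the certificate chains to this host's trust store, i.e. it is a
# browser-trusted certificate of the kind Full (strict) requires
cert_is_trusted() {
    openssl verify "$1" >/dev/null 2>&1 && echo yes || echo no
}

# "yes" if the certificate expires within N days (an already expired one also says yes)
cert_expires_within_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1 && echo no || echo yes
}

# Constructed input: a 30-day self-signed cert standing in for a vhost whose
# Letsencrypt issuance failed. On a real server the two files would be e.g.
#   /usr/local/nginx/conf/ssl/domain.com/domain.com-acme.cer   (nginx installed)
#   /root/.acme.sh/domain.com/domain.com.cer                   (acme.sh obtained)
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
DEMO_CERT="$DEMO_DIR/domain.com-acme.cer"
DEMO_ACME="$DEMO_DIR/domain.com.cer"
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$DEMO_DIR/key.pem" \
    -out "$DEMO_CERT" -days 30 -subj "/CN=domain.com" >/dev/null 2>&1
cp "$DEMO_CERT" "$DEMO_ACME"

report() {
    printf '%s\n' "$1"
    printf '  fingerprint:      %s\n' "$(cert_fingerprint "$1")"
    printf '  self-signed:      %s\n' "$(cert_is_self_signed "$1")"
    printf '  browser trusted:  %s\n' "$(cert_is_trusted "$1")"
    printf '  expires <=60d:    %s\n' "$(cert_expires_within_days "$1" 60)"
}
report "$DEMO_CERT"
printf 'nginx file matches acme.sh file: %s\n' "$(certs_match "$DEMO_CERT" "$DEMO_ACME")"
```

    Point it at the real domain.com-acme.cer and domain.com.cer files instead of the generated one: "self-signed: yes" or "browser trusted: no" on the Nginx-installed file is the certificate Cloudflare rejects in Full (strict), and a fingerprint mismatch between the two files means Nginx is not serving the certificate acme.sh obtained.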
    
     
  3. adamus007p

    adamus007p Member

    Hello @eva2000, thank you for your answer.

    All blogs were installed using option 22.

    All SSL certificates are and were valid.
    How may I double-check it?

    The interesting thing is that with

    Code (Text):
     /usr/local/src/centminmod/addons/acmetool.sh checkdates
    

    some domains are not listed here: the ones where there are problems with Full (strict).

    How do I fix it?

    2. To protect with Cloudflare Authenticated Origin Pulls, do I have to use Full (strict), or will Full only be OK?
     
  4. eva2000

    eva2000 Administrator Staff Member

    That suggests either those domains had a failed Letsencrypt domain validation, so fell back to a self-signed SSL certificate, or they didn't have HTTPS set up in the first place, i.e. a non-HTTPS Nginx vhost was created?

    More likely Letsencrypt SSL domain validation failed. If so, disable Cloudflare Authenticated Origin Pulls on the problematic Nginx vhost site's domain.ssl.conf config file by commenting out the lines with a hash # in front, and restart Nginx. Then switch to Cloudflare Full (non-strict) SSL mode and see if the domain works. If it works, then try the acmetool.sh reissue-only option for existing Nginx HTTPS SSL vhosts whose domain.com.ssl.conf vhost config files exist. This only reissues the Letsencrypt SSL cert without touching the Nginx vhost. It is ideal for use when you tried creating a Nginx HTTPS SSL default vhost site but Letsencrypt SSL issuance failed the first time. When it fails, Centmin Mod usually falls back to self-signed SSL as a placeholder for the domain.com.ssl.conf vhost config. When you run:
    Code (Text):
    cd /usr/local/src/centminmod/addons
    ./acmetool.sh reissue-only domain.com live
    

    it will only try reissuing the Letsencrypt SSL certificate for the domain = domain.com as a live production SSL certificate, without touching any of the existing Nginx vhost at domain.com.ssl.conf.
     
  5. eva2000

    eva2000 Administrator Staff Member

    Cloudflare Authenticated Origin Pull doesn't depend on site's HTTPS status, it's only for validating the connection between Cloudflare edge servers and origin Centmin Mod Nginx site.
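
    As an added example, not code from the thread, from Cloudflare or from Centmin Mod, the following script shows offline what the two replies above describe: Authenticated Origin Pulls is a client-certificate check on the origin that is independent of the site's own public certificate, and commenting out the ssl_client_certificate / ssl_verify_client lines switches it off. A throwaway CA generated inline stands in for the Cloudflare origin-pull CA that Nginx loads via ssl_client_certificate; the "edge" and "rogue" client certificates and the two vhost fragments are constructed here, and origin_accepts_client models Nginx's ssl_verify_client on decision with openssl verify rather than running Nginx.

```sh
#!/bin/sh
# Added example (not from the thread, Cloudflare or Centmin Mod): what the
# origin checks under Authenticated Origin Pulls, modelled with openssl.
set -eu

DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
cd "$DEMO_DIR"

# Stand-in for /usr/local/nginx/conf/ssl/cloudflare/domain.com/origin.crt:
# a throwaway CA (openssl req -x509 marks it CA:TRUE with the stock config).
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt -days 30 \
    -subj "/CN=Demo origin-pull CA" >/dev/null 2>&1
DEMO_CA="$DEMO_DIR/ca.crt"

# Client certificate the "edge" presents, issued by that CA
openssl req -new -newkey rsa:2048 -nodes -keyout edge.key -out edge.csr \
    -subj "/CN=edge" >/dev/null 2>&1
openssl x509 -req -in edge.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -out edge.crt -days 30 >/dev/null 2>&1
DEMO_CLIENT="$DEMO_DIR/edge.crt"

# A certificate from anyone else, e.g. a scanner connecting to the origin IP
# directly with a self-signed client cert
openssl req -x509 -newkey rsa:2048 -nodes -keyout rogue.key -out rogue.crt -days 30 \
    -subj "/CN=rogue" >/dev/null 2>&1
DEMO_ROGUE="$DEMO_DIR/rogue.crt"

# Models nginx with ssl_verify_client on: the connection is accepted only if
# the presented client certificate chains to the CA in ssl_client_certificate.
# This says nothing about the site's own Letsencrypt/self-signed server cert.
origin_accepts_client() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 && echo yes || echo no
}

# Constructed vhost fragments: origin pulls enabled, and the same two lines
# commented out with '#', which is the "disable it" step from the reply above
cat > on.conf <<'EOF'
  ssl_client_certificate /usr/local/nginx/conf/ssl/cloudflare/domain.com/origin.crt;
  ssl_verify_client on;
EOF
cat > off.conf <<'EOF'
  #ssl_client_certificate /usr/local/nginx/conf/ssl/cloudflare/domain.com/origin.crt;
  #ssl_verify_client on;
EOF
DEMO_CONF_ON="$DEMO_DIR/on.conf"
DEMO_CONF_OFF="$DEMO_DIR/off.conf"

# "yes" if a vhost file still has an uncommented "ssl_verify_client on;" line
aop_enabled() {
    grep -Eq '^[[:space:]]*ssl_verify_client[[:space:]]+on[[:space:]]*;' "$1" && echo yes || echo no
}

printf 'edge cert accepted:   %s\n' "$(origin_accepts_client "$DEMO_CA" "$DEMO_CLIENT")"
printf 'rogue cert accepted:  %s\n' "$(origin_accepts_client "$DEMO_CA" "$DEMO_ROGUE")"
printf 'on.conf enforces AOP: %s\n' "$(aop_enabled "$DEMO_CONF_ON")"
printf 'off.conf enforces:    %s\n' "$(aop_enabled "$DEMO_CONF_OFF")"
```

    The two results that matter: the CA-issued certificate is accepted and the rogue one is refused regardless of what server certificate the vhost presents, which is why Authenticated Origin Pulls works under Full as well as Full (strict); and once the lines are commented out, aop_enabled reports no, so the origin answers anyone who reaches it until the lines are restored.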
     
  6. adamus007p

    adamus007p Member

    @eva2000 I remember that I was using option 4, so only HTTPS.

    How may I double-check it?
    I see only domain1.com.ssl.conf, only ssl.conf; there is no .conf without ssl in the name.

    OK, I have followed your instructions.


    So when I ran the command below for each domain
    Code (Text):
    cd /usr/local/src/centminmod/addons
    ./acmetool.sh reissue-only domain.com live
    



    it helped :) Thank you very much.

    Shall I do any further steps? Like adding something to cron?
    Or anything else regarding SSL? Any https://community.centminmod.com/th...s-to-origin-server-use-ecdsa-ssl-certs.14817/
     
    Last edited: Dec 28, 2021
  7. adamus007p

    adamus007p Member

    One thing I have noticed is that some domains have this in their domain.com.ssl.conf files:

    Code (Text):
     # mozilla recommended
    ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256......
    


    and some other, newer domains have:
    Code (Text):
     # mozilla recommended
    TLS13-AES-128-GCM-SHA256:TLS13-AES-256-GCM-SHA384:TLS13......
    


    Why?

    Should they be the same?
    Shall I update it, and how?
     
  8. eva2000

    eva2000 Administrator Staff Member

    Those must have been very old Nginx vhosts, as that changed on Oct 1, 2018: reorder chacha20 ssl_ciphers in 123.09beta01 · centminmod/centminmod@7786092 AFAIK

    If there is only domain.com.ssl.conf, then all domains were HTTPS.

    Glad to see :)
     
  9. adamus007p

    adamus007p Member

    Besides that:
    @eva2000 do I need to add anything to cron? Will SSL be automatically updated?



    Yes, it is a very old vhost. How may I update it? Just copy it, or run some command?


    Should I add to the persistent config file /etc/centminmod/custom_config.inc
    Code (Text):
    PRIORITIZE_CHACHA_OPENSSL='y'
    


    and then recompile Nginx with menu option 4?


    2. Is it possible to refresh vhosts?
     
    Last edited: Dec 28, 2021
  10. eva2000

    eva2000 Administrator Staff Member

    acmetool.sh uses the acme.sh client underneath, and that has a cronjob set up for automatic renewals.

    No need to refresh vhosts; just updating should be enough. Pay attention to the 123.09beta01 update info below.

    Upgrading Centmin Mod Code to Latest Version



    Getting Started Guide step 19 outlines also how to keep Centmin Mod code updated or how to switch version branches or you can run cmupdate command that was recently added.

    Centmin Mod LEMP stack's script code is constantly updated for improvements, bug fixes and security fixes, so keeping the Centmin Mod code up to date is important. With Centmin Mod 1.2.3-eva2000.08 (123.08stable) and higher releases, a newly added centmin.sh menu option 23 allows much easier code updates and version branch switching via a Git-backed environment you can set up.

    For 123.08stable that means centmin.sh menu option 23 submenu option 2 (if you previously ran submenu option 1) first, then exit centmin.sh, re-enter /usr/local/src/centminmod and re-run centmin.sh menu.

    For 123.09beta01 and higher that means running SSH command = cmupdate and then re-enter /usr/local/src/centminmod and re-run centmin.sh menu.

    Example of using the 123.09beta01 cmupdate command to update Centmin Mod code on your server:
    Code (Text):
    cmupdate
    No local changes to save
    Updating 5f92047..9d06ee8
    Fast-forward
     stackscripts/stackscript.sh | 11 ++++++++---
     1 file changed, 8 insertions(+), 3 deletions(-)
    


    For full details read the following links:
    Upgrading Centmin Mod involves 2 parts.
    1. Upgrading the actual Centmin Mod code, outlined at Upgrade Centmin Mod. This is the heart of Centmin Mod, where the code is the engine that runs the centmin.sh shell-based menu and all the automation you're accustomed to. You can easily update within a Centmin Mod version branch or switch version branches via centmin.sh menu option 23, outlined here.
    2. Upgrading software that Centmin Mod installed or manages. For this part, follow the outline at How to upgrade Centmin Mod software installed on your server.
    So essentially, you can upgrade from one version branch to another, i.e. 123.08stable to 123.09beta01 or higher, in place, but not everything is upgraded, as some things like the server's initial environment setup aren't changed, i.e. how swap, tmp setup and allocation are created etc. The main parts from part 2 above are what in-place upgrades do, i.e. Nginx and PHP-FPM compilation and config/settings parameters, and the MariaDB version from 5.5 to 10.0.x. If you want the full environment changed, including tmp and swap setup, to the 123.09beta01 etc. configuration, then you would need a fresh OS install and a fresh 123.09beta01 initial install. You can think of it like upgrading Windows 7 to Windows 8. An in-place upgrade will upgrade code but won't change your computer environment from when you installed Windows 7, i.e. disk configuration and partition sizes won't change from when you initially installed Windows 7. The only way to change that would be a fresh Windows 8 install.
     
  11. eva2000

    eva2000 Administrator Staff Member

    The gist of the previous post is that to update an existing 123.09beta01 install, just run

    cmupdate

    then run centmin.sh menu options 4 and 5 to recompile Nginx and PHP to the latest versions, which would be enough to take care of most updates. Then make sure to run centmin.sh menu option 24 to exit; you will see a yum update command listed if there are yum updates, so run that yum update command.
     
  12. adamus007p

    adamus007p Member

    Hello @eva2000, thank you for your time and reply.

    I have already done this, but it did not update my very old vhost. What can I do in such a case? My vhosts are still not updated. Is there anything I can do?
     
    Last edited: Dec 29, 2021