Letsencrypt: Will Let's Encrypt work on a subdomain using a CNAME record?

Discussion in 'Domains, DNS, Email & SSL Certificates' started by pamamolf, Jul 3, 2019.

  1. pamamolf

    Code:
    16:  include /usr/local/nginx/conf/ssl_include.conf;
    19:  #ssl_client_certificate /usr/local/nginx/conf/ssl/cloudflare/cdn.mydomain.com/origin.crt;
    20:  #ssl_verify_client on;
    24:  ssl_ciphers TLS13-AES-128-GCM-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS;
    25:  ssl_prefer_server_ciphers   on;
    35:  ssl_buffer_size 1369;
    36:  ssl_session_tickets on;
    41:  #ssl_stapling on;
    42:  #ssl_stapling_verify on;
    and:

    Code:
    -rw-r--r-- 1 root root  424 Dec 25  2018 dhparam.pem
    -rw-r--r-- 1 root root 1.7K Jul  2 23:24 cdn.mydomain.com.key
    -rw-r--r-- 1 root root 1.1K Jul  2 23:24 cdn.mydomain.com.csr
    -rw-r--r-- 1 root root 1.4K Jul  2 23:24 cdn.mydomain.com.crt
    drwxr-xr-x 7 root root 4.0K Jul  4 20:32 ..
    -rw-r--r-- 1 root root 1.7K Jul  4 22:09 cdn.mydomain.com-acme.cer
    -rw------- 1 root root 1.7K Jul  4 22:09 cdn.mydomain.com-acme.key
    drwxr-xr-x 2 root root 4.0K Jul  4 22:09 .
    -rw-r--r-- 1 root root 3.6K Jul  4 22:09 cdn.mydomain.com-fullchain-acme.key
    -rw-r--r-- 1 root root  749 Jul  4 22:24 cdn.mydomain.com.crt.key.conf


     
  2. eva2000

    besides uncommenting these 2 for OCSP stapling
    Code (Text):
    #ssl_stapling on;
    #ssl_stapling_verify on;
    

    everything looks in order for it to work
     
  3. pamamolf

    I uncommented the two values and tried to restart Nginx but I got the same error :(
    Code:
    Starting nginx: nginx: [emerg] SSL_CTX_use_PrivateKey("/usr/local/nginx/conf/ssl/cdn.mydomain.com/cdn.mydomain.com-acme.key") failed (SSL: err...alues mismatch)
    There is a mismatch with the private key and something related to:
    Code:
    /usr/local/nginx/conf/ssl/cdn.mydomain.com/cdn.mydomain.com-acme.key
    I don't know why or what I can try :(
     
  4. eva2000

    output for command
    Code (Text):
    ls -lahrt /root/.acme.sh/cdn.mydomain.com/
    


    have you previously used acmetool.sh, centmin.sh menu option 2, 22 or nv commands to create cdn.mydomain.com so that a previous letsencrypt ssl certificate has been issued?

    check that acme.sh's version of the private key /root/.acme.sh/cdn.mydomain.com/cdn.mydomain.com.key is the same as the acme.sh installed one at /usr/local/nginx/conf/ssl/cdn.mydomain.com/cdn.mydomain.com-acme.key

    output for command
    Code (Text):
    diff -q /root/.acme.sh/cdn.mydomain.com/cdn.mydomain.com.key /usr/local/nginx/conf/ssl/cdn.mydomain.com/cdn.mydomain.com-acme.key
    

    if it returns to the prompt with no message, the files are the same

    otherwise diff will report that the 2 files differ
     
  5. pamamolf

    ls -lahrt /root/.acme.sh/cdn.mydomain.com/
    Code:
    -rw-r--r--  1 root root 1.7K Jul  2 23:33 cdn.mydomain.com.key
    drwx------ 10 root root 4.0K Jul  4 21:27 ..
    -rw-r--r--  1 root root  220 Jul  4 21:27 cdn.mydomain.com.csr.conf
    -rw-r--r--  1 root root 1005 Jul  4 21:27 cdn.mydomain.com.csr
    -rw-r--r--  1 root root 3.6K Jul  4 21:28 fullchain.cer
    -rw-r--r--  1 root root 1.7K Jul  4 21:28 ca.cer
    drwxr-xr-x  3 root root 4.0K Jul  4 21:36 .
    -rw-r--r--  1 root root    0 Jul  4 21:36 cdn.mydomain.com.cer
    drwxr-xr-x  2 root root 4.0K Jul  4 21:36 backup
    -rw-r--r--  1 root root 1.1K Jul  4 22:09 cdn.mydomain.com.conf
    Yes, I first created the subdomain using menu 2 with a self-signed certificate and then I tried to use Let's Encrypt as usual (only HTTPS live), but as I didn't have the A record it failed. It probably fell back to self-signed again, as Nginx was working after that....

    Code:
    diff -q /root/.acme.sh/cdn.mydomain.com/cdn.mydomain.com.key /usr/local/nginx/conf/ssl/cdn.mydomain.com/cdn.mydomain.com-acme.key
    outputs nothing, so they are the same...

    Then I did all the above following your instructions.

    Thank you
     
    Last edited: Jul 6, 2019
  6. eva2000

    strange, from the ls output the key is 2 days older than the rest of the letsencrypt issued/installed files via acme.sh
    Code (Text):
    -rw-r--r--  1 root root 1.7K Jul  2 23:33 cdn.mydomain.com.key
    drwx------ 10 root root 4.0K Jul  4 21:27 ..
    -rw-r--r--  1 root root  220 Jul  4 21:27 cdn.mydomain.com.csr.conf
    -rw-r--r--  1 root root 1005 Jul  4 21:27 cdn.mydomain.com.csr
    -rw-r--r--  1 root root 3.6K Jul  4 21:28 fullchain.cer
    -rw-r--r--  1 root root 1.7K Jul  4 21:28 ca.cer
    drwxr-xr-x  3 root root 4.0K Jul  4 21:36 .
    -rw-r--r--  1 root root    0 Jul  4 21:36 cdn.mydomain.com.cer
    drwxr-xr-x  2 root root 4.0K Jul  4 21:36 backup
    -rw-r--r--  1 root root 1.1K Jul  4 22:09 cdn.mydomain.com.conf
    

    try renaming the /usr/local/nginx/conf/ssl/cdn.mydomain.com/ directory, emptying it out and doing the acme.sh install command again

    4 cmds to run
    Code (Text):
    cd /usr/local/nginx/conf/ssl/
    cp -a /usr/local/nginx/conf/ssl/cdn.mydomain.com/ /usr/local/nginx/conf/ssl/cdn.mydomain.com.old/
    rm -rf /usr/local/nginx/conf/ssl/cdn.mydomain.com/*
    /root/.acme.sh/acme.sh --installcert -d cdn.mydomain.com --certpath /usr/local/nginx/conf/ssl/cdn.mydomain.com/cdn.mydomain.com-acme.cer --keypath /usr/local/nginx/conf/ssl/cdn.mydomain.com/cdn.mydomain.com-acme.key --capath /usr/local/nginx/conf/ssl/cdn.mydomain.com/cdn.mydomain.com-acme.cer --reloadCmd /usr/bin/ngxreload --fullchainpath /usr/local/nginx/conf/ssl/cdn.mydomain.com/cdn.mydomain.com-fullchain-acme.key
    ngxrestart
    
     
  7. pamamolf

    Ok, I did it and I got this:
    Code:
    [Fri Jul  5 21:50:33 UTC 2019] Installing cert to:/usr/local/nginx/conf/ssl/cdn.mydomain.com/cdn.mydomain.com-acme.cer
    [Fri Jul  5 21:50:33 UTC 2019] Installing CA to:/usr/local/nginx/conf/ssl/cdn.mydomain.com/cdn.mydomain.com-acme.cer
    [Fri Jul  5 21:50:33 UTC 2019] Installing key to:/usr/local/nginx/conf/ssl/cdn.mydomain.com/cdn.mydomain.com-acme.key
    [Fri Jul  5 21:50:33 UTC 2019] Installing full chain to:/usr/local/nginx/conf/ssl/cdn.mydomain.com/cdn.mydomain.com-fullchain-acme.key
    [Fri Jul  5 21:50:33 UTC 2019] Run reload cmd: /usr/bin/ngxreload
    Reloading nginx configuration (via systemctl):  Job for nginx.service invalid.
                                                               [FAILED]
    [Fri Jul  5 21:50:33 UTC 2019] Reload error for :
    
    systemctl status nginx.service

    Code:
    Starting nginx: nginx: [emerg] open() "/usr/local/nginx/conf/ssl/cdn.mydomain.com/cdn.mydomain.com.crt.key.conf" failed (2: No such file or di...nfo.ssl.conf:15
    Line 15:
    Code:
      include /usr/local/nginx/conf/ssl/cdn.mydomain.com/cdn.mydomain.com.crt.key.conf;
    So I copied it from:
    Code:
    /usr/local/nginx/conf/ssl/cdn.mydomain.com.old/cdn.mydomain.com.crt.key.conf
    and I added it to:
    Code:
    /usr/local/nginx/conf/ssl/cdn.mydomain.com/cdn.mydomain.com.crt.key.conf
    Content of the folder:
    Code:
    /usr/local/nginx/conf/ssl/cdn.mydomain.com
    Code:
    -rw-r--r--  1 root root 1.7K Jul  2 23:33 cdn.mydomain.com.key
    drwx------ 10 root root 4.0K Jul  4 21:27 ..
    -rw-r--r--  1 root root  220 Jul  4 21:27 cdn.mydomain.com.csr.conf
    -rw-r--r--  1 root root 1005 Jul  4 21:27 cdn.mydomain.com.csr
    -rw-r--r--  1 root root 3.6K Jul  4 21:28 fullchain.cer
    -rw-r--r--  1 root root 1.7K Jul  4 21:28 ca.cer
    drwxr-xr-x  3 root root 4.0K Jul  4 21:36 .
    -rw-r--r--  1 root root    0 Jul  4 21:36 cdn.mydomain.com.cer
    drwxr-xr-x  2 root root 4.0K Jul  4 21:36 backup
    -rw-r--r--  1 root root 1.1K Jul  5 21:50 cdn.mydomain.com.conf
    Content of the file:
    Code:
    /usr/local/nginx/conf/ssl/cdn.mydomain.com/cdn.mydomain.com.crt.key.conf
    Code:
      ssl_dhparam /usr/local/nginx/conf/ssl/cdn.mydomain.com/dhparam.pem;
      ssl_certificate      /usr/local/nginx/conf/ssl/cdn.mydomain.com/cdn.mydomain.com-acme.cer;
      ssl_certificate_key  /usr/local/nginx/conf/ssl/cdn.supereventforall.info/cdn.mydomain.com-acme.key;
      ssl_trusted_certificate /usr/local/nginx/conf/ssl/cdn.supereventforall.info/cdn.mydomain.com-acme.cer;
    ngxrestart output again shows the issue with the private key mismatch:
    Code:
    Starting nginx: nginx: [emerg] SSL_CTX_use_PrivateKey("/usr/local/nginx/conf/ssl/cdn.mydomain.com/cdn.mydomain.com-acme.key") failed (SSL: err...alues mismatch)
    It is a test server and I can provide you the login info if you want to check it....
     
  8. eva2000

    try emptying out the acme.sh directory /root/.acme.sh/cdn.mydomain.com and re-running acmetool.sh in cert only mode + renaming the /usr/local/nginx/conf/ssl/cdn.mydomain.com/ directory, emptying it out and doing the acme.sh install command again

    8 cmds to run
    Code (Text):
    cd /root/.acme.sh/
    rm -rf /root/.acme.sh/cdn.mydomain.com
    ./acmetool.sh certonly-issue cdn.mydomain.com live
    cd /usr/local/nginx/conf/ssl/
    cp -a /usr/local/nginx/conf/ssl/cdn.mydomain.com/ /usr/local/nginx/conf/ssl/cdn.mydomain.com.old2/
    rm -rf /usr/local/nginx/conf/ssl/cdn.mydomain.com/*
    /root/.acme.sh/acme.sh --installcert -d cdn.mydomain.com --certpath /usr/local/nginx/conf/ssl/cdn.mydomain.com/cdn.mydomain.com-acme.cer --keypath /usr/local/nginx/conf/ssl/cdn.mydomain.com/cdn.mydomain.com-acme.key --capath /usr/local/nginx/conf/ssl/cdn.mydomain.com/cdn.mydomain.com-acme.cer --reloadCmd /usr/bin/ngxreload --fullchainpath /usr/local/nginx/conf/ssl/cdn.mydomain.com/cdn.mydomain.com-fullchain-acme.key
    ngxrestart
    
     
  9. pamamolf

    I did exactly all the above except running acmetool.sh from /root/.acme.sh/, as I didn't have that tool there; I ran it from /usr/local/src/centminmod/addons/

    All seems to be ok and I got this info:
    Code:
    cdn.mydomain.com is already verified, skip dns-01.
    Cert success
    But at the end the Nginx reload didn't work again :(

    Then I tried to restart it manually using ngxrestart and I got FAILED

    Code:
    systemctl status nginx.service
    Output:
    Code:
    Starting nginx: nginx: [emerg] open() "/usr/local/nginx/conf/ssl/cdn.mydomain.com/cdn.mydomain.com.crt.key.conf" failed (2: No such file or di...nfo.ssl.conf:15
    so I created the file:
    Code:
    /usr/local/nginx/conf/ssl/cdn.mydomain.com/cdn.mydomain.com.crt.key.conf
    and I added inside:
    Code:
      ssl_dhparam /usr/local/nginx/conf/ssl/cdn.mydomain.com/dhparam.pem;
      ssl_certificate      /usr/local/nginx/conf/ssl/cdn.mydomain.com/cdn.mydomain.com-acme.cer;
      ssl_certificate_key  /usr/local/nginx/conf/ssl/cdn.mydomain.com/cdn.mydomain.com-acme.key;
      ssl_trusted_certificate /usr/local/nginx/conf/ssl/cdn.mydomain.com/cdn.mydomain.com-acme.cer;
    and then restarted Nginx again and got FAILED, but with another error this time.
    Code:
    systemctl status nginx.service
    Output:
    Code:
    Starting nginx: nginx: [emerg] BIO_new_file("/usr/local/nginx/conf/ssl/cdn.mydomain.com/dhparam.pem") failed (SSL: error:02001002:system library:fopen:No such file or...
    So I copied dhparam.pem from the .old folder and placed it in the correct folder.
    Code:
    ls -lahrt /usr/local/nginx/conf/ssl/cdn.mydomain.com/
    Code:
    -rw-r--r-- 1 root root  424 Dec 25  2018 dhparam.pem
    drwxr-xr-x 9 root root 4.0K Jul  6 13:20 ..
    -rw-r--r-- 1 root root 3.6K Jul  6 13:21 cdn.mydomain.com-acme.cer
    -rw------- 1 root root 1.7K Jul  6 13:21 cdn.mydomain.com-acme.key
    -rw-r--r-- 1 root root 3.6K Jul  6 13:21 cdn.mydomain.com-fullchain-acme.key
    -rw-r--r-- 1 root root  415 Jul  6 13:29 cdn.mydomain.com.crt.key.conf
    drwxr-xr-x 2 root root 4.0K Jul  6 13:38 .
    Then I restarted Nginx and now it works !!!!!!

    WOW SUPER !!!!

    But on the site, when I disable Cloudflare I can see the green lock and the Let's Encrypt info there with no warnings or any problems, but when I try to open the homepage my images are not loading, and from Chrome's inspector I can see this error:
    Code:
    Failed to load resource: net::ERR_CERT_COMMON_NAME_INVALID
    Checking on the net I found this:
    If you happened to have a self-signed certificate that was created before the change linked below the newer browsers definitely didn't like it because they now require the FQDN of the system in the SubjectAltName field of the certificate.

    Is the solution something like this?

    Chrome Deprecates Subject CN Matching

    Apparently the solution is to instruct openssl to generate a V3 compatible subjectAltName...

    Thank you
     
  10. eva2000

    Interesting, will need to read up on this
    where are the images being loaded from without cloudflare, cdn.mydomain.com? they should be served via the letsencrypt issued ssl cert
     
  11. eva2000

    updated 123.09beta01's self-signed ssl certificate generation routines now so future-generated self-signed ssl certificates include the v3 subjectAltName fields :)

    selfsigned-ssl-sans-01.png
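Added example, not code from this thread and not Centmin Mod's updated self-signed routine. It ties together the two posts above: the `net::ERR_CERT_COMMON_NAME_INVALID` error comes from a certificate whose hostname lives only in the subject CN (Chrome stopped matching on the CN in version 58), and the fix is a certificate that carries the hostname in a v3 subjectAltName. The first function issues such a self-signed certificate; the second reads the SAN back out of any certificate, so you can tell an old CN-only self-signed cert from a fixed one without a browser. It assumes an OpenSSL 1.1.1 or newer CLI (for `req -addext`); the function names, `cdn.example.test` and the output file names are mine.

```shell
#!/bin/sh
# Added example (not from this thread or Centmin Mod).
# Self-signed certificate with a v3 subjectAltName, plus a SAN reader.
# Assumes: openssl 1.1.1+ (req -addext). Names below are constructed.
# Usage as a script: sh sancheck.sh /path/to/cert.crt   (prints SAN DNS names)

# selfsigned_with_san DOMAIN OUTDIR [EXTRA_DNS...]: write OUTDIR/DOMAIN.key and
# OUTDIR/DOMAIN.crt with DOMAIN (and any extra names) in the subjectAltName.
selfsigned_with_san() {
    domain=$1; outdir=$2; shift 2
    san="DNS:$domain"
    for extra in "$@"; do san="$san,DNS:$extra"; done
    openssl req -x509 -nodes -newkey rsa:2048 -days 365 \
        -subj "/CN=$domain" \
        -addext "subjectAltName=$san" \
        -addext "keyUsage=digitalSignature,keyEncipherment" \
        -addext "extendedKeyUsage=serverAuth" \
        -keyout "$outdir/$domain.key" -out "$outdir/$domain.crt" >/dev/null 2>&1
}

# cert_sans CERT: print the DNS names from the certificate's SAN, one per line.
# Prints nothing for a CN-only certificate (the pre-change self-signed style).
cert_sans() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | awk '/X509v3 Subject Alternative Name/ { getline; print }' \
        | tr ',' '\n' \
        | sed -n 's/.*DNS:\([^ ]*\).*/\1/p'
}

# cert_covers_name CERT NAME: exit 0 when NAME is listed in the SAN, 1 otherwise.
# This is the question a modern browser asks; the subject CN is ignored.
cert_covers_name() {
    cert_sans "$1" | grep -qx "$2"
}

# When run as a script with a certificate path, list its SAN DNS names.
if [ "$#" -eq 1 ]; then
    cert_sans "$1"
fi
```

Run `cert_sans` against the certificate a host actually serves (for example one saved from `openssl s_client`) to confirm whether the name the browser is loading images from is in the SAN; if the list is empty or lacks that name, that is the `ERR_CERT_COMMON_NAME_INVALID` case regardless of what the CN says.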
     
  12. pamamolf

    Should I redo the:

    Code:
    cd /root/.acme.sh/
    rm -rf /root/.acme.sh/cdn.mydomain.com
    ./acmetool.sh certonly-issue cdn.mydomain.com live
    cd /usr/local/nginx/conf/ssl/
    cp -a /usr/local/nginx/conf/ssl/cdn.mydomain.com/ /usr/local/nginx/conf/ssl/cdn.mydomain.com.old2/
    rm -rf /usr/local/nginx/conf/ssl/cdn.mydomain.com/*
    /root/.acme.sh/acme.sh --installcert -d cdn.mydomain.com --certpath /usr/local/nginx/conf/ssl/cdn.mydomain.com/cdn.mydomain.com-acme.cer --keypath /usr/local/nginx/conf/ssl/cdn.mydomain.com/cdn.mydomain.com-acme.key --capath /usr/local/nginx/conf/ssl/cdn.mydomain.com/cdn.mydomain.com-acme.cer --reloadCmd /usr/bin/ngxreload --fullchainpath /usr/local/nginx/conf/ssl/cdn.mydomain.com/cdn.mydomain.com-fullchain-acme.key
    ngxrestart
    to test it?

    As that change is related to the previous self-signed certificates?
     
    Last edited: Jul 8, 2019
  13. pamamolf

    When Cloudflare is disabled the images are coming from Wasabi Cloud....
     
  14. eva2000

    it wouldn't change it if wasabi is the one serving the images though, but you can try

    then that problem would be the wasabi ssl certificate configuration
     
  15. pamamolf

    Does that help?
     
  16. eva2000

    Wasabi needs to provide the SSL cert for your cdn.mydomain.com just like Amazon AWS Cloudfront, Sucuri Cloudproxy and Cloudflare would do for CDN accelerated files.
     
  17. pamamolf

  18. eva2000

  19. pamamolf

    Don't know :(

    This is what I got as a reply: