
Letsencrypt Letsencrypt failed ssl renewal

Discussion in 'Domains, DNS, Email & SSL Certificates' started by Jon Snow, Nov 12, 2017.

  1. Jon Snow

    Jon Snow Active Member

    188
    27
    28
    Jun 30, 2017
    Ratings:
    +32
    Local Time:
    2:20 AM
    Nginx 1.13.4
    MariaDB 10.1.26
    Hey @eva2000,

    I've been trying to renew an expired LE SSL cert but I keep failing:
    Code (Text):
    domain.com:Verify error:Invalid response from http://domain.com/.well-known/acme-challenge/numbers-here:
    Please check log file for more details: /root/centminlogs/acmetool.sh-debug-log-numbers-here.log
    LECHECK = 1

     
  2. Jon Snow

    Seems like a problem with the challenge I think. I sent a PM with the /root/centminlogs/acmetool.sh-debug-log-numbers-here.log
     
  3. eva2000

    eva2000 Administrator Staff Member

    30,581
    6,854
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,275
    Local Time:
    4:20 PM
    Nginx 1.13.x
    MariaDB 5.5
    When you create a new nginx vhost domain via centmin.sh menu option 2 or menu option 22, or via the /usr/bin/nv command line, it creates the Nginx vhost files and directories. It outputs the path location where it creates the domain name's vhost conf file named newdomain.com.conf (and newdomain.com.ssl.conf if you selected yes to self-signed SSL):
    • Nginx vhost conf path will be at /usr/local/nginx/conf/conf.d/newdomain.com.conf
    • Nginx HTTP/2 SSL vhost conf path will be at /usr/local/nginx/conf/conf.d/newdomain.com.ssl.conf
    • Nginx Self-Signed SSL Certificate Directory at /usr/local/nginx/conf/ssl/newdomain.com
    • Vhost public web root will be at /home/nginx/domains/newdomain.com/public
    • Vhost log directory will be at /home/nginx/domains/newdomain.com/log
    Please post the contents of /usr/local/nginx/conf/conf.d/newdomain.com.conf and if applicable /usr/local/nginx/conf/conf.d/newdomain.com.ssl.conf wrapped in CODE tags (outlined at How to use forum BBCODE code tags)

    What is the output of these commands in SSH?
    Code (Text):
    curl -I https://domain.com
    

    Code (Text):
    curl -I https://www.domain.com
    

    Code (Text):
    curl -I http://domain.com
    

    Code (Text):
    curl -I http://www.domain.com
    

    wrap output in CODE tags
     
  4. Jon Snow

    Only SSL config:
    Code (Text):
    #x# HTTPS-DEFAULT
     server {
      
       server_name domain.com www.domain.com;
       return 302 https://$server_name$request_uri;
       include /usr/local/nginx/conf/staticfiles.conf;
     }
    # For SPDY SSL Setup
    
    #       listen   80;
    #       server_name domain.com www.domain.com;
    #       return 302 https://$server_name$request_uri;
    
    server {
      listen 443 ssl http2;
      server_name domain.com www.domain.com;
    
      include /usr/local/nginx/conf/ssl/domain.com/domain.com.crt.key.conf;
      include /usr/local/nginx/conf/ssl_include.conf;
    
      http2_max_field_size 16k;
      http2_max_header_size 32k;
      # mozilla recommended
      ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA256:EECDH+ECDSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+SHA384:EECDH+AES128:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!CAMELLIA;
      ssl_prefer_server_ciphers   on;
      #add_header Alternate-Protocol  443:npn-spdy/3;
    
      # before enabling HSTS line below read centminmod.com/nginx_domain_dns_setup.html#hsts
      #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
      #add_header X-Frame-Options SAMEORIGIN;
      #add_header X-Xss-Protection "1; mode=block" always;
      #add_header X-Content-Type-Options "nosniff" always;
      #spdy_headers_comp 5;
      ssl_buffer_size 1369;
      ssl_session_tickets on;
     
      # enable ocsp stapling
      resolver 8.8.8.8 8.8.4.4 valid=10m;
      resolver_timeout 10s;
      ssl_stapling on;
      ssl_stapling_verify on;
    
    # ngx_pagespeed & ngx_pagespeed handler
    #include /usr/local/nginx/conf/pagespeed.conf;
    #include /usr/local/nginx/conf/pagespeedhandler.conf;
    #include /usr/local/nginx/conf/pagespeedstatslog.conf;
    
      # limit_conn limit_per_ip 16;
      # ssi  on;
    
      access_log /home/nginx/domains/domain.com/log/access.log combined buffer=256k flush=5m;
      error_log /home/nginx/domains/domain.com/log/error.log;
    
      include /usr/local/nginx/conf/autoprotect/domain.com/autoprotect-domain.com.conf;
      root /home/nginx/domains/domain.com/public;
      # uncomment cloudflare.conf include if using cloudflare for
      # server and/or vhost site
      #include /usr/local/nginx/conf/cloudflare.conf;
      include /usr/local/nginx/conf/503include-main.conf;
    
      # prevent access to ./directories and files
      #location ~ (?:^|/)\. {
      # deny all;
      #}
    
      location / {
        # Wordpress Permalinks
        try_files $uri $uri/ /index.php?q=$request_uri;
    
        include /usr/local/nginx/conf/wpsecure.conf;
        include /usr/local/nginx/conf/wpnocache.conf;
        include /usr/local/nginx/conf/503include-only.conf;
    
    # block common exploits, sql injections etc
    #include /usr/local/nginx/conf/block.conf;
    
      # Enables directory listings when index file not found
      #autoindex  on;
    
      # Shows file listing times as local time
      #autoindex_localtime on;
    
      # Wordpress Permalinks example
      #try_files $uri $uri/ /index.php?q=$uri&$args;
    
      }
    
      include /usr/local/nginx/conf/pre-staticfiles-local-domain.com.conf;
      include /usr/local/nginx/conf/pre-staticfiles-global.conf;
      include /usr/local/nginx/conf/staticfiles.conf;
      include /usr/local/nginx/conf/php.conf;
     
      include /usr/local/nginx/conf/drop.conf;
      #include /usr/local/nginx/conf/errorpage.conf;
      include /usr/local/nginx/conf/vts_server.conf;
    }
    


    #1: curl: (60) Peer's Certificate has expired.
    #2: curl: (60) Peer's Certificate has expired.
    #3: HTTP/1.1 302 Moved Temporarily
    #4: HTTP/1.1 302 Moved Temporarily
     
  5. Jon Snow

    I think I've run into too many failed attempts:
    Code (Text):
    new-authz error: {"type":"urn:acme:error:rateLimited","detail":"Error creating new authz :: Too many failed authorizations recently.","status": 429}
     
  6. Jon Snow

    It's working again but the challenges still fail :(
     
  7. eva2000

    Problem is you have an https redirect loop going on.

    In the first server context, change $server_name to the desired domain to redirect to, the www or non-www version of the domain.

    The second server context should only list on the server_name line the desired default domain, either the www or non-www version, not both; otherwise the non-default one will enter a redirect loop.
    Code (Text):
    #x# HTTPS-DEFAULT
     server {
    
       server_name domain.com www.domain.com;
       return 302 https://$server_name$request_uri;
       include /usr/local/nginx/conf/staticfiles.conf;
     }
    # For SPDY SSL Setup
    
    #       listen   80;
    #       server_name domain.com www.domain.com;
    #       return 302 https://$server_name$request_uri;
    
    server {
      listen 443 ssl http2;
      server_name domain.com www.domain.com;
    
     
  8. Jon Snow

    @eva2000 did all of that and ran ./acmetool.sh acme-menu > #5 > #4.

    Same error :(

    The second context was changed back to the two domains:
    Code (Text):
    server {
     listen 443 ssl http2;
     server_name domain.com www.domain.com;
    
     
  9. eva2000

    Don't change it back; use only the default domain you are redirecting to.
     
  10. eva2000

    The acme menu method hasn't been tested much. For renewals, just run the cronjob manually:

    Code (Text):
    "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh"
     
  11. Jon Snow

    Same error:
    Code (Text):
    "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh"
    ===Starting cron===
    Renew: 'domain.com'
    Multi domain='DNS:www.domain.com'
    Getting domain auth token for each domain
    Getting webroot for domain='domain.com'
    Getting new-authz for domain='domain.com'
    The new-authz request is ok.
    Getting webroot for domain='www.domain.com'
    Getting new-authz for domain='www.domain.com'
    The new-authz request is ok.
    Verifying:domain.com
    domain.com:Verify error:Invalid response from http://domain.com/.well-known/acme-challenge/anLnfnpfXUHqjV0dX3EUpky786Gzaz_ife4x2P8BgeM:
    Please check log file for more details: /root/centminlogs/acmetool.sh-debug-log-131117-033020.log
    Error renew domain.com.
    ===End cron===
    
    


    This is the updated config file after running it:
    Code (Text):
    server {
       
       server_name domain.com www.domain.com;
       return 302 https://domain.com$request_uri;
       include /usr/local/nginx/conf/staticfiles.conf;
     }
    
    server {
      listen 443 ssl http2;
      server_name domain.com;
    
      include /usr/local/nginx/conf/ssl/domain.com/domain.com.crt.key.conf;
      include /usr/local/nginx/conf/ssl_include.conf;
    
     
  12. eva2000

    Output for:
    Code (Text):
    curl -Iv http://domain.com
    
     
  13. Jon Snow

    Code (Text):
    curl -Iv http://domain.com
    * About to connect() to domain.com port 80 (#0)
    *   Trying xx.xxx.xxx.xx...
    * Connected to domain.com (xx.xxx.xxx.xx) port 80 (#0)
    > HEAD / HTTP/1.1
    > User-Agent: curl/7.29.0
    > Host: domain.com
    > Accept: */*
    >
    < HTTP/1.1 302 Moved Temporarily
    HTTP/1.1 302 Moved Temporarily
    < Date: Tue, 14 Nov 2017 12:13:06 GMT
    Date: Tue, 14 Nov 2017 12:13:06 GMT
    < Content-Type: text/html
    Content-Type: text/html
    < Content-Length: 154
    Content-Length: 154
    < Connection: keep-alive
    Connection: keep-alive
    < Location: https://domain.com/
    Location: https://domain.com/
    < Server: -
    Server: -
    < X-Powered-By: -
    X-Powered-By: -
    
    <
    * Connection #0 to host domain.com left intact
     
  14. eva2000

    Try commenting out in the vhost:
    Code (Text):
    include /usr/local/nginx/conf/drop.conf;
    
     
  15. Jon Snow

    No luck:
    Code (Text):
    Verifying:domain.com
    domain.com:Verify error:Invalid response from http://domain.com/.well-known/acme-challenge/piYRhI3FgnP5ivD4mu8YZlde3gO9eQErtdg02bi2di4:
    Please check log file for more details: /root/centminlogs/acmetool.sh-debug-log-121117-131407.log
    Error renew domain.com.
    ===End cron===
    
     
  16. Jon Snow

    Is there anything blocking the contents of /.well-known/ from going live? I noticed that if I create the folder under domain.com, it says 404 Page Not Found when I try to access any contents of the folder I uploaded.
     
  17. eva2000

    If it was blocked it would be a 403 permission denied error, not 404 not found, so that suggests maybe you have another nginx vhost referencing domain.com which may give it an incorrect web root.

    Double check all references to domain.com using a recursive grep of the nginx conf directory:
    Code (Text):
    grep -rn 'domain.com' /usr/local/nginx/conf
    

    What output do you get?
     
  18. eva2000

    Also, what are the contents of /usr/local/nginx/conf/wpsecure.conf?
     
  19. Jon Snow

    What's strange about this is:

    include /usr/local/nginx/conf/ssl/domain.org/domain.or .crt.key.conf;

    This one is another domain/server I mentioned in the PM with the same problem. I saw something similar on my other server with the .com domain when nginx was failing to restart because I added "old" to my ssl config file's name.
    Code (Text):
    grep -rn 'domain.org' /usr/local/nginx/conf
    /usr/local/nginx/conf/acmevhostbackup/domain.org.conf-backup-removal-https-default-040917-170554:9:#            server_name domain.org;
    /usr/local/nginx/conf/acmevhostbackup/domain.org.conf-backup-removal-https-default-040917-170554:10:#            return 301 $scheme://www.domain.org$request_uri;
    /usr/local/nginx/conf/acmevhostbackup/domain.org.conf-backup-removal-https-default-040917-170554:15:  server_name domain.org www.domain.org;
    /usr/local/nginx/conf/acmevhostbackup/domain.org.conf-backup-removal-https-default-040917-170554:29:  access_log /home/nginx/domains/domain.org/log/access.log combined buffer=256k flush=5m;
    /usr/local/nginx/conf/acmevhostbackup/domain.org.conf-backup-removal-https-default-040917-170554:30:  error_log /home/nginx/domains/domain.org/log/error.log;
    /usr/local/nginx/conf/acmevhostbackup/domain.org.conf-backup-removal-https-default-040917-170554:32:  include /usr/local/nginx/conf/autoprotect/domain.org/autoprotect-domain.org.conf;
    /usr/local/nginx/conf/acmevhostbackup/domain.org.conf-backup-removal-https-default-040917-170554:33:  root /home/nginx/domains/domain.org/public;
    /usr/local/nginx/conf/acmevhostbackup/domain.org.conf-backup-removal-https-default-040917-170554:56:  include /usr/local/nginx/conf/pre-staticfiles-local-domain.org.conf;
    /usr/local/nginx/conf/acmevhostbackup/domain.org.ssl.conf-acmebackup-040917-170554:12:  server_name domain.org www.domain.org;
    /usr/local/nginx/conf/acmevhostbackup/domain.org.ssl.conf-acmebackup-040917-170554:18:  server_name domain.org www.domain.org;
    /usr/local/nginx/conf/acmevhostbackup/domain.org.ssl.conf-acmebackup-040917-170554:20:  include /usr/local/nginx/conf/ssl/domain.org/domain.org.crt.key.conf;
    /usr/local/nginx/conf/acmevhostbackup/domain.org.ssl.conf-acmebackup-040917-170554:53:  access_log /home/nginx/domains/domain.org/log/access.log combined buffer=256k flush=5m;
    /usr/local/nginx/conf/acmevhostbackup/domain.org.ssl.conf-acmebackup-040917-170554:54:  error_log /home/nginx/domains/domain.or /log/error.log;
    /usr/local/nginx/conf/acmevhostbackup/domain.org.ssl.conf-acmebackup-040917-170554:56:  include /usr/local/nginx/conf/autoprotect/domain.org/autoprotect-domain.org.conf;
    /usr/local/nginx/conf/acmevhostbackup/domain.org.ssl.conf-acmebackup-040917-170554:57:  root /home/nginx/domains/domain.org/public;
    /usr/local/nginx/conf/acmevhostbackup/domain.org.ssl.conf-acmebackup-040917-170554:80:  include /usr/local/nginx/conf/pre-staticfiles-local-domain.org.conf;
    /usr/local/nginx/conf/acmevhostbackup/domain.org.ssl.conf-acmebackup-121117-131407:5:  server_name domain.org www.domain.org;
    /usr/local/nginx/conf/acmevhostbackup/domain.org.ssl.conf-acmebackup-121117-131407:11:  server_name domain.org www.domain.org;
    /usr/local/nginx/conf/acmevhostbackup/domain.org.ssl.conf-acmebackup-121117-131407:13:  include /usr/local/nginx/conf/ssl/domain.org/domain.org.crt.key.conf;
    /usr/local/nginx/conf/acmevhostbackup/domain.org.ssl.conf-acmebackup-121117-131407:46:  access_log /home/nginx/domains/domain.org/log/access.log combined buffer=256k flush=5m;
    /usr/local/nginx/conf/acmevhostbackup/domain.org.ssl.conf-acmebackup-121117-131407:47:  error_log /home/nginx/domains/domain.or /log/error.log;
    /usr/local/nginx/conf/acmevhostbackup/domain.org.ssl.conf-acmebackup-121117-131407:49:  include /usr/local/nginx/conf/autoprotect/domain.org/autoprotect-domain.org.conf;
    /usr/local/nginx/conf/acmevhostbackup/domain.org.ssl.conf-acmebackup-121117-131407:50:  root /home/nginx/domains/domain.org/public;
    /usr/local/nginx/conf/acmevhostbackup/domain.org.ssl.conf-acmebackup-121117-131407:76:  include /usr/local/nginx/conf/pre-staticfiles-local-domain.org.conf;
    /usr/local/nginx/conf/ssl/domain.org/acme-vhost-config.txt:1:  ssl_dhparam /usr/local/nginx/conf/ssl/domain.org/dhparam.pem;
    /usr/local/nginx/conf/ssl/domain.org/acme-vhost-config.txt:2:  ssl_certificate      /usr/local/nginx/conf/ssl/domain.org/domain.org-acme.cer;
    /usr/local/nginx/conf/ssl/domain.org/acme-vhost-config.txt:3:  ssl_certificate_key  /usr/local/nginx/conf/ssl/domain.org/domain.org-acme.key;
    /usr/local/nginx/conf/ssl/domain.org/acme-vhost-config.txt:4:  ssl_trusted_certificate /usr/local/nginx/conf/ssl/domain.org/domain.org-acme.cer;
    /usr/local/nginx/conf/ssl/domain.org/domain.org.crt.key.conf:1:  ssl_dhparam /usr/local/nginx/conf/ssl/domain.org/dhparam.pem;
    /usr/local/nginx/conf/ssl/domain.org/domain.org.crt.key.conf:2:  ssl_certificate      /usr/local/nginx/conf/ssl/domain.org/domain.org-acme.cer;
    /usr/local/nginx/conf/ssl/domain.org/domain.org.crt.key.conf:3:  ssl_certificate_key  /usr/local/nginx/conf/ssl/domain.org/domain.org-acme.key;
    /usr/local/nginx/conf/ssl/domain.org/domain.org.crt.key.conf:4:  ssl_trusted_certificate /usr/local/nginx/conf/ssl/domain.org/domain.org-acme.cer;
    /usr/local/nginx/conf/conf.d/domain.org.ssl.conf:5:  server_name domain.org www.domain.org;
    /usr/local/nginx/conf/conf.d/domain.org.ssl.conf:6:  return 302 https://domain.org$request_uri;
    /usr/local/nginx/conf/conf.d/domain.org.ssl.conf:11:  server_name domain.org;
    /usr/local/nginx/conf/conf.d/domain.org.ssl.conf:13:  include /usr/local/nginx/conf/ssl/domain.org/domain.or .crt.key.conf;
    /usr/local/nginx/conf/conf.d/domain.org.ssl.conf:46:  access_log /home/nginx/domains/domain.org/log/access.log combined buffer=256k flush=5m;
    /usr/local/nginx/conf/conf.d/domain.org.ssl.conf:47:  error_log /home/nginx/domains/domain.org/log/error.log;
    /usr/local/nginx/conf/conf.d/domain.org.ssl.conf:49:  include /usr/local/nginx/conf/autoprotect/domain.org/autoprotect-domain.org.conf;
    /usr/local/nginx/conf/conf.d/domain.org.ssl.conf:50:  root /home/nginx/domains/domain.org/public;
    /usr/local/nginx/conf/conf.d/domain.org.ssl.conf:76:  include /usr/local/nginx/conf/pre-staticfiles-local-domain.org.conf;
    

    Code (Text):
    # Deny access to any files with a .php extension in the uploads directory
    # Works in sub-directory installs and also in multisite network
    location ~* /(?:uploads|files)/.*\.php$ {
            deny all;
    }
    
    # Make sure files with the following extensions do not get loaded by nginx because nginx would display the source code, and these files can contain PASSWORDS!
    location ~* \.(engine|inc|info|install|make|module|profile|test|po|sh|.*sql|theme|tpl(\.php)?|xtmpl)$|^(\..*|Entries.*|Repository|Root|Tag|Template)$|\.php_
    {
            return 444;
    }
    
    #nocgi
    location ~* \.(pl|cgi|py|sh|lua)\$ {
            return 444;
    }
    
    #disallow
        location ~* (roundcube|webdav|smtp|http\:|soap|w00tw00t) {
            return 444;
    }
    
    location ~ /(\.|wp-config\.php|readme\.html|license\.txt) { deny all; }
    
     
  20. Jon Snow

    The SSL config of the .org site:
    Code (Text):
    #x# HTTPS-DEFAULT
    server {
     
      server_name domain.org www.domain.org;
      return 302 https://domain.org$request_uri;
    }
    
    server {
      listen 443 ssl http2;
      server_name domain.org;
    
      include /usr/local/nginx/conf/ssl/domain.org/domain.org.crt.key.conf;
      include /usr/local/nginx/conf/ssl_include.conf;
    
      http2_max_field_size 16k;
      http2_max_header_size 32k;
      # mozilla recommended
      ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS;
      ssl_prefer_server_ciphers   on;
      #add_header Alternate-Protocol  443:npn-spdy/3;
    
      # before enabling HSTS line below read centminmod.com/nginx_domain_dns_setup.html#hsts
      #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
      #add_header X-Frame-Options SAMEORIGIN;
      #add_header X-Xss-Protection "1; mode=block" always;
      #add_header X-Content-Type-Options "nosniff" always;
      #spdy_headers_comp 5;
      ssl_buffer_size 1369;
      ssl_session_tickets on;
     
      # enable ocsp stapling
      resolver 8.8.8.8 8.8.4.4 valid=10m;
      resolver_timeout 10s;
      ssl_stapling on;
      ssl_stapling_verify on;
    
    # ngx_pagespeed & ngx_pagespeed handler
    #include /usr/local/nginx/conf/pagespeed.conf;
    #include /usr/local/nginx/conf/pagespeedhandler.conf;
    #include /usr/local/nginx/conf/pagespeedstatslog.conf;
    
      # limit_conn limit_per_ip 16;
      # ssi  on;
    
      access_log /home/nginx/domains/domain.org/log/access.log combined buffer=256k flush=5m;
      error_log /home/nginx/domains/domain.org/log/error.log;
    
      include /usr/local/nginx/conf/autoprotect/domain.org/autoprotect-domain.org.conf;
      root /home/nginx/domains/domain.org/public;
      # uncomment cloudflare.conf include if using cloudflare for
      # server and/or vhost site
      #include /usr/local/nginx/conf/cloudflare.conf;
      include /usr/local/nginx/conf/503include-main.conf;
    
      location / {
      try_files $uri $uri/ /index.php?q=$request_uri;
      include /usr/local/nginx/conf/wpsecure.conf;
      include /usr/local/nginx/conf/wpnocache.conf;
      include /usr/local/nginx/conf/503include-only.conf;
    
    # block common exploits, sql injections etc
    #include /usr/local/nginx/conf/block.conf;
    
      # Enables directory listings when index file not found
      #autoindex  on;
    
      # Shows file listing times as local time
      #autoindex_localtime on;
    
      # Wordpress Permalinks example
      #try_files $uri $uri/ /index.php?q=$uri&$args;
    
      }
    
      include /usr/local/nginx/conf/pre-staticfiles-local-domain.org.conf;
      include /usr/local/nginx/conf/pre-staticfiles-global.conf;
      include /usr/local/nginx/conf/staticfiles.conf;
      include /usr/local/nginx/conf/php.conf;
     
      # include /usr/local/nginx/conf/drop.conf;
      # include /usr/local/nginx/conf/errorpage.conf;
      include /usr/local/nginx/conf/vts_server.conf;
    }
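As an added check for the two posts above (the wpsecure.conf pasted in post 19 and the .org vhost in post 20 that includes it inside `location /`), not code from the thread or from Centmin Mod itself: a small Python script that replays nginx's first-match evaluation of regex `location` blocks over a few request paths, including an ACME HTTP-01 challenge path, and reports which rule would act on each. It models only the five regex locations shown in the posted wpsecure.conf and assumes they are the only regex locations in play; any other locations the full vhost pulls in (staticfiles.conf, php.conf, and so on) are not modelled. The sample paths are constructed; the challenge token is the one from the cron output quoted in post 11.

```python
import re

# Regex location rules as they appear in the wpsecure.conf posted in this thread,
# in file order: (nginx modifier, pattern, action). '~' is case-sensitive, '~*' is not.
WPSECURE_RULES = [
    ("~*", r"/(?:uploads|files)/.*\.php$", "deny all"),
    ("~*", r"\.(engine|inc|info|install|make|module|profile|test|po|sh|.*sql|theme|tpl(\.php)?|xtmpl)$"
           r"|^(\..*|Entries.*|Repository|Root|Tag|Template)$|\.php_", "return 444"),
    ("~*", r"\.(pl|cgi|py|sh|lua)\$", "return 444"),
    ("~*", r"(roundcube|webdav|smtp|http\:|soap|w00tw00t)", "return 444"),
    ("~", r"/(\.|wp-config\.php|readme\.html|license\.txt)", "deny all"),
]

# Constructed sample request paths. The challenge token is the one from the
# cron output quoted earlier in the thread; the others are typical WordPress URIs.
SAMPLE_PATHS = [
    "/.well-known/acme-challenge/anLnfnpfXUHqjV0dX3EUpky786Gzaz_ife4x2P8BgeM",
    "/index.php",
    "/wp-content/uploads/2017/11/evil.php",
    "/wp-config.php",
    "/backup.sql",
]


def compile_rules(rules):
    """Compile each nginx regex with the case sensitivity its modifier implies."""
    compiled = []
    for modifier, pattern, action in rules:
        flags = re.IGNORECASE if modifier == "~*" else 0
        compiled.append((re.compile(pattern, flags), pattern, action))
    return compiled


def first_matching_rule(path, rules=WPSECURE_RULES):
    """Mimic nginx: regex locations are tried in file order and the first match
    wins. Returns (pattern, action), or None when no regex location matches."""
    for regex, pattern, action in compile_rules(rules):
        if regex.search(path):
            return (pattern, action)
    return None


def audit_paths(paths, rules=WPSECURE_RULES):
    """Map each request path to the rule that would act on it (or None)."""
    return {path: first_matching_rule(path, rules) for path in paths}


if __name__ == "__main__":
    for path, hit in audit_paths(SAMPLE_PATHS).items():
        if hit is None:
            print(f"{path}: no regex location matches (falls through to try_files)")
        else:
            print(f"{path}: matched {hit[0]!r} -> {hit[1]}")
```

Run stand-alone, the challenge path resolves to the last rule, `/(\.|wp-config\.php|readme\.html|license\.txt)` with `deny all`, simply because `/.well-known` begins with `/.`, while `/index.php` falls through to `try_files` untouched. A challenge blocked by a `deny all` of that kind shows up as a 403 from nginx, which is the symptom eva2000 distinguishes from a 404 in post 17; commenting the includes out one at a time, as post 14 suggests for drop.conf, is the quickest way to confirm which file is responsible, and a more specific `location ^~ /.well-known/acme-challenge/` placed ahead of such regex rules is the standard nginx way to exempt the challenge directory.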