Letsencrypt Letsencrypt SSL on subdomain, Stat Page, mainhost

Discussion in 'Domains, DNS, Email & SSL Certificates' started by Eddie, Oct 15, 2018.

  1. Eddie

    Eddie New Member

    Hi,

    I have a vhost set up, 'example.com', which is configured by example.com.ssl.conf.
    The main host's name is 'mainhost.example.com', which is configured by vhost.conf.

    Code:
    [11:33][[email protected] addons]# cminfo
    ------------------------------------------------------------------
     Centmin Mod Quick Info:
    ------------------------------------------------------------------
    Server Location Info
    
      ip: ---
      city: Seoul
      region: Seoul
      country: KR
    
    Processors physical = 1, cores = 8, virtual = 8, hyperthreading = no
    
    ------------------------------------------------------------------
     Site Nginx Vhost Config Files:
    ------------------------------------------------------------------
    
    * /usr/local/nginx/conf/conf.d/demodomain.com.conf
    * /usr/local/nginx/conf/conf.d/example.com.conf
    * /usr/local/nginx/conf/conf.d/example.com.ssl.conf
    * /usr/local/nginx/conf/conf.d/virtual.conf
    
    ------------------------------------------------------------------
     System User Ids >81:
    ------------------------------------------------------------------
    
    ...
    ...
    The problem is that, when I access mainhost.example.com to see my server's status,
    the web browser automatically redirects to https and then generates an SSL cert error.

    Code:
    [13:13][[email protected] addons]# cat  /usr/local/nginx/conf/conf.d/virtual.conf
    server {
                listen 80 default_server backlog=2048 reuseport fastopen=256;
                server_name mainhost.example.com;
                root   html;
    
            access_log              /var/log/nginx/localhost.access.log     combined buffer=8k flush=1m;
            error_log               /var/log/nginx/localhost.error.log      error;
    
    # ngx_pagespeed & ngx_pagespeed handler
    #include /usr/local/nginx/conf/pagespeed.conf;
    #include /usr/local/nginx/conf/pagespeedhandler.conf;
    #include /usr/local/nginx/conf/pagespeedstatslog.conf;
    
    # limit_conn limit_per_ip 16;
    # ssi  on;
    
            location /nginx_status {
            stub_status on;
            access_log   off;
            allow 127.0.0.1;
            #allow youripaddress;
            deny all;
            }
    
                location / {
    
    # block common exploits, sql injections etc
    #include /usr/local/nginx/conf/block.conf;
    
    #Enables directory listings when index file not found
    #autoindex  on;
    
    #Shows file listing times as local time
    #autoindex_localtime on;
    
    # Wordpress Permalinks example
    #try_files $uri $uri/ /index.php?q=$uri&$args;
    
                }
    location /redisadmin {
         auth_basic "Private";
         auth_basic_user_file /usr/local/nginx/conf/htpasswd_redisadmin;
            include /usr/local/nginx/conf/php.conf;
            #allow 127.0.0.1;
            #allow YOURIPADDRESS;
            #deny all;
    }
    
    include /usr/local/nginx/conf/staticfiles.conf;
    include /usr/local/nginx/conf/include_opcache.conf;
    include /usr/local/nginx/conf/php.conf;
    #include /usr/local/nginx/conf/phpstatus.conf;
    include /usr/local/nginx/conf/drop.conf;
    #include /usr/local/nginx/conf/errorpage.conf;
    #include /usr/local/nginx/conf/vts_mainserver.conf;
    
           }
    What should I do to access my stat pages through SSL?
     
  2. eva2000

    eva2000 Administrator Staff Member

    Are host.domain.com and the HTTPS-enabled site also on the same top-level domain.com? Did you enable HSTS with include subdomains too? If you did, then you're telling browsers to force HTTP to HTTPS redirected connections for domain.com and any *.domain.com subdomain as well.

    see Enabling HSTS for SSL for specifics
    As host.domain.com is usually reserved for stats and admin pages that only the Centmin Mod LEMP stack owner needs to access, you can just clear your web browser's HSTS record for domain.com and host.domain.com so the web browser no longer redirects from HTTP to HTTPS. I posted a thread at SSL - How to clear HSTS browser cache | Centmin Mod Community specifically for this :)
     
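Why clearing the HSTS entry for example.com also stops the redirect on mainhost.example.com, shown as an added example (not code from this thread or from Centmin Mod): a browser's HSTS store matches superdomains, so a host is upgraded to HTTPS when it has its own unexpired entry or when any parent domain has an unexpired entry carrying includeSubDomains. The model below follows the known-HSTS-host lookup of RFC 6797 section 8.3; the hostnames, header values and the preloaded TLD are constructed for illustration.

```python
"""Model of a browser HSTS store: superdomain matching per RFC 6797 s8.3.

Added example; constructed hosts and headers, not data from the thread.
"""
from __future__ import annotations

import time
from dataclasses import dataclass


@dataclass
class HstsEntry:
    expires: float            # unix time after which the entry is stale
    include_subdomains: bool  # entry also covers every *.host below it


def parse_sts_header(value: str) -> tuple[int, bool] | None:
    """Parse a Strict-Transport-Security field value.

    Directive names are case-insensitive, so "includeSubdomains" as written in
    the Centmin Mod vhost works. Returns (max_age, include_subdomains), or None
    when the header must be ignored (max-age missing, repeated or non-numeric).
    """
    max_age: int | None = None
    include_subdomains = False
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, val = directive.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')
        if name == "max-age":
            if max_age is not None or not val.isdigit():
                return None
            max_age = int(val)
        elif name == "includesubdomains":
            include_subdomains = True
        # unknown directives (e.g. preload) are ignored, RFC 6797 s6.1
    if max_age is None:
        return None
    return max_age, include_subdomains


class HstsCache:
    """Minimal browser HSTS store plus a static preload list (host -> flag)."""

    def __init__(self, preload: dict[str, bool] | None = None) -> None:
        self._entries: dict[str, HstsEntry] = {}
        self._preload = {h.lower(): inc for h, inc in (preload or {}).items()}

    @staticmethod
    def _norm(host: str) -> str:
        return host.lower().rstrip(".")

    def record(self, host: str, header: str, *, over_https: bool = True,
               now: float | None = None) -> bool:
        """Apply an STS header received from host; True if it was honoured.

        Browsers only note the header on an HTTPS response without cert errors
        (RFC 6797 s8.1); max-age=0 deletes the existing entry.
        """
        if not over_https:
            return False
        parsed = parse_sts_header(header)
        if parsed is None:
            return False
        max_age, include_subdomains = parsed
        host = self._norm(host)
        if max_age == 0:
            self._entries.pop(host, None)
            return True
        now = time.time() if now is None else now
        self._entries[host] = HstsEntry(now + max_age, include_subdomains)
        return True

    def clear(self, host: str) -> None:
        """What the original poster did: drop the cached entry for one host."""
        self._entries.pop(self._norm(host), None)

    def should_upgrade(self, host: str, now: float | None = None) -> bool:
        """True if a plain http:// request to host is rewritten to https://."""
        now = time.time() if now is None else now
        labels = self._norm(host).split(".")
        # walk the host and then each parent:
        # mainhost.example.com -> example.com -> com
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            exact = i == 0
            pre = self._preload.get(candidate)
            if pre is not None and (exact or pre):
                return True
            entry = self._entries.get(candidate)
            if entry is None or entry.expires <= now:
                continue
            if exact or entry.include_subdomains:
                return True
        return False
```

With `max-age=31536000; includeSubdomains` seen once from https://example.com, `should_upgrade("mainhost.example.com")` is true even though the browser never visited mainhost, and `clear("example.com")` makes it false again, which is the behaviour reported in this thread. A preload entry for a whole TLD with the flag set reproduces the .page case mentioned later in the thread.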
  3. Eddie

    Eddie New Member

    @eva2000 , Thanks for your reply!!!!

    I have solved the problem by 'clearing the HSTS browser cache'. Thanks again.
    I do not know why this can be a solution, because I have not accessed mainhost.example.com before.
    Deleting the HSTS cache for example.com can solve the problem of accessing mainhost.example.com. Why?

    One more question.

    There is no HTTP Strict Transport Security setup at all on either 'example.com', which is configured by example.com.ssl.conf, or 'mainhost.example.com', which is configured by vhost.conf (the default vhost.conf).
    I have not commented out any " #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;"; " line in example.com.ssl.conf.

    There is no vhost.ssl.conf or ssl.conf that would have been generated automatically, and I think I have to generate it manually on my side.
    Could you let me know how to activate SSL for mainhost.example.com?

    Thanks.
     
  4. eva2000

    eva2000 Administrator Staff Member

    Are you using Cloudflare in front of Centmin Mod Nginx? If you are, then the orange cloud (proxy) might be enabled on mainhost.example.com, which will enable HTTPS by default if you have set Always Use HTTPS in Cloudflare.

    Another possible reason is if you use a domain extension that is HTTPS only, like Google's new .page extension, which requires HTTPS by default and is set with HSTS preload in web browsers, so any domain/subdomain on the .page extension will by default load over HTTPS only.

    Did you install the Centmin Mod phpmyadmin.sh addon too?

    Otherwise, I can't see why your mainhost.example.com would redirect to HTTPS by default.

    There's no automated way to set up SSL/HTTPS for the main hostname. But you can manually set up the main hostname outlined in Getting Started Guide step 1 with HTTPS using the vhost generator at Generate Centmin Mod Nginx Vhost - CentminMod.com LEMP Nginx web stack for CentOS

    Type the main hostname into the domain field; it has to have a valid DNS A record pointing to the server IP, i.e. host.domain.com. Check the box that says Generate Self-Signed SSL / Letsencrypt SSL HTTPS Vhost (File ONLY) *

    Vhost type = basic and hit submit

    Follow the first 3 acme.sh commands only to get the Let's Encrypt SSL cert, but edit the web root from
    /home/nginx/domains/host.domain.com/public to point to /usr/local/nginx/html and remove the www. domain from -d

    enable letsencrypt in 123.09beta01 - 3 commands
    Code (Text):
    touch /etc/centminmod/custom_config.inc
    echo "LETSENCRYPT_DETECT='y'" >> /etc/centminmod/custom_config.inc
    /usr/local/src/centminmod/addons/acmetool.sh acmeupdate
    

    get letsencrypt ssl cert - 1 line cmd - webroot defined by -w /usr/local/nginx/html
    Code (Text):
    /root/.acme.sh/acme.sh --force --issue --days 60 -d host.domain.com -w /usr/local/nginx/html -k 2048 --useragent centminmod-centos-acmesh-webroot --log /root/centminlogs/acmetool.sh-debug-log-host.domain.com.log --log-level 2
    

    install letsencrypt ssl cert - 2 line cmds
    Code (Text):
    mkdir -p /usr/local/nginx/conf/ssl/host.domain.com
    /root/.acme.sh/acme.sh --installcert -d host.domain.com --certpath /usr/local/nginx/conf/ssl/host.domain.com/host.domain.com-acme.cer --keypath /usr/local/nginx/conf/ssl/host.domain.com/host.domain.com-acme.key --capath /usr/local/nginx/conf/ssl/host.domain.com/host.domain.com-acme.cer --reloadCmd /usr/bin/ngxreload --fullchainpath /usr/local/nginx/conf/ssl/host.domain.com/host.domain.com-fullchain-acme.key
    

    then make a copy of /usr/local/nginx/conf/conf.d/virtual.conf as /usr/local/nginx/conf/conf.d/virtual.ssl.conf
    Code (Text):
    cp -a /usr/local/nginx/conf/conf.d/virtual.conf /usr/local/nginx/conf/conf.d/virtual.ssl.conf
    

    now edit within /usr/local/nginx/conf/conf.d/virtual.ssl.conf with ssl cert lines so looks like
    Code (Text):
    server {
      listen 443 ssl http2;
      server_name host.domain.com;
    
      ssl_certificate      /usr/local/nginx/conf/ssl/host.domain.com/host.domain.com-acme.cer;
      ssl_certificate_key  /usr/local/nginx/conf/ssl/host.domain.com/host.domain.com-acme.key;
      include /usr/local/nginx/conf/ssl_include.conf;
    
      http2_max_field_size 16k;
      http2_max_header_size 32k;
      # dual cert supported ssl ciphers
      ssl_ciphers     EECDH+CHACHA20-draft:EECDH+CHACHA20:EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA256:EECDH+ECDSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+SHA384:EECDH+AES128:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!CAMELLIA;
      ssl_prefer_server_ciphers   on;
      #add_header Alternate-Protocol  443:npn-spdy/3;
      #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
      #add_header X-Frame-Options SAMEORIGIN;
      #add_header X-Xss-Protection "1; mode=block" always;
      #add_header X-Content-Type-Options "nosniff" always;
      #spdy_headers_comp 5;
      ssl_buffer_size 1369;
      ssl_session_tickets on;
    
      # enable ocsp stapling
      resolver 8.8.8.8 8.8.4.4 valid=10m;
      resolver_timeout 10s;
      ssl_stapling on;
      ssl_stapling_verify on;
      ssl_trusted_certificate /usr/local/nginx/conf/ssl/host.domain.com/host.domain.com-acme.cer;
    
            root   html;
            access_log              /var/log/nginx/localhost.access.log     combined buffer=8k flush=1m;
            error_log               /var/log/nginx/localhost.error.log      error;
    
    # ngx_pagespeed & ngx_pagespeed handler
    #include /usr/local/nginx/conf/pagespeed.conf;
    #include /usr/local/nginx/conf/pagespeedhandler.conf;
    #include /usr/local/nginx/conf/pagespeedstatslog.conf;
    
    # limit_conn limit_per_ip 16;
    # ssi  on;
    
            location /nginx_status {
            stub_status on;
            access_log   off;
            allow 127.0.0.1;
            #allow youripaddress;
            deny all;
            }
    
                location / {
    
    # block common exploits, sql injections etc
    #include /usr/local/nginx/conf/block.conf;
    
    #Enables directory listings when index file not found
    #autoindex  on;
           
                }
    
    include /usr/local/nginx/conf/staticfiles.conf;
    include /usr/local/nginx/conf/include_opcache.conf;
    include /usr/local/nginx/conf/php.conf;
    #include /usr/local/nginx/conf/phpstatus.conf;
    include /usr/local/nginx/conf/drop.conf;
    #include /usr/local/nginx/conf/errorpage.conf;
    #include /usr/local/nginx/conf/vts_mainserver.conf;
    
           }
    

    restart nginx
    Code (Text):
    ngxrestart
    

    Now you should be able to access both the HTTPS and non-HTTPS hostname, and then, if all is working, add a non-HTTPS to HTTPS 302 temporary redirect.



    If you do have phpmyadmin installed via phpmyadmin.sh, you can try the following steps to fix the conflict.

    1. Get the contents of /usr/local/nginx/conf/phpmyadmin_https.conf and place them in the main hostname HTTPS nginx vhost you created above,
    /usr/local/nginx/conf/conf.d/virtual.ssl.conf, within the server{} context

    2. Backup locally copy of phpmyadmin.sh auto generated self-signed SSL cert HTTPS vhost at /usr/local/nginx/conf/conf.d/phpmyadmin_ssl.conf

    3. Then take the following values contained in /usr/local/nginx/conf/conf.d/phpmyadmin_ssl.conf and transpose them into the main hostname HTTPS nginx vhost you created above,
    /usr/local/nginx/conf/conf.d/virtual.ssl.conf, within the server{} context
    Code (Text):
    keepalive_timeout 3000;
    client_body_buffer_size 256k;
    client_body_timeout 3000s;
    client_header_buffer_size 256k;
    ## how long a connection has to complete sending
    ## it's headers for request to be processed
    client_header_timeout 60s;
    client_max_body_size 512m;
    connection_pool_size 512;
    directio 512m;
    ignore_invalid_headers on;
    large_client_header_buffers 8 256k;
    


    4. Then remove /usr/local/nginx/conf/conf.d/phpmyadmin_ssl.conf

    5. Test Nginx config & Restart Nginx & PHP-FPM
    Code (Text):
    nginx -t
    nprestart
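The manual vhost steps above (copy virtual.conf to virtual.ssl.conf, swap the port-80 listener for a 443 listener plus TLS directives, then test and reload) as one script. This is an added example, not Centmin Mod's or eva2000's code. It uses the same file names the acme.sh --installcert command above writes (host-acme.cer holding leaf plus chain, host-acme.key), and before touching nginx it runs the checks a practitioner would want: exactly one 443 listener, no stray port-80 listener, and exactly one ssl_certificate_key, a duplicate of which is easy to leave behind when editing by hand. The `--apply` flag, the script name and the preflight file checks are assumptions; the cert must already have been issued and installed with the acme.sh commands above.

```shell
#!/bin/sh
# Added example (not Centmin Mod or thread code): build the main hostname's
# HTTPS vhost from its HTTP vhost and sanity-check it before reloading nginx.
# Assumes the acme.sh steps above already wrote
#   $ssldir/<host>-acme.cer (leaf + chain) and $ssldir/<host>-acme.key
set -eu

# make_ssl_vhost SRC DST HOST SSLDIR
# Copy SRC to DST, replacing the "listen 80 ..." line with a 443 listener and
# the TLS directives, and dropping the old server_name (re-emitted with them).
# Everything else (stub_status, includes, logs) is carried over unchanged.
make_ssl_vhost() {
  src=$1 dst=$2 host=$3 ssldir=$4
  awk -v host="$host" -v ssldir="$ssldir" '
    BEGIN { swapped = 0 }
    /^[[:space:]]*listen[[:space:]]+80([[:space:]]|;)/ && !swapped {
      print "  listen 443 ssl http2;"
      print "  server_name " host ";"
      print ""
      print "  ssl_certificate      " ssldir "/" host "-acme.cer;"
      print "  ssl_certificate_key  " ssldir "/" host "-acme.key;"
      print "  include /usr/local/nginx/conf/ssl_include.conf;"
      print ""
      print "  # OCSP stapling; the trusted file must hold the issuing chain"
      print "  resolver 8.8.8.8 8.8.4.4 valid=10m;"
      print "  resolver_timeout 10s;"
      print "  ssl_stapling on;"
      print "  ssl_stapling_verify on;"
      print "  ssl_trusted_certificate " ssldir "/" host "-acme.cer;"
      swapped = 1
      next
    }
    # the HTTP server_name follows the listen line and was already re-emitted
    /^[[:space:]]*server_name[[:space:]]/ && swapped { next }
    { print }
  ' "$src" > "$dst"
}

# check_ssl_vhost FILE
# Fail on the mistakes that make nginx -t or the browser complain.
check_ssl_vhost() {
  f=$1
  if grep -Eq '^[[:space:]]*listen[[:space:]]+80([[:space:]]|;)' "$f"; then
    echo "$f: port-80 listener leaked into TLS vhost" >&2; return 1
  fi
  n=$(grep -Ec '^[[:space:]]*listen[[:space:]]+443' "$f" || true)
  if [ "$n" -ne 1 ]; then
    echo "$f: expected one 443 listener, found $n" >&2; return 1
  fi
  k=$(grep -Ec '^[[:space:]]*ssl_certificate_key[[:space:]]' "$f" || true)
  if [ "$k" -ne 1 ]; then
    echo "$f: expected one ssl_certificate_key, found $k" >&2; return 1
  fi
  return 0
}

# Usage on the server (paths assumed):  sh make_vhost_ssl.sh --apply host.domain.com
if [ "${1:-}" = "--apply" ]; then
  host=${2:?usage: $0 --apply HOSTNAME}
  ssldir=/usr/local/nginx/conf/ssl/$host
  for f in "$ssldir/$host-acme.cer" "$ssldir/$host-acme.key"; do
    [ -s "$f" ] || { echo "missing $f; run the acme.sh issue/installcert steps first" >&2; exit 1; }
  done
  make_ssl_vhost /usr/local/nginx/conf/conf.d/virtual.conf \
                 /usr/local/nginx/conf/conf.d/virtual.ssl.conf "$host" "$ssldir"
  check_ssl_vhost /usr/local/nginx/conf/conf.d/virtual.ssl.conf
  nginx -t && ngxreload
fi
```

The generated file keeps the HTTP vhost's /nginx_status block with its `allow 127.0.0.1; deny all;`, so moving the status page to HTTPS does not widen who can read it; add your own IP with `allow` there rather than removing `deny all`.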