
SSL not trusted

Discussion in 'Domains, DNS, Email & SSL Certificates' started by gamal, Nov 22, 2018.

  1. gamal

    gamal Member

    Hello,

    I have set up SSL through option 22 for WordPress, but the SSL certificate is not trusted...

    here is the SSL test: SSL Server Test: comixat.com (Powered by Qualys SSL Labs)


    and here is the output of

    cat /usr/local/nginx/conf/conf.d/comixat.com.ssl.conf
    Code:
    # Centmin Mod Getting Started Guide
    # must read http://centminmod.com/getstarted.html
    # For HTTP/2 SSL Setup
    # read http://centminmod.com/nginx_configure_https_ssl_spdy.html
    #
    # HTTPS vhost for comixat.com as generated by Centmin Mod (menu option 22).
    # The certificate files referenced below are the subject of this thread:
    # if Let's Encrypt issuance failed, Centmin Mod's fallback leaves a
    # self-signed certificate at the same paths, which browsers and SSL Labs
    # report as "not trusted". Inspect what is actually installed with
    #   openssl x509 -in <path-to-.crt> -noout -issuer -subject -dates
    # and compare the issuer against "Let's Encrypt".
    
    # redirect from www to non-www  forced SSL
    # uncomment, save file and restart Nginx to enable
    # if unsure use return 302 before using return 301
    # server {
    #   server_name comixat.com www.comixat.com;
    #    return 302 https://$server_name$request_uri;
    # }
    
    server {
      listen 443 ssl http2;
      server_name comixat.com www.comixat.com;
    
      # DH parameters for the DHE-* suites listed in ssl_ciphers below.
      ssl_dhparam /usr/local/nginx/conf/ssl/comixat.com/dhparam.pem;
      # Leaf cert + key. With the Centmin Mod self-signed fallback these paths
      # hold the fallback cert, not a Let's Encrypt one (see thread post 2).
      ssl_certificate      /usr/local/nginx/conf/ssl/comixat.com/comixat.com.crt;
      ssl_certificate_key  /usr/local/nginx/conf/ssl/comixat.com/comixat.com.key;
      # Shared TLS settings (protocols, session cache, etc.) live in this
      # include; they are not visible in this file.
      include /usr/local/nginx/conf/ssl_include.conf;
    
      # cloudflare authenticated origin pull cert community.centminmod.com/threads/13847/
      # (disabled) Only enable these two if the site is behind Cloudflare with
      # Authenticated Origin Pulls; otherwise direct clients would be rejected.
      #ssl_client_certificate /usr/local/nginx/conf/ssl/cloudflare/comixat.com/origin.crt;
      #ssl_verify_client on;
      http2_max_field_size 16k;
      http2_max_header_size 32k;
      # mozilla recommended
      # NOTE(review): this list still contains 3DES suites (*-DES-CBC3-SHA) and
      # non-ECDHE AES-SHA suites with no forward secrecy, kept for legacy
      # client compatibility. SSL Labs typically flags these as weak; they can
      # be dropped if old clients do not need to be supported. They are not
      # the cause of the "not trusted" result, which is a certificate issue.
      ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS;
      ssl_prefer_server_ciphers   on;
      #add_header Alternate-Protocol  443:npn-spdy/3;
    
      # before enabling HSTS line below read centminmod.com/nginx_domain_dns_setup.html#hsts
      # Do not enable HSTS until a trusted certificate is served: with HSTS set,
      # browsers refuse to let users click through an untrusted cert.
      #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
      #add_header X-Frame-Options SAMEORIGIN;
      # NOTE(review): nginx add_header directives are not inherited into a
      # location block that defines its own add_header; if any included conf
      # below sets headers per-location, these two will not apply there.
      # Verify the served headers with: curl -I https://comixat.com/
      add_header X-Xss-Protection "1; mode=block" always;
      add_header X-Content-Type-Options "nosniff" always;
      #add_header Referrer-Policy "strict-origin-when-cross-origin";
      #spdy_headers_comp 5;
      ssl_buffer_size 1369;
      # Session tickets are encrypted with nginx's own key unless
      # ssl_session_ticket_key is set (possibly in ssl_include.conf — TODO
      # confirm); long-lived ticket keys weaken forward secrecy.
      ssl_session_tickets on;
    
      # enable ocsp stapling
      # OCSP responder lookups go to Google public DNS. If the host's IPv6
      # networking is broken (as suspected in this thread), AAAA answers may
      # make OCSP fetches fail; `resolver ... ipv6=off` limits lookups to IPv4.
      resolver 8.8.8.8 8.8.4.4 valid=10m;
      resolver_timeout 10s;
      ssl_stapling on;
      # Verification needs the issuing CA chain in ssl_trusted_certificate.
      # With a self-signed fallback cert there is no OCSP responder, so nginx
      # will likely log stapling warnings and serve no staple until a real
      # Let's Encrypt certificate is issued.
      ssl_stapling_verify on;
      ssl_trusted_certificate /usr/local/nginx/conf/ssl/comixat.com/comixat.com-trusted.crt;
    
    # ngx_pagespeed & ngx_pagespeed handler
    #include /usr/local/nginx/conf/pagespeed.conf;
    #include /usr/local/nginx/conf/pagespeedhandler.conf;
    #include /usr/local/nginx/conf/pagespeedstatslog.conf;
    
      # limit_conn limit_per_ip 16;
      # ssi  on;
    
      access_log /home/nginx/domains/comixat.com/log/access.log combined buffer=256k flush=5m;
      error_log /home/nginx/domains/comixat.com/log/error.log;
    
      include /usr/local/nginx/conf/autoprotect/comixat.com/autoprotect-comixat.com.conf;
      root /home/nginx/domains/comixat.com/public;
      # uncomment cloudflare.conf include if using cloudflare for
      # server and/or vhost site
      #include /usr/local/nginx/conf/cloudflare.conf;
      include /usr/local/nginx/conf/503include-main.conf;
    
      #include /usr/local/nginx/conf/wpincludes/comixat.com/wpcacheenabler_comixat.com.conf;
      include /usr/local/nginx/conf/wpincludes/comixat.com/wpsupercache_comixat.com.conf;
      # https://community.centminmod.com/posts/18828/
      #include /usr/local/nginx/conf/wpincludes/comixat.com/rediscache_comixat.com.conf;
    
      location / {
      include /usr/local/nginx/conf/503include-only.conf;
    
    
      # Enables directory listings when index file not found
      #autoindex  on;
    
      # for wordpress super cache plugin
      try_files /wp-content/cache/supercache/$http_host/$cache_uri/index.html $uri $uri/ /index.php?q=$uri&$args;
    
      # for wp cache enabler plugin
      #try_files $cache_enabler_uri $uri $uri/ $custom_subdir/index.php?$args;
    
      # Wordpress Permalinks
      #try_files $uri $uri/ /index.php?q=$uri&$args;
    
      # Nginx level redis Wordpress
      # https://community.centminmod.com/posts/18828/
      #try_files $uri $uri/ /index.php?$args;
    
      }
    
    # Rate-limits WordPress login attempts. The xwplogin zone is defined by a
    # limit_req_zone directive outside this file.
    location ~* /(wp-login\.php) {
        limit_req zone=xwplogin burst=1 nodelay;
        #limit_conn xwpconlimit 30;
        # Optional second factor: HTTP basic auth in front of wp-login.php.
        #auth_basic "Private";
        #auth_basic_user_file /home/nginx/domains/comixat.com/htpasswd_wplogin;
        include /usr/local/nginx/conf/php-wpsc.conf;
    
        # https://community.centminmod.com/posts/18828/
        #include /usr/local/nginx/conf/php-rediscache.conf;
    }
    
    # xmlrpc.php stays reachable but rate-limited via the xwprpc zone (defined
    # outside this file). It is commonly denied outright when no client
    # (Jetpack, mobile apps) needs XML-RPC.
    location ~* /(xmlrpc\.php) {
        limit_req zone=xwprpc burst=45 nodelay;
        #limit_conn xwpconlimit 30;
        include /usr/local/nginx/conf/php-wpsc.conf;
    
        # https://community.centminmod.com/posts/18828/
        #include /usr/local/nginx/conf/php-rediscache.conf;
    }
    
    # load-scripts.php / load-styles.php share the xwprpc zone with a small
    # burst, since they accept arbitrary-length lists of assets to concatenate.
    location ~* /wp-admin/(load-scripts\.php) {
        limit_req zone=xwprpc burst=5 nodelay;
        #limit_conn xwpconlimit 30;
        include /usr/local/nginx/conf/php-wpsc.conf;
    
        # https://community.centminmod.com/posts/18828/
        #include /usr/local/nginx/conf/php-rediscache.conf;
    }
    
    location ~* /wp-admin/(load-styles\.php) {
        limit_req zone=xwprpc burst=5 nodelay;
        #limit_conn xwpconlimit 30;
        include /usr/local/nginx/conf/php-wpsc.conf;
    
        # https://community.centminmod.com/posts/18828/
        #include /usr/local/nginx/conf/php-rediscache.conf;
    }
    
      # WordPress hardening rules (contents not visible here), then PHP handling.
      include /usr/local/nginx/conf/wpincludes/comixat.com/wpsecure_comixat.com.conf;
      include /usr/local/nginx/conf/php-wpsc.conf;
    
      # https://community.centminmod.com/posts/18828/
      #include /usr/local/nginx/conf/php-rediscache.conf;
      include /usr/local/nginx/conf/pre-staticfiles-local-comixat.com.conf;
      include /usr/local/nginx/conf/pre-staticfiles-global.conf;
      include /usr/local/nginx/conf/staticfiles.conf;
      # drop.conf: deny rules for dotfiles and similar paths (see Centmin Mod docs).
      include /usr/local/nginx/conf/drop.conf;
      #include /usr/local/nginx/conf/errorpage.conf;
      include /usr/local/nginx/conf/vts_server.conf;
    }
    
     
  2. eva2000

    eva2000 Administrator Staff Member

    It seems you have an invalid IPv6 address DNS entry for your domain according to ssllabs SSL Server Test: comixat.com (Powered by Qualys SSL Labs), so letsencrypt domain verification probably failed when it went to check your domain. Alternatively, IPv6 networking on your server is not working properly, in which case you need to contact your web host or fix it yourself.

    upload_2018-11-23_8-38-41.png

    If you don't use IPv6, then do not setup a DNS AAAA IPv6 record.

    • If you ran centmin.sh menu option 2 or 22, which letsencrypt option did you select from the prompt below?
      Code (Text):
      -------------------------------------------------------------
      Setup full Nginx vhost + Wordpress + WP Plugins
      -------------------------------------------------------------
      
      Enter vhost domain name you want to add (without www. prefix): acme3.domain1.com
      
      Create a self-signed SSL certificate Nginx vhost? [y/n]: n
      Get Letsencrypt SSL certificate Nginx vhost? [y/n]: y
      
      You have 4 options:
      1. issue staging test cert with HTTP + HTTPS
      2. issue staging test cert with HTTPS default
      3. issue live cert with HTTP + HTTPS
      4. issue live cert with HTTPS default
      Enter option number 1-4: 1
      

    Centmin Mod Self-Signed SSL Fallback



    If you're seeing a Centmin Mod self-signed ssl certificate instead of a letsencrypt ssl certificate, that is the acmetool.sh and centminmod fallback: if letsencrypt verification fails to obtain a letsencrypt ssl cert, it falls back to a centmin mod self-signed ssl certificate on the https port 443 side, so as to preserve the https nginx vhost.

    Troubleshooting



    There are various steps you can take to troubleshoot failed letsencrypt issuances, renewals, reissues etc.
    • acmetool.sh logs all command line or shell menu runs to log files at /root/centminlogs. To troubleshoot, copy the contents of the log for the run and post them to pastebin.com or gist.github.com, then share the link in this thread. To find the log, list the logs in ascending date order:
      Code (Text):
      ls -lahrt /root/centminlogs
      .
    • For direct acmetool.sh runs, there should be a 2nd & 3rd & 4th log in format /root/centminlogs/centminmod_${DT}_nginx_addvhost_nv.log and /root/centminlogs/acmetool.sh-debug-log-$DT.log and /root/centminlogs/acmesh-issue_*.log or /root/centminlogs/acmesh-reissue_*.log which would need to be included via separate pastebin.com or gist.github.com post.
    • Enable acmetool.sh debug mode. In the persistent config file at /etc/centminmod/custom_config.inc (create it if it doesn't exist), add and enable acmetool.sh debug mode, which gives much more verbose letsencrypt issuance process information when you re-run acmetool.sh, centmin.sh menu options 2 or 22, or the /usr/bin/nv command line.
      Code (Text):
      ACMEDEBUG='y'
    Once you fix your invalid domain DNS IPv6 AAAA record, you can re-try centmin.sh menu option 22 after uninstalling/removing the existing wordpress site vhost and its files/directory.

    Every centmin.sh menu option 22 run has an accompanying uninstall script at /root/tools/wp_uninstall_${vhostname}.sh where ${vhostname} = your domain name. You can run that to uninstall almost everything except mysql database which you have to manually remove yourself - extra precaution in case you accidentally run the wrong uninstall script.

    Then you can re-try centmin.sh menu option 22 with the fixed DNS IPv6 AAAA record.
     
  3. eva2000

    eva2000 Administrator Staff Member

    @gamal actually I just updated acmetool.sh to 1.0.47, which supports a reissue-only option, so you DO NOT need to uninstall the wordpress site first: Beta Branch - acmetool.sh 1.0.47 add reissue-only option in 123.09beta01

    Instead, after you fix your domain's IPv6 AAAA DNS record, try the reissue-only command below, where domain.com is replaced with your domain name.
    Code (Text):
    cd /usr/local/src/centminmod/addons
    ./acmetool.sh reissue-only domain.com live
    

    It will only try reissuing the letsencrypt SSL certificate for the domain = domain.com as a live production SSL certificate, without touching any of the existing nginx vhost at domain.com.ssl.conf.
     
  4. gamal

    gamal Member

    I have done exactly the same steps you mentioned; the SSL is still not verified.
     
  5. eva2000

    eva2000 Administrator Staff Member

    And the troubleshooting info/logs from post 2?