
SSL Letsencrypt Phpmyadmin: There is a mismatch between HTTPS indicated on the server and client.

Discussion in 'Add Ons' started by pamamolf, Dec 29, 2019.

  1. pamamolf

    pamamolf Premium Member Premium Member

    3,858
    379
    83
    May 31, 2014
    Ratings:
    +731
    Local Time:
    9:52 AM
    Nginx-1.17.x
    MariaDB 10.3.x
    Please fill in any relevant information that applies to you:
    • CentOS Version: CentOS 7 64bit
    • Centmin Mod Version Installed: 123.09beta01
    • Nginx Version Installed: 1.17.7
    • PHP Version Installed: 7.3.13
    • MariaDB MySQL Version Installed:10.3.21
    • When was last time updated Centmin Mod code base ? : just now

    Hello

    Today I tried to access phpMyAdmin and I got this:

    Welcome to phpMyAdmin

    There is a mismatch between HTTPS indicated on the server and client. This can lead to a non working phpMyAdmin or a security risk. Please fix your server configuration to indicate HTTPS properly.

    I did a check on a server where I use the orange cloud for my hostname at Cloudflare and on one where I don't, and I got the same problem. So the error is the same whether I use the Cloudflare certificate or the Let's Encrypt certificate....

    A long time ago I used your instructions, @eva2000, on how to add https support for the hostname, and it was great until today...

    I also checked whether the certificate was expired or not renewed or something, but it's ok.

    Using the Cloudflare one or Let's Encrypt doesn't help...

    virtual.ssl.conf:
    Code:
    server {
      listen 443 ssl http2;
      server_name server.mydomain.com;
    
      ssl_certificate      /usr/local/nginx/conf/ssl/server.mydomain.com/server.mydomain.com-acme.cer;
      ssl_certificate_key  /usr/local/nginx/conf/ssl/server.mydomain.com/server.mydomain.com-acme.key;
      ssl_certificate_key  /usr/local/nginx/conf/ssl/server.mydomain.com/server.mydomain.com.key;
      include /usr/local/nginx/conf/ssl_include.conf;
    
      keepalive_timeout 3000;
      client_body_buffer_size 256k;
      client_body_timeout 3000s;
      client_header_buffer_size 256k;
      ## how long a connection has to complete sending
      ## it's headers for request to be processed
      client_header_timeout 60s;
      client_max_body_size 512m;
      connection_pool_size 512;
      directio 512m;
      ignore_invalid_headers on;
      large_client_header_buffers 8 256k;
    
      http2_max_field_size 16k;
      http2_max_header_size 32k;
      # dual cert supported ssl ciphers
      ssl_ciphers     EECDH+CHACHA20-draft:EECDH+CHACHA20:EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA256:EECDH+ECDSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+SHA384:EECDH+AES128:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!CAMELLIA;
      ssl_prefer_server_ciphers   on;
      #add_header Alternate-Protocol  443:npn-spdy/3;
      #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
      #add_header X-Frame-Options SAMEORIGIN;
      #add_header X-Xss-Protection "1; mode=block" always;
      #add_header X-Content-Type-Options "nosniff" always;
      #spdy_headers_comp 5;
      ssl_buffer_size 1369;
      ssl_session_tickets on;
    
      # enable ocsp stapling
      resolver 8.8.8.8 8.8.4.4 valid=10m;
      resolver_timeout 10s;
      ssl_stapling on;
      ssl_stapling_verify on;
      ssl_trusted_certificate /usr/local/nginx/conf/ssl/server.mydomain.com/server.mydomain.com-acme.cer;
    
            root   html;
            access_log              /var/log/nginx/localhost.access.log     main;
            error_log               /var/log/nginx/localhost.error.log      error;
    
    # ngx_pagespeed & ngx_pagespeed handler
    #include /usr/local/nginx/conf/pagespeed.conf;
    #include /usr/local/nginx/conf/pagespeedhandler.conf;
    #include /usr/local/nginx/conf/pagespeedstatslog.conf;
    
    # limit_conn limit_per_ip 16;
    # ssi  on;
    
            location /nginx_status {
            stub_status on;
            access_log   off;
            allow 127.0.0.1;
            #allow youripaddress;
            deny all;
            }
    
                location / {
    
    # block common exploits, sql injections etc
    #include /usr/local/nginx/conf/block.conf;
    
    #Enables directory listings when index file not found
    #autoindex  on;
     
                }
    
    include /usr/local/nginx/conf/staticfiles.conf;
    include /usr/local/nginx/conf/include_opcache.conf;
    include /usr/local/nginx/conf/php.conf;
    #include /usr/local/nginx/conf/phpstatus.conf;
    include /usr/local/nginx/conf/drop.conf;
    #include /usr/local/nginx/conf/errorpage.conf;
    #include /usr/local/nginx/conf/vts_mainserver.conf;
    
           }
    Don't know if an autoupdate of phpMyAdmin changed something :(
     
    Last edited: Dec 29, 2019
  2. pamamolf

    I think the problem is related to the auto update (using the cron) two days ago to the latest version, phpMyAdmin 5.0.0, and that caused the issue... or maybe there was a conflict, as they released 4.9.3 for the old version at the same time...?

    It would be great if we could fix this error and move to the latest version 5.
     
  3. eva2000

    eva2000 Administrator Staff Member

    45,415
    10,303
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +15,982
    Local Time:
    4:52 PM
    Nginx 1.19.x
    MariaDB 5.5/10.x
    When you run the command below to check letsencrypt SSL certificates issued and installed within nginx vhost sites, do you get more than one nginx vhost site listed?
    Code (Text):
    echo y | /usr/local/src/centminmod/addons/acmetool.sh checkdates


    It could be that phpmyadmin's check isn't SNI aware, so it can't tell the difference between multiple SSL enabled domains sharing the same IP address - so it checks the server's default SSL domain SSL cert, which may not be the same as the intended domain's SSL cert (phpmyadmin's is main hostname = domain to check).

    Or it could be related to phpmyadmin's new feature with the HTTPS check reporting false positives, at "server-side HTTPS detection misses support for Forwarded HTTP Extension (RFC 7239) · Issue #15200 · phpmyadmin/phpmyadmin".

    Probably the latter, will need to investigate on my end what changed in phpmyadmin 5.x
     
  4. pamamolf

    Yes, I can see my domain and hostname and another one...

    The problem started when the latest version was installed automatically from the cron....

    Also, if I try to log in, phpMyAdmin is not usable at all :(

    So I can't use it and just ignore that message.

    Thanks !
     
    Last edited: Dec 29, 2019
  5. jcat

    jcat Member

    130
    18
    18
    Jun 21, 2015
    New Jersey
    Ratings:
    +49
    Local Time:
    2:52 AM
    We have this same problem on many servers, it's not related to SSL. Go into the phpmyadmin directory and run:

    Note: I commented out the rm and chown commands to ensure you are indeed in the directory
    /usr/local/nginx/html/*_mysqladmin*

    Code:
    mv config.inc.php ..
    # rm -rf * # uncomment when you are sure you are in the right directory
    wget https://files.phpmyadmin.net/phpMyAdmin/5.0.0/phpMyAdmin-5.0.0-all-languages.zip
    unzip phpMyAdmin-5.0.0-all-languages.zip
    mv phpMyAdmin-5.0.0-all-languages/* .
    rm -rf phpMyAdmin-5.0.0-all-languages*
    mv ../config.inc.php .
    # chown -R nginx: . # uncomment when you are sure you are in the right directory
    npreload
    
    That will fix it; however, there is still a new problem: if you try to export a database, it throws a 500 error:

    Code:
    [28-Dec-2019 23:18:27 UTC] PHP Fatal error:  Uncaught TypeError: set_time_limit() expects parameter 1 to be integer, string given in /usr/local/nginx/html/25218_mysqladmin106/libraries/classes/Util.php:4842
    Stack trace:
    #0 /usr/local/nginx/html/25218_mysqladmin106/libraries/classes/Util.php(4842): set_time_limit('28800')
    #1 /usr/local/nginx/html/25218_mysqladmin106/export.php(333): PhpMyAdmin\Util::setTimeLimit()
    #2 {main}
      thrown in /usr/local/nginx/html/25218_mysqladmin106/libraries/classes/Util.php on line 4842
    
    So you are honestly better off just rolling back to 4.x and removing the cronjob that updates phpmyadmin for now. Had to fix 20-30 of these in the past few days =X


    Tested and working:

    Code:
    mv config.inc.php ..
    # rm -rf * # uncomment when you are sure you are in the right directory
    wget https://files.phpmyadmin.net/phpMyAdmin/4.9.3/phpMyAdmin-4.9.3-all-languages.zip
    unzip phpMyAdmin-4.9.3-all-languages.zip
    mv phpMyAdmin-4.9.3-all-languages/* .
    rm -rf phpMyAdmin-4.9.3-all-languages*
    mv ../config.inc.php .
    # chown -R nginx: . # uncomment when you are sure you are in the right directory
    npreload
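
Added example (not part of jcat's post and not Centmin Mod's own code): the manual reinstall above with the two checks it leaves to the operator made explicit, namely that the target really is a `*_mysqladmin*` directory holding `config.inc.php` before anything is deleted, and that the downloaded zip matches a SHA-256 digest the operator supplies. The function names, the staging directory and the operator-supplied digest are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. Function names are hypothetical.

# True only if $1 is a directory named *_mysqladmin* that holds config.inc.php.
is_pma_dir() {
  local dir
  [ -d "$1" ] || return 1
  dir=$(cd "$1" 2>/dev/null && pwd -P) || return 1
  case "${dir##*/}" in
    *_mysqladmin*) ;;
    *) return 1 ;;
  esac
  [ -f "$dir/config.inc.php" ]
}

# True only if the SHA-256 of file $1 equals hex digest $2 (any case).
verify_sha256() {
  local expected actual
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  actual=$(sha256sum "$1" 2>/dev/null | awk '{print $1}')
  [ -n "$expected" ] && [ "$actual" = "$expected" ]
}

# Replace the contents of directory $1 with the release in zip $2, whose
# expected SHA-256 is $3 (supplied by the operator), keeping config.inc.php.
reinstall_pma() {
  local pma_dir="$1" zip="$2" sha="$3" stage
  is_pma_dir "$pma_dir" || { echo "refusing: $pma_dir is not a phpMyAdmin dir" >&2; return 1; }
  verify_sha256 "$zip" "$sha" || { echo "refusing: checksum mismatch for $zip" >&2; return 1; }
  stage=$(mktemp -d) || return 1
  unzip -q "$zip" -d "$stage" || { rm -rf "$stage"; return 1; }
  cp -p "$pma_dir/config.inc.php" "$stage/config.inc.php.keep" || return 1
  # Delete only inside the verified directory, then copy the new tree in.
  find "$pma_dir" -mindepth 1 -delete
  cp -a "$stage"/*/. "$pma_dir"/
  mv "$stage/config.inc.php.keep" "$pma_dir/config.inc.php"
  rm -rf "$stage"
  chown -R nginx: "$pma_dir"   # same ownership as in the post
}

# Usage (as root), followed by npreload as in the post:
#   reinstall_pma /usr/local/nginx/html/<id>_mysqladmin<id> phpMyAdmin-4.9.3-all-languages.zip <sha256>
```

Both refusals happen before the first destructive step, so a wrong working directory or a truncated download leaves the existing install untouched.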
     
  6. eva2000

    Thanks @jcat, looks like the issue is with phpmyadmin 5.0, so I created phpmyadmin-4.9.sh, which installs the 4.9.3 tagged repo for now to test/verify the issue only. You eventually do want phpmyadmin 5 for latest updates/security though. This is just to verify if things work on the older 4.9.3
    Code (Text):
    # uninstall existing phpmyadmin install
    /root/tools/phpmyadmin_uninstall.sh
    
    # download phpmyadmin-4.9.sh renamed as phpmyadmin.sh
    cd /usr/local/src/centminmod/addons
    wget --no-check-certificate https://github.com/centminmod/phpmyadmin/raw/master/phpmyadmin-4.9.sh -O phpmyadmin.sh
    
    # permissions
    chmod 0700 /usr/local/src/centminmod/addons/phpmyadmin.sh
    
    # install phpmyadmin 4.9.3
    ./phpmyadmin.sh install
    
     
  7. pamamolf

    I got this when I ran the installer:

    Code:
    Warning: detected possible duplicate server_name entry
    main hostname vhost server_name value has to be unique
    and separate from any other nginx vhost site you addded
    Check your server_name in /usr/local/nginx/conf/conf.d/virtual.conf
    read Step 1 of Getting Started Guide for main hostname
    proper setup https://centminmod.com/getstarted.html
    But I think that file is not in use, as I have the virtual.ssl.conf?

    Should I rename the virtual.conf?
     
  8. eva2000

    Your manual main hostname letsencrypt setup will conflict with phpmyadmin.sh installs, as phpmyadmin.sh has its own self-signed SSL vhost setup, so you need to reverse the manual main hostname letsencrypt setup for the uninstall/reinstall part first.
     
  9. pamamolf

    Yes, it works! No issues at all using your script for the 4.x installation.

    So it seems that the issue is related to the latest v5.0...

    Let's hope that we will have a fix asap :)
     
  10. pamamolf

    @jcat

    Did you report the database export issue so they can fix it?
     
  11. eva2000

    Thanks for confirmation.

    FYI, if you're behind Cloudflare and don't want to expose your main hostname/real IP, generally you don't want a real SSL cert on the main hostname, as you expose that main hostname via public SSL certificate transparency logs for lookups when a letsencrypt or any trusted SSL certificate is issued for a domain name. Self-signed SSL certs aren't logged in public SSL certificate transparency logs for lookup. And putting the main hostname behind Cloudflare isn't an option if you rely on server postfix outbound emails being reliably delivered, as receiving mailservers can't do a DNS lookup of the main hostname to validate that the mail server main hostname is the same IP as the DNS - unless of course you set up a postfix relay to a 3rd party SMTP server like AWS SES. Generally, your web app end would support 3rd party SMTP servers like AWS SES, which is the only one to hide the real IP when sending emails, so emails from the web app end hide your real IP. Other 3rd party SMTP servers like mailgun/sendgrid etc pass your real server IP in mail headers.
     
    Last edited: Dec 29, 2019
  12. pamamolf

    I was trying to avoid the ugly warning about the certificate not being valid, which I had to accept every time....

    Ok thanks for the info :)

    Let's hope that they will fix v5 so we can use it :)
     
  13. eva2000

    Well, Centmin Mod isn't for shared hosting, so as the only person accessing the phpmyadmin install via self-signed SSL, it shouldn't be a problem, just ignore the warning and proceed :)
     
  14. Manoj malviya

    Manoj malviya New Member

    19
    1
    3
    Dec 21, 2019
    Ratings:
    +1
    Local Time:
    12:22 PM
    1.17.6
    10.3.20

    Thanks, this is working.
     
  15. pamamolf

  16. Manoj malviya

  17. pamamolf

    @eva2000

    The solution posted at Phpmyadmin is:
    Can you please add that yarn command after git pull to see if that fixes the problem for Centminmod users also?

    If yes then we can enable the auto update cron and get the latest version :)

    Thanks
     
  18. eva2000

  19. pamamolf

    I thought it was for the mismatch error :(
     
  20. eva2000

    Oh, actually doing yarn install does fix phpmyadmin 5's mismatch errors, it seems! Interesting :)