Want more timely Centmin Mod News Updates?
Become a Member

SSL Letsencrypt Problem, can't verify the ssl

Discussion in 'Domains, DNS, Email & SSL Certificates' started by R0rke, Jul 23, 2020.

  1. R0rke

    R0rke Member

    163
    20
    18
    Jun 2, 2016
    Iran
    Ratings:
    +34
    Local Time:
    11:01 AM
    1.11.1
    10.1
    Please fill in any relevant information that applies to you:
    • CentOS Version: 7 64bit
    • Centmin Mod Version Installed: 123.09beta01
    • Nginx Version Installed: latest
    • PHP Version Installed: 7.4
    • MariaDB MySQL Version Installed: 10.2.xx
    • When was last time updated Centmin Mod code base ? : recently
    • Persistent Config: Do you have any persistent config file options set in /etc/centminmod/custom_config.inc ? You can check via this command:
      Code (Text):
      NGINX_SSLCACHE_ALLOWOVERRIDE='y'
      SET_DEFAULT_MYSQLCHARSET='utf8mb4'
      AUTOHARDTUNE_NGINXBACKLOG='y'
      ZSTD_LOGROTATE_NGINX='y'
      ZSTD_LOGROTATE_PHPFPM='y'
      #NGINX_ZERODT='y'
      NGINX_LIBBROTLI='y'
      NGXDYNAMIC_BROTLI='y'
      PHP_PGO='y'
      PHP_BROTLI='y'
      PHP_LZFOUR='y'
      PHP_LZF='y'
      PHP_ZSTD='y'
      LETSENCRYPT_DETECT='y'
      DUALCERTS='y'
      AUDITD_ENABLE='y'
      EMAIL='@gmail.com'
      PUSHOVER_EMAIL='@pomail.net'
      ZONEINFO=Asia/Tehran
      CUSTOMSERVERNAME='y'
      CUSTOMSERVERSTRING=''
      NSD_DISABLED='y'
      PUREFTPD_DISABLED='y'
      NSD_INSTALL='n'
      PHPREDIS='y'
      CLOUDFLARE_ZLIB='y'
      CLOUDFLARE_ZLIBPHP='y'
      MARIADB_INSTALLTENTWO='y'
      SELFSIGNEDSSL_C='***'
      SELFSIGNEDSSL_ST='***'
      SELFSIGNEDSSL_L='***'
      SELFSIGNEDSSL_O='***'
      SELFSIGNEDSSL_OU='***'
      
    Debug logs for webroot:

    @eva2000

     
    Last edited: Jul 23, 2020
  2. eva2000

    eva2000 Administrator Staff Member

    46,976
    10,645
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +16,524
    Local Time:
    4:01 AM
    Nginx 1.19.x
    MariaDB 5.5/10.x
    I removed the log as it contained your email address. The log said 403 permission denied when trying to do webroot authentication and validation for your domain. Try testing your domain via the letsdebug.net online testing tool to check for potential errors with HTTP-01 validation. I can see issues which could explain 403 permission denied Let's Debug

    Code (Text):
    [URL='https://letsdebug.net/gamerpa.net/228698#BadRedirect-Error']BadRedirect[/URL]
    ERROR
    Sending an ACME HTTP validation request to gamerpa.net results in an unacceptable redirect. This is most likely a misconfiguration of your web server or your web application.
    Too many (10) redirects, last redirect was to: http://gamerpa.net/.well-known/acme-challenge/letsdebug-test
    
    Trace:
    @0ms: Making a request to http://gamerpa.net/.well-known/acme-challenge/letsdebug-test (using initial IP 2606:4700:3031::6818:6842)
    @0ms: Dialing 2606:4700:3031::6818:6842
    @48ms: Server response: HTTP 302 Moved Temporarily
    @48ms: Received redirect to https://gamerpa.net/.well-known/acme-challenge/letsdebug-test
    @48ms: Dialing 2606:4700:3031::6818:6842
    @64ms: Server response: HTTP 301 Moved Permanently
    @64ms: Received redirect to http://gamerpa.net/.well-known/acme-challenge/letsdebug-test
    @101ms: Server response: HTTP 302 Moved Temporarily
    @101ms: Received redirect to https://gamerpa.net/.well-known/acme-challenge/letsdebug-test
    @105ms: Server response: HTTP 301 Moved Permanently
    @105ms: Received redirect to http://gamerpa.net/.well-known/acme-challenge/letsdebug-test
    @146ms: Server response: HTTP 302 Moved Temporarily
    @146ms: Received redirect to https://gamerpa.net/.well-known/acme-challenge/letsdebug-test
    @151ms: Server response: HTTP 301 Moved Permanently
    @151ms: Received redirect to http://gamerpa.net/.well-known/acme-challenge/letsdebug-test
    @189ms: Server response: HTTP 302 Moved Temporarily
    @189ms: Received redirect to https://gamerpa.net/.well-known/acme-challenge/letsdebug-test
    @193ms: Server response: HTTP 301 Moved Permanently
    @193ms: Received redirect to http://gamerpa.net/.well-known/acme-challenge/letsdebug-test
    @216ms: Server response: HTTP 302 Moved Temporarily
    @216ms: Received redirect to https://gamerpa.net/.well-known/acme-challenge/letsdebug-test
    @222ms: Server response: HTTP 301 Moved Permanently
    

    you're in a redirect loop

    When you create a new nginx vhost domain via centmin.sh menu option 2 or menu option 22 or via /usr/bin/nv cli command line, you will create the Nginx vhost files and directories. You will get an outputted the path location where it will create the domain name's vhost conf file named newdomain.com.conf (and newdomain.com.ssl.conf if you selected yes to self signed SSL)
    • Nginx vhost conf path will be at /usr/local/nginx/conf/conf.d/newdomain.com.conf
    • Nginx HTTP/2 SSL vhost conf path will be at /usr/local/nginx/conf/conf.d/newdomain.com.ssl.conf
    • Nginx Self-Signed SSL Certificate Directory at /usr/local/nginx/conf/ssl/newdomain.com
    • Vhost public web root will be at /home/nginx/domains/newdomain.com/public
    • Vhost log directory will be at /home/nginx/domains/newdomain.com/log
    Please post the contents of /usr/local/nginx/conf/conf.d/newdomain.com.conf and if applicable /usr/local/nginx/conf/conf.d/newdomain.com.ssl.conf wrapped in CODE tags (outlined at How to use forum BBCODE code tags)

    what is output of these commands in ssh
    Code (Text):
    curl -I https://domain.com
    

    Code (Text):
    curl -I https://www.domain.com
    

    Code (Text):
    curl -I http://domain.com
    

    Code (Text):
    curl -I http://www.domain.com
    

    wrap output in CODE tags
     
  3. R0rke

    R0rke Member

    163
    20
    18
    Jun 2, 2016
    Iran
    Ratings:
    +34
    Local Time:
    11:01 AM
    1.11.1
    10.1
    Code (Text):
    #x# HTTPS-DEFAULT
     server {
    
       server_name gamerpa.net www.gamerpa.net;
       return 302 https://gamerpa.net$request_uri;
       include /usr/local/nginx/conf/staticfiles.conf;
     }
    
    server {
      listen 443 ssl http2 reuseport;
      server_name gamerpa.net www.gamerpa.net;
    
      include /usr/local/nginx/conf/ssl/gamerpa.net/gamerpa.net.crt.key.conf;
      include /usr/local/nginx/conf/ssl_include.conf;
    
      # cloudflare authenticated origin pull cert community.centminmod.com/threads/13847/
      #ssl_client_certificate /usr/local/nginx/conf/ssl/cloudflare/gamerpa.net/origin.crt;
      #ssl_verify_client on;
      http2_max_field_size 16k;
      http2_max_header_size 32k;
      http2_max_requests 50000;
      # mozilla recommended
      ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS;
      ssl_prefer_server_ciphers   on;
      #add_header Alternate-Protocol  443:npn-spdy/3;
    
      # before enabling HSTS line below read centminmod.com/nginx_domain_dns_setup.html#hsts
      #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
      #add_header X-Frame-Options SAMEORIGIN;
      add_header X-Xss-Protection "1; mode=block" always;
      add_header X-Content-Type-Options "nosniff" always;
      #add_header Referrer-Policy "strict-origin-when-cross-origin";
      #add_header Feature-Policy "accelerometer 'none'; camera 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; payment 'none'; usb 'none'";
      #spdy_headers_comp 5;
      ssl_buffer_size 1369;
      ssl_session_tickets on;
    
      # enable ocsp stapling
      #resolver 8.8.8.8 8.8.4.4 1.1.1.1 1.0.0.1 valid=10m;
      #resolver_timeout 10s;
      #ssl_stapling on;
      #ssl_stapling_verify on;
    
    # ngx_pagespeed & ngx_pagespeed handler
    #include /usr/local/nginx/conf/pagespeed.conf;
    #include /usr/local/nginx/conf/pagespeedhandler.conf;
    #include /usr/local/nginx/conf/pagespeedstatslog.conf;
    
      # limit_conn limit_per_ip 16;
      # ssi  on;
    
      access_log /home/nginx/domains/gamerpa.net/log/access.log combined buffer=256k flush=5m;
      error_log /home/nginx/domains/gamerpa.net/log/error.log;
    
      include /usr/local/nginx/conf/autoprotect/gamerpa.net/autoprotect-gamerpa.net.conf;
      root /home/nginx/domains/gamerpa.net/public;
      # uncomment cloudflare.conf include if using cloudflare for
      # server and/or vhost site
      #include /usr/local/nginx/conf/cloudflare.conf;
      include /usr/local/nginx/conf/503include-main.conf;
    
      include /usr/local/nginx/conf/wpincludes/gamerpa.net/wpcacheenabler_gamerpa.net.conf;
      #include /usr/local/nginx/conf/wpincludes/gamerpa.net/wpsupercache_gamerpa.net.conf;
      # https://community.centminmod.com/posts/18828/
      #include /usr/local/nginx/conf/wpincludes/gamerpa.net/rediscache_gamerpa.net.conf;
    
      location / {
      include /usr/local/nginx/conf/503include-only.conf;
    
    
      # Enables directory listings when index file not found
      #autoindex  on;
    
      # for wordpress super cache plugin
      #try_files /wp-content/cache/supercache/$http_host/$cache_uri/index.html $uri $uri/ /index.php?q=$uri&$args;
    
      # for wp cache enabler plugin
      try_files $cache_enabler_uri_webp $cache_enabler_uri $uri $uri/ $custom_subdir/index.php?$args;
    
      # Wordpress Permalinks
      #try_files $uri $uri/ /index.php?q=$uri&$args;
    
      # Nginx level redis Wordpress
      # https://community.centminmod.com/posts/18828/
      #try_files $uri $uri/ /index.php?$args;
    
      }
    
    location ~* /(wp-login\.php) {
        limit_req zone=xwplogin burst=1 nodelay;
        #limit_conn xwpconlimit 30;
        #auth_basic "Private";
        #auth_basic_user_file /home/nginx/domains/gamerpa.net/htpasswd_wplogin;
        include /usr/local/nginx/conf/php-wpsc.conf;
    
        # https://community.centminmod.com/posts/18828/
        #include /usr/local/nginx/conf/php-rediscache.conf;
    }
    
    location ~* /(xmlrpc\.php) {
        limit_req zone=xwprpc burst=45 nodelay;
        #limit_conn xwpconlimit 30;
        include /usr/local/nginx/conf/php-wpsc.conf;
    
        # https://community.centminmod.com/posts/18828/
        #include /usr/local/nginx/conf/php-rediscache.conf;
    }
    
    location ~* /wp-admin/(load-scripts\.php) {
        limit_req zone=xwprpc burst=5 nodelay;
        #limit_conn xwpconlimit 30;
        include /usr/local/nginx/conf/php-wpsc.conf;
    
        # https://community.centminmod.com/posts/18828/
        #include /usr/local/nginx/conf/php-rediscache.conf;
    }
    
    location ~* /wp-admin/(load-styles\.php) {
        limit_req zone=xwprpc burst=5 nodelay;
        #limit_conn xwpconlimit 30;
        include /usr/local/nginx/conf/php-wpsc.conf;
    
        # https://community.centminmod.com/posts/18828/
        #include /usr/local/nginx/conf/php-rediscache.conf;
    }
    
      include /usr/local/nginx/conf/wpincludes/gamerpa.net/wpsecure_gamerpa.net.conf;
      include /usr/local/nginx/conf/php-wpsc.conf;
    
      # https://community.centminmod.com/posts/18828/
      #include /usr/local/nginx/conf/php-rediscache.conf;
      include /usr/local/nginx/conf/pre-staticfiles-local-gamerpa.net.conf;
      include /usr/local/nginx/conf/pre-staticfiles-global.conf;
      include /usr/local/nginx/conf/staticfiles.conf;
      include /usr/local/nginx/conf/drop.conf;
      #include /usr/local/nginx/conf/errorpage.conf;
      include /usr/local/nginx/conf/vts_server.conf;
    }
    


    curl https output:
    Code (Text):
    HTTP/1.1 526 Origin SSL Certificate Error
    Date: Thu, 23 Jul 2020 13:24:31 GMT
    Content-Type: text/html
    Connection: keep-alive
    Set-Cookie: __cfduid=d2b7731ff0d832d90d0315e8fb2125f3a1595510671; expires=Sat, 22-Aug-20 13:24:31 GMT; path=/; domain=.gamerpa.net; HttpOnly; SameSite=Lax
    Cache-Control: no-store, no-cache
    cf-request-id: 041d71e0e80000e75476be2200000001
    Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
    Strict-Transport-Security: max-age=2592000; includeSubDomains; preload
    X-Content-Type-Options: nosniff
    Server: cloudflare
    CF-RAY: 5b75b8e178e7e754-EWR
    alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
    

    output for HTTP curl
    Code (Text):
    curl -I http://gamerpa.net
    HTTP/1.1 302 Moved Temporarily
    Date: Thu, 23 Jul 2020 13:25:54 GMT
    Content-Type: text/html
    Connection: keep-alive
    Set-Cookie: __cfduid=d7b7590a9465960af6e31c3c55a236cb61595510754; expires=Sat, 22-Aug-20 13:25:54 GMT; path=/; domain=.gamerpa.net; HttpOnly; SameSite=Lax
    Location: https://gamerpa.net/
    X-Powered-By: centminmod
    CF-Cache-Status: DYNAMIC
    cf-request-id: 041d7326480000e6c0618e1200000001
    X-Content-Type-Options: nosniff
    Server: cloudflare
    CF-RAY: 5b75baea0ce4e6c0-EWR
    alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
    
    
     
    Last edited: Jul 23, 2020
  4. R0rke

    R0rke Member

    163
    20
    18
    Jun 2, 2016
    Iran
    Ratings:
    +34
    Local Time:
    11:01 AM
    1.11.1
    10.1
    tried to remove vhost and create another one but still experiencing this problem
    @eva2000 I also tried to create SSL certificate using web-root but the same problem

    my DNS settings:
    [​IMG]
     
  5. buik

    buik "Nobody who ever gave his best regretted it." Premium Member

    1,408
    383
    83
    Apr 29, 2016
    Flanders
    Ratings:
    +1,191
    Local Time:
    8:01 PM
    I think it's a good idea to mask the domain name in question.
    With a simple DNS history command you can easily attack the origin server.
     
  6. eva2000

    eva2000 Administrator Staff Member

    46,976
    10,645
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +16,524
    Local Time:
    4:01 AM
    Nginx 1.19.x
    MariaDB 5.5/10.x
    in your HTTPS vhost for yourdomain.com.ssl.conf, remove the non-http to https redirect when you're behind Cloudflare
    Code (Text):
    #x# HTTPS-DEFAULT
     server {
    
       server_name gamerpa.net www.gamerpa.net;
       return 302 https://gamerpa.net$request_uri;
       include /usr/local/nginx/conf/staticfiles.conf;
     }
    

    then restart nginx and php-fpm and then set Cloudflare SSL from Flexible to Full non-strict SSL and see if that works. If works then set the non-https to https redirect at Cloudflare level instead of Nginx level.

    Or you could do it the other way, leave nginx 302 redirect in place and set Cloudflare SSL to Full non-strict but then disable Cloudflare level non-https to https redirect (i.e. always HTTPS button)

    What is happening is if you have both Cloudflare non-https to https redirect + nginx non-https to https redirect enabled, then you end up in a redirect loop.
     
  7. R0rke

    R0rke Member

    163
    20
    18
    Jun 2, 2016
    Iran
    Ratings:
    +34
    Local Time:
    11:01 AM
    1.11.1
    10.1
    @eva2000 its already disabled by default!
    edit:
    problem solved I just disable https redirect from Nginx!
     
    Last edited: Jul 24, 2020
  8. eva2000

    eva2000 Administrator Staff Member

    46,976
    10,645
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +16,524
    Local Time:
    4:01 AM
    Nginx 1.19.x
    MariaDB 5.5/10.x
    which is disabled by default ? if it was disabled, the you wouldn't need to remove nginx's non-https to https redirect
     
  9. R0rke

    R0rke Member

    163
    20
    18
    Jun 2, 2016
    Iran
    Ratings:
    +34
    Local Time:
    11:01 AM
    1.11.1
    10.1
    yeah, I know but I don't know why this happened I just disabled Nginx HTTPS redirect and enable it on Cloudflare!
    if I disable Cloudflare's redirect then enable Nginx redirect its goes to redirect loop!

    this is weird :-}
     
  10. eva2000

    eva2000 Administrator Staff Member

    46,976
    10,645
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +16,524
    Local Time:
    4:01 AM
    Nginx 1.19.x
    MariaDB 5.5/10.x
    That would happen if you have CF Flexible SSL and not CF Full non-strict SSL IIRC
     
  11. GASTAN

    GASTAN Member

    94
    12
    8
    Jun 28, 2017
    Ratings:
    +18
    Local Time:
    8:01 PM
    I have the same problem.
    I used option 22 to make subdomain, but Let's Encrypt cert failed, because of too many redirects
    CF has 'Always Use HTTPS' off by default.
    I tried to remove http->https redirect is ssl.conf as suggested, but then the domain does not work at all (I get default nginx Test page)
    I also 'Full' (Encryption in CF) mode, but then main domain as well as older subdomain does not work, as they dont have https :(
     
  12. eva2000

    eva2000 Administrator Staff Member

    46,976
    10,645
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +16,524
    Local Time:
    4:01 AM
    Nginx 1.19.x
    MariaDB 5.5/10.x
    Many reason for failed verification so best to start own thread with info outlined in sticky at SSL - Domains - Letsencrypt - How to troubleshoot Letsencrypt SSL certificate issuance or renewal
     
  13. R0rke

    R0rke Member

    163
    20
    18
    Jun 2, 2016
    Iran
    Ratings:
    +34
    Local Time:
    11:01 AM
    1.11.1
    10.1
    try pausing cloudflare dns only then issue a cert after everything done enable full strict
     
  14. GASTAN

    GASTAN Member

    94
    12
    8
    Jun 28, 2017
    Ratings:
    +18
    Local Time:
    8:01 PM
    I did that and it worked, but because other subdomains are not HTTPS yet, I cannot have it on FULL:(
     
  15. eva2000

    eva2000 Administrator Staff Member

    46,976
    10,645
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +16,524
    Local Time:
    4:01 AM
    Nginx 1.19.x
    MariaDB 5.5/10.x
    set SSL mode at page rule level

    upload_2020-11-10_6-51-25.png
     
  16. GASTAN

    GASTAN Member

    94
    12
    8
    Jun 28, 2017
    Ratings:
    +18
    Local Time:
    8:01 PM
    finally migrated second domain, as WP update stopped site from working, and now I have Full encryption mode in CF and all seems to work. Alas, site is showing CF cert and not Lets Enrypts.

    Also I get B mark in SSL Labs
    upload_2021-7-21_14-54-10.png

    Is that something I should be worried about? Shall I remove TLS 1.0 and 1.1 from nginx ?
     
  17. eva2000

    eva2000 Administrator Staff Member

    46,976
    10,645
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +16,524
    Local Time:
    4:01 AM
    Nginx 1.19.x
    MariaDB 5.5/10.x
    TLS 1.0/1.1 is Cloudflare TLS side you need to set minimum to TLS 1.2 under Cloudflare SSL/TLS -> Edge Certificates tab
     
  18. GASTAN

    GASTAN Member

    94
    12
    8
    Jun 28, 2017
    Ratings:
    +18
    Local Time:
    8:01 PM
    Thank, now I have A.
    I was sort of thinking I will see Let's Encrypts cert and not CFs
    But I noticed WeTransfer has A+ probably because of HSTS.
    Does it make sense to enable it with defaults on CF?
     
  19. eva2000

    eva2000 Administrator Staff Member

    46,976
    10,645
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +16,524
    Local Time:
    4:01 AM
    Nginx 1.19.x
    MariaDB 5.5/10.x
    HSTS header isn't enabled by default as improperly enabling it and not understanding implications of enabling HSTS headers can cause you to DOS attack your own site - denial of service. For example, if you enabled HSTS with max-age = 1yr with include subdomains, it means you're telling web browsers only allow HTTPS version of your site to be accessed to visitors for every domain and subdomain *.domain.com and make it valid and enforceable for 1yr. Removing the HSTS after enabling won't help, as it's permanently cached in a web browser unless visitor clears their HSTS cache.

    Any subdomain or any non-subdomain without HTTPS SSL certificate will be denied access to your site for that 1yr period. So if you only had intention to enable HTTPS for say domain.com, www.domain.com and blog.domain.com but no intention for HTTPS for say host.domain.com, but you enable HSTS with include subdomain option - then you won't be able to access host.domain.com for that full 1yr period and any visitors won't be able to either as it's HSTS flag is cached in each visitor's web browser and you can't clear it on web server or your end. You effectively have DOS attacked your own site and prevented every visitor from accessing non-HTTPS host.domain.com for that 1yr. Sure you can get visitors to clear their HSTS browser cache as outlined below. But how many are tech savy enough and how do you notify those visitors if they can't access host.domain.com ?

    So I leave HSTS add_headers commented out/disabled in Centmin Mod created nginx vhosts by default and let end users like yourself decide if they want to enable HSTS.

    With that said, if you know what these security headers do and their consequences, enable them. I have for this forum https://securityheaders.com/?q=https://community.centminmod.com/&hide=on&followRedirects=on :)

    Same goes for HSTS at Cloudflare level you need to decide yourself but if you plan HTTPS for all sites then it should be fine