SSL Letsencrypt Problem, can't verify the ssl

R0rke · Jul 23, 2020

Please fill in any relevant information that applies to you:
CentOS Version: 7 64bit

Centmin Mod Version Installed: 123.09beta01

Nginx Version Installed: latest

PHP Version Installed: 7.4

MariaDB MySQL Version Installed: 10.2.xx

When was last time updated Centmin Mod code base ? : recently
Persistent Config: Do you have any persistent config file options set in /etc/centminmod/custom_config.inc ? You can check via this command:
Code (Text):
NGINX_SSLCACHE_ALLOWOVERRIDE='y'
SET_DEFAULT_MYSQLCHARSET='utf8mb4'
AUTOHARDTUNE_NGINXBACKLOG='y'
ZSTD_LOGROTATE_NGINX='y'
ZSTD_LOGROTATE_PHPFPM='y'
#NGINX_ZERODT='y'
NGINX_LIBBROTLI='y'
NGXDYNAMIC_BROTLI='y'
PHP_PGO='y'
PHP_BROTLI='y'
PHP_LZFOUR='y'
PHP_LZF='y'
PHP_ZSTD='y'
LETSENCRYPT_DETECT='y'
DUALCERTS='y'
AUDITD_ENABLE='y'
EMAIL='@gmail.com'
PUSHOVER_EMAIL='@pomail.net'
ZONEINFO=Asia/Tehran
CUSTOMSERVERNAME='y'
CUSTOMSERVERSTRING=''
NSD_DISABLED='y'
PUREFTPD_DISABLED='y'
NSD_INSTALL='n'
PHPREDIS='y'
CLOUDFLARE_ZLIB='y'
CLOUDFLARE_ZLIBPHP='y'
MARIADB_INSTALLTENTWO='y'
SELFSIGNEDSSL_C='***'
SELFSIGNEDSSL_ST='***'
SELFSIGNEDSSL_L='***'
SELFSIGNEDSSL_O='***'
SELFSIGNEDSSL_OU='***'
Debug logs for webroot:

@eva2000

eva2000 · Jul 23, 2020

I removed the log as it contained your email address. The log said 403 permission denied when trying to do webroot authentication and validation for your domain. Try testing your domain via the letsdebug.net online testing tool to check for potential errors with HTTP-01 validation. I can see issues which could explain 403 permission denied Let's Debug
Code (Text):
[URL='https://letsdebug.net/gamerpa.net/228698#BadRedirect-Error']BadRedirect[/URL]
ERROR
Sending an ACME HTTP validation request to gamerpa.net results in an unacceptable redirect. This is most likely a misconfiguration of your web server or your web application.
Too many (10) redirects, last redirect was to: http://gamerpa.net/.well-known/acme-challenge/letsdebug-test

Trace:
@0ms: Making a request to http://gamerpa.net/.well-known/acme-challenge/letsdebug-test (using initial IP 2606:4700:3031::6818:6842)
@0ms: Dialing 2606:4700:3031::6818:6842
@48ms: Server response: HTTP 302 Moved Temporarily
@48ms: Received redirect to https://gamerpa.net/.well-known/acme-challenge/letsdebug-test
@48ms: Dialing 2606:4700:3031::6818:6842
@64ms: Server response: HTTP 301 Moved Permanently
@64ms: Received redirect to http://gamerpa.net/.well-known/acme-challenge/letsdebug-test
@101ms: Server response: HTTP 302 Moved Temporarily
@101ms: Received redirect to https://gamerpa.net/.well-known/acme-challenge/letsdebug-test
@105ms: Server response: HTTP 301 Moved Permanently
@105ms: Received redirect to http://gamerpa.net/.well-known/acme-challenge/letsdebug-test
@146ms: Server response: HTTP 302 Moved Temporarily
@146ms: Received redirect to https://gamerpa.net/.well-known/acme-challenge/letsdebug-test
@151ms: Server response: HTTP 301 Moved Permanently
@151ms: Received redirect to http://gamerpa.net/.well-known/acme-challenge/letsdebug-test
@189ms: Server response: HTTP 302 Moved Temporarily
@189ms: Received redirect to https://gamerpa.net/.well-known/acme-challenge/letsdebug-test
@193ms: Server response: HTTP 301 Moved Permanently
@193ms: Received redirect to http://gamerpa.net/.well-known/acme-challenge/letsdebug-test
@216ms: Server response: HTTP 302 Moved Temporarily
@216ms: Received redirect to https://gamerpa.net/.well-known/acme-challenge/letsdebug-test
@222ms: Server response: HTTP 301 Moved Permanently
you're in a redirect loop

When you create a new nginx vhost domain via centmin.sh menu option 2 or menu option 22 or via /usr/bin/nv cli command line, you will create the Nginx vhost files and directories. You will get an outputted the path location where it will create the domain name's vhost conf file named newdomain.com.conf (and newdomain.com.ssl.conf if you selected yes to self signed SSL)

Nginx vhost conf path will be at /usr/local/nginx/conf/conf.d/newdomain.com.conf

Nginx HTTP/2 SSL vhost conf path will be at /usr/local/nginx/conf/conf.d/newdomain.com.ssl.conf

Nginx Self-Signed SSL Certificate Directory at /usr/local/nginx/conf/ssl/newdomain.com

Vhost public web root will be at /home/nginx/domains/newdomain.com/public

Vhost log directory will be at /home/nginx/domains/newdomain.com/log

Please post the contents of /usr/local/nginx/conf/conf.d/newdomain.com.conf and if applicable /usr/local/nginx/conf/conf.d/newdomain.com.ssl.conf wrapped in CODE tags (outlined at How to use forum BBCODE code tags)

what is output of these commands in ssh
Code (Text):
curl -I https://domain.com
Code (Text):
curl -I https://www.domain.com
Code (Text):
curl -I http://domain.com
Code (Text):
curl -I http://www.domain.com
wrap output in CODE tags

R0rke · Jul 23, 2020

Code (Text):

#x# HTTPS-DEFAULT
 server {

   server_name gamerpa.net www.gamerpa.net;
   return 302 https://gamerpa.net$request_uri;
   include /usr/local/nginx/conf/staticfiles.conf;
 }

server {
  listen 443 ssl http2 reuseport;
  server_name gamerpa.net www.gamerpa.net;

  include /usr/local/nginx/conf/ssl/gamerpa.net/gamerpa.net.crt.key.conf;
  include /usr/local/nginx/conf/ssl_include.conf;

  # cloudflare authenticated origin pull cert community.centminmod.com/threads/13847/
  #ssl_client_certificate /usr/local/nginx/conf/ssl/cloudflare/gamerpa.net/origin.crt;
  #ssl_verify_client on;
  http2_max_field_size 16k;
  http2_max_header_size 32k;
  http2_max_requests 50000;
  # mozilla recommended
  ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS;
  ssl_prefer_server_ciphers   on;
  #add_header Alternate-Protocol  443:npn-spdy/3;

  # before enabling HSTS line below read centminmod.com/nginx_domain_dns_setup.html#hsts
  #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
  #add_header X-Frame-Options SAMEORIGIN;
  add_header X-Xss-Protection "1; mode=block" always;
  add_header X-Content-Type-Options "nosniff" always;
  #add_header Referrer-Policy "strict-origin-when-cross-origin";
  #add_header Feature-Policy "accelerometer 'none'; camera 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; payment 'none'; usb 'none'";
  #spdy_headers_comp 5;
  ssl_buffer_size 1369;
  ssl_session_tickets on;

  # enable ocsp stapling
  #resolver 8.8.8.8 8.8.4.4 1.1.1.1 1.0.0.1 valid=10m;
  #resolver_timeout 10s;
  #ssl_stapling on;
  #ssl_stapling_verify on;

# ngx_pagespeed & ngx_pagespeed handler
#include /usr/local/nginx/conf/pagespeed.conf;
#include /usr/local/nginx/conf/pagespeedhandler.conf;
#include /usr/local/nginx/conf/pagespeedstatslog.conf;

  # limit_conn limit_per_ip 16;
  # ssi  on;

  access_log /home/nginx/domains/gamerpa.net/log/access.log combined buffer=256k flush=5m;
  error_log /home/nginx/domains/gamerpa.net/log/error.log;

  include /usr/local/nginx/conf/autoprotect/gamerpa.net/autoprotect-gamerpa.net.conf;
  root /home/nginx/domains/gamerpa.net/public;
  # uncomment cloudflare.conf include if using cloudflare for
  # server and/or vhost site
  #include /usr/local/nginx/conf/cloudflare.conf;
  include /usr/local/nginx/conf/503include-main.conf;

  include /usr/local/nginx/conf/wpincludes/gamerpa.net/wpcacheenabler_gamerpa.net.conf;
  #include /usr/local/nginx/conf/wpincludes/gamerpa.net/wpsupercache_gamerpa.net.conf;
  # https://community.centminmod.com/posts/18828/
  #include /usr/local/nginx/conf/wpincludes/gamerpa.net/rediscache_gamerpa.net.conf;

  location / {
  include /usr/local/nginx/conf/503include-only.conf;


  # Enables directory listings when index file not found
  #autoindex  on;

  # for wordpress super cache plugin
  #try_files /wp-content/cache/supercache/$http_host/$cache_uri/index.html $uri $uri/ /index.php?q=$uri&$args;

  # for wp cache enabler plugin
  try_files $cache_enabler_uri_webp $cache_enabler_uri $uri $uri/ $custom_subdir/index.php?$args;

  # Wordpress Permalinks
  #try_files $uri $uri/ /index.php?q=$uri&$args;

  # Nginx level redis Wordpress
  # https://community.centminmod.com/posts/18828/
  #try_files $uri $uri/ /index.php?$args;

  }

location ~* /(wp-login\.php) {
    limit_req zone=xwplogin burst=1 nodelay;
    #limit_conn xwpconlimit 30;
    #auth_basic "Private";
    #auth_basic_user_file /home/nginx/domains/gamerpa.net/htpasswd_wplogin;
    include /usr/local/nginx/conf/php-wpsc.conf;

    # https://community.centminmod.com/posts/18828/
    #include /usr/local/nginx/conf/php-rediscache.conf;
}

location ~* /(xmlrpc\.php) {
    limit_req zone=xwprpc burst=45 nodelay;
    #limit_conn xwpconlimit 30;
    include /usr/local/nginx/conf/php-wpsc.conf;

    # https://community.centminmod.com/posts/18828/
    #include /usr/local/nginx/conf/php-rediscache.conf;
}

location ~* /wp-admin/(load-scripts\.php) {
    limit_req zone=xwprpc burst=5 nodelay;
    #limit_conn xwpconlimit 30;
    include /usr/local/nginx/conf/php-wpsc.conf;

    # https://community.centminmod.com/posts/18828/
    #include /usr/local/nginx/conf/php-rediscache.conf;
}

location ~* /wp-admin/(load-styles\.php) {
    limit_req zone=xwprpc burst=5 nodelay;
    #limit_conn xwpconlimit 30;
    include /usr/local/nginx/conf/php-wpsc.conf;

    # https://community.centminmod.com/posts/18828/
    #include /usr/local/nginx/conf/php-rediscache.conf;
}

  include /usr/local/nginx/conf/wpincludes/gamerpa.net/wpsecure_gamerpa.net.conf;
  include /usr/local/nginx/conf/php-wpsc.conf;

  # https://community.centminmod.com/posts/18828/
  #include /usr/local/nginx/conf/php-rediscache.conf;
  include /usr/local/nginx/conf/pre-staticfiles-local-gamerpa.net.conf;
  include /usr/local/nginx/conf/pre-staticfiles-global.conf;
  include /usr/local/nginx/conf/staticfiles.conf;
  include /usr/local/nginx/conf/drop.conf;
  #include /usr/local/nginx/conf/errorpage.conf;
  include /usr/local/nginx/conf/vts_server.conf;
}

curl https output:

Code (Text):

HTTP/1.1 526 Origin SSL Certificate Error
Date: Thu, 23 Jul 2020 13:24:31 GMT
Content-Type: text/html
Connection: keep-alive
Set-Cookie: __cfduid=d2b7731ff0d832d90d0315e8fb2125f3a1595510671; expires=Sat, 22-Aug-20 13:24:31 GMT; path=/; domain=.gamerpa.net; HttpOnly; SameSite=Lax
Cache-Control: no-store, no-cache
cf-request-id: 041d71e0e80000e75476be2200000001
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Strict-Transport-Security: max-age=2592000; includeSubDomains; preload
X-Content-Type-Options: nosniff
Server: cloudflare
CF-RAY: 5b75b8e178e7e754-EWR
alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400

output for HTTP curl

Code (Text):

curl -I http://gamerpa.net
HTTP/1.1 302 Moved Temporarily
Date: Thu, 23 Jul 2020 13:25:54 GMT
Content-Type: text/html
Connection: keep-alive
Set-Cookie: __cfduid=d7b7590a9465960af6e31c3c55a236cb61595510754; expires=Sat, 22-Aug-20 13:25:54 GMT; path=/; domain=.gamerpa.net; HttpOnly; SameSite=Lax
Location: https://gamerpa.net/
X-Powered-By: centminmod
CF-Cache-Status: DYNAMIC
cf-request-id: 041d7326480000e6c0618e1200000001
X-Content-Type-Options: nosniff
Server: cloudflare
CF-RAY: 5b75baea0ce4e6c0-EWR
alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400

R0rke · Jul 23, 2020

tried to remove vhost and create another one but still experiencing this problem
@eva2000 I also tried to create SSL certificate using web-root but the same problem

my DNS settings:

buik · Jul 24, 2020

I think it's a good idea to mask the domain name in question.
With a simple DNS history command you can easily attack the origin server.

eva2000 · Jul 24, 2020

R0rke said: ↑

Code (Text):

#x# HTTPS-DEFAULT
 server {

   server_name gamerpa.net www.gamerpa.net;
   return 302 https://gamerpa.net$request_uri;
   include /usr/local/nginx/conf/staticfiles.conf;
 }

server {
  listen 443 ssl http2 reuseport;
  server_name gamerpa.net www.gamerpa.net;

  include /usr/local/nginx/conf/ssl/gamerpa.net/gamerpa.net.crt.key.conf;
  include /usr/local/nginx/conf/ssl_include.conf;

  # cloudflare authenticated origin pull cert community.centminmod.com/threads/13847/
  #ssl_client_certificate /usr/local/nginx/conf/ssl/cloudflare/gamerpa.net/origin.crt;
  #ssl_verify_client on;
  http2_max_field_size 16k;
  http2_max_header_size 32k;
  http2_max_requests 50000;
  # mozilla recommended
  ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS;
  ssl_prefer_server_ciphers   on;
  #add_header Alternate-Protocol  443:npn-spdy/3;

  # before enabling HSTS line below read centminmod.com/nginx_domain_dns_setup.html#hsts
  #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
  #add_header X-Frame-Options SAMEORIGIN;
  add_header X-Xss-Protection "1; mode=block" always;
  add_header X-Content-Type-Options "nosniff" always;
  #add_header Referrer-Policy "strict-origin-when-cross-origin";
  #add_header Feature-Policy "accelerometer 'none'; camera 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; payment 'none'; usb 'none'";
  #spdy_headers_comp 5;
  ssl_buffer_size 1369;
  ssl_session_tickets on;

  # enable ocsp stapling
  #resolver 8.8.8.8 8.8.4.4 1.1.1.1 1.0.0.1 valid=10m;
  #resolver_timeout 10s;
  #ssl_stapling on;
  #ssl_stapling_verify on;

# ngx_pagespeed & ngx_pagespeed handler
#include /usr/local/nginx/conf/pagespeed.conf;
#include /usr/local/nginx/conf/pagespeedhandler.conf;
#include /usr/local/nginx/conf/pagespeedstatslog.conf;

  # limit_conn limit_per_ip 16;
  # ssi  on;

  access_log /home/nginx/domains/gamerpa.net/log/access.log combined buffer=256k flush=5m;
  error_log /home/nginx/domains/gamerpa.net/log/error.log;

  include /usr/local/nginx/conf/autoprotect/gamerpa.net/autoprotect-gamerpa.net.conf;
  root /home/nginx/domains/gamerpa.net/public;
  # uncomment cloudflare.conf include if using cloudflare for
  # server and/or vhost site
  #include /usr/local/nginx/conf/cloudflare.conf;
  include /usr/local/nginx/conf/503include-main.conf;

  include /usr/local/nginx/conf/wpincludes/gamerpa.net/wpcacheenabler_gamerpa.net.conf;
  #include /usr/local/nginx/conf/wpincludes/gamerpa.net/wpsupercache_gamerpa.net.conf;
  # https://community.centminmod.com/posts/18828/
  #include /usr/local/nginx/conf/wpincludes/gamerpa.net/rediscache_gamerpa.net.conf;

  location / {
  include /usr/local/nginx/conf/503include-only.conf;


  # Enables directory listings when index file not found
  #autoindex  on;

  # for wordpress super cache plugin
  #try_files /wp-content/cache/supercache/$http_host/$cache_uri/index.html $uri $uri/ /index.php?q=$uri&$args;

  # for wp cache enabler plugin
  try_files $cache_enabler_uri_webp $cache_enabler_uri $uri $uri/ $custom_subdir/index.php?$args;

  # Wordpress Permalinks
  #try_files $uri $uri/ /index.php?q=$uri&$args;

  # Nginx level redis Wordpress
  # https://community.centminmod.com/posts/18828/
  #try_files $uri $uri/ /index.php?$args;

  }

location ~* /(wp-login\.php) {
    limit_req zone=xwplogin burst=1 nodelay;
    #limit_conn xwpconlimit 30;
    #auth_basic "Private";
    #auth_basic_user_file /home/nginx/domains/gamerpa.net/htpasswd_wplogin;
    include /usr/local/nginx/conf/php-wpsc.conf;

    # https://community.centminmod.com/posts/18828/
    #include /usr/local/nginx/conf/php-rediscache.conf;
}

location ~* /(xmlrpc\.php) {
    limit_req zone=xwprpc burst=45 nodelay;
    #limit_conn xwpconlimit 30;
    include /usr/local/nginx/conf/php-wpsc.conf;

    # https://community.centminmod.com/posts/18828/
    #include /usr/local/nginx/conf/php-rediscache.conf;
}

location ~* /wp-admin/(load-scripts\.php) {
    limit_req zone=xwprpc burst=5 nodelay;
    #limit_conn xwpconlimit 30;
    include /usr/local/nginx/conf/php-wpsc.conf;

    # https://community.centminmod.com/posts/18828/
    #include /usr/local/nginx/conf/php-rediscache.conf;
}

location ~* /wp-admin/(load-styles\.php) {
    limit_req zone=xwprpc burst=5 nodelay;
    #limit_conn xwpconlimit 30;
    include /usr/local/nginx/conf/php-wpsc.conf;

    # https://community.centminmod.com/posts/18828/
    #include /usr/local/nginx/conf/php-rediscache.conf;
}

  include /usr/local/nginx/conf/wpincludes/gamerpa.net/wpsecure_gamerpa.net.conf;
  include /usr/local/nginx/conf/php-wpsc.conf;

  # https://community.centminmod.com/posts/18828/
  #include /usr/local/nginx/conf/php-rediscache.conf;
  include /usr/local/nginx/conf/pre-staticfiles-local-gamerpa.net.conf;
  include /usr/local/nginx/conf/pre-staticfiles-global.conf;
  include /usr/local/nginx/conf/staticfiles.conf;
  include /usr/local/nginx/conf/drop.conf;
  #include /usr/local/nginx/conf/errorpage.conf;
  include /usr/local/nginx/conf/vts_server.conf;
}

curl https output:

Code (Text):

HTTP/1.1 526 Origin SSL Certificate Error
Date: Thu, 23 Jul 2020 13:24:31 GMT
Content-Type: text/html
Connection: keep-alive
Set-Cookie: __cfduid=d2b7731ff0d832d90d0315e8fb2125f3a1595510671; expires=Sat, 22-Aug-20 13:24:31 GMT; path=/; domain=.gamerpa.net; HttpOnly; SameSite=Lax
Cache-Control: no-store, no-cache
cf-request-id: 041d71e0e80000e75476be2200000001
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Strict-Transport-Security: max-age=2592000; includeSubDomains; preload
X-Content-Type-Options: nosniff
Server: cloudflare
CF-RAY: 5b75b8e178e7e754-EWR
alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400

output for HTTP curl

Code (Text):

curl -I http://gamerpa.net
HTTP/1.1 302 Moved Temporarily
Date: Thu, 23 Jul 2020 13:25:54 GMT
Content-Type: text/html
Connection: keep-alive
Set-Cookie: __cfduid=d7b7590a9465960af6e31c3c55a236cb61595510754; expires=Sat, 22-Aug-20 13:25:54 GMT; path=/; domain=.gamerpa.net; HttpOnly; SameSite=Lax
Location: https://gamerpa.net/
X-Powered-By: centminmod
CF-Cache-Status: DYNAMIC
cf-request-id: 041d7326480000e6c0618e1200000001
X-Content-Type-Options: nosniff
Server: cloudflare
CF-RAY: 5b75baea0ce4e6c0-EWR
alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400

Click to expand...

in your HTTPS vhost for yourdomain.com.ssl.conf, remove the non-http to https redirect when you're behind Cloudflare

Code (Text):

#x# HTTPS-DEFAULT
 server {

   server_name gamerpa.net www.gamerpa.net;
   return 302 https://gamerpa.net$request_uri;
   include /usr/local/nginx/conf/staticfiles.conf;
 }

then restart nginx and php-fpm and then set Cloudflare SSL from Flexible to Full non-strict SSL and see if that works. If works then set the non-https to https redirect at Cloudflare level instead of Nginx level.

Or you could do it the other way, leave nginx 302 redirect in place and set Cloudflare SSL to Full non-strict but then disable Cloudflare level non-https to https redirect (i.e. always HTTPS button)

What is happening is if you have both Cloudflare non-https to https redirect + nginx non-https to https redirect enabled, then you end up in a redirect loop.

R0rke · Jul 24, 2020

@eva2000 its already disabled by default!
edit:
problem solved I just disable https redirect from Nginx!

eva2000 · Jul 24, 2020

R0rke said: ↑

its already disabled by default!
Click to expand...

which is disabled by default ? if it was disabled, the you wouldn't need to remove nginx's non-https to https redirect

R0rke · Jul 24, 2020

yeah, I know but I don't know why this happened I just disabled Nginx HTTPS redirect and enable it on Cloudflare!
if I disable Cloudflare's redirect then enable Nginx redirect its goes to redirect loop!

this is weird :-}

eva2000 · Jul 24, 2020

R0rke said: ↑

if I disable Cloudflare's redirect then enable Nginx redirect its goes to redirect loop!
Click to expand...

That would happen if you have CF Flexible SSL and not CF Full non-strict SSL IIRC

GASTAN · Nov 5, 2020

I have the same problem.
I used option 22 to make subdomain, but Let's Encrypt cert failed, because of too many redirects
CF has 'Always Use HTTPS' off by default.
I tried to remove http->https redirect is ssl.conf as suggested, but then the domain does not work at all (I get default nginx Test page)
I also 'Full' (Encryption in CF) mode, but then main domain as well as older subdomain does not work, as they dont have https

eva2000 · Nov 5, 2020

GASTAN said: ↑

I have the same problem.
I used option 22 to make subdomain, but Let's Encrypt cert failed, because of too many redirects
CF has 'Always Use HTTPS' off by default.
I tried to remove http->https redirect is ssl.conf as suggested, but then the domain does not work at all (I get default nginx Test page)
I also 'Full' (Encryption in CF) mode, but then main domain as well as older subdomain does not work, as they dont have https
Click to expand...

Many reason for failed verification so best to start own thread with info outlined in sticky at SSL - Domains - Letsencrypt - How to troubleshoot Letsencrypt SSL certificate issuance or renewal

R0rke · Nov 9, 2020

GASTAN said: ↑

I have the same problem.
I used option 22 to make subdomain, but Let's Encrypt cert failed, because of too many redirects
CF has 'Always Use HTTPS' off by default.
I tried to remove http->https redirect is ssl.conf as suggested, but then the domain does not work at all (I get default nginx Test page)
I also 'Full' (Encryption in CF) mode, but then main domain as well as older subdomain does not work, as they dont have https
Click to expand...

try pausing cloudflare dns only then issue a cert after everything done enable full strict

GASTAN · Nov 10, 2020

I did that and it worked, but because other subdomains are not HTTPS yet, I cannot have it on FULL

eva2000 · Nov 10, 2020

GASTAN said: ↑

I did that and it worked, but because other subdomains are not HTTPS yet, I cannot have it on FULL
Click to expand...

set SSL mode at page rule level

GASTAN · Jul 22, 2021

finally migrated second domain, as WP update stopped site from working, and now I have Full encryption mode in CF and all seems to work. Alas, site is showing CF cert and not Lets Enrypts.

Also I get B mark in SSL Labs

Is that something I should be worried about? Shall I remove TLS 1.0 and 1.1 from nginx ?

eva2000 · Jul 22, 2021

TLS 1.0/1.1 is Cloudflare TLS side you need to set minimum to TLS 1.2 under Cloudflare SSL/TLS -> Edge Certificates tab

GASTAN · Jul 23, 2021

Thank, now I have A.
I was sort of thinking I will see Let's Encrypts cert and not CFs
But I noticed WeTransfer has A+ probably because of HSTS.
Does it make sense to enable it with defaults on CF?

eva2000 · Jul 25, 2021

HSTS header isn't enabled by default as improperly enabling it and not understanding implications of enabling HSTS headers can cause you to DOS attack your own site - denial of service. For example, if you enabled HSTS with max-age = 1yr with include subdomains, it means you're telling web browsers only allow HTTPS version of your site to be accessed to visitors for every domain and subdomain *.domain.com and make it valid and enforceable for 1yr. Removing the HSTS after enabling won't help, as it's permanently cached in a web browser unless visitor clears their HSTS cache.

Any subdomain or any non-subdomain without HTTPS SSL certificate will be denied access to your site for that 1yr period. So if you only had intention to enable HTTPS for say domain.com, www.domain.com and blog.domain.com but no intention for HTTPS for say host.domain.com, but you enable HSTS with include subdomain option - then you won't be able to access host.domain.com for that full 1yr period and any visitors won't be able to either as it's HSTS flag is cached in each visitor's web browser and you can't clear it on web server or your end. You effectively have DOS attacked your own site and prevented every visitor from accessing non-HTTPS host.domain.com for that 1yr. Sure you can get visitors to clear their HSTS browser cache as outlined below. But how many are tech savy enough and how do you notify those visitors if they can't access host.domain.com ?

So I leave HSTS add_headers commented out/disabled in Centmin Mod created nginx vhosts by default and let end users like yourself decide if they want to enable HSTS.

With that said, if you know what these security headers do and their consequences, enable them. I have for this forum https://securityheaders.com/?q=https://community.centminmod.com/&hide=on&followRedirects=on

Same goes for HSTS at Cloudflare level you need to decide yourself but if you plan HTTPS for all sites then it should be fine

Log in / Register

Forums

Learn about Centmin Mod LEMP Stack today

SSL Letsencrypt Problem, can't verify the ssl

R0rke Member

eva2000 Administrator Staff Member

R0rke Member

R0rke Member

buik “The best traveler is one without a camera.”

eva2000 Administrator Staff Member

R0rke Member

eva2000 Administrator Staff Member

R0rke Member

eva2000 Administrator Staff Member

GASTAN Member

eva2000 Administrator Staff Member

R0rke Member

GASTAN Member

eva2000 Administrator Staff Member

GASTAN Member

eva2000 Administrator Staff Member

GASTAN Member

eva2000 Administrator Staff Member

.

Log in / Register

Useful Searches

Learn about Centmin Mod LEMP Stack today

SSL Letsencrypt Problem, can't verify the ssl

R0rke Member

eva2000 Administrator Staff Member

R0rke Member

R0rke Member

buik “The best traveler is one without a camera.”

eva2000 Administrator Staff Member

R0rke Member

eva2000 Administrator Staff Member

R0rke Member

eva2000 Administrator Staff Member

GASTAN Member

eva2000 Administrator Staff Member

R0rke Member

GASTAN Member

eva2000 Administrator Staff Member

GASTAN Member

eva2000 Administrator Staff Member

GASTAN Member

eva2000 Administrator Staff Member

.