SSL Letsencrypt Problem, can't verify the ssl

Discussion in 'Domains, DNS, Email & SSL Certificates' started by R0rke, Jul 23, 2020.

  1. R0rke

    R0rke Member

    163
    20
    18
    Jun 2, 2016
    Iran
    Ratings:
    +34
    Local Time:
    4:15 AM
    1.11.1
    10.1
    Please fill in any relevant information that applies to you:
    • CentOS Version: 7 64bit
    • Centmin Mod Version Installed: 123.09beta01
    • Nginx Version Installed: latest
    • PHP Version Installed: 7.4
    • MariaDB MySQL Version Installed: 10.2.xx
    • When was last time updated Centmin Mod code base ? : recently
    • Persistent Config: Do you have any persistent config file options set in /etc/centminmod/custom_config.inc ? You can check via this command:
      Code (Text):
      NGINX_SSLCACHE_ALLOWOVERRIDE='y'
      SET_DEFAULT_MYSQLCHARSET='utf8mb4'
      AUTOHARDTUNE_NGINXBACKLOG='y'
      ZSTD_LOGROTATE_NGINX='y'
      ZSTD_LOGROTATE_PHPFPM='y'
      #NGINX_ZERODT='y'
      NGINX_LIBBROTLI='y'
      NGXDYNAMIC_BROTLI='y'
      PHP_PGO='y'
      PHP_BROTLI='y'
      PHP_LZFOUR='y'
      PHP_LZF='y'
      PHP_ZSTD='y'
      LETSENCRYPT_DETECT='y'
      DUALCERTS='y'
      AUDITD_ENABLE='y'
      EMAIL='@gmail.com'
      PUSHOVER_EMAIL='@pomail.net'
      ZONEINFO=Asia/Tehran
      CUSTOMSERVERNAME='y'
      CUSTOMSERVERSTRING=''
      NSD_DISABLED='y'
      PUREFTPD_DISABLED='y'
      NSD_INSTALL='n'
      PHPREDIS='y'
      CLOUDFLARE_ZLIB='y'
      CLOUDFLARE_ZLIBPHP='y'
      MARIADB_INSTALLTENTWO='y'
      SELFSIGNEDSSL_C='***'
      SELFSIGNEDSSL_ST='***'
      SELFSIGNEDSSL_L='***'
      SELFSIGNEDSSL_O='***'
      SELFSIGNEDSSL_OU='***'
      
    Debug logs for webroot:

    @eva2000
     
    Last edited: Jul 23, 2020
  2. eva2000

    eva2000 Administrator Staff Member

    45,633
    10,356
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +16,070
    Local Time:
    10:15 PM
    Nginx 1.19.x
    MariaDB 5.5/10.x
    I removed the log as it contained your email address. The log said 403 permission denied when trying to do webroot authentication and validation for your domain. Try testing your domain via the letsdebug.net online testing tool to check for potential errors with HTTP-01 validation. I can see issues which could explain 403 permission denied: Let's Debug

    Code (Text):
    BadRedirect (https://letsdebug.net/gamerpa.net/228698#BadRedirect-Error)
    ERROR
    Sending an ACME HTTP validation request to gamerpa.net results in an unacceptable redirect. This is most likely a misconfiguration of your web server or your web application.
    Too many (10) redirects, last redirect was to: http://gamerpa.net/.well-known/acme-challenge/letsdebug-test
    
    Trace:
    @0ms: Making a request to http://gamerpa.net/.well-known/acme-challenge/letsdebug-test (using initial IP 2606:4700:3031::6818:6842)
    @0ms: Dialing 2606:4700:3031::6818:6842
    @48ms: Server response: HTTP 302 Moved Temporarily
    @48ms: Received redirect to https://gamerpa.net/.well-known/acme-challenge/letsdebug-test
    @48ms: Dialing 2606:4700:3031::6818:6842
    @64ms: Server response: HTTP 301 Moved Permanently
    @64ms: Received redirect to http://gamerpa.net/.well-known/acme-challenge/letsdebug-test
    @101ms: Server response: HTTP 302 Moved Temporarily
    @101ms: Received redirect to https://gamerpa.net/.well-known/acme-challenge/letsdebug-test
    @105ms: Server response: HTTP 301 Moved Permanently
    @105ms: Received redirect to http://gamerpa.net/.well-known/acme-challenge/letsdebug-test
    @146ms: Server response: HTTP 302 Moved Temporarily
    @146ms: Received redirect to https://gamerpa.net/.well-known/acme-challenge/letsdebug-test
    @151ms: Server response: HTTP 301 Moved Permanently
    @151ms: Received redirect to http://gamerpa.net/.well-known/acme-challenge/letsdebug-test
    @189ms: Server response: HTTP 302 Moved Temporarily
    @189ms: Received redirect to https://gamerpa.net/.well-known/acme-challenge/letsdebug-test
    @193ms: Server response: HTTP 301 Moved Permanently
    @193ms: Received redirect to http://gamerpa.net/.well-known/acme-challenge/letsdebug-test
    @216ms: Server response: HTTP 302 Moved Temporarily
    @216ms: Received redirect to https://gamerpa.net/.well-known/acme-challenge/letsdebug-test
    @222ms: Server response: HTTP 301 Moved Permanently
    

    you're in a redirect loop

    When you create a new nginx vhost domain via centmin.sh menu option 2 or menu option 22 or via the /usr/bin/nv CLI command line, you will create the Nginx vhost files and directories. You will get as output the path location where it will create the domain name's vhost conf file named newdomain.com.conf (and newdomain.com.ssl.conf if you selected yes to self-signed SSL)
    • Nginx vhost conf path will be at /usr/local/nginx/conf/conf.d/newdomain.com.conf
    • Nginx HTTP/2 SSL vhost conf path will be at /usr/local/nginx/conf/conf.d/newdomain.com.ssl.conf
    • Nginx Self-Signed SSL Certificate Directory at /usr/local/nginx/conf/ssl/newdomain.com
    • Vhost public web root will be at /home/nginx/domains/newdomain.com/public
    • Vhost log directory will be at /home/nginx/domains/newdomain.com/log
    Please post the contents of /usr/local/nginx/conf/conf.d/newdomain.com.conf and if applicable /usr/local/nginx/conf/conf.d/newdomain.com.ssl.conf wrapped in CODE tags (outlined at How to use forum BBCODE code tags)

    What is the output of these commands in SSH?
    Code (Text):
    curl -I https://domain.com
    

    Code (Text):
    curl -I https://www.domain.com
    

    Code (Text):
    curl -I http://domain.com
    

    Code (Text):
    curl -I http://www.domain.com
    

    wrap output in CODE tags
     
  3. R0rke

    Code (Text):
    #x# HTTPS-DEFAULT
     server {
    
       server_name gamerpa.net www.gamerpa.net;
       return 302 https://gamerpa.net$request_uri;
       include /usr/local/nginx/conf/staticfiles.conf;
     }
    
    server {
      listen 443 ssl http2 reuseport;
      server_name gamerpa.net www.gamerpa.net;
    
      include /usr/local/nginx/conf/ssl/gamerpa.net/gamerpa.net.crt.key.conf;
      include /usr/local/nginx/conf/ssl_include.conf;
    
      # cloudflare authenticated origin pull cert community.centminmod.com/threads/13847/
      #ssl_client_certificate /usr/local/nginx/conf/ssl/cloudflare/gamerpa.net/origin.crt;
      #ssl_verify_client on;
      http2_max_field_size 16k;
      http2_max_header_size 32k;
      http2_max_requests 50000;
      # mozilla recommended
      ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS;
      ssl_prefer_server_ciphers   on;
      #add_header Alternate-Protocol  443:npn-spdy/3;
    
      # before enabling HSTS line below read centminmod.com/nginx_domain_dns_setup.html#hsts
      #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
      #add_header X-Frame-Options SAMEORIGIN;
      add_header X-Xss-Protection "1; mode=block" always;
      add_header X-Content-Type-Options "nosniff" always;
      #add_header Referrer-Policy "strict-origin-when-cross-origin";
      #add_header Feature-Policy "accelerometer 'none'; camera 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; payment 'none'; usb 'none'";
      #spdy_headers_comp 5;
      ssl_buffer_size 1369;
      ssl_session_tickets on;
    
      # enable ocsp stapling
      #resolver 8.8.8.8 8.8.4.4 1.1.1.1 1.0.0.1 valid=10m;
      #resolver_timeout 10s;
      #ssl_stapling on;
      #ssl_stapling_verify on;
    
    # ngx_pagespeed & ngx_pagespeed handler
    #include /usr/local/nginx/conf/pagespeed.conf;
    #include /usr/local/nginx/conf/pagespeedhandler.conf;
    #include /usr/local/nginx/conf/pagespeedstatslog.conf;
    
      # limit_conn limit_per_ip 16;
      # ssi  on;
    
      access_log /home/nginx/domains/gamerpa.net/log/access.log combined buffer=256k flush=5m;
      error_log /home/nginx/domains/gamerpa.net/log/error.log;
    
      include /usr/local/nginx/conf/autoprotect/gamerpa.net/autoprotect-gamerpa.net.conf;
      root /home/nginx/domains/gamerpa.net/public;
      # uncomment cloudflare.conf include if using cloudflare for
      # server and/or vhost site
      #include /usr/local/nginx/conf/cloudflare.conf;
      include /usr/local/nginx/conf/503include-main.conf;
    
      include /usr/local/nginx/conf/wpincludes/gamerpa.net/wpcacheenabler_gamerpa.net.conf;
      #include /usr/local/nginx/conf/wpincludes/gamerpa.net/wpsupercache_gamerpa.net.conf;
      # https://community.centminmod.com/posts/18828/
      #include /usr/local/nginx/conf/wpincludes/gamerpa.net/rediscache_gamerpa.net.conf;
    
      location / {
      include /usr/local/nginx/conf/503include-only.conf;
    
    
      # Enables directory listings when index file not found
      #autoindex  on;
    
      # for wordpress super cache plugin
      #try_files /wp-content/cache/supercache/$http_host/$cache_uri/index.html $uri $uri/ /index.php?q=$uri&$args;
    
      # for wp cache enabler plugin
      try_files $cache_enabler_uri_webp $cache_enabler_uri $uri $uri/ $custom_subdir/index.php?$args;
    
      # Wordpress Permalinks
      #try_files $uri $uri/ /index.php?q=$uri&$args;
    
      # Nginx level redis Wordpress
      # https://community.centminmod.com/posts/18828/
      #try_files $uri $uri/ /index.php?$args;
    
      }
    
    location ~* /(wp-login\.php) {
        limit_req zone=xwplogin burst=1 nodelay;
        #limit_conn xwpconlimit 30;
        #auth_basic "Private";
        #auth_basic_user_file /home/nginx/domains/gamerpa.net/htpasswd_wplogin;
        include /usr/local/nginx/conf/php-wpsc.conf;
    
        # https://community.centminmod.com/posts/18828/
        #include /usr/local/nginx/conf/php-rediscache.conf;
    }
    
    location ~* /(xmlrpc\.php) {
        limit_req zone=xwprpc burst=45 nodelay;
        #limit_conn xwpconlimit 30;
        include /usr/local/nginx/conf/php-wpsc.conf;
    
        # https://community.centminmod.com/posts/18828/
        #include /usr/local/nginx/conf/php-rediscache.conf;
    }
    
    location ~* /wp-admin/(load-scripts\.php) {
        limit_req zone=xwprpc burst=5 nodelay;
        #limit_conn xwpconlimit 30;
        include /usr/local/nginx/conf/php-wpsc.conf;
    
        # https://community.centminmod.com/posts/18828/
        #include /usr/local/nginx/conf/php-rediscache.conf;
    }
    
    location ~* /wp-admin/(load-styles\.php) {
        limit_req zone=xwprpc burst=5 nodelay;
        #limit_conn xwpconlimit 30;
        include /usr/local/nginx/conf/php-wpsc.conf;
    
        # https://community.centminmod.com/posts/18828/
        #include /usr/local/nginx/conf/php-rediscache.conf;
    }
    
      include /usr/local/nginx/conf/wpincludes/gamerpa.net/wpsecure_gamerpa.net.conf;
      include /usr/local/nginx/conf/php-wpsc.conf;
    
      # https://community.centminmod.com/posts/18828/
      #include /usr/local/nginx/conf/php-rediscache.conf;
      include /usr/local/nginx/conf/pre-staticfiles-local-gamerpa.net.conf;
      include /usr/local/nginx/conf/pre-staticfiles-global.conf;
      include /usr/local/nginx/conf/staticfiles.conf;
      include /usr/local/nginx/conf/drop.conf;
      #include /usr/local/nginx/conf/errorpage.conf;
      include /usr/local/nginx/conf/vts_server.conf;
    }
    


    curl https output:
    Code (Text):
    HTTP/1.1 526 Origin SSL Certificate Error
    Date: Thu, 23 Jul 2020 13:24:31 GMT
    Content-Type: text/html
    Connection: keep-alive
    Set-Cookie: __cfduid=d2b7731ff0d832d90d0315e8fb2125f3a1595510671; expires=Sat, 22-Aug-20 13:24:31 GMT; path=/; domain=.gamerpa.net; HttpOnly; SameSite=Lax
    Cache-Control: no-store, no-cache
    cf-request-id: 041d71e0e80000e75476be2200000001
    Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
    Strict-Transport-Security: max-age=2592000; includeSubDomains; preload
    X-Content-Type-Options: nosniff
    Server: cloudflare
    CF-RAY: 5b75b8e178e7e754-EWR
    alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
    

    output for HTTP curl
    Code (Text):
    curl -I http://gamerpa.net
    HTTP/1.1 302 Moved Temporarily
    Date: Thu, 23 Jul 2020 13:25:54 GMT
    Content-Type: text/html
    Connection: keep-alive
    Set-Cookie: __cfduid=d7b7590a9465960af6e31c3c55a236cb61595510754; expires=Sat, 22-Aug-20 13:25:54 GMT; path=/; domain=.gamerpa.net; HttpOnly; SameSite=Lax
    Location: https://gamerpa.net/
    X-Powered-By: centminmod
    CF-Cache-Status: DYNAMIC
    cf-request-id: 041d7326480000e6c0618e1200000001
    X-Content-Type-Options: nosniff
    Server: cloudflare
    CF-RAY: 5b75baea0ce4e6c0-EWR
    alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
    
    
     
    Last edited: Jul 23, 2020
  4. R0rke

    Tried to remove the vhost and create another one, but I'm still experiencing this problem.
    @eva2000 I also tried to create the SSL certificate using webroot, but the same problem.

    my DNS settings: (screenshot of the DNS settings; image not preserved)
     
  5. buik

    buik “A winner never stops trying.” Premium Member

    1,316
    361
    83
    Apr 29, 2016
    Ratings:
    +1,080
    Local Time:
    1:15 PM
    I think it's a good idea to mask the domain name in question.
    With a simple DNS history command you can easily attack the origin server.
     
  6. eva2000

    In your HTTPS vhost for yourdomain.com.ssl.conf, remove the non-https to https redirect when you're behind Cloudflare
    Code (Text):
    #x# HTTPS-DEFAULT
     server {
    
       server_name gamerpa.net www.gamerpa.net;
       return 302 https://gamerpa.net$request_uri;
       include /usr/local/nginx/conf/staticfiles.conf;
     }
    

    then restart nginx and php-fpm and then set Cloudflare SSL from Flexible to Full non-strict SSL and see if that works. If it works, then set the non-https to https redirect at Cloudflare level instead of Nginx level.

    Or you could do it the other way, leave nginx 302 redirect in place and set Cloudflare SSL to Full non-strict but then disable Cloudflare level non-https to https redirect (i.e. always HTTPS button)

    What is happening is if you have both Cloudflare non-https to https redirect + nginx non-https to https redirect enabled, then you end up in a redirect loop.
     
  7. R0rke

    @eva2000 it's already disabled by default!
    edit:
    problem solved, I just disabled the HTTPS redirect in Nginx!
     
    Last edited: Jul 24, 2020
  8. eva2000

    Which is disabled by default? If it was disabled, then you wouldn't need to remove nginx's non-https to https redirect
     
  9. R0rke

    yeah, I know, but I don't know why this happened. I just disabled the Nginx HTTPS redirect and enabled it on Cloudflare!
    if I disable Cloudflare's redirect and then enable the Nginx redirect, it goes into a redirect loop!

    this is weird :-}
     
  10. eva2000

    That would happen if you have CF Flexible SSL and not CF Full non-strict SSL IIRC
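    The redirect loop explained in posts #6 and #10 (nginx 302 to HTTPS plus Cloudflare Flexible SSL, which always fetches from the origin over plain HTTP) can be checked without touching a server. The following is an added example, not code from the thread or from Centmin Mod: it reduces the Cloudflare edge and the posted nginx vhost to pure functions, uses a placeholder domain instead of the thread's host, and follows the ACME request the way the letsdebug trace does, with the same 10-hop budget.

    ```python
    # Constructed model of the Cloudflare / nginx redirect loop from this thread.
    # Both layers are pure functions so every combination of settings runs offline.
    from dataclasses import dataclass
    from typing import Dict, List, Optional, Tuple

    DOMAIN = "example.com"  # placeholder, not the thread's real host
    ACME_PATH = "/.well-known/acme-challenge/letsdebug-test"  # path letsdebug probes
    HTTP_URL = "http://" + DOMAIN + ACME_PATH
    HTTPS_URL = "https://" + DOMAIN + ACME_PATH


    @dataclass(frozen=True)
    class Settings:
        cf_ssl_mode: str       # "flexible" (edge->origin over HTTP) or "full" (HTTPS)
        cf_always_https: bool  # Cloudflare "Always Use HTTPS" edge redirect
        nginx_redirect: bool   # the `return 302 https://...` in the port-80 vhost


    def origin_response(scheme: str, s: Settings) -> Tuple[int, Optional[str]]:
        """nginx as in the posted vhost: port 80 redirects to HTTPS, port 443
        serves the challenge file. Returns (status, Location header)."""
        if scheme == "http" and s.nginx_redirect:
            return 302, HTTPS_URL
        return 200, None


    def edge_response(scheme: str, s: Settings) -> Tuple[int, Optional[str]]:
        """Cloudflare edge: optional Always-HTTPS 301, then proxy to the origin.
        Flexible always contacts the origin over plain HTTP; Full keeps the
        visitor's scheme."""
        if scheme == "http" and s.cf_always_https:
            return 301, HTTPS_URL
        origin_scheme = "http" if s.cf_ssl_mode == "flexible" else scheme
        return origin_response(origin_scheme, s)


    def follow(s: Settings, max_hops: int = 10) -> List[str]:
        """Follow redirects from the validator's initial plain-HTTP request, as
        the letsdebug trace does. Returns the URLs visited, with "LOOP" appended
        when the hop budget (10, matching letsdebug's limit) is exhausted."""
        url, trail = HTTP_URL, [HTTP_URL]
        for _ in range(max_hops):
            status, location = edge_response(url.split("://", 1)[0], s)
            if status == 200:
                return trail
            url = location
            trail.append(url)
        return trail + ["LOOP"]


    def loops(s: Settings) -> bool:
        return follow(s)[-1] == "LOOP"


    def truth_table() -> Dict[Settings, bool]:
        """Loop outcome for all eight combinations of the three settings."""
        return {Settings(m, a, n): loops(Settings(m, a, n)) for m in ("flexible", "full")
                for a in (False, True) for n in (False, True)}
    ```

    Running `truth_table()` shows the loop occurs exactly when the mode is Flexible and the nginx redirect is on, whatever the Always-HTTPS setting, which is the distinction post #10 draws.
    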
     
  11. GASTAN

    GASTAN Member

    92
    12
    8
    Jun 28, 2017
    Ratings:
    +18
    Local Time:
    1:15 PM
    I have the same problem.
    I used option 22 to make a subdomain, but the Let's Encrypt cert failed because of too many redirects.
    CF has 'Always Use HTTPS' off by default.
    I tried to remove the http->https redirect in ssl.conf as suggested, but then the domain does not work at all (I get the default nginx test page).
    I also tried 'Full' (Encryption in CF) mode, but then the main domain as well as the older subdomain do not work, as they don't have https :(
     
  12. eva2000

    Many reasons for failed verification, so it's best to start your own thread with the info outlined in the sticky at SSL - Domains - Letsencrypt - How to troubleshoot Letsencrypt SSL certificate issuance or renewal
     
  13. R0rke

    try pausing Cloudflare (DNS only), then issue a cert; after everything is done, enable Full (strict)
     
  14. GASTAN

    I did that and it worked, but because other subdomains are not HTTPS yet, I cannot have it on FULL:(
     
  15. eva2000

    set SSL mode at page rule level
