
SSL SSL Connection Error

Discussion in 'Domains, DNS, Email & SSL Certificates' started by Jota, Jul 22, 2017.

  1. Jota

    Jota Member

    Hey guys ! ;)

    I tried this on different Centmin Mod servers and always get the same issue.

    When I create a WP site with Let's Encrypt enabled, all works fine, but any kind of problem with SSL, I always get an SSL Connection error on Pingdom tests.

    See --> Snaggy - easy screenshots

    Does anyone know how to fix this?

    Seems like a root or CA issue, but I don't know how to fix this.

    I have the latest Centmin Mod beta, just installed on a fresh box 2h ago: CentOS 6.9 fully updated, OpenVZ VPS.

    Thanks ;)
     
  2. eva2000

    eva2000 Administrator Staff Member

  3. Jon Snow

    Jon Snow Active Member

    Disabling IPv6 worked for me since SSL was properly installed according to the tools I used to check.

    To disable IPv6 :

    Edit /etc/sysctl.conf and add the following (if it's set to 0, just change it to 1):
    Code (Text):
    net.ipv6.conf.all.disable_ipv6 = 1
    net.ipv6.conf.default.disable_ipv6 = 1

    Run the following command via SSH :
    Code (Text):
    sysctl -p

    Pingdom's test should work fine after.
     
  4. Jota

  5. eva2000

    the ssllabs report looks good to me so nothing wrong there

    tested site with gtmetrix.com and webpagetest.org as well ?
     
  6. Jota

    The rest of the sites load fine, and I can also access and manage the WP admin panel with SSL without any issue.

    But I've been seeing this just with Centmin Mod, and I tested on different servers, always the same issue.

    Can anyone help please? Thanks!
     
  7. eva2000

    When you create a new nginx vhost domain via centmin.sh menu option 2 or menu option 22 or via the /usr/bin/nv command line, you will create the Nginx vhost files and directories. The output will show the path location where it will create the domain name's vhost conf file named newdomain.com.conf (and newdomain.com.ssl.conf if you selected yes to self signed SSL)
    • Nginx vhost conf path will be at /usr/local/nginx/conf/conf.d/newdomain.com.conf
    • Nginx HTTP/2 SSL vhost conf path will be at /usr/local/nginx/conf/conf.d/newdomain.com.ssl.conf
    • Nginx Self-Signed SSL Certificate Directory at /usr/local/nginx/conf/ssl/newdomain.com
    • Vhost public web root will be at /home/nginx/domains/newdomain.com/public
    • Vhost log directory will be at /home/nginx/domains/newdomain.com/log
    Please post the contents of /usr/local/nginx/conf/conf.d/newdomain.com.conf and if applicable /usr/local/nginx/conf/conf.d/newdomain.com.ssl.conf wrapped in CODE tags (outlined at How to use forum BBCODE code tags)

    what is output of these commands in ssh
    Code (Text):
    curl -Iv https://domain.com
    

    Code (Text):
    curl -Iv https://www.domain.com
    

    Code (Text):
    curl -Iv http://domain.com
    

    Code (Text):
    curl -Iv http://www.domain.com
    

    Code (Text):
    nginx -V

    wrap output in CODE tags
     
  8. Jota

    I just came back from travelling, let's go to work :)

    There's just SSL conf file, as I installed it.

    Code:
    cat /usr/local/nginx/conf/conf.d/sub.domain.net.ssl.conf
    
    
    #x# HTTPS-DEFAULT
     server {
     
       server_name sub.domain.net www.sub.domain.net;
       return 302 https://$server_name$request_uri;
       include /usr/local/nginx/conf/staticfiles.conf;
     }
    
    server {
      listen 443 ssl http2;
      server_name sub.domain.net www.sub.domain.net;
    
      include /usr/local/nginx/conf/ssl/sub.domain.net/sub.domain.net.crt.key.conf;
      include /usr/local/nginx/conf/ssl_include.conf;
    
      http2_max_field_size 16k;
      http2_max_header_size 32k;
      # mozilla recommended
      ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA256:EECDH+ECDSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+SHA384:EECDH+AES128:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!CAMELLIA;
      ssl_prefer_server_ciphers   on;
      #add_header Alternate-Protocol  443:npn-spdy/3;
    
      # before enabling HSTS line below read centminmod.com/nginx_domain_dns_setup.html#hsts
      #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
      #add_header X-Frame-Options SAMEORIGIN;
      #add_header X-Xss-Protection "1; mode=block" always;
      #add_header X-Content-Type-Options "nosniff" always;
      #spdy_headers_comp 5;
      ssl_buffer_size 1369;
      ssl_session_tickets on;
    
      # enable ocsp stapling
      resolver 8.8.8.8 8.8.4.4 valid=10m;
      resolver_timeout 10s;
      ssl_stapling on;
      ssl_stapling_verify on;
    
    # ngx_pagespeed & ngx_pagespeed handler
    #include /usr/local/nginx/conf/pagespeed.conf;
    #include /usr/local/nginx/conf/pagespeedhandler.conf;
    #include /usr/local/nginx/conf/pagespeedstatslog.conf;
    
      #add_header X-Frame-Options SAMEORIGIN;
      #add_header X-Xss-Protection "1; mode=block" always;
      #add_header X-Content-Type-Options "nosniff" always;
    
      # limit_conn limit_per_ip 16;
      # ssi  on;
    
      access_log /home/nginx/domains/sub.domain.net/log/access.log combined buffer=256k flush=5m;
      error_log /home/nginx/domains/sub.domain.net/log/error.log;
    
      include /usr/local/nginx/conf/autoprotect/sub.domain.net/autoprotect-sub.domain.net.conf;
      root /home/nginx/domains/sub.domain.net/public;
      # uncomment cloudflare.conf include if using cloudflare for
      # server and/or vhost site
      #include /usr/local/nginx/conf/cloudflare.conf;
      include /usr/local/nginx/conf/503include-main.conf;
    
      include /usr/local/nginx/conf/wpincludes/sub.domain.net/wpcacheenabler_sub.domain.net.conf;
      #include /usr/local/nginx/conf/wpincludes/sub.domain.net/wpsupercache_sub.domain.net.conf;
      # Redis - How to install Redis server on Centmin Mod LEMP stack
      #include /usr/local/nginx/conf/wpincludes/sub.domain.net/rediscache_sub.domain.net.conf; 
    
      location / {
      include /usr/local/nginx/conf/503include-only.conf;
    
    
      # Enables directory listings when index file not found
      #autoindex  on;
    
      # for wordpress super cache plugin
      #try_files /wp-content/cache/supercache/$http_host/$cache_uri/index.html $uri $uri/ /index.php?q=$uri&$args;
    
      # for wp cache enabler plugin
      try_files $cache_enabler_uri $uri $uri/ $custom_subdir/index.php?$args; 
    
      # Wordpress Permalinks
      #try_files $uri $uri/ /index.php?q=$uri&$args;
    
      # Nginx level redis Wordpress
      # Redis - How to install Redis server on Centmin Mod LEMP stack
      #try_files $uri $uri/ /index.php?$args;
    
      }
    
    location ~* /(wp-login\.php) {
        limit_req zone=xwplogin burst=1 nodelay;
        #limit_conn xwpconlimit 30;
        auth_basic "Private";
        #auth_basic_user_file /home/nginx/domains/sub.domain.net/htpasswd_wplogin;  
        include /usr/local/nginx/conf/php-wpsc.conf;
     
        # Redis - How to install Redis server on Centmin Mod LEMP stack
        #include /usr/local/nginx/conf/php-rediscache.conf;
    }
    
    location ~* /(xmlrpc\.php) {
        limit_req zone=xwprpc burst=45 nodelay;
        #limit_conn xwpconlimit 30;
        include /usr/local/nginx/conf/php-wpsc.conf;
     
        # Redis - How to install Redis server on Centmin Mod LEMP stack
        #include /usr/local/nginx/conf/php-rediscache.conf;
    }
    
      include /usr/local/nginx/conf/wpincludes/sub.domain.net/wpsecure_sub.domain.net.conf;
      include /usr/local/nginx/conf/php-wpsc.conf;
    
      # Redis - How to install Redis server on Centmin Mod LEMP stack
      #include /usr/local/nginx/conf/php-rediscache.conf;
      include /usr/local/nginx/conf/pre-staticfiles-local-sub.domain.net.conf;
      include /usr/local/nginx/conf/pre-staticfiles-global.conf;
      include /usr/local/nginx/conf/staticfiles.conf;
      include /usr/local/nginx/conf/drop.conf;
      #include /usr/local/nginx/conf/errorpage.conf;
      include /usr/local/nginx/conf/vts_server.conf;
    }
    
    Code:
    curl -Iv https://sub.domain.net
    * About to connect() to sub.domain.net port 443 (#0)
    *   Trying 10.20.30.40... connected
    * Connected to sub.domain.net (185.47.129.166) port 443 (#0)
    * Initializing NSS with certpath: sql:/etc/pki/nssdb
    *   CAfile: /etc/pki/tls/certs/ca-bundle.crt
      CApath: none
    * SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    * Server certificate:
    *       subject: CN=sub.domain.net
    *       start date: Jul 21 18:10:00 2017 GMT
    *       expire date: Oct 19 18:10:00 2017 GMT
    *       common name: sub.domain.net
    *       issuer: CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US
    > HEAD / HTTP/1.1
    > User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.27.1 zlib/1.2.3 libidn/1.18 libssh2/1.4.2
    > Host: sub.domain.net
    > Accept: */*
    >
    < HTTP/1.1 200 OK
    HTTP/1.1 200 OK
    < Date: Fri, 04 Aug 2017 15:10:39 GMT
    Date: Fri, 04 Aug 2017 15:10:39 GMT
    < Content-Type: text/html; charset=UTF-8
    Content-Type: text/html; charset=UTF-8
    < Connection: keep-alive
    Connection: keep-alive
    < Vary: Accept-Encoding
    Vary: Accept-Encoding
    < Server: nginx centminmod
    Server: nginx centminmod
    < X-Powered-By: centminmod
    X-Powered-By: centminmod
    
    <
    * Connection #0 to host sub.domain.net left intact
    * Closing connection #0
    
    
    Code:
    curl -Iv http://sub.domain.net
    * About to connect() to sub.domain.net port 80 (#0)
    *   Trying 10.20.30.40... connected
    * Connected to sub.domain.net (185.47.129.166) port 80 (#0)
    > HEAD / HTTP/1.1
    > User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.27.1 zlib/1.2.3 libidn/1.18 libssh2/1.4.2
    > Host: sub.domain.net
    > Accept: */*
    >
    < HTTP/1.1 302 Moved Temporarily
    HTTP/1.1 302 Moved Temporarily
    < Date: Fri, 04 Aug 2017 15:12:48 GMT
    Date: Fri, 04 Aug 2017 15:12:48 GMT
    < Content-Type: text/html
    Content-Type: text/html
    < Content-Length: 154
    Content-Length: 154
    < Connection: keep-alive
    Connection: keep-alive
    < Location: https://sub.domain.net/
    Location: https://sub.domain.net/
    < Server: nginx centminmod
    Server: nginx centminmod
    < X-Powered-By: centminmod
    X-Powered-By: centminmod
    
    <
    * Connection #0 to host sub.domain.net left intact
    * Closing connection #0
    
    Code:
    curl -Iv https://www.sub.domain.net
    * About to connect() to www.sub.domain.net port 443 (#0)
    *   Trying 10.20.30.40... connected
    * Connected to www.sub.domain.net (185.47.129.166) port 443 (#0)
    * Initializing NSS with certpath: sql:/etc/pki/nssdb
    *   CAfile: /etc/pki/tls/certs/ca-bundle.crt
      CApath: none
    * SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    * Server certificate:
    *       subject: CN=sub.domain.net
    *       start date: Jul 21 18:10:00 2017 GMT
    *       expire date: Oct 19 18:10:00 2017 GMT
    *       common name: sub.domain.net
    *       issuer: CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US
    > HEAD / HTTP/1.1
    > User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.27.1 zlib/1.2.3 libidn/1.18 libssh2/1.4.2
    > Host: www.sub.domain.net
    > Accept: */*
    >
    < HTTP/1.1 301 Moved Permanently
    HTTP/1.1 301 Moved Permanently
    < Date: Fri, 04 Aug 2017 15:18:42 GMT
    Date: Fri, 04 Aug 2017 15:18:42 GMT
    < Content-Type: text/html; charset=UTF-8
    Content-Type: text/html; charset=UTF-8
    < Connection: keep-alive
    Connection: keep-alive
    < Set-Cookie: PHPSESSID=7n25q9k669qpk4ma5a29phhtk4; path=/
    Set-Cookie: PHPSESSID=7n25q9k669qpk4ma5a29phhtk4; path=/
    < Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    < Cache-Control: no-store, no-cache, must-revalidate
    Cache-Control: no-store, no-cache, must-revalidate
    < Pragma: no-cache
    Pragma: no-cache
    < Location: https://sub.domain.net/
    Location: https://sub.domain.net/
    < Server: nginx centminmod
    Server: nginx centminmod
    < X-Powered-By: centminmod
    X-Powered-By: centminmod
    
    <
    * Connection #0 to host www.sub.domain.net left intact
    * Closing connection #0
    
    Code:
    curl -Iv http://www.sub.domain.net
    * About to connect() to www.sub.domain.net port 80 (#0)
    *   Trying 185.47.129.166... connected
    * Connected to www.sub.domain.net (185.47.129.166) port 80 (#0)
    > HEAD / HTTP/1.1
    > User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.27.1 zlib/1.2.3 libidn/1.18 libssh2/1.4.2
    > Host: www.sub.domain.net
    > Accept: */*
    >
    < HTTP/1.1 302 Moved Temporarily
    HTTP/1.1 302 Moved Temporarily
    < Date: Fri, 04 Aug 2017 15:20:21 GMT
    Date: Fri, 04 Aug 2017 15:20:21 GMT
    < Content-Type: text/html
    Content-Type: text/html
    < Content-Length: 154
    Content-Length: 154
    < Connection: keep-alive
    Connection: keep-alive
    < Location: https://sub.domain.net/
    Location: https://sub.domain.net/
    < Server: nginx centminmod
    Server: nginx centminmod
    < X-Powered-By: centminmod
    X-Powered-By: centminmod
    
    <
    * Connection #0 to host www.sub.domain.net left intact
    * Closing connection #0
    
    Code:
    nginx -V
    nginx version: nginx/1.13.3
    built by clang 3.4.2 (tags/RELEASE_34/dot2-final)
    built with LibreSSL 2.5.5
    TLS SNI support enabled
    configure arguments: --with-ld-opt='-lrt -ljemalloc -Wl,-z,relro -Wl,-rpath,/usr/local/lib' --with-cc-opt='-m64 -mtune=native -g -O3 -fstack-protector -fuse-ld=gold --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wno-sign-compare -Wno-string-plus-int -Wno-deprecated-declarations -Wno-unused-parameter -Wno-unused-const-variable -Wno-conditional-uninitialized -Wno-mismatched-tags -Wno-sometimes-uninitialized -Wno-parentheses-equality -Wno-tautological-compare -Wno-self-assign -Wno-deprecated-register -Wno-deprecated -Wno-invalid-source-encoding -Wno-pointer-sign -Wno-parentheses -Wno-enum-conversion -Wno-c++11-compat-deprecated-writable-strings -Wno-write-strings' --sbin-path=/usr/local/sbin/nginx --conf-path=/usr/local/nginx/conf/nginx.conf --with-compat --with-http_stub_status_module --with-http_secure_link_module --with-libatomic --with-http_gzip_static_module --with-http_sub_module --with-http_addition_module --with-http_image_filter_module=dynamic --with-http_geoip_module --with-stream_geoip_module --with-stream_realip_module --with-stream_ssl_preread_module --with-threads --with-stream=dynamic --with-stream_ssl_module --with-http_realip_module --add-dynamic-module=../ngx-fancyindex-0.4.0 --add-module=../ngx_cache_purge-2.3 --add-module=../ngx_devel_kit-0.3.0 --add-module=../set-misc-nginx-module-0.31 --add-module=../echo-nginx-module-0.60 --add-module=../redis2-nginx-module-0.14 --add-module=../ngx_http_redis-0.3.7 --add-module=../memc-nginx-module-0.18 --add-module=../srcache-nginx-module-0.31 --add-module=../headers-more-nginx-module-0.32 --with-pcre=../pcre-8.41 --with-pcre-jit --with-zlib=../zlib-1.2.11 --with-http_ssl_module --with-http_v2_module --with-openssl=../libressl-2.5.5
    
     
  9. eva2000

    your nginx vhost is missing ocsp stapling related syntax

    i.e. if you use Generate Centmin Mod Nginx Vhost - CentminMod.com LEMP Nginx web stack for CentOS and set domain = sub.domain.net and check ssl self-signed/letsencrypt check box

    you'll see missing a single line of letsencrypt syntax for nginx ssl_trusted_certificate directive at bottom of vhost.php generated page for

    you have
    Code (Text):
      # enable ocsp stapling
      resolver 8.8.8.8 8.8.4.4 valid=10m;
      resolver_timeout 10s;
      ssl_stapling on;
      ssl_stapling_verify on;
    

    while it should be
    Code (Text):
      # enable ocsp stapling
      resolver 8.8.8.8 8.8.4.4 valid=10m;
      resolver_timeout 10s;
      ssl_stapling on;
      ssl_stapling_verify on;
      ssl_trusted_certificate /usr/local/nginx/conf/ssl/sub.domain.net/sub.domain.net-acme.cer;
    

    make sure /usr/local/nginx/conf/ssl/sub.domain.net/sub.domain.net-acme.cer exists first though not sure if this is why you have issues

    restart nginx service
     
  10. Jota

    Adding that line at config file and restarting gave a duplicated error, also didn't change anything in the pingdom tests:

    Code:
    nginx: [emerg] "ssl_trusted_certificate" directive is duplicate in /usr/local/nginx/conf/conf.d/sub.domain.net.ssl.conf:38
    nginx: configuration file /usr/local/nginx/conf/nginx.conf test failed
    
     
  11. eva2000

    remove that line then seems it is added to
    /usr/local/nginx/conf/ssl/sub.domain.net/sub.domain.net.crt.key.conf IIRC

    still having pingdom test issues ?
     
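Added example, not part of the original posts and not Centmin Mod's own code: a pre-restart check that finds where `ssl_trusted_certificate` is defined across a vhost file and the files it includes, which is what the "directive is duplicate" error above came down to. The function names, the temp-dir layout and the contents of the sample include file are assumptions constructed for the demo.

```bash
#!/usr/bin/env bash
# Added example (not Centmin Mod code). Simplifications: follows plain
# `include /abs/path;` lines one level deep and treats the whole vhost file
# as one context.

# find_directive <directive> <vhost.conf>
# Prints "file:line:value" for each uncommented definition.
find_directive() {
    local directive=$1 vhost=$2 file
    {
        printf '%s\n' "$vhost"
        awk '$1 == "include" { sub(/;$/, "", $2); print $2 }' "$vhost"
    } | while IFS= read -r file; do
        [ -r "$file" ] || continue
        awk -v d="$directive" -v f="$file" \
            '$1 == d { v = $2; sub(/;$/, "", v); print f ":" NR ":" v }' "$file"
    done
}

# stapling_status <vhost.conf>
# Prints: off (no "ssl_stapling_verify on"), missing, ok or duplicate.
stapling_status() {
    local vhost=$1 count
    if ! find_directive ssl_stapling_verify "$vhost" | grep -q ':on$'; then
        echo off
        return 0
    fi
    count=$(find_directive ssl_trusted_certificate "$vhost" | grep -c . || true)
    case $count in
        0) echo missing ;;
        1) echo ok ;;
        *) echo duplicate ;;
    esac
}

# make_sample <dir> <yes|no>: constructed files mirroring the thread. The
# cert include already sets ssl_trusted_certificate; "yes" also adds the
# line to the vhost itself, as was tried above.
make_sample() {
    local dir=$1 extra=$2
    printf '  ssl_trusted_certificate %s/sub.domain.net-acme.cer;\n' "$dir" \
        > "$dir/sub.domain.net.crt.key.conf"
    {
        echo 'server {'
        echo '  listen 443 ssl http2;'
        echo "  include $dir/sub.domain.net.crt.key.conf;"
        echo '  #include /usr/local/nginx/conf/cloudflare.conf;'
        echo '  ssl_stapling on;'
        echo '  ssl_stapling_verify on;'
        if [ "$extra" = yes ]; then
            echo "  ssl_trusted_certificate $dir/sub.domain.net-acme.cer;"
        fi
        echo '}'
    } > "$dir/vhost.ssl.conf"
}

demo_dir=$(mktemp -d)
make_sample "$demo_dir" no
echo "as generated:     $(stapling_status "$demo_dir/vhost.ssl.conf")"
make_sample "$demo_dir" yes
echo "line added again: $(stapling_status "$demo_dir/vhost.ssl.conf")"
find_directive ssl_trusted_certificate "$demo_dir/vhost.ssl.conf"
rm -rf "$demo_dir"
```

On a real server, point `stapling_status` at the vhost file under /usr/local/nginx/conf/conf.d/ and run `nginx -t` before restarting.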
  12. Jota

    Yes, still having this issue.

    But I'm sure this is happening to anyone using Centmin Mod + Let's Encrypt, coz I tested the same thing on multiple fresh test Centmin boxes and always the same problem.
     
  13. eva2000

    all on same server/web host or some different servers or different web hosts ?

    I haven't run into this once yet myself.

    On XF forums one person said changing their ssl ciphers from Centmin Mod ones helped with pingdom issue despite no problems with normal non-pingdom access

    Centmin Mod ones
    Code (Text):
    ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA256:EECDH+ECDSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+SHA384:EECDH+AES128:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!CAMELLIA;
    

    to Mozilla intermediates helped them
    Code (Text):
    ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
    

    restart nginx

    but then again some XF users reported using Mozilla ones also had the pingdom problem
     
  14. Jota

    I'll try this next .....

    I tried these SSL tests on multiple fresh VPS servers on multiple and different providers / nodes (tested in our nodes, in Vultr, in Digital Ocean) .... always same problem. Even with a fresh clean WP site, always same problem.

    So weird ..... I'll try ur suggestion soon, let's see.
     
  15. Jota

    Hey ! seems that this one worked ! Yay ! Thanks a lot !!! ;)
     
  16. eva2000

    Last edited: Aug 19, 2017
  17. Jimmy

    Jimmy Premium Member

    I noticed that the old ssl_ciphers vs. the new ones lack a lot of the ! entries.

    Code:
    !aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!CAMELLIA;
    Should those be included? It appears only !DSS is on the new list.
     
  18. eva2000

    not needed anymore as latest openssl and libressl have deprecated most of those ssl ciphers so no need to disable them at ssl_cipher level
     