
Cloudflare SSL Fails when using Cloudflare Full Strict

Discussion in 'Domains, DNS, Email & SSL Certificates' started by Itworx4me, Jan 31, 2024.

  1. Itworx4me

    I just transferred my site to a new server. Set up the vhost with an SSL signed certificate. I was using Full Strict with my domain through Cloudflare. I get a host error when using Full Strict. If I change to Full I can access my site just fine on the new server. I did find this error but don't know how to fix it.

    Code (Text):
    nginx -t
    nginx: [warn] the "listen ... http2" directive is deprecated, use the "http2" directive instead in /usr/local/nginx/conf/conf.d/domain1.com.ssl.conf:17
    nginx: [warn] the "listen ... http2" directive is deprecated, use the "http2" directive instead in /usr/local/nginx/conf/conf.d/domain2.com.ssl.conf:17
    nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
    nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful



    How do I fix the above error?

    Thanks,
    Itworx4me
     
  2. duderuud

    Change
    Code:
    listen 443 ssl http2;
    
    to
    Code:
    listen 443 ssl;
    http2 on;
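    The rewrite duderuud describes, applied mechanically, as an added example that is not part of this thread or of Centmin Mod: a Python script that finds `listen ... http2` directives (reporting their line numbers the way `nginx -t` does), strips the deprecated parameter, and adds `http2 on;` once per server block, even when a block has both IPv4 and IPv6 listen lines. The sample vhost text and its file paths are constructed for illustration. After running it on a real file, confirm with `nginx -t` before reloading.

```python
import re

# Constructed sample vhost in the pre-1.25.1 form that triggers the nginx -t
# warning quoted in the thread (not a real Centmin Mod file).
SAMPLE_VHOST = """\
server {
  listen 443 ssl http2;
  listen [::]:443 ssl http2;
  server_name domain1.com www.domain1.com;
  ssl_certificate /usr/local/nginx/conf/ssl/domain1.com/domain1.com.crt;
  ssl_certificate_key /usr/local/nginx/conf/ssl/domain1.com/domain1.com.key;
}
server {
  listen 80;
  server_name domain1.com www.domain1.com;
}
"""

# A listen directive that still carries the deprecated `http2` parameter.
LISTEN_HTTP2 = re.compile(r'^(\s*listen\b[^;#]*?)\s+http2\b([^;]*;)')


def deprecated_listen_lines(conf: str) -> list:
    """1-based line numbers of `listen ... http2` directives, as nginx -t reports them."""
    return [i for i, line in enumerate(conf.splitlines(), 1) if LISTEN_HTTP2.match(line)]


def modernize_http2(conf: str) -> str:
    """Drop `http2` from every listen directive and add a single `http2 on;`
    to each server block that had it (the replacement duderuud describes)."""
    out = []
    stack = []          # ids of the brace blocks enclosing the current line
    next_id = 0
    patched = set()     # block ids that already received `http2 on;`
    for line in conf.splitlines():
        m = LISTEN_HTTP2.match(line)
        if m:
            line = m.group(1) + m.group(2)
            out.append(line)
            block = stack[-1] if stack else None
            if block not in patched:
                indent = re.match(r'\s*', line).group(0)
                out.append(indent + "http2 on;")
                patched.add(block)
        else:
            out.append(line)
        # Track braces after emitting the line; ignore anything after a comment marker.
        for ch in line.split('#', 1)[0]:
            if ch == '{':
                stack.append(next_id)
                next_id += 1
            elif ch == '}' and stack:
                stack.pop()
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("deprecated listen lines:", deprecated_listen_lines(SAMPLE_VHOST))
    print(modernize_http2(SAMPLE_VHOST))
```

    Running it a second time changes nothing, so it is safe to apply across every file in `conf.d/` and then diff the results.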
    
     
  3. Itworx4me

    Thank you. This fixed the above error.
     
  4. Itworx4me

    @eva2000 I am still not able to use Full Strict. Full works just fine. Do I just keep that setting?

    Thanks,
    Itworx4me
     
  5. Itworx4me

    Full strict worked just fine on my old server. Using centmin beta.
     
  6. Itworx4me

    I found that my hostname was set wrong. So I fixed the hostname. Now why would my host.domain.com go to the first vhost site I created? Shouldn't it go to the Centmin tools page?
     
  7. eva2000

    Did you update the main hostname in the /usr/local/nginx/conf/conf.d/virtual.conf nginx vhost too, as outlined in Getting Started Guide step 1 (Getting Started Guide - CentminMod.com LEMP Nginx web stack for CentOS)?
     
  8. Itworx4me

    Here is my virtual.conf
    Code (Text):
    server {
                listen 80 default_server backlog=131070 reuseport;
                server_name host.my-domain-name.com;
                root   html;
    
            access_log              /var/log/nginx/localhost.access.log     combined buffer=256k flush=5m;
            #access_log              /var/log/nginx/localhost.access.json    main_json buffer=256k flush=5m;
            error_log               /var/log/nginx/localhost.error.log      error;
    
    # ngx_pagespeed & ngx_pagespeed handler
    #include /usr/local/nginx/conf/pagespeed.conf;
    #include /usr/local/nginx/conf/pagespeedhandler.conf;
    #include /usr/local/nginx/conf/pagespeedstatslog.conf;
    
    # limit_conn limit_per_ip 16;
    # ssi  on;
    
            location /nginx_status {
            stub_status on;
            access_log   off;
            allow 127.0.0.1;
            #allow youripaddress;
            deny all;
            }
    
                location / {
    
    # block common exploits, sql injections etc
    #include /usr/local/nginx/conf/block.conf;
    
    #Enables directory listings when index file not found
    #autoindex  on;
    
    #Shows file listing times as local time
    #autoindex_localtime on;
    
    # Wordpress Permalinks example
    #try_files \$uri \$uri/ /index.php?q=\$uri&\$args;
    
                }
    
    include /usr/local/nginx/conf/php.conf;
    include /usr/local/nginx/conf/staticfiles.conf;
    include /usr/local/nginx/conf/include_opcache.conf;
    
    #include /usr/local/nginx/conf/phpstatus.conf;
    include /usr/local/nginx/conf/drop.conf;
    #include /usr/local/nginx/conf/errorpage.conf;
    #include /usr/local/nginx/conf/vts_mainserver.conf;
    
           }


    Code (Text):
     hostnamectl status
       Static hostname: host.my-domain-name.com
             Icon name: computer-server
               Chassis: server
            Machine ID: ************************
               Boot ID: *************************
      Operating System: Rocky Linux 8.9 (Green Obsidian)
           CPE OS Name: cpe:/o:rocky:rocky:8:GA
                Kernel: Linux 4.18.0-513.11.1.el8_9.x86_64
          Architecture: x86-64

    To me it looks like everything is set correctly.

    Thanks,
    Itworx4me
     
  9. Itworx4me

    Set up my test server tonight. Went through the whole install process on the Getting Started Guide. The same thing happened. The host addy pulls up a vhost account. Something fishy is going on...lol
     
  10. eva2000

    For that vhost account's nginx vhost: when you create a new nginx vhost domain via centmin.sh menu option 2 or menu option 22, or via the /usr/bin/nv CLI command line, you will create the Nginx vhost files and directories. The output shows the path location where it creates the domain name's vhost conf file named newdomain.com.conf (and newdomain.com.ssl.conf if you selected yes to self-signed SSL):
    • Nginx vhost conf path will be at /usr/local/nginx/conf/conf.d/newdomain.com.conf
    • Nginx HTTP/2 SSL vhost conf path will be at /usr/local/nginx/conf/conf.d/newdomain.com.ssl.conf
    • Nginx Self-Signed SSL Certificate Directory at /usr/local/nginx/conf/ssl/newdomain.com
    • Vhost public web root will be at /home/nginx/domains/newdomain.com/public
    • Vhost log directory will be at /home/nginx/domains/newdomain.com/log
    Please post the contents of /usr/local/nginx/conf/conf.d/newdomain.com.conf and, if applicable, /usr/local/nginx/conf/conf.d/newdomain.com.ssl.conf wrapped in CODE tags (outlined at How to use forum BBCODE code tags).

    What is the output of these commands in SSH?
    Code (Text):
    curl -I https://domain.com
    

    Code (Text):
    curl -I https://www.domain.com
    

    Code (Text):
    curl -I http://domain.com
    

    Code (Text):
    curl -I http://www.domain.com
    

    Wrap the output in CODE tags.
     
  11. Itworx4me

    Code (Text):
    Server
    
    curl -I https://insidepromod.com
    HTTP/2 200
    date: Fri, 02 Feb 2024 15:17:45 GMT
    content-type: text/html; charset=utf-8
    x-frame-options: SAMEORIGIN
    x-content-type-options: nosniff
    x-content-type-options: nosniff
    last-modified: Fri, 02 Feb 2024 15:17:45 GMT
    expires: Thu, 19 Nov 1981 08:52:00 GMT
    cache-control: private, no-cache, max-age=0
    vary: Accept-Encoding
    set-cookie: xf_csrf=rPX1up0iADI_Xjkc; path=/; secure
    x-powered-by: centminmod
    x-xss-protection: 1; mode=block
    cf-cache-status: DYNAMIC
    report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=kCQcReGwwLelw48Y9OzUMk14ISpxDfPPj%2F7Uzdu783Mj9C%2F1InUqBEbn%2F7hh7ojy1lOwqPmzXtHbOBDJMIEe8ffWjitrLaVprhE7R948kLen54XToTikzHAVsJOP8vn32eXx"}],"group":"cf-nel","max_age":604800}
    nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    server: cloudflare
    cf-ray: 84f3671dad1c4940-TPA
    alt-svc: h3=":443"; ma=86400
    
    curl -I https://www.insidepromod.com
    HTTP/2 200
    date: Fri, 02 Feb 2024 15:18:39 GMT
    content-type: text/html; charset=utf-8
    x-frame-options: SAMEORIGIN
    x-content-type-options: nosniff
    x-content-type-options: nosniff
    last-modified: Fri, 02 Feb 2024 15:18:39 GMT
    expires: Thu, 19 Nov 1981 08:52:00 GMT
    cache-control: private, no-cache, max-age=0
    vary: Accept-Encoding
    set-cookie: xf_csrf=le8M5riHA1KDbpIS; path=/; secure
    x-powered-by: centminmod
    x-xss-protection: 1; mode=block
    cf-cache-status: DYNAMIC
    report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=HGOmJ9Qkfa2bfKAiv06EaV%2FQnOpApUhRH2S5SmMfIaLGOef9mePJNmzQqEInVLKUOwvfJiQbpix3EG0WRFTpTpw%2Bw6GlrnMi3cBvINgqPFjOOqLRdf3VbIWVjxguDa%2BE7HDcLmW89g%3D%3D"}],"group":"cf-nel","max_age":604800}
    nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    server: cloudflare
    cf-ray: 84f3687149524944-TPA
    alt-svc: h3=":443"; ma=86400
    
    curl -I http://insidepromod.com
    HTTP/1.1 200 OK
    Date: Fri, 02 Feb 2024 15:19:39 GMT
    Content-Type: text/html; charset=utf-8
    Connection: keep-alive
    X-Frame-Options: SAMEORIGIN
    X-Content-Type-Options: nosniff
    X-Content-Type-Options: nosniff
    Last-Modified: Fri, 02 Feb 2024 15:19:39 GMT
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: private, no-cache, max-age=0
    Vary: Accept-Encoding
    Set-Cookie: xf_csrf=9e5amZhxWA0W6k28; path=/
    X-Powered-By: centminmod
    X-Xss-Protection: 1; mode=block
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=4UfZtYGYP1MB9J1xyjCc0f5LVLAKAVQTkDz%2F%2BUBwC4jBSrvmEn%2F%2Btg6s%2BaPf%2BcP7ncnfSB5EwkCM0lOCsSTIYwt%2FqL93lw3sxlO1h%2BvagAnMwZtbuMWQ1nJG6FSr4LovRF1u"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 84f369e60e364948-TPA
    alt-svc: h3=":443"; ma=86400
    
    curl -I http://www.insidepromod.com
    HTTP/1.1 200 OK
    Date: Fri, 02 Feb 2024 15:20:14 GMT
    Content-Type: text/html; charset=utf-8
    Connection: keep-alive
    X-Frame-Options: SAMEORIGIN
    X-Content-Type-Options: nosniff
    X-Content-Type-Options: nosniff
    Last-Modified: Fri, 02 Feb 2024 15:20:14 GMT
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: private, no-cache, max-age=0
    Vary: Accept-Encoding
    Set-Cookie: xf_csrf=PTh9cQ3HmPLgh57a; path=/
    X-Powered-By: centminmod
    X-Xss-Protection: 1; mode=block
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=DYuMcPEMwgJPkIEaPPOriM5ZNu%2Bs9ClW%2FeewuoitMoRW0sXKPfnree9dZ9Z3OIbBwW0NNbGWFUQG9Q76IzNl7vYqArnpkbkCp9I7zfAGbvq35Y8CBvg0uAj7bMZ16MOwK5JmxVzV3w%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 84f36ac36967494c-TPA
    alt-svc: h3=":443"; ma=86400
     
  12. Itworx4me

    Code (Text):
    Server
    
    curl -I https://nitromater.com
    HTTP/2 200
    date: Fri, 02 Feb 2024 15:11:40 GMT
    content-type: text/html; charset=utf-8
    x-frame-options: SAMEORIGIN
    x-content-type-options: nosniff
    x-content-type-options: nosniff
    last-modified: Fri, 02 Feb 2024 15:11:40 GMT
    expires: Thu, 19 Nov 1981 08:52:00 GMT
    cache-control: private, no-cache, max-age=0
    vary: Accept-Encoding
    set-cookie: xf_csrf=4EfWYxi86PRIoTop; path=/; secure
    x-powered-by: centminmod
    x-xss-protection: 1; mode=block
    cf-cache-status: DYNAMIC
    report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=G4Wz2zRVQVCq9hfvNNlcwpZQrLt5b4GUvtOZOx76o31D60ApfoAOV1lvZB7WR8oeQ7TuOmE9GOc2aQOu9%2B0ixDwzOFRp5JAzmxmPR3RisYTOQ2WwWRZYdHBlyC%2FfVFT%2B"}],"group":"cf-nel","max_age":604800}
    nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    server: cloudflare
    cf-ray: 84f35e373e5d494c-TPA
    
    curl -I https://www.nitromater.com
    HTTP/2 200
    date: Fri, 02 Feb 2024 15:13:54 GMT
    content-type: text/html; charset=utf-8
    x-frame-options: SAMEORIGIN
    x-content-type-options: nosniff
    x-content-type-options: nosniff
    last-modified: Fri, 02 Feb 2024 15:13:54 GMT
    expires: Thu, 19 Nov 1981 08:52:00 GMT
    cache-control: private, no-cache, max-age=0
    vary: Accept-Encoding
    set-cookie: xf_csrf=Z0ENOxCUXfLwlFuJ; path=/; secure
    x-powered-by: centminmod
    x-xss-protection: 1; mode=block
    cf-cache-status: DYNAMIC
    report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=51UoJQE7pomoEpLDI%2Bs6d1OXnKanwt67rwCBIlDaY1q142GVNY5rVyPFt44%2BgoMo6qyKb9neVvZEm71vrQXjZDVzC52KZuc18ydETfGv54sH2aaSmrMjzlgMwaHZy%2BlK6rNAlg%3D%3D"}],"group":"cf-nel","max_age":604800}
    nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    server: cloudflare
    cf-ray: 84f36178df004942-TPA
    
    curl -I http://nitromater.com
    HTTP/1.1 200 OK
    Date: Fri, 02 Feb 2024 15:14:43 GMT
    Content-Type: text/html; charset=utf-8
    Connection: keep-alive
    X-Frame-Options: SAMEORIGIN
    X-Content-Type-Options: nosniff
    X-Content-Type-Options: nosniff
    Last-Modified: Fri, 02 Feb 2024 15:14:43 GMT
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: private, no-cache, max-age=0
    Vary: Accept-Encoding
    Set-Cookie: xf_csrf=emA2NqWoN8zjGAUT; path=/
    X-Powered-By: centminmod
    X-Xss-Protection: 1; mode=block
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=HtE%2BHvQJ%2FF51h9bamMguemwZVJM2uzdvVfdZeIjhMyNSR0SvhRCpTT3%2BtfyZpktUQw5b7H9vzT9Wgp7Ntril3lLixj7JNPOcdJqOYqRusjq4Av8DSsiKiKXGbip3PGdz"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 84f362b01ea7494e-TPA
    
    curl -I http://www.nitromater.com
    HTTP/1.1 200 OK
    Date: Fri, 02 Feb 2024 15:16:45 GMT
    Content-Type: text/html; charset=utf-8
    Connection: keep-alive
    X-Frame-Options: SAMEORIGIN
    X-Content-Type-Options: nosniff
    X-Content-Type-Options: nosniff
    Last-Modified: Fri, 02 Feb 2024 15:16:45 GMT
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: private, no-cache, max-age=0
    Vary: Accept-Encoding
    Set-Cookie: xf_csrf=tzo5ztmUOjq2aMNE; path=/
    X-Powered-By: centminmod
    X-Xss-Protection: 1; mode=block
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=90fqcAJfQ6k3ndGnuaEmc4k2mKnsm2r8EqgbnANpbeu9NPuvd5ZrMHjjT3O9ju2Wa5NC%2BKXaRFoqdLUfSqMfuWhK55wUKeFaJM9EdItZEuTuuaoakT%2FxVbkiWitkihqzQLOsDg%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 84f365a82f31494c-TPA
     
  13. Itworx4me

    I have found the issue as to why it's happening but I have no idea why it's happening.
    When I have Cloudflare set to SSL/TLS Full it pulls the vhost. If I change it to SSL/TLS Flexible, the hostname.domain.com comes up like it should.

    o_O
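    Why the Cloudflare mode changes which site answers can be reproduced with a small model of nginx's server selection. This is an added example, not from the thread or from Centmin Mod, and the vhost layout it encodes is constructed from what the thread shows: the posted virtual.conf listens on port 80 only (as `default_server`), while the two domain vhosts also have `*.ssl.conf` files on port 443. Flexible makes Cloudflare connect to port 80, where the main hostname matches; Full and Full (strict) connect to port 443, where no server block carries that name and no `default_server` exists, so nginx falls back to the first port-443 block it loaded. The selection logic is a simplification of nginx's (exact name, leading-wildcard name, `default_server`, then first block for that port; regex names and per-address matching are omitted), and `with_ssl_main_vhost` is a hypothetical fix shown only in the model.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Vhost:
    conf: str                    # file the block came from (reporting only)
    listens: Dict[int, bool]     # port -> True if `default_server` is set on that listen
    server_names: List[str]


# Constructed model of the thread's layout. nginx loads conf.d/*.conf in name
# order, so the two *.ssl.conf files are the only port-443 servers and
# domain1.com.ssl.conf is the first of them. virtual.conf (the main hostname)
# listens on port 80 only, exactly as the posted file shows.
VHOSTS = [
    Vhost("domain1.com.conf",     {80: False},  ["domain1.com", "www.domain1.com"]),
    Vhost("domain1.com.ssl.conf", {443: False}, ["domain1.com", "www.domain1.com"]),
    Vhost("domain2.com.conf",     {80: False},  ["domain2.com", "www.domain2.com"]),
    Vhost("domain2.com.ssl.conf", {443: False}, ["domain2.com", "www.domain2.com"]),
    Vhost("virtual.conf",         {80: True},   ["host.my-domain-name.com"]),
]


def select_vhost(vhosts: List[Vhost], port: int, host: str) -> Optional[Vhost]:
    """Simplified nginx server selection for one listen port: exact name,
    then leading-wildcard name, then the listen marked default_server, then
    the first server block defined for that port."""
    host = host.lower().rstrip(".")
    candidates = [v for v in vhosts if port in v.listens]
    if not candidates:
        return None
    for v in candidates:
        if host in (n.lower() for n in v.server_names):
            return v
    for v in candidates:
        if any(n.startswith("*.") and host.endswith(n[1:].lower()) for n in v.server_names):
            return v
    for v in candidates:
        if v.listens[port]:
            return v
    return candidates[0]


def origin_port(cloudflare_mode: str) -> int:
    """Port Cloudflare connects to on the origin: Flexible uses plain HTTP on 80,
    Full and Full (strict) use HTTPS on 443."""
    mode = cloudflare_mode.lower()
    if mode == "flexible":
        return 80
    if mode in ("full", "full (strict)", "full strict"):
        return 443
    raise ValueError(f"unknown Cloudflare SSL mode: {cloudflare_mode!r}")


def serving_conf(vhosts: List[Vhost], cloudflare_mode: str, host: str) -> Optional[str]:
    """Which conf file answers `host` when Cloudflare is in the given mode."""
    v = select_vhost(vhosts, origin_port(cloudflare_mode), host)
    return v.conf if v else None


def with_ssl_main_vhost(vhosts: List[Vhost]) -> List[Vhost]:
    """Hypothetical fix, model only: give virtual.conf a default_server listen on
    443 as well (in real nginx it would also need ssl_certificate/_key lines)."""
    return [Vhost(v.conf, {**v.listens, 443: True}, v.server_names) if v.conf == "virtual.conf" else v
            for v in vhosts]


if __name__ == "__main__":
    host = "host.my-domain-name.com"
    for mode in ("Flexible", "Full", "Full (strict)"):
        print(f"{mode:14} -> {serving_conf(VHOSTS, mode, host)}")
    print("after fix, Full ->", serving_conf(with_ssl_main_vhost(VHOSTS), "Full", host))
```

    The model also shows the security side of the fallback: any name Cloudflare (or anyone reaching the origin directly) presents on port 443 that no block claims is answered by whichever vhost happens to sort first, which is why a dedicated default server on every listening port is the usual hardening step.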
     
  15. Itworx4me

    @eva2000 what should I check next in order to fix this issue?
     
  16. Itworx4me

    I am now getting users complaining that they can't connect to our site using Mac and Safari 16.3. They are getting a bad gateway message. Any ideas??
     
  17. eva2000

    From your first post you had Cloudflare FULL Strict; are you still using that, or Cloudflare FULL non-strict? If your domain Nginx vhost has self-signed SSL setup, you want to use Cloudflare FULL non-strict so that Cloudflare connects and talks to your Nginx vhost with HTTPS and the self-signed SSL cert. If you switch to Cloudflare Flexible SSL, you are telling Cloudflare to connect to the non-HTTPS port 80 site, and your domain may not have that if you chose HTTPS default Nginx vhost creation.

    What error code, 502 or 504 bad gateway? Could be PHP being overloaded and needing tuning; see https://community.centminmod.com/threads/how-to-troubleshoot-optimize-php-fpm-server.15317/
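    What each Cloudflare mode demands of the origin, as an added example that is not from the thread or from Centmin Mod: a Python script, using only the standard library's `ssl` and `socket` modules, that probes the origin directly. It first attempts a TLS handshake with trusted-CA chain and hostname verification (what Full (strict) requires), then falls back to an unverified handshake (what Full accepts, for example a self-signed cert), and otherwise reports that only Flexible, with plaintext Cloudflare-to-origin traffic on port 80, would work. `host.example.com` and `203.0.113.10` are placeholders; to bypass the Cloudflare proxy, pass the origin IP as the first argument and the site name as the second so SNI and hostname checks still use the real name.

```python
import socket
import ssl
import sys
from dataclasses import dataclass


@dataclass
class Probe:
    tcp: bool        # port accepted the connection
    tls: bool        # a TLS handshake completed (with verification disabled)
    verified: bool   # handshake also passed trusted-CA chain + hostname checks
    detail: str


def _handshake(host: str, port: int, timeout: float, verify: bool, sni: str) -> str:
    """One TLS connection; returns the negotiated protocol version."""
    ctx = ssl.create_default_context()      # system CA store, hostname check on
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE     # accept self-signed: what Full (non-strict) does
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni) as tls:
            return tls.version()


def tls_probe(host: str, port: int = 443, timeout: float = 5.0, sni: str = None) -> Probe:
    """Probe the origin directly. `sni` defaults to `host`; set it to the site
    name when `host` is the origin IP."""
    sni = sni or host
    try:
        return Probe(True, True, True, _handshake(host, port, timeout, True, sni))
    except ssl.SSLCertVerificationError as exc:        # subclass of SSLError: catch first
        reason = "certificate not trusted: " + getattr(exc, "verify_message", str(exc))
    except ssl.SSLError as exc:
        return Probe(True, False, False, f"TLS handshake failed: {exc}")
    except OSError as exc:
        return Probe(False, False, False, f"no connection: {exc}")
    # Trusted-CA verification failed; see whether TLS works at all.
    try:
        _handshake(host, port, timeout, False, sni)
        return Probe(True, True, False, reason)
    except OSError as exc:
        return Probe(True, False, False, f"TLS handshake failed: {exc}")


def recommend_mode(p: Probe) -> tuple:
    """Map what the origin offers to the strongest Cloudflare SSL/TLS mode it
    can support, with the reason (mirrors eva2000's explanation above)."""
    if p.verified:
        return ("Full (strict)", "origin serves a publicly trusted certificate for this hostname")
    if p.tls:
        return ("Full", f"origin speaks HTTPS but the certificate does not validate ({p.detail}); "
                        "Full (strict) fails until a trusted certificate is installed")
    if p.tcp:
        return ("Flexible", f"port 443 accepts connections but no TLS handshake completed ({p.detail}); "
                            "Flexible means Cloudflare reaches the origin over plain HTTP on port 80")
    return ("Flexible", f"nothing answered on 443 ({p.detail}); only a port-80 vhost can serve it, "
                        "and Cloudflare-to-origin traffic is then unencrypted")


if __name__ == "__main__":
    # Placeholders: python3 probe.py 203.0.113.10 host.example.com
    target = sys.argv[1] if len(sys.argv) > 1 else "host.example.com"
    name = sys.argv[2] if len(sys.argv) > 2 else None
    mode, why = recommend_mode(tls_probe(target, sni=name))
    print(f"{name or target}: use Cloudflare {mode}: {why}")
```

    The first branch is the one Full (strict) exercises: the origin certificate must chain to a CA the client trusts and carry the hostname Cloudflare asks for, so a self-signed Centmin vhost cert lands in the second branch and needs Full (non-strict) until a trusted cert is installed.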