
Letsencrypt SSL upgrade

Discussion in 'Install & Upgrades or Pre-Install Questions' started by xenbiarritz, May 1, 2019.

  1. xenbiarritz

    xenbiarritz Member

    34
    3
    8
    May 7, 2017
    Ratings:
    +3
    Local Time:
    6:23 PM
    Hi,

    I would like to know how to upgrade SSL on Centmin Mod. I upgraded XF 1.5 to XF 2.1.

    How can I do this as an upgrade for SSL?
    Code:
    # enable letsencrypt ssl certificate + dual RSA+ECDSA ssl certs https://centminmod.com/acmetool/
    echo "LETSENCRYPT_DETECT='y'" >> /etc/centminmod/custom_config.inc
    echo "DUALCERTS='y'" >> /etc/centminmod/custom_config.inc
     
  2. eva2000

    eva2000 Administrator Staff Member

    41,274
    9,260
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +14,207
    Local Time:
    2:23 AM
    Nginx 1.17.x
    MariaDB 5.5/10.x
    If your XF 1.5 install had a Letsencrypt SSL certificate, then your in-place upgrade to XF 2.1 on the same server with the same domain name would also have the same Letsencrypt SSL certificate, so there is nothing to upgrade. Or do you mean you want to go from a single RSA 2048bit Letsencrypt SSL certificate to using dual RSA 2048bit + ECDSA 256bit SSL certificates for your domain, as outlined at https://community.centminmod.com/th...-dual-ecdsa-rsa-ssl-certificate-support.7449/ ?

    If you want to use dual RSA 2048bit + ECDSA 256bit SSL certificates, ensure your persistent config file /etc/centminmod/custom_config.inc has these 2 set:
    Code (Text):
    LETSENCRYPT_DETECT='y'
    DUALCERTS='y'
    

    The DUALCERTS='y' setting will create dual RSA + ECDSA SSL certs for any new Nginx site created in future via centmin.sh menu option 2, 22 or the nv command.

    But for existing Nginx vhosts created beforehand you'd need one extra step. Provided your domain is already using a Centmin Mod generated Nginx HTTPS/SSL vhost and you have the Nginx vhost in the format /usr/local/nginx/conf/conf.d/domain.com.ssl.conf, you should be able to use the acmetool.sh reissue-only option to reissue Letsencrypt SSL certs in both RSA 2048bit + ECDSA 256bit SSL certificate types.
    Then test the domain using the SSLlabs tester to verify that you have both RSA 2048bit + ECDSA 256bit Letsencrypt SSL certificates: SSL Server Test (Powered by Qualys SSL Labs)
     
    Last edited: May 1, 2019
  3. xenbiarritz

    I have made the change and when I test on SSL Labs it returns
    that I have 2 certificates, is it normal?

    Certificate #1: EC 256 bits (SHA256withRSA)
    Certificate #2: RSA 2048 bits (SHA256withRSA)

    It also returns

    TLS 1.3 No
    TLS 1.2 Yes
    TLS 1.1 Yes
    TLS 1.0 Yes
    SSL 3 No
    SSL 2 No
    For TLS 1.3 tests, we only support RFC 8446
     
  4. eva2000

    Yup, that is what a dual RSA + ECDSA SSL cert is: serving the SSL cert type conditionally, depending on what the web browser or client supports.

    123.09beta01 now has TLS 1.3 support, see https://community.centminmod.com/threads/centmin-mod-nginx-http-2-https-tls-1-3-support.15537/. It is recommended to use Nginx with OpenSSL 1.1.1+: https://community.centminmod.com/threads/openssl-1-1-1-released-with-tls-1-3-support.15592/

    Also, are you using Cloudflare? If so, the SSL Labs test is against Cloudflare's servers and not Centmin Mod Nginx.

    What's the output for
    Code (Text):
    nginx -V
     
  5. xenbiarritz

    I don't use Cloudflare anymore.

    Here is nginx -V:

    Code:
    nginx version: nginx/1.15.12 (240419-135718-centos7-kvm)
    built by gcc 8.2.1 20180905 (Red Hat 8.2.1-3) (GCC)
    built with OpenSSL 1.1.1b  26 Feb 2019
    TLS SNI support enabled
    configure arguments: --with-ld-opt='-Wl,-E -L/usr/local/zlib-cf/lib -L/usr/local/lib -ljemalloc -lpcre -Wl,-z,relro -Wl,-rpath,/usr/local/zlib-cf/lib:/usr/local/lib' --with-cc-opt='-I/usr/local/zlib-cf/include -I/usr/local/include -m64 -march=native -DTCP_FASTOPEN=23 -g -O3 -fstack-protector-strong -flto -fuse-ld=gold --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wimplicit-fallthrough=0 -fcode-hoisting -Wp,-D_FORTIFY_SOURCE=2 -Wno-deprecated-declarations -gsplit-dwarf' --sbin-path=/usr/local/sbin/nginx --conf-path=/usr/local/nginx/conf/nginx.conf --build=240419-135718-centos7-kvm --with-compat --with-http_stub_status_module --with-http_secure_link_module --with-libatomic --with-http_gzip_static_module --add-dynamic-module=../ngx_brotli --with-http_sub_module --with-http_addition_module --with-http_image_filter_module=dynamic --with-http_geoip_module=dynamic --with-stream_geoip_module --with-stream_realip_module --with-stream_ssl_preread_module --with-threads --with-stream --with-stream_ssl_module --with-http_realip_module --add-dynamic-module=../ngx-fancyindex-0.4.2 --add-module=../ngx_cache_purge-2.5 --add-dynamic-module=../ngx_devel_kit-0.3.0 --add-dynamic-module=../set-misc-nginx-module-0.32 --add-dynamic-module=../echo-nginx-module-0.61 --add-dynamic-module=../redis2-nginx-module-0.15 --add-module=../ngx_http_redis-0.3.7 --add-dynamic-module=../lua-nginx-module-0.10.14 --add-module=../stream-lua-nginx-module-0.0.6 --add-dynamic-module=../memc-nginx-module-0.18 --add-dynamic-module=../srcache-nginx-module-0.31 --add-dynamic-module=../headers-more-nginx-module-0.33 --with-pcre-jit --with-zlib=../zlib-cloudflare-1.3.0 --with-http_ssl_module --with-http_v2_module --with-openssl=../openssl-1.1.1b --with-openssl-opt='enable-ec_nistp_64_gcc_128'
    
     
  6. eva2000

    Check /usr/local/nginx/conf/ssl_include.conf to see if it lists TLSv1.3 in ssl_protocols:
    Code (Text):
    ssl_protocols  TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;

    Then restart Nginx.
     
  7. xenbiarritz

    No, I don't have TLSv1.3 in /usr/local/nginx/conf/ssl_include.conf,
    so I added it and ran ngxrestart.


    I also have a file named ssl-include.conf with
    Code:
      ssl_session_cache      shared:SSL:10m;
      ssl_session_timeout    60m;
      ssl_protocols  TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    But still no 1.3 in the test.
     
  8. eva2000

    What are the contents of /etc/centminmod/custom_config.inc? Just seeing if anything is disabling TLS 1.3.

    But also check your SSL ciphers in the Nginx vhost as per https://community.centminmod.com/th...-with-tls-1-3-support.15592/page-2#post-67293 and change to
    Code (Text):
    ssl_ciphers TLS13-AES-128-GCM-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS;
    
     
  9. xenbiarritz

    I want to be sure I do it correctly, tell me if I am wrong.

    I changed the ssl_ciphers in conf.d/mywebsite.ssl.conf, is that correct?

    After this I ran ngxrestart and it returned an error "duplicate ssl_trusted_certificate" on /usr/local/nginx/conf/ssl/mywebsite.com/mywebsite.com.crt.key.conf.

    I don't know which one to remove:

    Code:
      ssl_dhparam /usr/local/nginx/conf/ssl/mywebsite.com/dhparam.pem;
      ssl_certificate      /usr/local/nginx/conf/ssl/mywebsite.com/mywebsite.com-acme.cer;
      ssl_certificate_key  /usr/local/nginx/conf/ssl/mywebsite.com/mywebsite.com-acme.key;
    
      ssl_certificate      /usr/local/nginx/conf/ssl/mywebsite.com/mywebsite.com-acme-ecc.cer;
      ssl_certificate_key  /usr/local/nginx/conf/ssl/mywebsite.com/mywebsite.com-acme-ecc.key;
     
      ssl_trusted_certificate /usr/local/nginx/conf/ssl/mywebsite.com/mywebsite.com-acme.cer;
      ssl_trusted_certificate /usr/local/nginx/conf/ssl/mywebsite.com/mywebsite.com-acme-ecc.cer;
      ssl_trusted_certificate /usr/local/nginx/conf/ssl/mywebsite.com/mywebsite.com-dualcert-rsa-ecc.cer;
    And here is my /etc/centminmod/custom_config.inc:
    Code:
    NGINX_PAGESPEED=n
    NGINX_ZLIBCUSTOM='y'
    ORESTY_LUANGINX=y
    NGINX_XSLT='n'
    NGINX_LIBBROTLI='y'
    NGXDYNAMIC_XSLT='n'
    NGXDYNAMIC_IMAGEFILTER='y'
    NGXDYNAMIC_GEOIP='y'
    NGXDYNAMIC_STREAM='y'
    NGXDYNAMIC_HEADERSMORE='y'
    NGXDYNAMIC_SETMISC='y'
    NGXDYNAMIC_ECHO='y'
    NGXDYNAMIC_SRCCACHE='y'
    NGXDYNAMIC_MEMC='y'
    NGXDYNAMIC_REDISTWO='y'
    NGXDYNAMIC_NGXPAGESPEED='n'
    NGXDYNAMIC_BROTLI='y'
    PHPMSSQL='y'
    PHP_PGO='y'
    PHP_PGO_CENTOSSIX='y'
    NGINX_DEVTOOLSETGCC='y'
    GENERAL_DEVTOOLSETGCC='y'
    CLANG='n'
    LIBRESSL_SWITCH='n'
    NGX_GSPLITDWARF='y'
    PHP_GSPLITDWARF='y'
    NGX_LDGOLD='y'
    SECOND_IP=178.32.98.216
    ENABLE_MARIADBTENTWOUPGRADE='y'
    ENABLE_MARIADBTENTHREEUPGRADE='y'
    LETSENCRYPT_DETECT='y'
    DUALCERTS='y'
    PHP_ARGON='y'
    Thank you.
     
  10. eva2000

    Yes.

    Comment out the 2x ssl_trusted_certificate directives as shown below, with a hash # in front:
    Code (Text):
      ssl_dhparam /usr/local/nginx/conf/ssl/mywebsite.com/dhparam.pem;
      ssl_certificate      /usr/local/nginx/conf/ssl/mywebsite.com/mywebsite.com-acme.cer;
      ssl_certificate_key  /usr/local/nginx/conf/ssl/mywebsite.com/mywebsite.com-acme.key;
    
      ssl_certificate      /usr/local/nginx/conf/ssl/mywebsite.com/mywebsite.com-acme-ecc.cer;
      ssl_certificate_key  /usr/local/nginx/conf/ssl/mywebsite.com/mywebsite.com-acme-ecc.key;
    
      #ssl_trusted_certificate /usr/local/nginx/conf/ssl/mywebsite.com/mywebsite.com-acme.cer;
      #ssl_trusted_certificate /usr/local/nginx/conf/ssl/mywebsite.com/mywebsite.com-acme-ecc.cer;
      ssl_trusted_certificate /usr/local/nginx/conf/ssl/mywebsite.com/mywebsite.com-dualcert-rsa-ecc.cer;
    
     
  11. xenbiarritz

    I have made the change but still
    TLS 1.3 No
    in the test.
     
  12. eva2000

    Do you have other HTTPS-enabled sites on the server? You might need to change the SSL cipher config for each of their domain.com.ssl.conf vhost config files.

    Also post the contents of your /usr/local/nginx/conf/conf.d/domain.com.ssl.conf in CODE bbcode tags.
     
  13. xenbiarritz

    Only 1 site on my server.

    Here is ssl.conf:
    Code:
    # Centmin Mod Getting Started Guide
    # must read http://centminmod.com/getstarted.html
    # For SPDY SSL Setup
    # read http://centminmod.com/nginx_configure_https_ssl_spdy.html
    
    # redirect from www to non-www  forced SSL
    # uncomment, save file and restart Nginx to enable
    # if unsure use return 302 before using return 301
    # server {
    #       listen   80;
    #       server_name mywebsite.com www.mywebsite.com;
    #       return 302 https://$server_name$request_uri;
    # }
    
    server {
      listen 443 ssl http2;
      server_name mywebsite.com www.mywebsite.com;
        ##  redirect https www to https non-www
          if ($host = 'mywebsite.com' ) {
             return 301 https://www.mywebsite.com$request_uri;
          }
      include /usr/local/nginx/conf/ssl/mywebsite.com/mywebsite.com.crt.key.conf;
      include /usr/local/nginx/conf/ssl_include.conf;
    
      http2_max_field_size 16k;
      http2_max_header_size 32k;
      # mozilla recommended
      ssl_ciphers TLS13-AES-128-GCM-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS;
      ssl_prefer_server_ciphers   on;
      #add_header Alternate-Protocol  443:npn-spdy/3;
    
      # before enabling HSTS line below read centminmod.com/nginx_domain_dns_setup.html#hsts
      add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
      #add_header X-Frame-Options SAMEORIGIN;
      #add_header X-Xss-Protection "1; mode=block" always;
      #add_header X-Content-Type-Options "nosniff" always;
      #spdy_headers_comp 5;
      ssl_buffer_size 1369;
      ssl_session_tickets on;
     
      # enable ocsp stapling
      resolver 8.8.8.8 8.8.4.4 valid=10m;
      resolver_timeout 10s;
      ssl_stapling on;
      ssl_stapling_verify on;
    
    # ngx_pagespeed & ngx_pagespeed handler
    #include /usr/local/nginx/conf/pagespeed.conf;
    #include /usr/local/nginx/conf/pagespeedhandler.conf;
    #include /usr/local/nginx/conf/pagespeedstatslog.conf;
    
      # limit_conn limit_per_ip 16;
      # ssi  on;
    
      access_log /home/nginx/domains/mywebsite.com/log/access.log main_ext buffer=256k flush=60m;
      error_log /home/nginx/domains/mywebsite.com/log/error.log;
    
      include /usr/local/nginx/conf/autoprotect/mywebsite.com/autoprotect-mywebsite.com.conf;
      root /home/nginx/domains/mywebsite.com/public;
      # uncomment cloudflare.conf include if using cloudflare for
      # server and/or vhost site
      #include /usr/local/nginx/conf/cloudflare.conf;
      include /usr/local/nginx/conf/503include-main.conf;
    
      # prevent access to ./directories and files
      #location ~ (?:^|/)\. {
      # deny all;
      #} 
    
      location / {
    
                index index.php index.html index.htm;
                try_files $uri $uri/ /index.php?$uri&$args;
      include /usr/local/nginx/conf/503include-only.conf;
    
    # block common exploits, sql injections etc
    #include /usr/local/nginx/conf/block.conf;
    
      # Enables directory listings when index file not found
      #autoindex  on;
    
      # Shows file listing times as local time
      #autoindex_localtime on;
    
      # Enable for vBulletin usage WITHOUT vbSEO installed
      # More example Nginx vhost configurations at
      # http://centminmod.com/nginx_configure.html
      #try_files    $uri $uri/ /index.php;
    
      }
    
    location ~ ^/forum/(.*) {
         return 301 https://www.mywebsite.com/;
    }
    location ~ ^/annuaire/(.*) {
         return 301 https://www.mywebsite.com/;
    }
    location ~ ^/hypnopedia/(.*) {
         return 301 https://www.mywebsite.com/;
    }
    location ~ ^/encyclopedie/(.*) {
         return 301 https://www.mywebsite.com/;
    }
    location = /pnl.html {
         return 301 https://www.mywebsite.com/;
    }
            location /internal_data/ {
            internal;
            allow 127.0.0.1;
            deny all;
            }
    
            location /library/ {
            internal;
            allow 127.0.0.1;
            deny all;
            }
      location ~ ^/(admin.php) {
         include /usr/local/nginx/conf/php.conf;
         auth_basic "Private";
         auth_basic_user_file /usr/local/nginx/conf/htpasswd_admin_php;
            }
                    location /install/ {
         include /usr/local/nginx/conf/php.conf;
                 auth_basic "Private";
                 auth_basic_user_file /usr/local/nginx/conf/htpasswd_admin_php;
                    
     
            }
            # xenforo 2 uncomment / remove hash from next 3 lines
            location /src/ {
            internal;
            }
    
    
      include /usr/local/nginx/conf/staticfiles.conf;
      include /usr/local/nginx/conf/php.conf;
      include /usr/local/nginx/conf/drop.conf;
      #include /usr/local/nginx/conf/errorpage.conf;
      include /usr/local/nginx/conf/vts_server.conf;
    }
    
    In /etc/centminmod/custom_config.inc
    I have this line, is it OK?
    Code:
    LIBRESSL_SWITCH='n'
    Thank you.
     
  14. eva2000

    Not seeing anything in the Nginx vhost that would prevent TLS 1.3 being supported. I probably need your real domain name to see (you can send it to me via private message), and/or check via other tools too, like TLS Checker - Instant Results and your web browser's dev tools > Security tab.
     
  15. eva2000

    Oh I see, --with-openssl-opt='enable-ec_nistp_64_gcc_128' didn't pass the TLS 1.3 flag, which should be --with-openssl-opt='enable-ec_nistp_64_gcc_128 enable-tls1_3', so I will need your nginx_upgrade.log details.

    To troubleshoot, you need to check the full Nginx upgrade log at /root/centminlogs and the instructions under the Sharing logs and errors heading for using Pastebin.com or Gists to share a sanitised version of the contents of the nginx_upgrade.log log. You can see full details at How to troubleshoot Centmin Mod initial install issues.

    Also, what's the output of
    Code (Text):
    nginx -t

    When you run centmin.sh menu option 4 there's a timestamped Nginx upgrade log at /root/centminlogs.

    If you type this command it lists all logs in date ascending order, so the latest log is at the bottom:
    Code (Text):
    ls -lArt /root/centminlogs

    So copy the entire contents of the latest nginx_upgrade log to gist.github.com or pastebin.com.

    You can use grep to filter the logs, i.e. look for nginx_upgrade in the log name:
    Code (Text):
    ls -lahrt /root/centminlogs/ | grep nginx_upgrade
    -rw-r--r--  1 root root 3.2M Oct 11 15:55 centminmod_1.2.3-eva2000.09.001_111016-155345_nginx_upgrade.log
    -rw-r--r--  1 root root 672K Oct 11 22:06 centminmod_1.2.3-eva2000.09.001_111016-220515_nginx_upgrade.log

    So the last Nginx upgrade log was named centminmod_1.2.3-eva2000.09.001_111016-220515_nginx_upgrade.log and located at /root/centminlogs/centminmod_1.2.3-eva2000.09.001_111016-220515_nginx_upgrade.log.

    Then use the cat command to output the contents of that log.

    Clear your SSH window buffer/screen and type
    Code (Text):
    cat /root/centminlogs/centminmod_1.2.3-eva2000.09.001_111016-220515_nginx_upgrade.log

    Then select, copy and paste the output to a pastebin.com or gist.github.com file to share. If your SSH client's scroll buffer isn't large enough, using cat might not output the entire log file contents, so you may need to download the log and use a local text editor to open it and copy and paste.

    So I only need the content of one specific log, in this case the most recent nginx_upgrade.log log.
     
  16. xenbiarritz

    I sent you a PM.
     
  17. eva2000

    1. Your SSL Labs test shows no ChaCha20 SSL ciphers supported, which doesn't match the ssl_ciphers options you set, so it could be you still have one or more Nginx vhosts with non-TLS 1.3 ssl_ciphers set. You can check via a grep recursive search for the ssl_ciphers keyword, which will report back matches with the file name and the line number for each match. Make sure all ssl_ciphers are using the revised TLS 1.3 set:
    Code (Text):
    grep -rin 'ssl_ciphers' /usr/local/nginx/conf/conf.d


    2. It may be related to the ORESTY_LUANGINX=y setting in the persistent config file. Looking at your nginx_upgrade.log, it's in the Nginx routine, not the OpenSSL routine, that TLS 1.3 gets disabled, and IIRC that was because in the past the Nginx Lua module did not support OpenSSL 1.1.1 and hence did not support TLS 1.3. Since the Lua Nginx module now supports OpenSSL 1.1.1 and thus TLS 1.3, I can update that part of the routine for when ORESTY_LUANGINX=y is set.

    You can confirm this by setting ORESTY_LUANGINX=n and recompiling Nginx via centmin.sh menu option 4 to see if TLS 1.3 shows up.
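
    An added example that ties the checks in this thread together. It is not Centmin Mod's own tooling, and the nginx -V excerpts and config files inside it are constructed to mirror posts 5, 9 and 10, not taken from a real server. Run with no arguments it stays offline and does three things: reads an nginx -V dump and reports whether the build can negotiate TLS 1.3 at all (OpenSSL 1.1.1 or newer, and no no-tls1_3 inside --with-openssl-opt), counts the active ssl_trusted_certificate directives in a crt.key.conf so the duplicate-directive error from post 9 shows up before ngxrestart does, and lists the vhosts under a conf.d directory whose ssl_protocols line still lacks TLSv1.3. Given a hostname as its only argument it also runs the live check with openssl s_client: a forced TLS 1.3 handshake, then two TLS 1.2 handshakes restricted to an ECDHE-ECDSA and an ECDHE-RSA cipher, which makes the server present its ECDSA and then its RSA leaf. Two caveats worth knowing while reading the thread: the OpenSSL 1.1.1 release builds TLS 1.3 in unless it is configured with no-tls1_3, and with OpenSSL 1.1.1 nginx's ssl_ciphers only governs TLS 1.2 and below, so the TLS13-* names in the cipher string above neither enable nor disable TLS 1.3.

```shell
#!/bin/sh
# Added example; not Centmin Mod's own tooling. Offline checks for the three
# things this thread debugged, plus an optional live check when a hostname is
# given. Every nginx -V excerpt and config file below is constructed to mirror
# the thread; none is copied from a real server.

# Can this build negotiate TLS 1.3? Needs OpenSSL 1.1.1 or newer and no
# 'no-tls1_3' inside --with-openssl-opt (the 1.1.1 release builds TLS 1.3 in
# unless told not to). $1 is the full text of `nginx -V`.
tls13_build_ok() {
  nginx_v=$1
  ver=$(printf '%s\n' "$nginx_v" |
    sed -n 's/^built with OpenSSL \([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2 \3/p')
  [ -n "$ver" ] || { echo "no 'built with OpenSSL' line found"; return 1; }
  set -- $ver
  if [ $(($1 * 10000 + $2 * 100 + $3)) -lt 10101 ]; then
    echo "OpenSSL $1.$2.$3 predates 1.1.1: no TLS 1.3"; return 1
  fi
  if printf '%s\n' "$nginx_v" | grep -q -- "--with-openssl-opt='[^']*no-tls1_3"; then
    echo "OpenSSL was configured with no-tls1_3"; return 1
  fi
  echo "build supports TLS 1.3 (OpenSSL $1.$2.$3)"
}

# Count active (uncommented) occurrences of directive $2 in file $1. nginx
# accepts one ssl_trusted_certificate per server block, so a count above 1 is
# the "duplicate ssl_trusted_certificate" error from post 9, caught before
# ngxrestart trips over it.
active_directive_count() {
  grep -c "^[[:space:]]*$2[[:space:]]" "$1" || true
}

# List files under conf dir $1 whose active ssl_protocols line omits TLSv1.3
# (the recursive grep from post 17, with the TLSv1.3 test added).
files_missing_tls13() {
  grep -rl "^[[:space:]]*ssl_protocols[[:space:]]" "$1" | while read -r f; do
    if grep "^[[:space:]]*ssl_protocols[[:space:]]" "$f" | grep -qv 'TLSv1\.3'; then
      echo "$f"
    fi
  done
}

# Live check (network; only runs when a hostname is passed). The two TLS 1.2
# handshakes pin the cipher to an ECDSA-only and an RSA-only suite, so the key
# size printed says which leaf was served: 256 bit is the ECDSA cert, 2048 bit
# the RSA one. Both must answer for the dual-cert setup to be in effect.
live_check() {
  host=$1
  proto=$(echo | openssl s_client -connect "$host:443" -servername "$host" -tls1_3 2>/dev/null |
    sed -n 's/^ *Protocol *: *//p')
  echo "TLS 1.3: ${proto:-not negotiated}"
  for c in ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-GCM-SHA256; do
    key=$(echo | openssl s_client -connect "$host:443" -servername "$host" -tls1_2 -cipher "$c" 2>/dev/null |
      sed -n 's/^Server public key is //p')
    echo "$c: ${key:-handshake failed}"
  done
}

TMP=$(mktemp -d); trap 'rm -rf "$TMP"' EXIT

# Constructed nginx -V excerpts: one modelled on post 5 (OpenSSL 1.1.1b), one
# on an older OpenSSL 1.0.2 build that cannot do TLS 1.3.
NGINX_V_111=$(cat <<'EOF'
nginx version: nginx/1.15.12 (240419-135718-centos7-kvm)
built with OpenSSL 1.1.1b  26 Feb 2019
configure arguments: --with-http_ssl_module --with-openssl=../openssl-1.1.1b --with-openssl-opt='enable-ec_nistp_64_gcc_128'
EOF
)
NGINX_V_102=$(cat <<'EOF'
nginx version: nginx/1.14.2
built with OpenSSL 1.0.2k-fips  26 Jan 2017
configure arguments: --with-http_ssl_module
EOF
)

# Constructed crt.key.conf with the three ssl_trusted_certificate lines from
# post 9, then the fix from post 10: comment out the two single-type bundles
# and keep only the combined RSA+ECC one.
mkdir -p "$TMP/conf.d"
cat >"$TMP/broken.crt.key.conf" <<'EOF'
  ssl_certificate      /usr/local/nginx/conf/ssl/example.com/example.com-acme.cer;
  ssl_certificate_key  /usr/local/nginx/conf/ssl/example.com/example.com-acme.key;
  ssl_certificate      /usr/local/nginx/conf/ssl/example.com/example.com-acme-ecc.cer;
  ssl_certificate_key  /usr/local/nginx/conf/ssl/example.com/example.com-acme-ecc.key;
  ssl_trusted_certificate /usr/local/nginx/conf/ssl/example.com/example.com-acme.cer;
  ssl_trusted_certificate /usr/local/nginx/conf/ssl/example.com/example.com-acme-ecc.cer;
  ssl_trusted_certificate /usr/local/nginx/conf/ssl/example.com/example.com-dualcert-rsa-ecc.cer;
EOF
sed '/ssl_trusted_certificate .*-acme\(-ecc\)\{0,1\}\.cer;/s/^ *ssl_trusted/  #ssl_trusted/' \
  "$TMP/broken.crt.key.conf" >"$TMP/fixed.crt.key.conf"

# Constructed vhosts: one still on the pre-TLS 1.3 ssl_protocols line, one updated.
printf 'server {\n  ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;\n}\n' >"$TMP/conf.d/old.ssl.conf"
printf 'server {\n  ssl_protocols  TLSv1.2 TLSv1.3;\n}\n' >"$TMP/conf.d/new.ssl.conf"

echo "== build"; tls13_build_ok "$NGINX_V_111"; tls13_build_ok "$NGINX_V_102" || true
echo "== active ssl_trusted_certificate directives"
echo "broken: $(active_directive_count "$TMP/broken.crt.key.conf" ssl_trusted_certificate)"
echo "fixed:  $(active_directive_count "$TMP/fixed.crt.key.conf" ssl_trusted_certificate)"
echo "== vhosts whose ssl_protocols omit TLSv1.3"; files_missing_tls13 "$TMP/conf.d"
if [ $# -eq 1 ]; then live_check "$1"; fi
```

    Run it as is for the offline checks; pass a hostname (sh tls13-check.sh example.com, file name hypothetical) to add the live handshakes. If the build check passes but the TLS 1.3 line says "not negotiated", what remains are the suspects eva2000 lists: a vhost still carrying the old ssl_protocols line, or the build routine itself, which is what cmupdate and a recompile fixed in this thread.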
     
  18. eva2000

    I have updated 123.09beta01 with a fix for this now, so run the cmupdate command and try recompiling Nginx via centmin.sh menu option 4.
     
  19. xenbiarritz

    Hi @eva2000
    grep -rin 'ssl_ciphers' /usr/local/nginx/conf/conf.d gives me 2 files:
    ssl.conf (everything is # so I did not edit it)
    phpmyadmin_ssl.conf (I changed the ssl_ciphers line and ssl_protocols with 1.3)
    It does not help.

    Then I just ran cmupdate and recompiled Nginx, and YESSSSSS it works!
    You are amazing like usual.

    Thank you so much.
     
  20. eva2000

    Glad to hear. Another bug ironed out; 123.09beta01 is improving every day :D
     