Letsencrypt SSl upgrade

xenbiarritz · May 1, 2019

hi

i would like to know
how to upgrade ssl on centminmod
i upgrade xf1.5 to xf2.1

how can i do this as an upgrade for ssl?
Code:
# enable letsencrypt ssl certificate + dual RSA+ECDSA ssl certs https://centminmod.com/acmetool/
echo "LETSENCRYPT_DETECT='y'" >> /etc/centminmod/custom_config.inc
echo "DUALCERTS='y'" >> /etc/centminmod/custom_config.inc

eva2000 · May 1, 2019

If your XF 1.5 install had Letsencrypt SSL certificate, then your in place upgrade to XF 2.1 on same server with same domain name, would also have the same Letsencrypt SSL certificate so nothing to upgrade. Or do you mean you want to go from single RSA 2048bit Letsencrypt SSL certificate to using dual RSA 2048bit + ECDSA 256bit SSL certificates for your domain as outlined at https://community.centminmod.com/th...-dual-ecdsa-rsa-ssl-certificate-support.7449/ ?

If you want to use dual RSA 2048bit + ECDSA 256bit SSL certificates, ensure your persistent config file /etc/centminmod/custom_config.inc has these 2 set
Code (Text):
LETSENCRYPT_DETECT='y'
DUALCERTS='y'
DUALCERTS='y' setting will create dual RSA + ECDSA ssl certs for any centmin.sh menu option 2, 22 or nv command ran new Nginx site creation in future.

But for existing Nginx vhosts created before hand you'd need one extra step. Then provided your domain is already using Centmin Mod generated Nginx HTTPS/SSL vhost and you have the nginx vhost in format /usr/local/nginx/conf/conf.d/domain.com.ssl.conf, you should be able to use acmetool.sh reissue-only option to reissue Letsencrypt SSL certs in both RSA 2048bit + ECDSA 256bit SSL certificate types.
Add new reissue-only option for existing nginx HTTPS SSL vhosts with domain.com.ssl.conf vhost config files that exist. This only does reissue of letsencrypt SSL cert without touching the nginx vhost. Ideal for use when you tried creating a Nginx HTTPS SSL default vhost site but letsencrypt SSL issuance failed the first time. When it fails, Centmin Mod usually falls back to self-signed SSL as a place holder for the domain.com.ssl.conf vhost config. When you run:
Code (Text):
cd /usr/local/src/centminmod/addons
./acmetool.sh reissue-only domain.com live
It will only try reissuing the letsencrypt SSL certificate for the domain = domain.com for live production SSL certificate without touching any of the existing nginx vhost at domain.com.ssl.conf
Click to expand...
Then test domain using SSLlabs tester to verify that your have both RSA 2048bit + ECDSA 256bit Letsencrypt SSL certificates SSL Server Test (Powered by Qualys SSL Labs)

xenbiarritz · May 1, 2019

i have made the change and when i test on SSLlabs it return
that i have 2 certficats, is it normal?

Certificate #1: EC 256 bits (SHA256withRSA)
Certificate #2: RSA 2048 bits (SHA256withRSA)

it is also return

TLS 1.3 No
TLS 1.2 Yes
TLS 1.1 Yes
TLS 1.0 Yes
SSL 3 No
SSL 2 No
For TLS 1.3 tests, we only support RFC 8446

eva2000 · May 1, 2019

xenbiarritz said: ↑

that i have 2 certficats, is it normal?
Click to expand...

yup that is what dual RSA + ECDSA ssl cert is - serving the ssl cert type conditionally supported by web browser and clients.

xenbiarritz said: ↑

TLS 1.3 No
TLS 1.2 Yes
TLS 1.1 Yes
TLS 1.0 Yes
SSL 3 No
SSL 2 No
For TLS 1.3 tests, we only support RFC 8446
Click to expand...

123.09beta01 now has TLS 1.3 support see https://community.centminmod.com/threads/centmin-mod-nginx-http-2-https-tls-1-3-support.15537/. Recommended to use Nginx with OpenSSL 1.1.1+ https://community.centminmod.com/threads/openssl-1-1-1-released-with-tls-1-3-support.15592/

also are you using cloudflare ? if so ssllab test is against cloudflare's servers and not centmin mod nginx

what's output for
Code (Text):
nginx -V

xenbiarritz · May 1, 2019

i don't use cloudflare anymore

here is nginx -V

Code:

nginx version: nginx/1.15.12 (240419-135718-centos7-kvm)
built by gcc 8.2.1 20180905 (Red Hat 8.2.1-3) (GCC)
built with OpenSSL 1.1.1b  26 Feb 2019
TLS SNI support enabled
configure arguments: --with-ld-opt='-Wl,-E -L/usr/local/zlib-cf/lib -L/usr/local/lib -ljemalloc -lpcre -Wl,-z,relro -Wl,-rpath,/usr/local/zlib-cf/lib:/usr/local/lib' --with-cc-opt='-I/usr/local/zlib-cf/include -I/usr/local/include -m64 -march=native -DTCP_FASTOPEN=23 -g -O3 -fstack-protector-strong -flto -fuse-ld=gold --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wimplicit-fallthrough=0 -fcode-hoisting -Wp,-D_FORTIFY_SOURCE=2 -Wno-deprecated-declarations -gsplit-dwarf' --sbin-path=/usr/local/sbin/nginx --conf-path=/usr/local/nginx/conf/nginx.conf --build=240419-135718-centos7-kvm --with-compat --with-http_stub_status_module --with-http_secure_link_module --with-libatomic --with-http_gzip_static_module --add-dynamic-module=../ngx_brotli --with-http_sub_module --with-http_addition_module --with-http_image_filter_module=dynamic --with-http_geoip_module=dynamic --with-stream_geoip_module --with-stream_realip_module --with-stream_ssl_preread_module --with-threads --with-stream --with-stream_ssl_module --with-http_realip_module --add-dynamic-module=../ngx-fancyindex-0.4.2 --add-module=../ngx_cache_purge-2.5 --add-dynamic-module=../ngx_devel_kit-0.3.0 --add-dynamic-module=../set-misc-nginx-module-0.32 --add-dynamic-module=../echo-nginx-module-0.61 --add-dynamic-module=../redis2-nginx-module-0.15 --add-module=../ngx_http_redis-0.3.7 --add-dynamic-module=../lua-nginx-module-0.10.14 --add-module=../stream-lua-nginx-module-0.0.6 --add-dynamic-module=../memc-nginx-module-0.18 --add-dynamic-module=../srcache-nginx-module-0.31 --add-dynamic-module=../headers-more-nginx-module-0.33 --with-pcre-jit --with-zlib=../zlib-cloudflare-1.3.0 --with-http_ssl_module --with-http_v2_module --with-openssl=../openssl-1.1.1b --with-openssl-opt='enable-ec_nistp_64_gcc_128'

eva2000 · May 1, 2019

check /usr/local/nginx/conf/ssl_include.conf if it lists TLSv1.3 as ssl_protocols
Code (Text):
ssl_protocols  TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
then restart nginx

xenbiarritz · May 1, 2019

no i don't have TLSv1.3 in /usr/local/nginx/conf/ssl_include.conf
so i add it and do ngxrestart

i also have a file named ssl-include.conf with
Code:
  ssl_session_cache      shared:SSL:10m;
  ssl_session_timeout    60m;
  ssl_protocols  TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
but still no 1.3 in the test

eva2000 · May 1, 2019

what's contents of /etc/centminmod/custom_config.inc just seeing if anything is disabling TLS 1.3

but also check your SSL ciphers in nginx vhost as per https://community.centminmod.com/th...-with-tls-1-3-support.15592/page-2#post-67293 change to

Code (Text):

ssl_ciphers TLS13-AES-128-GCM-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS;

xenbiarritz · May 2, 2019

i want to be sure i do it correctly tell me if i am wrong

i change the ssl_ciphers in conf.d/mywebsite.ssl.conf is that correct?

after this i run ngxrestart and it return an error "duplicate ssl_trusted_certificate" on /usr/local/nginx/conf/ssl/mywebsite.com/mywebsite.com.crt.key.conf

i don't know wich one to remove

Code:

  ssl_dhparam /usr/local/nginx/conf/ssl/mywebsite.com/dhparam.pem;
  ssl_certificate      /usr/local/nginx/conf/ssl/mywebsite.com/mywebsite.com-acme.cer;
  ssl_certificate_key  /usr/local/nginx/conf/ssl/mywebsite.com/mywebsite.com-acme.key;

  ssl_certificate      /usr/local/nginx/conf/ssl/mywebsite.com/mywebsite.com-acme-ecc.cer;
  ssl_certificate_key  /usr/local/nginx/conf/ssl/mywebsite.com/mywebsite.com-acme-ecc.key;
 
  ssl_trusted_certificate /usr/local/nginx/conf/ssl/mywebsite.com/mywebsite.com-acme.cer;
  ssl_trusted_certificate /usr/local/nginx/conf/ssl/mywebsite.com/mywebsite.com-acme-ecc.cer;
  ssl_trusted_certificate /usr/local/nginx/conf/ssl/mywebsite.com/mywebsite.com-dualcert-rsa-ecc.cer;

and here is my /etc/centminmod/custom_config.inc

Code:

NGINX_PAGESPEED=n
NGINX_ZLIBCUSTOM='y'
ORESTY_LUANGINX=y
NGINX_XSLT='n'
NGINX_LIBBROTLI='y'
NGXDYNAMIC_XSLT='n'
NGXDYNAMIC_IMAGEFILTER='y'
NGXDYNAMIC_GEOIP='y'
NGXDYNAMIC_STREAM='y'
NGXDYNAMIC_HEADERSMORE='y'
NGXDYNAMIC_SETMISC='y'
NGXDYNAMIC_ECHO='y'
NGXDYNAMIC_SRCCACHE='y'
NGXDYNAMIC_MEMC='y'
NGXDYNAMIC_REDISTWO='y'
NGXDYNAMIC_NGXPAGESPEED='n'
NGXDYNAMIC_BROTLI='y'
PHPMSSQL='y'
PHP_PGO='y'
PHP_PGO_CENTOSSIX='y'
NGINX_DEVTOOLSETGCC='y'
GENERAL_DEVTOOLSETGCC='y'
CLANG='n'
LIBRESSL_SWITCH='n'
NGX_GSPLITDWARF='y'
PHP_GSPLITDWARF='y'
NGX_LDGOLD='y'
SECOND_IP=178.32.98.216
ENABLE_MARIADBTENTWOUPGRADE='y'
ENABLE_MARIADBTENTHREEUPGRADE='y'
LETSENCRYPT_DETECT='y'
DUALCERTS='y'
PHP_ARGON='y'

thank you

eva2000 · May 2, 2019

xenbiarritz said: ↑

i change the ssl_ciphers in conf.d/mywebsite.ssl.conf is that correct?
Click to expand...

yes

xenbiarritz said: ↑

after this i run ngxrestart and it return an error "duplicate ssl_trusted_certificate" on /usr/local/nginx/conf/ssl/mywebsite.com/mywebsite.com.crt.key.conf

i don't know wich one to remove
Click to expand...

comment out the 2x ssl_trusted_certificate directives as shown below with hash # in front
Code (Text):
  ssl_dhparam /usr/local/nginx/conf/ssl/mywebsite.com/dhparam.pem;
  ssl_certificate      /usr/local/nginx/conf/ssl/mywebsite.com/mywebsite.com-acme.cer;
  ssl_certificate_key  /usr/local/nginx/conf/ssl/mywebsite.com/mywebsite.com-acme.key;

  ssl_certificate      /usr/local/nginx/conf/ssl/mywebsite.com/mywebsite.com-acme-ecc.cer;
  ssl_certificate_key  /usr/local/nginx/conf/ssl/mywebsite.com/mywebsite.com-acme-ecc.key;

  #ssl_trusted_certificate /usr/local/nginx/conf/ssl/mywebsite.com/mywebsite.com-acme.cer;
  #ssl_trusted_certificate /usr/local/nginx/conf/ssl/mywebsite.com/mywebsite.com-acme-ecc.cer;
  ssl_trusted_certificate /usr/local/nginx/conf/ssl/mywebsite.com/mywebsite.com-dualcert-rsa-ecc.cer;

xenbiarritz · May 2, 2019

i have made the change but still
TLS 1.3 No
in the test

eva2000 · May 2, 2019

do you have other https enabled sites on server ? you might need to change ssl cipher config for each of their domain.com.ssl.conf vhost config files

also post contents of your /usr/local/nginx/conf/conf.d/domain.com.ssl.conf in CODE bbcode tags

xenbiarritz · May 2, 2019

only 1 site on my server

here is ssl.conf

Code:

# Centmin Mod Getting Started Guide
# must read http://centminmod.com/getstarted.html
# For SPDY SSL Setup
# read http://centminmod.com/nginx_configure_https_ssl_spdy.html

# redirect from www to non-www  forced SSL
# uncomment, save file and restart Nginx to enable
# if unsure use return 302 before using return 301
# server {
#       listen   80;
#       server_name mywebsite.com www.mywebsite.com;
#       return 302 https://$server_name$request_uri;
# }

server {
  listen 443 ssl http2;
  server_name mywebsite.com www.mywebsite.com;
    ##  redirect https www to https non-www
      if ($host = 'mywebsite.com' ) {
         return 301 https://www.mywebsite.com$request_uri;
      }
  include /usr/local/nginx/conf/ssl/mywebsite.com/mywebsite.com.crt.key.conf;
  include /usr/local/nginx/conf/ssl_include.conf;

  http2_max_field_size 16k;
  http2_max_header_size 32k;
  # mozilla recommended
  ssl_ciphers TLS13-AES-128-GCM-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS;
  ssl_prefer_server_ciphers   on;
  #add_header Alternate-Protocol  443:npn-spdy/3;

  # before enabling HSTS line below read centminmod.com/nginx_domain_dns_setup.html#hsts
  add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
  #add_header X-Frame-Options SAMEORIGIN;
  #add_header X-Xss-Protection "1; mode=block" always;
  #add_header X-Content-Type-Options "nosniff" always;
  #spdy_headers_comp 5;
  ssl_buffer_size 1369;
  ssl_session_tickets on;
 
  # enable ocsp stapling
  resolver 8.8.8.8 8.8.4.4 valid=10m;
  resolver_timeout 10s;
  ssl_stapling on;
  ssl_stapling_verify on;

# ngx_pagespeed & ngx_pagespeed handler
#include /usr/local/nginx/conf/pagespeed.conf;
#include /usr/local/nginx/conf/pagespeedhandler.conf;
#include /usr/local/nginx/conf/pagespeedstatslog.conf;

  # limit_conn limit_per_ip 16;
  # ssi  on;

  access_log /home/nginx/domains/mywebsite.com/log/access.log main_ext buffer=256k flush=60m;
  error_log /home/nginx/domains/mywebsite.com/log/error.log;

  include /usr/local/nginx/conf/autoprotect/mywebsite.com/autoprotect-mywebsite.com.conf;
  root /home/nginx/domains/mywebsite.com/public;
  # uncomment cloudflare.conf include if using cloudflare for
  # server and/or vhost site
  #include /usr/local/nginx/conf/cloudflare.conf;
  include /usr/local/nginx/conf/503include-main.conf;

  # prevent access to ./directories and files
  #location ~ (?:^|/)\. {
  # deny all;
  #} 

  location / {

            index index.php index.html index.htm;
            try_files $uri $uri/ /index.php?$uri&$args;
  include /usr/local/nginx/conf/503include-only.conf;

# block common exploits, sql injections etc
#include /usr/local/nginx/conf/block.conf;

  # Enables directory listings when index file not found
  #autoindex  on;

  # Shows file listing times as local time
  #autoindex_localtime on;

  # Enable for vBulletin usage WITHOUT vbSEO installed
  # More example Nginx vhost configurations at
  # http://centminmod.com/nginx_configure.html
  #try_files    $uri $uri/ /index.php;

  }

location ~ ^/forum/(.*) {
     return 301 https://www.mywebsite.com/;
}
location ~ ^/annuaire/(.*) {
     return 301 https://www.mywebsite.com/;
}
location ~ ^/hypnopedia/(.*) {
     return 301 https://www.mywebsite.com/;
}
location ~ ^/encyclopedie/(.*) {
     return 301 https://www.mywebsite.com/;
}
location = /pnl.html {
     return 301 https://www.mywebsite.com/;
}
        location /internal_data/ {
        internal;
        allow 127.0.0.1;
        deny all;
        }

        location /library/ {
        internal;
        allow 127.0.0.1;
        deny all;
        }
  location ~ ^/(admin.php) {
     include /usr/local/nginx/conf/php.conf;
     auth_basic "Private";
     auth_basic_user_file /usr/local/nginx/conf/htpasswd_admin_php;
        }
                location /install/ {
     include /usr/local/nginx/conf/php.conf;
             auth_basic "Private";
             auth_basic_user_file /usr/local/nginx/conf/htpasswd_admin_php;
                
 
        }
        # xenforo 2 uncomment / remove hash from next 3 lines
        location /src/ {
        internal;
        }


  include /usr/local/nginx/conf/staticfiles.conf;
  include /usr/local/nginx/conf/php.conf;
  include /usr/local/nginx/conf/drop.conf;
  #include /usr/local/nginx/conf/errorpage.conf;
  include /usr/local/nginx/conf/vts_server.conf;
}

in /etc/centminmod/custom_config.inc
i have this line is it ok

Code:

LIBRESSL_SWITCH='n'

thank you

eva2000 · May 2, 2019

not seeing anything in nginx vhost that would prevent TLS 1.3 being supported. Probably need your real domain name to see (you can send it to me via private message) and/or check via other tools too TLS Checker - Instant Results and your web browser's dev tool > security tab

eva2000 · May 2, 2019

xenbiarritz said: ↑

i don't use cloudflare anymore

here is nginx -V

nginx version: nginx/1.15.12 (240419-135718-centos7-kvm)
built by gcc 8.2.1 20180905 (Red Hat 8.2.1-3) (GCC)
built with OpenSSL 1.1.1b 26 Feb 2019
TLS SNI support enabled
configure arguments: --with-ld-opt='-Wl,-E -L/usr/local/zlib-cf/lib -L/usr/local/lib -ljemalloc -lpcre -Wl,-z,relro -Wl,-rpath,/usr/local/zlib-cf/lib:/usr/local/lib' --with-cc-opt='-I/usr/local/zlib-cf/include -I/usr/local/include -m64 -march=native -DTCP_FASTOPEN=23 -g -O3 -fstack-protector-strong -flto -fuse-ld=gold --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wimplicit-fallthrough=0 -fcode-hoisting -Wp,-D_FORTIFY_SOURCE=2 -Wno-deprecated-declarations -gsplit-dwarf' --sbin-path=/usr/local/sbin/nginx --conf-path=/usr/local/nginx/conf/nginx.conf --build=240419-135718-centos7-kvm --with-compat --with-http_stub_status_module --with-http_secure_link_module --with-libatomic --with-http_gzip_static_module --add-dynamic-module=../ngx_brotli --with-http_sub_module --with-http_addition_module --with-http_image_filter_module=dynamic --with-http_geoip_module=dynamic --with-stream_geoip_module --with-stream_realip_module --with-stream_ssl_preread_module --with-threads --with-stream --with-stream_ssl_module --with-http_realip_module --add-dynamic-module=../ngx-fancyindex-0.4.2 --add-module=../ngx_cache_purge-2.5 --add-dynamic-module=../ngx_devel_kit-0.3.0 --add-dynamic-module=../set-misc-nginx-module-0.32 --add-dynamic-module=../echo-nginx-module-0.61 --add-dynamic-module=../redis2-nginx-module-0.15 --add-module=../ngx_http_redis-0.3.7 --add-dynamic-module=../lua-nginx-module-0.10.14 --add-module=../stream-lua-nginx-module-0.0.6 --add-dynamic-module=../memc-nginx-module-0.18 --add-dynamic-module=../srcache-nginx-module-0.31 --add-dynamic-module=../headers-more-nginx-module-0.33 --with-pcre-jit --with-zlib=../zlib-cloudflare-1.3.0 --with-http_ssl_module --with-http_v2_module --with-openssl=../openssl-1.1.1b --with-openssl-opt='enable-ec_nistp_64_gcc_128'
Click to expand...

Click to expand...

oh i see --with-openssl-opt='enable-ec_nistp_64_gcc_128' didn't pass the TLS 1.3 flag which should be --with-openssl-opt='enable-ec_nistp_64_gcc_128 enable-tls1_3' so will need your nginx_upgrade.log details

To troubleshoot, you need to check the full nginx upgrade log at /root/centminlogs and instructions under Sharing logs and errors heading for using Pastebin.com or Gists to share a sanitised version of the contents of the nginx_upgrade.log log. You can see full details at How to troubleshoot Centmin Mod initial install issues

also what's output of
Code (Text):
nginx -t
when you run centmin.sh menu option 4 there's a nginx upgrade log timestamped at /root/centminlogs

if you type this command it lists all logs in date ascending order so latest log at bottom
Code (Text):
ls -lArt /root/centminlogs
so copy the entire contents of latest nginx_upgrade log to gist.github.com or pastebin.com

you can use grep to filter the logs, i.e. look for nginx_upgrade in log name
Code (Text):
ls -lahrt /root/centminlogs/ | grep nginx_upgrade
-rw-r--r--  1 root root 3.2M Oct 11 15:55 centminmod_1.2.3-eva2000.09.001_111016-155345_nginx_upgrade.log
-rw-r--r--  1 root root 672K Oct 11 22:06 centminmod_1.2.3-eva2000.09.001_111016-220515_nginx_upgrade.log
So the last nginx upgrade log was named centminmod_1.2.3-eva2000.09.001_111016-220515_nginx_upgrade.log and located at /root/centminlogs/centminmod_1.2.3-eva2000.09.001_111016-220515_nginx_upgrade.log

then use cat command to output the contents of that log

clear your ssh window buffer/screen and type
Code (Text):
cat /root/centminlogs/centminmod_1.2.3-eva2000.09.001_111016-220515_nginx_upgrade.log
then select and copy and paste output to pastebin.com or gist.github.com file to share. If your SSH client's scroll buffer isn't large enough using cat might not output the entire log file contents, so you may need to download the log and use local text editor to open and copy and paste.

so only need content of one specific log, in this case most recent nginx_upgrade.log log

xenbiarritz · May 3, 2019

i send you a PM

eva2000 · May 3, 2019

xenbiarritz said: ↑

i send you a PM
Click to expand...

1. you ssllab test shows no chacha20 ssl ciphers supported which doesn't match with your ssl_ciphers options set, so it could be you still have one nginx vhost or more with non-TLS 1.3 ssl_ciphers set. You can check via grep recursive search for ssl_ciphers keyword which will report back matches with the file name and the line number for that match. Make sure all ssl_ciphers are using the revised TLS 1.3 set
Code (Text):
grep -rin 'ssl_ciphers' /usr/local/nginx/conf/conf.d
2. it maybe related to setting in persistent config file ORESTY_LUANGINX=y looking at your nginx_upgrade.log - it's in nginx routine not openssl routine that TLS 1.3 gets disabled and IIRC it was due to in past Nginx Lua module not supporting OpenSSL 1.1.1 and hence not supporting TLS 1.3. Since Lua Nginx module now supports OpenSSL 1.1.1 and thus TLS 1.3, I can update that part of the routine when ORESTY_LUANGINX=y is set.

You can confirm this by setting ORESTY_LUANGINX=n and recompile nginx via centmin.sh menu option 4 to see if TLS 1.3 shows up.

eva2000 · May 3, 2019

eva2000 said: ↑

it maybe related to setting in persistent config file ORESTY_LUANGINX=y looking at your nginx_upgrade.log - it's in nginx routine not openssl routine that TLS 1.3 gets disabled and IIRC it was due to in past Nginx Lua module not supporting OpenSSL 1.1.1 and hence not supporting TLS 1.3. Since Lua Nginx module now supports OpenSSL 1.1.1 and thus TLS 1.3, I can update that part of the routine when ORESTY_LUANGINX=y is set.
Click to expand...

I have updated 123.09beta01 with fix for this now, so run cmupdate command and try recompiling nginx via centmin.sh menu option 4

xenbiarritz · May 3, 2019

hi @eva2000
grep -rin 'ssl_ciphers' /usr/local/nginx/conf/conf.d give me 2 files
ssl.conf (everything is # so i did not edit it)
phpmyadmin_ssl.conf (i change ssl_ciphers line and ssl_protocols with 1.3)
it does not help

then i just run cmupdate and recompile nginx. and YESSSSSS it workes
you are amazing like usual

thank you so much

eva2000 · May 3, 2019

xenbiarritz said: ↑

then i just run cmupdate and recompile nginx. and YESSSSSS it workes
you are amazing like usual
Click to expand...

Glad to hear. Another bug ironed out - 123.09beta01 improving everyday

Log in / Register

Forums

Learn about Centmin Mod LEMP Stack today

Letsencrypt SSl upgrade

xenbiarritz Member

eva2000 Administrator Staff Member

xenbiarritz Member

eva2000 Administrator Staff Member

xenbiarritz Member

eva2000 Administrator Staff Member

xenbiarritz Member

eva2000 Administrator Staff Member

xenbiarritz Member

eva2000 Administrator Staff Member

xenbiarritz Member

eva2000 Administrator Staff Member

xenbiarritz Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

xenbiarritz Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

xenbiarritz Member

eva2000 Administrator Staff Member

.

Log in / Register

Useful Searches

Learn about Centmin Mod LEMP Stack today

Letsencrypt SSl upgrade

xenbiarritz Member

eva2000 Administrator Staff Member

xenbiarritz Member

eva2000 Administrator Staff Member

xenbiarritz Member

eva2000 Administrator Staff Member

xenbiarritz Member

eva2000 Administrator Staff Member

xenbiarritz Member

eva2000 Administrator Staff Member

xenbiarritz Member

eva2000 Administrator Staff Member

xenbiarritz Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

xenbiarritz Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

xenbiarritz Member

eva2000 Administrator Staff Member

.