Xenforo unfurling on own domain

tonmo · Apr 26, 2020

I'm having the same exact issue as described in this thread (unfurl does not work but only for my own site), but with a slightly different cURL error. The XF unfurl tool returns this result for any unfurl attempt from my own site:

Could not fetch metadata from URL with error: cURL error 60: Peer's Certificate issuer is not recognized. (see http://curl.haxx.se/libcurl/c/libcurl-errors.html)
Click to expand...

My hosts file is as follows:
Code:
127.0.0.1 localhost localhost.localdomain
127.0.0.1 localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain
::1 localhost6 localhost6.localdomain6
Also, I recently changed everything to resolve to DOMAIN.com (vs. www.DOMAIN.com). Here's the start of my ssl.conf:
Code:
# Centmin Mod Getting Started Guide
# must read http://centminmod.com/getstarted.html
# For HTTP/2 SSL Setup
# read http://centminmod.com/nginx_configure_https_ssl_spdy.html
# redirect from www to non-www  forced SSL
# uncomment, save file and restart Nginx to enable
# if unsure use return 302 before using return 301
server {
   server_name DOMAIN.com www.DOMAIN.com;
   return 301 https://DOMAIN.com$request_uri;
 }
 server {
  listen 443 ssl http2;
  server_name DOMAIN.com www.DOMAIN.com;

eva2000 · Apr 27, 2020

what version of curl used

Code (Text):

yum list curl -q

Code (Text):

curl -V

php version ?

Code (Text):

php -v

php curl info

Code (Text):

php --ri curl

output for

Code (Text):

ls -lah /etc/ssl/certs/cacert.pem

example

Code (Text):

ls -lah /etc/ssl/certs/cacert.pem
-rw-r--r-- 1 root root 219K Jan  1 04:12 /etc/ssl/certs/cacert.pem

Code (Text):

php --ri curl

curl

cURL support => enabled
cURL Information => 7.29.0
Age => 3
Features
AsynchDNS => Yes
CharConv => No
Debug => No
GSS-Negotiate => Yes
IDN => Yes
IPv6 => Yes
krb4 => No
Largefile => Yes
libz => Yes
NTLM => Yes
NTLMWB => Yes
SPNEGO => No
SSL => Yes
SSPI => No
TLS-SRP => No
Protocols => dict, file, ftp, ftps, gopher, http, https, imap, imaps, ldap, ldaps, pop3, pop3s, rtsp, scp, sftp, smtp, smtps, telnet, tftp
Host => x86_64-redhat-linux-gnu
SSL Version => NSS/3.44
ZLib Version => 1.2.7
libSSH Version => libssh2/1.8.0

Directive => Local Value => Master Value
curl.cainfo => /etc/ssl/certs/cacert.pem => /etc/ssl/certs/cacert.pem

tonmo · Apr 27, 2020

eva2000 said: ↑

what version of curl used
Click to expand...

curl.x86_64 7.29.0-54.el7_7.2 @updates

curl 7.29.0 (x86_64-redhat-linux-gnu) libcurl/7.29.0 NSS/3.44 zlib/1.2.7 libidn/1.28 libssh2/1.8.0
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smtp smtps telnet tftp
Features: AsynchDNS GSS-Negotiate IDN IPv6 Largefile NTLM NTLM_WB SSL libz unix-sockets

eva2000 said: ↑

php version ?
Click to expand...

7.4.1

eva2000 said: ↑

php curl info
Click to expand...

curl
cURL support => enabled
cURL Information => 7.29.0
Age => 3
Features
AsynchDNS => Yes
CharConv => No
Debug => No
GSS-Negotiate => Yes
IDN => Yes
IPv6 => Yes
krb4 => No
Largefile => Yes
libz => Yes
NTLM => Yes
NTLMWB => Yes
SPNEGO => No
SSL => Yes
SSPI => No
TLS-SRP => No
Protocols => dict, file, ftp, ftps, gopher, http, https, imap, imaps, ldap, ldaps, pop3, pop3s, rtsp, scp, sftp, smtp, smtps, telnet, tftp
Host => x86_64-redhat-linux-gnu
SSL Version => NSS/3.44
ZLib Version => 1.2.7
libSSH Version => libssh2/1.8.0
Directive => Local Value => Master Value
curl.cainfo => /etc/ssl/certs/cacert.pem => /etc/ssl/certs/cacert.pem

eva2000 said: ↑

output for
Click to expand...

-rw-r--r-- 1 root root 217K Nov 27 04:12 /etc/ssl/certs/cacert.pem

tonmo · Apr 27, 2020

I followed instructions found here, and made sure I have the three server {} entries as described; it seems to be working such that all traffic goes to Domain.com (i.e., www, and http goes to non-www and https respectively, which is good).

here are the results of various curl checks on my domain; all looks good except last check (the desired resolved site), which provides the same error found in the xf admincp for the Unfurl Testing Tool, albeit more verbose here:

Code:

[02:39][root@web.DOMAIN.com conf.d]# curl -I http://DOMAIN.com
HTTP/1.1 301 Moved Permanently
Date: Mon, 27 Apr 2020 02:41:39 GMT
Content-Type: text/html
Content-Length: 162
Connection: keep-alive
Location: https://DOMAIN.com/
Server: nginx centminmod
X-Powered-By: centminmod

[02:41][root@web.DOMAIN.com conf.d]# curl -I http://www.DOMAIN.com
HTTP/1.1 301 Moved Permanently
Date: Mon, 27 Apr 2020 02:41:56 GMT
Content-Type: text/html
Content-Length: 162
Connection: keep-alive
Location: https://DOMAIN.com/
Server: nginx centminmod
X-Powered-By: centminmod

[02:41][root@web.DOMAIN.com conf.d]# curl -I https://DOMAIN.com
curl: (60) Peer's Certificate issuer is not recognized.
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.
[02:42][root@web.DOMAIN.com conf.d]# ^C

tonmo · Apr 27, 2020

apologies for multiple replies, but reading further on your https instructions, you state the following:

The above non-www non-HTTPS to non-www HTTPS redirect vhost examples might slightly differ if you use Centmin Mod 123.09beta01 or higher's Letsencrypt SSL integrated tools as the following SSL certificate paths slightly differ for this part:
Click to expand...

...and you show the 4 lines in the ssl.conf that reference the ssl cert info. I do believe I fall into this category. It looks like the suggestion is that instead of the four lines, it should instead show the following two lines:

include /usr/local/nginx/conf/ssl/newdomain.com/newdomain.com.crt.key.conf;
include /usr/local/nginx/conf/ssl_include.conf;
Click to expand...

I checked, and while I do have a directory at /usr/local/nginx/conf/ssl/newdomain.com/, the file referenced (newdomain.com.crt.key.conf) does not exist. There are other files in that directory, but nothing ending in .conf. Do I need to create it?

eva2000 · Apr 27, 2020

Are you running behind Cloudflare ?

How did you create your Nginx HTTPS Letsencrypt SSL certificated based vhost via centmin.sh menu option 2, 22 ?
What is output for
Code (Text):
curl -Ikv https://DOMAIN.com
When you create a new nginx vhost domain via centmin.sh menu option 2 or menu option 22 or via /usr/bin/nv cli command line, you will create the Nginx vhost files and directories. You will get an outputted the path location where it will create the domain name's vhost conf file named newdomain.com.conf (and newdomain.com.ssl.conf if you selected yes to self signed SSL)

Nginx vhost conf path will be at /usr/local/nginx/conf/conf.d/newdomain.com.conf

Nginx HTTP/2 SSL vhost conf path will be at /usr/local/nginx/conf/conf.d/newdomain.com.ssl.conf

Nginx Self-Signed SSL Certificate Directory at /usr/local/nginx/conf/ssl/newdomain.com

Vhost public web root will be at /home/nginx/domains/newdomain.com/public

Vhost log directory will be at /home/nginx/domains/newdomain.com/log

Please post the contents of /usr/local/nginx/conf/conf.d/newdomain.com.conf and if applicable /usr/local/nginx/conf/conf.d/newdomain.com.ssl.conf wrapped in CODE tags (outlined at How to use forum BBCODE code tags)

tonmo · Apr 27, 2020

Thanks.

Well, I *was* running cloudflare until about a week ago. I was on Ezoic, but I've since left that program and re-pointed my DNS to my AWS host. Even after changing DNS, I went back to Ezoic settings just yesterday afternoon, and saw that I still had some cloudflare CDN settings associated with Cloudflare in their dashboard, so I deleted / "uninstalled" those records... I assumed none of that matters because I've already re-pointed DNS away from Ezoic, but now I'm not so sure. At this point though, all that data is (should be) deleted/uninstalled from Ezoic.

Someone else set this up for me a couple / few years ago. Should I re-run this?

Output is:

Code:

[11:13][root@web.DOMAIN.com centos]# curl -Ikv https://DOMAIN.com
* About to connect() to DOMAIN.com port 443 (#0)
*   Trying x.xx.xx.xxx...
* Connected to DOMAIN.com (x.xx.xx.xxx) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
*       subject: CN=DOMAIN.com
*       start date: Mar 14 00:07:41 2020 GMT
*       expire date: Jun 12 00:07:41 2020 GMT
*       common name: DOMAIN.com
*       issuer: CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US
> HEAD / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: DOMAIN.com
> Accept: */*
>
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Content-Type: text/html; charset=utf-8
Content-Type: text/html; charset=utf-8
< Connection: keep-alive
Connection: keep-alive
< Vary: Accept-Encoding
Vary: Accept-Encoding
< X-Frame-Options: SAMEORIGIN
X-Frame-Options: SAMEORIGIN
< X-Content-Type-Options: nosniff
X-Content-Type-Options: nosniff
< Set-Cookie: xf_csrf=cbIIT12HAOBY64Db; path=/; secure
Set-Cookie: xf_csrf=cbIIT12HAOBY64Db; path=/; secure
< Server: nginx centminmod
Server: nginx centminmod
< X-Powered-By: centminmod
X-Powered-By: centminmod
< Date: Mon, 27 Apr 2020 11:13:29 GMT
Date: Mon, 27 Apr 2020 11:13:29 GMT
< X-Page-Speed: 1.13.35.2-0
X-Page-Speed: 1.13.35.2-0
< Cache-Control: max-age=0, no-cache
Cache-Control: max-age=0, no-cache

<
* Connection #0 to host DOMAIN.com left intact
[11:13][root@web.DOMAIN.com centos]#

Long ago, I had renamed newdomain.com.conf to DOMAIN.com.conf-bak, because I understand it is not in use, given my ssl.conf file. Let me know if you still want to see those contents.

Here is DOMAIN.com.ssl.conf:

Code:

# Centmin Mod Getting Started Guide
# must read http://centminmod.com/getstarted.html
# For HTTP/2 SSL Setup
# read http://centminmod.com/nginx_configure_https_ssl_spdy.html

# redirect from www to non-www  forced SSL
# uncomment, save file and restart Nginx to enable
# if unsure use return 302 before using return 301
server {
   server_name DOMAIN.com www.DOMAIN.com;
   return 301 https://DOMAIN.com$request_uri;
 }

 server {
  listen 443 ssl http2;
  server_name www.DOMAIN.com;
  ssl_dhparam /usr/local/nginx/conf/ssl/DOMAIN.com/dhparam.pem;
  ssl_certificate      /root/.acme.sh/DOMAIN.com/DOMAIN.com.cer;
  ssl_certificate_key  /root/.acme.sh/DOMAIN.com/DOMAIN.com.key;
  include /usr/local/nginx/conf/ssl_include.conf;

  return 302 https://DOMAIN.com$request_uri;
}

 server{
  listen 443 ssl http2;
  server_name DOMAIN.com;
  ssl_dhparam /usr/local/nginx/conf/ssl/DOMAIN.com/dhparam.pem;
  ssl_certificate      /root/.acme.sh/DOMAIN.com/DOMAIN.com.cer;
  ssl_certificate_key  /root/.acme.sh/DOMAIN.com/DOMAIN.com.key;
  include /usr/local/nginx/conf/ssl_include.conf;

rewrite ^/forums/images/smilies/ammonicon.gif /images/smilies/ammonicon.gif permanent;
<SNIPPED CONTENTS TO REMOVE A BUNCH OF REDIRECTS SIMILAR TO THE LINE ABOVE>

  http2_max_field_size 16k;
  http2_max_header_size 32k;

  # dual cert supported ssl ciphers
  ssl_ciphers <SNIPPED FOR SECURITY?>
  ssl_prefer_server_ciphers   on;
  #add_header Alternate-Protocol  443:npn-spdy/3;
  #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
  #add_header X-Frame-Options SAMEORIGIN;
  #add_header X-Xss-Protection "1; mode=block" always;
  #add_header X-Content-Type-Options "nosniff" always;
  #spdy_headers_comp 5;
  ssl_buffer_size 4229;
  ssl_session_tickets on;

  # enable ocsp stapling
  #resolver 8.8.8.8 8.8.4.4 valid=10m;
  #resolver_timeout 10s;
  #ssl_stapling on;
  #ssl_stapling_verify on;
  ssl_trusted_certificate /root/.acme.sh/DOMAIN.com/fullchain.cer;

# ngx_pagespeed & ngx_pagespeed handler
include /usr/local/nginx/conf/pagespeed.conf;
include /usr/local/nginx/conf/pagespeedhandler.conf;
include /usr/local/nginx/conf/pagespeedstatslog.conf;

  # limit_conn limit_per_ip 16;
  # ssi  on;
  access_log /home/nginx/domains/DOMAIN.com/log/access.log combined buffer=256k flush=5m;
  error_log /home/nginx/domains/DOMAIN.com/log/error.log;
  root /home/nginx/domains/DOMAIN.com/public;

  location / {
  try_files $uri $uri/ /index.php?$uri&$args;
  index index.php index.html index.htm;

  # block common exploits, sql injections etc
  # include /usr/local/nginx/conf/block.conf;
  # Enables directory listings when index file not found
  #autoindex  on;

  # Shows file listing times as local time
  #autoindex_localtime on;
  # Wordpress Permalinks example
  #try_files $uri $uri/ /index.php?q=$uri&$args;
  }

location /install/data/ {
    internal;
}

location /install/templates/ {
    internal;
}

location /internal_data/ {
    internal;
}

location /library/ {
internal;
}

location /src/ {
    internal;
}

  include /usr/local/nginx/conf/staticfiles.conf;
  #include /usr/local/nginx/conf/php.conf;
  include /usr/local/nginx/conf/php_disable_openbasedir.conf;
  #include /usr/local/nginx/conf/drop.conf;
  #include /usr/local/nginx/conf/errorpage.conf;
  include /usr/local/nginx/conf/vts_server.conf;
}

eva2000 · Apr 28, 2020

I see you're using PHP 7.4.1, try updating to PHP 7.4.5 as well

no you can't re-run centmin.sh menu option 2, 22 or nv on existing nginx vhost domains but i see your nginx vhost has non standard Centmin Mod paths setup to directly reference /root/.acme.sh/DOMAIN.com/* files instead of Centmin Mod method which has them copied from /root/.acme.sh/DOMAIN.com/* to /usr/local/nginx/conf/ssl/domain.com/* which is technically same files with a different name. So technically should cause any problems. But I believe your ssl_certificate path setup is only linking to SSL cert without proper chaining that Centmin Mod does when it creates /usr/local/nginx/conf/ssl/domain.com/domain.com-acme.cer and referenced as

Code (Text):

ssl_certificate      /usr/local/nginx/conf/ssl/domain.com/domain.com-acme.cer;

so your nginx vhost would have references like with ssl_stapling and resolver directives enabled and not commented out like in yours

Code (Text):

  ssl_certificate      /usr/local/nginx/conf/ssl/domain.com/domain.com-acme.cer;
  ssl_certificate_key  /usr/local/nginx/conf/ssl/domain.com/domain.com-acme.key;

  resolver 8.8.8.8 8.8.4.4 valid=10m;
  resolver_timeout 10s;
  ssl_stapling on;
  ssl_stapling_verify on;
  ssl_trusted_certificate /usr/local/nginx/conf/ssl/domain.com/domain.com-fullchain-acme.key;

Code (Text):

[02:41][root@web.DOMAIN.com conf.d]# curl -I https://DOMAIN.com
curl: (60) Peer's Certificate issuer is not recognized.
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

Your CA certificates on system might be outdated. When was last time you did a yum update ?

output for

Code (Text):

yum history list nss -q
yum history list ca-certificates -q; ls -lah /etc/pki/tls/certs; uptime

example for me would be

Code (Text):

yum history list nss -q
ID     | Command line             | Date and time    | Action(s)      | Altered
-------------------------------------------------------------------------------
   614 | -y update                | 2019-12-23 22:48 | E, I, U        |   39 EE
   556 | update --disableplugin=p | 2019-09-19 05:56 | E, I, O, U     |  329 EE
   437 | -y update                | 2019-03-20 18:26 | E, I, U        |  117 EE
   390 | update --disableplugin=p | 2018-11-16 19:31 | E, I, U        |  108 
   349 | update --disableplugin=p | 2018-05-22 08:06 | E, I, U        |  395 EE
   178 | update --disableplugin=p | 2017-10-26 21:22 | E, I, O, U     |  148 EE
   162 | -y update                | 2017-10-01 13:35 | Update         |    4 
   156 | update --disableplugin=p | 2017-09-14 13:12 | E, I, O, U     |  443 EE
    66 | -y update                | 2017-05-31 22:24 | Update         |   12 
    45 | update --disableplugin=p | 2017-04-21 23:40 | Update         |   20 
     2 | update --assumeyes --qui | 2017-04-04 07:25 | Update         |    8

Code (Text):

yum history list ca-certificates -q; ls -lah /etc/pki/tls/certs; uptime
ID     | Command line             | Date and time    | Action(s)      | Altered
-------------------------------------------------------------------------------
   614 | -y update                | 2019-12-23 22:48 | E, I, U        |   39 EE
   349 | update --disableplugin=p | 2018-05-22 08:06 | E, I, U        |  395 EE
   156 | update --disableplugin=p | 2017-09-14 13:12 | E, I, O, U     |  443 EE
    79 | update --disableplugin=p | 2017-06-15 22:33 | Update         |   12 EE
    40 | -y update                | 2017-04-13 18:23 | I, U           |   30 
total 252K
drwxr-xr-x. 2 root root 4.0K Dec 23 22:48 .
drwxr-xr-x. 5 root root 4.0K Dec 23 22:48 ..
lrwxrwxrwx  1 root root   49 Dec 23 22:48 ca-bundle.crt -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
lrwxrwxrwx  1 root root   55 Dec 23 22:48 ca-bundle.trust.crt -> /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
-rw-r--r--. 1 root root 219K Jan  1 04:12 cacert.pem
-rw-------  1 root root 3.2K Aug  3  2017 imapd.pem
-rw-------  1 root root 3.2K Aug  3  2017 ipop3d.pem
-rwxr-xr-x  1 root root  610 Aug  9  2019 make-dummy-cert
-rw-r--r--  1 root root 2.5K Aug  9  2019 Makefile
-rwxr-xr-x  1 root root  829 Aug  9  2019 renew-dummy-cert
 20:21:35 up 11 days, 19:53,  1 user,  load average: 0.04, 0.06, 0.10

eva2000 · Apr 28, 2020

also run your domain through SSL labs tester at SSL Server Test (Powered by Qualys SSL Labs)

eva2000 · Apr 28, 2020

eva2000 said: ↑

no you can't re-run centmin.sh menu option 2, 22 or nv on existing nginx vhost domains but i see your nginx vhost has non standard Centmin Mod paths setup to directly reference /root/.acme.sh/DOMAIN.com/* files instead of Centmin Mod method which has them copied from /root/.acme.sh/DOMAIN.com/* to /usr/local/nginx/conf/ssl/domain.com/* which is technically same files with a different name. So technically should cause any problems. But I believe your ssl_certificate path setup is only linking to SSL cert with proper chaining that Centmin Mod does when it creates /usr/local/nginx/conf/ssl/domain.com/domain.com-acme.cer
Click to expand...

You can try to manually fix up your letsencrypt SSL cert and where the files are by doing a letsencrypt reissue by following steps 2, 3 and 4 of manual migration guide at Migrating Existing Nginx Vhost From HTTP to HTTP/2 based HTTPS With Letsencrypt SSL Certificates

replace newdomain.com with yourdomain.com
Code (Text):
mkdir -p /usr/local/nginx/conf/ssl/newdomain.com
cd /usr/local/nginx/conf/ssl/newdomain.com
openssl dhparam -out dhparam.pem 2048

touch /etc/centminmod/custom_config.inc
echo "LETSENCRYPT_DETECT='y'" >> /etc/centminmod/custom_config.inc
/usr/local/src/centminmod/addons/acmetool.sh acmeupdate

# issue ssl certs to /root/.acme.sh/newdomain.com
/root/.acme.sh/acme.sh --force --issue --days 60 -d newdomain.com -d www.newdomain.com -w /home/nginx/domains/newdomain.com/public -k 2048 --useragent centminmod-centos-acmesh-webroot --log /root/centminlogs/acmetool.sh-debug-log-newdomain.com.log --log-level 2

# install ssl certs to /usr/local/nginx/conf/ssl/newdomain.com
/root/.acme.sh/acme.sh --installcert -d newdomain.com -d www.newdomain.com --certpath /usr/local/nginx/conf/ssl/newdomain.com/newdomain.com-acme.cer --keypath /usr/local/nginx/conf/ssl/newdomain.com/newdomain.com-acme.key --capath /usr/local/nginx/conf/ssl/newdomain.com/newdomain.com-acme.cer --reloadCmd /usr/bin/ngxreload --fullchainpath /usr/local/nginx/conf/ssl/newdomain.com/newdomain.com-fullchain-acme.key
then nginx vhost references are updated to the installed ssl cert paths
Code (Text):
  ssl_certificate      /usr/local/nginx/conf/ssl/newdomain.com/newdomain.com-acme.cer;
  ssl_certificate_key  /usr/local/nginx/conf/ssl/newdomain.com/newdomain.com-acme.key;

  # enable ocsp stapling
  resolver 8.8.8.8 8.8.4.4 valid=10m;
  resolver_timeout 10s;
  ssl_stapling on;
  ssl_stapling_verify on;
  ssl_trusted_certificate /usr/local/nginx/conf/ssl/newdomain.com/newdomain.com-acme.cer;
then restart nginx
Code (Text):
ngxrestart

tonmo · Apr 28, 2020

eva2000 said: ↑

I see you're using PHP 7.4.1, try updating to PHP 7.4.5 as well
Click to expand...

Done.

eva2000 said: ↑

Your CA certificates on system might be outdated. When was last time you did a yum update ?
Click to expand...
Code:
ID     | Login user               | Date and time    | Action(s)      | Altered
-------------------------------------------------------------------------------
    82 | root <root>              | 2019-12-13 09:01 | Update         |    8
    62 | root <root>              | 2019-09-18 06:14 | I, O, U        |  270
     1 | Cloud User <centos>      | 2019-07-11 15:07 | I, U           |   63
and
Code:
ID     | Login user               | Date and time    | Action(s)      | Altered
-------------------------------------------------------------------------------
    79 | root <root>              | 2019-12-04 03:49 | E, I, U        |   27
total 232K
drwxr-xr-x. 2 root root  135 Dec  4 03:50 .
drwxr-xr-x. 5 root root   81 Dec  4 03:50 ..
lrwxrwxrwx  1 root root   49 Dec  4 03:50 ca-bundle.crt -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
lrwxrwxrwx  1 root root   55 Dec  4 03:50 ca-bundle.trust.crt -> /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
-rw-r--r--  1 root root 219K Jan  1 04:12 cacert.pem
-rwxr-xr-x  1 root root  610 Aug  9  2019 make-dummy-cert
-rw-r--r--  1 root root 2.5K Aug  9  2019 Makefile
-rwxr-xr-x  1 root root  829 Aug  9  2019 renew-dummy-cert
 21:59:21 up 264 days,  4:03,  1 user,  load average: 0.10, 1.02, 1.23
eva2000 said: ↑

also run your domain through SSL labs tester at SSL Server Test (Powered by Qualys SSL Labs)
Click to expand...

done. I scored a B:
This server's certificate chain is incomplete. Grade capped to B.
This server supports TLS 1.0 and TLS 1.1. Grade capped to B.
This server supports TLS 1.3.

eva2000 said: ↑

You can try to manually fix up your letsencrypt SSL cert and where the files are by doing a letsencrypt reissue by following steps 2, 3 and 4 of manual migration guide at Migrating Existing Nginx Vhost From HTTP to HTTP/2 based HTTPS With Letsencrypt SSL Certificates
Click to expand...

OK, I followed all those steps you outlined in post #10, but the unfurling issue still exists; same error.

eva2000 · Apr 28, 2020

tonmo said: ↑

This server's certificate chain is incomplete. Grade capped to B.
Click to expand...

that would be the problem

tonmo said: ↑

OK, I followed all those steps you outlined in post #10, but the unfurling issue still exists; same error.
Click to expand...

the manual ssl cert reissue should of fixed it

restart both nginx and php-fpm services and also manually purge your cloudflare cache if behind cloudflare
Code (Text):
nprestart
then retest in SSL labs SSL Server Test (Powered by Qualys SSL Labs) too

tonmo · Apr 28, 2020

eva2000 said: ↑

the manual ssl cert reissue should of fixed it
Click to expand...

Got it - I had 3 {server entries; I was supposed to update both #2 (www) and #3 (non-www), but I had only updated #2. I've now updated #3 as well, and it works! Unfurling works!

eva2000 said: ↑

then retest in SSL labs
Click to expand...

I'm still scoring a B, but the only cited issue is:
This server supports TLS 1.0 and TLS 1.1. Grade capped to B. MORE INFO »

eva2000 · Apr 28, 2020

tonmo said: ↑

Got it - I had 3 {server entries; I was supposed to update both #2 (www) and #3 (non-www), but I had only updated #2. I've now updated #3 as well, and it works! Unfurling works!
Click to expand...

Looks good then. The TLS 1.0/1.1 is fine for now

tonmo · May 11, 2020

eva2000 said: ↑

Looks good then. The TLS 1.0/1.1 is fine for now
Click to expand...

Now resolved thanks to this:
Beta Branch - add SSL_PROTOCOL_MODERN variable in 123.09beta01

eva2000 · May 11, 2020

tonmo said: ↑

Now resolved thanks to this:
Beta Branch - add SSL_PROTOCOL_MODERN variable in 123.09beta01
Click to expand...

Glad to hear

Log in / Register

Forums

Get the most out of your Centmin Mod LEMP stack

Xenforo unfurling on own domain

tonmo Member

eva2000 Administrator Staff Member

tonmo Member

tonmo Member

tonmo Member

eva2000 Administrator Staff Member

tonmo Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

tonmo Member

eva2000 Administrator Staff Member

tonmo Member

eva2000 Administrator Staff Member

tonmo Member

eva2000 Administrator Staff Member

.

Log in / Register

Useful Searches

Get the most out of your Centmin Mod LEMP stack

Xenforo unfurling on own domain

tonmo Member

eva2000 Administrator Staff Member

tonmo Member

tonmo Member

tonmo Member

eva2000 Administrator Staff Member

tonmo Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

tonmo Member

eva2000 Administrator Staff Member

tonmo Member

eva2000 Administrator Staff Member

tonmo Member

eva2000 Administrator Staff Member

.