Join the community today
Become a Member

Xenforo unfurling on own domain

Discussion in 'Forum software usage' started by tonmo, Apr 26, 2020.

  1. tonmo

    tonmo Member

    34
    1
    8
    Jul 20, 2019
    Ratings:
    +4
    Local Time:
    1:36 PM
    1.17.1
    5.5.5 (10.3.16-MariaDB)
    I'm having the same exact issue as described in this thread (unfurl does not work but only for my own site), but with a slightly different cURL error. The XF unfurl tool returns this result for any unfurl attempt from my own site:
    My hosts file is as follows:
    Code:
    127.0.0.1 localhost localhost.localdomain
    127.0.0.1 localhost4 localhost4.localdomain4
    ::1 localhost localhost.localdomain
    ::1 localhost6 localhost6.localdomain6
    Also, I recently changed everything to resolve to DOMAIN.com (vs. www.DOMAIN.com). Here's the start of my ssl.conf:
    Code:
    # Centmin Mod Getting Started Guide
    # must read http://centminmod.com/getstarted.html
    # For HTTP/2 SSL Setup
    # read http://centminmod.com/nginx_configure_https_ssl_spdy.html
    # redirect from www to non-www  forced SSL
    # uncomment, save file and restart Nginx to enable
    # if unsure use return 302 before using return 301
    server {
       server_name DOMAIN.com www.DOMAIN.com;
       return 301 https://DOMAIN.com$request_uri;
     }
     server {
      listen 443 ssl http2;
      server_name DOMAIN.com www.DOMAIN.com;

     
  2. eva2000

    eva2000 Administrator Staff Member

    44,163
    10,066
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +15,556
    Local Time:
    3:36 AM
    Nginx 1.17.x
    MariaDB 5.5/10.x
    what version of curl used
    Code (Text):
    yum list curl -q

    Code (Text):
    curl -V

    php version ?
    Code (Text):
    php -v

    php curl info
    Code (Text):
    php --ri curl

    output for
    Code (Text):
    ls -lah /etc/ssl/certs/cacert.pem

    example
    Code (Text):
    ls -lah /etc/ssl/certs/cacert.pem
    -rw-r--r-- 1 root root 219K Jan  1 04:12 /etc/ssl/certs/cacert.pem
    

    Code (Text):
    php --ri curl
    
    curl
    
    cURL support => enabled
    cURL Information => 7.29.0
    Age => 3
    Features
    AsynchDNS => Yes
    CharConv => No
    Debug => No
    GSS-Negotiate => Yes
    IDN => Yes
    IPv6 => Yes
    krb4 => No
    Largefile => Yes
    libz => Yes
    NTLM => Yes
    NTLMWB => Yes
    SPNEGO => No
    SSL => Yes
    SSPI => No
    TLS-SRP => No
    Protocols => dict, file, ftp, ftps, gopher, http, https, imap, imaps, ldap, ldaps, pop3, pop3s, rtsp, scp, sftp, smtp, smtps, telnet, tftp
    Host => x86_64-redhat-linux-gnu
    SSL Version => NSS/3.44
    ZLib Version => 1.2.7
    libSSH Version => libssh2/1.8.0
    
    Directive => Local Value => Master Value
    curl.cainfo => /etc/ssl/certs/cacert.pem => /etc/ssl/certs/cacert.pem
     
  3. tonmo

    tonmo Member

    34
    1
    8
    Jul 20, 2019
    Ratings:
    +4
    Local Time:
    1:36 PM
    1.17.1
    5.5.5 (10.3.16-MariaDB)
    curl.x86_64 7.29.0-54.el7_7.2 @updates

    curl 7.29.0 (x86_64-redhat-linux-gnu) libcurl/7.29.0 NSS/3.44 zlib/1.2.7 libidn/1.28 libssh2/1.8.0
    Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smtp smtps telnet tftp
    Features: AsynchDNS GSS-Negotiate IDN IPv6 Largefile NTLM NTLM_WB SSL libz unix-sockets

    7.4.1

    curl
    cURL support => enabled
    cURL Information => 7.29.0
    Age => 3
    Features
    AsynchDNS => Yes
    CharConv => No
    Debug => No
    GSS-Negotiate => Yes
    IDN => Yes
    IPv6 => Yes
    krb4 => No
    Largefile => Yes
    libz => Yes
    NTLM => Yes
    NTLMWB => Yes
    SPNEGO => No
    SSL => Yes
    SSPI => No
    TLS-SRP => No
    Protocols => dict, file, ftp, ftps, gopher, http, https, imap, imaps, ldap, ldaps, pop3, pop3s, rtsp, scp, sftp, smtp, smtps, telnet, tftp
    Host => x86_64-redhat-linux-gnu
    SSL Version => NSS/3.44
    ZLib Version => 1.2.7
    libSSH Version => libssh2/1.8.0
    Directive => Local Value => Master Value
    curl.cainfo => /etc/ssl/certs/cacert.pem => /etc/ssl/certs/cacert.pem


    -rw-r--r-- 1 root root 217K Nov 27 04:12 /etc/ssl/certs/cacert.pem
     
  4. tonmo

    tonmo Member

    34
    1
    8
    Jul 20, 2019
    Ratings:
    +4
    Local Time:
    1:36 PM
    1.17.1
    5.5.5 (10.3.16-MariaDB)
    I followed instructions found here, and made sure I have the three server {} entries as described; it seems to be working such that all traffic goes to Domain.com (i.e., www, and http goes to non-www and https respectively, which is good).

    here are the results of various curl checks on my domain; all looks good except last check (the desired resolved site), which provides the same error found in the xf admincp for the Unfurl Testing Tool, albeit more verbose here:

    Code:
    [02:39][root@web.DOMAIN.com conf.d]# curl -I http://DOMAIN.com
    HTTP/1.1 301 Moved Permanently
    Date: Mon, 27 Apr 2020 02:41:39 GMT
    Content-Type: text/html
    Content-Length: 162
    Connection: keep-alive
    Location: https://DOMAIN.com/
    Server: nginx centminmod
    X-Powered-By: centminmod
    
    [02:41][root@web.DOMAIN.com conf.d]# curl -I http://www.DOMAIN.com
    HTTP/1.1 301 Moved Permanently
    Date: Mon, 27 Apr 2020 02:41:56 GMT
    Content-Type: text/html
    Content-Length: 162
    Connection: keep-alive
    Location: https://DOMAIN.com/
    Server: nginx centminmod
    X-Powered-By: centminmod
    
    [02:41][root@web.DOMAIN.com conf.d]# curl -I https://DOMAIN.com
    curl: (60) Peer's Certificate issuer is not recognized.
    More details here: http://curl.haxx.se/docs/sslcerts.html
    
    curl performs SSL certificate verification by default, using a "bundle"
     of Certificate Authority (CA) public keys (CA certs). If the default
     bundle file isn't adequate, you can specify an alternate file
     using the --cacert option.
    If this HTTPS server uses a certificate signed by a CA represented in
     the bundle, the certificate verification probably failed due to a
     problem with the certificate (it might be expired, or the name might
     not match the domain name in the URL).
    If you'd like to turn off curl's verification of the certificate, use
     the -k (or --insecure) option.
    [02:42][root@web.DOMAIN.com conf.d]# ^C
    
     
  5. tonmo

    tonmo Member

    34
    1
    8
    Jul 20, 2019
    Ratings:
    +4
    Local Time:
    1:36 PM
    1.17.1
    5.5.5 (10.3.16-MariaDB)
    apologies for multiple replies, but reading further on your https instructions, you state the following:

    ...and you show the 4 lines in the ssl.conf that reference the ssl cert info. I do believe I fall into this category. It looks like the suggestion is that instead of the four lines, it should instead show the following two lines:

    I checked, and while I do have a directory at /usr/local/nginx/conf/ssl/newdomain.com/, the file referenced (newdomain.com.crt.key.conf) does not exist. There are other files in that directory, but nothing ending in .conf. Do I need to create it?
     
  6. eva2000

    eva2000 Administrator Staff Member

    44,163
    10,066
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +15,556
    Local Time:
    3:36 AM
    Nginx 1.17.x
    MariaDB 5.5/10.x
    1. Are you running behind Cloudflare ?
    2. How did you create your Nginx HTTPS Letsencrypt SSL certificated based vhost via centmin.sh menu option 2, 22 ?
    3. What is output for
      Code (Text):
      curl -Ikv https://DOMAIN.com
      
    When you create a new nginx vhost domain via centmin.sh menu option 2 or menu option 22 or via /usr/bin/nv cli command line, you will create the Nginx vhost files and directories. You will get an outputted the path location where it will create the domain name's vhost conf file named newdomain.com.conf (and newdomain.com.ssl.conf if you selected yes to self signed SSL)
    • Nginx vhost conf path will be at /usr/local/nginx/conf/conf.d/newdomain.com.conf
    • Nginx HTTP/2 SSL vhost conf path will be at /usr/local/nginx/conf/conf.d/newdomain.com.ssl.conf
    • Nginx Self-Signed SSL Certificate Directory at /usr/local/nginx/conf/ssl/newdomain.com
    • Vhost public web root will be at /home/nginx/domains/newdomain.com/public
    • Vhost log directory will be at /home/nginx/domains/newdomain.com/log
    Please post the contents of /usr/local/nginx/conf/conf.d/newdomain.com.conf and if applicable /usr/local/nginx/conf/conf.d/newdomain.com.ssl.conf wrapped in CODE tags (outlined at How to use forum BBCODE code tags)
     
    Last edited: Apr 27, 2020
  7. tonmo

    tonmo Member

    34
    1
    8
    Jul 20, 2019
    Ratings:
    +4
    Local Time:
    1:36 PM
    1.17.1
    5.5.5 (10.3.16-MariaDB)
    Thanks.
    Well, I *was* running cloudflare until about a week ago. I was on Ezoic, but I've since left that program and re-pointed my DNS to my AWS host. Even after changing DNS, I went back to Ezoic settings just yesterday afternoon, and saw that I still had some cloudflare CDN settings associated with Cloudflare in their dashboard, so I deleted / "uninstalled" those records... I assumed none of that matters because I've already re-pointed DNS away from Ezoic, but now I'm not so sure. At this point though, all that data is (should be) deleted/uninstalled from Ezoic.

    Someone else set this up for me a couple / few years ago. Should I re-run this?

    Output is:
    Code:
    [11:13][root@web.DOMAIN.com centos]# curl -Ikv https://DOMAIN.com
    * About to connect() to DOMAIN.com port 443 (#0)
    *   Trying x.xx.xx.xxx...
    * Connected to DOMAIN.com (x.xx.xx.xxx) port 443 (#0)
    * Initializing NSS with certpath: sql:/etc/pki/nssdb
    * skipping SSL peer certificate verification
    * SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    * Server certificate:
    *       subject: CN=DOMAIN.com
    *       start date: Mar 14 00:07:41 2020 GMT
    *       expire date: Jun 12 00:07:41 2020 GMT
    *       common name: DOMAIN.com
    *       issuer: CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US
    > HEAD / HTTP/1.1
    > User-Agent: curl/7.29.0
    > Host: DOMAIN.com
    > Accept: */*
    >
    < HTTP/1.1 200 OK
    HTTP/1.1 200 OK
    < Content-Type: text/html; charset=utf-8
    Content-Type: text/html; charset=utf-8
    < Connection: keep-alive
    Connection: keep-alive
    < Vary: Accept-Encoding
    Vary: Accept-Encoding
    < X-Frame-Options: SAMEORIGIN
    X-Frame-Options: SAMEORIGIN
    < X-Content-Type-Options: nosniff
    X-Content-Type-Options: nosniff
    < Set-Cookie: xf_csrf=cbIIT12HAOBY64Db; path=/; secure
    Set-Cookie: xf_csrf=cbIIT12HAOBY64Db; path=/; secure
    < Server: nginx centminmod
    Server: nginx centminmod
    < X-Powered-By: centminmod
    X-Powered-By: centminmod
    < Date: Mon, 27 Apr 2020 11:13:29 GMT
    Date: Mon, 27 Apr 2020 11:13:29 GMT
    < X-Page-Speed: 1.13.35.2-0
    X-Page-Speed: 1.13.35.2-0
    < Cache-Control: max-age=0, no-cache
    Cache-Control: max-age=0, no-cache
    
    <
    * Connection #0 to host DOMAIN.com left intact
    [11:13][root@web.DOMAIN.com centos]#
    Long ago, I had renamed newdomain.com.conf to DOMAIN.com.conf-bak, because I understand it is not in use, given my ssl.conf file. Let me know if you still want to see those contents.

    Here is DOMAIN.com.ssl.conf:

    Code:
    # Centmin Mod Getting Started Guide
    # must read http://centminmod.com/getstarted.html
    # For HTTP/2 SSL Setup
    # read http://centminmod.com/nginx_configure_https_ssl_spdy.html
    
    # redirect from www to non-www  forced SSL
    # uncomment, save file and restart Nginx to enable
    # if unsure use return 302 before using return 301
    server {
       server_name DOMAIN.com www.DOMAIN.com;
       return 301 https://DOMAIN.com$request_uri;
     }
    
     server {
      listen 443 ssl http2;
      server_name www.DOMAIN.com;
      ssl_dhparam /usr/local/nginx/conf/ssl/DOMAIN.com/dhparam.pem;
      ssl_certificate      /root/.acme.sh/DOMAIN.com/DOMAIN.com.cer;
      ssl_certificate_key  /root/.acme.sh/DOMAIN.com/DOMAIN.com.key;
      include /usr/local/nginx/conf/ssl_include.conf;
    
      return 302 https://DOMAIN.com$request_uri;
    }
    
     server{
      listen 443 ssl http2;
      server_name DOMAIN.com;
      ssl_dhparam /usr/local/nginx/conf/ssl/DOMAIN.com/dhparam.pem;
      ssl_certificate      /root/.acme.sh/DOMAIN.com/DOMAIN.com.cer;
      ssl_certificate_key  /root/.acme.sh/DOMAIN.com/DOMAIN.com.key;
      include /usr/local/nginx/conf/ssl_include.conf;
    
    rewrite ^/forums/images/smilies/ammonicon.gif /images/smilies/ammonicon.gif permanent;
    <SNIPPED CONTENTS TO REMOVE A BUNCH OF REDIRECTS SIMILAR TO THE LINE ABOVE>
    
      http2_max_field_size 16k;
      http2_max_header_size 32k;
    
      # dual cert supported ssl ciphers
      ssl_ciphers <SNIPPED FOR SECURITY?>
      ssl_prefer_server_ciphers   on;
      #add_header Alternate-Protocol  443:npn-spdy/3;
      #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
      #add_header X-Frame-Options SAMEORIGIN;
      #add_header X-Xss-Protection "1; mode=block" always;
      #add_header X-Content-Type-Options "nosniff" always;
      #spdy_headers_comp 5;
      ssl_buffer_size 4229;
      ssl_session_tickets on;
    
      # enable ocsp stapling
      #resolver 8.8.8.8 8.8.4.4 valid=10m;
      #resolver_timeout 10s;
      #ssl_stapling on;
      #ssl_stapling_verify on;
      ssl_trusted_certificate /root/.acme.sh/DOMAIN.com/fullchain.cer;
    
    # ngx_pagespeed & ngx_pagespeed handler
    include /usr/local/nginx/conf/pagespeed.conf;
    include /usr/local/nginx/conf/pagespeedhandler.conf;
    include /usr/local/nginx/conf/pagespeedstatslog.conf;
    
      # limit_conn limit_per_ip 16;
      # ssi  on;
      access_log /home/nginx/domains/DOMAIN.com/log/access.log combined buffer=256k flush=5m;
      error_log /home/nginx/domains/DOMAIN.com/log/error.log;
      root /home/nginx/domains/DOMAIN.com/public;
    
      location / {
      try_files $uri $uri/ /index.php?$uri&$args;
      index index.php index.html index.htm;
    
      # block common exploits, sql injections etc
      # include /usr/local/nginx/conf/block.conf;
      # Enables directory listings when index file not found
      #autoindex  on;
    
      # Shows file listing times as local time
      #autoindex_localtime on;
      # Wordpress Permalinks example
      #try_files $uri $uri/ /index.php?q=$uri&$args;
      }
    
    location /install/data/ {
        internal;
    }
    
    location /install/templates/ {
        internal;
    }
    
    location /internal_data/ {
        internal;
    }
    
    location /library/ {
    internal;
    }
    
    location /src/ {
        internal;
    }
    
      include /usr/local/nginx/conf/staticfiles.conf;
      #include /usr/local/nginx/conf/php.conf;
      include /usr/local/nginx/conf/php_disable_openbasedir.conf;
      #include /usr/local/nginx/conf/drop.conf;
      #include /usr/local/nginx/conf/errorpage.conf;
      include /usr/local/nginx/conf/vts_server.conf;
    }
    
    
     
  8. eva2000

    eva2000 Administrator Staff Member

    44,163
    10,066
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +15,556
    Local Time:
    3:36 AM
    Nginx 1.17.x
    MariaDB 5.5/10.x
    I see you're using PHP 7.4.1, try updating to PHP 7.4.5 as well
    no you can't re-run centmin.sh menu option 2, 22 or nv on existing nginx vhost domains but i see your nginx vhost has non standard Centmin Mod paths setup to directly reference /root/.acme.sh/DOMAIN.com/* files instead of Centmin Mod method which has them copied from /root/.acme.sh/DOMAIN.com/* to /usr/local/nginx/conf/ssl/domain.com/* which is technically same files with a different name. So technically should cause any problems. But I believe your ssl_certificate path setup is only linking to SSL cert without proper chaining that Centmin Mod does when it creates /usr/local/nginx/conf/ssl/domain.com/domain.com-acme.cer and referenced as
    Code (Text):
    ssl_certificate      /usr/local/nginx/conf/ssl/domain.com/domain.com-acme.cer;

    so your nginx vhost would have references like with ssl_stapling and resolver directives enabled and not commented out like in yours
    Code (Text):
      ssl_certificate      /usr/local/nginx/conf/ssl/domain.com/domain.com-acme.cer;
      ssl_certificate_key  /usr/local/nginx/conf/ssl/domain.com/domain.com-acme.key;
    
      resolver 8.8.8.8 8.8.4.4 valid=10m;
      resolver_timeout 10s;
      ssl_stapling on;
      ssl_stapling_verify on;
      ssl_trusted_certificate /usr/local/nginx/conf/ssl/domain.com/domain.com-fullchain-acme.key;
    

    Code (Text):
    [02:41][root@web.DOMAIN.com conf.d]# curl -I https://DOMAIN.com
    curl: (60) Peer's Certificate issuer is not recognized.
    More details here: http://curl.haxx.se/docs/sslcerts.html
    
    curl performs SSL certificate verification by default, using a "bundle"
     of Certificate Authority (CA) public keys (CA certs). If the default
     bundle file isn't adequate, you can specify an alternate file
     using the --cacert option.
    If this HTTPS server uses a certificate signed by a CA represented in
     the bundle, the certificate verification probably failed due to a
     problem with the certificate (it might be expired, or the name might
     not match the domain name in the URL).
    If you'd like to turn off curl's verification of the certificate, use
     the -k (or --insecure) option.
    

    Your CA certificates on system might be outdated. When was last time you did a yum update ?

    output for
    Code (Text):
    yum history list nss -q
    yum history list ca-certificates -q; ls -lah /etc/pki/tls/certs; uptime
    

    example for me would be
    Code (Text):
    yum history list nss -q
    ID     | Command line             | Date and time    | Action(s)      | Altered
    -------------------------------------------------------------------------------
       614 | -y update                | 2019-12-23 22:48 | E, I, U        |   39 EE
       556 | update --disableplugin=p | 2019-09-19 05:56 | E, I, O, U     |  329 EE
       437 | -y update                | 2019-03-20 18:26 | E, I, U        |  117 EE
       390 | update --disableplugin=p | 2018-11-16 19:31 | E, I, U        |  108 
       349 | update --disableplugin=p | 2018-05-22 08:06 | E, I, U        |  395 EE
       178 | update --disableplugin=p | 2017-10-26 21:22 | E, I, O, U     |  148 EE
       162 | -y update                | 2017-10-01 13:35 | Update         |    4 
       156 | update --disableplugin=p | 2017-09-14 13:12 | E, I, O, U     |  443 EE
        66 | -y update                | 2017-05-31 22:24 | Update         |   12 
        45 | update --disableplugin=p | 2017-04-21 23:40 | Update         |   20 
         2 | update --assumeyes --qui | 2017-04-04 07:25 | Update         |    8
    

    Code (Text):
    yum history list ca-certificates -q; ls -lah /etc/pki/tls/certs; uptime
    ID     | Command line             | Date and time    | Action(s)      | Altered
    -------------------------------------------------------------------------------
       614 | -y update                | 2019-12-23 22:48 | E, I, U        |   39 EE
       349 | update --disableplugin=p | 2018-05-22 08:06 | E, I, U        |  395 EE
       156 | update --disableplugin=p | 2017-09-14 13:12 | E, I, O, U     |  443 EE
        79 | update --disableplugin=p | 2017-06-15 22:33 | Update         |   12 EE
        40 | -y update                | 2017-04-13 18:23 | I, U           |   30 
    total 252K
    drwxr-xr-x. 2 root root 4.0K Dec 23 22:48 .
    drwxr-xr-x. 5 root root 4.0K Dec 23 22:48 ..
    lrwxrwxrwx  1 root root   49 Dec 23 22:48 ca-bundle.crt -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
    lrwxrwxrwx  1 root root   55 Dec 23 22:48 ca-bundle.trust.crt -> /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
    -rw-r--r--. 1 root root 219K Jan  1 04:12 cacert.pem
    -rw-------  1 root root 3.2K Aug  3  2017 imapd.pem
    -rw-------  1 root root 3.2K Aug  3  2017 ipop3d.pem
    -rwxr-xr-x  1 root root  610 Aug  9  2019 make-dummy-cert
    -rw-r--r--  1 root root 2.5K Aug  9  2019 Makefile
    -rwxr-xr-x  1 root root  829 Aug  9  2019 renew-dummy-cert
     20:21:35 up 11 days, 19:53,  1 user,  load average: 0.04, 0.06, 0.10
    
     
  9. eva2000

    eva2000 Administrator Staff Member

    44,163
    10,066
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +15,556
    Local Time:
    3:36 AM
    Nginx 1.17.x
    MariaDB 5.5/10.x
  10. eva2000

    eva2000 Administrator Staff Member

    44,163
    10,066
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +15,556
    Local Time:
    3:36 AM
    Nginx 1.17.x
    MariaDB 5.5/10.x
    You can try to manually fix up your letsencrypt SSL cert and where the files are by doing a letsencrypt reissue by following steps 2, 3 and 4 of manual migration guide at Migrating Existing Nginx Vhost From HTTP to HTTP/2 based HTTPS With Letsencrypt SSL Certificates

    replace newdomain.com with yourdomain.com
    Code (Text):
    mkdir -p /usr/local/nginx/conf/ssl/newdomain.com
    cd /usr/local/nginx/conf/ssl/newdomain.com
    openssl dhparam -out dhparam.pem 2048
    
    touch /etc/centminmod/custom_config.inc
    echo "LETSENCRYPT_DETECT='y'" >> /etc/centminmod/custom_config.inc
    /usr/local/src/centminmod/addons/acmetool.sh acmeupdate
    
    # issue ssl certs to /root/.acme.sh/newdomain.com
    /root/.acme.sh/acme.sh --force --issue --days 60 -d newdomain.com -d www.newdomain.com -w /home/nginx/domains/newdomain.com/public -k 2048 --useragent centminmod-centos-acmesh-webroot --log /root/centminlogs/acmetool.sh-debug-log-newdomain.com.log --log-level 2
    
    # install ssl certs to /usr/local/nginx/conf/ssl/newdomain.com
    /root/.acme.sh/acme.sh --installcert -d newdomain.com -d www.newdomain.com --certpath /usr/local/nginx/conf/ssl/newdomain.com/newdomain.com-acme.cer --keypath /usr/local/nginx/conf/ssl/newdomain.com/newdomain.com-acme.key --capath /usr/local/nginx/conf/ssl/newdomain.com/newdomain.com-acme.cer --reloadCmd /usr/bin/ngxreload --fullchainpath /usr/local/nginx/conf/ssl/newdomain.com/newdomain.com-fullchain-acme.key
    

    then nginx vhost references are updated to the installed ssl cert paths
    Code (Text):
      ssl_certificate      /usr/local/nginx/conf/ssl/newdomain.com/newdomain.com-acme.cer;
      ssl_certificate_key  /usr/local/nginx/conf/ssl/newdomain.com/newdomain.com-acme.key;
    
      # enable ocsp stapling
      resolver 8.8.8.8 8.8.4.4 valid=10m;
      resolver_timeout 10s;
      ssl_stapling on;
      ssl_stapling_verify on;
      ssl_trusted_certificate /usr/local/nginx/conf/ssl/newdomain.com/newdomain.com-acme.cer;
    

    then restart nginx
    Code (Text):
    ngxrestart
     
  11. tonmo

    tonmo Member

    34
    1
    8
    Jul 20, 2019
    Ratings:
    +4
    Local Time:
    1:36 PM
    1.17.1
    5.5.5 (10.3.16-MariaDB)
    Done.
    Code:
    ID     | Login user               | Date and time    | Action(s)      | Altered
    -------------------------------------------------------------------------------
        82 | root <root>              | 2019-12-13 09:01 | Update         |    8
        62 | root <root>              | 2019-09-18 06:14 | I, O, U        |  270
         1 | Cloud User <centos>      | 2019-07-11 15:07 | I, U           |   63
    
    and

    Code:
    ID     | Login user               | Date and time    | Action(s)      | Altered
    -------------------------------------------------------------------------------
        79 | root <root>              | 2019-12-04 03:49 | E, I, U        |   27
    total 232K
    drwxr-xr-x. 2 root root  135 Dec  4 03:50 .
    drwxr-xr-x. 5 root root   81 Dec  4 03:50 ..
    lrwxrwxrwx  1 root root   49 Dec  4 03:50 ca-bundle.crt -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
    lrwxrwxrwx  1 root root   55 Dec  4 03:50 ca-bundle.trust.crt -> /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
    -rw-r--r--  1 root root 219K Jan  1 04:12 cacert.pem
    -rwxr-xr-x  1 root root  610 Aug  9  2019 make-dummy-cert
    -rw-r--r--  1 root root 2.5K Aug  9  2019 Makefile
    -rwxr-xr-x  1 root root  829 Aug  9  2019 renew-dummy-cert
     21:59:21 up 264 days,  4:03,  1 user,  load average: 0.10, 1.02, 1.23
    
    done. I scored a B:
    This server's certificate chain is incomplete. Grade capped to B.
    This server supports TLS 1.0 and TLS 1.1. Grade capped to B.
    This server supports TLS 1.3.

    OK, I followed all those steps you outlined in post #10, but the unfurling issue still exists; same error.
     
  12. eva2000

    eva2000 Administrator Staff Member

    44,163
    10,066
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +15,556
    Local Time:
    3:36 AM
    Nginx 1.17.x
    MariaDB 5.5/10.x
    that would be the problem
    the manual ssl cert reissue should of fixed it

    restart both nginx and php-fpm services and also manually purge your cloudflare cache if behind cloudflare
    Code (Text):
    nprestart

    then retest in SSL labs SSL Server Test (Powered by Qualys SSL Labs) too
     
  13. tonmo

    tonmo Member

    34
    1
    8
    Jul 20, 2019
    Ratings:
    +4
    Local Time:
    1:36 PM
    1.17.1
    5.5.5 (10.3.16-MariaDB)
    Got it - I had 3 {server entries; I was supposed to update both #2 (www) and #3 (non-www), but I had only updated #2. I've now updated #3 as well, and it works! Unfurling works!
    I'm still scoring a B, but the only cited issue is:
    This server supports TLS 1.0 and TLS 1.1. Grade capped to B. MORE INFO ยป
     
  14. eva2000

    eva2000 Administrator Staff Member

    44,163
    10,066
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +15,556
    Local Time:
    3:36 AM
    Nginx 1.17.x
    MariaDB 5.5/10.x
    Looks good then. The TLS 1.0/1.1 is fine for now
     
    • Like Like x 1
  15. tonmo

    tonmo Member

    34
    1
    8
    Jul 20, 2019
    Ratings:
    +4
    Local Time:
    1:36 PM
    1.17.1
    5.5.5 (10.3.16-MariaDB)
    • Like Like x 1
  16. eva2000

    eva2000 Administrator Staff Member

    44,163
    10,066
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +15,556
    Local Time:
    3:36 AM
    Nginx 1.17.x
    MariaDB 5.5/10.x
    • Like Like x 1