502 Gateway Error/NGINX with Cloudflare Origin Cert installed. Using "www" CNAME as requested. SSL STRICT ON. Origin Cert is not being passed back to Cloudflare from NGINX

I don't have any idea what to do next. I submitted a Cloudflare ticket and have NOT heard back for 3 days, and I am still trying to fix this myself. I even tried to update NGINX, OpenSSL and Apache and then made sure they all took +SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2 +TLSv1.3, except the version of OpenSSL that CloudLinux will allow me to install isn't up-to-date. OpenSSL 1.1.1 does have TLSv1.3, but when I use "yum update -y openssl", it replies that my version is current.

If anyone has any ideas, I would be highly grateful, since I have 5 other WHM/cPanel servers to convert and then transfer their domains over to Cloudflare accounts.

First, I am a Cloudflare Partner and have cPanel Cloudflare installed on a WHM/cPanel server. NGINX { TLS SNI support enabled } is installed.

SECOND, THE APACHE LOG HAS NO ERRORS IN THE HTTP OR HTTPS LOGS, BUT WHEN I LOOK AT THE NGINX ERROR LOGS THIS IS WHAT I GET:

2018/09/27 05:23:36 [error] 16181#16181: *455 SSL_do_handshake() failed (SSL: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure) while SSL handshaking to upstream, client: 97.101.xx.x, server: {my-domain-name}, request: "GET / HTTP/1.1", upstream: "{https}://104.27.135.201:8443/", host: "{my-domain-name}", referrer: "{https}://{my-domain-name}/"

2018/09/27 05:49:39 [error] 16182#16182: *582 SSL_do_handshake() failed (SSL: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure) while SSL handshaking to upstream, client: 162.158.xx.x, server: {my-domain-name}, request: "GET / HTTP/1.1", upstream: "{https}://104.27.135.201:8443/", host: "{my-domain-name}"

Third, I found out that the OpenSSL used by NGINX, if the Cloudflare ORIGIN CERTIFICATE IS USED, will not pass that Cloudflare certificate back to Cloudflare. I used "openssl s_client -connect www.{domain}.com:443" and it was empty when the Cloudflare certificate was installed via cPanel SSL, but if I use the AutoSSL built into my version of WHM/cPanel, the certificates show up via the OpenSSL command without a problem and, when I turn Cloudflare on, it works perfectly for the domain.

====================================================================
OPENSSL CONNECTION RESULTS WITH Cloudflare ORIGIN CERTIFICATE INSTALLED
====================================================================
root [~]# openssl s_client -connect www.{my-domain-name}:443
CONNECTED(00000003)
139989107193744:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:769:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 289 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1538179822
Timeout : 300 (sec)
Verify return code: 0 (ok)

root [~]#

====================================================================
NGINX SETTINGS: TLS SNI support enabled

root [~]# nginx -V
nginx version: nginx/1.15.4
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-28) (GCC)
built with OpenSSL 1.0.2k-fips 26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -fPIC' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -pie'
root [~]#

====================================================================
Apache version

Apache server status for xxxxxxx
Server Version: Apache/2.4.34 (cPanel) OpenSSL/1.0.2p mod_bwlimited/1.4
Server MPM: worker

====================================================================
UNIX RELEASE

root [~]# cat /proc/version
Linux version 3.10.0-862.11.6.el7.x86_64 (builder(@)kbuilder.dev.centos.org) (gcc version 4.8.5 20150623 (Red Hat 4.8.5-28) (GCC) ) #1 SMP Tue Aug 14 21:49:04 UTC 2018

root [~]# cat /etc/os-release
NAME="CentOS Linux"
VERSION="7 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (Core)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:7"
HOME_URL="{https}://www.centos.org/"
BUG_REPORT_URL="{https}://bugs.centos.org/"

CENTOS_MANTISBT_PROJECT="CentOS-7"
CENTOS_MANTISBT_PROJECT_VERSION="7"
REDHAT_SUPPORT_PRODUCT="centos"
REDHAT_SUPPORT_PRODUCT_VERSION="7"
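
The two error-log entries quoted in the post carry enough to run a first triage on. The script below is an added example, not code from the post, from cPanel or from Cloudflare: it parses nginx's "SSL handshaking to upstream" lines and checks the client and upstream addresses against Cloudflare's published IPv4 edge ranges (https://www.cloudflare.com/ips-v4). Two checks a practitioner would want here: whether the upstream that nginx is proxying to is the local web server or a Cloudflare edge address (104.27.x.x lies inside Cloudflare's 104.24.0.0/14), and whether requests are arriving via Cloudflare at all. The masked octets in the post ("xx.x") are treated as zero, so the client check is approximate for those lines. Two caveats that the log line itself supports: a "sslv3 alert handshake failure" at SSL23_GET_SERVER_HELLO means the upstream sent a handshake_failure alert before any certificate was exchanged, and nginx's `proxy_ssl_server_name` is off by default, so no SNI is sent to the upstream unless it is turned on; likewise OpenSSL 1.0.2's `s_client` sends no SNI unless `-servername` is given.

```python
"""Triage nginx "SSL handshaking to upstream" failures from error-log lines.

Added example (not from the post): parses the log lines quoted above,
pulls out client/upstream addresses and the OpenSSL error, and checks
the addresses against Cloudflare's published IPv4 edge ranges.
"""
import ipaddress
import re

# Cloudflare's published IPv4 edge ranges (https://www.cloudflare.com/ips-v4).
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]

# nginx error_log format for a failed TLS handshake to a proxy_pass upstream.
# The poster wrote "{https}://" to stop the forum rendering links; the
# optional braces below accept both that form and a real log line.
LINE_RE = re.compile(
    r'^(?P<ts>\S+ \S+) \[(?P<level>\w+)\] \d+#\d+: \*\d+ '
    r'SSL_do_handshake\(\) failed \(SSL: (?P<ssl_err>[^)]*)\) '
    r'while SSL handshaking to upstream, client: (?P<client>[^,]+), '
    r'server: (?P<server>[^,]+), request: "(?P<request>[^"]*)", '
    r'upstream: "\{?(?P<scheme>https?)\}?://(?P<up_host>[^:/"]+)(?::(?P<up_port>\d+))?/'
)

# Constructed sample: the two entries from the post, with straight quotes.
SAMPLE_LOG = """\
2018/09/27 05:23:36 [error] 16181#16181: *455 SSL_do_handshake() failed (SSL: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure) while SSL handshaking to upstream, client: 97.101.xx.x, server: {my-domain-name}, request: "GET / HTTP/1.1", upstream: "{https}://104.27.135.201:8443/", host: "{my-domain-name}", referrer: "{https}://{my-domain-name}/"
2018/09/27 05:49:39 [error] 16182#16182: *582 SSL_do_handshake() failed (SSL: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure) while SSL handshaking to upstream, client: 162.158.xx.x, server: {my-domain-name}, request: "GET / HTTP/1.1", upstream: "{https}://104.27.135.201:8443/", host: "{my-domain-name}"
"""


def is_cloudflare_ip(host):
    """True if host is a literal IP address inside a Cloudflare edge range.

    Masked octets as written in the post ("162.158.xx.x") are treated as 0,
    so the answer is approximate for masked addresses and exact otherwise.
    Hostnames (not addresses) return False.
    """
    try:
        addr = ipaddress.ip_address(re.sub(r"x+", "0", host))
    except ValueError:
        return False
    return any(addr in net for net in CLOUDFLARE_V4)


def parse_line(line):
    """Parse one error-log line; None if it is not an upstream-handshake failure."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # nginx omits the port when it is the scheme default.
    rec["up_port"] = int(rec["up_port"]) if rec["up_port"] else (443 if rec["scheme"] == "https" else 80)
    rec["upstream_is_cloudflare_edge"] = is_cloudflare_ip(rec["up_host"])
    rec["client_is_cloudflare_edge"] = is_cloudflare_ip(rec["client"])
    return rec


def triage(log_text):
    """Parse every matching line of an error log, skipping unrelated entries."""
    return [r for r in (parse_line(l) for l in log_text.splitlines()) if r]


def findings(rec):
    """Plain-language findings for one parsed record."""
    out = []
    if "alert handshake failure" in rec["ssl_err"]:
        out.append("upstream refused the ClientHello with a handshake_failure alert before "
                   "sending any certificate; typical causes are no shared protocol/cipher or a "
                   "missing/unknown SNI name (nginx's proxy_ssl_server_name is off by default)")
    if rec["upstream_is_cloudflare_edge"]:
        out.append(f"upstream {rec['up_host']}:{rec['up_port']} is a Cloudflare edge address, "
                   "so this proxy is sending requests back to the CDN rather than to the local web server")
    if not rec["client_is_cloudflare_edge"]:
        out.append(f"client {rec['client']} is not a Cloudflare edge address: the request reached the origin directly")
    return out


if __name__ == "__main__":
    for rec in triage(SAMPLE_LOG):
        print(rec["ts"], rec["client"], "->", f"{rec['up_host']}:{rec['up_port']}")
        for f in findings(rec):
            print("   -", f)
```

Run against the real file with `triage(open("/var/log/nginx/error.log").read())`; the regex only matches upstream-handshake failures, so other entries are ignored. It assumes IPv4 literal upstreams as in the post; a bracketed IPv6 upstream would need the `up_host` group widened.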

Did you just turn Cloudflare SSL on? The SSL cert can take up to 24 hrs to activate after switching it on, so that could explain why the openssl s_client test to the Cloudflare-backed SSL failed.

WHM/cPanel uses CentOS, and thus their Apache version is limited to OpenSSL 1.0.2k as the latest for CentOS 7, so you're stuck with that. cPanel/WHM doesn't natively support Nginx, so you must be using a 3rd-party Nginx cPanel plugin? Which one? Some of these 3rd-party Nginx cPanel plugins have SSL conflicts with WHM AutoSSL-issued SSL certs sometimes too.

SSLv2 and SSLv3 have been deprecated in OpenSSL versions like 1.0.2k for CentOS 7.4+, so you won't want to have +SSLv3 enabled, and +TLSv1.3 isn't supported by cPanel/WHM. The only way for a cPanel/WHM server to have TLS 1.3 support is to switch to using the LiteSpeed web server via the cPanel plugin, as LiteSpeed web server replaces Apache and LiteSpeed is built with its own internal crypto library - OpenSSL, or they may recently have switched to BoringSSL, not sure.

Does it work if you temporarily disable the Nginx cPanel plugin?

Oh, one more thing: if you install Cloudflare Origin Certs, try setting Cloudflare SSL to Full (non-strict) instead of Full (strict), though Full (strict) should work.

I had a personal health matter I had to take care of, so sorry for the slow reply; multiple doctor visits, scans & blood tests. Two weeks until I know how bad.

You GREATLY helped me think, and I asked why I am with Atlantic(dot)net, which isn't a "cutting edge" specialist, and not with somebody that is hardcore Cloudflare/LiteSpeed/WHM/cPanel with a CF Railgun-integrated hosting service, so I am going to try namehero(dot)com with LiteSpeed/Cloudflare/CF Railgun/MariaSQL. Compared to the other host: 2 GB vs 8 GB RAM, 2 CPU vs 8 CPU, 120 HDD vs 120 RAID 10 SSD.

eva2000, thank you for selling me on LiteSpeed. YOU HELPED ME A LOT. This first server is just a test, so I absolutely know I feel comfortable moving all my servers & domains over. THANK YOU, THANK YOU, THANK YOU, THANK YOU AGAIN FOR ALL YOUR HELP.

I am still open; do you have any other hosting services like them? From what I read they have a very high rating, so that is why I went with the namehero(dot)com HERO 8 VPS. They will change Apache for LiteSpeed, MySQL for MariaSQL and any other changes I want.

You changed my perspective, and I thought about what I needed instead of trying to force a cube into a round hole.

Again, thank you so much. If you have any more advice on setting up the server, please let me know.

Here is my list. I AM NOT A RESELLER OR HOSTER: We help advise companies on raising money to go public, which can take two years. We will hand over the domain, set up their own server (will try to persuade them to keep Cloudflare and the setup template) and G Suite to them once they have a competent IT hire, or we can extend until they are ready to take over.

  1. I don't want DNS service since I want everything going to Cloudflare. Do they have name servers? I will set the resolvers to 1.1.1.1 & 1.0.0.1 plus the IPv6 versions.
  2. I don't want any SMTP/LMTP/maybe Remote if the client is willing to take responsibility. Otherwise I am going to suggest using a WP SMTP plugin with Gmail OAuth2 or Mailgun OAuth2, with reCAPTCHA and an email validator on their DNS.
  3. I want to set up silos like PHP, even though it is one server, so that if a hacker gets into a domain they cannot harm the whole server.
  4. NO EMAIL FROM DOMAINS EXCEPT ROOT, FOR ALERTS TO MY MOBILE TEXT AND MAIL FOR REPORTS TO MY SERVER ACCOUNT.
  5. TURN OFF SSH as long as WHM/cPanel has the Terminal built in. I cut down 50% of my Chinese traffic just by doing that. I was getting 4k per hour from China hacking every port using SSH.
  6. I will, or they need to, install a firewall, so I can eliminate half the world, since for those we want our clients to raise money from, I don't need them to look at our website, as they are the highest centers of hackers for servers and WordPress. (DO YOU RECOMMEND A WHM/cPANEL FIREWALL? ConfigServer Security & Firewall (csf)?)
  7. NGINX is not needed since you won me over on "LiteSpeed." THANK YOU AGAIN.
  8. I don't need TERMINAL SHELL or any plugins for EMAIL in cPanel FOR DOMAINS except SSL and sub, park, redirect & alias, since I set up all the domains and the domains should never receive emails directly or get passed down to root, except through forms and using WordPress SMTP with a spammer excluder to themselves. ALL DOMAIN EMAIL THAT ISN'T HANDLED BY THE DOMAIN I WANT TO GO INTO YOUR BLACKHOLE.

eva2000, how would you divide the 2 IPs provided, or would you get more depending on the number of domains? I had 50 domains on one IP with no problem, but now we have 3 domains that will be getting heavy traffic after a 500k campaign. Should I set up separate servers just in case? Keep in mind I am going to take full advantage of CF, LiteSpeed and the WordPress LiteSpeed plugin. THIS IS THE BIGGEST CAMPAIGN I HAVE EVER HANDLED. This is why I chose CF and LiteSpeed with your advice. The LiteSpeed website changed my mind on NGINX. THANK YOU.

I am letting you know of this because I am looking for your SAGE ADVICE. Please add, reformat, or delete. I plan to set up the server tonight and I want to have a strongly worded instruction list, like no Dovecot mail service installed, no DNS installed, install LiteSpeed instead of Apache. I am the only one setting it up.

eva2000, sincerely thank you again for all your help. You don't need to help more, but I would highly appreciate it. Because of you, I stood back and asked a simple question: why am I using this hosting company if others are fully integrated with CF, LiteSpeed, MariaDB, etc.?

Sincerely,

WaveCutter

As a lot of the questions are more related to web hosting and not Cloudflare, you're better suited to ask such questions on a more suitable forum - https://www.webhostingtalk.com/ is the place for such questions, as the majority of the web hosting companies and folks in that industry are on that forum, and WHM/LiteSpeed are common there too.
