526 Invalid SSL certificate | Nginx 1.19

Hi, I tried the tutorial about fixing this error and a few other posts. Nothing worked.

I've 2 sites on my VPS, with the same configuration on the web server and on Cloudflare.

bluepek works fine, and snapagileframework returns a 526 error.

A few days ago, with Apache, I fixed the problem by changing the wrong sub-domain that was added in the configuration file, and it worked.

Now with Nginx I'm back to zero, and I can't find anything wrong in the respective conf files (below).

Could you please share some clues?
Many thanks.

  • CentOS 8 Stream
  • Nginx 1.19
  • Php 7.3

bluepek.com | config
SSL: Using Cloudflare edge-cert

server
{
    listen 80;
    listen 443 ssl http2;
    server_name bluepek.com mail.bluepek.com;
    index index.php index.html index.htm default.php default.htm default.html;
    root /www/wwwroot/bluepek.com;

    #SSL-START SSL related configuration, do NOT delete or modify the next line of commented-out 404 rules
    #error_page 404/404.html;
    ssl_certificate    /www/server/panel/vhost/cert/bluepek.com/fullchain.pem;
    ssl_certificate_key    /www/server/panel/vhost/cert/bluepek.com/privkey.pem;
    # TLSv1.1 is deprecated (RFC 8996); TLSv1.2 and TLSv1.3 are all current clients need
    ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    add_header Strict-Transport-Security "max-age=31536000";
    error_page 497  https://$host$request_uri;

    #SSL-END

    #ERROR-PAGE-START  Error page configuration, allowed to be commented, deleted or modified
    #error_page 404 /404.html;
    #error_page 502 /502.html;
    #ERROR-PAGE-END

    #PHP-INFO-START  PHP reference configuration, allowed to be commented, deleted or modified
    include enable-php-73.conf;
    #PHP-INFO-END

    #REWRITE-START URL rewrite rule reference, any modification will invalidate the rewrite rules set by the panel
    include /www/server/panel/vhost/rewrite/bluepek.com.conf;
    #REWRITE-END

    # Forbidden files or directories
    location ~ ^/(\.user.ini|\.htaccess|\.git|\.svn|\.project|LICENSE|README.md)
    {
        return 404;
    }

    # Directory verification related settings for one-click application for SSL certificate
    location ~ \.well-known{
        allow all;
    }

    location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
    {
        expires      30d;
        error_log /dev/null;
        access_log off;
    }

    location ~ .*\.(js|css)?$
    {
        expires      12h;
        error_log /dev/null;
        access_log off; 
    }
    access_log  /www/wwwlogs/bluepek.com.log;
    error_log  /www/wwwlogs/bluepek.com.error.log;
}

snapagileframework.com | config
SSL: Tried both the edge-cert from Cloudflare and the one from Let's Encrypt. Same error

server
{
    listen 80;
    listen 443 ssl http2;
    server_name snapagileframework.com mail.snapagileframework.com;
    index index.php index.html index.htm default.php default.htm default.html;
    root /www/wwwroot/snapagileframework.com;

    #SSL-START SSL related configuration, do NOT delete or modify the next line of commented-out 404 rules
    #error_page 404/404.html;
    ssl_certificate    /www/server/panel/vhost/cert/snapagileframework.com/fullchain.pem;
    ssl_certificate_key    /www/server/panel/vhost/cert/snapagileframework.com/privkey.pem;
    # TLSv1.1 is deprecated (RFC 8996); TLSv1.2 and TLSv1.3 are all current clients need
    ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    add_header Strict-Transport-Security "max-age=31536000";
    error_page 497  https://$host$request_uri;

    #SSL-END

    #ERROR-PAGE-START  Error page configuration, allowed to be commented, deleted or modified
    #error_page 404 /404.html;
    #error_page 502 /502.html;
    #ERROR-PAGE-END

    #PHP-INFO-START  PHP reference configuration, allowed to be commented, deleted or modified
    include enable-php-73.conf;
    #PHP-INFO-END

    #REWRITE-START URL rewrite rule reference, any modification will invalidate the rewrite rules set by the panel
    include /www/server/panel/vhost/rewrite/snapagileframework.com.conf;
    #REWRITE-END

    # Forbidden files or directories
    location ~ ^/(\.user.ini|\.htaccess|\.git|\.svn|\.project|LICENSE|README.md)
    {
        return 404;
    }

    # Directory verification related settings for one-click application for SSL certificate
    location ~ \.well-known{
        allow all;
    }

    location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
    {
        expires      30d;
        error_log /dev/null;
        access_log off;
    }

    location ~ .*\.(js|css)?$
    {
        expires      12h;
        error_log /dev/null;
        access_log off; 
    }
    access_log  /www/wwwlogs/snapagileframework.com.log;
    error_log  /www/wwwlogs/snapagileframework.com.error.log;
}

I assume your SSL Cert is correctly set to “Full (Strict)” which is recommended.
Full (Strict) does require a:

  1. publicly valid SSL cert
  2. Cloudflare origin SSL cert

to work properly. I assume you do not use Cloudflare's origin SSL certs, but something like Let's Encrypt?

Apparently without your origin IP I can not check against your origin and see which SSL cert you implemented. Therefore I can't say for sure what the problem is. Feel free to share your IP here or in a PM if you like.

EDIT:

bluepek.com seems to work now.

1 Like


. :wink:

3 Likes

Hi Martin

Thanks for your help!
Yes, bluepek is working as I posted, and it's using the Cloudflare > SSL > Origin server certificate.
Whereas for snap**.com I tried both the Let's Encrypt and Cloudflare certificates, but it always returns a 526 error. Both have SSL Strict.

In aaPanel I can only have one SSL certificate, which I assume is either #1 (VPS-Browser) or #2 (Cloudflare-VPS).

Both snap**.com and bluepek.com resolve to the same VPS IP (origin), which apparently I can't share via PM as I'm fairly new to the forum, so I've shared it securely here - hope you can see it as it works only once and expires in 24hrs - psw:{redacted}
View secure message

Thanks

Well, that could be a problem, if I understand it right… you need two SSL certs in total. One for each domain.

I have inspected the SSL cert for snapagileframework.com but TBH am not too sure about the result.
For me it shows a hostname mismatch, but it also shows that it indeed is a Cloudflare origin cert. Can you please go into your dashboard and delete the old Origin cert for this domain, create a new one and implement it? Then please tell me and I will check again.

The cert of one of the domains is getting provided for both domains, which is the problem. Please do as stated above and recreate the cert for the given domain and use this for the domain. Here is a screenshot as proof:

Hi Martin, thanks a lot for your help.

Please find attached the result

Thanks,

I just checked the SSL certificate for snapagileframework.com and it looks fine.
So I'm not sure where the problem is?

Thanks

The SSL errors seem to be gone.

This checks against the Cloudflare Edge cert, not your origin cert. But if your setup still is on Full strict everything is fine now.

Hi Martin

Thanks for your feedback
I shared the same sshot with you about SSL checker, but the problem is still open.

Probably you visited the site when I switched the DNS to the shared hosting.
Now it's back to the VPS and the page still doesn't open, though no errors with SSL checker.

The VPS engineer says to check with https://www.sslshopper.com/ which returns no errors - but the website doesn't work. SSL is Strict on Cloudflare for both domains.

Do you have any idea why this is happening?

Many thanks

Well we have to differentiate between:

  1. Cloudflare triggers an SSL error
    and
  2. Website doesn't work (which would not be related to Cloudflare)

When I call the page I see this:

  1. No SSL error anymore, so if it is "Full (Strict)" this time your SSL cert is correct.
    I can even confirm that your origin SSL certs are now correct and each of your domains offers the correct origin SSL cert from Cloudflare.
  2. I see a 500 error and sometimes a 404 (Cloudflare did not trigger that error, since the headers state "dynamic") and just forwarded this error; also, if Cloudflare would trigger them, a Cloudflare logo would appear somewhere.
    2.1. also when calling https://snapagileframework.com directly (bypassing Cloudflare), I see the same behaviour.

Overall the SSL errors seem to be solved. The problem you are having right now is not related to the SSL error. BTW also not related to Cloudflare, you will have to check your application/server why these errors (500 and 404 sometimes) are getting triggered.

1 Like
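
Added example for this thread (not code from the original posts, nor from Cloudflare or aaPanel) covering the checks discussed in the replies above: what Full (Strict) needs from the origin certificate, whether the origin hands out one site's certificate for both hostnames, and whether a 500/404 comes from Cloudflare or from the origin. Public checkers like sslshopper only ever see Cloudflare's edge certificate, so these checks go straight to the origin. The hostnames are the thread's; the origin IP 203.0.113.10 in the usage lines is a placeholder, and `openssl` and `curl` are assumed to be installed.

```shell
#!/bin/sh
# Added example, not from the original thread. Hostnames from the thread,
# origin IP 203.0.113.10 is a placeholder (RFC 5737 documentation range).

# san_matches_host SANLIST HOST
# SANLIST is the Subject Alternative Name line as printed by
# "openssl x509 -noout -text", e.g. "DNS:bluepek.com, DNS:*.bluepek.com".
# Returns 0 when HOST is covered: an exact match, or a wildcard covering
# exactly one label (the rule browsers and Cloudflare's edge apply). 1 otherwise.
san_matches_host() {
    host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    list=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | tr ',' ' ')
    found=1
    set -f                                   # entries contain '*': no glob expansion
    for san in $list; do
        case "$san" in dns:*) san=${san#dns:} ;; *) continue ;; esac   # skip IP:/email: entries
        case "$san" in
            \*.*)
                suffix=${san#\*}             # "*.bluepek.com" -> ".bluepek.com"
                rest=${host%"$suffix"}       # "mail" when host ends with the suffix
                if [ "$rest" != "$host" ] && [ -n "$rest" ]; then
                    case "$rest" in *.*) ;; *) found=0 ;; esac   # one label only
                fi ;;
            *)  [ "$san" = "$host" ] && found=0 ;;
        esac
        [ "$found" -eq 0 ] && break
    done
    set +f
    return "$found"
}

# origin_cert_sans HOST IP
# Handshake straight to the origin with SNI set to HOST (Cloudflare is not in
# the path) and print the SAN line of the leaf certificate nginx selected.
# Run it once per hostname to see whether both sites get the same certificate.
origin_cert_sans() {
    openssl s_client -connect "$2:443" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -text 2>/dev/null |
        sed -n '/Subject Alternative Name/{n;p;}' | sed 's/^[[:space:]]*//'
}

# check_origin HOST IP
# A hostname mismatch here is exactly what Full (Strict) rejects with a 526,
# even while an edge-facing checker reports no error.
check_origin() {
    sans=$(origin_cert_sans "$1" "$2")
    if [ -z "$sans" ]; then
        echo "$1: no certificate from $2:443 (handshake failed or no SAN extension)"
        return 2
    fi
    if san_matches_host "$sans" "$1"; then
        echo "$1: ok, origin certificate covers it [$sans]"
    else
        echo "$1: MISMATCH, origin served [$sans]"
        return 1
    fi
}

# edge_vs_origin HOST IP
# HTTP status seen through Cloudflare next to the status the origin returns on
# its own. -k is needed on the direct request when the origin uses a Cloudflare
# Origin CA certificate: the edge trusts it, curl's CA bundle does not.
# A 500 or 404 present in both columns is produced by nginx/PHP, not by
# Cloudflare; a cf-cache-status header (e.g. DYNAMIC) on the edge response
# means Cloudflare fetched that response from the origin rather than
# generating an error page itself.
edge_vs_origin() {
    edge=$(curl -s -o /dev/null -w '%{http_code}' "https://$1/")
    cache=$(curl -sI "https://$1/" | tr -d '\r' | sed -n 's/^[Cc][Ff]-[Cc]ache-[Ss]tatus: *//p')
    origin=$(curl -sk -o /dev/null -w '%{http_code}' --resolve "$1:443:$2" "https://$1/")
    echo "$1: via Cloudflare=$edge (cf-cache-status=${cache:-none}) direct-to-origin=$origin"
}

# Usage (placeholder origin IP):
#   for h in bluepek.com snapagileframework.com; do check_origin "$h" 203.0.113.10; done
#   edge_vs_origin snapagileframework.com 203.0.113.10
```

If `check_origin` reports a mismatch for one hostname while the other is fine, nginx is serving the first matching server block's certificate for both names, which is the situation described above. Once both hostnames check out, `edge_vs_origin` separates a Cloudflare-generated error from one the origin itself returns.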

Hi Martin

Thanks for your reply.
So assuming the SSL is fine (though my browser still shows 526), it could be the website itself right?

I revoked SSL, so now snap*.com is unsecure.
Then I deleted everything and added a simple index.html that says “Snap Framework”
Plus a similar index.html in bluepek.com

When I visit snapagileframework.com from a clean browser (zero cache and cookies), I get Welcome to nginx.
Where on Earth is getting that file? I’m totally lost in this mess !
There is some evil going on here…

Could you please share some light?

Thanks

I actually get greeted with a redirection loop.

That would mean: SSL is working and you are getting greeted with Nginx’s welcome message.

Actually I can't. There seems to be some misconfiguration on your server. I can not help here, nor does it seem to be related to Cloudflare in any way.

OK, I think we agree that there is something wrong in the server, and I’d add that this mess is likely created by aaPanel when I add the 2nd site under Nginx (no problem with Apache). It’s a shame because I like aaPanel as it’s way more powerful than any other free panel that I tried so far - and I wanted to use Nginx but probably I was asking too much.

So, tomorrow I'm going to install Vesta and see what happens. Vesta gave me another headache last week with "Named dns server" not starting anymore, but let's give it another try.
Worst case I’ll go back to Apache with aaPanel since last time I was able to run both websites…

May I ask you which (free) Panel and OS you normally use on Linux?

Many thanks

I don't use any free panel, since I like support, and getting good support for free is only possible in the Cloudflare community :wink:

Depending on the usecase I use:

  • Debian
  • Ubuntu
  • Kali Linux (not for hosting)

You’re welcome.

Great !

Thanks for your reply

I also used Kali when I was doing ethical hacking.
I’m tempted to reinstall aaPanel on Ubuntu - maybe the combination of aaPanel + Nginx is toxic.

Anyway, many thanks for your help. Cloudflare has a great community, though I'm a little disappointed that there is nobody else to call when you have a problem.
I've registered some domains here, but no helpdesk, no phone numbers, no chat, no emails … it's a bit scary…

Regards,

Of course you have. As soon as you pay for the support you request.

By registering a domain they don't earn anything and, just as I said, there are numbers & emails you can contact as soon as you pay for the service you'd like to receive. For me this move was the absolutely right decision.

Have a good day :slight_smile:

2 Likes

Thanks for your reply Martin

I don't mind paying for a service provided they fix the problem.
Unfortunately most of the time they don't.

When we host a website there are many things that can go wrong, including the OS (eg. CentOS 8 Stream), the web-server (eg. NGinx), the ctrl-panel (eg. aaPanel), the CDN provider (eg. CFlare), the C-Authority (eg. Let's Encrypt or CFlare), the server-side engine (eg. PHP)…

I see no benefit in paying CFlare for a service that won't fix someone else's bugs. In this case it's most likely a bug in aaPanel since a similar bug exists when I run Apache, but with the latter I know how to fix it.

So, yes, paying for a service, but only if it's able to fix the problem.

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.