I've been trying to get strict SSL on and off for years…surely it can't be this difficult?

Does anybody know how I can find out why ssl has never worked for me?
The two files .pem and .key are both in the root directory but the “strict” option does not work.
I choose strict, as the attached photo shows, but then my site is knocked off (as the other attachment shows).

It’s been like this since I started using Cloudflare (2016?)

Surely there must be an easier way to do this?

This is my dig:
; <<>> DiG 9.10.3-P4-Ubuntu <<>> springfield-ohio-post.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12791
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;springfield-ohio-post.com. IN A

;; ANSWER SECTION:
springfield-ohio-post.com. 300 IN A 104.28.5.102
springfield-ohio-post.com. 300 IN A 104.28.4.102

;; Query time: 38 msec
;; SERVER: 127.0.1.1#53(127.0.1.1)
;; WHEN: Fri Sep 27 15:55:13 EDT 2019
;; MSG SIZE rcvd: 86

This is the nslookup:
owner@owner-iohnwk-oh ~ $ nslookup springfield-ohio-post.com
Server: 127.0.1.1
Address: 127.0.1.1#53

Non-authoritative answer:
Name: springfield-ohio-post.com
Address: 104.28.4.102
Name: springfield-ohio-post.com
Address: 104.28.5.102

And what’s the error message when on Strict?

It doesn't matter where they are, your server needs to be properly configured with them.

Would you feel comfortable sharing your server IP address here?

Thanks, Mark, for your interest…I think this might have worked, I found it on reddit!

NEVER MIND…IT DIDN’T WORK EITHER

Sandro…help!!! The answer is yes to your question ;p

In that case you should probably post it :wink:

Oh, I get it…you are referring to the numerical here: it's xxxxxx, but I have only whitelisted CF to be allowed in…should I change that?

All right, that explains why it is not accessible.

Yes, can you TEMPORARILY remove that whitelisting? And you can now also remove this response here with the IP address (so that it does not stay public).

done (I hope)
I did sudo iptables -F

I am afraid it still seems to be locked down. You can verify by running a check with your IP address at sitemeer.com.

Yes I notice that also…

Maybe I should start over on another machine or something (throughout the years there's just no telling what my retarded geriatric arse may have altered).

Difficult to tell :wink:

The overall advice would be that you have a valid certificate (plus private key) and have that properly configured in your server. If both are the case, you should be able to switch to Full (Strict) and Cloudflare should be able to connect without issues.

Say Sandro,

When you say that I should have a valid certificate and key you are referring to simply dumping two files into my root directory, aren’t you?

I am not :slight_smile:

It is more than "dumping". As I already mentioned earlier, these files need to be properly configured in your server configuration. Your webserver won't read them from just any location; you need to configure it according to what your server software requires.

I have the server set up like this:

server {
    listen 80 default_server;       # the directive is default_server, not "default server"
    listen 443 ssl default_server;  # accepts TLS, but no ssl_certificate / ssl_certificate_key is set below
    root /var/www/xxx;              # path elided; a semicolon was missing here
    index index.html;
    server_name springfield-ohio-post.com www.springfield-ohio-post.com;
    location / {
        try_files $uri $uri/ =404;  # try the file first, then the directory, else 404
    }
}

That seems to be Nginx. For precise instructions on how to configure it, you might want to ask at https://forum.nginx.org/

Also, a Google search for "nginx setup certificate" might give you an idea as well.

Okay, I will visit that site that you posted. I'm just wondering if it might be my crappy AT&T modem/router that is the problem, because even after I remove the CF whitelist I'm not able to access xxx.xxx.xxx.xxx:80 or xxx.x.xx.xx:443.
But when I put on CF Flexible I can at least see that the server is accessible (just not secure).

That's two different issues, however.

The whitelisting and port issue could be because of your network provider; however, if they blocked anything, Cloudflare shouldn't be able to connect either, so I'd rather rule that out.

The certificate issue is another. Flexible works because you have an insecure connection in that case, where no certificate is involved at all and all data is in plain text without any encryption, hence no certificate either.

I can't comment on your network issue, but the encryption issue appears to me to be solely a configuration issue of the certificate. If you fix that you should have a proper and secure SSL setup.


Sandro,

I x’d out of accepting the TXT file because it totally appeared to be strange. Apparently there are needed three different files to be uploaded to the server’s root:
mysite.pem
mysite.key
origin_ca_ecc_root.pem

The last one was added for the first time ever and apparently I’m working now (even with strict instead of flexible)

What I don’t get is why everytime I mentioned in my posts (years ago) that 2 files were placed in the root that nobody ever told me it was supposed to be 3 files to be placed in the root.

Can you verify that I’m working properly? I don’t have whitelist on and you already have my ip address (and at this point I hardly even care…totally frustrating work)

The server does seem to be accessible at this point; however, I am afraid SSL still does not seem to be configured properly. HTTP works, HTTPS does not.
Firefox returns PR_END_OF_FILE_ERROR; OpenSSL reports SSL23_WRITE:ssl handshake failure.

I guess there still is an issue with the configuration itself, which you need to have a look at. Just “placing” the files is unlikely to be sufficient. That is software specific and you best clarify this in aforementioned places.

The third file seems to be Cloudflare’s intermediate certificate for their origin certificates. You typically need the full certificate chain, up to the root certificate.
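As an added example (not a configuration from anyone in this thread), here is what "properly configured in your server configuration" and "the full certificate chain" look like for Nginx, the server shown earlier. It assumes the three files named in the thread are the Cloudflare Origin Certificate (mysite.pem), its private key (mysite.key) and the issuing Cloudflare Origin CA certificate (origin_ca_ecc_root.pem), and that they have been moved to /etc/nginx/ssl/ (any directory Nginx can read works; the web root is a poor choice because it may be served to the public). The chain file name fullchain.pem and the directory are assumptions for illustration.

```nginx
# Added example, not the thread's own config.
# Assumed file layout (not from the thread):
#   /etc/nginx/ssl/mysite.pem              Cloudflare Origin Certificate (leaf)
#   /etc/nginx/ssl/mysite.key              its private key (keep it root-readable only: chmod 600)
#   /etc/nginx/ssl/origin_ca_ecc_root.pem  issuing Cloudflare Origin CA certificate
# Nginx takes one file for ssl_certificate, so build the chain once, leaf FIRST, then the CA:
#   cat /etc/nginx/ssl/mysite.pem /etc/nginx/ssl/origin_ca_ecc_root.pem > /etc/nginx/ssl/fullchain.pem
# After editing:  nginx -t && systemctl reload nginx

server {
    listen 80 default_server;
    server_name springfield-ohio-post.com www.springfield-ohio-post.com;

    # Only enable this redirect once Cloudflare is on Full (strict).
    # With Flexible, Cloudflare reaches the origin over plain HTTP and this
    # redirect produces an endless redirect loop.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl default_server;
    server_name springfield-ohio-post.com www.springfield-ohio-post.com;

    # These two directives are what was missing from the posted config.
    # Without them the 443 listener has no certificate to present and the
    # handshake fails, which is what PR_END_OF_FILE_ERROR / "ssl handshake failure" show.
    ssl_certificate     /etc/nginx/ssl/fullchain.pem;  # leaf + issuing CA, in that order
    ssl_certificate_key /etc/nginx/ssl/mysite.key;

    # Add TLSv1.3 here if the installed Nginx/OpenSSL support it.
    ssl_protocols TLSv1.2;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    root /var/www/xxx;   # path elided in the thread
    index index.html;

    location / {
        try_files $uri $uri/ =404;
    }
}
```

To check the origin without Cloudflare in the path, connect straight to the origin IP with the SNI name set, e.g. `openssl s_client -connect <origin-ip>:443 -servername springfield-ohio-post.com -showcerts`: a working setup returns a certificate chain instead of a handshake failure, and the chain shown should contain both the leaf and the CA certificate. Two caveats: Cloudflare Origin CA certificates are trusted by Cloudflare's edge, not by browsers, so visiting the origin IP directly still produces a browser warning even when Full (strict) works; and while testing, the firewall must allow the tester's IP on port 443, otherwise the check is measuring the firewall rather than the TLS configuration.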