I've been trying to get strict ssl on and off for years....surely it can't be this difficult?

Sandro…help!!! The answer is yes to your question ;p

In that case you should probably post it :wink:

Oh I get it…you are referring to the numerical here: it’s xxxxxx but I have only whitelisted cf to be allowed in…should I change that?

All right, that explains why it is not accessible.

Yes, can you TEMPORARILY remove that whitelisting? And you can now also remove this response here with the IP address (so that it does not stay public).

done (I hope)
I did sudo iptables -F

I am afraid it still seems to be locked down. You can verify by running a check with your IP address at sitemeer.com.

Yes I notice that also…

maybe I should start over on another machine or something (throughout the years there’s just no telling what my retarded geriatric arse may have altered)

Difficult to tell :wink:

The overall advice would be that you have a valid certificate (plus private key) and have that properly configured in your server. If both are the case, you should be able to switch to Full Strict and Cloudflare should be able to connect without issues.

Say Sandro,

When you say that I should have a valid certificate and key you are referring to simply dumping two files into my root directory, aren’t you?

I am not :slight_smile:

It is more than “dumping”. As I already mentioned earlier, these files need to be properly configured in your server configuration. Your webserver won't read them from just any location, you need to configure it according to what your server software requires.

I have the server set up like this:

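server {
    listen 80 default_server;
    # TLS listener; note that no ssl_certificate / ssl_certificate_key is set in this block
    listen 443 ssl default_server;
    root /var/www/xxx;
    index index.html;
    server_name springfield-ohio-post.com www.springfield-ohio-post.com;
    location / {
        # serve the file, then the directory index, else 404
        try_files $uri $uri/ =404;
    }
}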

That seems to be Nginx. For precise instructions on how to configure it you might want to ask at https://forum.nginx.org/

Also, https://www.google.com/search?client=firefox-b-d&q=nginx+setup+certificate might give you an idea as well.

Okay, I will visit that site that you posted. I’m just wondering if it might be my crappy AT&T modem/router as the problem because even after I remove the cf whitelist I’m not able to access xxx.xxx.xxx.xxx:80 or xxx.x.xx.xx:443
but when I put on cf FLEXIBLE I can at least see that the server is accessible (just not secure)

That's two different issues however.

The whitelisting and port issue could be because of your network provider, however if they blocked anything Cloudflare shouldn't be able to connect either, so I’d rather rule that out.

The certificate issue is another. Flexible works because you have an insecure connection in that case, where no certificate is involved at all and all data is in plain text without any encryption, hence no certificate either.

I can't comment on your network issue, but the encryption issue appears to me to be solely a configuration issue of the certificate. If you fix that you should have a proper and secure SSL setup.

Sandro,

I x’d out of accepting the TXT file because it totally appeared to be strange. Apparently three different files need to be uploaded to the server’s root:
mysite.pem
mysite.key
origin_ca_ecc_root.pem

The last one was added for the first time ever and apparently I’m working now (even with strict instead of flexible)

What I don’t get is why every time I mentioned in my posts (years ago) that 2 files were placed in the root that nobody ever told me it was supposed to be 3 files to be placed in the root.

Can you verify that I’m working properly? I don’t have whitelist on and you already have my ip address (and at this point I hardly even care…totally frustrating work)

The server does seem to be accessible at this point, however I am afraid SSL still does not seem to be configured properly. HTTP works, HTTPS does not.
Firefox returns a PR_END_OF_FILE_ERROR error, OpenSSL SSL23_WRITE:ssl handshake failure

I guess there still is an issue with the configuration itself, which you need to have a look at. Just “placing” the files is unlikely to be sufficient. That is software specific and you best clarify this in the aforementioned places.

The third file seems to be Cloudflare’s intermediate certificate for their origin certificates. You typically need the full certificate chain, up to the root certificate.

Sorry, I posted this in the wrong spot

I added the following as the solution in case anybody else has a dumb moment dealing with strict full ssl

Sandro,
You were right…it was two issues

1.) I needed to add the location and name of the pem and key in nginx configuration setup

2.) I have always added both http and https in the router setup to point to my server (took out the http)

I think it’s working now (still, that was a lot of damn learning!)

Thanks for your comment on here, the only thing that would have been more helpful is if you had placed a large carrot in front of my path
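
The first fix described in the post above (telling nginx where the certificate and key are), as an added example that is not the poster's actual configuration. The file names come from the thread; the `/etc/ssl/cloudflare/` directory is an assumed location, chosen outside the web `root` so the private key can never be served as a static file.

```nginx
# Added example, not the poster's real config.
# Assumption: mysite.pem and mysite.key were moved out of /var/www/xxx
# into /etc/ssl/cloudflare/ (hypothetical directory, owned by root).
server {
    listen 80 default_server;
    listen 443 ssl default_server;
    server_name springfield-ohio-post.com www.springfield-ohio-post.com;

    # Certificate nginx presents on port 443 (leaf first, then any chain certs).
    ssl_certificate     /etc/ssl/cloudflare/mysite.pem;
    # Matching private key; keep it readable by root only (chmod 600).
    ssl_certificate_key /etc/ssl/cloudflare/mysite.key;

    root  /var/www/xxx;
    index index.html;

    location / {
        # Serve the file, then the directory index, else 404.
        try_files $uri $uri/ =404;
    }
}
```

Run `sudo nginx -t` before reloading to catch syntax errors and missing files. From another machine, `openssl s_client -connect <origin-ip>:443 -servername springfield-ohio-post.com` shows which certificate the origin actually presents.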

USING my IP ADDRESS xx.x…x…x. works fine using 443 or 80

My domain name is not working at all now

It worked perfectly for 10 minutes using strict instead of flexible

Nothing was changed. What could do that?