Why does my website at diagnosischeck.com still say unsecure even though I am paying for advanced edge certificates?

I still see 1020 Access Denied and unfortunately, cannot provide some feedback regarding it.

Furthermore, can you post a screenshot of this error?

Croatia :croatia: :wave:

Nevertheless, can you copy/paste your nginx block here (preformatted)?

May I ask whether you are using a Cloudflare Origin CA Certificate, or rather your own self-signed one, or maybe one generated via certbot (Let’s Encrypt)?

This is great, the error you are getting sounds like something is missing or misconfigured.

Furthermore, did you also enable Authenticated Origin Pulls?

If yes, then you might be missing something, at least the certificate from here:

Also, maybe you need to install/update the ca-certificates package at your origin host / server.
In case it is missing, here is the Cloudflare one:
https://github.com/cloudflare/cloudflare-docs/blob/production/products/ssl/src/content/static/origin_ca_ecc_root.pem

See the link below if so:

Can you re-check if you have got the line below added (or set to on or off maybe)?:

ssl_verify_client on;

For the Nginx vhost file for your domain, a handy, helpful configuration example (generated by the needed and selected options) can be found at the link below:

I like to keep it like the example below from my nginx vhost file for a domain:

server {
        # in case of origin redirection HTTP to HTTPS, keep in one block, later below we do redirect
        listen *:80;
        listen [::]:80;
        listen *:443 ssl http2;
        listen [::]:443 ssl http2;

        # TLS 1.2 and 1.3 only
        # intermediate configuration
        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
        ssl_prefer_server_ciphers off;
        ssl_protocols TLSv1.2 TLSv1.3;
        
        # SSL cert and key
        ssl_certificate /path-to-the-certificate/yourdomain.com.crt;
        ssl_certificate_key /path-to-the-key/yourdomain.com.key;

        # Cloudflare Authenticated Origin Pulls
        ssl_client_certificate /path-to-the/origin-pull-ca.pem; # find it here https://developers.cloudflare.com/ssl/origin-configuration/authenticated-origin-pull/set-up#certificate-value
        ssl_verify_client on;

        # Mozilla config helpful
        ssl_session_timeout 1d;
        ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
        ssl_session_tickets off;
        # curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam
        ssl_dhparam /path-to-the-dhparam/dhparam-mozilla.pem;

        server_name yourdomain.com www.yourdomain.com;

        root   /var/www/yourdomain.com/web/;
        disable_symlinks if_not_owner from=$document_root;

        # actual redirection
        if ($scheme != "https") {
            rewrite ^ https://$http_host$request_uri? permanent;
        }
        if ($http_host = "yourdomain.com") {
            rewrite ^ $scheme://www.yourdomain.com$request_uri? permanent;
        }
}
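To re-check the `ssl_verify_client` / `ssl_client_certificate` pair discussed in the thread, here is an added example (not code from any poster or from Cloudflare) that lints a vhost for the settings Authenticated Origin Pulls depends on. It assumes a single `server` block with one directive per line and no `include` files; the sample configs and finding codes are constructed for illustration.

```python
import re

# Constructed vhost fragments modelled on the server block posted above.
GOOD = """server {
    listen *:443 ssl http2;
    ssl_client_certificate /path-to-the/origin-pull-ca.pem; # origin-pull CA
    ssl_verify_client on;
}"""
NO_CA = """server {
    listen *:443 ssl http2;
    # ssl_client_certificate /path-to-the/origin-pull-ca.pem;
    ssl_verify_client on;
}"""
NOT_ENFORCED = """server {
    listen *:443 ssl http2;
    ssl_client_certificate /path-to-the/origin-pull-ca.pem;
    ssl_verify_client optional;
}"""

def directives(conf):
    """Map directive name -> list of argument strings (comments stripped)."""
    found = {}
    for line in conf.splitlines():
        m = re.match(r"([a-z_]+)\s+([^;{]*);$", line.split("#", 1)[0].strip())
        if m:
            found.setdefault(m.group(1), []).append(m.group(2).strip())
    return found

def check_origin_pulls(conf):
    """Return finding codes; an empty list means client certs are required."""
    d = directives(conf)
    findings = []
    if not any("ssl" in args.split() for args in d.get("listen", [])):
        findings.append("no-tls-listener")   # client certs only apply to ssl sockets
    mode = d.get("ssl_verify_client", ["off"])[-1]  # nginx default is off
    if mode == "off":
        findings.append("verify-off")        # any TLS client is accepted
    elif mode in ("optional", "optional_no_ca"):
        findings.append("verify-optional")   # cert requested, not required
    if mode != "off" and "ssl_client_certificate" not in d:
        findings.append("missing-ca")        # no CA to validate the cert against
    return findings

if __name__ == "__main__":
    for name, conf in [("GOOD", GOOD), ("NO_CA", NO_CA), ("NOT_ENFORCED", NOT_ENFORCED)]:
        print(name, check_origin_pulls(conf) or "ok")
```

An empty result only says the directives are present; `nginx -t` still has to pass and the CA file has to be the origin-pull certificate for the handshake to succeed.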