Some 404 pages do not display XenForo error pages, instead just showing the nginx error

> yup
>
> Code:
> cat intermediate.crt root.pem > trusted.crt
>
> Code:
> ssl_trusted_certificate /usr/local/nginx/conf/ssl/phcornernet/trusted.crt;
Where can I generate intermediate.crt and root.pem?

There are only 2 certificates GeoTrust gave me.
The Web Server CERTIFICATE and INTERMEDIATE CA.

And I already inserted those two certificate blocks into: /usr/local/nginx/conf/ssl/phcornernet/ssl-unified.crt
 
> yup
>
> Code:
> cat intermediate.crt root.pem > trusted.crt
>
> Code:
> ssl_trusted_certificate /usr/local/nginx/conf/ssl/phcornernet/trusted.crt;
As I understand, I'm already using the generated file for this command at:
ssl_certificate /usr/local/nginx/conf/ssl/phcornernet/ssl-unified.crt;

If I follow this, I will have another .crt file with the same content.
 
ssl_certificate /usr/local/nginx/conf/ssl/phcornernet/ssl-unified.crt;

content is mydomain.crt + intermediate.crt provided by GeoTrust.
 
Hey, @RoldanLT.

From what I understand, you need the following...

  • ssl_certificate /etc/ssl/example/unified.crt; (example.com.crt + intermediate.crt)
  • ssl_trusted_certificate /etc/ssl/example/trusted.crt; (root.pem + intermediate.crt).
GeoTrust should be able to give you the correct root.pem and the intermediate.crt files.
 
To clarify, the ssl_trusted_certificate is root.crt + intermediate.crt. It is important that it is in this order.

The ssl_certificate is server.crt + intermediate.crt. In this order.

So if you had before an ssl_certificate with server + intermediate + root, do not just copy & paste the last two certificates as your new ssl_trusted_certificate certificate, you have to change the order. Hope that helps anyone!
 
Actually, the order for trusted is intermediate then root: https://www.ruby-forum.com/topic/4409676#1091934

Something like

cat sub.class1.server.ca.pem ca.pem > trusted.pem

should be enough (files named to match ones available from
StartCom). I've just tested with a free class 1 cert from
StartCom, and it works fine. If you still see errors with
ssl_trusted_certificate configured - you may want to provide more
details.

--
Maxim Dounin
http://nginx.com/support.html
 
> To clarify, the ssl_trusted_certificate is root.crt + intermediate.crt. It is important that it is in this order.
>
> The ssl_certificate is server.crt + intermediate.crt. In this order.
>
> So if you had before an ssl_certificate with server + intermediate + root, do not just copy & paste the last two certificates as your new ssl_trusted_certificate certificate, you have to change the order. Hope that helps anyone!
You really help me.
Now I understand a lot from your post, Thanks!
 
> To clarify, the ssl_trusted_certificate is root.crt + intermediate.crt. It is important that it is in this order.
>
> The ssl_certificate is server.crt + intermediate.crt. In this order.
>
> So if you had before an ssl_certificate with server + intermediate + root, do not just copy & paste the last two certificates as your new ssl_trusted_certificate certificate, you have to change the order. Hope that helps anyone!

> Actually, the order for trusted is intermediate then root: https://www.ruby-forum.com/topic/4409676#1091934
This is now my domain config:
Code:
server {
    listen 192.99.1.216:443 ssl spdy default_server;
    server_name www.phcorner.net;

    ssl_certificate /usr/local/nginx/conf/ssl/phcornernet/ssl-unified.crt;
    ssl_certificate_key /usr/local/nginx/conf/ssl/phcornernet/www_phcorner_net.key;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!kEDH:!EDH:!CAMELLIA;
    ssl_prefer_server_ciphers on;
    add_header Alternate-Protocol 443:npn-spdy/2;
    # enable ocsp stapling
    # resolver 8.8.8.8;
    # ssl_stapling on;

    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /usr/local/nginx/conf/ssl/phcornernet/ssl-trusted.crt;
    resolver 8.8.8.8 8.8.4.4 valid=10m;
    resolver_timeout 10s;

But still I got an error here: https://sslcheck.globalsign.com/en_US/sslcheck/?host=www.phcorner.net#192.99.1.216
and here:
https://www.sslchecker.com/sslchecker
 
I've just set this up myself.

I did the initial test, and downloaded a copy of the trusted certificate.

I added that to my server, and it's working with no stapling errors any more

Code:
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /usr/local/nginx/conf/conf.d/z22se_trusted.crt;
    resolver 8.8.8.8 8.8.4.4 valid=10m;
    resolver_timeout 10s;

https://sslcheck.globalsign.com/en_GB/sslcheck/?host=z22se.co.uk#212.71.237.228
 
What's the content and order of this file: z22se_trusted.crt?
 
> To clarify, the ssl_trusted_certificate is root.crt + intermediate.crt. It is important that it is in this order.
>
> The ssl_certificate is server.crt + intermediate.crt. In this order.
>
> So if you had before an ssl_certificate with server + intermediate + root, do not just copy & paste the last two certificates as your new ssl_trusted_certificate certificate, you have to change the order. Hope that helps anyone!
Already followed this, but still having the ocsp error: https://sslcheck.globalsign.com/en_US/sslcheck/?host=www.phcorner.net#192.99.1.216

This is my config:
Code:
server {
    server_name phcorner.net www.phcorner.net;
    return 301 https://www.phcorner.net$request_uri;
}

server {
    listen 192.99.1.216:443 ssl spdy default_server;
    server_name www.phcorner.net;

    ssl_certificate /usr/local/nginx/conf/ssl/phcorner_net/ssl-unified.crt;
    ssl_certificate_key /usr/local/nginx/conf/ssl/phcorner_net/www_phcorner_net.key;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!kEDH:!EDH:!CAMELLIA;
    ssl_prefer_server_ciphers on;
    add_header Alternate-Protocol 443:npn-spdy/2;
    # enable ocsp stapling
    # resolver 8.8.8.8;
    # ssl_stapling on;

    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /usr/local/nginx/conf/ssl/phcorner_net/ssl-trusted.crt;
    resolver 8.8.8.8 8.8.4.4 valid=10m;
    resolver_timeout 10s;

    # custom added
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
    add_header X-Content-Type-Options "nosniff";
    add_header X-Frame-Options DENY;

    # logs
    access_log /home/nginx/domains/phcorner.net/log/access.log combined buffer=32k;
    error_log /home/nginx/domains/phcorner.net/log/error.log;

    root /home/nginx/domains/phcorner.net/public;

    # block common exploits, sql injections etc
    include /usr/local/nginx/conf/block.conf;

    # Start XenForo
    location / {
        index index.php index.html index.htm;
        try_files $uri $uri/ /index.php?$uri&$args;
    }

    location /internal_data/ {
        internal;
        allow 127.0.0.1;
        deny all;
    }

    location /library/ {
        internal;
        allow 127.0.0.1;
        deny all;
    }

    location = /data/taigachat/ {
        open_file_cache off;
    }
    # End Xenforo

    include /usr/local/nginx/conf/staticfiles.conf;
    include /usr/local/nginx/conf/php.conf;
    include /usr/local/nginx/conf/drop.conf;
}
 
OK, I tried startssl server class 1 and it works fine.
So the problem is Rapidssl.
Code:
# openssl s_client -connect phcorner.net:443 -status -tls1_2 | grep OCSP
depth=2 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate Signing, CN = StartCom Certification Authority
verify error:num=19:self signed certificate in certificate chain
verify return:0
OCSP response:
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Responder Id: C = IL, O = StartCom Ltd. (Start Commercial Limited), CN = StartCom Class 1 Server OCSP Signer
        Subject: C=IL, O=StartCom Ltd. (Start Commercial Limited), CN=StartCom Class 1 Server OCSP Signer
                OCSP Signing, OCSP No Check
Fixed.
 
It's not fixed, the proper response is:
Rich (BB code):
$ openssl s_client -connect axivo.com:443 -status -tls1_2 | grep OCSP
OCSP response:
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
                TLS Web Server Authentication, OCSP Signing
            OCSP No Check:
 
Floren, I can't seem to find any documentation where it says that is the valid response? Can you point us to some reading?
 
> Floren, I can't seem to find any documentation where it says that is the valid response? Can you point us to some reading?
It's common sense: OCSP No Check means there is no verification performed. You can also look at the OpenSSL documentation.

@RoldanLT, the easiest way to fix it is to turn on the OCSP verification:
ssl_stapling_verify on;

Once this is turned on, it will take the workers approximately 10-30 minutes to cache the stapling.
It will show this on SslLabs: OCSP stapling Yes
In your case you have stapling Off, or else you will see my blue marked message, with nothing below OCSP No Check:
Rich (BB code):
$ openssl s_client -connect axivo.com:443 -status -tls1_2 | grep OCSP
OCSP response:
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
                TLS Web Server Authentication, OCSP Signing
            OCSP No Check:
You don't get it to work because your certificates are not in the right order or are missing. There are many people who told you to use only 2 certificates per file, yet you continue to use 3 certificates. Is there a reason why you don't do what several people told you to? :)
@Marcus and @Null were extremely clear:
ssl_certificate /etc/ssl/example/unified.crt; (example.com.crt + intermediate.crt)
ssl_trusted_certificate /etc/ssl/example/trusted.crt; (root.pem + intermediate.crt).
Why do you keep on adding the root certificate into unified.crt? Don't you see the error SslLabs is showing, that you use an anchor? You are supposed to have ONLY 2 certificates per file, not 3. Identify each certificate and place them in the right order. Don't worry if you mess up, SslLabs will tell you so you can switch them. But you NEED TO KNOW which certificate to add into each file.
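The two-certificates-per-file layout that Null and Floren describe (with the intermediate-then-root order from the ruby-forum post quoted earlier), as an added shell example that is not code from this thread or from nginx: it builds unified.crt and trusted.crt from three assumed input files named server.crt, intermediate.crt and root.crt, then checks that the server file holds the leaf followed by its issuer and no root, and that the trusted file holds the intermediate and the root. It also generates a throwaway test chain with openssl so the checks can be exercised offline; the checks compare subject and issuer names only and do not verify signatures or the OCSP response.

```shell
#!/bin/sh
# Added example, not code from this thread or from nginx: build the two chain
# files the replies above describe and sanity-check them before reloading nginx.
# Assumed inputs in DIR: server.crt, intermediate.crt, root.crt (names assumed).
set -eu
nth_cert()    { awk -v n="$2" '/BEGIN CERT/{i++} i==n' "$1"; }  # Nth PEM block
count_certs() { grep -c 'BEGIN CERTIFICATE' "$1"; }
subject_of()  { openssl x509 -noout -subject | sed 's/^subject= *//'; }
issuer_of()   { openssl x509 -noout -issuer  | sed 's/^issuer= *//'; }

# build_bundles DIR: ssl_certificate = server + intermediate,
# ssl_trusted_certificate = intermediate + root; two certs per file.
build_bundles() {
  cat "$1/server.crt" "$1/intermediate.crt" > "$1/unified.crt"
  cat "$1/intermediate.crt" "$1/root.crt"   > "$1/trusted.crt"
}

# check_unified FILE: two certs, leaf first and its issuer second, and no
# self-signed root (SSL Labs reports a root sent here as an "anchor").
check_unified() {
  [ "$(count_certs "$1")" -eq 2 ] || { echo "$1: expected 2 certs"; return 1; }
  [ "$(nth_cert "$1" 1 | issuer_of)" = "$(nth_cert "$1" 2 | subject_of)" ] \
    || { echo "$1: cert 2 does not issue cert 1"; return 1; }
  [ "$(nth_cert "$1" 2 | subject_of)" != "$(nth_cert "$1" 2 | issuer_of)" ] \
    || { echo "$1: cert 2 is a self-signed root"; return 1; }
}

# check_trusted TRUSTED UNIFIED: two certs, which must be the intermediate
# that signed the leaf in UNIFIED and that intermediate's issuer (the root).
check_trusted() {
  [ "$(count_certs "$1")" -eq 2 ] || { echo "$1: expected 2 certs"; return 1; }
  have="$(nth_cert "$1" 1 | subject_of)
$(nth_cert "$1" 2 | subject_of)"
  for want in "$(nth_cert "$2" 2 | subject_of)" "$(nth_cert "$2" 2 | issuer_of)"; do
    echo "$have" | grep -qxF -- "$want" || { echo "$1: missing $want"; return 1; }
  done
}

# make_test_chain DIR: constructed root -> intermediate -> server chain so the
# checks can run offline; real files come from the CA (GeoTrust in the thread).
csr()  { openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" -keyout "$2" -out "$3" 2>/dev/null; }
sign() { openssl x509 -req -days 1 -in "$1" -CA "$2" -CAkey "$3" -CAcreateserial -out "$4" 2>/dev/null; }
make_test_chain() {
  mkdir -p "$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Test Root CA' \
    -keyout "$1/root.key" -out "$1/root.crt" 2>/dev/null
  csr 'Test Intermediate CA' "$1/int.key" "$1/int.csr"
  sign "$1/int.csr" "$1/root.crt" "$1/root.key" "$1/intermediate.crt"
  csr www.example.test "$1/server.key" "$1/server.csr"
  sign "$1/server.csr" "$1/intermediate.crt" "$1/int.key" "$1/server.crt"
}
```

Run `make_test_chain /tmp/chain && build_bundles /tmp/chain && check_unified /tmp/chain/unified.crt && check_trusted /tmp/chain/trusted.crt /tmp/chain/unified.crt` to see the checks pass; a three-certificate unified.crt (the thread's mistake) is rejected.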
 
Right now my
unified.crt = domain.crt
trusted.crt = root + intermediate.crt

OK, I will modify unified.crt now, brb.
 