I accidentally modified my original domain.crt Now nginx doesn't start

[rdn]

How can I fix this?

nginx: [emerg] SSL_CTX_use_PrivateKey_file("/usr/local/nginx/conf/ssl/phcornernet/www_phcorner_net.key") fail                      ed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)
nginx: configuration file /usr/local/nginx/conf/nginx.conf test failed

 

[Null]

If you don't have it backed up somewhere, you'd have to ask the people you bought the SSL certificate from. They should have a copy of your signed certified.

If you've lost your key, you need to generate a new CSR and see if your SSL provider will reissue a certificate (most do).

openssl req -new -newkey rsa:2048 -nodes -keyout www.example.com.key -out www.example.com.csr

 

[p4guru]

As you're using Centmin Mod http://centminmod.com/nginx.html, every time you update your Nginx version, an automatic backup of your full nginx directory is created including nginx/conf/ssl directory.

You can find your automatic backups at /usr/local/nginxbackup

i.e. /usr/local/nginxbackup/confbackup/conf_datetimestamp folder is backup of your /usr/local/nginx/conf directory and subdirectories

Automatic Nginx Config Backup
Nginx upgrade process will also backup your existing Nginx conf directory and file via 3 options in centmin.sh: NGINXBACKUP='y', NGINXCONFDIR='/usr/local/nginx/conf', NGINXBACKUPDIR='/usr/local/nginxbackup'. You will find backups of previous Nginx versions in timestamped directories located within /usr/local/nginxbackup.

 

[rdn]

As you're using Centmin Mod http://centminmod.com/nginx.html, every time you update your Nginx version, an automatic backup of your full nginx directory is created including nginx/conf/ssl directory.

You can find your automatic backups at /usr/local/nginxbackup

i.e. /usr/local/nginxbackup/confbackup/conf_datetimestamp folder is backup of your /usr/local/nginx/conf directory and subdirectories

WoW let me scan this.
Thanks for pointing this out, didn't know this before

I am using Startssl temporarily

 

[p4guru]

yeah the info straight from the web site http://centminmod.com/nginx.html

 

[rdn]

By the way, What is the reliable ssl checker?
I couldn't get my site 100 fully working / 100% no error.

I always got issues here: https://www.sslchecker.com/sslchecker
and here: https://ssltools.websecurity.symantec.com/checker/views/certCheck.jsp

Thanks !

 

[p4guru]

what error root chain missing ? ignore that as it isn't required..

i use

• https://www.ssllabs.com/ssltest/index.html
• https://sslcheck.globalsign.com/
• https://www.geocerts.com/ssl_checker

 

[rdn]

Thanks!
Now How can I fix this?


This is my config:

server {
    server_name phcorner.net www.phcorner.net;
    return 301 https://www.phcorner.net$request_uri;
}

server {
    listen 192.99.1.216:443 ssl spdy default_server;
    server_name www.phcorner.net;

     ssl_certificate /usr/local/nginx/conf/ssl/phcorner_net/ssl-unified.crt;
        ssl_certificate_key /usr/local/nginx/conf/ssl/phcorner_net/www_phcorner_net.key;
        ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout  10m;
        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!kEDH:!EDH:!CAMELLIA;
        ssl_prefer_server_ciphers  on;
        add_header Alternate-Protocol 443:npn-spdy/2;
        # enable ocsp stapling
        # resolver 8.8.8.8;
        # ssl_stapling on;

    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /usr/local/nginx/conf/ssl/phcorner_net/ssl-trusted.crt;
    resolver 8.8.8.8 8.8.4.4 valid=10m;
    resolver_timeout 10s;
   
  # custom added
  add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
  add_header  X-Content-Type-Options "nosniff";
  add_header X-Frame-Options DENY;

  # logs
  access_log /home/nginx/domains/phcorner.net/log/access.log combined buffer=32k;
  error_log /home/nginx/domains/phcorner.net/log/error.log;

  root /home/nginx/domains/phcorner.net/public;

  # block common exploits, sql injections etc
  include /usr/local/nginx/conf/block.conf;

  # Start XenForo
  location / {
        index index.php index.html index.htm;
        try_files $uri $uri/ /index.php?$uri&$args;
        }

        location /internal_data/ {
        internal;
        allow 127.0.0.1;
        deny all;
        }

        location /library/ {
        internal;
        allow 127.0.0.1;
        deny all;
        }
        location = /data/taigachat/ {
     open_file_cache off;
        }   
  # End Xenforo

  include /usr/local/nginx/conf/staticfiles.conf;
  include /usr/local/nginx/conf/php.conf;
  include /usr/local/nginx/conf/drop.conf;
}

 

[rdn]

Should I fix this error notice?
https://ssltools.websecurity.symantec.com/checker/views/certCheck.jsp



Other ssl checker's reported fine already.
This is the only tester reported an error.

 

[Floren]

By the way, What is the reliable ssl checker?

I use ssllabs.com.

Should I fix this error notice?
https://ssltools.websecurity.symantec.com/checker/views/certCheck.jsp

View attachment 64968

Other ssl checker's reported fine already.
This is the only tester reported an error.

I don't have an error, test "axivo.com" or "www.axivo.com".

 

[p4guru]

Should I fix this error notice?
https://ssltools.websecurity.symantec.com/checker/views/certCheck.jsp

Other ssl checker's reported fine already.
This is the only tester reported an error.

you have 2 intermediate certs from 2 different providers ! hence the problem

 

[rdn]

you have 2 intermediate certs from 2 different providers ! hence the problem

I think rapidssl and geo trust is just the same, or connected.

 

[p4guru]

if that is case, change order of the last 2 certs

 

[rdn]

From this page: https://knowledge.rapidssl.com/supp...?page=content&id=AR1548&actp=RELATED_RESOURCE

For my ssl certificate: I use

1. Mydomain.crt +
2. (root) Secondary Intermediate CA.crt +
3. Primary Intermediate CA.crt

Then for ssl_trusted_certificate:

1. (root) Secondary Intermediate CA.crt +
2. Primary Intermediate CA.crt

Did i missed somethings?

 

[Floren]

Did i missed somethings?

All you have to do is execute what @Marcus told you.

 

[rdn]

Post #14 edited.
Yes I follow what he said.

But when my ssl_certificate has only:

1. Mydomain.crt +
2. (root) Secondary Intermediate CA.crt +

No Primary Intermediate CA.crt, I got a recommendation to add it to support older browser's.
Still both of this doesn't fix my OCSP Stapling

 

[Marcus]

Try this:

ssl certificate:

1. Mydomain.crt +
2. (root) Secondary Intermediate CA.crt

ssl_trusted_certificate: (different order here)

1. Primary Intermediate CA.crt
2. (root) Secondary Intermediate CA.crt

From my understanding, the browser fetches the trusted certificate (oscp ...) if it doesn't trust your ssl certificate. So it is fine to not put the root certificate into the ssl certificate.

 

[rdn]

That's what I have now, still ssllabs.com reported OCSP not working.
https://www.ssllabs.com/ssltest/analyze.html?d=phcorner.net&hideResults=on&ignoreMismatch=on

 

[Floren]

https://sslcheck.globalsign.com

I get an erroneous report, for that site.
They say I use weak ciphers, less than 128 bits... which is false.
https://sslcheck.globalsign.com/en_US/sslcheck?host=axivo.com

 

[Floren]

From my understanding, the browser fetches the trusted certificate (oscp ...) if it doesn't trust your ssl certificate. So it is fine to not put the root certificate into the ssl certificate.

Yes, you have a very good understanding.