"Connection not secure" and odd details of certificate

My domain is: omf.fyi

I ran this command: Pulled up my domain in a web browser

It produced this output: Firstly, although I have run certbot --nginx successfully and installed the certificate, the site shows the "Connection not secure" error in my browsers. Secondly, when I inspect the certificate, there are some odd features: the "organization" on the certificate is "mail.omc.fyi" (when my domain is omc.fyi, though I do have a mailserver at mail.omf.fyi), and there are some other confusing items (the location is ShenZhen in China, and the organization "IT").

I'm guessing that I made a mistake along the way, and would very much appreciate some help.

My web server is (include version): nginx/1.18.0

The operating system my web server runs on is (include version): Ubuntu 20.04 LTS

My hosting provider, if applicable, is: vps.net

I can login to a root shell on my machine (yes or no, or I don't know): Yes.

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No.

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.10.1

Thanks in advance, and for all the wonderful work you do!


Hi @olivercox,

Although you successfully created a Let's Encrypt certificate, the certificate that you're seeing when connecting to the site is not your Let's Encrypt certificate. It seems like there is some kind of device in front of your nginx server that's serving a self-signed certificate.

(I saw that you wrote "omf.fyi" a couple of times but that you meant "omc.fyi".)

If your mailserver is a separate server, why are the DNS names mail.omc.fyi and omc.fyi both pointed at the same address, 209.95.52.144?


If your mail server and web server are at this same IP, please show the outputs of:

nginx -t
nginx -T | grep -Ei 'listen|root|server_name|cert|encrypt|virt|config|location'

If they are at different IPs, then you need to fix your DNS entries.


Thanks team!

Sorry for the typos; and yes, there is just one IP address, 209.95.52.144.

Here are the outputs!

nginx -t:

nginx: [warn] conflicting server name "omc.fyi" on 0.0.0.0:443, ignored
nginx: [warn] conflicting server name "www.omc.fyi" on 0.0.0.0:443, ignored
nginx: [warn] conflicting server name "omc.fyi" on [::]:443, ignored
nginx: [warn] conflicting server name "www.omc.fyi" on [::]:443, ignored
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

And nginx -T | grep -Ei 'listen|root|server_name|cert|encrypt|virt|config|location':

nginx: [warn] conflicting server name "omc.fyi" on 0.0.0.0:443, ignored
nginx: [warn] conflicting server name "www.omc.fyi" on 0.0.0.0:443, ignored
nginx: [warn] conflicting server name "omc.fyi" on [::]:443, ignored
nginx: [warn] conflicting server name "www.omc.fyi" on [::]:443, ignored
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# configuration file /etc/nginx/nginx.conf:
# configuration file /etc/nginx/conf-enabled/0-general.conf:
# configuration file /etc/nginx/conf-enabled/cache.conf:
# configuration file /etc/nginx/conf-enabled/client_max_body_size.conf:
# configuration file /etc/nginx/conf-enabled/default_type.conf:
# configuration file /etc/nginx/conf-enabled/gzip.conf:
text/vnd.rim.location.xloc
# configuration file /etc/nginx/conf-enabled/headers.conf:
# configuration file /etc/nginx/conf-enabled/log.conf:
# configuration file /etc/nginx/conf-enabled/mime_types.conf:
# configuration file /etc/nginx/mime.types:
application/x-x509-ca-cert            der pem crt;
# configuration file /etc/nginx/conf-enabled/php_fpm.conf:
# configuration file /etc/nginx/conf-enabled/sendfile.conf:
# configuration file /etc/nginx/conf-enabled/server_tokens.conf:
# configuration file /etc/nginx/conf-enabled/types_hash_max_size.conf:
# configuration file /etc/nginx/sites-enabled/00-default-ssl.conf:
# Note: This file must be loaded before other virtual host config files,
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name omc.fyi www.omc.fyi;
root /var/www/omc.fyi/html;
# configuration file /etc/nginx/templates/misc.tmpl:
location ~ ^/.well-known/ {
#root /var/www/html;
location ~ /\. { deny all; }
location = /favicon.ico { access_log off; log_not_found off; }
location = /robots.txt { access_log off; log_not_found off; }
# configuration file /etc/nginx/templates/ssl.tmpl:
# To use your own ssl cert (e.g. "Let's Encrypt"), please create symbol link to
# ssl cert/key used below, so that we can manage this config file with Ansible.
# rm -f /etc/ssl/certs/iRedMail.crt
# ln -s /etc/letsencrypt/live/<domain>/privkey.pem /etc/ssl/private/iRedMail.key
# ln -s /etc/letsencrypt/live/<domain>/fullchain.pem /etc/ssl/certs/iRedMail.crt
# To request free "Let's Encrypt" cert, please check our tutorial:
# https://docs.iredmail.org/letsencrypt.html
ssl_certificate /etc/ssl/certs/iRedMail.crt;
ssl_certificate_key /etc/ssl/private/iRedMail.key;
# configuration file /etc/nginx/templates/iredadmin.tmpl:
location ~ ^/iredadmin/static/(.*) {
location ~ ^/iredadmin(.*) {
location = /iredadmin {
location ~ ^/newsletter/ {
# configuration file /etc/nginx/templates/hsts.tmpl:
#          certificate.
# configuration file /etc/nginx/uwsgi_params:
uwsgi_param  DOCUMENT_ROOT      $document_root;
uwsgi_param  SERVER_NAME        $server_name;
# configuration file /etc/nginx/templates/roundcube.tmpl:
# Running Roundcube as a subfolder on an existing virtual host
location ~ ^/mail/(bin|config|installer|logs|SQL|temp|vendor)($|/.*) { deny all; }
location ~ ^/mail/(CHANGELOG|composer.json|INSTALL|jsdeps.json|LICENSE|README|UPGRADING)($|.*) { deny all; }
# Block plugin config files and sample config files.
location ~ ^/mail/plugins/.*/config.inc.php.* { deny all; }
location ~ ^/mail/plugins/enigma/home($|/.*) { deny all; }
location = /mail {
location ~ ^/mail/(.*\.php)$ {
location ~ ^/mail/(.*) {
# configuration file /etc/nginx/templates/fastcgi_php.tmpl:
# configuration file /etc/nginx/fastcgi_params:
fastcgi_param  DOCUMENT_ROOT      $document_root;
fastcgi_param  SERVER_NAME        $server_name;
# configuration file /etc/nginx/templates/sogo.tmpl:
location ~ ^/sogo { rewrite ^ https://$host/SOGo; }
location ~ ^/SOGO { rewrite ^ https://$host/SOGo; }
#location ~ ^/mail { rewrite ^ https://$host/SOGo; }
location ^~ /SOGo {
location ^~ /Microsoft-Server-ActiveSync {
location ^~ /SOGo/Microsoft-Server-ActiveSync {
location /SOGo.woa/WebServerResources/ {
location /SOGo/WebServerResources/ {
location ^/SOGo/so/ControlPanel/Products/([^/]*)/Resources/(.*)$ {
# configuration file /etc/nginx/templates/netdata.tmpl:
# Running netdata as a subfolder to an existing virtual host
location = /netdata {
location ~ /netdata/(?<ndpath>.*) {
# configuration file /etc/nginx/templates/php-catchall.tmpl:
location ~ \.php$ {
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
# configuration file /etc/nginx/templates/stub_status.tmpl:
location = /stub_status {
location = /status {
# configuration file /etc/nginx/sites-enabled/00-default.conf:
# Note: This file must be loaded before other virtual host config files,
# Listen on ipv4
	root /var/www/omc.fyi/html;
    server_name omc.fyi www.omc.fyi;
listen [::]:443 ssl ipv6only=on; # managed by Certbot
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/omc.fyi/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/omc.fyi/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
} # managed by Certbot
} # managed by Certbot
listen 80;
listen [::]:80 ipv6only=on;
    server_name omc.fyi  www.omc.fyi;
return 404; # managed by Certbot
# configuration file /etc/letsencrypt/options-ssl-nginx.conf:
# manually, Certbot will be unable to automatically provide future security
# updates. Instead, Certbot will print and log an error message with a path to

Hi @olivercox

nginx: [warn] conflicting server name "omc.fyi" on 0.0.0.0:443, ignored
nginx: [warn] conflicting server name "www.omc.fyi" on 0.0.0.0:443, ignored
nginx: [warn] conflicting server name "omc.fyi" on [::]:443, ignored
nginx: [warn] conflicting server name "www.omc.fyi" on [::]:443, ignored

there is your job. You have duplicated combinations of port and vHost, that's always fatal.

Every combination of port and domain name must be unique.

Merge the different definitions in one vHost.

Result must be: No warning.


Hi team, thanks again for all the help! Per your direction, @JuergenAuer, I attempted to make it one port-domain combination per virtual host file; so:

00-default.conf contains:

#
# Note: This file must be loaded before other virtual host config files,
#
# HTTP

server {
    if ($host = www.omc.fyi) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    if ($host = omc.fyi) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    listen 80;
    listen [::]:80 ipv6only=on;

        server_name omc.fyi  www.omc.fyi;
    return 404; # managed by Certbot




}

and 00-default-ssl.conf contains:

# Note: This file must be loaded before other virtual host config files,
#
# HTTPS
server {
    # Redirect all insecure http:// requests to https://
    return 301 https://$host$request_uri;

    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot


    ssl_certificate /etc/letsencrypt/live/omc.fyi/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/omc.fyi/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot


    server_name omc.fyi www.omc.fyi;

    root /var/www/omc.fyi/html;
    index index.php index.html index.nginx-debian.html;

    include /etc/nginx/templates/misc.tmpl;
    include /etc/nginx/templates/ssl.tmpl;
    include /etc/nginx/templates/iredadmin.tmpl;
    include /etc/nginx/templates/roundcube.tmpl;
    include /etc/nginx/templates/sogo.tmpl;
    include /etc/nginx/templates/netdata.tmpl;
    include /etc/nginx/templates/php-catchall.tmpl;
    include /etc/nginx/templates/stub_status.tmpl;
}

But now, when I run nginx -t, I get:

nginx: [warn] duplicate value "TLSv1.2" in /etc/nginx/templates/ssl.tmpl:1
nginx: [emerg] "ssl_ciphers" directive is duplicate in /etc/nginx/templates/ssl.tmpl:4
nginx: configuration file /etc/nginx/nginx.conf test failed

Can you advise as to how I might resolve the duplication? Or please let me know if there's something else that I did wrong.


Welcome to the Let's Encrypt Community, Oliver :slightly_smiling_face:

This:

return 301 https://$host$request_uri;

creates a redirect loop, so get rid of it.

This file:

include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot

contains the SSL parameters as managed by certbot, while this file:

include /etc/nginx/templates/ssl.tmpl;

contains duplications of them.

What are the contents of both files?

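An added check, not the poster's or nginx's own code, covering both points raised in this thread (one port/name combination per server block, and the redirect loop): it parses an `nginx -T` style dump and reports the conflicts nginx warns about plus any TLS server block that unconditionally redirects to https://. The sample dump is constructed to mirror the poster's setup.

```python
# Lint an `nginx -T` dump for the two faults in this thread: one (socket, server_name) pair
# claimed by several server blocks (nginx keeps the first, warns "conflicting server name
# ... ignored") and an unconditional `return 301 https://` in a TLS block (redirect loop).
# Added example, not the poster's or nginx's code; the dump below is a constructed sample.
import re
from collections import defaultdict

SAMPLE = """
server {
    listen 443 ssl http2;
    server_name omc.fyi www.omc.fyi;
    ssl_certificate /etc/ssl/certs/iRedMail.crt;
}
server {
    return 301 https://$host$request_uri;
    listen 443 ssl;   # managed by Certbot
    server_name omc.fyi www.omc.fyi;
    ssl_certificate /etc/letsencrypt/live/omc.fyi/fullchain.pem;
    if ($host = omc.fyi) { return 301 https://$host$request_uri; }
}
"""
DIRECTIVE = re.compile(r'(listen|server_name|ssl_certificate|return)\s+([^;]+);')

def parse_servers(dump):
    """One dict of server-level directives per server block; nested sub-blocks are skipped."""
    servers, depth, sdepth, cur = [], 0, 0, None
    for raw in dump.splitlines():
        line = raw.split('#', 1)[0].strip()              # '#' starts an nginx comment
        if re.match(r'server\s*\{', line):
            servers.append(cur := defaultdict(list))
            sdepth = depth + 1                           # directives at this depth belong to it
        elif cur is not None and depth == sdepth and DIRECTIVE.match(line):
            key, val = DIRECTIVE.match(line).groups()
            cur[key] += val.split() if key == 'server_name' else [val.strip()]
        depth += line.count('{') - line.count('}')
        if cur is not None and depth < sdepth:
            cur = None                                   # closing brace of the server block
    return servers

def find_conflicts(servers):
    seen = defaultdict(list)                             # (socket, name) -> blocks claiming it
    for i, s in enumerate(servers):
        for addr in (l.split()[0] for l in s['listen']):
            sock = addr if ':' in addr else f'0.0.0.0:{addr}'   # nginx's name for it in the warning
            for name in s['server_name']:
                seen[(sock, name)].append(i)
    return {k: v for k, v in seen.items() if len(v) > 1}    # nginx serves the first, ignores the rest

def find_redirect_loops(servers):
    return [i for i, s in enumerate(servers)             # TLS blocks that bounce clients back to https://
            if any('ssl' in l.split() for l in s['listen'])
            and any(r.startswith('301 https://') for r in s['return'])]
```

Real `nginx -T` output prints each included file under its own `# configuration file` header instead of inlining it, so directives that live in an included template such as ssl.tmpl have to be read from that section rather than from the server block that includes it.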

Thank you for the help!

Contents of /etc/letsencrypt/options-ssl-nginx.conf:

# This file contains important security parameters. If you modify this file
# manually, Certbot will be unable to automatically provide future security
# updates. Instead, Certbot will print and log an error message with a path to
# the up-to-date file that you will need to refer to when manually updating
# this file.

ssl_session_cache shared:le_nginx_SSL:10m;
ssl_session_timeout 1440m;
ssl_session_tickets off;

ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;

ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";

The contents of /etc/nginx/templates/ssl.tmpl are (which appears to have been generated when I set up the mail server with iRedMail):

ssl_protocols TLSv1.2;

# Fix 'The Logjam Attack'.
ssl_ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/ssl/dh2048_param.pem;

# To use your own ssl cert (e.g. "Let's Encrypt"), please create symbol link to
# ssl cert/key used below, so that we can manage this config file with Ansible.
#
# For example:
#
# rm -f /etc/ssl/private/iRedMail.key
# rm -f /etc/ssl/certs/iRedMail.crt
# ln -s /etc/letsencrypt/live/<domain>/privkey.pem /etc/ssl/private/iRedMail.key
# ln -s /etc/letsencrypt/live/<domain>/fullchain.pem /etc/ssl/certs/iRedMail.crt
#
# To request free "Let's Encrypt" cert, please check our tutorial:
# https://docs.iredmail.org/letsencrypt.html
ssl_certificate /etc/ssl/certs/iRedMail.crt;
ssl_certificate_key /etc/ssl/private/iRedMail.key;

I commented out the "/etc/nginx/templates/ssl.tmpl" line, and as a result omc.fyi and www.omc.fyi now load without a warning and with the correct cert.

Now, however, my mail. subdomain loads with a security error.

Thank you so much!


If you are trying to access https://mail.omc.fyi/ then you will need to create a vhost config for it and then get a cert that covers that name.
Otherwise, you could try including the roundcube template into one of the current working vhost configs.
/etc/nginx/templates/roundcube.tmpl
[Which could then be accessed via https://site.name/mail/]


It worked!

I updated the "server_name" line to include the mail. subdomain, server_name omc.fyi www.omc.fyi mail.omc.fyi; in 00-default.conf and 00-default-ssl.conf.

And now, it all works and the certificates show up correctly.

I very much appreciate all your help!
