Err_cert_common_name_invalid

docker-compose exec nginx nginx -t should work.

1 Like

I was looking for the complete config output via capital “T”:
nginx -T

2 Likes

Sorry @rg305, here you go now:

    [ec2-user@ip-172-31-89-184 gotobot3]$ docker-compose exec nginx nginx -T
    nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
    nginx: configuration file /etc/nginx/nginx.conf test is successful
    # configuration file /etc/nginx/nginx.conf:

    user  nginx;
    worker_processes  1;

    error_log  /var/log/nginx/error.log warn;
    pid        /var/run/nginx.pid;


    events {
        worker_connections  1024;
    }



    http {
        include       /etc/nginx/mime.types;
        default_type  application/octet-stream;

        log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                          '$status $body_bytes_sent "$http_referer" '
                          '"$http_user_agent" "$http_x_forwarded_for"';

        access_log  /var/log/nginx/access.log  main;

        sendfile        on;
        #tcp_nopush     on;

        keepalive_timeout  65;

        #gzip  on;

        include /etc/nginx/conf.d/*.conf;

        map $sent_http_content_type $expires {
            default                    off;
            text/html                  epoch;
            text/css                   max;
            application/javascript     max;
            ~image/                    max;
        }#map expires
    }


    # configuration file /etc/nginx/mime.types:

    types {
        text/html                                        html htm shtml;
        text/css                                         css;
        text/xml                                         xml;
        image/gif                                        gif;
        image/jpeg                                       jpeg jpg;
        application/javascript                           js;
        application/atom+xml                             atom;
        application/rss+xml                              rss;

        text/mathml                                      mml;
        text/plain                                       txt;
        text/vnd.sun.j2me.app-descriptor                 jad;
        text/vnd.wap.wml                                 wml;
        text/x-component                                 htc;

        image/png                                        png;
        image/svg+xml                                    svg svgz;
        image/tiff                                       tif tiff;
        image/vnd.wap.wbmp                               wbmp;
        image/webp                                       webp;
        image/x-icon                                     ico;
        image/x-jng                                      jng;
        image/x-ms-bmp                                   bmp;

        font/woff                                        woff;
        font/woff2                                       woff2;

        application/java-archive                         jar war ear;
        application/json                                 json;
        application/mac-binhex40                         hqx;
        application/msword                               doc;
        application/pdf                                  pdf;
        application/postscript                           ps eps ai;
        application/rtf                                  rtf;
        application/vnd.apple.mpegurl                    m3u8;
        application/vnd.google-earth.kml+xml             kml;
        application/vnd.google-earth.kmz                 kmz;
        application/vnd.ms-excel                         xls;
        application/vnd.ms-fontobject                    eot;
        application/vnd.ms-powerpoint                    ppt;
        application/vnd.oasis.opendocument.graphics      odg;
        application/vnd.oasis.opendocument.presentation  odp;
        application/vnd.oasis.opendocument.spreadsheet   ods;
        application/vnd.oasis.opendocument.text          odt;
        application/vnd.openxmlformats-officedocument.presentationml.presentation
                                                         pptx;
        application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
                                                         xlsx;
        application/vnd.openxmlformats-officedocument.wordprocessingml.document
                                                         docx;
        application/vnd.wap.wmlc                         wmlc;
        application/x-7z-compressed                      7z;
        application/x-cocoa                              cco;
        application/x-java-archive-diff                  jardiff;
        application/x-java-jnlp-file                     jnlp;
        application/x-makeself                           run;
        application/x-perl                               pl pm;
        application/x-pilot                              prc pdb;
        application/x-rar-compressed                     rar;
        application/x-redhat-package-manager             rpm;
        application/x-sea                                sea;
        application/x-shockwave-flash                    swf;
        application/x-stuffit                            sit;
        application/x-tcl                                tcl tk;
        application/x-x509-ca-cert                       der pem crt;
        application/x-xpinstall                          xpi;
        application/xhtml+xml                            xhtml;
        application/xspf+xml                             xspf;
        application/zip                                  zip;

        application/octet-stream                         bin exe dll;
        application/octet-stream                         deb;
        application/octet-stream                         dmg;
        application/octet-stream                         iso img;
        application/octet-stream                         msi msp msm;

        audio/midi                                       mid midi kar;
        audio/mpeg                                       mp3;
        audio/ogg                                        ogg;
        audio/x-m4a                                      m4a;
        audio/x-realaudio                                ra;

        video/3gpp                                       3gpp 3gp;
        video/mp2t                                       ts;
        video/mp4                                        mp4;
        video/mpeg                                       mpeg mpg;
        video/quicktime                                  mov;
        video/webm                                       webm;
        video/x-flv                                      flv;
        video/x-m4v                                      m4v;
        video/x-mng                                      mng;
        video/x-ms-asf                                   asx asf;
        video/x-ms-wmv                                   wmv;
        video/x-msvideo                                  avi;
    }

    # configuration file /etc/nginx/conf.d/default.conf:
    #Allows compression
    gzip on;
    gzip_disable "msie6";
    gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript image/svg+xml;

    upstream rasa {
        #server  184.72.-187.19:5005;
    #I had to do this for port 5005 but not for landing because there the default port is 80
        server   rasa:5005;
    }
    upstream landing {
        #server  184.72.187.19:8080;
        #server 127.0.0.1:8080;
        server   landing;
    }

    upstream server {
        #server  184.72.187.19:8080;
        #server 127.0.0.1:8080;
        server   server:9000;
    }

    server {
        listen       443 ssl;
        server_name  gotobot.co www.gotobot.co;
        # server_name  localhost;

        # @TODO remove for production
        #allow  127.0.0.1;
        #allow  83.71.213.166;
        #deny   all;

        #resolver 1.1.1.1 8.8.8.8 9.9.9.10;
        resolver 127.0.0.11 valid=30s;

        include       partials/common.conf;
        include       partials/ssl.conf;

        location /.well-known/acme-challenge/ {
            root /var/www/certbot;
        }

        location ~* \.(?:ico|css|js|gif|jpeg|jpg|png)$ {
             expires 9d;
             add_header Pragma public;
             add_header Cache-Control "public";
            }

    #    location ~* \.(?:ico|css|js|gif|jpeg|jpg|png|woff|ttf|otf|svg|woff2|eot)$ {
    #        expires 365d;
    #        add_header Cache-Control "public, no-transform";
    #   }
    #location ^~ / {
        location ^~ / {
            proxy_pass    http://landing;
            include       partials/common_location.conf;
            include       partials/cors.conf;
            #include       partials/common.conf;
            #include       partials/ssl.conf;
      }

       # location / {
       #     proxy_pass    http://api/webhooks/rest/webhook;
       #     include       partials/common_location.conf;
       #     include       partials/cors.conf;
       # }
        location = /hotel { rewrite ^ /hotel/ redirect; }
        location /hotel {
            #proxy_pass    http://rasa;
            rewrite /hotel/(.*) /$1 break;
            proxy_pass    http://rasa/webhooks/rest/webhook;
            #include       partials/common.conf;
            #include       partials/ssl.conf;
            #proxy_set_header Accept '*/token';
      }


        location ^~ /server {
            proxy_pass    http://server/sendMail;
            #include       partials/common.conf;
            #include       partials/ssl.conf;
      }

    }

    map $remote_addr $proxy_forwarded_elem {
        # IPv4 addresses can be sent as-is
        ~^[0-9.]+$          "for=$remote_addr";

        # IPv6 addresses need to be bracketed and quoted
        ~^[0-9A-Fa-f:.]+$   "for=\"[$remote_addr]\"";

        # Unix domain socket names cannot be represented in RFC 7239 syntax
        default             "for=unknown";
    }

    map $http_forwarded $proxy_add_forwarded {
        # If the incoming Forwarded header is syntactically valid, append to it
        "~^(,[ \\t]*)*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*([ \\t]*,([ \\t]*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*)?)*$" "$http_forwarded, $proxy_forwarded_elem";

        # Otherwise, replace it
        default "$proxy_forwarded_elem";
    }

    # configuration file /etc/nginx/partials/common.conf:
    #add_header Strict-Transport-Security    "max-age=31536000; includeSubDomains" always;
    add_header X-Frame-Options              SAMEORIGIN;
    add_header X-Content-Type-Options       nosniff;
    add_header X-XSS-Protection             "1; mode=block";

    # configuration file /etc/nginx/partials/ssl.conf:
    #ssl_protocols               TLSv1 TLSv1.1 TLSv1.2;
    ssl_ecdh_curve              secp384r1:secp256k1;
    #ssl_ciphers                 "ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384 OLD_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 OLD_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256";
    #ssl_prefer_server_ciphers   on;
    ssl_dhparam                 /etc/letsencrypt/ssl-dhparams.pem;
    include                     /etc/letsencrypt/options-ssl-nginx.conf;
    #ssl_certificate             /etc/letsencrypt/fullchain.pem;
    #ssl_certificate_key         /etc/letsencrypt/privkey.pem;
    ssl_certificate             /etc/letsencrypt/live/www.gotobot.co/fullchain.pem;
    ssl_certificate_key         /etc/letsencrypt/live/www.gotobot.co/privkey.pem;
    #ssl_session_timeout         10m;
    #ssl_session_cache           shared:SSL:10m;
    #ssl_session_tickets         off;
    ssl_stapling                on;
    ssl_stapling_verify         on;

    #ssl_session_cache shared:le_nginx_SSL:10m;
    #ssl_session_timeout 1440m;

    #ssl_protocols TLSv1.2 TLSv1.3;
    #ssl_prefer_server_ciphers off;

    #ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA";
    # configuration file /etc/letsencrypt/options-ssl-nginx.conf:
    # This file contains important security parameters. If you modify this file
    # manually, Certbot will be unable to automatically provide future security
    # updates. Instead, Certbot will print and log an error message with a path to
    # the up-to-date file that you will need to refer to when manually updating
    # this file.

    ssl_session_cache shared:le_nginx_SSL:10m;
    ssl_session_timeout 1440m;
    ssl_session_tickets off;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;

    ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";

    # configuration file /etc/nginx/partials/common_location.conf:
    proxy_set_header    X-Real-IP           $remote_addr;
    proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
    proxy_set_header    X-Forwarded-Proto   $scheme;
    proxy_set_header    Host                $host;
    proxy_set_header    X-Forwarded-Host    $host;
    proxy_set_header    X-Forwarded-Port    $server_port;
    proxy_set_header    Forwarded           $proxy_add_forwarded;

    # configuration file /etc/nginx/partials/cors.conf:
    if ($request_method = 'OPTIONS') {
        add_header 'Access-Control-Allow-Origin' '*';
        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
        #
        # Custom headers and headers various browsers *should* be OK with but aren't
        #
        add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization';
        #
        # Tell client that this pre-flight info is valid for 20 days
        #
        add_header 'Access-Control-Max-Age' 1728000;
        add_header 'Content-Type' 'text/plain; charset=utf-8';
        add_header 'Content-Length' 0;
        return 204;
    }
    if ($request_method = 'POST') {
        add_header 'Access-Control-Allow-Origin' '*';
        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
        add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization';
        add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range';
    }
    if ($request_method = 'GET') {
        add_header 'Access-Control-Allow-Origin' '*';
        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
        add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization';
        add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range';
    }

    # configuration file /etc/nginx/conf.d/redirect_to_https.conf:
    server {
      listen        80;

      server_name   _;

        location /.well-known/acme-challenge/ {
            # allow letsencrypt to verify challenges

            root /var/www/certbot;
            # put extra configuration here, if needed
        }

        location / {
        #    return 301 https://$server_name$request_uri;
           return 301 https://$host$request_uri;
            # return 301 http://$host$request_uri;
        }
    }

    [ec2-user@ip-172-31-89-184 gotobot3]$
1 Like

Ok try using this mapping instead:
[added two lines]

        map $sent_http_content_type $expires {
            default                    off;
            text/html                  epoch;
            text/css                   max;
            application/javascript     max;
            ~image/                    max;
            ~img/                      max;
            image/png                  max;
        }#map expires

I’ve done as you said but everything is the same…

I’m sorry, but I’ve run out of ideas.
This is clearly an NGINX settings problem.
You might want to also look online, or within an NGINX forum, for additional help.

As a last comparison, please show:
nginx -V

1 Like

@Encrypt1919, just out of curiosity: why is the prompt a lambda? What shell/prompt are you using?

2 Likes

I’m using cmder - https://cmder.net/

But I always double check with this analysis - https://gtmetrix.com/

@rg305

I can’t search through your image.
Does it contain --with-http_addition_module ?
If not, you might need to add that in.
See: http://nginx.org/en/docs/http/ngx_http_addition_module.html

Otherwise, I would try without gzip.
change:
gzip on;
to
gzip off;

1 Like

Yes.

Yes I have this:

gzip on;
gzip_disable "msie6";
gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript image/svg+xml;

but without that I had another compression warning which got solved…

As a test, try without gzip, then put it back on.

1 Like

Done, situation is still the same.

ok, now I really give up - sorry :frowning:

1 Like

No problem, thank you for trying! :hugs:

1 Like

9peppe do you have any ideas?

Also, here - https://intodns.com/gotobot.co

And here is my record set on aws, what should I do? My 5.77.36.127 address is for MX records only since I store them on another provider.

1 Like

what is the purpose of this record? can you move it to another zone?

*.gotobot.co.		299	IN	CNAME	_48059b2175a51f92f93ff8f77ada213c.vhzmpjdqfx.acm-validations.aws.

putting it as a wildcard conflicts with the necessity to have an A and/or AAAA record on mail.gotobot.co

for me, I only see 4 NS records, all from amazon. I see the others if I query the co. zone; you need to log in to your registrar’s panel and remove the non-amazon nameservers or set the nodowntimedomains.com. ones as slaves. (backup, transfer the zone)

2 Likes

To me it looks like your caching is working:

% curl -I https://www.gotobot.co/img/home_mob-min.8acf0c60.png
HTTP/1.1 200 OK
Server: nginx/1.17.9
Date: Thu, 26 Mar 2020 09:43:42 GMT
Content-Type: image/png
Content-Length: 4325
Connection: keep-alive
Last-Modified: Tue, 24 Mar 2020 19:48:31 GMT
ETag: "5e7a640f-10e5"
Accept-Ranges: bytes
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block

There are both Last-Modified and ETag headers.

If you want Expires too, you can use the map you wrote and add, in the server block, a line:

expires $expires;

removing the location blocks for static stuff. As in the example here at the bottom: https://nginx.org/en/docs/http/ngx_http_headers_module.html#expires

Using Expires can have unintended consequences, though. Last-Modified and ETag are usually enough; add Expires if responding with some 304 Not Modified is something you want to avoid.

2 Likes

I think it is not working properly since I checked on “gtmetrix.com”:

Also, I now double checked on Google speed check and same error is happening.

But this is my code, I already have $expires?

map $sent_http_content_type $expires {
    default                    off;
    text/html                  epoch;
    text/css                   max;
    application/javascript     max;
    ~image/                    max;
    ~img/                      max;
    image/png                  max;
}#map expires

1 Like

your expires is a map, see it like a js dictionary.

you need to send the actual header too. add a line

expires $expires; 

in your server block

to give you an example, you wrote

expires = {
  "default":                    "off",
  "text/html":                  "epoch",
  "text/css":                   "max"
  // and more
}

you also need

console.log(expires[mimetype])

2 Likes
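Both of 9peppe's posts above come down to the same point: the map is only a lookup table, and the captured response carries validators (Last-Modified, ETag) but no freshness headers because `expires $expires;` is never applied. The following is an added example, not code from the thread or from nginx, that models how nginx resolves that map (exact keys first, then `~` regex keys in order, then `default`), what the `expires` directive emits for each value, and audits the headers captured earlier; the function names are my own, and the evaluation order and header values follow nginx's documented behaviour.

```python
import re
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime
# The thread's "expires" map, split the way nginx evaluates a map:
# exact string keys first, then "~" regex keys in order, then default.
EXPIRES_MAP = {
    "exact": {"text/html": "epoch", "text/css": "max",
              "application/javascript": "max", "image/png": "max"},
    "regex": [(r"image/", "max"), (r"img/", "max")],
    "default": "off",
}
# nginx time units; "m" is minutes, "M" is months.
UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400,
         "w": 604800, "M": 2592000, "y": 31536000}
# The `curl -I` capture posted earlier in the thread, abridged (not constructed).
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Date: Thu, 26 Mar 2020 09:43:42 GMT
Content-Type: image/png
Last-Modified: Tue, 24 Mar 2020 19:48:31 GMT
ETag: "5e7a640f-10e5"
X-Content-Type-Options: nosniff
"""

def map_lookup(content_type, m=EXPIRES_MAP):
    """Resolve $expires for one $sent_http_content_type value. An exact key must
    equal the whole header value ("text/html; charset=utf-8" misses "text/html");
    a "~" key is an unanchored, case-sensitive regex search."""
    if content_type in m["exact"]:
        return m["exact"][content_type]
    for pattern, value in m["regex"]:
        if re.search(pattern, content_type):
            return value
    return m["default"]

def parse_time(spec):
    """Turn an nginx time such as "9d" or "1h30m" into seconds."""
    return sum(int(n) * UNITS[u] for n, u in re.findall(r"(\d+)([smhdwMy]?)", spec))

def expires_headers(value, now=None):
    """Headers the `expires` directive emits for off / epoch / max / <time>."""
    if value == "off":
        return {}
    if value == "epoch":
        return {"Expires": "Thu, 01 Jan 1970 00:00:01 GMT", "Cache-Control": "no-cache"}
    if value == "max":
        return {"Expires": "Thu, 31 Dec 2037 23:55:55 GMT", "Cache-Control": "max-age=315360000"}
    secs = parse_time(value)
    now = now or datetime.now(timezone.utc)
    return {"Expires": format_datetime(now + timedelta(seconds=secs), usegmt=True),
            "Cache-Control": f"max-age={secs}"}

def audit(raw):
    """Validators and freshness headers present, plus what `expires $expires;` would add."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        name, _, val = line.partition(":")
        headers[name.strip().lower()] = val.strip()
    return {"validators": [h for h in ("last-modified", "etag") if h in headers],
            "freshness": [h for h in ("expires", "cache-control") if h in headers],
            "would_set": expires_headers(map_lookup(headers.get("content-type", "")))}
```

Running `audit(SAMPLE_RESPONSE)` reports both validators, no freshness headers, and the `max` headers the map would have produced for `image/png` had the directive been in the server block.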