My domain is: ggc.world
I ran this command: https://check-your-website.server-daten.de/?q=ggc.world
It produced this output:
https://www.ggc.world/ 2.36.58.214
Error - Certificate isn’t trusted, RemoteCertificateNameMismatch
My web server is (include version): nginx version: nginx/1.14.0 (Ubuntu)
The operating system my web server runs on is (include version): Ubuntu 18.04.4 Desktop
I can login to a root shell on my machine (yes or no, or I don’t know): yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): I used the acme.sh client for the certificates
This is the procedure I followed for the certificates:
- Installed acme.sh:
(base) marco@pc01:~/webMatters$ git clone https://github.com/acmesh-official/acme.sh.git
Cloning into 'acme.sh'...
remote: Enumerating objects: 12, done.
remote: Counting objects: 100% (12/12), done.
remote: Compressing objects: 100% (12/12), done.
remote: Total 9858 (delta 5), reused 2 (delta 0), pack-reused 9846
Receiving objects: 100% (9858/9858), 3.89 MiB | 5.81 MiB/s, done.
Resolving deltas: 100% (5787/5787), done.
(base) marco@pc01:~/webMatters/acme.sh$ sudo su
root@pc01:/home/marco/webMatters/acme.sh# mkdir data
root@pc01:/home/marco/webMatters/acme.sh# pwd
/home/marco/webMatters/acme.sh
root@pc01:/home/marco/webMatters/acme.sh# ./acme.sh --install --config-home /home/marco/webMatters/acme.sh/data/
[ven 7 feb 2020, 18.28.59, CET] It is recommended to install socat first.
[ven 7 feb 2020, 18.28.59, CET] We use socat for standalone server if you use standalone mode.
[ven 7 feb 2020, 18.28.59, CET] If you don’t use standalone mode, just ignore this warning.
[ven 7 feb 2020, 18.28.59, CET] Installing to /root/.acme.sh
[ven 7 feb 2020, 18.28.59, CET] Installed to /root/.acme.sh/acme.sh
[ven 7 feb 2020, 18.28.59, CET] Installing alias to '/root/.bashrc'
[ven 7 feb 2020, 18.28.59, CET] OK, Close and reopen your terminal to start using acme.sh
[ven 7 feb 2020, 18.28.59, CET] Installing cron job
47 0 * * * "/home/marco/.acme.sh"/acme.sh --cron --home "/home/marco/.acme.sh" > /dev/null
[ven 7 feb 2020, 18.28.59, CET] Good, bash is found, so change the shebang to use bash as preferred.
[ven 7 feb 2020, 18.28.59, CET] OK
- Issued and installed certificates:
I followed the indications found here: https://www.cyberciti.biz/faq/how-to-configure-nginx-with-free-lets-encrypt-ssl-certificate-on-debian-or-ubuntu-linux/
root@pc01:/home/marco/webMatters/acme.sh# D=/var/www/ggc.world
root@pc01:/home/marco/webMatters/acme.sh# mkdir -vp ${D}/.well-known/acme-challenge/
mkdir: created directory '/var/www/ggc.world/.well-known'
mkdir: created directory '/var/www/ggc.world/.well-known/acme-challenge/'
root@pc01:/home/marco/webMatters/acme.sh# chown -R www-data:www-data ${D}/.well-known/acme-challenge/
root@pc01:/home/marco/webMatters/acme.sh# chmod -R 0555 ${D}/.well-known/acme-challenge/
root@pc01:/home/marco/webMatters/acme.sh# cd /etc/nginx/ssl/ggc.world/
root@pc01:/etc/nginx/ssl/ggc.world# openssl dhparam -out dhparams.pem -dsaparam 4096
Generating DSA parameters, 4096 bit long prime
..................+........+...........+..+...........+..+........+............+.....+....+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*
..+..............+......+.....................+.....+....+..............+.....................................+............+..............+.+..+..+..........+.........+................+...+.....+......+.
root@pc01:/etc/nginx/ssl/ggc.world# acme.sh --issue -w /var/www/ggc.world/ -d ggc.world
[dom 9 feb 2020, 19.18.20, CET] Create account key ok.
[dom 9 feb 2020, 19.18.20, CET] Registering account
[dom 9 feb 2020, 19.18.21, CET] Registered
[dom 9 feb 2020, 19.18.21, CET] ACCOUNT_THUMBPRINT='…'
[dom 9 feb 2020, 19.18.21, CET] Creating domain key
[dom 9 feb 2020, 19.18.21, CET] The domain key is here: /home/marco/webMatters/acme.sh/data//ggc.world/ggc.world.key
[dom 9 feb 2020, 19.18.21, CET] Single domain='ggc.world'
[dom 9 feb 2020, 19.18.21, CET] Getting domain auth token for each domain
[dom 9 feb 2020, 19.18.23, CET] Getting webroot for domain='ggc.world'
[dom 9 feb 2020, 19.18.23, CET] Verifying: ggc.world
[dom 9 feb 2020, 19.18.26, CET] Success
[dom 9 feb 2020, 19.18.26, CET] Verify finished, start to sign.
[dom 9 feb 2020, 19.18.26, CET] Lets finalize the order, Le_OrderFinalize: https://acme-v02.api.letsencrypt.org/acme/finalize/77760425/2282146886
[dom 9 feb 2020, 19.18.27, CET] Download cert, Le_LinkCert: https://acme-v02.api.letsencrypt.org/acme/cert/03510d59a93f48cca51922f61d4cbc42d206
[dom 9 feb 2020, 19.18.28, CET] Cert success.
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
[dom 9 feb 2020, 19.18.28, CET] Your cert is in /home/marco/webMatters/acme.sh/data//ggc.world/ggc.world.cer
[dom 9 feb 2020, 19.18.28, CET] Your cert key is in /home/marco/webMatters/acme.sh/data//ggc.world/ggc.world.key
[dom 9 feb 2020, 19.18.28, CET] The intermediate CA cert is in /home/marco/webMatters/acme.sh/data//ggc.world/ca.cer
[dom 9 feb 2020, 19.18.28, CET] And the full chain certs is there: /home/marco/webMatters/acme.sh/data//ggc.world/fullchain.cer
With this /etc/nginx/sites-enabled/default:
root@pc01:/etc/nginx/ssl/ggc.world# nano /etc/nginx/sites-enabled/default
server {
#listen 80 default_server;
#listen [::]:80 default_server;
#listen 80;
listen 2.36.58.214:443;
server_name ggc.world;
ssl on;
ssl_certificate_key /etc/nginx/ssl/ggc.world/ggc.world.key;
ssl_certificate /etc/nginx/ssl/ggc.world/ggc.world.cer;
ssl_session_timeout 30m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;
ssl_session_cache shared:SSL:10m;
ssl_dhparam /etc/nginx/ssl/ggc.world/dhparams.pem;
ssl_prefer_server_ciphers on;
## Improves TTFB by using a smaller SSL buffer than the nginx default
ssl_buffer_size 8k;
## Enables OCSP stapling
ssl_stapling on;
resolver 8.8.8.8;
ssl_stapling_verify on;
## Send header to tell the browser to prefer https to http traffic
add_header Strict-Transport-Security max-age=31536000;
## SSL logs ##
access_log /var/log/nginx/ggc.world/ssl_access.log;
error_log /var/log/nginx/ggc.world/ssl_error.log;
#-------- END SSL config -------##
# Let's Encrypt webroot
include includes/letsencrypt-webroot;
root /var/www/html;
# Add index.php to the list if you are using PHP
index index.html index.htm index.nginx-debian.html;
server_name _;
location / {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
try_files $uri $uri/ =404;
}
}
I installed the certs:
root@pc01:/etc/nginx/ssl/ggc.world# acme.sh --installcert -d ggc.world --keypath /etc/nginx/ssl/ggc.world/ggc.world.key --fullchainpath /etc/nginx/ssl/ggc.world/ggc.world.cer --reloadcmd 'systemctl reloa$
[dom 9 feb 2020, 19.35.00, CET] Installing key to:/etc/nginx/ssl/ggc.world/ggc.world.key
[dom 9 feb 2020, 19.35.00, CET] Installing full chain to:/etc/nginx/ssl/ggc.world/ggc.world.cer
[dom 9 feb 2020, 19.35.00, CET] Run reload cmd: systemctl reload nginx
[dom 9 feb 2020, 19.35.00, CET] Reload success
I then opened port 443:
root@pc01:/etc/nginx/ssl/ggc.world# ufw allow proto tcp from any to 2.36.58.214 port 443
Rules updated
I then created /etc/nginx/conf.d/default.conf with sudo nano:
server {
listen 443 ssl http2 default_server;
server_name ggc.world;
ssl_certificate_key /etc/nginx/ssl/ggc.world/ggc.world.key;
ssl_certificate /etc/nginx/ssl/ggc.world/ggc.world.cer;
ssl_session_timeout 5m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:50m;
#ssl_stapling on;
#ssl_stapling_verify on;
access_log /var/log/nginx/ggcworld-access.log combined;
add_header Strict-Transport-Security "max-age=31536000";
location = /favicon.ico { access_log off; log_not_found off; }
location / {
proxy_pass http://127.0.0.1:8080;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
}
server {
listen 80 default_server;
listen [::]:80 default_server;
error_page 497 https://$host:$server_port$request_uri;
server_name www.ggc.world;
return 301 https://$server_name$request_uri;
access_log /var/log/nginx/ggcworld-access.log combined;
add_header Strict-Transport-Security "max-age=31536000";
location = /favicon.ico { access_log off; log_not_found off; }
location / {
proxy_pass http://127.0.0.1:8080;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
}
Reloaded and restarted the nginx server:
(base) marco@pc01:~$ sudo systemctl reload nginx
(base) marco@pc01:~$ sudo systemctl start nginx
(base) marco@pc01:~$ sudo nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
(base) marco@pc01:~$ sudo systemctl status nginx
● nginx.service - A high performance web server and a reverse proxy server
Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled)
Active: active (running) since Mon 2020-02-10 10:48:43 CET; 5min ago
Docs: man:nginx(8)
Process: 3859 ExecReload=/usr/sbin/nginx -g daemon on; master_process on; -s reload (code=exited, status=0/SUCCESS)
Process: 1017 ExecStart=/usr/sbin/nginx -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
Process: 998 ExecStartPre=/usr/sbin/nginx -t -q -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
Main PID: 1056 (nginx)
Tasks: 9 (limit: 4915)
CGroup: /system.slice/nginx.service
├─1056 nginx: master process /usr/sbin/nginx -g daemon on; master_process on;
├─3861 nginx: worker process
├─3863 nginx: worker process
├─3864 nginx: worker process
├─3865 nginx: worker process
├─3866 nginx: worker process
├─3867 nginx: worker process
├─3868 nginx: worker process
└─3869 nginx: worker process
feb 10 10:48:43 pc01 systemd[1]: Starting A high performance web server and a reverse proxy server...
feb 10 10:48:43 pc01 systemd[1]: Started A high performance web server and a reverse proxy server.
feb 10 10:50:35 pc01 systemd[1]: Reloading A high performance web server and a reverse proxy server.
feb 10 10:50:35 pc01 systemd[1]: Reloaded A high performance web server and a reverse proxy server.
feb 10 10:54:23 pc01 systemd[1]: Reloading A high performance web server and a reverse proxy server.
feb 10 10:54:23 pc01 systemd[1]: Reloaded A high performance web server and a reverse proxy server.
But I get "Error - Certificate isn't trusted, RemoteCertificateNameMismatch"
How to solve the problem?
Looking forward to your kind help.
Marco
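Added example (editor's code, not part of Marco's post or of acme.sh): a RemoteCertificateNameMismatch is what a TLS client reports when the hostname it connected to is not among the certificate's subjectAltName dNSName entries. The post's issue log says "Single domain='ggc.world'", while the checker requested https://www.ggc.world/, so the script below reproduces that comparison offline with a constructed SAN list, and also includes a live fetch helper (stdlib ssl only, network required, not exercised by the offline check) that verifies the chain but deliberately skips name checking so you can read the SANs off a server whose name is wrong. Function names and the sample values are the editor's own.

```python
"""Diagnose a TLS name mismatch: compare the hostname requested with the
dNSName entries a certificate carries, the way a TLS client does."""
import socket
import ssl


def hostname_matches(san_dns_names, hostname):
    """RFC 6125-style match of `hostname` against SAN dNSName entries.

    Rules: labels compare case-insensitively; a wildcard is honoured only as
    the entire leftmost label ("*.ggc.world"), stands for exactly one label,
    never matches the bare parent ("ggc.world") and is refused when fewer than
    two labels follow it ("*.world").
    """
    host_labels = hostname.rstrip(".").lower().split(".")
    for name in san_dns_names:
        name_labels = name.rstrip(".").lower().split(".")
        if len(name_labels) != len(host_labels):
            continue
        if name_labels[0] == "*":
            if len(name_labels) >= 3 and name_labels[1:] == host_labels[1:]:
                return True
            continue
        if name_labels == host_labels:
            return True
    return False


def missing_names(san_dns_names, wanted_hostnames):
    """Hostnames in `wanted_hostnames` that the certificate does not cover."""
    return [h for h in wanted_hostnames if not hostname_matches(san_dns_names, h)]


def san_dns_names_from_peercert(peercert):
    """Pull dNSName entries out of the dict ssl.SSLSocket.getpeercert() returns."""
    return [value for kind, value in peercert.get("subjectAltName", ()) if kind == "DNS"]


def fetch_san_dns_names(hostname, port=443, timeout=10):
    """Connect with SNI=hostname and return the served certificate's DNS SANs.

    The chain is still verified against the system trust store; only the
    hostname check is disabled so a mismatched certificate can be inspected
    instead of aborting the handshake. Network access required.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False           # we want the cert even if the name is wrong
    ctx.verify_mode = ssl.CERT_REQUIRED  # ...but an untrusted chain is still rejected
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return san_dns_names_from_peercert(tls.getpeercert())


# Constructed sample (editor's assumption, built from the post's log): the
# certificate was issued for the single name ggc.world, while the external
# checker connected to www.ggc.world.
SAMPLE_SAN = ["ggc.world"]
WANTED = ["ggc.world", "www.ggc.world"]

if __name__ == "__main__":
    print("not covered:", missing_names(SAMPLE_SAN, WANTED))  # -> ['www.ggc.world']
```

Running it against the constructed sample reports www.ggc.world as uncovered, which is exactly the condition the checker flags; to inspect the live server instead, call fetch_san_dns_names("www.ggc.world") and feed the result to missing_names with the names you expect the site to answer for.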