Help thread with cremationlab

It might... let me tattoo that to my closed eyelid - lol

wat lol? So the chain.pem has two certs in it, do I delete both?

NO; only the last one (the bottom one)

Okay, so I have added the above cert to the blacklist folder, deleted the second one from my chain.pem file, run sudo update-ca-trust and rebooted, but we still get the error can't connect to cremation.plus:443

If I use this tool SSL Checker - Test Certificate and Installation

it says the certificate has expired? On cremation.plus domain

Well it's still serving that "untrusted" cert:

---
Certificate chain
 0 s:/CN=cremation.plus
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
 2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---

Try switching out the cross-signed "ISRG Root X1" for the self-signed "ISRG Root X1"

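As an added example (not part of the original thread): a small Python parser for a "Certificate chain" block in the format shown above, as printed by `openssl s_client`, that flags any served certificate issued by DST Root CA X3, which is the cross-signed ISRG Root X1 the reply says to switch out. The sample text is the chain block from this thread; the function names `parse_chain` and `audit` are hypothetical.

```python
import re

# Sample input: the "Certificate chain" block quoted in this thread.
SAMPLE = """\
---
Certificate chain
 0 s:/CN=cremation.plus
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
 2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
"""

# Handles both "/CN=R3" (older OpenSSL) and "CN = R3" (newer OpenSSL) styles.
CN_RE = re.compile(r"CN\s*=\s*([^/,\n]+)")
SUBJECT_RE = re.compile(r"^\s*(\d+)\s+s:(.*)$")
ISSUER_RE = re.compile(r"^\s+i:(.*)$")

def _cn(dn):
    """Extract the common name from a distinguished name string."""
    m = CN_RE.search(dn)
    return m.group(1).strip() if m else dn.strip()

def parse_chain(text):
    """Return [(depth, subject_cn, issuer_cn), ...] in the order served."""
    chain, pending = [], None
    for line in text.splitlines():
        s, i = SUBJECT_RE.match(line), ISSUER_RE.match(line)
        if s:
            pending = (int(s.group(1)), _cn(s.group(2)))
        elif i and pending:
            chain.append((*pending, _cn(i.group(1))))
            pending = None
    return chain

def audit(chain, legacy_root="DST Root CA X3"):
    """Flag broken issuer/subject links and certs issued by legacy_root."""
    findings = []
    for (depth, subj, issuer), nxt in zip(chain, chain[1:] + [None]):
        if nxt and nxt[1] != issuer:
            findings.append(f"{depth}: issuer {issuer!r} != next subject {nxt[1]!r}")
        if issuer == legacy_root:
            findings.append(f"{depth}: {subj!r} is cross-signed by {legacy_root!r}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(parse_chain(SAMPLE))) or "chain looks clean")
```

Run against the chain above, it reports entry 2; once the server stops sending that entry, the same check returns no findings.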

How do I do that? I am solid with linux but I don't know much about SSL, sorry.. I appreciate all this help. Just a dumb engineer.

No problem :wink: I'm a really dumb piano player!
The file we want is:
https://letsencrypt.org/certs/isrgrootx1.pem
The file it replaces/goes into depends... Let me check my eyelids...
...plesk...

No, which ACME client do you use?
[where are the cert pem files?]

I think I'm... deja vu... repeating myself...

What web server do you use?
Let's find it there.

Nginx I believe

OK try:
grep -Ri 'server_name|ssl_cert' /etc/nginx

null response

Looks like they are in /usr/local/psa/var/modules/letsencrypt

So do I find the domain file in there and replace it with the link above?

Try:
sudo netstat -pant | grep -Ei 'nginx|80|443'

No, let's stay out of there for now.

sudo netstat -pant | grep -Ei 'nginx|80|443'
tcp        0      0 64.207.185.212:443      0.0.0.0:*               LISTEN      1109/nginx: master  
tcp        0      0 0.0.0.0:8443            0.0.0.0:*               LISTEN      484/sw-cp-server: m 
tcp        0      0 0.0.0.0:7080            0.0.0.0:*               LISTEN      584/httpd           
tcp        0      0 64.207.185.212:80       0.0.0.0:*               LISTEN      1109/nginx: master  
tcp        0      0 0.0.0.0:8880            0.0.0.0:*               LISTEN      484/sw-cp-server: m 
tcp        0      0 64.207.185.212:443      66.249.66.82:49178      ESTABLISHED 1119/nginx: worker  
tcp        0      0 64.207.185.212:443      114.119.134.148:18394   TIME_WAIT   -                   
tcp        0      0 64.207.185.212:443      114.119.134.148:16652   TIME_WAIT   -                   
tcp        0      0 64.207.185.212:443      78.157.40.245:53960     TIME_WAIT   -                   
tcp        0      0 64.207.185.212:443      78.157.40.245:53646     TIME_WAIT   -                   
tcp        0      0 64.207.185.212:443      107.215.18.195:49674    ESTABLISHED 1119/nginx: worker  
tcp        0      0 64.207.185.212:7081     64.207.185.212:40808    TIME_WAIT   -                   
tcp6       0      0 :::8443                 :::*                    LISTEN      484/sw-cp-server: m 
tcp6       0      0 :::8880                 :::*    

Ok, so it is definitely nginx - good

Try these:
ps -ef | grep nginx
which nginx
find / -name nginx.conf

ps -ef | grep nginx
root      1109     1  0 02:51 ?        00:00:00 nginx: master process /usr/sbin/nginx
nginx     1119  1109  0 02:51 ?        00:00:03 nginx: worker process
root      2514  1825  0 03:20 pts/0    00:00:00 grep --color=auto nginx
[root@kdjf-x2z7 ~]# which nginx
/usr/sbin/nginx
[root@kdjf-x2z7 ~]# find / -name nginx.conf
/etc/nginx/nginx.conf
/var/www/vhosts/system/cremation.plus/conf/nginx.conf

If that still fails to find anything, then show the file:
/etc/nginx/nginx.conf

Like open it in Vim? Not sure what you mean by show.

cat /etc/nginx/nginx.conf