I accidentally generated SSL for my domain without WWW and it's "insecure" (nginx + wordpress + CentOS 6)


#1

My domain is: www.aspire-learning.com

I ran this command: /certbot-auto certonly /// /certbot-auto nginx

It produced this output: [Everything here is OK]

My operating system is (include version): CentOS 6

My web server is (include version): CentOS 6 + nginx

My hosting provider, if applicable, is: private VPS

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): Wordpress (installed, not the host)

Details:

I used the certbot-auto on my CentOS server to create an SSL for my domain. However, I only included the domain (aspire-learning.com) WITHOUT the “www”, so after launching the site it displayed as untrustworthy. After some fiddling, I made a second mistake: I applied for a second SSL with the domain as “www.aspire-learning.com” and NO “aspire-learning.com”. I think this resulted in two separate SSL certificates being issued, while neither is correctly tied to the site.

After some looking around online I finally realized (too late) that I could have applied for them together.

And NOW, somehow I have THREE SSL certificates in the “letsencrypt/live” folder, and I really have no idea how.

I tried to revoke the certificates so I could start again clean, but for some reason the revoke command is not working at all (it keeps telling me to include the directory, even though I have tried to do that with multiple formats).

So can someone help me either: 1. Start fresh and revoke everything the right way? or 2. Combine the two SSL certificates (or three?) into something that will work with my site?

Just in case, here are my config files:

“wordpress_https.conf”

upstream php-handler-https {
    server 127.0.0.1:9000;
    #server unix:/var/run/php5-fpm.sock;
}

server {
    listen 443 ssl default_server;
    # server_name takes space-separated names; with a comma nginx registers the
    # literal name "www.aspire-network.com," and never matches the www host
    server_name www.aspire-network.com aspire-network.com;
    #server_name wordpress.example.com;
    ssl_certificate /etc/letsencrypt/live/aspire-network.com-0001/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/aspire-network.com-0001/privkey.pem; # managed by Certbot
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ecdh_curve secp384r1;
    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4; # no RC4 and known insecure ciphers
    root /var/www/html/;
    index index.php;

    # set max upload size
    client_max_body_size 2G;
    fastcgi_buffers 64 4K;

    access_log /var/log/nginx/wordpress_https_access.log combined;
    error_log /var/log/nginx/wordpress_https_error.log;

    location = /favicon.ico {
        log_not_found off;
        access_log off;
    }

    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    # never serve Apache-style credential/config files
    location ~* \.(htaccess|htpasswd) {
        deny all;
    }

    location ~ \.php(?:$|/) {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_param HTTPS on;
        fastcgi_pass php-handler-https;
        fastcgi_read_timeout 60s;
    }

    # set long EXPIRES header on static assets
    location ~* \.(?:jpg|jpeg|gif|bmp|ico|png|css|js|swf)$ {
        expires 30d;
        access_log off;
    }
}

“wordpress_https.conf”

upstream php-handler-http {
    server 127.0.0.1:9000;
    #server unix:/var/run/php5-fpm.sock;
}

server {
    listen 80 default_server;
    # space-separated names, no commas (see note in the https config)
    server_name www.aspire-network.com aspire-network.com;
    #server_name wordpress.example.com;

    root /var/www/html/;
    index index.php;

    # set max upload size
    client_max_body_size 2G;
    fastcgi_buffers 64 4K;

    access_log /var/log/nginx/wordpress_http_access.log combined;
    error_log /var/log/nginx/wordpress_http_error.log;

    location = /favicon.ico {
        log_not_found off;
        access_log off;
    }

    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    # never serve Apache-style credential/config files
    location ~* \.(htaccess|htpasswd) {
        deny all;
    }

    location ~ \.php(?:$|/) {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_pass php-handler-http;
        fastcgi_read_timeout 60s;
    }

    # set long EXPIRES header on static assets
    location ~* \.(?:jpg|jpeg|gif|bmp|ico|png|css|js|swf)$ {
        expires 30d;
        access_log off;
    }
}

EDIT: I managed to revoke the prior certificates, which allowed me to try a fresh setup, but now I see the bigger problem: for some reason running “certbot-auto --nginx” and entering my domain as “www.aspire-network.com, aspire-network.com” results in “Cannot find a VirtualHost matching domain www.aspire-network.com.”
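Certbot's nginx plugin reports "Cannot find a VirtualHost matching domain" when no server block lists the requested name exactly. The following lint is an added illustration, not code from the thread or from certbot: it parses a constructed nginx snippet in which one server_name line uses commas (so nginx would register the literal name "www.aspire-network.com,"), reproduces the lookup failure, and emits the corrected directive.

```python
import re

# Constructed sample, not the thread's files: the 443 block has the comma
# mistake, the 80 block has the correct space-separated form.
SAMPLE_CONF = """
server {
    listen 443 ssl default_server;
    server_name www.aspire-network.com, aspire-network.com;
    location / { try_files $uri $uri/ /index.php?$args; }
}
server {
    listen 80 default_server;
    server_name www.aspire-network.com aspire-network.com;
}
"""

def parse_server_blocks(conf):
    """Collect 'listen' and 'server_name' tokens of each top-level server block.
    Comments are stripped; nested blocks such as location are skipped."""
    blocks, depth, current = [], 0, None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if depth == 0 and re.fullmatch(r"server\s*\{", line):
            current = {"listen": [], "server_name": []}
            blocks.append(current)
        elif current is not None and depth == 1 and line.endswith(";"):
            key, _, value = line[:-1].partition(" ")
            if key in ("listen", "server_name"):
                current[key].extend(value.split())
        depth += line.count("{") - line.count("}")
        if depth == 0:
            current = None
    return blocks

def comma_problems(block):
    """Names nginx stored with a trailing comma; no real Host header matches them."""
    return [name for name in block["server_name"] if name.endswith(",")]

def vhost_for(blocks, host, port):
    """Exact-name lookup on one port, as the certbot nginx plugin does.
    None corresponds to 'Cannot find a VirtualHost matching domain'."""
    for block in blocks:
        if port in block["listen"] and host in block["server_name"]:
            return block
    return None

def fixed_server_name(block):
    """The directive rewritten with commas removed and names space-separated."""
    names = " ".join(n.rstrip(",") for n in block["server_name"])
    return "server_name " + names + ";"
```

Run `parse_server_blocks` over your real config and call `comma_problems` on each block before retrying `certbot-auto --nginx`.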


#2

I’ll leave it to the folks who know more about certbot to respond to those questions, but don’t revoke certificates. That’s almost never the right answer when you’re having a problem. The only real time it’s appropriate is if your private key gets compromised (and even then, it doesn’t work very well, which is one reason the 90-day lifetime of a Let’s Encrypt cert is a good thing).


#3

Well shoot, I already revoked them. But at least it showed me what the real problem was: apparently my domain name “aspire-network.com” is ok, but NOT “www.aspire-network.com.” Any idea why?


#4

At least your most recent certificate

https://crt.sh/?id=112885333

is fine and covers both names. If you’re using that one, you should be fine!


#5

Thank you so much for pointing that out! You saved me SO MUCH headache!

I found those files, restored them to the server and lo and behold, it works great now!
