Invalid SSL Error

I am getting an error 426 from Cloudflare that certificate is not valid. Turning off Cloudflare shows me error SSL_ERROR_BAD_CERT_DOMAIN. Any idea how to solve this? Pretty sure it is a LetsEncrypt thing. Same settings for other domains on the same server work perfectly. I tried renewing, it did not work, because the cert is not due for renewal, so I tried to force renew. No idea how to proceed. Domain not working because of invalid SSL. What should I do!? Same thing happened for 2 other domains on the same server. For some it works, for some - not. What the... !??!?!?

My domain is: srtrak.click

I ran this command: sudo certbot certonly --dns-cloudflare --dns-cloudflare-credentials /path/to/api/cloudflare.ini --domain srtrak.click,*.srtrak.click --force-renew

It produced this output:

```
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator dns-cloudflare, Installer None
Renewing an existing certificate

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/srtrak.click/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/srtrak.click/privkey.pem
   Your cert will expire on 2024-07-15. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
```

My web server is (include version): nginx version: nginx/1.25.4

The operating system my web server runs on is (include version): Ubuntu Linux 20.04.6 Linux 5.4.0-173-generic on x86_64

My hosting provider, if applicable, is: my own bare metal servers

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.40.0

In case you wonder about the wildcard... I do need the wildcard cert, because of how the system is using this domain for it to function. It generates random subdomains on different links.

What the problem looks like: certbot is issuing a certificate for another domain. Why!?

Hello @countesscat,

Side note:

That is old; see Certbot 2.10.0 Release.

2 Likes

Sure....

sudo snap refresh certbot
snap "certbot" has no updates available :face_with_raised_eyebrow:

apt install certbot
Reading package lists... Done
Building dependency tree
Reading state information... Done
certbot is already the newest version (0.40.0-1ubuntu0.1).
0 upgraded, 0 newly installed, 0 to remove and 10 not upgraded. :face_with_raised_eyebrow:

Probably should remove that version first, then follow the Certbot Instructions | Certbot

2 Likes

I would not risk it. :sweat_smile: If there WAS a newer version, it should update... Either with snap or with apt... Not a linux noob here. Sorry!

Here is what is presently being served for a certificate: https://decoder.link/sslchecker/srtrak.click/443

Common Name: *.srtrak.com
SANs:
DNS:*.srtrak.com
DNS:srtrak.com
Total number of SANs: 2

srtrak.click and srtrak.com are 2 different names; the cert does not match.

1 Like

First, please stop using --force-renew. You have already issued 4 identical certs and you will become rate limited after you get 5. This is a per-week limit!

Second, the cert returned when visiting srtrak.click is for srtrak.com

Where did you get the .com cert? And, why isn't your web server configured to use the new srtrak.click certs?

Please show the result of this

sudo certbot certificates
4 Likes

OK... I know.

It should not. Here is what nginx config says for that virtual host...

    listen 443 ssl; http2 on;
    ssl_certificate /etc/letsencrypt/live/srtrak.click/fullchain.pem; 
    ssl_certificate_key /etc/letsencrypt/live/srtrak.click/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

I get them the very same way with certbot. That's the thing!

It is! Already stated, but here we go again...

    ssl_certificate /etc/letsencrypt/live/srtrak.click/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/srtrak.click/privkey.pem;

```
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: srtrak.click
    Domains: srtrak.click *.srtrak.click
    Expiry Date: 2024-07-15 20:56:43+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/srtrak.click/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/srtrak.click/privkey.pem
  Certificate Name: srtrak.com-0001
    Domains: *.srtrak.com srtrak.com
    Expiry Date: 2024-07-15 20:16:11+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/srtrak.com-0001/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/srtrak.com-0001/privkey.pem
  Certificate Name: srtrak.top
    Domains: srtrak.top *.srtrak.top
    Expiry Date: 2024-07-15 20:16:15+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/srtrak.top/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/srtrak.top/privkey.pem
  Certificate Name: srtrak.xyz
    Domains: srtrak.xyz *.srtrak.xyz
    Expiry Date: 2024-07-15 20:57:12+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/srtrak.xyz/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/srtrak.xyz/privkey.pem
  Certificate Name: sublimerevenue.com-0001
    Domains: *.sublimerevenue.com sublimerevenue.com
    Expiry Date: 2024-07-15 20:16:23+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/sublimerevenue.com-0001/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/sublimerevenue.com-0001/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
```

Shock and terror! :sweat_smile: All seems properly configured! See my point here? And my amazement... I stand in awe!

Oh

2 Likes

Then there is some other config issue with nginx (or something else)

You have an IPv6 problem for one but let's ignore that for now.

Please show entire output of: sudo nginx -T
An upper case T will show full active config of nginx.

Ideally add 3 backticks before and after the output to maintain formatting like
```
output of nginx -T
```

4 Likes

Then maybe you have 2 version on your system.
I suggest removing this one

2 Likes

Like what? I pinged it and it works. :face_with_raised_eyebrow:

Sure. I exported it to some tmp file... here goes the nginx part...

# configuration file /etc/nginx/nginx.conf:
user www-data;
worker_processes auto;
pid /run/nginx.pid;
error_log /var/log/nginx/error.log;
include /etc/nginx/modules-enabled/*.conf;

events {
	worker_connections 768;
	# multi_accept on;
}

http {

	##
	# Basic Settings
	##

	sendfile on;
	tcp_nopush on;
	types_hash_max_size 2048;
	# server_tokens off;

	# server_names_hash_bucket_size 64;
	# server_name_in_redirect off;

	include /etc/nginx/mime.types;
	default_type application/octet-stream;

	##
	# SSL Settings
	##

	ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
	ssl_prefer_server_ciphers on;

	##
	# Logging Settings
	##

	access_log /var/log/nginx/access.log;

	##
	# Gzip Settings
	##

	gzip on;

	# gzip_vary on;
	# gzip_proxied any;
	# gzip_comp_level 6;
	# gzip_buffers 16 8k;
	# gzip_http_version 1.1;
	# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

	##
	# Virtual Host Configs
	##

	include /etc/nginx/conf.d/*.conf;
	include /etc/nginx/sites-enabled/*;
}


#mail {
#	# See sample authentication script at:
#	# http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
#	# auth_http localhost/auth.php;
#	# pop3_capabilities "TOP" "USER";
#	# imap_capabilities "IMAP4rev1" "UIDPLUS";
#
#	server {
#		listen     localhost:110;
#		protocol   pop3;
#		proxy      on;
#	}
#
#	server {
#		listen     localhost:143;
#		protocol   imap;
#		proxy      on;
#	}
#}

# configuration file /etc/nginx/modules-enabled/10-mod-http-ndk.conf:
load_module modules/ndk_http_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-http-auth-pam.conf:
load_module modules/ngx_http_auth_pam_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-http-cache-purge.conf:
load_module modules/ngx_http_cache_purge_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-http-dav-ext.conf:
load_module modules/ngx_http_dav_ext_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-http-echo.conf:
load_module modules/ngx_http_echo_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-http-fancyindex.conf:
load_module modules/ngx_http_fancyindex_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-http-geoip.conf:
load_module modules/ngx_http_geoip_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-http-geoip2.conf:
load_module modules/ngx_http_geoip2_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-http-headers-more-filter.conf:
load_module modules/ngx_http_headers_more_filter_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-http-image-filter.conf:
load_module modules/ngx_http_image_filter_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-http-lua.conf:
load_module modules/ngx_http_lua_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-http-perl.conf:
load_module modules/ngx_http_perl_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-http-subs-filter.conf:
load_module modules/ngx_http_subs_filter_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-http-uploadprogress.conf:
load_module modules/ngx_http_uploadprogress_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-http-upstream-fair.conf:
load_module modules/ngx_http_upstream_fair_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-http-xslt-filter.conf:
load_module modules/ngx_http_xslt_filter_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-mail.conf:
load_module modules/ngx_mail_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-nchan.conf:
load_module modules/ngx_nchan_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-ssl-ct.conf:
load_module modules/ngx_ssl_ct_module.so;
load_module modules/ngx_http_ssl_ct_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-stream.conf:
load_module modules/ngx_stream_module.so;

# configuration file /etc/nginx/modules-enabled/70-mod-stream-geoip.conf:
load_module modules/ngx_stream_geoip_module.so;

# configuration file /etc/nginx/modules-enabled/70-mod-stream-geoip2.conf:
load_module modules/ngx_stream_geoip2_module.so;

# configuration file /etc/nginx/mime.types:

types {
    text/html                                        html htm shtml;
    text/css                                         css;
    text/xml                                         xml;
    image/gif                                        gif;
    image/jpeg                                       jpeg jpg;
    application/javascript                           js;
    application/atom+xml                             atom;
    application/rss+xml                              rss;

    text/mathml                                      mml;
    text/plain                                       txt;
    text/vnd.sun.j2me.app-descriptor                 jad;
    text/vnd.wap.wml                                 wml;
    text/x-component                                 htc;

    image/avif                                       avif;
    image/png                                        png;
    image/svg+xml                                    svg svgz;
    image/tiff                                       tif tiff;
    image/vnd.wap.wbmp                               wbmp;
    image/webp                                       webp;
    image/x-icon                                     ico;
    image/x-jng                                      jng;
    image/x-ms-bmp                                   bmp;

    font/woff                                        woff;
    font/woff2                                       woff2;

    application/java-archive                         jar war ear;
    application/json                                 json;
    application/mac-binhex40                         hqx;
    application/msword                               doc;
    application/pdf                                  pdf;
    application/postscript                           ps eps ai;
    application/rtf                                  rtf;
    application/vnd.apple.mpegurl                    m3u8;
    application/vnd.google-earth.kml+xml             kml;
    application/vnd.google-earth.kmz                 kmz;
    application/vnd.ms-excel                         xls;
    application/vnd.ms-fontobject                    eot;
    application/vnd.ms-powerpoint                    ppt;
    application/vnd.oasis.opendocument.graphics      odg;
    application/vnd.oasis.opendocument.presentation  odp;
    application/vnd.oasis.opendocument.spreadsheet   ods;
    application/vnd.oasis.opendocument.text          odt;
    application/vnd.openxmlformats-officedocument.presentationml.presentation
                                                     pptx;
    application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
                                                     xlsx;
    application/vnd.openxmlformats-officedocument.wordprocessingml.document
                                                     docx;
    application/vnd.wap.wmlc                         wmlc;
    application/wasm                                 wasm;
    application/x-7z-compressed                      7z;
    application/x-cocoa                              cco;
    application/x-java-archive-diff                  jardiff;
    application/x-java-jnlp-file                     jnlp;
    application/x-makeself                           run;
    application/x-perl                               pl pm;
    application/x-pilot                              prc pdb;
    application/x-rar-compressed                     rar;
    application/x-redhat-package-manager             rpm;
    application/x-sea                                sea;
    application/x-shockwave-flash                    swf;
    application/x-stuffit                            sit;
    application/x-tcl                                tcl tk;
    application/x-x509-ca-cert                       der pem crt;
    application/x-xpinstall                          xpi;
    application/xhtml+xml                            xhtml;
    application/xspf+xml                             xspf;
    application/zip                                  zip;

    application/octet-stream                         bin exe dll;
    application/octet-stream                         deb;
    application/octet-stream                         dmg;
    application/octet-stream                         iso img;
    application/octet-stream                         msi msp msm;

    audio/midi                                       mid midi kar;
    audio/mpeg                                       mp3;
    audio/ogg                                        ogg;
    audio/x-m4a                                      m4a;
    audio/x-realaudio                                ra;

    video/3gpp                                       3gpp 3gp;
    video/mp2t                                       ts;
    video/mp4                                        mp4;
    video/mpeg                                       mpeg mpg;
    video/ogg                                        ogv;
    video/quicktime                                  mov;
    video/webm                                       webm;
    video/x-flv                                      flv;
    video/x-m4v                                      m4v;
    video/x-matroska                                 mkv;
    video/x-mng                                      mng;
    video/x-ms-asf                                   asx asf;
    video/x-ms-wmv                                   wmv;
    video/x-msvideo                                  avi;
}

# configuration file /etc/nginx/conf.d/stub_status.conf:
server {
	listen 127.0.0.1:80;
	server_name 127.0.0.1;
	location /nginx_status {
		stub_status on;
		allow 127.0.0.1;
		deny all;
	}
}

And here goes the srtrak.click part...

# configuration file /etc/nginx/sites-enabled/*.srtrak.click:
server { # port 80 default
    add_header  X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";
        access_log /var/log/nginx/srtrak.click.access.log; 
        error_log /var/log/nginx/srtrak.click.error.log;
        root /var/www/srtrak.click/; # default directory where the files will be stored and served from
        index index.php index.html index.htm; # index defined to be served under directory
        server_name srtrak.click *.srtrak.click; # name of the virtual host or domain
    location / {
        # URLs to attempt, including pretty ones.
        try_files $uri $uri/ /index.php?$args;
    }
        error_page 404 500 502 503 504 /error.html;
        location = /error.html {
              root /var/www/srtrak.com/;
        }
        error_page 403 /error403.html;
        location = /error403.html {
              root /var/www/srtrak.com/;
        }
    # Remove trailing slash to please routing system.
    if (!-d $request_filename) {
            rewrite     ^/(.+)/$ /$1 permanent;
    }
        # Serve PHP scripts to FastCGI server our php-fpm server listening on 127.0.0.1:9000
        location ~ \.php$ {
                include snippets/fastcgi-php.conf;
                fastcgi_pass 127.0.0.1:9000;
                include fastcgi_params;
        }
    include common/locations.conf;
# redirects start
rewrite ^/signup-([0-9]+).php$ /recruit.php?ref=$1 permanent;
rewrite ^/([0-9]+)-([a-z]+)-([0-9]+).php$ /idevads.php?id=$1&ad=$3 permanent;
rewrite ^/([0-9]+)-([a-z]+)-([0-9]+)-([0-9]+).php$ /idevads.php?id=$1&ad=$3&page=$4 permanent;
rewrite ^/([0-9]+).php$ /promo.php?id=$1 permanent;
rewrite ^/([0-9]+)-([0-9]+).php$ /promo.php?id=$1&page=$2 permanent;
rewrite ^/([0-9]+)-([0-9]+)-([0-9]+).php$ /promo.php?id=$1&page=$2&set=$3 permanent;
rewrite ^/([0-9]+)-([0-9]+)-([0-9]+)-([0-9]+).php$ /promo.php?id=$1&page=$2&set=$3&link=$4 permanent;
rewrite ^/([0-9]+)-([0-9]+)-([0-9]+)-([0-9]+)-([0-9]+).php$ /promo.php?id=$1&page=$2&set=$3&link=$4&clickid=$5 permanent;
rewrite ^/([0-9]+)-([0-9]+)-([0-9]+)-([0-9]+)-([a-zA-Z]+).php$ /promo.php?id=$1&page=$2&set=$3&link=$4&keyword=$5 permanent;
rewrite ^/([0-9]+)-([0-9]+)-([0-9]+)-([0-9]+)-([a-zA-Z]+)-([0-9]+).php$ /promo.php?id=$1&page=$2&set=$3&link=$4&keyword=$5&custom=$6 permanent;
rewrite ^/([0-9]+)-([0-9]+)-([0-9]+)-([0-9]+)-([a-zA-Z]+)-([0-9]+)-([0-9]+).php$ /promo.php?id=$1&page=$2&set=$3&link=$4&keyword=$5&custom=$6&url=$7 permanent;
# redirects end

# redirects without extension start
rewrite ^/signup-([0-9]+)$ /recruit.php?ref=$1 permanent;
rewrite ^/([0-9]+)-([a-z]+)-([0-9]+)$ /idevads.php?id=$1&ad=$3 permanent;
rewrite ^/([0-9]+)-([a-z]+)-([0-9]+)-([0-9]+)$ /idevads.php?id=$1&ad=$3&page=$4 permanent;
rewrite ^/([0-9]+)$ /promo.php?id=$1 permanent;
rewrite ^/([0-9]+)-([0-9]+)$ /promo.php?id=$1&page=$2 permanent;
rewrite ^/([0-9]+)-([0-9]+)-([0-9]+)$ /promo.php?id=$1&page=$2&set=$3 permanent;
rewrite ^/([0-9]+)-([0-9]+)-([0-9]+)-([0-9]+)$ /promo.php?id=$1&page=$2&set=$3&link=$4 permanent;
rewrite ^/([0-9]+)-([0-9]+)-([0-9]+)-([0-9]+)-([0-9]+)$ /promo.php?id=$1&page=$2&set=$3&link=$4&clickid=$5 permanent;
rewrite ^/([0-9]+)-([0-9]+)-([0-9]+)-([0-9]+)-([a-zA-Z]+)$ /promo.php?id=$1&page=$2&set=$3&link=$4&keyword=$5 permanent;
rewrite ^/([0-9]+)-([0-9]+)-([0-9]+)-([0-9]+)-([a-zA-Z]+)-([0-9]+)$ /promo.php?id=$1&page=$2&set=$3&link=$4&keyword=$5&custom=$6 permanent;
rewrite ^/([0-9]+)-([0-9]+)-([0-9]+)-([0-9]+)-([a-zA-Z]+)-([0-9]+)-([0-9]+)$ /promo.php?id=$1&page=$2&set=$3&link=$4&keyword=$5&custom=$6&url=$7 permanent;
# redirects without extension end

    listen 443 ssl; http2 on; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/srtrak.click/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/srtrak.click/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}

# this is the new s
server {
add_header  X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";
    if ($host = srtrak.click) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen   91.132.60.212:80;
    listen   [2a07:5740:400:13:0000:0000:0000:0015]:80 ipv6only=off;
    server_name srtrak.click;
    return 301 https://$host$request_uri;

}
server {
add_header  X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";
    if ($host = www.srtrak.click) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    server_name www.srtrak.click;
    listen   91.132.60.212:80;
    #listen   [2a07:5740:400:13:0000:0000:0000:0008]:80 ipv6only=off;
    return 301 https://$host$request_uri;

}

# configuration file /etc/nginx/snippets/fastcgi-php.conf:
# regex to split $uri to $fastcgi_script_name and $fastcgi_path
fastcgi_split_path_info ^(.+?\.php)(/.*)$;

# Check that the PHP script exists before passing it
try_files $fastcgi_script_name =404;

# Bypass the fact that try_files resets $fastcgi_path_info
# see: http://trac.nginx.org/nginx/ticket/321
set $path_info $fastcgi_path_info;
fastcgi_param PATH_INFO $path_info;

fastcgi_index index.php;
include fastcgi.conf;

# configuration file /etc/nginx/fastcgi.conf:

fastcgi_param  SCRIPT_FILENAME    $document_root$fastcgi_script_name;
fastcgi_param  QUERY_STRING       $query_string;
fastcgi_param  REQUEST_METHOD     $request_method;
fastcgi_param  CONTENT_TYPE       $content_type;
fastcgi_param  CONTENT_LENGTH     $content_length;

fastcgi_param  SCRIPT_NAME        $fastcgi_script_name;
fastcgi_param  REQUEST_URI        $request_uri;
fastcgi_param  DOCUMENT_URI       $document_uri;
fastcgi_param  DOCUMENT_ROOT      $document_root;
fastcgi_param  SERVER_PROTOCOL    $server_protocol;
fastcgi_param  REQUEST_SCHEME     $scheme;
fastcgi_param  HTTPS              $https if_not_empty;

fastcgi_param  GATEWAY_INTERFACE  CGI/1.1;
fastcgi_param  SERVER_SOFTWARE    nginx/$nginx_version;

fastcgi_param  REMOTE_ADDR        $remote_addr;
fastcgi_param  REMOTE_PORT        $remote_port;
fastcgi_param  REMOTE_USER        $remote_user;
fastcgi_param  SERVER_ADDR        $server_addr;
fastcgi_param  SERVER_PORT        $server_port;
fastcgi_param  SERVER_NAME        $server_name;

# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param  REDIRECT_STATUS    200;

# configuration file /etc/nginx/fastcgi_params:

fastcgi_param  QUERY_STRING       $query_string;
fastcgi_param  REQUEST_METHOD     $request_method;
fastcgi_param  CONTENT_TYPE       $content_type;
fastcgi_param  CONTENT_LENGTH     $content_length;

fastcgi_param  SCRIPT_NAME        $fastcgi_script_name;
fastcgi_param  REQUEST_URI        $request_uri;
fastcgi_param  DOCUMENT_URI       $document_uri;
fastcgi_param  DOCUMENT_ROOT      $document_root;
fastcgi_param  SERVER_PROTOCOL    $server_protocol;
fastcgi_param  REQUEST_SCHEME     $scheme;
fastcgi_param  HTTPS              $https if_not_empty;

fastcgi_param  GATEWAY_INTERFACE  CGI/1.1;
fastcgi_param  SERVER_SOFTWARE    nginx/$nginx_version;

fastcgi_param  REMOTE_ADDR        $remote_addr;
fastcgi_param  REMOTE_PORT        $remote_port;
fastcgi_param  REMOTE_USER        $remote_user;
fastcgi_param  SERVER_ADDR        $server_addr;
fastcgi_param  SERVER_PORT        $server_port;
fastcgi_param  SERVER_NAME        $server_name;

# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param  REDIRECT_STATUS    200;

# configuration file /etc/nginx/common/locations.conf:
# NGINX CONFIGURATION FOR COMMON LOCATION
# DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee)
# Basic locations files
location = /favicon.ico {
  access_log off;
  log_not_found off;
  expires max;
}
location = /robots.txt {
  # Some WordPress plugin gererate robots.txt file
  # Refer #340 issue
  try_files $uri $uri/ /index.php?$args;
  access_log off;
  log_not_found off;
}
# Cache static files
location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|swf)$ {
  add_header "Access-Control-Allow-Origin" "*";
  access_log off;
  log_not_found off;
  expires max;
}
# Security settings for better privacy
# Deny hidden files
location ~ /\.well-known {
  allow all;
}
location ~ /\. {
  deny all;
  access_log off;
  log_not_found off;
}
# Deny backup extensions & log files
location ~* ^.+\.(bak|log|old|orig|original|php#|php~|php_bak|save|swo|swp|sql)$ {
  deny all;
  access_log off;
  log_not_found off;
}
# Return 403 forbidden for readme.(txt|html) or license.(txt|html) or example.(txt|html)
if ($uri ~* "^.+(readme|license|example)\.(txt|html)$") {
  return 403;
}
# Status pages
location = /nginx_status {
  stub_status on;
  access_log off;
  include common/acl.conf;
}
location ~ ^/(status|ping)$ {
  include fastcgi_params;
  fastcgi_pass 127.0.0.1:9000;
  include common/acl.conf;
}

    ## Block SQL injections
    set $block_sql_injections 0;
    if ($query_string ~ "union.*select.*\(") {
        set $block_sql_injections 1;
    }
    if ($query_string ~ "union.*all.*select.*") {
        set $block_sql_injections 1;
    }
    if ($query_string ~ "concat.*\(") {
        set $block_sql_injections 1;
    }
    # x3 from S start
    if ($query_string ~ "%27a=0") {
        set $block_sql_injections 1;
    }
    if ($query_string ~ "\'a=0") {
        set $block_sql_injections 1;
    }
    if ($query_string ~ "union all select") {
        set $block_sql_injections 1;
    }
    if ($query_string ~ "union\ all\ select") {
        set $block_sql_injections 1;
    }
    if ($query_string ~ "waitfor delay") {
        set $block_sql_injections 1;
    }
    if ($query_string ~ "dbms_pipe\.receive_message") {
        set $block_sql_injections 1;
    }
    if ($query_string ~ "select.*\(") {
        set $block_sql_injections 1;
    }
    if ($query_string ~ "waitfor(.*)delay") {
        set $block_sql_injections 1;
    }
    if ($query_string ~ "and.*sleep\(") {
        set $block_sql_injections 1;
    }
    if ($query_string ~ "\/etc\/passwd") {
        set $block_sql_injections 1;
    }
    #if ($query_string ~ "and.*\=.*and.*\=") {
    #    set $block_sql_injections 1;
    #}
    # x3 from S end
    if ($block_sql_injections = 1) {
        return 403;
    }

    ## Block file injections
    set $block_file_injections 0;
    if ($query_string ~ "[a-zA-Z0-9_]=http://") {
        set $block_file_injections 1;
    }
    if ($query_string ~ "[a-zA-Z0-9_]=(\.\.//?)+") {
        set $block_file_injections 1;
    }
    if ($query_string ~ "[a-zA-Z0-9_]=/([a-z0-9_.]//?)+") {
        set $block_file_injections 1;
    }
    if ($block_file_injections = 1) {
        return 403;
    }

    ## Block common exploits
    set $block_common_exploits 0;
    if ($query_string ~ "(<|%3C).*script.*(>|%3E)") {
        set $block_common_exploits 1;
    }
    if ($query_string ~ "GLOBALS(=|\[|\%[0-9A-Z]{0,2})") {
        set $block_common_exploits 1;
    }
    if ($query_string ~ "_REQUEST(=|\[|\%[0-9A-Z]{0,2})") {
        set $block_common_exploits 1;
    }
    if ($query_string ~ "proc/self/environ") {
        set $block_common_exploits 1;
    }
    if ($query_string ~ "mosConfig_[a-zA-Z_]{1,21}(=|\%3D)") {
        set $block_common_exploits 1;
    }
    if ($query_string ~ "base64_(en|de)code\(.*\)") {
        set $block_common_exploits 1;
    }
    if ($block_common_exploits = 1) {
        return 403;
    }
    
# sql inject annoyance
# configuration file /etc/nginx/common/acl.conf:
# EasyEngine (ee) protect locations using
# HTTP authentication || IP address
satisfy any;
try_files $uri $uri/ =404;
auth_basic "Restricted Area";
auth_basic_user_file htpasswd-ee;
# Allowed IP Address List
allow 127.0.0.1;
deny all;

# configuration file /etc/letsencrypt/options-ssl-nginx.conf:
# This file contains important security parameters. If you modify this file
# manually, Certbot will be unable to automatically provide future security
# updates. Instead, Certbot will print and log an error message with a path to
# the up-to-date file that you will need to refer to when manually updating
# this file.

ssl_session_cache shared:le_nginx_SSL:1m;
ssl_session_timeout 1440m;
ssl_session_tickets off;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_ecdh_curve X25519:P-256:P-384;
ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:ECDHE+AES128:RSA+AES128:ECDHE+AES256:RSA+AES256:ECDHE+3DES:RSA+3DES";
ssl_prefer_server_ciphers on;

Nginx is fine. Why does SSL work for other domains? Even at the end it says

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

So for some reason certbot is issuing the .com cert for .click, .xyz and .top.
Weird...

Side bar:

IPv4 Responses are Open. :slight_smile:

```
>nmap -4 -Pn -p80,443 srtrak.click
Starting Nmap 7.94 ( https://nmap.org ) at 2024-04-16 22:41 UTC
Nmap scan report for srtrak.click (91.132.60.212)
Host is up (0.15s latency).
Other addresses for srtrak.click (not scanned): 2a07:5740:400:13::15

PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 0.58 seconds
```

IPv6 Responses are CLOSED :frowning:

```
>nmap -6 -Pn -p80,443 srtrak.click
Starting Nmap 7.94 ( https://nmap.org ) at 2024-04-16 22:41 UTC
Nmap scan report for srtrak.click (2a07:5740:400:13::15)
Host is up (0.15s latency).
Other addresses for srtrak.click (not scanned): 91.132.60.212

PORT    STATE  SERVICE
80/tcp  closed http
443/tcp closed https

Nmap done: 1 IP address (1 host up) scanned in 0.86 seconds
```
2 Likes

That is not what is happening. You can prove that by taking the file at

/etc/letsencrypt/live/srtrak.click/cert.pem

And put it in an online pem decoder like maybe this one (link here). You will see the correct domain names it

You almost certainly have a server block that is IP based which is "latching" onto all incoming requests. But, you have not shown your entire nginx config as I requested so this is only a guess.

If you upload the entire contents I can find the problem (most likely). Can you upload the config.txt file resulting from:

sudo nginx -T >config.txt
4 Likes
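One way to test the "IP-based server block latching onto requests" hypothesis offline, as an added example that is not from the thread, nginx or Certbot: it parses an `nginx -T` dump and applies nginx's documented selection order (most specific listen address:port first, then server_name, then default_server) and then does the certificate-name check a browser does when it reports SSL_ERROR_BAD_CERT_DOMAIN. The dump, the block layout and the second address 198.51.100.7 are constructed for the example; listen addresses are compared literally, so an IPv6 request address must be spelled exactly as in the listen directive.

```python
import re

def parse_listen(token):
    """Map a listen argument to (address, port); '*' means any address."""
    if token.isdigit():
        return "*", int(token)
    m = re.match(r"^(?:\[([^\]]*)\]|([^:\[\]]+))(?::(\d+))?$", token)
    if not m:
        return None  # e.g. unix:/path sockets
    addr = m.group(1) or m.group(2)
    port = int(m.group(3)) if m.group(3) else 80
    return ("*" if addr in ("*", "0.0.0.0", "::") else addr), port

def _parse_body(body):
    """Collect only the direct-child directives of one server block."""
    sb, depth, buf = {"listens": [], "names": [], "cert": None, "default": False}, 0, []
    for ch in body:
        if ch == "{":
            if depth == 0:
                buf = []  # drop nested block headers (location, if)
            depth += 1
        elif ch == "}":
            depth -= 1
        elif depth == 0 and ch != ";":
            buf.append(ch)
        elif depth == 0:
            tokens, buf = "".join(buf).split(), []
            if tokens[:1] == ["listen"]:
                sb["listens"].append(tokens[1])
                sb["default"] |= "default_server" in tokens
            elif tokens[:1] == ["server_name"]:
                sb["names"].extend(tokens[1:])
            elif tokens[:1] == ["ssl_certificate"]:
                sb["cert"] = tokens[1]
    return sb

def parse_server_blocks(dump):
    """Split an nginx -T dump into server blocks, in declaration order."""
    text = re.sub(r"#[^\n]*", "", dump)  # naive: eats a '#' inside quoted regexes too
    blocks, pos = [], 0
    while (m := re.search(r"\bserver\s*\{", text[pos:])):
        start = i = pos + m.end()
        depth = 1
        while depth and i < len(text):
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        blocks.append(_parse_body(text[start:i - 1]))
        pos = i
    return blocks

def select_server(blocks, ip, port, host):
    """The block nginx uses for a request to ip:port carrying SNI name host."""
    def on(b, addr):
        return any(parse_listen(t) == (addr, port) for t in b["listens"])
    # Step 1: listen address:port. A block bound to the exact IP wins over blocks
    # bound to any address, and names are compared only within that set.
    cands = [b for b in blocks if on(b, ip)] or [b for b in blocks if on(b, "*")]
    if not cands:
        return None
    for b in cands:  # Step 2: exact server_name, then the longest '*.' wildcard
        if host in b["names"]:
            return b
    wild = [(n, b) for b in cands for n in b["names"]
            if n.startswith("*.") and host.endswith(n[1:])]
    if wild:
        return max(wild, key=lambda nb: len(nb[0]))[1]
    # Step 3: default_server for that address:port, else the first one declared.
    return next((b for b in cands if b["default"]), cands[0])

def cert_matches(host, sans):  # RFC 6125-style: '*' covers exactly one left-most label
    host = host.lower().rstrip(".")
    for san in (s.lower() for s in sans):
        if san.startswith("*."):
            if host.count(".") == san.count(".") and host.endswith(san[1:]):
                return True
        elif san == host:
            return True
    return False

# Constructed dump modelled on the thread (not the poster's real config).
SAMPLE_DUMP = """
server {
    listen 91.132.60.212:443 ssl;
    server_name srtrak.com *.srtrak.com;
    ssl_certificate /etc/letsencrypt/live/srtrak.com-0001/fullchain.pem; # managed by Certbot
}
server {
    listen 443 ssl;
    server_name srtrak.click *.srtrak.click;
    location / { try_files $uri $uri/ /index.php?$args; }
    ssl_certificate /etc/letsencrypt/live/srtrak.click/fullchain.pem;
}
server {
    listen 443 ssl default_server;
    server_name srtrak.xyz *.srtrak.xyz;
    ssl_certificate /etc/letsencrypt/live/srtrak.xyz/fullchain.pem;
}
"""
BLOCKS = parse_server_blocks(SAMPLE_DUMP)
```

With this layout a request for srtrak.click arriving on 91.132.60.212:443 is answered by the .com block, because that block's address-specific listen is matched before any server_name is consulted; the same SNI name on an address with only wildcard listeners gets the .click block.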

It is a smart firewall I coded for hackers like you...

JK, should be open...

I ran

ip6tables -t filter -A OUTPUT -p tcp --dport 80 -j ACCEPT
ip6tables -t filter -A INPUT -p tcp --dport 80 -j ACCEPT
ip6tables -t filter -A OUTPUT -p udp --dport 80 -j ACCEPT
ip6tables -t filter -A INPUT -p udp --dport 80 -j ACCEPT

ip6tables -t filter -A OUTPUT -p tcp --dport 443 -j ACCEPT
ip6tables -t filter -A INPUT -p tcp --dport 443 -j ACCEPT
ip6tables -t filter -A OUTPUT -p udp --dport 443 -j ACCEPT
ip6tables -t filter -A INPUT -p udp --dport 443 -j ACCEPT

But does not seem to make a difference...

OK... https://srtrak.com/cert/config.txt

Please ignore the IPv6 problem for the moment. Once the nginx config is correct we can sort that out. See for example this test site which fails to connect using IPv6. I also cannot connect to your site using IPv6 but we can sort out your nginx cert problem using IPv4
https://www.ssllabs.com/ssltest/analyze.html?d=srtrak.click&hideResults=on

5 Likes

Sure. Thanks!

1 Like

Hmm. I saw IP based server blocks for port 80 but not any for port 443 that I thought I would. I only did a quick look and won't have time until later to look more in depth.

I know this sounds like poor advice but I would try rebooting your server. At least doing a full restart of nginx. Sometimes experimenting with Certbot can result in two instances of nginx running with different configs.

4 Likes

Huh!? Weird... OK. Let's restart server... :sweat_smile: