Nginx + Wordpress - sec_error_unknown_issuer


#1

Hello,

SSL is not working for me as it should (sec_error_unknown_issuer error on Firefox browser). Can anyone point me out what is wrong with my configuration? I would be very grateful for any help. I had to disable SSL on my server but here’s previous test results:

SSL Server Test: https://www.ssllabs.com/ssltest/analyze.html?d=marzycielskapoczta.pl
Grade C

My Nginx configuration:

server {
    listen  443;
    server_name www.marzycielskapoczta.pl;
    return 301 $scheme://marzycielskapoczta.pl$request_uri;
    ssl on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
     ssl_prefer_server_ciphers On;
     ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;
    ssl_certificate /etc/letsencrypt/live/www.marzycielskapoczta.pl/cert.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.marzycielskapoczta.pl/privkey.pem;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/live/www.marzycielskapoczta.pl/fullchain.pem;
}

server {
    listen 443;
    root /disk2/wordpress;
    server_name marzycielskapoczta.pl;
    index index.php;
    access_log off;
    error_log /var/log/nginx/mp.error.log;
    location = /favicon.ico {
    log_not_found off;
    access_log off;
    }

Thanks in advance!

PS: I was using this tutorial to install Let’s encrypt on server: NGINX Installation


#2

It should be replaced by
ssl_certificate /etc/letsencrypt/live/www.marzycielskapoczta.pl/fullchain.pem;


#3

Thank you very much vmeurisse - SSL is working now. :grinning:

Still, my redirecitons are not working. When I type http://marzycielskapoczta.pl it doesn’t redirect to https://marzycielskapoczta.pl

Can anyone help me out?

My Nginx config:

server {
    listen  443;
    server_name www.marzycielskapoczta.pl;
    return 301 https://marzycielskapoczta.pl$request_uri;
    ssl on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers On;
    ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;
    ssl_certificate /etc/letsencrypt/live/www.marzycielskapoczta.pl/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.marzycielskapoczta.pl/privkey.pem;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/live/www.marzycielskapoczta.pl/fullchain.pem;
}

server {
    listen 443;
    root /disk2/wordpress;
    server_name marzycielskapoczta.pl;
    index index.php;
    access_log off;
    error_log /var/log/nginx/mp.error.log;
    location = /favicon.ico {
    log_not_found off;
    access_log off;
    }

#4

I changed my code and now it’s working. Still, I don’t have idea why TLS 1.2 and TLS 1.1 is not working (Nginx 1.8.0). :frowning:

My code:

server {
    listen 80;
    server_name www.marzycielskapoczta.pl;
    return 301 https://marzycielskapoczta.pl$request_uri;
}


server {
    listen 443 ssl;
    server_name www.marzycielskapoczta.pl;
    root /disk2/wordpress;
    # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
    ssl_certificate /etc/letsencrypt/live/www.marzycielskapoczta.pl/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.marzycielskapoczta.pl/privkey.pem;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;

    # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
    ssl_dhparam /etc/ssl/certs/dhparam.pem;

    # intermediate configuration. tweak to your needs.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_prefer_server_ciphers on;

    # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
    add_header Strict-Transport-Security max-age=15768000;

    # OCSP Stapling ---
    # fetch OCSP records from URL in ssl_certificate and cache them
    ssl_stapling on;
    ssl_stapling_verify on;

    ## verify chain of trust of OCSP response using Root CA and Intermediate certs
    ssl_trusted_certificate /etc/letsencrypt/live/www.marzycielskapoczta.pl/fullchain.pem;

}

server {
    listen 443;
    root /disk2/wordpress;
    server_name marzycielskapoczta.pl;
    index index.php;
    access_log off;
    error_log /var/log/nginx/mp.error.log;
    location = /favicon.ico {
    log_not_found off;
    access_log off;
    }

#5

Try taking a look at this, and see if it helps at all: https://alexanderbell.info/2015/11/install-lets-encrypt-ssl-certificates-nginx/
I got WordPress, Nginx and Let’s Encrypt working together this way.


#6

pixelastic, thanks for the link. My config was fine and after I upgraded Nginx from version 1.8.0 to 1.9.7 everything works fine and I get Grade A+ on SSLLabs test. :slight_smile: