Please see later in the post for my config files. My issue is that when using the following site to verify ssl settings; https://ssllabs.com/ssltest; I get the following “issue”:
- The “ffxiv-app.com” certificate is presented as a secondary certificate that’s not trusted for all domains.
That’s the only issue I see. With the answers to the standard template below, am I missing anything?
My domain is:
I ran this command:
- Installed certbot then ran the following commands with only the “default” site enabled.
- Ran a similar command for all domains, which were successful:
- certbot certonly --webroot -w /opt/www -d domain.com -d www.domain.com
- enabled each domain's config after starting the service
It produced this output:
- Standard output with success.
My operating system is (include version):
- Ubuntu 16.10 4.8.0-38-generic
My web server is (include version):
- nginx/1.10.1, nodejs 7.5.0 (hapi, express)
My hosting provider, if applicable, is:
- DigitalOcean
I can login to a root shell on my machine (yes or no, or I don’t know):
- Yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
- No
default:
server {
    listen 80 default;
    server_name _;
    root /opt/www;
    location / {
        try_files $uri /index.html =404;
    }
    location ~ /.well-known {
        allow all;
    }
    location @maintenance {
        try_files $uri /maintenance.html =404;
    }
    error_page 404 /;
    error_page 500 502 503 504 =200 @maintenance;
}
xivapp.com (same config except cert locations and domain name for the rest):
server {
    listen 80;
    server_name www.xivapp.com;
    return 301 https://www.xivapp.com$request_uri;
}
server {
    listen 80;
    server_name xivapp.com;
    return 301 https://xivapp.com$request_uri;
}
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name www.xivapp.com;
    include snippets/ssl-xivapp.com.conf;
    include snippets/ssl-params.conf;
    return 301 https://xivapp.com$request_uri;
}
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name xivapp.com;
    include snippets/ssl-xivapp.com.conf;
    include snippets/ssl-params.conf;
    proxy_http_version 1.1;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection 'upgrade';
    proxy_set_header Host $host;
    proxy_cache_bypass $http_upgrade;
    proxy_intercept_errors on;
    location / {
        proxy_pass http://127.0.0.1:#####;
    }
    location @maintenance {
        root /opt/www;
        try_files $uri /maintenance.html =404;
    }
    error_page 500 502 503 504 =200 @maintenance;
}
ssl-params:
# from https://cipherli.st/
# and https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
# Disable preloading HSTS for now. You can use the commented out header line that includes
# the "preload" directive if you understand the implications.
#add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
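An added example, not part of the post above and not the poster's code, that audits two things visible in these configs. First, which server block nginx treats as the default for each listened port: nginx uses the block flagged default_server (legacy spelling: default) on that socket, otherwise the first block in configuration order. A TLS client that sends no SNI, as SSL Labs does in one of its probes, is served that default block's certificate, which is one common reason an extra certificate for a different domain shows up in the report when several HTTPS vhosts each carry their own certificate but none of the port 443 blocks is marked default_server. Second, whether ssl_protocols still enables versions current guidance disables. The hostnames example-a.test and example-b.test, the port number, and the trimmed sample config are constructed for the example; address-specific listen directives are collapsed to their port for brevity.

```python
import re

# Constructed sample (not the poster's real files): a trimmed "default" vhost plus
# two HTTPS domains, in the order nginx would load them.
SAMPLE_CONFIG = """
server {
    listen 80 default;
    server_name _;
    root /opt/www;
    location / { try_files $uri /index.html =404; }
}
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name www.example-a.test;
    include snippets/ssl-example-a.conf;   # certificate for example-a
    return 301 https://example-a.test$request_uri;
}
server {
    listen 443 ssl http2;
    server_name example-a.test;
    include snippets/ssl-example-a.conf;
    location / { proxy_pass http://127.0.0.1:3000; }
}
server {
    listen 443 ssl http2;
    server_name example-b.test;
    include snippets/ssl-example-b.conf;
}
"""

# Constructed copy of the posted protocol line, used for the policy check.
SAMPLE_SSL_PARAMS = "ssl_protocols TLSv1 TLSv1.1 TLSv1.2;\nssl_prefer_server_ciphers on;\n"

DEPRECATED_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1")


def strip_comments(text):
    """Drop '#' comments so braces or semicolons inside them don't confuse the scanner."""
    return re.sub(r"#[^\n]*", "", text)


def split_server_blocks(text):
    """Return the body of every top-level 'server { ... }' block, in file order."""
    blocks, depth, start = [], 0, None
    for i, ch in enumerate(text):
        if ch == "{":
            if depth == 0 and text[:i].rstrip().endswith("server"):
                start = i + 1
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0 and start is not None:
                blocks.append(text[start:i])
                start = None
    return blocks


def top_level_directives(body):
    """Yield (name, args) for directives at the block's own level, skipping nested blocks."""
    depth, buf = 0, ""
    for ch in body:
        if ch == "{":
            depth += 1
            buf = ""  # discard the nested block's prefix, e.g. 'location /'
        elif ch == "}":
            depth -= 1
        elif depth == 0:
            if ch == ";":
                parts = buf.split()
                if parts:
                    yield parts[0], parts[1:]
                buf = ""
            else:
                buf += ch


def default_server_per_port(config_text):
    """Map each port to the block nginx serves when no server_name matches (e.g. no SNI):
    the block flagged default_server/default on that port, else the first in file order."""
    chosen = {}
    for body in split_server_blocks(strip_comments(config_text)):
        names, listens, cert_sources = [], [], []
        for name, args in top_level_directives(body):
            if name == "server_name":
                names.extend(args)
            elif name == "listen":
                listens.append(args)
            elif name in ("ssl_certificate", "include"):
                cert_sources.extend(args)
        for args in listens:
            port = args[0].rsplit(":", 1)[-1]  # "80", "443" and "[::]:443" all give the port
            explicit = any(a in ("default_server", "default") for a in args[1:])
            entry = {"server_name": names, "cert_sources": cert_sources, "explicit": explicit}
            if port not in chosen or (explicit and not chosen[port]["explicit"]):
                chosen[port] = entry
    return chosen


def deprecated_protocols_enabled(snippet_text):
    """Return the versions listed in ssl_protocols that current guidance disables."""
    found = []
    for name, args in top_level_directives(strip_comments(snippet_text)):
        if name == "ssl_protocols":
            found.extend(p for p in args if p in DEPRECATED_PROTOCOLS)
    return found


def report(config_text, ssl_params_text):
    """Human-readable findings for the two checks above."""
    lines = []
    for port, entry in sorted(default_server_per_port(config_text).items()):
        how = "explicit default_server" if entry["explicit"] else "first block in file order"
        lines.append(f"port {port}: default vhost {entry['server_name']} ({how}); "
                     f"non-SNI clients get the cert from {entry['cert_sources'] or 'inherited context'}")
    weak = deprecated_protocols_enabled(ssl_params_text)
    if weak:
        lines.append(f"ssl_protocols still enables {', '.join(weak)}; consider TLSv1.2 and TLSv1.3 only")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_CONFIG, SAMPLE_SSL_PARAMS)))
```

Run it against the real vhost files by reading them into `report()`; on the sample it reports that port 443 falls back to the www.example-a.test block purely by file order, so the certificate from ssl-example-a.conf is what a client without SNI receives even when it meant to reach example-b.test. Marking one port 443 block default_server, or adding a dedicated default block with its own certificate, makes that choice explicit rather than an accident of include order.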