SSL test site not working

I did the test for ssl on https://www.ssllabs.com/ and it says it is not trusted.

It also said that the certificate was self-signed?

I am running iredmail on CentOS 6 using the nginx web server.

Should all the statements be put in /etc/nginx/conf.d/ssl.conf ?

If so, from all the tutorials online, I seem to be putting it in right. But…now the site says it is untrusted.

Hi @guyueland, would you like to tell us your domain name?

Self-signed certs are never issued by Let’s Encrypt. So if you see an indication that your site is using a self-signed cert, it’s not using the Let’s Encrypt-issued cert. You can sometimes obtain a Let’s Encrypt cert without also successfully configuring your server applications to make use of it. Definitely some server configuration file will need to be edited somehow, and currently no Let’s Encrypt client applications do this automatically by default for nginx configurations.

hi @guyueland

usually it’s a good idea to fill out the help form completely so people can assist

did you restart the web server after updating the SSL configuration?

this one catches people out as nginx doesn’t reload the certificates until a restart

FYI: fields you should fill out in the future so people can do verifications on why the web server is not using the correct certificate

A) I usually check if a valid certificate has actually been issued and what the fingerprint is
B) I then check if that is the fingerprint of the certificate your service is currently serving up
C) the command question helps us narrow down if it’s a syntax issue

Please fill out the fields below so we can help you better.

My domain is:

I ran this command:

It produced this output:

My operating system is (include version):

My web server is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

My domain is mail.eliteautogroup.ca
My operating system is CentOS 6.8
My web server is nginx (provided by iredmail)
My mail server is iRedmail 0.9.5-1
We host the server ourselves

I put the cert file pointers in /etc/nginx/conf.d/ssl.conf
-------------------------------------------------------------------------------------
# certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
ssl_certificate /etc/letsencrypt/live/mail.eliteautogroup.ca/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/mail.eliteautogroup.ca/privkey.pem;
ssl_session_timeout 1d;

ssl_session_cache shared:SSL:32m;
ssl_session_tickets off;

# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits

ssl_dhparam /etc/nginx/ssl/dhparams.pem;

#  intermediate configuration. tweak to your needs.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384$

#  HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
add_header Strict-Transport-Security "max-age=31557600; includeSubDomains";

ssl_buffer_size 800k;
-----------------------------------------------------------------------------------------------------------------------------

I restarted the web server several times using this command: service nginx restart

I can log into a root shell to the server remotely

hi @guyueland

have a look at the mozilla tls generator https://mozilla.github.io/server-side-tls/ssl-config-generator/

your ssl configs (ciphers etc) are good however you are definitely serving up a self signed certificate

have a look at this http://www.iredmail.org/docs/use.a.bought.ssl.certificate.html#nginx-web-server

Andrei

Thanks. I was going through an upgrade of my iRedMail server and while I was upgrading it I came across a file with the wrong pointers for the ssl. It seems I should have put the pointers in /etc/nginx/conf.d/00-default.conf NOT /etc/nginx/conf.d/ssl.conf.

After editing I restarted the nginx server, ran the ssl test again and now it says it is Trusted!!! Yay!

Sorry for the inconvenience.
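Checks A and B from the earlier reply, combined with the cause found here (the effective `ssl_certificate` directive was in a different file), as an added example that is not part of the thread: it lists every `ssl_certificate` directive in a config directory and marks which one points at the certificate the server is actually sending. It assumes Python 3 and config files sitting directly in the given directory; the function names are made up for illustration.

```python
import hashlib
import re
import ssl
import sys
from pathlib import Path

# "ssl_certificate <path>;" only: ssl_certificate_key and commented-out lines do not match.
DIRECTIVE = re.compile(r"^[ \t]*ssl_certificate[ \t]+([^;\s]+)[ \t]*;", re.MULTILINE)
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.DOTALL)


def leaf_fingerprint(pem_text):
    """SHA-256 fingerprint of the first (leaf) certificate in a PEM bundle."""
    first = PEM_BLOCK.search(pem_text)
    if first is None:
        raise ValueError("no certificate in PEM data")
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(first.group(0))).hexdigest()


def configured_certs(conf_dir):
    """Map each *.conf file name to the ssl_certificate paths it sets."""
    found = {}
    for conf in sorted(Path(conf_dir).glob("*.conf")):
        paths = DIRECTIVE.findall(conf.read_text())
        if paths:
            found[conf.name] = paths
    return found


def diagnose(conf_dir, served_pem):
    """List (config file, cert path, is_the_served_cert) for every directive."""
    served = leaf_fingerprint(served_pem)
    report = []
    for conf, paths in configured_certs(conf_dir).items():
        for path in paths:
            try:
                match = leaf_fingerprint(Path(path).read_text()) == served
            except (OSError, ValueError):
                match = False  # unreadable file or not a certificate
            report.append((conf, path, match))
    return report


if __name__ == "__main__":
    host, conf_dir = sys.argv[1], sys.argv[2]  # e.g. your domain and /etc/nginx/conf.d
    # No trust validation on purpose: we only want the bytes the server sends.
    pem = ssl.get_server_certificate((host, 443))
    for conf, path, match in diagnose(conf_dir, pem):
        print(f"{conf}: {path} -> {'SERVED' if match else 'not served'}")
```

Run it as root so the files under /etc/letsencrypt/live/ are readable; a Let's Encrypt path reported as "not served" next to another file's path reported as "SERVED" is the situation described in this thread.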

hi @guyueland

not an inconvenience at all.

it’s always a learning experience and thanks for sharing your solution as it might help someone else in the future :smiley:

Andrei
