Skip to content

Error certification on virtualmin/Nginx

Solved Linux
17 2 1.3k 1
  • Hello mark

    It’s strange this evening I no longer had SSL access to my dev environment

    I had a zeroSSL CA certificate that was still valid until the end of the month.
    I rebooted the machine as well.

    So I checked my DNS, Cloudflare, domain name, nginx service, all is OK.
    I regenerated a certificate on zero SSL but I got an error saying there is a problem with the certificate (invalid certificate)

    9166b7c8-1471-4246-b43b-13790a664197-image.png

    Your connection is not private
    Malicious individuals may be trying to steal your personal information from the nodebbdev.xxxxxx.fr site (passwords, messages or credit card numbers, for example). Learn more
    NET::ERR_CERT_COMMON_NAME_INVALID

    fbbc49fc-9887-4c41-ac28-9eede0a83bd6-image.png

    I can Bypass the message but that’s not the goal

  • Maybe better, I don’t know how anymore in Virtualmin, there was a bug with virtualmin/Let’s encrypt, I have to look for it

    @DownPW yes, it’s a bit hit and miss, but certbot will work. Have a look at this

    https://sudonix.org/topic/54/virtualmin-letsencrypt-renewal

  • aea4ec70-b4d9-4dbd-95cd-473b2b9a2daf-image.png

    It is impossible to verify on the server that it is indeed the domain nodebbdev.test.fr, because its security certificate comes from the domain test.fr. This could be due to a misconfiguration or your connection being intercepted by a hacker.

    @phenomlab

    Seems to be a configuration problem but don’t know where and why ?
    I have installed the ZeroSSL CA certificate on domain and nodebbdev subdomain.

  • aea4ec70-b4d9-4dbd-95cd-473b2b9a2daf-image.png

    It is impossible to verify on the server that it is indeed the domain nodebbdev.test.fr, because its security certificate comes from the domain test.fr. This could be due to a misconfiguration or your connection being intercepted by a hacker.

    @phenomlab

    Seems to be a configuration problem but don’t know where and why ?
    I have installed the ZeroSSL CA certificate on domain and nodebbdev subdomain.

    @DownPW it looks to me that the cert you are using isn’t a wildcard or for the subdomain.

  • d**n, maybe you are right because I’m on a ZeroSSL free account
    But I can normally generate a certificate for all subdomains. I didn’t get this message before.

  • d**n, maybe you are right because I’m on a ZeroSSL free account
    But I can normally generate a certificate for all subdomains. I didn’t get this message before.

    @DownPW how are you generating the certificate?

  • like this

    image.png

    replace test.fr with my domaine of course. (not subdomain)

  • like this

    image.png

    replace test.fr with my domaine of course. (not subdomain)

    @DownPW yes, you need a wildcard cert for the subdomain to work. Can you use LetsEncrypt?

  • Maybe better, I don’t know how anymore in Virtualmin, there was a bug with virtualmin/Let’s encrypt, I have to look for it

  • Maybe better, I don’t know how anymore in Virtualmin, there was a bug with virtualmin/Let’s encrypt, I have to look for it

    @DownPW yes, it’s a bit hit and miss, but certbot will work. Have a look at this

    https://sudonix.org/topic/54/virtualmin-letsencrypt-renewal

  • I did like that from memory and select subdomain but I would like to take a longer time. Memorizing the certificate didn’t last long

    sudo certbot --nginx -v

  • I did like that from memory and select subdomain but I would like to take a longer time. Memorizing the certificate didn’t last long

    sudo certbot --nginx -v

    @DownPW should be 90 days?

  • Yes I guess but it’s not much but it doesn’t matter. I don’t see any commands in the help
    Should I delete the Zerro SSL certificate via Webmin before? Think yes

    image.png

    and this bug that we can’t regenerate a certificate without error via virtualmin is really annoying.

  • Yes I guess but it’s not much but it doesn’t matter. I don’t see any commands in the help
    Should I delete the Zerro SSL certificate via Webmin before? Think yes

    image.png

    and this bug that we can’t regenerate a certificate without error via virtualmin is really annoying.

    @DownPW said in Error certification on virtualmin/Nginx:

    Should I delete the Zerro SSL certificate via Webmin before? Think yes

    Yes.

    @DownPW said in Error certification on virtualmin/Nginx:

    and this bug that we can’t regenerate a certificate without error via virtualmin is really annoying.

    What is the error message?

  • I have regenerate with certbot, reload nginx without errors but it is still the zeroSSL certificate that appears in Webmin/Current Certificate

    Do you want to expand and replace this existing certificate with the new
    certificate?
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    (E)xpand/(C)ancel: E
    Renewing an existing certificate for virtuaverse.fr and 2 more domains
    
    Successfully received certificate.
    Certificate is saved at: /etc/letsencrypt/live/nodebbdev.xxx.fr/fullchain.pem
    Key is saved at:         /etc/letsencrypt/live/nodebbdev.xxx.fr/privkey.pem
    This certificate expires on 2023-12-31.
    These files will be updated when the certificate renews.
    Certbot has set up a scheduled task to automatically renew this certificate in the background.
    
    Deploying certificate
    Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/xxx.fr.conf
    Successfully deployed certificate for xxx.fr to /etc/nginx/sites-enabled/xxx.fr.conf
    Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/proxy.xxx.fr.conf
    Successfully deployed certificate for proxy.xxx.fr to /etc/nginx/sites-enabled/proxy.xxx.fr.conf
    Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/nodebbdev.xxx.fr.conf
    Successfully deployed certificate for nodebbdev.xxx.fr to /etc/nginx/sites-enabled/nodebbdev.xxx.fr.conf
    Traffic on port 80 already redirecting to ssl in /etc/nginx/sites-enabled/xxx.fr.conf
    Traffic on port 80 already redirecting to ssl in /etc/nginx/sites-enabled/proxy.xxx.fr.conf
    Traffic on port 80 already redirecting to ssl in /etc/nginx/sites-enabled/nodebbdev.xxx.fr.conf
    Your existing certificate has been successfully renewed, and the new certificate has been installed.
    

    703b34e3-77df-4bca-9578-1d0d04b3ebe2-image.png

    ada17138-1945-4794-aa91-8865eaa0a528-image.png

    EDIT : Very Strange, i test again to regenerate certificat with let’s encrypt on virtualmin and that’s work and Current certificate is now OK on virtualmin.
    it never worked for several months and it works now, very strange 😲

  • I have regenerate with certbot, reload nginx without errors but it is still the zeroSSL certificate that appears in Webmin/Current Certificate

    Do you want to expand and replace this existing certificate with the new
    certificate?
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    (E)xpand/(C)ancel: E
    Renewing an existing certificate for virtuaverse.fr and 2 more domains
    
    Successfully received certificate.
    Certificate is saved at: /etc/letsencrypt/live/nodebbdev.xxx.fr/fullchain.pem
    Key is saved at:         /etc/letsencrypt/live/nodebbdev.xxx.fr/privkey.pem
    This certificate expires on 2023-12-31.
    These files will be updated when the certificate renews.
    Certbot has set up a scheduled task to automatically renew this certificate in the background.
    
    Deploying certificate
    Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/xxx.fr.conf
    Successfully deployed certificate for xxx.fr to /etc/nginx/sites-enabled/xxx.fr.conf
    Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/proxy.xxx.fr.conf
    Successfully deployed certificate for proxy.xxx.fr to /etc/nginx/sites-enabled/proxy.xxx.fr.conf
    Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/nodebbdev.xxx.fr.conf
    Successfully deployed certificate for nodebbdev.xxx.fr to /etc/nginx/sites-enabled/nodebbdev.xxx.fr.conf
    Traffic on port 80 already redirecting to ssl in /etc/nginx/sites-enabled/xxx.fr.conf
    Traffic on port 80 already redirecting to ssl in /etc/nginx/sites-enabled/proxy.xxx.fr.conf
    Traffic on port 80 already redirecting to ssl in /etc/nginx/sites-enabled/nodebbdev.xxx.fr.conf
    Your existing certificate has been successfully renewed, and the new certificate has been installed.
    

    703b34e3-77df-4bca-9578-1d0d04b3ebe2-image.png

    ada17138-1945-4794-aa91-8865eaa0a528-image.png

    EDIT : Very Strange, i test again to regenerate certificat with let’s encrypt on virtualmin and that’s work and Current certificate is now OK on virtualmin.
    it never worked for several months and it works now, very strange 😲

    @DownPW go figure…

  • yep very very erratic

    In any case, thank you for the support.

  • DownPWundefined DownPW has marked this topic as solved on
  • yep very very erratic

    In any case, thank you for the support.

    @DownPW anytime


Did this solution help you?
Did you find the suggested solution useful? Why not buy me a coffee? It's a nice gesture, and a great way to show your appreciation 💗

Related Topics
  • 3 Votes
    30 Posts
    2k Views
    @DownPW any update?
  • 3 Votes
    6 Posts
    747 Views
    @DownPW said in Nginx core developer quits project in security dispute, starts “freenginx” fork: Maybe virtualmin implement it in the future… I don’t think they will - my guess is that they will stick with the current branch of NGINX. I’ve not personally tested it, but the GIT page seems to be very active. This is equally impressive [image: 1714914575066-8ac0d197-68fa-4bd8-bfa3-87237bf8f1f4-image.png] I think the most impressive on here is the native support of HTTP 3
  • 14 Votes
    69 Posts
    16k Views
    @phenomlab Seems to be better with some scaling fix for redis on redis.conf. I haven’t seen the message yet since the changes I made # I increase it to the value of /proc/sys/net/core/somaxconn tcp-backlog 4096 # I'm uncommenting because it can slow down Redis. Uncommented by default !!!!!!!!!!!!!!!!!!! #save 900 1 #save 300 10 #save 60 10000 If you have other Redis optimizations. I take all your advice https://severalnines.com/blog/performance-tuning-redis/
  • 6 Votes
    36 Posts
    3k Views
    @justoverclock said in Digitalocean step by step guide to nginx configuration: i’m learning And that’s the whole point of this site If you don’t learn anything, you gain nothing.
  • how to use CF tunnels with Virtualmin?

    Solved Configure cf tunnel cloudflare virtualmin
    10
    3 Votes
    10 Posts
    1k Views
    @Hari DDoS protection is not just a switch, or one component. It’s a collection of different and often disparate technologies that when grouped together form the basis of a combined toolset that can be used in defence. Typically these consist of IDS (Instrusion Detection System) and IPS (Intrusion Prevention System) components that detect irregularities in network traffic, and will take decisive action based on predefined rulesets, or in the case of more modern systems, AI and ML. Traditional “traffic shaping” technology is also deployed, so if an attack cannot be easily identified as malicious, the bandwidth available to that connection is severely limited to nothing more than a trickle rather than a full flow. Years ago, ISP’s used traffic shaping (also called “policers”) as an effective means of stopping applications such as BearShare, eDonkey, Napster, and other P2P based sharing systems from functioning correctly - essentially reducing the “appeal” of distributing and seeding illegal downloads. This was essentially the ISP’s way of saying “stop what you are doing please” without actually pulling the plug. These days, DDoS attacks are designed to overwhelm - not assume control of - webservers and other public facing components. It’s rare for small entities to be attacked unless there is some form of political agenda driven by your site or product. A classic example is governmental institutions or lawmakers who effectively are classed as “enforcers” and those who disagree are effectively making a statement in the form of Denial of Service. DDoS protection is effectively the responsibility of the hosting provider, but you shouldn’t just assume that they will protect you or your site. Their responsibility stops at their infrastructure, so it’s then up to you too decide how you full the gap in between your host and the website. Typically, you’d leverage something like Imunify360 which you can get for Plesk (and something I’d strongly recommend) but it’s not free, and is a paid (not expensive per month) subscription. If you want to use VirtualMin then there are a variety of tools readily available out of the box such as firewalls and fail2ban.
  • IRC Server/Client - Chat App with NodeBB

    Linux nodebb irc server client
    6
    1 Votes
    6 Posts
    1k Views
    @Hari not sure from the consumer perspective, but Skype has been all but completely consumed by Microsoft Teams when it comes to business usage.
  • how to configure DNS records virtualmin?

    Solved Linux digitalocean dns
    26
    1
    11 Votes
    26 Posts
    2k Views
    i think we can mark this discussion as solved learned how to install virtualmin with NGINX We can easily point the DNS by mentioning server IP at CF a name record learned how to install SSL
  • SASL LOGIN authentication failed: generic failure

    Moved Solved Linux
    5
    0 Votes
    5 Posts
    1k Views
    @Ash3T I’m going to mark this post as solved as I’ve not heard from you in a while. Let me know if this isn’t the case and you need more help.