Nginx
Vadim Timoshenko, 2019-02-25 10:44:58

How do I properly install Let's Encrypt on NGINX?

I created certificates for the domains sitename.ru and *.sitename.ru on the site and got 3 files:

  • ca_bundle.crt
  • certificate.crt
  • private key

I put them in the folder /etc/ssl/certs/sitename.ru/ on the VDS server.
In the NGINX .conf I wrote the following:
http {
        ...
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
        ssl_prefer_server_ciphers on;
        ...

        server {
        ...
            ssl_certificate     /etc/ssl/certs/sitename.ru/certificate.crt;
            ssl_certificate_key /etc/ssl/certs/sitename.ru/private.key;
            ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
            ssl_ciphers         HIGH:!aNULL:!MD5;
        ...
        }
}

I made the necessary redirects. Everything works: the site opens over https:// and there is a green padlock in the browser. But Yandex.Webmaster complains, and when following a link from VK a warning appears that the certificate is not installed correctly.
Tell me, what did I forget? Where should the ca_bundle.crt file go? Maybe I did not complete the certificate installation correctly at all?


6 answer(s)
kotabus, 2019-02-25
@PbI6A_KuT

The correct way is to install certbot, which will configure nginx or apache for the necessary domains and renew the certificate itself.

Viktor Taran, 2019-02-25
@shambler81

So, Cap, look here:
1. Put the certificates:

server {

######################################################################
## Server configuration
######################################################################
        listen *:443 ssl http2;
        server_name 3dpaneli.ru www.3dpaneli.ru;
        root /var/www/3dpaneli.ru/web;


######################################################################
## SSL configuration
######################################################################
# recommended but not mandatory directive
# leave commented out unless you know what it is doing
#more_set_headers 'Strict-Transport-Security: max-age=15768000';
        ssl on;   # redundant with "listen ... ssl" above; deprecated since nginx 1.15.0
        ssl_session_cache  shared:SSL:10m;
        ssl_session_timeout 1h;
        ssl_protocols TLSv1.2 TLSv1.1;
        add_header Strict-Transport-Security "max-age=15768000" always;
        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_prefer_server_ciphers on;
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK;
        ssl_certificate /var/www/clients/client19/web26/ssl/3dpaneli.ru-le.crt;
        ssl_certificate_key /var/www/clients/client19/web26/ssl/3dpaneli.ru-le.key;
        ssl_dhparam /etc/nginx/ssl/dhparam.pem;
###################################################################

......
ssl_dhparam /etc/nginx/ssl/dhparam.pem; is not required, but it is needed to raise the certificate's grade.
Next, click on the certificate in the browser and check that everything is normal there and that the domain is green;
then open the debugger and look in the developer console for mixed content warnings, and if there are any, eliminate them.

JohnnyMnemonik, 2019-02-26
@JohnnyMnemonik

https://www.ssllabs.com/ssltest/analyze.html

FJCrux, 2019-02-26
@FJCrux

At the very least, you have not fully installed the certificate.
The ca_bundle file contains the root and intermediate certificates, which, together with your domain certificate, make up the complete certificate chain.
Concatenate your certificate with the bundle and specify the resulting file as the certificate.
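
As an added example (not code from the thread or from any of the answerers), the following POSIX shell script does what FJCrux describes and then checks the result offline with openssl, before nginx is reloaded. It assumes the file names from the question (certificate.crt, ca_bundle.crt, private.key) and the host sitename.ru; the --self-test mode builds a throwaway root/intermediate/leaf PKI with openssl, so it needs no real certificates. The function names and the fullchain.pem / bundle-root.pem output names are my own choices, not anything nginx or Let's Encrypt defines.

```shell
#!/bin/sh
# Added example (not from the thread): assemble the chain file nginx expects
# from the asker's three files and check it offline with openssl before the
# server is touched. Assumed names, taken from the question: certificate.crt
# (leaf), ca_bundle.crt (intermediate + root), private.key, host sitename.ru.
set -e

# nginx presents the FIRST certificate in ssl_certificate as the server cert
# and sends the rest as the chain, so the order must be leaf, then the bundle.
# A leaf file with no trailing newline would glue "-----END CERTIFICATE-----"
# onto the bundle's "-----BEGIN CERTIFICATE-----" and the chain would be lost,
# which is exactly the "certificate not installed correctly" symptom.
build_fullchain() {
    leaf="$1"; bundle="$2"; out="$3"
    {
        cat "$leaf"
        [ -z "$(tail -c 1 "$leaf")" ] || echo   # restore the missing newline
        cat "$bundle"
    } > "$out"
}

# Certificates that start on a fresh line; a glued one is not counted.
cert_count() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# Subject of the first certificate in a file, e.g. "CN=sitename.ru".
first_subject() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//'
}

# Last certificate in a file; for a CA bundle that is the root, used below as
# the trust anchor. This proves the bundle is self-consistent, not that clients
# trust that root: that is what SSL Labs or a browser check tells you.
last_cert() {
    awk '/^-----BEGIN CERTIFICATE-----/ { buf = "" } { buf = buf $0 "\n" } END { printf "%s", buf }' "$1"
}

# The key must belong to the leaf: compare SubjectPublicKeyInfo blobs, which
# works for RSA and ECDSA alike (comparing moduli is RSA-only).
key_matches_cert() {
    [ "$(openssl pkey -in "$1" -pubout)" = "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# Path validation the way a client does it: anchor on the root, offer the chain
# file as untrusted intermediates, require the leaf to match the hostname
# (this is where the *.sitename.ru wildcard and the bare sitename.ru SAN matter).
chain_verifies() {
    openssl verify -CAfile "$2" -untrusted "$1" -verify_hostname "$3" "$1" >/dev/null 2>&1
}

# All checks on real files: writes fullchain.pem next to the leaf and returns 0
# only if nginx can safely be pointed at it.
check_chain() {
    leaf="$1"; bundle="$2"; key="$3"; host="$4"
    dir=$(dirname "$leaf"); chain="$dir/fullchain.pem"; anchor="$dir/bundle-root.pem"
    build_fullchain "$leaf" "$bundle" "$chain"
    last_cert "$bundle" > "$anchor"
    status=0
    echo "certificates in $chain: $(cert_count "$chain")"
    echo "first certificate (what nginx presents): $(first_subject "$chain")"
    if key_matches_cert "$key" "$leaf"; then echo "key matches leaf: yes"; else echo "key matches leaf: NO"; status=1; fi
    if chain_verifies "$chain" "$anchor" "$host"; then echo "chain valid for $host: yes"; else echo "chain valid for $host: NO"; status=1; fi
    return $status
}

# Throwaway PKI (constructed for the self-test, never for real use) shaped like
# what the CA gave the asker: a leaf for sitename.ru and *.sitename.ru, a bundle
# with the intermediate first and the root last, and a leaf file missing its
# trailing newline, the trap build_fullchain guards against.
make_test_pki() {
    d="$1"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:sitename.ru,DNS:*.sitename.ru\n' > "$d/leaf.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Test Root' \
        -keyout "$d/root.key" -out "$d/root.csr" 2>/dev/null
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
        -extfile "$d/ca.ext" -out "$d/root.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Test Intermediate' \
        -keyout "$d/intermediate.key" -out "$d/intermediate.csr" 2>/dev/null
    openssl x509 -req -in "$d/intermediate.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
        -CAcreateserial -days 2 -extfile "$d/ca.ext" -out "$d/intermediate.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=sitename.ru' \
        -keyout "$d/private.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/intermediate.crt" -CAkey "$d/intermediate.key" \
        -CAcreateserial -days 2 -extfile "$d/leaf.ext" -out "$d/leaf.crt" 2>/dev/null
    cat "$d/intermediate.crt" "$d/root.crt" > "$d/ca_bundle.crt"
    printf '%s' "$(cat "$d/leaf.crt")" > "$d/certificate.crt"   # drop the final newline
}

self_test() {
    d=$(mktemp -d); make_test_pki "$d"
    check_chain "$d/certificate.crt" "$d/ca_bundle.crt" "$d/private.key" www.sitename.ru
    rm -rf "$d"
}

if [ "${1:-}" = "--self-test" ]; then self_test; elif [ "$#" -eq 4 ]; then check_chain "$@"; fi
```

Run it as "sh check_chain.sh --self-test" to watch the checks pass on the constructed PKI, or with the four real paths (certificate.crt, ca_bundle.crt, private.key, sitename.ru) from /etc/ssl/certs/sitename.ru/. If every line says yes, point ssl_certificate at the generated fullchain.pem, leave ssl_certificate_key on private.key, run "nginx -t" and reload. Then confirm what the server actually sends with "openssl s_client -connect sitename.ru:443 -servername sitename.ru -showcerts </dev/null": it should now print more than one certificate. The same ca_bundle.crt is what ssl_trusted_certificate needs when ssl_stapling_verify is on, and certbot's fullchain.pem is this same leaf-plus-chain file, produced automatically.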

ellgooll, 2019-02-25
@ellgooll

Is port 80 open on the server? Plus, in Yandex.Webmaster, as far as I remember, you need to explicitly specify https://.
And it may complain because the cached version of the site has no certificate. Try opening it in incognito mode.

ky0, 2019-02-25
@ky0

https://mozilla.github.io/server-side-tls/ssl-conf...
Notice the ssl_trusted_certificate.
