Chrome browser prompt: Your connection is not a private connection (the website's certificate has expired)
1. The Chrome browser prompts: Your connection is not a private connection, as shown in Figure 1.
Your connection is not a private connection
An attacker may try to steal your information (e.g. password, communication content, or credit card information) from learn-php-app-0605-prod.wangqiang.store. Learn more
NET::ERR_CERT_DATE_INVALID
If you want the highest level of security protection from Chrome, turn on Enhanced protection
learn-php-app-0605-prod.wangqiang.store usually uses encryption technology to protect your information. When Chrome was trying to connect to learn-php-app-0605-prod.wangqiang.store this time, the website sent back abnormal error credentials. This may be because an attacker is trying to impersonate learn-php-app-0605-prod.wangqiang.store, or the Wi-Fi login screen has been interrupted. Please rest assured that your information is still safe, as Chrome stopped the connection before any data exchange was done.
You are currently unable to access learn-php-app-0605-prod.wangqiang.store because this website uses HSTS. Network errors and attacks are usually temporary, so this page may be back to normal later.
2. Reference: https://www.shuijingwanwq.com/2023/07/21/7894/ , the process of switching one website's domain name to another. That switch was done on 2023/06/05, and the current date is 2023/12/11; the site was confirmed to be working normally half a year ago.
3. The Firefox browser prompts: Warning: facing potential security risks. It is likely that the website's certificate has expired, thus preventing Firefox from connecting safely, as shown in Figure 2.
Warning: Facing potential security risks
Firefox detected a problem and did not continue to connect to learn-php-app-0605-prod.wangqiang.store. It may be that the website is configured incorrectly, or your computer clock is set incorrectly.
It is likely that the website's certificate has expired, thus preventing Firefox from connecting safely. If you continue to visit the site, an attacker may try to steal information such as your password, email or credit card.
What can you do?
This problem is mostly related to the website and cannot be solved through your operation. You can feed this issue back to the administrator of this website.
Learn more...
4. Decided to delete the virtual host and then add it again. The first attempt failed at the "verify finished, start to sign" step; the second attempt deleted and added the virtual host successfully, as shown in Figure 3.
Do you want to redirect all http requests to https?[y/n]: Y
Please select domain cert key length.
Enter one of 2048, 3072, 4096, 8192 will issue a RSA cert.
Enter one of EC-256, EC-384, EC-521 will issue a ECC cert.
Please enter your cert key length (default 2048):
[Mon Dec 11 05:42:44 PM CST 2023] Using CA: https://acme.zerossl.com/v2/dv90
[Mon Dec 11 05:42:44 PM CST 2023] single domain=learn-php-app-0605-prod.wangqiang.store
[Mon Dec 11 05:42:44 PM CST 2023] Getting domain auth token for each domain
[Mon Dec 11 05:43:42 PM CST 2023] Getting webroot for domain=learn-php-app-0605-prod.wangqiang.store
[Mon Dec 11 05:43:42 PM CST 2023] Verifying: learn-php-app-0605-prod.wangqiang.store
[Mon Dec 11 05:43:44 PM CST 2023] Processing, the ca is processing your order, please just wait. (1/30)
[Mon Dec 11 05:43:48 PM CST 2023] succeed
[Mon Dec 11 05:43:48 PM CST 2023] verify, start to sign.
[Mon Dec 11 05:43:48 PM CST 2023] Lets finalize the order.
[Mon Dec 11 05:43:48 PM CST 2023] le_orderfinalize=https://acme.zerossl.com/v2/dv90/order/axuzjzhyyoc-v2rj0fm0pq/finalize
[Mon Dec 11 05:44:51 PM CST 2023] sign failed, finalize code is not 200.
[Mon Dec 11 05:44:51 PM CST 2023] <html>
<head><title>504 Gateway Time-out</title></head>
<body>
<center><h1>504 Gateway Time-out</h1></center>
<hr><center>nginx</center>
</body>
</html>
[Mon Dec 11 05:44:51 PM CST 2023] Please add '--debug' or '--log' to check more details.
[Mon Dec 11 05:44:51 PM CST 2023] See: https://github.com/acmesh-official/acme.sh/wiki/how-to-debug-acme.sh
Do you want to add hotlink protection?[y/n]: Y
[root@iZ23wv7v5ggZ ~]# ~/oneinstack/vhost.sh --del
#######################################################################
#   OneInStack for CentOS/RedHat 7+ Debian 9+ and Ubuntu 16+          #
#   For more information please visit https://oneinstack.com          #
#######################################################################
virtualhost list:
learn-php-app-0605-prod.wangqiang.store
www.shuijingwanwq.com
Please input a domain you want to delete: learn-php-app-0605-prod.wangqiang.store
Do you want to delete virtual host directory?[y/n]: n
domain: learn-php-app-0605-prod.wangqiang.store has been deleted.
[root@iZ23wv7v5ggZ ~]# ~/oneinstack/vhost.sh
#######################################################################
#   OneInStack for CentOS/RedHat 7+ Debian 9+ and Ubuntu 16+          #
#   For more information please visit https://oneinstack.com          #
#######################################################################
What are you doing?
1. Use HTTP only
2. Use your own SSL certificate and key
3. Use Let's Encrypt to create SSL certificate and key
q. exit
Please input the correct option: 3
Please input domain(example: www.example.com): learn-php-app-0605-prod.wangqiang.store
domain=learn-php-app-0605-prod.wangqiang.store
Please input the directory for the domain:learn-php-app-0605-prod.wangqiang.store :
(default directory: /data/wwwroot/learn-php-app-0605-prod.wangqiang.store): /data/wwwroot/learn-php-app-0605-prod.shuijingwanwq.com
Create virtual host directory...
Set permissions of virtual host directory...
Do you want to add more domain name?[y/n]: n
Do you want to redirect all http requests to https?[y/n]: Y
Please select domain cert key length.
Enter one of 2048, 3072, 4096, 8192 will issue a RSA cert.
Enter one of EC-256, EC-384, EC-521 will issue a ECC cert.
Please enter your cert key length (default 2048):
[Tue Dec 12 09:45:48 AM CST 2023] Using CA: https://acme.zerossl.com/v2/dv90
[Tue Dec 12 09:45:48 AM CST 2023] single domain=learn-php-app-0605-prod.wangqiang.store
[Tue Dec 12 09:45:48 AM CST 2023] Getting domain auth token for each domain
[Tue Dec 12 09:47:19 AM CST 2023] Getting webroot for domain=learn-php-app-0605-prod.wangqiang.store
[Tue Dec 12 09:47:19 AM CST 2023] Verifying: learn-php-app-0605-prod.wangqiang.store
[Tue Dec 12 09:47:50 AM CST 2023] Processing, the ca is processing your order, please just wait. (1/30)
[Tue Dec 12 09:48:16 AM CST 2023] succeed
[Tue Dec 12 09:48:16 AM CST 2023] verify, start to sign.
[Tue Dec 12 09:48:16 AM CST 2023] Lets finalize the order.
[Tue Dec 12 09:48:16 AM CST 2023] le_orderfinalize=https://acme.zerossl.com/v2/dv90/order/vngx1i061glkvkou91rutg/finalize
[Tue Dec 12 09:48:46 AM CST 2023] Order status is processing, lets sleep and retry.
[Tue Dec 12 09:48:46 AM CST 2023] Retry After: 15
[Tue Dec 12 09:49:02 AM CST 2023] polling order status: https://acme.zerossl.com/v2/dv90/order/vngx1i061glkvkou91rutg
[Tue Dec 12 09:49:32 AM CST 2023] downloading cert.
[Tue Dec 12 09:49:32 AM CST 2023] le_linkcert=https://acme.zerossl.com/v2/dv90/cert/foxlshbazt9i7vwqos2w7g
[Tue Dec 12 09:50:06 AM CST 2023] cert success.
-----BEGIN CERTIFICATE-----
xxxxxxxxxx
-----END CERTIFICATE-----
[Tue Dec 12 09:50:06 AM CST 2023] Your cert is in: /root/.acme.sh/learn-php-0605-prod.wangqiang.store/learn-php-app-0605-prod.wangqiang.store.cer
[Tue Dec 12 09:50:06 AM CST 2023] Your cert key is in: /root/.acme.sh/learn-php-0605-prod.wangqiang.store/learn-php-app-0605-prod.wangqiang.store.key
[Tue Dec 12 09:50:06 AM CST 2023] The intermediate CA cert is in: /root/.acme.sh/learn-php-app-0605-prod.wangqiang.store/ca.cer
[Tue Dec 12 09:50:06 AM CST 2023] And the full chain certs is there: /root/.acme.sh/learn-php-app-0605-prod.wangqiang.store/fullchain.cer
Do you want to add hotlink protection?[y/n]: Y
Allow rewrite rule?[y/n]: Y
Please input the rewrite of program :
WordPress, OpenCart, Magento2, Drupal, Joomla, CodeIgniter, Laravel
thinkphp, pathinfo, Discuz, typecho, ecshop, nextcloud, zblog, whmcs rewrite was exist.
(default rewrite: other): Laravel
you choose rewrite=laravel
allow nginx/tengine/openresty access_log?[y/n]: Y
you access log file=/data/wwwlogs/learn-php-app-0605-prod.wangqiang.store_nginx.log
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
Reload nginx......
#######################################################################
#   OneInStack for CentOS/RedHat 7+ Debian 9+ and Ubuntu 16+          #
#   For more information please visit https://oneinstack.com          #
#######################################################################
Your domain: learn-php-app-0605-prod.wangqiang.store
Virtualhost conf: /usr/local/nginx/conf/vhost/learn-php-app-0605-prod.wangqiang.store.conf
Directory of: /data/wwwroot/learn-php-app-0605-prod.shuijingwanwq.com
Rewrite rule: /usr/local/nginx/conf/rewrite/laravel.conf
Let's Encrypt SSL certificate: /usr/local/nginx/conf/ssl/learn-php-app-0605-prod.wangqiang.store.crt
SSL private key: /usr/local/nginx/conf/ssl/learn-php-app-0605-prod.wangqiang.store.key
5. Edit the nginx virtual host configuration file as needed (here the root directive is changed) and restart the nginx service, as shown in Figure 4.
server {
  listen 80;
  listen [::]:80;
  listen 443 ssl http2;
  listen [::]:443 ssl http2;
  # Certificate and key copied by vhost.sh from the acme.sh output directory
  ssl_certificate /usr/local/nginx/conf/ssl/learn-php-app-0605-prod.wangqiang.store.crt;
  ssl_certificate_key /usr/local/nginx/conf/ssl/learn-php-app-0605-prod.wangqiang.store.key;
  ssl_protocols TLSv1.2 TLSv1.3;
  ssl_ecdh_curve X25519:prime256v1:secp384r1:secp521r1;
  ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256;
  ssl_conf_command Ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256;
  ssl_conf_command Options PrioritizeChaCha;
  ssl_prefer_server_ciphers on;
  ssl_session_timeout 10m;
  ssl_session_cache shared:SSL:10m;
  ssl_buffer_size 2k;
  # HSTS: once a browser has seen this header it refuses to bypass certificate errors for the host
  add_header Strict-Transport-Security max-age=15768000;
  ssl_stapling on;
  ssl_stapling_verify on;
  server_name learn-php-app-0605-prod.wangqiang.store;
  access_log /data/wwwlogs/learn-php-app-0605-prod.wangqiang.store_nginx.log combined;
  index index.html index.htm index.php;
  # Root changed to the Laravel public directory of the site
  root /data/wwwroot/learn-php-app-0605-prod.shuijingwanwq.com/public;
  # Redirect plain HTTP requests to HTTPS
  if ($ssl_protocol = "") { return 301 https://$host$request_uri; }
  include /usr/local/nginx/conf/rewrite/laravel.conf;
  #error_page 404 /404.html;
  #error_page 502 /502.html;
  # Hotlink protection for media files
  location ~ .*\.(wma|wmv|asf|mp3|mmf|zip|rar|jpg|gif|png|swf|flv|mp4)$ {
    valid_referers none blocked *.wangqiang.store learn-php-app-0605-prod.wangqiang.store;
    if ($invalid_referer) {
      return 403;
    }
  }
  location ~ [^/]\.php(/|$) {
    #fastcgi_pass remote_php_ip:9000;
    fastcgi_pass unix:/dev/shm/php-cgi.sock;
    fastcgi_index index.php;
    include fastcgi.conf;
  }
  location ~ .*\.(gif|jpg|jpeg|png|bmp|swf|flv|mp4|ico)$ {
    expires 30d;
    access_log off;
  }
  location ~ .*\.(js|css)?$ {
    expires 7d;
    access_log off;
  }
  # Deny access to dotfiles and project metadata
  location ~ /(\.user\.ini|\.ht|\.git|\.svn|\.project|license|readme\.md) {
    deny all;
  }
  # Keep the ACME HTTP-01 challenge path reachable for renewals
  location /.well-known {
    allow all;
  }
}
[root@iZ23wv7v5ggZ ~]# service nginx restart
Redirecting to /bin/systemctl restart nginx.service
6. Open https://learn-php-app-0605-prod.wangqiang.store/robots.txt . It loads normally in both Chrome and Firefox, as shown in Figure 5.
7. Investigating the root cause: the certificate is issued by Let's Encrypt. Let's Encrypt is a global certificate authority (CA) that provides individuals and organizations around the world with services to obtain, renew and manage SSL/TLS certificates. Reference: Let's Encrypt FAQ, https://letsencrypt.org/en-cn/docs/faq/ . The certificate is valid for 90 days; the reasons behind this can be read there. This period cannot be adjusted, and there are no exceptions. The FAQ recommends renewing the certificate automatically every 60 days (when the next certificate is about to expire, I hope to find a way to renew automatically instead of deleting and then re-adding the virtual host), as shown in Figure 6.
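An added example (not part of the original post, OneInStack or acme.sh) of the in-place renewal the author is looking for: check how many days the installed certificate has left and, below a threshold, let acme.sh renew it and install the new files at the paths vhost.sh printed above, then reload nginx. It assumes acme.sh lives in ~/.acme.sh as in the log above, that the domain conf acme.sh kept from the first issuance still exists (the log shows it was issued against the ZeroSSL ACME endpoint; `--renew` reuses whichever CA is recorded there), and that GNU `date` and `openssl` are available.

```bash
#!/usr/bin/env bash
# Added example: renew the certificate in place instead of deleting and
# re-adding the virtual host. Hypothetical script, not from OneInStack.
set -eu

DOMAIN="learn-php-app-0605-prod.wangqiang.store"
SSL_DIR="/usr/local/nginx/conf/ssl"   # paths printed by vhost.sh above
THRESHOLD_DAYS=30                     # renew when fewer days remain

# Print whole days until the PEM certificate in $1 expires.
# Negative means already expired (the NET::ERR_CERT_DATE_INVALID case).
cert_days_left() {
  local not_after end now
  not_after=$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2)
  end=$(date -u -d "$not_after" +%s)
  now=$(date -u +%s)
  echo $(( (end - now) / 86400 ))
}

# Exit status 0 when a certificate with $1 days left should be renewed.
should_renew() {
  [ "$1" -lt "$THRESHOLD_DAYS" ]
}

# Renew with acme.sh and copy the new files where nginx already looks,
# then reload nginx (no restart, no vhost deletion). --install-cert also
# records these paths so the acme.sh cron job installs future renewals.
renew_and_install() {
  ~/.acme.sh/acme.sh --renew -d "$DOMAIN" --force
  ~/.acme.sh/acme.sh --install-cert -d "$DOMAIN" \
    --fullchain-file "$SSL_DIR/$DOMAIN.crt" \
    --key-file       "$SSL_DIR/$DOMAIN.key" \
    --reloadcmd      "/usr/local/nginx/sbin/nginx -t && systemctl reload nginx"
}

main() {
  local left
  left=$(cert_days_left "$SSL_DIR/$DOMAIN.crt")
  echo "$DOMAIN: $left day(s) left"
  if should_renew "$left"; then renew_and_install; else echo "no renewal needed"; fi
}

# Only act when invoked as "script.sh run", so the functions can be sourced.
if [ "${1:-}" = "run" ]; then main; fi
```

Run it from cron (for example daily with the `run` argument) so the 60-day renewal the FAQ recommends happens without manual steps.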