Bonjour,

J'ai un domaine : https://usbelgium.be/ ; j'utilise Let's encrypt pour le SSL mais d'un coup ça a décidé de ne plus fonctionner. La configuration est la même que sur mon second domaine où là le SSL fonctionne correctement : https://site-concept.eu/ !

Avez-vous une idée d'où est-ce que je dois modifier quelque chose ?

Mes deux certificats sont à jour

    root@vps524901:/# /opt/letsencrypt/letsencrypt-auto renew
    Saving debug log to /var/log/letsencrypt/letsencrypt.log

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Processing /etc/letsencrypt/renewal/site-concept.eu.conf
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Cert not yet due for renewal

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Processing /etc/letsencrypt/renewal/usbelgium.be.conf
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Cert not yet due for renewal

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    The following certs are not due for renewal yet:
      /etc/letsencrypt/live/site-concept.eu/fullchain.pem expires on 2019-11-09 (skipped)
      /etc/letsencrypt/live/usbelgium.be/fullchain.pem expires on 2019-11-09 (skipped)
    No renewals were attempted.```

Niveau config NGINX j'appel bien les fichiers et je n'ai aucune log d'erreur...
server {
    listen 80;
    listen [::]:80; 
    server_name  www.usbelgium.be usbelgium.be *.usbelgium.be;
    root /home/siteconcept/;

    location ~ /\.well-known/acme-challenge {
        allow all;
        root /home/usbelgium/;
    }

    location / {
        return 301 https://usbelgium.be$request_uri; 
    }
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name  www.usbelgium.be usbelgium.be *.usbelgium.be;
    root /home/usbelgium/;
    index index.php index.html index.htm;

    # ------------------------------------
    # ----------- SSL
    # ------------------------------------
    ssl on;
    ssl_certificate /etc/letsencrypt/live/usbelgium.be/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/usbelgium.be/privkey.pem;

    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/live/usbelgium.be/fullchain.pem;
    # Google DNS, Open DNS, Dyn DNS
    resolver 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 216.146.35.35 216.146.36.36 valid=300s;
    resolver_timeout 3s;

    #### Session Tickets
    # Session Cache doit avoir la même valeur sur tous les blocs "server".
    ssl_session_cache shared:SSL:100m;
    ssl_session_timeout 24h;
    ssl_session_tickets on;
    # [ATTENTION] il faudra générer le ticket de session.
    ssl_session_ticket_key /etc/nginx/ssl/ticket.key;
    # [ATTENTION] Les paramètres Diffie-Helman doivent être générés
    ssl_dhparam /etc/nginx/ssl/dhparam4.pem;

    #### ECDH Curve
    ssl_ecdh_curve secp384r1;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';

    location ~ /\.well-known/acme-challenge {
        allow all;
        root /home/usbelgium/;
    }

    # ------------------------------------
    # ----------- HEADER
    # ------------------------------------
    add_header Strict-Transport-Security max-age=63072000;
    add_header Public-Key-Pins 'pin-sha256=\"RyVHLvC/L9OizFGYr+ujdCAdQL2vpmbquWSVwagQOzE=\"; pin-sha256=\"EohwrK1N7rr3bRQphPj4j2cel+B2d0NNbM9PWHNDXpM=\"; max-age=25920; includeSubDomains';
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Frame-Options "SAMEORIGIN";
    add_header Content-Security-Policy': "script-src 'self' 'unsafe-inline' https://*.googleapis.com https://maps.gstatic.com 'unsafe-eval'";

    # ------------------------------------
    # ----------- COMPRESSION
    # ------------------------------------
    gzip on;
    gzip_comp_level 5;
    gzip_min_length 1000;
    gzip_proxied any;
    gzip_buffers 4 32k;
    gzip_vary on;
    gzip_types
            application/atom+xml
            application/javascript
            application/json
            application/ld+json
            application/manifest+json
            application/rss+xml
            application/vnd.geo+json
            application/vnd.ms-fontobject
            application/x-font-ttf
            application/x-web-app-manifest+json
            application/xhtml+xml
            application/xml
            font/opentype
            image/bmp
            image/svg+xml
            image/x-icon
            text/cache-manifest
            text/css
            text/plain
            text/vcard
            text/vnd.rim.location.xloc
            text/vtt
            text/x-component
            text/x-cross-domain-policy;

    # ------------------------------------
    # ----------- CACHE
    # ------------------------------------
    location ~* .(html|css|js|png|jpg|jpeg|gif|ico|svg|eot|woff|woff2|ttf)$ {
        expires 10d;
    }

    open_file_cache max=2000 inactive=5m;
    open_file_cache_valid 2m;
    open_file_cache_min_uses 2;
    open_file_cache_errors on;

    location ~* \.(jpg|jpeg|gif|png|css|js|ico|xml)$ {
        access_log        off;
        log_not_found     off;
        expires           10d;
    }

    # ------------------------------------
    # ----------- PROTECTION
    # ------------------------------------
    # On interdit les dotfiles
    location ~ /\ { deny all; }
    location ~ /package { deny all; }
    location ~ /node_modules { deny all; }
    location ~ /templates { deny all; }

    # ------------------------------------
    # ----------- PHP ET REDIRECTION
    # ------------------------------------       
    location / {
        try_files $uri /index.php?page=$uri;
        aio threads;
    }

    location /admin {
        index  index.html index.htm index.php;
    }

    location /py {
        index  index.html index.htm index.php;
    }

    location /mail {
        try_files $uri $uri/ /index.php;
    }

    location ~* \.php$ {
        try_files $uri =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass    unix:/run/php/php7.0-fpm.sock;
        fastcgi_index   index.php;
        include         fastcgi_params;
        fastcgi_param   SCRIPT_FILENAME    $document_root$fastcgi_script_name;
    }
}```

Merci d'avance !

4 réponses


Je relance !

Je relance !

Je relance

Je relance !