Bonjour,
J'ai un domaine : https://usbelgium.be/ ; j'utilise Let's encrypt pour le SSL mais d'un coup ça a décidé de ne plus fonctionner. La configuration est la même que sur mon second domaine où là le SSL fonctionne correctement : https://site-concept.eu/ !
Avez-vous une idée d'où est-ce que je dois modifier quelque chose ?
Mes deux certificats sont à jour
root@vps524901:/# /opt/letsencrypt/letsencrypt-auto renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/site-concept.eu.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/usbelgium.be.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The following certs are not due for renewal yet:
/etc/letsencrypt/live/site-concept.eu/fullchain.pem expires on 2019-11-09 (skipped)
/etc/letsencrypt/live/usbelgium.be/fullchain.pem expires on 2019-11-09 (skipped)
No renewals were attempted.```
Niveau config NGINX j'appel bien les fichiers et je n'ai aucune log d'erreur...
server {
listen 80;
listen [::]:80;
server_name www.usbelgium.be usbelgium.be *.usbelgium.be;
root /home/siteconcept/;
location ~ /\.well-known/acme-challenge {
allow all;
root /home/usbelgium/;
}
location / {
return 301 https://usbelgium.be$request_uri;
}
}
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name www.usbelgium.be usbelgium.be *.usbelgium.be;
root /home/usbelgium/;
index index.php index.html index.htm;
# ------------------------------------
# ----------- SSL
# ------------------------------------
ssl on;
ssl_certificate /etc/letsencrypt/live/usbelgium.be/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/usbelgium.be/privkey.pem;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/letsencrypt/live/usbelgium.be/fullchain.pem;
# Google DNS, Open DNS, Dyn DNS
resolver 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 216.146.35.35 216.146.36.36 valid=300s;
resolver_timeout 3s;
#### Session Tickets
# Session Cache doit avoir la même valeur sur tous les blocs "server".
ssl_session_cache shared:SSL:100m;
ssl_session_timeout 24h;
ssl_session_tickets on;
# [ATTENTION] il faudra générer le ticket de session.
ssl_session_ticket_key /etc/nginx/ssl/ticket.key;
# [ATTENTION] Les paramètres Diffie-Helman doivent être générés
ssl_dhparam /etc/nginx/ssl/dhparam4.pem;
#### ECDH Curve
ssl_ecdh_curve secp384r1;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
location ~ /\.well-known/acme-challenge {
allow all;
root /home/usbelgium/;
}
# ------------------------------------
# ----------- HEADER
# ------------------------------------
add_header Strict-Transport-Security max-age=63072000;
add_header Public-Key-Pins 'pin-sha256=\"RyVHLvC/L9OizFGYr+ujdCAdQL2vpmbquWSVwagQOzE=\"; pin-sha256=\"EohwrK1N7rr3bRQphPj4j2cel+B2d0NNbM9PWHNDXpM=\"; max-age=25920; includeSubDomains';
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header X-Frame-Options "SAMEORIGIN";
add_header Content-Security-Policy': "script-src 'self' 'unsafe-inline' https://*.googleapis.com https://maps.gstatic.com 'unsafe-eval'";
# ------------------------------------
# ----------- COMPRESSION
# ------------------------------------
gzip on;
gzip_comp_level 5;
gzip_min_length 1000;
gzip_proxied any;
gzip_buffers 4 32k;
gzip_vary on;
gzip_types
application/atom+xml
application/javascript
application/json
application/ld+json
application/manifest+json
application/rss+xml
application/vnd.geo+json
application/vnd.ms-fontobject
application/x-font-ttf
application/x-web-app-manifest+json
application/xhtml+xml
application/xml
font/opentype
image/bmp
image/svg+xml
image/x-icon
text/cache-manifest
text/css
text/plain
text/vcard
text/vnd.rim.location.xloc
text/vtt
text/x-component
text/x-cross-domain-policy;
# ------------------------------------
# ----------- CACHE
# ------------------------------------
location ~* .(html|css|js|png|jpg|jpeg|gif|ico|svg|eot|woff|woff2|ttf)$ {
expires 10d;
}
open_file_cache max=2000 inactive=5m;
open_file_cache_valid 2m;
open_file_cache_min_uses 2;
open_file_cache_errors on;
location ~* \.(jpg|jpeg|gif|png|css|js|ico|xml)$ {
access_log off;
log_not_found off;
expires 10d;
}
# ------------------------------------
# ----------- PROTECTION
# ------------------------------------
# On interdit les dotfiles
location ~ /\ { deny all; }
location ~ /package { deny all; }
location ~ /node_modules { deny all; }
location ~ /templates { deny all; }
# ------------------------------------
# ----------- PHP ET REDIRECTION
# ------------------------------------
location / {
try_files $uri /index.php?page=$uri;
aio threads;
}
location /admin {
index index.html index.htm index.php;
}
location /py {
index index.html index.htm index.php;
}
location /mail {
try_files $uri $uri/ /index.php;
}
location ~* \.php$ {
try_files $uri =404;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/run/php/php7.0-fpm.sock;
fastcgi_index index.php;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
}
}```
Merci d'avance !