duy13 / vDDoS-Protection

Welcome to vDDoS, a HTTP(S) DDoS Protection Reverse Proxy. Thank you for using!
https://vddos.voduy.com

Error 526 Invalid SSL certificate with CloudFlare Strict SSL #26

Closed robert1112 closed 6 years ago

robert1112 commented 6 years ago

Hi

I got a Let's Encrypt SSL for my domain with CloudFlare Strict SSL enabled. Then I got Error 526 after implementing the vDDoS proxy in front. Is it related to /vddos/ssl/your-domain.com.pri and /vddos/ssl/your-domain.com.crt? I used the values in website.conf. Thank you.

I used it in production and I got DDoSed just now, and it really works against Layer 7 attacks. I appreciate your work.

duy13 commented 6 years ago

Give me website.conf information and screenshot in Crypto Cloudflare SSL

cat /vddos/website.conf


duy13 commented 6 years ago

In vDDoS, please request a Let's Encrypt certificate for the domain using the following command: (It will automatically renew)

root@vddos # vddos start
root@vddos # /root/.acme.sh/acme.sh --issue -d voduy.com -d www.voduy.com -w /vddos/letsencrypt

Documentation of that tool (acme.sh): https://github.com/Neilpang/acme.sh

The SSL certificate is located at:

[Mon Sep 18 09:34:32 UTC 2017] Your cert is in  /root/.acme.sh/voduy.com/voduy.com.cer
[Mon Sep 18 09:34:32 UTC 2017] Your cert key is in  /root/.acme.sh/voduy.com/voduy.com.key
[Mon Sep 18 09:34:38 UTC 2017] The intermediate CA cert is in  /root/.acme.sh/voduy.com/ca.cer
[Mon Sep 18 09:34:38 UTC 2017] And the full chain certs is there:  /root/.acme.sh/voduy.com/fullchain.cer
/root/.acme.sh/voduy.com/fullchain.cer is CRT KEY
/root/.acme.sh/voduy.com/voduy.com.key is PRI KEY

robert1112 commented 6 years ago

Hi @duy13, thanks so much for your support. Just to clarify before I do anything stupid. 😄

After creating SSL, I should put these links in vddos/website.conf to replace original /vddos/ssl/your-domain.com.pri and /vddos/ssl/your-domain.com.crt? Correct? Thank you very much. 👍

/root/.acme.sh/mydomain.com/fullchain.cer is CRT KEY
/root/.acme.sh/mydomain.com/voduy.com.key is PRI KEY

robert1112 commented 6 years ago

Hi, I followed this and created the keys. Below is the config I used. I switched it to strict SSL, but it still shows Cloudflare SSL. Thank you.

# Website  Listen               Backend            Cache  Security  SSL-Prikey                                    SSL-CRTkey
default    http://0.0.0.0:80    http://my.ip:80    no     5s        no                                            no
default    https://0.0.0.0:443  https://my.ip:443  no     5s        /root/.acme.sh/mydomain.com/mydomain.com.key  /root/.acme.sh/mydomain.com/fullchain.cer

duy13 commented 6 years ago

Of course it is always Cloudflare SSL: when you proxy through Cloudflare, it always uses Cloudflare's SSL. You have to turn off the "yellow cloud" to be able to use the Let's Encrypt SSL.

robert1112 commented 6 years ago

Turning off "yellow cloud" to be able to use Let's Encrypt SSL, is there any benefit?
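
Added example, not part of the thread or of the vDDoS project: a shell check for the SSL-Prikey and SSL-CRTkey files named on the https rows of website.conf, confirming that the key matches the leaf certificate, that the certificate has not expired, and that it covers the hostname. The function names are hypothetical, the column layout is assumed to be the one shown in the thread, and trust of the issuing CA and revocation are not checked.

```shell
#!/bin/sh
# Added example (hypothetical helper names); requires the openssl CLI.

# check_origin_cert KEY CERT HOST -> 0 if the pair is usable for HOST
check_origin_cert() {
    key=$1; cert=$2; host=$3
    [ -r "$key" ] && [ -r "$cert" ] || { echo "unreadable: $key or $cert"; return 2; }
    # With a fullchain file, openssl x509 reads the first (leaf) certificate.
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    crt_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    # Empty output means a parse failure; never treat that as a match.
    if [ -z "$key_pub" ] || [ "$key_pub" != "$crt_pub" ]; then
        echo "private key does not match certificate: $cert"; return 3
    fi
    # -checkend 0 exits non-zero if the certificate has already expired.
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null ||
        { echo "certificate expired: $cert"; return 4; }
    # -checkhost prints "does match" or "does NOT match".
    openssl x509 -in "$cert" -noout -checkhost "$host" | grep -q "does match" ||
        { echo "certificate does not cover $host"; return 5; }
    echo "ok: $cert matches $key and covers $host"
}

# check_vddos_conf CONF HOST: run the check on every https:// listener row.
check_vddos_conf() {
    conf=$1; host=$2; rc=0; rows=0
    while read -r site listen backend cache security prikey crtkey; do
        case $site in ''|\#*) continue ;; esac          # skip blanks and comments
        case $listen in https://*) ;; *) continue ;; esac
        rows=$((rows + 1))
        check_origin_cert "$prikey" "$crtkey" "$host" || rc=$?
    done < "$conf"
    [ "$rows" -gt 0 ] || { echo "no https rows in $conf"; return 1; }
    return $rc
}
```

Run it as `check_vddos_conf /vddos/website.conf your-domain.com` after sourcing the file; a non-zero return identifies which of the three checks failed.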