diff --git a/docs/troubleshooting/www-subdomain-ssl-fix.md b/docs/troubleshooting/www-subdomain-ssl-fix.md new file mode 100644 index 0000000..44a62bc --- /dev/null +++ b/docs/troubleshooting/www-subdomain-ssl-fix.md 
@@ -0,0 +1,172 @@ +# WWW Subdomain SSL Fix — Cloudflare Origin Certificate + +**Date:** March 26, 2026 +**Issue:** www.firefrostgaming.com returned SSL error 526 (invalid certificate) +**Resolution:** Installed Cloudflare Origin Certificate for both domains +**Completed By:** The Verifier (Chronicler #42) + Michael + +--- + +## Problem + +- `firefrostgaming.com` worked ✅ +- `www.firefrostgaming.com` failed with SSL error 526 ❌ + +**Root cause:** +- Cloudflare DNS had CNAME: `www.firefrostgaming.com` → `firefrostgaming.com` (proxied) +- Cloudflare SSL/TLS mode: Full (strict) +- Origin server (Ghost VPS) had no certificate for `www.firefrostgaming.com` +- Error 526: "Cloudflare can't validate SSL certificate on origin server" + +--- + +## Why Full (Strict) Mode? + +**Full (strict) mode requirements:** +- Cloudflare validates origin server's SSL certificate +- More secure than Flexible mode (Cloudflare only) +- Required for end-to-end encryption + +**We maintained Full (strict) mode** rather than downgrading to Flexible. + +--- + +## Solution: Cloudflare Origin Certificate + +### Step 1: Generate Certificate in Cloudflare + +**In Cloudflare Dashboard:** +1. Go to SSL/TLS → Origin Server +2. Click "Create Certificate" +3. Configure: + - Private key type: RSA (2048) + - Hostnames: `firefrostgaming.com`, `www.firefrostgaming.com`, `*.firefrostgaming.com` + - Validity: 15 years +4. Click "Create" +5. 
Copy both certificate and private key + +### Step 2: Install on Ghost VPS + +**Create certificate file:** +```bash +sudo nano /etc/ssl/certs/cloudflare-firefrostgaming.pem +``` +Paste the Origin Certificate (begins with `-----BEGIN CERTIFICATE-----`) + +**Create private key file:** +```bash +sudo nano /etc/ssl/private/cloudflare-firefrostgaming.key +``` +Paste the Private Key (begins with `-----BEGIN PRIVATE KEY-----`) + +**Set permissions:** +```bash +sudo chmod 600 /etc/ssl/private/cloudflare-firefrostgaming.key +``` + +### Step 3: Update Nginx Configuration + +**File:** `/etc/nginx/sites-available/firefrostgaming.com-ssl.conf` + +**Changed:** +```nginx +server_name firefrostgaming.com; # OLD +server_name firefrostgaming.com www.firefrostgaming.com; # NEW + +ssl_certificate /etc/letsencrypt/firefrostgaming.com/fullchain.cer; # OLD +ssl_certificate /etc/ssl/certs/cloudflare-firefrostgaming.pem; # NEW + +ssl_certificate_key /etc/letsencrypt/firefrostgaming.com/firefrostgaming.com.key; # OLD +ssl_certificate_key /etc/ssl/private/cloudflare-firefrostgaming.key; # NEW +``` + +**Full updated config:** +```nginx +map $status $header_content_type_options { + 204 ""; + default "nosniff"; +} + +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + + # Handle both firefrostgaming.com and www.firefrostgaming.com + server_name firefrostgaming.com www.firefrostgaming.com; + + root /var/www/firefrost/system/nginx-root; + + # Cloudflare Origin Certificate + ssl_certificate /etc/ssl/certs/cloudflare-firefrostgaming.pem; + ssl_certificate_key /etc/ssl/private/cloudflare-firefrostgaming.key; + + include /etc/nginx/snippets/ssl-params.conf; + + location / { + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header Host $http_host; + proxy_pass http://127.0.0.1:2368; + add_header X-Content-Type-Options $header_content_type_options; + } + + client_max_body_size 
1g; +} +``` + +### Step 4: Test and Reload + +```bash +sudo nginx -t +sudo systemctl reload nginx +``` + +--- + +## Verification + +**Test both URLs:** +- https://firefrostgaming.com ✅ +- https://www.firefrostgaming.com ✅ + +Both should work with no SSL errors. + +**Check Cloudflare SSL mode:** +- Should still be "Full (strict)" ✅ + +--- + +## Benefits of This Solution + +1. **15-year validity** — No renewal required for 15 years +2. **Wildcard coverage** — `*.firefrostgaming.com` covered if needed +3. **Full (strict) maintained** — Security posture unchanged +4. **Works with Cloudflare proxy** — Designed specifically for Full (strict) mode +5. **No Let's Encrypt dependency** — Origin certificate is Cloudflare-managed + +--- + +## File Locations + +**Certificate files:** +- Certificate: `/etc/ssl/certs/cloudflare-firefrostgaming.pem` +- Private key: `/etc/ssl/private/cloudflare-firefrostgaming.key` + +**Nginx config:** +- `/etc/nginx/sites-available/firefrostgaming.com-ssl.conf` +- Symlinked from: `/etc/nginx/sites-enabled/firefrostgaming.com-ssl.conf` + +--- + +## Related Documentation + +- Cloudflare Origin Certificates: https://developers.cloudflare.com/ssl/origin-configuration/origin-ca/ +- Cloudflare SSL/TLS modes: https://developers.cloudflare.com/ssl/origin-configuration/ssl-modes/ + +--- + +**Fire + Frost + Arcane + Verification = Truth** ✅🔥❄️⚡ + +**Documented By:** The Verifier (Chronicler #42) +**Date:** March 26, 2026, 8:15 PM CST
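Review bot: In Step 2 the private key is created with `sudo nano /etc/ssl/private/cloudflare-firefrostgaming.key` and only afterwards tightened with `chmod 600`, so the file briefly exists with the default umask permissions and the doc never states the expected owner; suggest creating it restricted from the start (for example `sudo install -m 600 -o root -g root /dev/null /etc/ssl/private/cloudflare-firefrostgaming.key` and then editing it, or running `umask 077` in that shell first) and recording the intended `root:root 0600` ownership under "File Locations". Two documentation gaps in the same hunk: the "Benefits" list claims "No Let's Encrypt dependency", but the old `/etc/letsencrypt/firefrostgaming.com/*` files and whatever renewal job produced `fullchain.cer` are never mentioned as disabled or removed, so a later renewal could silently keep writing certs nobody serves; and the "Verification" section only lists browser URLs, whereas a local check such as `sudo openssl x509 -in /etc/ssl/certs/cloudflare-firefrostgaming.pem -noout -subject -ext subjectAltName -enddate` would confirm the installed file actually carries both `firefrostgaming.com` and `www.firefrostgaming.com` (browser tests through the proxy show Cloudflare's edge certificate, not the origin one). Finally, since an Origin CA certificate is trusted only by Cloudflare, it would help readers to note that direct-to-origin requests will show an untrusted certificate by design and that the origin should continue to accept traffic only via the proxy.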