firefrost-operations-manual/docs/troubleshooting/www-subdomain-ssl-fix.md
Claude 25b3f5348b docs: Document www subdomain SSL fix (Cloudflare Origin Certificate)
Fixed SSL error 526 on www.firefrostgaming.com while maintaining Full
(strict) mode.

Solution: Cloudflare Origin Certificate
- 15-year validity
- Covers firefrostgaming.com, www.firefrostgaming.com, *.firefrostgaming.com
- Maintains Full (strict) encryption mode
- No Let's Encrypt renewals needed

Changed:
- Nginx server_name: added www.firefrostgaming.com
- SSL certificate: /etc/ssl/certs/cloudflare-firefrostgaming.pem
- SSL key: /etc/ssl/private/cloudflare-firefrostgaming.key

Verified: Both firefrostgaming.com and www.firefrostgaming.com working

Completed: March 26, 2026, 8:15 PM CST
By: The Verifier (Chronicler #42) + Michael
2026-03-27 01:08:19 +00:00


WWW Subdomain SSL Fix — Cloudflare Origin Certificate

Date: March 26, 2026
Issue: www.firefrostgaming.com returned SSL error 526 (invalid certificate)
Resolution: Installed Cloudflare Origin Certificate for both domains
Completed By: The Verifier (Chronicler #42) + Michael


Problem

  • firefrostgaming.com worked
  • www.firefrostgaming.com failed with SSL error 526

Root cause:

  • Cloudflare DNS had CNAME: www.firefrostgaming.com → firefrostgaming.com (proxied)
  • Cloudflare SSL/TLS mode: Full (strict)
  • Origin server (Ghost VPS) had no certificate for www.firefrostgaming.com
  • Error 526: "Cloudflare can't validate SSL certificate on origin server"

Why Full (Strict) Mode?

Full (strict) mode requirements:

  • Cloudflare validates the origin server's SSL certificate on every connection
  • More secure than Flexible mode, which encrypts only the visitor-to-Cloudflare hop and sends traffic to the origin over plain HTTP
  • Required for end-to-end encryption (visitor → Cloudflare → origin)

We maintained Full (strict) mode rather than downgrading to Flexible.


Solution: Cloudflare Origin Certificate

Step 1: Generate Certificate in Cloudflare

In Cloudflare Dashboard:

  1. Go to SSL/TLS → Origin Server
  2. Click "Create Certificate"
  3. Configure:
    • Private key type: RSA (2048)
    • Hostnames: firefrostgaming.com, www.firefrostgaming.com, *.firefrostgaming.com
    • Validity: 15 years
  4. Click "Create"
  5. Copy both certificate and private key

Step 2: Install on Ghost VPS

Create certificate file:

sudo nano /etc/ssl/certs/cloudflare-firefrostgaming.pem

Paste the Origin Certificate (begins with -----BEGIN CERTIFICATE-----)

Create private key file:

sudo nano /etc/ssl/private/cloudflare-firefrostgaming.key

Paste the Private Key (begins with -----BEGIN PRIVATE KEY-----)

Set permissions:

sudo chmod 600 /etc/ssl/private/cloudflare-firefrostgaming.key

Step 3: Update Nginx Configuration

File: /etc/nginx/sites-available/firefrostgaming.com-ssl.conf

Changed:

server_name firefrostgaming.com;  # OLD
server_name firefrostgaming.com www.firefrostgaming.com;  # NEW

ssl_certificate /etc/letsencrypt/firefrostgaming.com/fullchain.cer;  # OLD
ssl_certificate /etc/ssl/certs/cloudflare-firefrostgaming.pem;  # NEW

ssl_certificate_key /etc/letsencrypt/firefrostgaming.com/firefrostgaming.com.key;  # OLD
ssl_certificate_key /etc/ssl/private/cloudflare-firefrostgaming.key;  # NEW

Full updated config:

map $status $header_content_type_options {
    204 "";
    default "nosniff";
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    # Handle both firefrostgaming.com and www.firefrostgaming.com
    server_name firefrostgaming.com www.firefrostgaming.com;

    root /var/www/firefrost/system/nginx-root;

    # Cloudflare Origin Certificate
    ssl_certificate /etc/ssl/certs/cloudflare-firefrostgaming.pem;
    ssl_certificate_key /etc/ssl/private/cloudflare-firefrostgaming.key;

    include /etc/nginx/snippets/ssl-params.conf;

    location / {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $http_host;
        proxy_pass http://127.0.0.1:2368;
        add_header X-Content-Type-Options $header_content_type_options;
    }

    client_max_body_size 1g;
}

Step 4: Test and Reload

sudo nginx -t
sudo systemctl reload nginx

Verification

Test both URLs, https://firefrostgaming.com and https://www.firefrostgaming.com:

Both should load with no SSL errors.

Check Cloudflare SSL mode:

  • Should still be "Full (strict)"
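An added pre-reload check script, not part of the original runbook, covering the files installed in Steps 2 through 4 and the verification above: it confirms that the certificate's SANs cover both hostnames, that certificate and key belong together, that the key is mode 600, and that the certificate is unexpired. The helper functions and the self-signed sample certificate at the bottom are constructed for this example and assume OpenSSL 1.1.1+ (for -addext); on the VPS, point check_origin_tls at the page's certificate and key paths instead.

```shell
# Added example, not part of the original runbook: offline sanity checks for the
# origin certificate and key from Step 2, run before "nginx -t" in Step 4.
# Helper names and the self-signed sample certificate are constructed here and
# assume OpenSSL 1.1.1+ (for -addext); on the VPS use the page's real paths.

# Print the DNS names from the certificate's subjectAltName, one per line.
cert_san_list() {
    openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' \
      | tail -n 1 | tr -d ' ' | tr ',' '\n' | sed -n 's/^DNS://p'
}
# 0 if hostname $2 is listed exactly or covered by a one-label wildcard:
# *.firefrostgaming.com covers www.firefrostgaming.com, not a.b.firefrostgaming.com.
cert_covers_host() {
    cert_san_list "$1" | grep -qxF -e "$2" -e "*.${2#*.}"
}
# 0 if the certificate's public key matches the private key (a mismatch is what
# nginx -t reports as "key values mismatch").
cert_key_match() {
    c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
    [ -n "$c" ] && [ "$c" = "$k" ]
}
# 0 if the certificate has not expired (a fresh 15-year origin cert passes).
cert_not_expired() { openssl x509 -in "$1" -noout -checkend 0 >/dev/null; }
# 0 if the key file has exactly mode 600, as set in Step 2.
key_perms_ok() { [ -n "$(find "$1" -prune -perm 600)" ]; }

# Run every check for CERT KEY HOST...; non-zero if any fails.
check_origin_tls() {
    cert=$1; key=$2; shift 2; rc=0
    cert_key_match "$cert" "$key" || { echo "cert/key mismatch"; rc=1; }
    cert_not_expired "$cert"      || { echo "certificate expired"; rc=1; }
    key_perms_ok "$key"           || { echo "key mode is not 600"; rc=1; }
    for h in "$@"; do
        cert_covers_host "$cert" "$h" || { echo "SAN missing: $h"; rc=1; }
    done
    return $rc
}

# Constructed sample: self-signed, with the same three SANs as the Cloudflare cert.
SAMPLE_DIR=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=firefrostgaming.com" \
  -addext "subjectAltName=DNS:firefrostgaming.com,DNS:www.firefrostgaming.com,DNS:*.firefrostgaming.com" \
  -keyout "$SAMPLE_DIR/origin.key" -out "$SAMPLE_DIR/origin.pem" >/dev/null 2>&1
chmod 600 "$SAMPLE_DIR/origin.key"
check_origin_tls "$SAMPLE_DIR/origin.pem" "$SAMPLE_DIR/origin.key" \
    firefrostgaming.com www.firefrostgaming.com && echo "origin TLS checks passed"
```

The script checks the files only; a browser or curl pointed straight at the VPS (bypassing the proxy) will report an untrusted issuer, because the Cloudflare Origin CA is trusted by Cloudflare alone. Test through the proxied hostnames, as the Verification section does.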

Benefits of This Solution

  1. 15-year validity — No renewal required for 15 years
  2. Wildcard coverage — *.firefrostgaming.com covered if needed
  3. Full (strict) maintained — Security posture unchanged
  4. Works with Cloudflare proxy — Designed specifically for Full (strict) mode; the certificate is trusted only by Cloudflare, so the DNS records must stay proxied (a visitor reaching the origin directly would see an untrusted certificate)
  5. No Let's Encrypt dependency — Origin certificate is Cloudflare-managed

File Locations

Certificate files:

  • Certificate: /etc/ssl/certs/cloudflare-firefrostgaming.pem
  • Private key: /etc/ssl/private/cloudflare-firefrostgaming.key

Nginx config:

  • /etc/nginx/sites-available/firefrostgaming.com-ssl.conf
  • Symlinked from: /etc/nginx/sites-enabled/firefrostgaming.com-ssl.conf


Fire + Frost + Arcane + Verification = Truth 🔥❄️

Documented By: The Verifier (Chronicler #42)
Date: March 26, 2026, 8:15 PM CST