
Letsencrypt SSL: acme SSL obtain succeeds but the cert is invalid and not secure

Discussion in 'Domains, DNS, Email & SSL Certificates' started by R0rke, Jun 28, 2017.

  1. R0rke

    R0rke Member

    Hi, I just installed Centmin Mod 123.09beta01 recently with a fresh OS install and Centmin setup, with no config or changes. I just set a DNS zone NS for the domains, then added a vhost with the default options of menu 2. Note that I enabled letsencrypt detect before:
    • CentOS Version: 7.0
    • Centmin Mod Version Installed: 123.09beta01
    • Nginx Version Installed: 1.13.1
    • PHP Version Installed: 7.0.20
    • MariaDB MySQL Version Installed: dunno
    • When was last time updated Centmin Mod code base ? : never, I just did a fresh install 24 hours ago
    • Persistent Config: nothing at all
    • Code:
      cat: /etc/centminmod/custom_config.inc: No such file or directory
    Simply, I decided to OS reload and install Centmin Mod again, but before that I want to report this problem. Thanks George
     
  2. eva2000

    eva2000 Administrator Staff Member

    • If you ran centmin.sh menu option 2 or 22, which letsencrypt option did you select from
      Code (Text):
      Enter vhost domain name you want to add (without www. prefix): acme3.domain1.com
      
      Create a self-signed SSL certificate Nginx vhost? [y/n]: n
      Get Letsencrypt SSL certificate Nginx vhost? [y/n]: y
      
      You have 4 options:
      1. issue staging test cert with HTTP + HTTPS
      2. issue staging test cert with HTTPS default
      3. issue live cert with HTTP + HTTPS
      4. issue live cert with HTTPS default
      Enter option number 1-4: 1
      

    Centmin Mod Self-Signed SSL Fallback

    If you're seeing Centmin Mod's self-signed SSL certificate instead of the Letsencrypt SSL certificate, that's acmetool.sh and Centmin Mod's fallback: if Letsencrypt verification fails to obtain the Letsencrypt SSL cert, it falls back to the Centmin Mod self-signed SSL certificate on the HTTPS port 443 side so as to preserve the HTTPS Nginx vhost.

    Troubleshooting

    There are various steps you can take to troubleshoot failed Letsencrypt issuances, renewals, reissues etc.
    • acmetool.sh logs all command line or shell menu runs to log files at /root/centminlogs. To troubleshoot, copy the contents of the log run and post the contents of the log to pastebin.com or gist.github.com and share the link in this thread. To find the log, list the logs in ascending date order:
      Code (Text):
      ls -lahrt /root/centminlogs
    • For direct acmetool.sh runs, there should be a 2nd, 3rd and 4th log in the format /root/centminlogs/centminmod_${DT}_nginx_addvhost_nv.log, /root/centminlogs/acmetool.sh-debug-log-$DT.log and /root/centminlogs/acmesh-issue_*.log or /root/centminlogs/acmesh-reissue_*.log, which would need to be included via a separate pastebin.com or gist.github.com post.
    • Enable acmetool.sh debug mode. In the persistent config file at /etc/centminmod/custom_config.inc (create it if it doesn't exist) add and enable acmetool.sh debug mode, which gives much more verbose Letsencrypt issuance process information when you re-run acmetool.sh or centmin.sh menu options 2, 22 or /usr/bin/nv command lines.
      Code (Text):
      ACMEDEBUG='y'
    Without the answers to the above questions and the logs, there is nothing to help troubleshoot.
  3. R0rke

    R0rke Member

    I posted some related ones as a secret gist, I'll send you a private message. Check please.

    edit:
    I just double checked my DNS settings. I doubt the problem is happening because of DNS, but as you can see here screencapture-cp3-nicpanel-ca-domain-all-1498646026215.png I made child hosts and a DNS template on NSD with Centmin menu option 3, then set custom display nameservers for my domain like this:
    ns1.site.net
    ns2.site.net
    and here is the DNS template:
    Code (Text):
    $TTL 14400
    @       IN      SOA     ns1.MyWebSiteAddressISFilterd.net.      hostmaster.MyWebSiteAddressISFilterd.net. (
                                                    2010091500
                                                    14400
                                                    3600
                                                    1209600
                                                    86400 )

    Nameservers
    MyWebSiteAddressISFilterd.net.       14400   IN      NS      ns1.MyWebSiteAddressISFilterd.net.
    MyWebSiteAddressISFilterd.net.       14400   IN      NS      ns2.MyWebSiteAddressISFilterd.net.

    A Records
    MyWebSiteAddressISFilterd.net.       14400   IN      A       74.222.**.***
    ftp                     14400   IN      A       74.222.**.***
    localhost               14400   IN      A       127.0.0.1
    mail                    14400   IN      A       74.222.**.***
    ns1                     14400   IN      A       74.222.**.***
    ns2                     14400   IN      A       74.222.**.***
    pop                     14400   IN      A       74.222.**.***
    smtp                    14400   IN      A       74.222.**.***
    www                     14400   IN      A       74.222.**.***

    MX Record
    MyWebSiteAddressISFilterd.net.       14400   IN      MX      10 mail

    TXT Record (for SPF)
    MyWebSiteAddressISFilterd.net.       14400   IN      TXT     "v=spf1 a mx ip4:74.222.**.*** ~all"

    DS Record
    MyWebSiteAddressISFilterd.net.       3600    IN      DS      2371 13 2 6992cdc095c0b02a75fa2c287af2625ac7fe120c6f49bc7af42f4ff51edd225f

     
    Last edited: Jun 28, 2017
  4. eva2000

    eva2000 Administrator Staff Member

    Did you follow the NSD example at Domains - Domain name DNS setup on local NSD server? You need to register your vanity nameservers with your domain registrar before you can set up a domain using vanity custom nameservers. Your domain DNS doesn't seem to be working; check Global DNS Propagation Checker - What's My DNS? It should return your server IP address for A records.

    I suggest you use a 3rd party DNS provider instead of NSD, i.e. Cloudflare: Cloudflare - DNS - Cloudflare DNS Only Configuration

    But you managed to get your Letsencrypt SSL cert successfully, so your DNS was working at the time of issuance.
  5. eva2000

    eva2000 Administrator Staff Member

    Last edited: Jun 28, 2017
  6. R0rke

    R0rke Member

    I set a custom A record with ns.site.net + my main IP address has been set on NSD.
    But when I set the domain's DNS to NS1.SITE.NET + NS2.SITE.NET

    it gives an error:
    There are no glue records for at least one of the provided name servers.
     
  7. eva2000

    eva2000 Administrator Staff Member

    You need to contact your DNS provider/domain registrar for help in setting up proper vanity custom nameservers.
    Last edited: Jun 29, 2017
  8. R0rke

    R0rke Member

    If you mean you need to check, I can provide a username and password, but there is another way I can succeed with the connection: by making a child host.
    Now I just need to place the nameservers and boom, I can see the website loads.
    The thing is, I used this method on older versions, I mean about a month ago, of Centmin Mod beta,
    but honestly I don't know what's happening right now. By the way, thanks for your fast reply. I enabled this option, I mean child hosts, and let's just see what's happening.
  9. eva2000

    eva2000 Administrator Staff Member

  10. R0rke

    R0rke Member

    OK, updated. I can see the domain now functioning as well!
    Thanks for your help. I'll try to contact them later, but it seems the problem is solved (about DNS).
    But we still have a problem with obtaining the SSL cert.
  11. eva2000

    eva2000 Administrator Staff Member

    There are generally 3 ways of setting up an HTTPS SSL certificate for Centmin Mod Nginx HTTP/2 based HTTPS.

    Method 1. The traditional way via centmin.sh menu option 2, 22 and selecting yes to self-signed SSL certificates first. Then converting the self-signed SSL certificate to paid or free (Letsencrypt) web browser trusted SSL certificates, outlined at How to switch self-signed SSL certificate to paid SSL certificate ? You would still need to follow the same steps outlined at Nginx SPDY SSL Configuration for obtaining and purchasing the paid SSL certificate, and the most important part is the concatenation of the SSL provider's files to create the mentioned /usr/local/nginx/conf/ssl/domaincom/ssl-unified.crt and /usr/local/nginx/conf/ssl/domaincom/ssl-trusted.crt files referenced in your Nginx SSL vhost config file.

    You may need to also decide if you want to enable HTTP to HTTPS redirect outlined at How to force redirect from HTTP:// to HTTPS:// ?

    If you didn't answer yes to self-signed SSL certificates at the time of initial Nginx vhost creation, you can manually set up the self-signed SSL certificate via the vhost generator by checking the self-signed SSL box and entering a domain name. This will outline instructions for manually creating and setting up the self-signed SSL certificate and Nginx vhost settings. Then for web browser trusted SSL certificates you switch by following How to switch self-signed SSL certificate to paid SSL certificate ?.

    Method 2. Using and testing Centmin Mod 123.09beta01's new addons/acmetool.sh addon, which is still in beta testing only, for integrating Letsencrypt SSL certificates. It has both auto and manual methods.

    Method 3. Fully manual method for free Letsencrypt SSL certificates.
    So try one of the 2 application guides in method 3.
  12. eva2000

    eva2000 Administrator Staff Member

    From your SSL Labs result, you selected Letsencrypt test staging SSL certs and not live SSL certs, hence untrusted:
    Code (Text):
    Get Letsencrypt SSL certificate Nginx vhost? [y/n]: y
    
    You have 4 options:
    1. issue staging test cert with HTTP + HTTPS
    2. issue staging test cert with HTTPS default
    3. issue live cert with HTTP + HTTPS
    4. issue live cert with HTTPS default
    Enter option number 1-4: 1
    

    Options 1 and 2 = test staging SSL certs.

    You should select 3 or 4 for live trusted SSL certs.

    Following the method for an existing vhost outlined at Migrating Existing Nginx Vhost From HTTP to HTTP/2 based HTTPS With Letsencrypt SSL Certificates should fix it with live trusted SSL certs.
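Added example (not from the thread or from Centmin Mod/acmetool.sh): a small POSIX shell check that classifies the certificate an Nginx vhost is actually serving, so "obtained SSL but the browser says not secure" can be traced to the self-signed fallback, a Letsencrypt staging cert (options 1/2) or a live cert (options 3/4). It assumes openssl is installed; the host name and the sample subject/issuer lines are constructed placeholders.

```shell
# Pure classifier: takes the subject= and issuer= lines as printed by
# `openssl x509 -noout -subject -issuer` and prints one word.
# The ${1#subject=} strip works for both the old "subject= /CN=..." and
# the newer "subject=CN = ..." output formats.
classify_cert() {
    subj="${1#subject=}"
    iss="${2#issuer=}"
    if [ "$subj" = "$iss" ]; then
        echo self-signed   # issuer == subject: Centmin Mod self-signed fallback
    elif echo "$iss" | grep -qiE 'STAGING|Fake LE'; then
        echo staging       # Letsencrypt staging CA: untrusted by browsers by design
    elif echo "$iss" | grep -qi "Let's Encrypt"; then
        echo live          # Letsencrypt production CA: browser trusted
    else
        echo other         # paid CA or something unexpected: inspect manually
    fi
}

# Live check: fetch the cert Nginx serves for a vhost (with SNI) and classify it.
# Usage: check_vhost example-vhost.invalid [443]
check_vhost() {
    host="$1"; port="${2:-443}"
    pem=$(echo | openssl s_client -servername "$host" -connect "$host:$port" 2>/dev/null \
          | openssl x509 2>/dev/null) || { echo "no certificate from $host:$port"; return 1; }
    subj=$(printf '%s\n' "$pem" | openssl x509 -noout -subject)
    iss=$(printf '%s\n' "$pem" | openssl x509 -noout -issuer)
    printf '%s: %s\n  %s\n  %s\n' "$host" "$(classify_cert "$subj" "$iss")" "$subj" "$iss"
}

# Constructed sample lines in the format openssl prints (placeholder domain).
SAMPLE_SUBJ='subject=CN = example-vhost.invalid'
SAMPLE_STAGING_ISSUER='issuer=CN = Fake LE Intermediate X1'
SAMPLE_LIVE_ISSUER="issuer=C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3"
```

If the result is `staging`, re-issue with menu option 3 or 4; if it is `self-signed`, the Letsencrypt issuance itself failed and the acmetool.sh logs in /root/centminlogs are where to look.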
  13. R0rke

    R0rke Member

  14. eva2000

    eva2000 Administrator Staff Member
