
Letsencrypt acmetool attempting to get cert for extra domains?

Discussion in 'Add Ons' started by ElChorizo, Nov 6, 2024.

  1. ElChorizo

    ElChorizo Premium Member Premium Member

    44
    4
    8
    Apr 29, 2021
    Ratings:
    +8
    Local Time:
    8:38 PM
    1.19.10
    10.3.28
    Please fill in any relevant information that applies to you:
    • CentOS Version: AlmaLinux / Rocky Linux 8/9 ?
    • Centmin Mod Version Installed: 140.00beta01
    I am using the Cloudflare API key to do our SSL stuff now. It appears that Centminmod is pulling the zone and attempting to get certs for all the A records. Sendgrid, in order to verify a domain, requires that we add some records. It appears the acmetool is trying to get a cert for this and it shouldn't, as it's really not in our control:

    Code:
    [Tue Nov  5 00:51:06 CST 2024] Invalid status, landcruiserforum.com:Verify error detail:2606:4700:3033::6815:25ef: Invalid response from https://u2505146.ct.sendgrid.net/ls/click?upn=u001.Z02rDlqluqPw6jaJNqTOPw-2FLd6KWu49KAd3tzyM8wuOXJPQp3DKoE-2BRVcWlc2lU5SYNvTVyqxTbqA21cQMER1quNmSgOBK0RakYYv4ybiFK4NklOedd-2BGkAAEHR0zgYQZhZw5RDmbyZkKzltTxL-2BjA-3D-3DGDJt_COkXSIKRoTFPtoiObLTm9uqkBTzNKLQRMI6toU3QHWF-2FhZYjrhCDiKZT-2Bh0WxepcVE3WbzjjtE-2FK2tP4VODD4nGPvbDxEeCgbBEiOtQCF1KKQzcD9QWrQ4xgzyAx155balXu-2FfGV3nxOS74zrtWVCe1I35QNVw2LZBt0N67BY7ThGeiq01adyMPygKrpVbdXtoRGNaJd-2BBCJS2HRkh3kzQ-3D-3D 404
    [Tue Nov  5 00:51:06 CST 2024] Please check log file for more details: /root/centminlogs/acmetool.sh-debug-log-060923-111326.log
    [Tue Nov  5 00:51:06 CST 2024] Error renew landcruiserforum.com.
    [Tue Nov  5 00:51:11 CST 2024] Invalid status, landcruiserforum.com:Verify error detail:2606:4700:3033::6815:25ef: Invalid response from https://u2505146.ct.sendgrid.net/ls/click?upn=u001.Z02rDlqluqPw6jaJNqTOPw-2FLd6KWu49KAd3tzyM8wuOXJPQp3DKoE-2BRVcWlc2lU5SYNvTVyqxTbqA21cQMER1qqHKm3qPk6iiySOjuptrnH8LHj1v-2B7YVVDAgThJvWTqrN05grVyDHMRpuoxSBr6Hg-3D-3Dq8mj_COkXSIKRoTFPtoiObLTm9uqkBTzNKLQRMI6toU3QHWF-2FhZYjrhCDiKZT-2Bh0Wxepch8u8wHuNEgF2D1SPUv5Ce3Ii68vnrinJ2rXjgTeIxZFhBLyPeYQPHLLpNU4i6ijsp0eXTfRm9FjrgDxK6Jdw0yQhNN1OIfV1c3isOHVyN1TBdo94VgDf-2BytWLVvP7FHlIX-2FB0Nl09XMoUQoUIrX75A-3D-3D 404
    [Tue Nov  5 00:51:11 CST 2024] Please check log file for more details: /root/centminlogs/acmetool.sh-debug-log-060923-111326.log
    [Tue Nov  5 00:51:12 CST 2024] Error renew landcruiserforum.com_ecc.
    This is from the cron job trying to update certificates... Any way we can specify a way to ignore this and not try to generate a cert for it?


    The cert it's trying to pull is for this record:
    Screenshot 2024-11-05 at 12.47.09 PM.png
     
  2. eva2000

    eva2000 Administrator Staff Member

    54,126
    12,179
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,739
    Local Time:
    12:38 PM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    Strange, nothing in Centmin Mod's Letsencrypt implementation is coded to do this - it only issues SSL certificates for the domain name specified for Nginx vhost creation in centmin.sh menu option 2, 22 or via nv command line. If you enter domain.com, it will get it and www. version of domain and if subdomain, it only gets subdomain specified. There is no code or mechanism for Centmin Mod to tell underlying acme.sh client via addons/acmetool.sh wrapper script to attempt to issue Letsencrypt SSL certificates outside of those menu options or nv command line.

    You can do a recursive grep of your Nginx vhost creation logs in /root/centminlogs to see if any references for landcruiserforum keyword as proof an Nginx vhost was created specifying that domain name
    Code (Text):
    grep -rin 'landcruiserforum.com' /root/centminlogs
    

    and for
    Code (Text):
    grep -rin 'landcruiserforum.com created successfully' /root/centminlogs
    

    If entries return from command, it means Nginx vhosts were created for this domain by you on your end.

    Also check the list of Centmin Mod Nginx site domain names created to see if landcruiserforum domain is listed as proof of Nginx vhost created
    Code (Text):
    ls -lah /home/nginx/domains/
    

    If any of these commands returns an entry for landcruiserforum.com, then it means an Nginx vhost site for this was specifically created by you on your end and thus a Letsencrypt SSL certificate issuance was attempted and thus an underlying acme.sh client cronjob profile was set up in /root/.acme.sh/landcruiserforum.com and, if DUALCERTS='y' is enabled, also at /root/.acme.sh/landcruiserforum.com_ecc

    If you accidentally did create an Nginx vhost for the landcruiserforum.com domain you do not own, then you can delete the acme.sh cronjob profile directories in /root/.acme.sh/landcruiserforum.com and, if DUALCERTS='y' is enabled, also at /root/.acme.sh/landcruiserforum.com_ecc, which will prevent the acme.sh cronjob from attempting to auto-renew Letsencrypt SSL certificates.

    If the domain was incorrectly created via centmin.sh menu option 2, 22 or nv command, you would also have an accompanying nginx vhost removal log in /root/centminlogs listing all commands to delete the Nginx vhost. You can find the specific log via command
    Code (Text):
    grep -rin 'landcruiserforum.com' /root/centminlogs/ | grep 'remove'
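
Added example (not from the thread, Centmin Mod or acme.sh): alongside the greps in the post above, each acme.sh renewal profile can be read directly to list every name the renewal cronjob will request. It assumes acme.sh's per-certificate `<name>.conf` files with `Le_Domain`, `Le_Alt` and `Le_Webroot` keys; the function names and sample domains are hypothetical.

```shell
#!/bin/sh
# Added example: inventory acme.sh renewal profiles and the names each covers.
# Assumed layout: <home>/<name>[_ecc]/<name>.conf containing Le_Domain=,
# Le_Alt= and Le_Webroot= lines, values usually single-quoted.

conf_value() {  # conf_value KEY FILE -> first value of KEY, quotes stripped
  sed -n "s/^$1=//p" "$2" | head -n 1 | tr -d "'\""
}

list_profiles() (  # list_profiles [HOME] -> "profile primary alt method" lines
  home="${1:-/root/.acme.sh}"
  for dir in "$home"/*/; do
    name=$(basename "$dir")
    conf="$dir${name%_ecc}.conf"
    [ -f "$conf" ] || continue   # skips helper dirs that hold no certificate profile
    primary=$(conf_value Le_Domain "$conf"); alt=$(conf_value Le_Alt "$conf")
    printf '%s %s %s %s\n' "$name" "${primary:-$name}" "${alt:-no}" \
      "$(conf_value Le_Webroot "$conf")"
  done
)

names_outside() (  # names_outside ZONE [HOME] -> "profile name" for names not in ZONE
  list_profiles "$2" | {
    set -f                       # keep wildcard names such as *.example.com literal
    while read -r profile primary alt method; do
      [ "$alt" = "no" ] && alt=""
      for n in $(printf '%s,%s' "$primary" "$alt" | tr ',' ' '); do
        case "$n" in "$1"|*."$1") ;; *) printf '%s %s\n' "$profile" "$n" ;; esac
      done
    done
  }
)

demo() (  # constructed sample tree; example.com and em1234.example.net are made up
  t=$(mktemp -d)
  mkdir -p "$t/example.com" "$t/example.com_ecc" "$t/dnsapi"
  printf "Le_Domain='example.com'\nLe_Alt='www.example.com,em1234.example.net'\nLe_Webroot='dns_cf'\n" \
    > "$t/example.com/example.com.conf"
  printf "Le_Domain='example.com'\nLe_Alt='no'\nLe_Webroot='dns_cf'\n" \
    > "$t/example.com_ecc/example.com.conf"
  list_profiles "$t"
  names_outside example.com "$t"
  rm -rf "$t"
)
demo
```

On a real server, `list_profiles` with no argument reads /root/.acme.sh, and `names_outside yourdomain.com` prints only names that a profile covers outside that domain.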
    
     
  3. ElChorizo

    I created the domain using landcruiserforum.com -- But for some reason, it's trying to pull a cert for a sendgrid cname. There is nothing for sendgrid or em6052 in the logs, or configs. I never entered that name for it to try and pull a cert... so it's gotta be getting it automatically from the Cloudflare API.

    Code:
    [20:21][root@X landcruiserforum.com]# grep -Fir sendgrid *
    [20:23][root@X landcruiserforum.com]# pwd
    /root/.acme.sh/landcruiserforum.com
    [20:23][root@X landcruiserforum.com]# cd /root/centminlogs/
    [20:23][root@X centminlogs]# grep -Fir sendgrid *
    [20:23][root@X centminlogs]#
    
     
  4. eva2000

    Check the full log to see which domains it's trying to validate /root/centminlogs/acmetool.sh-debug-log-060923-111326.log

    But first post isn't saying it's trying to get SSL cert for sendgrid name, but it's trying to verify your domain, but I suspect you have your DNS misconfigured as Cloudflare has option to flatten CNAMEs to act like DNS A records. If your www is not a DNS A record to your server IP but a name and not pointing to non-www domain

    Try testing your domain at Let's Debug using DNS-01 mode

    Though if it's a bug in acme.sh then might want to report it or see if it's mentioned at GitHub - acmesh-official/acme.sh: A pure Unix shell script implementing ACME client protocol
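
Added example (not part of the thread, Centmin Mod or acme.sh): one way to read the debug log mentioned above is to pull out, for each failed validation, the name being validated and the host that actually answered. It assumes the `Invalid status, <name>:Verify error detail:` line format shown in the first post; the function names, domains and addresses in the sample are constructed.

```shell
#!/bin/sh
# Added example: summarise failed validations from an acme.sh log.
# Assumed line format (as in the first post):
#   Invalid status, <name>:Verify error detail:<addr>: Invalid response from <url> <status>

verify_failures() {  # verify_failures LOGFILE -> "name answering-host status verdict"
  sed -n 's|^.*Invalid status, \([^:]*\):Verify error detail:.*Invalid response from https\{0,1\}://\([^/ :]*\)[^ ]* \([0-9][0-9]*\).*$|\1 \2 \3|p' "$1" |
  while read -r name host status; do
    case "$host" in
      "$name"|*."$name") verdict=same-zone ;;   # answered by the validated name
      *) verdict=other-host ;;                   # answered elsewhere, e.g. after a redirect
    esac
    printf '%s %s %s %s\n' "$name" "$host" "$status" "$verdict"
  done
}

failure_summary() {  # failure_summary LOGFILE -> count per distinct result line
  verify_failures "$1" | sort | uniq -c | sed 's/^ *//'
}

# Constructed sample log (example.com and tracker.example.net are placeholders).
sample_log() {
  cat <<'EOF'
[Tue Nov  5 00:51:06 CST 2024] Invalid status, example.com:Verify error detail:2001:db8::25ef: Invalid response from https://tracker.example.net/ls/click?upn=abc 404
[Tue Nov  5 00:51:06 CST 2024] Error renew example.com.
[Tue Nov  5 00:51:11 CST 2024] Invalid status, example.com:Verify error detail:2001:db8::25ef: Invalid response from https://tracker.example.net/ls/click?upn=def 404
[Tue Nov  5 00:52:00 CST 2024] Invalid status, shop.example.com:Verify error detail:192.0.2.10: Invalid response from http://shop.example.com/.well-known/acme-challenge/tok: 403
EOF
}

log=$(mktemp); sample_log > "$log"
failure_summary "$log"
rm -f "$log"
```

An `other-host` row means the certificate name in the first column was the one being validated while a different host returned the response, which separates "a certificate was requested for that other name" from "the check for my own name ended up somewhere else".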