
Beta Branch acmetool.sh 1.0.14 fix for certonly-issue DNS mode renew routine

Discussion in 'Centmin Mod Github Commits' started by eva2000, Oct 26, 2016.

  1. eva2000

    acmetool.sh 1.0.14 fix for certonly-issue DNS mode renew routine

    addons/acmetool.sh DNS mode issuance for letsencrypt ssl certificates needed a minor fix for when you are issuing staging test ssl certs, as it requires passing the --staging flag to the --renew command in the underlying acme.sh tool which acmetool.sh uses.


    123.09beta01 branch
     
  2. eva2000

    test run of DNS mode via certonly-issue for acmedns1.domain.com and acmedns2.domain.com

    where I ran DNS mode issuance of a staging test letsencrypt ssl certificate for just acmedns1.domain.com first, added the appropriate DNS TXT verification record, and issued the staging test letsencrypt ssl certificate.
    Code (Text):
    cd /usr/local/src/centminmod
    addons/acmetool.sh certonly-issue acmedns1.domain.com
    

    then re-ran it to add acmedns2.domain.com to the same acmedns1.domain.com certificate for a SAN multi-domain staging test letsencrypt ssl certificate
    Code (Text):
    cd /usr/local/src/centminmod
    addons/acmetool.sh certonly-issue acmedns1.domain.com,acmedns2.domain.com
    

    output for the re-run
    Code (Text):
    addons/acmetool.sh certonly-issue acmedns1.domain.com,acmedns2.domain.com
    
    -----------------------------------------------------
    updating acme.sh client...
    -----------------------------------------------------
    [Wed Oct 26 03:22:51 UTC 2016] Installing to /root/.acme.sh
    [Wed Oct 26 03:22:51 UTC 2016] Installed to /root/.acme.sh/acme.sh
    [Wed Oct 26 03:22:52 UTC 2016] Installing alias to '/root/.bashrc'
    [Wed Oct 26 03:22:52 UTC 2016] OK, Close and reopen your terminal to start using acme.sh
    [Wed Oct 26 03:22:52 UTC 2016] Installing alias to '/root/.cshrc'
    [Wed Oct 26 03:22:52 UTC 2016] Installing alias to '/root/.tcshrc'
    [Wed Oct 26 03:22:52 UTC 2016] Installing cron job
    0 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null
    [Wed Oct 26 03:22:52 UTC 2016] Good, bash is found, so change the shebang to use bash as prefered.
    [Wed Oct 26 03:22:52 UTC 2016] OK
    https://github.com/Neilpang/acme.sh
    v2.6.2
    -----------------------------------------------------
    acme.sh updated
    -----------------------------------------------------
    acmedns1.domain.com,acmedns2.domain.com
    

    Code (Text):
    -----------------------------------------------------------
    [DNS mode] issue & install letsencrypt ssl certificate for acmedns1.domain.com
    -----------------------------------------------------------
    testcert value =
    /root/.acme.sh/acme.sh --staging --issue --force --dns -d acmedns1.domain.com -d acmedns2.domain.com -k 2048 --useragent centminmod-centos7-acmesh-dns --log /root/centminlogs/acmetool.sh-debug-log-261016-032248.log --log-level 2
    [Wed Oct 26 03:22:53 UTC 2016] Using stage api:https://acme-staging.api.letsencrypt.org
    [Wed Oct 26 03:22:57 UTC 2016] Registering account
    [Wed Oct 26 03:23:05 UTC 2016] Already registered
    [Wed Oct 26 03:23:12 UTC 2016] Update success.
    [Wed Oct 26 03:23:12 UTC 2016] Multi domain='DNS:acmedns2.domain.com'
    [Wed Oct 26 03:23:12 UTC 2016] Verify each domain
    [Wed Oct 26 03:23:12 UTC 2016] Getting webroot for domain='acmedns1.domain.com'
    [Wed Oct 26 03:23:12 UTC 2016] _w='dns'
    [Wed Oct 26 03:23:12 UTC 2016] Getting new-authz for domain='acmedns1.domain.com'
    [Wed Oct 26 03:23:21 UTC 2016] acmedns1.domain.com is already verified, skip.
    [Wed Oct 26 03:23:21 UTC 2016] Getting webroot for domain='acmedns2.domain.com'
    [Wed Oct 26 03:23:21 UTC 2016] _w='dns'
    [Wed Oct 26 03:23:21 UTC 2016] Getting new-authz for domain='acmedns2.domain.com'
    [Wed Oct 26 03:23:29 UTC 2016] acmedns1.domain.com is already verified, skip dns-01.
    [Wed Oct 26 03:23:29 UTC 2016] Add the following TXT record:
    [Wed Oct 26 03:23:29 UTC 2016] Domain: '_acme-challenge.acmedns2.domain.com'
    [Wed Oct 26 03:23:29 UTC 2016] TXT value: 'CzmNS456s8mQu9cnWnOcRL4TEnChJl9ssyBRipmZubY'
    [Wed Oct 26 03:23:29 UTC 2016] Please be aware that you prepend _acme-challenge. before your domain
    [Wed Oct 26 03:23:29 UTC 2016] so the resulting subdomain will be: _acme-challenge.acmedns2.domain.com
    [Wed Oct 26 03:23:29 UTC 2016] Please add the TXT records to the domains, and retry again.
    [Wed Oct 26 03:23:29 UTC 2016] Dns not added, skip.
    [Wed Oct 26 03:23:29 UTC 2016] Please check log file for more details: /root/centminlogs/acmetool.sh-debug-log-261016-032248.log
    

    Code (Text):
    ---------------------------------
     DNS mode requires manual steps below
    ---------------------------------
     Add the following TXT record:
     Domain: '_acme-challenge.acmedns2.domain.com'
     TXT value: 'CzmNS456s8mQu9cnWnOcRL4TEnChJl9ssyBRipmZubY'
     Please be aware that you prepend _acme-challenge. before your domain
     Dns not added, skip.
     Please check log file for more details: /root/centminlogs/acmetool.sh-debug-log-261016-032248.log
     Once DNS updated for acmedns1.domain.com, run SSH command:
    ---------------------------------
      /root/.acme.sh/acme.sh --force --renew --staging -d acmedns1.domain.com -d acmedns2.domain.com
    ---------------------------------
     SSL certs will be located : /root/.acme.sh/acmedns1.domain.com
    
     If want to install cert into Nginx vhost, run SSH command:
    ---------------------------------
      /root/.acme.sh/acme.sh --installcert -d acmedns1.domain.com -d acmedns2.domain.com --certpath /usr/local/nginx/conf/ssl/acmedns1.domain.com/acmedns1.domain.com-acme.cer --keypath /usr/local/nginx/conf/ssl/acmedns1.domain.com/acmedns1.domain.com-acme.key --capath /usr/local/nginx/conf/ssl/acmedns1.domain.com/acmedns1.domain.com-acme.cer --reloadCmd /usr/bin/ngxreload --fullchainpath /usr/local/nginx/conf/ssl/acmedns1.domain.com/acmedns1.domain.com-fullchain-acme.key
    ---------------------------------
     SSL certs will be installed at : /usr/local/nginx/conf/ssl/acmedns1.domain.com/
    

    Notice acmedns1.domain.com is already verified from the previous DNS verification and is valid for 90 days, so it can be skipped
    Code (Text):
    [Wed Oct 26 03:23:21 UTC 2016] acmedns1.domain.com is already verified, skip.
    

    So only acmedns2.domain.com needed a TXT DNS verification record added.

    Once added and the TXT DNS record has propagated, do the 2nd step of issuing the ssl cert as instructed in the above text
    Code (Text):
    Once DNS updated for acmedns1.domain.com, run SSH command:
    ---------------------------------
      /root/.acme.sh/acme.sh --force --renew --staging -d acmedns1.domain.com -d acmedns2.domain.com
    

    and output
    Code (Text):
    /root/.acme.sh/acme.sh --force --renew --staging -d acmedns1.domain.com -d acmedns2.domain.com
    [Wed Oct 26 03:24:31 UTC 2016] Using stage api:https://acme-staging.api.letsencrypt.org
    [Wed Oct 26 03:24:31 UTC 2016] Renew: 'acmedns1.domain.com'
    [Wed Oct 26 03:24:36 UTC 2016] Registering account
    [Wed Oct 26 03:24:42 UTC 2016] Already registered
    [Wed Oct 26 03:24:50 UTC 2016] Update success.
    [Wed Oct 26 03:24:50 UTC 2016] Multi domain='DNS:acmedns2.domain.com'
    [Wed Oct 26 03:24:50 UTC 2016] Verify each domain
    [Wed Oct 26 03:24:50 UTC 2016] acmedns1.domain.com is already verified, skip dns-01.
    [Wed Oct 26 03:24:50 UTC 2016] Verifying:acmedns2.domain.com
    [Wed Oct 26 03:25:03 UTC 2016] Success
    [Wed Oct 26 03:25:03 UTC 2016] Dns not added, skip.
    [Wed Oct 26 03:25:03 UTC 2016] Verify finished, start to sign.
    [Wed Oct 26 03:25:13 UTC 2016] Cert success.
    

    Code (Text):
    [Wed Oct 26 03:25:13 UTC 2016] Your cert is in  /root/.acme.sh/acmedns1.domain.com/acmedns1.domain.com.cer
    [Wed Oct 26 03:25:13 UTC 2016] Your cert key is in  /root/.acme.sh/acmedns1.domain.com/acmedns1.domain.com.key
    [Wed Oct 26 03:25:15 UTC 2016] The intermediate CA cert is in  /root/.acme.sh/acmedns1.domain.com/ca.cer
    [Wed Oct 26 03:25:15 UTC 2016] And the full chain certs is there:  /root/.acme.sh/acmedns1.domain.com/fullchain.cer
    

    so
    • ssl cert available at /root/.acme.sh/acmedns1.domain.com/acmedns1.domain.com.cer
    • ssl cert private key at /root/.acme.sh/acmedns1.domain.com/acmedns1.domain.com.key
    • fullchain.cer for nginx at /root/.acme.sh/acmedns1.domain.com/fullchain.cer
     
    Last edited: Oct 26, 2016
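Added example, not code from the thread, acmetool.sh or acme.sh: a small POSIX sh helper that derives the second-step --renew command from the --issue line acmetool.sh printed ("testcert value" above), so the --staging flag is carried over the way the 1.0.14 fix requires, and that checks the _acme-challenge TXT record is actually visible before running it (the "Dns not added, skip." case). The resolver command `dig +short TXT` and the polling interval are assumptions.

```sh
#!/bin/sh
# Added example (not part of acmetool.sh/acme.sh): carry --staging from the
# --issue line into the --renew line, and check TXT propagation first.

# build_renew_cmd ISSUE_CMD
# Prints "/root/.acme.sh/acme.sh --force --renew [--staging] -d ... -d ...".
# Only --staging and the -d domains are copied; --dns, -k, --log etc. are
# not needed for the renew step.
build_renew_cmd() {
  staging=""
  domains=""
  set -- $1   # split the issue command line into words (intentionally unquoted)
  while [ $# -gt 0 ]; do
    case "$1" in
      --staging) staging=" --staging" ;;
      -d) shift; domains="$domains -d $1" ;;
    esac
    shift
  done
  printf '%s\n' "/root/.acme.sh/acme.sh --force --renew${staging}${domains}"
}

# txt_record_present NAME VALUE [LOOKUP_CMD]
# Returns 0 when the TXT record for NAME carries exactly VALUE. LOOKUP_CMD
# defaults to "dig +short TXT" (assumed available) and must print the TXT
# strings one per line, quoted or not.
txt_record_present() {
  name=$1; value=$2; lookup=${3:-"dig +short TXT"}
  $lookup "$name" | tr -d '"' | grep -qxF -- "$value"
}

# wait_for_txt NAME VALUE [TRIES] [SECONDS]
# Polls until the record has propagated (default 10 tries, 30s apart), so the
# renew step is not run while acme.sh would still report "Dns not added".
wait_for_txt() {
  tries=${3:-10}; i=0
  while [ "$i" -lt "$tries" ]; do
    txt_record_present "$1" "$2" && return 0
    i=$((i + 1)); sleep "${4:-30}"
  done
  return 1
}

# Stand-alone demo on the staging issue line from the thread:
build_renew_cmd '/root/.acme.sh/acme.sh --staging --issue --force --dns -d acmedns1.domain.com -d acmedns2.domain.com -k 2048'
```

With the thread's values this would be `wait_for_txt _acme-challenge.acmedns2.domain.com CzmNS456s8mQu9cnWnOcRL4TEnChJl9ssyBRipmZubY && eval "$(build_renew_cmd "$ISSUE_LINE")"`, where `ISSUE_LINE` holds the printed --issue command.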
  3. eva2000

    Notice in the initial certonly-issue run the instructions for installing the issued ssl cert into the nginx vhost
    Code (Text):
     If want to install cert into Nginx vhost, run SSH command:
    ---------------------------------
      /root/.acme.sh/acme.sh --installcert -d acmedns1.domain.com -d acmedns2.domain.com --certpath /usr/local/nginx/conf/ssl/acmedns1.domain.com/acmedns1.domain.com-acme.cer --keypath /usr/local/nginx/conf/ssl/acmedns1.domain.com/acmedns1.domain.com-acme.key --capath /usr/local/nginx/conf/ssl/acmedns1.domain.com/acmedns1.domain.com-acme.cer --reloadCmd /usr/bin/ngxreload --fullchainpath /usr/local/nginx/conf/ssl/acmedns1.domain.com/acmedns1.domain.com-fullchain-acme.key
    ---------------------------------
    SSL certs will be installed at : /usr/local/nginx/conf/ssl/acmedns1.domain.com/
    

    The nginx vhost acmedns1.domain.com has to exist before you can run that --installcert command.
    You can use centmin.sh menu option 2 or the /usr/bin/nv command line to create acmedns1.domain.com first, as outlined at Nginx Vhost & NSD DNS Setup - CentminMod.com LEMP Nginx web stack for CentOS

    Using the nv command is easy: in SSH, type it with the -s y flag for self-signed ssl cert and https vhost generation
    Code (Text):
    nv -d acmedns1.domain.com -s y -u YOURDESIRED_FTPUSERNAME
    

    or via centmin.sh menu option 2, making sure to answer yes to the self-signed ssl cert as that auto generates the https nginx vhost config file too
    Code (Text):
    --------------------------------------------------------
         Centmin Mod Menu 123.09beta01 centminmod.com  
    --------------------------------------------------------
    1).  Centmin Install
    2).  Add Nginx vhost domain
    3).  NSD setup domain name DNS
    4).  Nginx Upgrade / Downgrade
    5).  PHP Upgrade / Downgrade
    6).  XCache Re-install
    7).  APC Cache Re-install
    8).  XCache Install
    9).  APC Cache Install
    10). Memcached Server Re-install
    11). MariaDB 5.2/5.5 & 10.x Upgrade Sub-Menu
    12). Zend OpCache Install/Re-install
    13). Install/Reinstall Redis PHP Extension
    14). SELinux disable
    15). Install/Reinstall ImagicK PHP Extension
    16). Change SSHD Port Number
    17). Multi-thread compression: pigz,pbzip2,lbzip2...
    18). Suhosin PHP Extension install
    19). Install FFMPEG and FFMPEG PHP Extension
    20). NSD Install/Re-Install
    21). Update - Nginx + PHP-FPM + Siege
    22). Add Wordpress Nginx vhost + Cache Plugin
    23). Update Centmin Mod Code Base
    24). Exit
    --------------------------------------------------------
    Enter option [ 1 - 24 ]
    

    Once the nginx vhost is created, you can run the instructed command to install the DNS mode obtained letsencrypt ssl certificate
    Code (Text):
    /root/.acme.sh/acme.sh --installcert -d acmedns1.domain.com -d acmedns2.domain.com --certpath /usr/local/nginx/conf/ssl/acmedns1.domain.com/acmedns1.domain.com-acme.cer --keypath /usr/local/nginx/conf/ssl/acmedns1.domain.com/acmedns1.domain.com-acme.key --capath /usr/local/nginx/conf/ssl/acmedns1.domain.com/acmedns1.domain.com-acme.cer --reloadCmd /usr/bin/ngxreload --fullchainpath /usr/local/nginx/conf/ssl/acmedns1.domain.com/acmedns1.domain.com-fullchain-acme.key
    

    This will install the letsencrypt ssl certificate files to the /usr/local/nginx/conf/ssl/acmedns1.domain.com/ directory, and you will need to edit your acmedns1.domain.com.ssl.conf vhost to change these 3 lines, which point at the default generated self-signed ssl cert,
    Code (Text):
      ssl_certificate      /usr/local/nginx/conf/ssl/acmedns1.domain.com/acmedns1.domain.com.crt;
      ssl_certificate_key  /usr/local/nginx/conf/ssl/acmedns1.domain.com/acmedns1.domain.com.key;
    
      # enable ocsp stapling
      #resolver 8.8.8.8 8.8.4.4 valid=10m;
      #resolver_timeout 10s;
      #ssl_stapling on;
      #ssl_stapling_verify on;
      #ssl_trusted_certificate /usr/local/nginx/conf/ssl/acmedns1.domain.com/acmedns1.domain.com-trusted.crt;
    

    to
    Code (Text):
      ssl_certificate      /usr/local/nginx/conf/ssl/acmedns1.domain.com/acmedns1.domain.com-acme.cer;
      ssl_certificate_key  /usr/local/nginx/conf/ssl/acmedns1.domain.com/acmedns1.domain.com-acme.key;
    
      # enable ocsp stapling
      #resolver 8.8.8.8 8.8.4.4 valid=10m;
      #resolver_timeout 10s;
      #ssl_stapling on;
      #ssl_stapling_verify on;
      #ssl_trusted_certificate /usr/local/nginx/conf/ssl/acmedns1.domain.com/acmedns1.domain.com-acme.cer;
    

    then restart nginx

    You can uncomment the last 4 lines if using live letsencrypt ssl certificate but leave commented out if using staging test letsencrypt ssl certs as OCSP stapling isn't supported for test staging ssl certs.
    Code (Text):
      resolver 8.8.8.8 8.8.4.4 valid=10m;
      resolver_timeout 10s;
      ssl_stapling on;
      ssl_stapling_verify on;
      ssl_trusted_certificate /usr/local/nginx/conf/ssl/acmedns1.domain.com/acmedns1.domain.com-acme.cer;
    
     
    Last edited: Oct 26, 2016
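Added example, not part of Centmin Mod or the thread: a POSIX sh function that does the vhost edit described above, swapping the self-signed paths for the -acme.cer/-acme.key files, refusing to touch the config if those files are not installed yet, and uncommenting the OCSP stapling block only for a live certificate. The vhost path /usr/local/nginx/conf/conf.d/ in the usage comment is an assumption; the cert file names follow the --installcert command in the thread.

```sh
#!/bin/sh
# Added example (not Centmin Mod code): switch a DOMAIN.ssl.conf vhost from
# the generated self-signed cert to the acme.sh-installed files.

# switch_vhost_to_acme VHOST_CONF DOMAIN SSL_DIR [live|staging]
# Backs VHOST_CONF up to VHOST_CONF.bak, rewrites the ssl_certificate,
# ssl_certificate_key and ssl_trusted_certificate paths to DOMAIN-acme.cer/.key,
# and prints the ssl lines nginx will now load.
switch_vhost_to_acme() {
  conf=$1; domain=$2; ssldir=$3; mode=${4:-staging}
  cer="$ssldir/$domain-acme.cer"; key="$ssldir/$domain-acme.key"
  # never point nginx at files that are not there: the reload would fail
  if [ ! -r "$cer" ] || [ ! -r "$key" ]; then
    echo "acme cert files missing under $ssldir, run --installcert first" >&2
    return 1
  fi
  cp "$conf" "$conf.bak" || return 1
  # ssl_certificate_key is not matched by the first pattern: "_" is not space
  sed \
    -e "s|^\([[:space:]]*ssl_certificate[[:space:]][[:space:]]*\).*|\1$cer;|" \
    -e "s|^\([[:space:]]*ssl_certificate_key[[:space:]][[:space:]]*\).*|\1$key;|" \
    -e "s|^\([[:space:]]*#*ssl_trusted_certificate[[:space:]][[:space:]]*\).*|\1$cer;|" \
    "$conf.bak" > "$conf" || return 1
  # OCSP stapling is only enabled for live certs; staging test certs keep it
  # commented out, as the thread notes stapling is not supported for them
  if [ "$mode" = live ]; then
    sed -e 's|^\([[:space:]]*\)#resolver|\1resolver|' \
        -e 's|^\([[:space:]]*\)#ssl_stapling|\1ssl_stapling|' \
        -e 's|^\([[:space:]]*\)#ssl_trusted_certificate|\1ssl_trusted_certificate|' \
        "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf" || return 1
  fi
  grep -E '^[[:space:]]*(ssl_certificate|ssl_trusted_certificate|ssl_stapling|resolver)' "$conf"
}

# Usage on a Centmin Mod host (vhost directory assumed; check with nginx -t
# before reloading, and keep "staging" until a live cert is installed):
# switch_vhost_to_acme /usr/local/nginx/conf/conf.d/acmedns1.domain.com.ssl.conf \
#   acmedns1.domain.com /usr/local/nginx/conf/ssl/acmedns1.domain.com staging \
#   && nginx -t && /usr/bin/ngxreload
```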