
acmetool.sh issue certificate without www. subject alternative name

Discussion in 'Bug Reports' started by th0nkang, Jan 28, 2023.

  1. th0nkang

    th0nkang New Member

    When acmetool.sh asks for "Enter SSL certificate domain name you want without www. prefix host:" and I enter a domain name without the www. prefix, should it include the www. domain when issuing the certificate, or is it intentional not to include the www. domain?
    If so, how do I tell acmetool.sh to issue the certificate with the www. domain name included?


    centminmod 124.00stable
    acmetool.sh should be the latest (I downloaded it from the centminmod GitHub repo)
     
  2. eva2000

    eva2000 Administrator Staff Member

    By default, entering domain.com will auto-add the www version too, so no need to do anything else :)
     
  3. th0nkang

    th0nkang New Member

    Yeah, that's what I remembered from the last time I worked with centminmod. But this time (new server) it is not including www when issuing the certificate.
     
  4. eva2000

    eva2000 Administrator Staff Member

    First try running your intended SSL certificate domain through the letsdebug.net online testing tool to check for potential errors with HTTP-01 validation. If you created a Centmin Mod 123.09beta01 or higher Nginx site with Letsencrypt via centmin.sh menu option 2, 22 or the nv command line, you now also have an automatic letsdebug.net API check log saved at /root/centminlogs/letsdebug-yourdomain.com-${DT}.log, where yourdomain.com is the domain specified during nginx vhost creation and DT is the date/timestamp. Inspecting the /root/centminlogs/letsdebug-yourdomain.com-${DT}.log log will also give you clues as to why letsencrypt SSL certificate issuance failed.

    How was the initial letsencrypt SSL certificate obtained? Which method?
    • Was the domain nginx vhost already created prior, or was it a new domain nginx vhost site setup for the first time?
    • Via centmin.sh menu option 2, 22, /usr/bin/nv?
    • If you ran centmin.sh menu option 2 or 22, which letsencrypt option did you select from
      Code (Text):
      -------------------------------------------------------------
      Setup full Nginx vhost + Wordpress + WP Plugins
      -------------------------------------------------------------
      
      Enter vhost domain name you want to add (without www. prefix): acme3.domain1.com
      
      Create a self-signed SSL certificate Nginx vhost? [y/n]: n
      Get Letsencrypt SSL certificate Nginx vhost? [y/n]: y
      
      You have 4 options:
      1. issue staging test cert with HTTP + HTTPS
      2. issue staging test cert with HTTPS default
      3. issue live cert with HTTP + HTTPS
      4. issue live cert with HTTPS default
      Enter option number 1-4: 1
      
    • Via addons/acmetool.sh? Which specific command? Examples:
      Code (Text):
      ./acmetool.sh issue acme.domain.com
      
      Code (Text):
      ./acmetool.sh issue acme.domain.com live
      
      Code (Text):
      ./acmetool.sh issue acme.domain.com d
      
      Code (Text):
      ./acmetool.sh issue acme.domain.com lived
      
    • What was the order of steps you did? Did you run centmin.sh menu option 2 first with letsencrypt? Then did you run addons/acmetool.sh afterwards?

    Troubleshooting

    There are various steps you can do to troubleshoot letsencrypt issuances, renewals, reissues etc.
    • acmetool.sh logs all command line or shell menu runs to log files at /root/centminlogs. To troubleshoot, copy the contents of the log run and post the contents of the log to pastebin.com or gist.github.com and share the link in this thread. To find the log, list the logs in ascending date order:
      Code (Text):
      ls -lahrt /root/centminlogs
      
    • You can also do a quick grep filter on all previous and current acmetool.sh runs of the underlying acme.sh client for errors listed in errordetails field of each log using the command below:
      Code (Text):
      find /root/centminlogs/ -type f -name 'acme*.log' -printf '%TY-%Tm-%Td %TH:%TM:%TS %p\n' | sort | awk '{print $3}' | xargs -d '\n' grep -i 'errordetail'
      
    • For direct acmetool.sh runs, there should be a 2nd & 3rd & 4th log in format /root/centminlogs/centminmod_${DT}_nginx_addvhost_nv.log and /root/centminlogs/acmetool.sh-debug-log-$DT.log and /root/centminlogs/acmesh-issue_*.log or /root/centminlogs/acmesh-reissue_*.log which would need to be included via separate pastebin.com or gist.github.com post.
    • Enable acmetool.sh debug mode. In the persistent config file at /etc/centminmod/custom_config.inc (create it if it doesn't exist), add and enable acmetool.sh debug mode, which gives much more verbose letsencrypt issuance process information when you re-run acmetool.sh or centmin.sh menu options 2, 22 or /usr/bin/nv command lines.
      Code (Text):
      ACMEDEBUG='y'
    If acme.sh auto renewals didn't happen, check the output of the following commands:
    Code (Text):
    grep acme /var/log/cron* | sed -e "s|$(hostname -s)|host|g"
    

    Code (Text):
    echo y | /usr/local/src/centminmod/addons/acmetool.sh checkdates
    

    Code (Text):
    "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh"
    

    Code (Text):
    echo | openssl s_client -connect yourdomain.com:443
    

    Without the answers to above questions and logs, there is nothing to help troubleshoot.

    SSLLabs Test

    Also run your HTTPS domain site through the SSLLabs tester at SSL Server Test (Powered by Qualys SSL Labs). If it says untrusted SSL cert and prompts to continue the test, continue the test.

    Cloudflare

    If you use Cloudflare, instead of the default Letsencrypt web root validation, you can use Cloudflare's DNS API for Letsencrypt DNS validation for your domain. See the outline at the bottom of the page at Letsencrypt Free SSL Certificates
     
  5. eva2000

    eva2000 Administrator Staff Member

    Oh, that might be the problem. Do you mean you used a git clone of the repo? Centmin Mod no longer uses a Git clone directly for the initial install; it's done via the official installers listed in the GitHub readme at GitHub - centminmod/centminmod: CentOS Shell menu based Nginx LEMP web stack auto installer (GPLv3 licensed) or Centmin Mod LEMP Stack Install Nginx on CentOS

    i.e. like
    Code (Text):
    yum -y update; curl -O https://centminmod.com/installer.sh && chmod 0700 installer.sh && bash installer.sh
    
     
  6. th0nkang

    th0nkang New Member

    I only downloaded acmetool.sh from centminmod/acmetool.sh at master · centminmod/centminmod since I didn't know where acmetool.sh was installed.
    For the initial install, yes, I'm using installer.sh from centminmod.com.
    Here's my certificate log from crt.sh | Certificate Search
    upload_2023-1-30_15-18-37.png
    dualcert is on.
    The bottom 2 were from the initial add vhost (option 2) > issue live cert with HTTPS default (option 4).
    The next 2 were from a reissue with acmetool.sh acme-menu > Reissue SSL Management (option 6) > Reissue SSL Cert Live HTTPS Default (option 4).
    I turned off dualcert since it was already at 4 of the 5 weekly limit, I believe.
    The top one is from a manual issue with acme.sh with -d domain.com -d www.domain.com.

    acmesh-issue_270123-141235.log
    Code (Text):
    -----------------------------------------------------------
    issue & install letsencrypt ssl certificate for domain.com
    -----------------------------------------------------------
    testcert value = lived
    /root/.acme.sh/acme.sh --issue -d domain.com --days 60 -w /home/nginx/domains/domain.com/public -k 2048 --useragent centminmod-centos7-acmesh-webroot --log /root/centminlogs/acmetool.sh-debug-log-270123-141235.log --log-level 2 --preferred-chain  "ISRG"

    I noticed that when adding the vhost, centminmod said it can't find DNS records, but I assure you the DNS records existed before I added the vhost (I used DNS tools like DNS Checker to check them), and after adding the vhost everything seems to be working properly except that the issued certificate doesn't have the www. alternative name.
    centminmod_124.00stable.s70_270123-125219_nginx_addvhost.log
    Code (Text):
    ---------------------------------------------------------------
    Important Information
    ---------------------------------------------------------------
    You are about to create an Nginx vhost site account with/without
    HTTPS/SSL support. Details of this process are outlined on site
    at centminmod.com/nginx_domain_dns_setup.html. Also read the
    continually updated Getting Started Guide for Centmin Mod usage
    at centminmod.com/getstarted.html which covers the pure-ftpd
    ftp username that is auto generated with the Nginx vhost site.
    ---------------------------------------------------------------
    403 Permission denied message handling
    if after vhost site setup you encounter 403 permission denied errors,
    check https://community.centminmod.com/threads/7308/ to see if your
    site needs tools/autoprotect.sh tweaking/whitelisting
    ---------------------------------------------------------------
    
    Do you want to continue with Nginx vhost site creation ? [y/n] y
    
    Enter vhost domain name to add (without www. prefix): domain.com
    
    Create a self-signed SSL certificate Nginx vhost? [y/n]: y
    Get Letsencrypt SSL certificate Nginx vhost? [y/n]: y
    
    ---------------------------------------------------------------
    To get Letsencrypt SSL certificate, you must already have updated intended
    domain vhost name's DNS A record to this server's IP addresss.
    If top level domain, DNS A record is needed also for www. version of domain
    otherwise, Letsencrypt domain name validation will fail.
    ---------------------------------------------------------------
    continue [y/n] ? y
    
    
    !! Error: domain.com DNS records not found or setup properly yet or domain.com invalid
    
    Abort this Nginx vhost domain setup to setup proper DNS A record(s) first? [y/n]: n
    
    Do you want to continue [y/n]: y
    
    ------------------------------------------------
    You have 4 options:
    ------------------------------------------------
    1. issue staging test cert with HTTP + HTTPS (untrusted)
    2. issue staging test cert with HTTPS default (untrusted)
    3. issue live cert with HTTP + HTTPS (trusted)
    4. issue live cert with HTTPS default (trusted)
    Enter option number 1-4: 4
     
  7. eva2000

    eva2000 Administrator Staff Member

    You shouldn't need to download acmetool.sh; it should be natively installed at /usr/local/src/centminmod/addons/acmetool.sh to be used by centmin.sh menu option 2, 22 or via the nv command line.

    Admittedly, acmetool.sh acme-menu hasn't been worked on for ages, as the non-menu command line is all addons/acmetool.sh is used for in the underlying centmin.sh menu option 2, 22 or nv command line usage. But your first try with centmin.sh menu option 2 also had the same issue, so that probably rules it out.

    If you can provide the full log for acmesh-issue_270123-141235.log via private message attachment that would help.

    Do you have the exact error message? Or do you mean the message = !! Error: DNS A record IP doesn't match any found on this server ? Are you running behind Cloudflare Orange cloud proxy? That message would be expected, as Cloudflare hides the domain's real IP address with its own. In 130.00beta01, yesterday I updated its code for centmin.sh menu option 2 to also add a note for Cloudflare users to ignore the = !! Error: DNS A record IP doesn't match any found on this server message, as it's expected to not match if Cloudflare is used.

    acmetool.sh and centmin.sh menu option 2, 22 or nv system DNS checks will use dig with Google 8.8.8.8 DNS resolver, so if that isn't working properly, it probably would cause issues like this. You can see the code for centmin.sh menu option 2 check_dns() function for 124.00stable at top of inc/nginx_addvhost.inc include file at centminmod/nginx_addvhost.inc at 124.00stable · centminmod/centminmod

    If you can provide the full centminmod_124.00stable.s70_270123-125219_nginx_addvhost.log log too via private message attachment (you might need to zip it up for size limits), that would help with troubleshooting.
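An added example, not part of the thread and not Centmin Mod's own code, that reproduces the two checks discussed in this thread offline: whether a served certificate's subjectAltName covers both the apex and www. names (the openssl s_client check from the troubleshooting list), and the dig-vs-local-IP comparison that check_dns() performs and that a NAT'd server fails. The live helpers assume openssl, dig and hostname -I are available; domain.com and every IP address in the sample inputs are constructed.

```shell
#!/usr/bin/env bash
# Added example, not Centmin Mod's own code. domain.com and all IPs are constructed.

# san_covers SAN_LINE NAME...: succeed only if every NAME appears as a DNS: entry
# in SAN_LINE, the "X509v3 Subject Alternative Name" value as printed by
# `openssl x509 -text`, e.g. "DNS:domain.com, DNS:www.domain.com".
san_covers() {
  local san_line="$1" name
  shift
  for name in "$@"; do
    # -x -F: whole-entry literal match, so DNS:xdomain.com never matches domain.com
    printf '%s\n' "$san_line" | tr ',' '\n' | sed 's/^[[:space:]]*//' \
      | grep -qxF "DNS:${name}" || return 1
  done
}

# dns_matches_local RESOLVED LOCAL: succeed if any public-DNS A record (RESOLVED,
# space separated) equals an address bound on this host (LOCAL). Behind NAT the
# host only sees its private address while public DNS returns the router's
# address, so this fails even when DNS is correct, which is the mismatch the
# check_dns() discussion above describes.
dns_matches_local() {
  local resolved="$1" local_ips="$2" ip
  for ip in $resolved; do
    case " $local_ips " in *" $ip "*) return 0 ;; esac
  done
  return 1
}

# Live helpers (network required); not exercised by the offline checks above.
fetch_san_line() {   # usage: fetch_san_line domain.com
  echo | openssl s_client -servername "$1" -connect "$1:443" 2>/dev/null \
    | openssl x509 -noout -text | grep -A1 'Subject Alternative Name' | tail -n1
}
resolve_a() { dig +short A "$1" @8.8.8.8 | tr '\n' ' '; }   # same resolver as check_dns()

if [ -n "${1:-}" ]; then   # usage: ./check.sh domain.com
  d="$1"
  if san_covers "$(fetch_san_line "$d")" "$d" "www.$d"; then
    echo "certificate covers $d and www.$d"
  else
    echo "certificate is missing $d or www.$d in its SANs"
  fi
  if dns_matches_local "$(resolve_a "$d")" "$(hostname -I)"; then
    echo "public DNS A record matches a local address"
  else
    echo "public DNS A record matches no local address (expected behind NAT)"
  fi
fi
```

Run against a domain with a known-good certificate first so you can tell a NAT mismatch apart from a genuinely wrong DNS record.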
     
  8. th0nkang

    th0nkang New Member

    Sent it to you :)
    No, I'm not behind Cloudflare. But I'm behind NAT.
    The error message is:
    "!! Error: domain.com DNS records not found or setup properly yet or domain.com invalid".
     
  9. eva2000

    eva2000 Administrator Staff Member

    Is your ISP connection behind NAT, or do you mean the actual VPS/server that Centmin Mod is installed on is behind NAT?
     
  10. th0nkang

    th0nkang New Member

    The server is behind NAT.
     
  11. eva2000

    eva2000 Administrator Staff Member

    Ah, then yes, that probably is the problem. Centmin Mod hasn't really been designed or tested for NAT setup servers - primarily due to me not using them, so I can't really test them, and 99.99999% of users aren't using NAT setup servers, so it doesn't make sense for me to dedicate free time to this. That's probably why.

    I'll check the log you provided but pretty sure that's why. Who's your web host?
     
  12. th0nkang

    th0nkang New Member

    Yeah, I agree with that, and I'm actually fine if this is just a problem from a rare use case of centmin mod. I'm just happy to report it and hopefully it becomes "documentation" for someone with the same use case ;).
    It's an on-premise server. I'm just setting up the server remotely through SSH, and the web developer is as well.
     
  13. eva2000

    eva2000 Administrator Staff Member
