Letsencrypt SSL acmetool.sh not renewing certificate for one site

Discussion in 'Add Ons' started by CarpCharacin, Aug 7, 2017.

  1. CarpCharacin, Member

    Please fill in any relevant information that applies to you:
    • CentOS Version: CentOS 7 64bit
    • Centmin Mod Version Installed: 123.09beta01
    • Nginx Version Installed: i.e. 1.13.0
    • PHP Version Installed: i.e. 7.1.8
    • MariaDB MySQL Version Installed: 10.1
    • When was last time updated Centmin Mod code base ? : Today
    • Persistent Config: Do you have any persistent config file options set in /etc/centminmod/custom_config.inc ? No.
    It has been renewing the utahfishkeepers ssl certificate, just not the one for my other site.
    Here are the outputs:
    Code (Text):
    /var/log/cron:Jul 31 00:00:01 host CROND[2352]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron:Aug  1 00:00:01 host CROND[17354]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron:Aug  2 00:00:01 host CROND[31814]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron:Aug  3 00:00:01 host CROND[13093]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron:Aug  4 00:00:01 host CROND[26862]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron:Aug  5 00:00:01 host CROND[11305]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron:Aug  6 00:00:02 host CROND[26326]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron-20170709:Jul  4 00:00:01 host CROND[5507]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron-20170709:Jul  5 00:00:01 host CROND[22564]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron-20170709:Jul  6 00:00:01 host CROND[2029]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron-20170709:Jul  7 00:00:02 host CROND[19587]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron-20170709:Jul  8 00:00:01 host CROND[6611]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron-20170709:Jul  9 00:00:01 host CROND[22556]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron-20170716:Jul 10 00:00:01 host CROND[7261]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron-20170716:Jul 11 00:00:01 host CROND[22652]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron-20170716:Jul 12 00:00:01 host CROND[19569]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron-20170716:Jul 13 00:00:01 host CROND[14036]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron-20170716:Jul 14 00:00:02 host CROND[2328]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron-20170716:Jul 15 00:00:01 host CROND[24876]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron-20170716:Jul 16 00:00:01 host CROND[19891]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron-20170724:Jul 17 00:00:01 host CROND[10643]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron-20170724:Jul 18 00:00:01 host CROND[3399]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron-20170724:Jul 19 00:00:01 host CROND[27205]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron-20170724:Jul 20 00:00:01 host CROND[20770]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron-20170724:Jul 21 00:00:01 host CROND[6600]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron-20170724:Jul 22 00:00:01 host CROND[25683]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron-20170724:Jul 23 00:00:01 host CROND[11493]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron-20170724:Jul 24 00:00:01 host CROND[2236]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron-20170730:Jul 25 00:00:01 host CROND[21614]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron-20170730:Jul 26 00:00:01 host CROND[5524]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron-20170730:Jul 27 00:00:01 host CROND[20982]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron-20170730:Jul 28 00:00:01 host CROND[22468]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron-20170730:Jul 29 00:00:02 host CROND[5225]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron-20170730:Jul 30 00:00:01 host CROND[20336]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    

    Code (Text):
    -------------------------------------------------
    acmetool.sh is in beta testing phase
    please read & provide bug reports &
    feedback for this tool via the forums
    https://centminmod.com/acmetool
    -------------------------------------------------
    
    ----------------------------------------------
    nginx installed
    ----------------------------------------------
    
    /usr/local/nginx/conf/ssl/carpcharacin.rocks/carpcharacin.rocks-acme.cer
    SHA1 Fingerprint=04B66671C0E12B0D7C5B284F5FF2F477CE44EC15
    certificate expires in -5 days on 1 Aug 2017
    
    /usr/local/nginx/conf/ssl/utahfishkeepers.us/utahfishkeepers.us-acme.cer
    SHA1 Fingerprint=75356F784AECBC8AD8E7DA21B8A24134A9D6B24F
    certificate expires in 74 days on 20 Oct 2017
    
    ----------------------------------------------
    acme.sh obtained
    ----------------------------------------------
    
    /root/.acme.sh/carpcharacin.rocks/carpcharacin.rocks.cer
    SHA1 Fingerprint=04B66671C0E12B0D7C5B284F5FF2F477CE44EC15
    [ below certifcate transparency link is only valid ~1hr after issuance ]
    https://crt.sh/?sha1=04B66671C0E12B0D7C5B284F5FF2F477CE44EC15
    certificate expires in -5 days on 1 Aug 2017
    
    /root/.acme.sh/utahfishkeepers.us/utahfishkeepers.us.cer
    SHA1 Fingerprint=75356F784AECBC8AD8E7DA21B8A24134A9D6B24F
    [ below certifcate transparency link is only valid ~1hr after issuance ]
    https://crt.sh/?sha1=75356F784AECBC8AD8E7DA21B8A24134A9D6B24F
    certificate expires in 74 days on 20 Oct 2017
    

    Code (Text):
    [Sun Aug  6 18:01:28 UTC 2017] Renew: 'carpcharacin.rocks'
    [Sun Aug  6 18:01:29 UTC 2017] Multi domain='DNS:www.carpcharacin.rocks'
    [Sun Aug  6 18:01:29 UTC 2017] Getting domain auth token for each domain
    [Sun Aug  6 18:01:29 UTC 2017] Getting webroot for domain='carpcharacin.rocks'
    [Sun Aug  6 18:01:29 UTC 2017] _w='/home/nginx/domains/carpcharacin.rocks/publi'
    [Sun Aug  6 18:01:29 UTC 2017] Getting new-authz for domain='carpcharacin.rocks
    [Sun Aug  6 18:01:30 UTC 2017] The new-authz request is ok.
    [Sun Aug  6 18:01:30 UTC 2017] Getting webroot for domain='www.carpcharacin.rocs'
    [Sun Aug  6 18:01:30 UTC 2017] _w='/home/nginx/domains/carpcharacin.rocks/publi'
    [Sun Aug  6 18:01:30 UTC 2017] Getting new-authz for domain='www.carpcharacin.rcks'
    [Sun Aug  6 18:01:30 UTC 2017] The new-authz request is ok.
    [Sun Aug  6 18:01:30 UTC 2017] Verifying:carpcharacin.rocks
    [Sun Aug  6 18:01:33 UTC 2017] carpcharacin.rocks:Verify error:Invalid responsefrom http://carpcharacin.rocks/.well-known/acme-challenge/FmQBUOeupSLmv0pV1cldXja4hbg0zFVTAs_UIxJOXU:
    [Sun Aug  6 18:01:33 UTC 2017] Please check log file for more details: /root/cetminlogs/acmetool.sh-debug-log-040117-212952.log
    [Sun Aug  6 18:01:33 UTC 2017] Error renew carpcharacin.rocks, Go ahead to nextone.
    [Sun Aug  6 18:01:33 UTC 2017] Renew: 'utahfishkeepers.us'
    [Sun Aug  6 18:01:33 UTC 2017] Skip, Next renewal time is: Thu Sep 21 00:00:54 TC 2017
    [Sun Aug  6 18:01:33 UTC 2017] Add '--force' to force to renew.
    [Sun Aug  6 18:01:33 UTC 2017] Skipped utahfishkeepers.us
    

  2. CarpCharacin, Member

    Dang, carpcharacin.rocks just started redirecting to utahfishkeepers after I ran that last command.
  3. eva2000, Administrator, Staff Member

    Contents of the nginx vhost for carpcharacin.rocks?

    And contents of /root/cetminlogs/acmetool.sh-debug-log-040117-212952.log? Post to gist.github.com or pastebin.com.

    The redirect is probably because https requests to the expired SSL cert site are now redirecting to the next valid https site due to SNI support, where https SSL certs share the same IP address instead of each having its own separate IP. Fixing the expired SSL cert will fix the redirects.
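    A quick way to see which certificate nginx actually hands out for a given SNI name, and whether it covers that name and is still valid, as an added example that is not from this thread or from Centmin Mod. It assumes the openssl command-line tool is installed and the host is reachable on port 443; the parsing helpers work on openssl's plain `-text` output and can be exercised offline on a constructed dump.

```shell
#!/bin/sh
# Added example (not Centmin Mod's or acme.sh's code): report the certificate
# presented for one SNI name, the DNS names it covers, and whether it has
# expired. Assumes the openssl CLI (1.0.x or later) and a reachable host.

# Fetch the leaf certificate presented for SNI name $2 on host $1 (PEM on stdout).
fetch_sni_cert() {
    printf '' | openssl s_client -connect "$1:443" -servername "$2" 2>/dev/null \
        | openssl x509 2>/dev/null
}

# Read an "openssl x509 -text" dump on stdin and print the DNS names it covers
# (subject CN plus every SAN DNS entry), one per line, sorted and de-duplicated.
cert_dns_names() {
    awk '
        /Subject:.*CN *=/ { sub(/.*CN *= */, ""); sub(/[,\/].*/, ""); print }
        /DNS:/ { n = split($0, p, /,? *DNS:/); for (i = 2; i <= n; i++) print p[i] }
    ' | sed 's/[[:space:]]*$//' | sort -u
}

# Status 0 when the newline-separated list $1 contains the exact name $2.
covers() {
    printf '%s\n' "$1" | grep -qxF -- "$2"
}

# Check one name: status 0 only when the presented certificate covers the
# requested name and has not expired; otherwise explain which check failed.
check_sni() {
    host="$1"; name="$2"
    pem=$(fetch_sni_cert "$host" "$name")
    if [ -z "$pem" ]; then
        echo "$name: no certificate received from $host"
        return 1
    fi
    names=$(printf '%s\n' "$pem" | openssl x509 -noout -text | cert_dns_names)
    echo "$name: presented certificate covers: $(printf '%s' "$names" | tr '\n' ' ')"
    echo "$name: $(printf '%s\n' "$pem" | openssl x509 -noout -enddate)"
    bad=0
    covers "$names" "$name" || { echo "$name: NOT covered; another vhost's certificate was served"; bad=1; }
    printf '%s\n' "$pem" | openssl x509 -noout -checkend 0 >/dev/null \
        || { echo "$name: certificate has expired"; bad=1; }
    return $bad
}

# Usage: sh sni_check.sh <host-or-ip> <sni-name>; run once per site sharing the IP.
if [ $# -eq 2 ]; then
    check_sni "$1" "$2"
fi
```

    Running it for each name that shares the IP shows immediately whether a name is getting its own certificate or falling through to a neighbouring vhost's.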
     
  4. CarpCharacin, Member

    Here is the vhost:
    Code (Text):
    #x# HTTPS-DEFAULT
     server {
    
       server_name carpcharacin.rocks www.carpcharacin.rocks;
       return 302 https://$server_name$request_uri;
       include /usr/local/nginx/conf/staticfiles.conf;
     }
    
    server {
      listen 443 ssl http2;
      listen [2600:3c01::f03c:91ff:fe2c:f69e]:443 ssl http2;
      server_name carpcharacin.rocks www.carpcharacin.rocks;
    
      include /usr/local/nginx/conf/ssl/carpcharacin.rocks/carpcharacin.rocks.crt.key.conf;
      include /usr/local/nginx/conf/ssl_include.conf;
    
      http2_max_field_size 16k;
      http2_max_header_size 32k;
      # mozilla recommended
      ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA256:EECDH+ECDSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+SHA384:EECDH+AES128:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!CAMELLIA;
      ssl_prefer_server_ciphers   on;
      #add_header Alternate-Protocol  443:npn-spdy/3;
    
      # before enabling HSTS line below read centminmod.com/nginx_domain_dns_setup.html#hsts
      #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
      #add_header X-Frame-Options SAMEORIGIN;
      #add_header X-Xss-Protection "1; mode=block" always;
      #add_header X-Content-Type-Options "nosniff" always;
      #spdy_headers_comp 5;
      ssl_buffer_size 1369;
      ssl_session_tickets on;
    
      # enable ocsp stapling
      resolver 8.8.8.8 8.8.4.4 valid=10m;
      resolver_timeout 10s;
      ssl_stapling on;
      ssl_stapling_verify on;
    
    # ngx_pagespeed & ngx_pagespeed handler
    #include /usr/local/nginx/conf/pagespeed.conf;
    #include /usr/local/nginx/conf/pagespeedhandler.conf;
    #include /usr/local/nginx/conf/pagespeedstatslog.conf;
    
      #add_header X-Frame-Options SAMEORIGIN;
      #add_header X-Xss-Protection "1; mode=block" always;
      #add_header X-Content-Type-Options "nosniff" always;
    
      # limit_conn limit_per_ip 16;
      # ssi  on;
    
      access_log /home/nginx/domains/carpcharacin.rocks/log/access.log main_ext buffer=256k flush=60m;
      error_log /home/nginx/domains/carpcharacin.rocks/log/error.log;
    
      include /usr/local/nginx/conf/autoprotect/carpcharacin.rocks/autoprotect-carpcharacin.rocks.conf;
      root /home/nginx/domains/carpcharacin.rocks/public;
      # uncomment cloudflare.conf include if using cloudflare for
      # server and/or vhost site
      #include /usr/local/nginx/conf/cloudflare.conf;
      include /usr/local/nginx/conf/503include-main.conf;
    
      include /usr/local/nginx/conf/wpincludes/carpcharacin.rocks/wpcacheenabler_carpcharacin.rocks.conf;
      #include /usr/local/nginx/conf/wpincludes/carpcharacin.rocks/wpsupercache_carpcharacin.rocks.conf;
      # https://community.centminmod.com/posts/18828/
      #include /usr/local/nginx/conf/wpincludes/carpcharacin.rocks/rediscache_carpcharacin.rocks.conf;
    
      location / {
      include /usr/local/nginx/conf/503include-only.conf;
    
    
      # Enables directory listings when index file not found
      #autoindex  on;
    
      # for wordpress super cache plugin
      #try_files /wp-content/cache/supercache/$http_host/$cache_uri/index.html $uri $uri/ /index.php?q=$uri&$args;
    
      # for wp cache enabler plugin
      try_files $cache_enabler_uri $uri $uri/ $custom_subdir/index.php?$args;
    
      # Wordpress Permalinks
      #try_files $uri $uri/ /index.php?q=$uri&$args;
    
      # Nginx level redis Wordpress
      # https://community.centminmod.com/posts/18828/
      #try_files $uri $uri/ /index.php?$args;
    
      }
    
    location ~* /(wp-login\.php) {
        limit_req zone=xwplogin burst=1 nodelay;
        #limit_conn xwpconlimit 30;
        auth_basic "Private";
        #auth_basic_user_file /home/nginx/domains/carpcharacin.rocks/htpasswd_wplogin;
        include /usr/local/nginx/conf/php-wpsc.conf;
        # https://community.centminmod.com/posts/18828/
        #include /usr/local/nginx/conf/php-rediscache.conf;
    }
    
    location ~* /(xmlrpc\.php) {
        limit_req zone=xwprpc burst=45 nodelay;
        #limit_conn xwpconlimit 30;
        include /usr/local/nginx/conf/php-wpsc.conf;
        # https://community.centminmod.com/posts/18828/
        #include /usr/local/nginx/conf/php-rediscache.conf;
    }
    
      include /usr/local/nginx/conf/wpincludes/carpcharacin.rocks/wpsecure_carpcharacin.rocks.conf;
      include /usr/local/nginx/conf/php-wpsc.conf;
      # https://community.centminmod.com/posts/18828/
      #include /usr/local/nginx/conf/php-rediscache.conf;
      include /usr/local/nginx/conf/staticfiles.conf;
      include /usr/local/nginx/conf/drop.conf;
      #include /usr/local/nginx/conf/errorpage.conf;
      include /usr/local/nginx/conf/vts_server.conf;
    }
    

    I tried opening the log file, but it said No such file or directory.
     
  5. eva2000, Administrator, Staff Member

    Looks like the web root paths aren't registered correctly.

    from
    Code (Text):
    [Sun Aug  6 18:01:28 UTC 2017] Renew: 'carpcharacin.rocks'
    [Sun Aug  6 18:01:29 UTC 2017] Multi domain='DNS:www.carpcharacin.rocks'
    [Sun Aug  6 18:01:29 UTC 2017] Getting domain auth token for each domain
    [Sun Aug  6 18:01:29 UTC 2017] Getting webroot for domain='carpcharacin.rocks'
    [Sun Aug  6 18:01:29 UTC 2017] _w='/home/nginx/domains/carpcharacin.rocks/publi'
    [Sun Aug  6 18:01:29 UTC 2017] Getting new-authz for domain='carpcharacin.rocks
    [Sun Aug  6 18:01:30 UTC 2017] The new-authz request is ok.
    [Sun Aug  6 18:01:30 UTC 2017] Getting webroot for domain='www.carpcharacin.rocs'
    [Sun Aug  6 18:01:30 UTC 2017] _w='/home/nginx/domains/carpcharacin.rocks/publi'
    [Sun Aug  6 18:01:30 UTC 2017] Getting new-authz for domain='www.carpcharacin.rcks'
    [Sun Aug  6 18:01:30 UTC 2017] The new-authz request is ok.
    [Sun Aug  6 18:01:30 UTC 2017] Verifying:carpcharacin.rocks
    [Sun Aug  6 18:01:33 UTC 2017] carpcharacin.rocks:Verify error:Invalid responsefrom http://carpcharacin.rocks/.well-known/acme-challenge/FmQBUOeupSLmv0pV1cldXja4hbg0zFVTAs_UIxJOXU:
    [Sun Aug  6 18:01:33 UTC 2017] Please check log file for more details: /root/cetminlogs/acmetool.sh-debug-log-040117-212952.log
    [Sun Aug  6 18:01:33 UTC 2017] Error renew carpcharacin.rocks, Go ahead to nextone.
    [Sun Aug  6 18:01:33 UTC 2017] Renew: 'utahfishkeepers.us'
    [Sun Aug  6 18:01:33 UTC 2017] Skip, Next renewal time is: Thu Sep 21 00:00:54 TC 2017
    [Sun Aug  6 18:01:33 UTC 2017] Add '--force' to force to renew.
    [Sun Aug  6 18:01:33 UTC 2017] Skipped utahfishkeepers.us
    


    You have
    • _w='/home/nginx/domains/carpcharacin.rocks/publi'
    with the c missing on the end there for /public.

    acme.sh reads what your public web root is from /root/.acme.sh/domain.com/domain.com.conf for Let's Encrypt domain validation via the webroot authentication method, i.e. grepping for Le_Webroot in /root/.acme.sh/domain.com/domain.com.conf will reveal the path:
    Code (Text):
    grep Le_Webroot /root/.acme.sh/domain.com/domain.com.conf
    

    Example:
    Code (Text):
    grep Le_Webroot /root/.acme.sh/domain.com/domain.com.conf
    Le_Webroot='/home/nginx/domains/domain.com/public'
    

    Check that your path is correct in /root/.acme.sh/carpcharacin.rocks/carpcharacin.rocks.conf; this should show it:
    Code (Text):
    grep Le_Webroot /root/.acme.sh/carpcharacin.rocks/carpcharacin.rocks.conf
    

    If not, edit /root/.acme.sh/carpcharacin.rocks/carpcharacin.rocks.conf and re-run:
    Code (Text):
    "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh"
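    The check above can be done for every domain at once rather than one grep at a time. The following script is an added example, not Centmin Mod's or acme.sh's own code: it reads the Le_Webroot value from each /root/.acme.sh/<domain>/<domain>.conf and reports any webroot that is not an existing directory, which is exactly the condition behind the "Invalid response" webroot validation error in the log. It assumes Le_Webroot is stored as a plain single-quoted string (comma-separated for multi-domain certificates) and that ACME_HOME defaults to /root/.acme.sh; the demo tree it can build is constructed sample data, not real server files.

```shell
#!/bin/sh
# Added example (not Centmin Mod's or acme.sh's code): audit Le_Webroot in every
# acme.sh domain conf and flag paths that do not exist as directories, such as a
# truncated '/public' written as '/publi'. Assumes Le_Webroot='...' is stored as
# a plain quoted string, comma-separated when a multi-domain cert uses several roots.

ACME_HOME="${ACME_HOME:-/root/.acme.sh}"

# Print the Le_Webroot value from one domain conf with the quotes stripped.
le_webroot() {
    sed -n "s/^Le_Webroot='\(.*\)'$/\1/p" "$1" | head -n 1
}

# Check one conf; status 0 when every webroot entry is an existing directory.
# Non-path modes (dns_*, no, standalone, nginx, apache) use no webroot and are
# only reported, never counted as failures.
check_conf() {
    conf="$1"
    domain=$(basename "$conf" .conf)
    value=$(le_webroot "$conf")
    if [ -z "$value" ]; then
        echo "$domain: no Le_Webroot set"
        return 1
    fi
    bad=0
    old_ifs="$IFS"; IFS=','
    for entry in $value; do
        case "$entry" in
            /*)
                if [ -d "$entry" ]; then
                    echo "$domain: ok $entry"
                else
                    echo "$domain: webroot '$entry' is not a directory"
                    bad=1
                fi ;;
            *)  echo "$domain: non-webroot mode '$entry', nothing to check" ;;
        esac
    done
    IFS="$old_ifs"
    return $bad
}

# Walk every <domain>/<domain>.conf (and <domain>_ecc/) under ACME_HOME;
# status 1 if any domain fails.
audit_all() {
    rc=0
    for dir in "$ACME_HOME"/*/; do
        d=$(basename "$dir")
        d=${d%_ecc}
        conf="$dir$d.conf"
        [ -f "$conf" ] || continue
        check_conf "$conf" || rc=1
    done
    return $rc
}

# Constructed sample tree (not real server data): one correct conf and one whose
# path lost its final character, like the 'publi' value seen in the log above.
build_demo_tree() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/good.example" "$tmp/bad.example" "$tmp/www/good.example/public"
    printf "Le_Webroot='%s/www/good.example/public'\n" "$tmp" > "$tmp/good.example/good.example.conf"
    printf "Le_Webroot='%s/www/bad.example/publi'\n" "$tmp" > "$tmp/bad.example/bad.example.conf"
    echo "$tmp"
}

# Usage: sh webroot_audit.sh        (audits $ACME_HOME)
#        sh webroot_audit.sh demo   (audits the constructed sample tree)
case "${1:-}" in
    demo) ACME_HOME=$(build_demo_tree); audit_all || echo "demo: truncated webroot detected" ;;
    *)    audit_all || echo "one or more domains need attention before the next --cron run" ;;
esac
```

    A domain flagged here will keep failing webroot validation on every nightly --cron run while the cron log still shows the job running on time, which is why the cron entries in the first post looked healthy while the certificate quietly expired.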