Letsencrypt Switching out CF CA certs to letsencrypt via CF DNS

Discussion in 'Install & Upgrades or Pre-Install Questions' started by Colin, Oct 10, 2022.

  1. Colin
    Running through this on my test install, which is currently set up with Cloudflare-issued certs.
    It's on 124 stable.

    My goal here is to not proxy through CF, or to be able to turn CF proxy on and off. Background is Invision scripts/update and marketplace are not working under CF, for some reason. They work fine on test, not prod, same rules, I digress.

    So, following the guide on getting an LE cert via the Cloudflare API: Migrating Existing Nginx Vhost From HTTP to HTTP/2 based HTTPS With Letsencrypt SSL Certificates & Letsencrypt Free SSL Certificates (footnote)

    Code:
    /root/.acme.sh/acme.sh --force --issue --days 60 -d test.briskoda.net  -k 2048 --useragent centminmod-centos-acmesh-webroot --log /root/centminlogs/acmetool.sh-debug-log-test.briskoda.net.log --log-level 2 --dns dns_cf
    Args added are --dns dns_cf

    I've got CF_DNS_API='y', CF_Token, CF_Account_ID, CF_EMAIL and CF_Zone_Id set in custom_config.

    ./acmetool.sh check_cfapi is happy.

    Running the above I get back:
    Code:
    Adding txt value: zL--snip--x8 for domain:  _acme-challenge.test.briskoda.net
    [Sun  9 Oct 16:43:06 UTC 2022] You didn't specify a Cloudflare api key and email yet.
    [Sun  9 Oct 16:43:06 UTC 2022] You can get yours from here https://dash.cloudflare.com/profile.
    [Sun  9 Oct 16:43:06 UTC 2022] Error add txt for domain:_acme-challenge.test.briskoda.net
    
    I've tried CF_DNS_API_GLOBAL='y' too, both seem to be mentioned.
    I've added the zone id as I set up the token for a specific zone. Also tried it for all zones.

    I feel I'm missing something obvious. I'm going down the DNS path as I'm using Cloudflare Access control and the .well-known check won't get past that.

    I'm going to spin up a new install as test needs a clean up anyway.


    Thanks for reading, any thoughts?
     
  2. eva2000
    Should be fairly easy to switch from Cloudflare-issued Origin CA certificates (which are not browser trusted, only CF network trusted) to the regular default Letsencrypt SSL certificates.

    As you're still using Cloudflare, the best way for Letsencrypt domain validation is via the CF DNS API as outlined at Letsencrypt Free SSL Certificates.

    In the persistent config file at /etc/centminmod/custom_config.inc:
    Code (Text):
    CF_DNSAPI_GLOBAL='y'
    CF_Token="YOUR_CF_TOKEN"
    CF_Account_ID="YOUR_CF_ACCOUNT_ID"
    


    Then, with CF proxy still enabled (don't disable it yet), if the existing domain's Centmin Nginx HTTPS vhost exists, just run acmetool.sh with the reissue-only command to only reissue the Letsencrypt SSL certificate without touching anything else:
    Code (Text):
    /usr/local/src/centminmod/addons/acmetool.sh reissue-only yourdomain.com live
    

    You'll need to manually edit your domain's HTTPS nginx vhost at /usr/local/nginx/conf/conf.d/yourdomain.com.ssl.conf, remove the references to the Cloudflare-issued Origin CA certificates, and then add back Centmin Mod's include files for Letsencrypt SSL certs.

    Centmin Mod Nginx HTTPS sites with Letsencrypt SSL certs should have an include line for /usr/local/nginx/conf/ssl/yourdomain.com/yourdomain.com.crt.key.conf next to the include line for /usr/local/nginx/conf/ssl_include.conf:
    Code (Text):
      include /usr/local/nginx/conf/ssl/yourdomain.com/yourdomain.com.crt.key.conf;
      include /usr/local/nginx/conf/ssl_include.conf;
    

    Within /usr/local/nginx/conf/ssl/yourdomain.com/yourdomain.com.crt.key.conf make sure you have the following contents:
    Code (Text):
      ssl_dhparam /usr/local/nginx/conf/ssl/yourdomain.com/dhparam.pem;
      ssl_certificate      /usr/local/nginx/conf/ssl/yourdomain.com/yourdomain.com-acme.cer;
      ssl_certificate_key  /usr/local/nginx/conf/ssl/yourdomain.com/yourdomain.com-acme.key;
      ssl_trusted_certificate /usr/local/nginx/conf/ssl/yourdomain.com/yourdomain.com-acme.cer;
    

    These directories and files get populated on successful completion of the above acmetool.sh reissue-only command.

    Then restart Nginx:
    Code (Text):
    service nginx restart
    

    or via the command shortcut:
    Code (Text):
    ngxrestart
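    As an added example (not Centmin Mod's own code), a small POSIX shell check that verifies the vhost edit above was completed: the two include lines are present, no ssl_certificate directive is still set directly in the vhost (where the Origin CA references lived), and crt.key.conf points at existing acme.sh-issued files. The second argument, the nginx conf root, is an assumption added so the check can be run against a test tree.

    ```shell
    #!/bin/sh
    # Added example, not Centmin Mod's own code: sanity-check a domain's Nginx HTTPS
    # vhost after the switch from Cloudflare Origin CA certs to Letsencrypt, using the
    # Centmin Mod paths quoted above. The nginx conf root argument is an assumption
    # so the check can be pointed at a test tree instead of /usr/local/nginx/conf.
    # Usage: check_le_vhost yourdomain.com [/usr/local/nginx/conf]
    # Returns 0 when everything is in place, 1 (with one line per problem) otherwise.

    check_le_vhost() {
      domain="$1"
      conf="${2:-/usr/local/nginx/conf}"
      vhost="$conf/conf.d/$domain.ssl.conf"
      crtkey="$conf/ssl/$domain/$domain.crt.key.conf"
      rc=0

      # 1. The vhost must include crt.key.conf next to ssl_include.conf.
      for inc in "ssl/$domain/$domain.crt.key.conf" "ssl_include.conf"; do
        grep -qF "include $conf/$inc;" "$vhost" 2>/dev/null \
          || { echo "MISSING: include $conf/$inc; in $vhost"; rc=1; }
      done

      # 2. No ssl_certificate / ssl_certificate_key left directly in the vhost:
      #    that is where the Cloudflare Origin CA references used to live.
      if grep -Eq '^[[:space:]]*ssl_certificate(_key)?[[:space:]]' "$vhost" 2>/dev/null; then
        echo "LEFTOVER: ssl_certificate directive still set directly in $vhost"
        rc=1
      fi

      # 3. crt.key.conf must reference the acme.sh-issued files, and they must exist
      #    (acmetool.sh reissue-only populates them on success).
      for f in "$domain-acme.cer" "$domain-acme.key"; do
        grep -qF "$conf/ssl/$domain/$f" "$crtkey" 2>/dev/null \
          || { echo "MISSING: $f not referenced in $crtkey"; rc=1; }
        [ -s "$conf/ssl/$domain/$f" ] \
          || { echo "MISSING: $conf/ssl/$domain/$f is absent or empty"; rc=1; }
      done
      return $rc
    }
    ```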
     
  3. eva2000
    FYI, the persistent config file settings won't work directly with the acme.sh client until you have used it at least once via centmin.sh menu option 2, 22 or via addons/acmetool.sh, as those methods are responsible for registering the persistent config Cloudflare API settings for acme.sh to recognise.

    If you want to use acme.sh directly with the CF DNS API the first time, you can export environment variables for acme.sh to recognise first:
    Code (Text):
      export CF_Token="$CF_Token"
      export CF_Account_ID="$CF_Account_ID"
    
     
  4. quicksalad
    Apologies to the post starter for hijacking this thread; this seems to be similar to what I wanted to try. Instead of creating a thread with the same title, I just want to post my query here.
    I have a running WP blog with Full (not strict) CF SSL. My site is just new so I can't afford to purchase a dedicated CF SSL.
    Basically, I wanted to get rid of the Common Name (CN) sni.cloudflaressl.com, so I'm thinking of switching to LetsEncrypt. Is this the right and possible way to achieve it? PS, I still want to use CF DNS and my other current settings, only the SSL thing.
    Any inputs and suggestions on how to do it are highly appreciated. Thanks
     
  5. eva2000
    Completely different issue to what @Colin is asking about. He's referring to the Centmin Mod Nginx HTTPS site SSL certificate while you're referring to the CF-served SSL certificate to visitors. For what you want, there is no changing the common name on the CF-served SSL certificate for visitors with Universal SSL. Only dedicated CF SSL certificates, i.e. via Cloudflare Advanced Certificate Manager, would do that. This is what the centminmod.com domain and this forum use: a Cloudflare Advanced Certificate Manager based SSL certificate.
     
  6. quicksalad
    @eva2000 Thanks for the explanation, I just thought it was possible as I see some sites using CF DNS with an LE cert.
    Maybe I'll try CF Advanced Certificate Manager in the future.
     
  7. Colin
    Returning to this as it's cold outside ;)

    That all ran ok, until the reissue.

    It did the DNS update, appeared to work, then failed, appearing to request the acme challenge, which I was thinking should be covered off by the domain/DNS setup. I might be misunderstanding of course.

    I'm also wondering if it's set up properly, it's an old install, because when doing acmetool.sh checkdomains it's not coming up.

    Log from reissue, redacted keys etc.:

    Code:
    [Sat Dec 17 11:28:25 UTC 2022] Creating domain key
    [Sat Dec 17 11:28:25 UTC 2022] The domain key is here: /root/.acme.sh/domain.net/domain.net.key
    testcert value = live
    /root/.acme.sh/acme.sh --force --dns dns_cf --issue -d domain.net -d www.domain.net --days 60 -w /home/nginx/domains/domain.net/public -k 2048 --useragent centminmod-centos7-acmesh-webroot --log /root/centminlogs/acmetool.sh-debug-log-171222-112820.log --log-level 2 --preferred-chain  "ISRG"
    [Sat Dec 17 11:28:26 UTC 2022] Using CA: https://acme-v02.api.letsencrypt.org/directory
    [Sat Dec 17 11:28:26 UTC 2022] Create account key ok.
    [Sat Dec 17 11:28:26 UTC 2022] Registering account: https://acme-v02.api.letsencrypt.org/directory
    [Sat Dec 17 11:28:27 UTC 2022] Registered
    [Sat Dec 17 11:28:27 UTC 2022] ACCOUNT_THUMBPRINT='xxx'
    [Sat Dec 17 11:28:27 UTC 2022] Multi domain='DNS:domain.net,DNS:www.domain.net'
    [Sat Dec 17 11:28:27 UTC 2022] Getting domain auth token for each domain
    [Sat Dec 17 11:28:29 UTC 2022] Getting webroot for domain='domain.net'
    [Sat Dec 17 11:28:30 UTC 2022] Getting webroot for domain='www.domain.net'
    [Sat Dec 17 11:28:30 UTC 2022] Adding txt value: <acme-key-at-the-time> for domain:  _acme-challenge.domain.net
    [Sat Dec 17 11:28:33 UTC 2022] Adding record
    [Sat Dec 17 11:28:35 UTC 2022] Added, OK
    [Sat Dec 17 11:28:35 UTC 2022] The txt record is added: Success.
    [Sat Dec 17 11:28:35 UTC 2022] Let's check each DNS record now. Sleep 20 seconds first.
    [Sat Dec 17 11:28:55 UTC 2022] You can use '--dnssleep' to disable public dns checks.
    [Sat Dec 17 11:28:55 UTC 2022] See: https://github.com/acmesh-official/acme.sh/wiki/dnscheck
    [Sat Dec 17 11:28:55 UTC 2022] Checking domain.net for _acme-challenge.domain.net
    [Sat Dec 17 11:28:55 UTC 2022] Domain domain.net '_acme-challenge.domain.net' success.
    [Sat Dec 17 11:28:55 UTC 2022] All success, let's return
    [Sat Dec 17 11:28:55 UTC 2022] Verifying: domain.net
    [Sat Dec 17 11:28:56 UTC 2022] Pending, The CA is processing your order, please just wait. (1/30)
    [Sat Dec 17 11:28:59 UTC 2022] Success
    [Sat Dec 17 11:28:59 UTC 2022] Verifying: www.domain.net
    [Sat Dec 17 11:28:59 UTC 2022] Pending, The CA is processing your order, please just wait. (1/30)
    [Sat Dec 17 11:29:02 UTC 2022] www.domain.net:Verify error:2606:4700:20::681a:365: Invalid response from https://www.domain.net/.well-known/acme-challenge/<acme-challenge-key>: 403
    [Sat Dec 17 11:29:02 UTC 2022] Removing DNS records.
    [Sat Dec 17 11:29:02 UTC 2022] Removing txt: <acme-key-at-the-time> for domain: _acme-challenge.domain.net
    [Sat Dec 17 11:29:07 UTC 2022] Removed: Success
    [Sat Dec 17 11:29:07 UTC 2022] Please check log file for more details: /root/centminlogs/acmetool.sh-debug-log-171222-112820.log
    I'll clean up the debug log too if it helps. The last entry is (different timestamp as it was rerun after exporting keys, just in case):
    Code:
    [Sat Dec 17 11:43:18 UTC 2022] responseHeaders='HTTP/2 400
    server: nginx
    date: Sat, 17 Dec 2022 11:43:18 GMT
    content-type: application/problem+json
    content-length: 144
    boulder-requester: 79999313
    cache-control: public, max-age=0, no-cache
    link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
    replay-nonce: some-nonce
    '
    [Sat Dec 17 11:43:18 UTC 2022] code='400'
    [Sat Dec 17 11:43:18 UTC 2022] original='{
      "type": "urn:ietf:params:acme:error:malformed",
      "detail": "Unable to update challenge :: authorization must be pending",
      "status": 400
    }'
    [Sat Dec 17 11:43:18 UTC 2022] response='{
      "type": "urn:ietf:params:acme:error:malformed",
      "detail": "Unable to update challenge :: authorization must be pending",
      "status": 400
    }'
    Googling this isn't throwing up a huge amount of useful hints.

    My gut is yelling it's in the setup, something is missing, or I skipped it and 4+ years back can't recall. This all worked fine on a clean test install.

    My gut is also suggesting I do a clean install on a shiny new box as that will keep me near to my desk heater all day :)
     
  8. eva2000
    Probably missing a step. I suggested you remove /root/.acme.sh/yourdomain.com/ and /root/.acme.sh/yourdomain.com_ecc/ before switching to the Cloudflare DNS API:
    Code (Text):
    cd /root/.acme.sh/
    rm -rf /root/.acme.sh/yourdomain.com/
    rm -rf /root/.acme.sh/yourdomain.com_ecc/
    

    The acme.sh config file for the domain in /root/.acme.sh/yourdomain.com/yourdomain.com.conf (and if applicable /root/.acme.sh/yourdomain.com_ecc/yourdomain.com.conf) has an entry telling acme.sh whether to use webroot or CF DNS domain validation.

    For webroot, the config file would list:
    Code (Text):
    Le_Webroot='/home/nginx/domains/yourdomain.com/public'

    For the CF DNS API, the config file would list:
    Code (Text):
    Le_Webroot='dns_cf'

    acme.sh will look at the config in /root/.acme.sh/yourdomain.com/yourdomain.com.conf (and if applicable /root/.acme.sh/yourdomain.com_ecc/yourdomain.com.conf) for subsequent SSL certificate renewals too.
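    As an added example (not acme.sh's or Centmin Mod's code), a POSIX shell function that reads a domain's acme.sh conf and reports which validation method each domain will get. acme.sh stores the -w and --dns arguments, in order, as one comma-separated Le_Webroot: domain i uses entry i, and domains beyond the end of the list reuse the last entry. That mapping is why the earlier command with both --dns dns_cf and -w /home/nginx/.../public validated the apex via DNS and www via the webroot. The sample conf in the test is constructed.

    ```shell
    #!/bin/sh
    # Added example, not acme.sh's own code: map each domain in an acme.sh domain conf
    # (/root/.acme.sh/<domain>/<domain>.conf) to the validation method acme.sh will use.
    # Le_Webroot holds the -w/--dns values in command-line order, comma separated;
    # the i-th domain takes the i-th entry and later domains reuse the last one.
    # Usage: acme_validation_map /root/.acme.sh/yourdomain.com/yourdomain.com.conf
    # Prints one "<domain><TAB>dns-api:<provider>" or "<domain><TAB>webroot:<path>" per line.

    acme_validation_map() {
      conf="$1"
      main=$(sed -n "s/^Le_Domain='\(.*\)'$/\1/p" "$conf")
      alt=$(sed -n "s/^Le_Alt='\(.*\)'$/\1/p" "$conf")
      roots=$(sed -n "s/^Le_Webroot='\(.*\)'$/\1/p" "$conf")
      if [ -z "$main" ] || [ -z "$roots" ]; then
        echo "ERROR: Le_Domain or Le_Webroot missing in $conf" >&2
        return 1
      fi

      # acme.sh writes Le_Alt='no' when the certificate has no extra SAN names.
      domains="$main"
      if [ -n "$alt" ] && [ "$alt" != "no" ]; then
        domains="$main,$alt"
      fi

      i=1
      current=""
      for d in $(echo "$domains" | tr ',' ' '); do
        r=$(echo "$roots" | cut -d, -f"$i")
        if [ -n "$r" ]; then
          current="$r"        # past the end of the list: keep the last entry
        fi
        case "$current" in
          dns_*) printf '%s\tdns-api:%s\n' "$d" "$current" ;;
          *)     printf '%s\twebroot:%s\n' "$d" "$current" ;;
        esac
        i=$((i + 1))
      done
    }
    ```

    A mixed result (DNS for the apex, webroot for www) means the renewal will still try to fetch /.well-known/acme-challenge/ on www through Cloudflare, so anything blocking dot-directories there will fail the renewal.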
     
  9. Colin

    I was hoisted with my own petard.

    In a bid to be overly protective, I had a block on .directories. All fine now, got a sore patch on the back of my head, mind.
    Next, to get it switched over and see if IPB will let me update, sans Cloudflare... (won't support me as I'm behind CF)

    Then put it back.


    /edit
    Missed your reply. Super, done that too, an early spring clean. Although no _ecc dir.
     
    Last edited: Dec 17, 2022
  10. eva2000
    Ah, that would explain it: /.well-known is where Letsencrypt webroot authentication looks for domain validation :)

    Ideally, if you're still using Cloudflare, the best way for Letsencrypt domain validation is via the CF DNS API as outlined at Letsencrypt Free SSL Certificates.
     
  11. Colin
    Yep, confusing. I saw the DNS record being added, then it was failing, so only when I saw the .well-known invalid response did I remove the dot block.
    I have the custom_conf set as you recommend in post 2.
    So both the DNS and .well-known checks seem to be run: DNS for non-www, .well-known for www is how it appeared to be done; the first one always passed.
    Bit confusing, but I can live without the dot block. I can survive on this server build. Once EL8 is safe to go it will be ported to a new build.

    :)