
Domains DNS Letsencrypt Cloudflare Can't add another domain

Discussion in 'Domains, DNS, Email & SSL Certificates' started by Jon Snow, Nov 3, 2019.

  1. Jon Snow

    Jon Snow Active Member

    I have a server with two IPs. There are two sites set up on it. One uses one IP while the other uses the other IP.

    I have another domain I want to add to the server, and I use Cloudflare to manage DNS for it. I recently changed the nameservers to Cloudflare's own for this domain and checked that the domain was using the new Cloudflare nameservers. I then followed the instructions here - Using Centmin Mod acmetool.sh addon for Nginx HTTP/2 based HTTPS with free Letsencrypt SSL certificates - to set up a new vhost with SSL for the domain to use with the server. Unfortunately I ran into an error.

    Log - [Sun Nov 3 04:21:12 UTC 2019] Lets find script dir. [Sun Nov 3 04:21:12 UTC 2 - Pastebin.com

    If I restart NGINX, I get:

    Code (Text):
    Nov 03 04:35:44 ?????.members.linode.com nginx[15800]: nginx: [emerg] bind() to 0.0.0.0:443 failed (98: Address already in use)
    Nov 03 04:35:44 ?????.members.linode.com nginx[15800]: nginx: [emerg] bind() to 0.0.0.0:443 failed (98: Address already in use)
    Nov 03 04:35:45 ?????.members.linode.com nginx[15800]: nginx: [emerg] bind() to 0.0.0.0:443 failed (98: Address already in use)
    Nov 03 04:35:45 ?????.members.linode.com nginx[15800]: nginx: [emerg] bind() to 0.0.0.0:443 failed (98: Address already in use)
    Nov 03 04:35:46 ?????.members.linode.com nginx[15800]: nginx: [emerg] still could not bind()
    Nov 03 04:35:46 ?????.members.linode.com nginx[15800]: [FAILED]
    Nov 03 04:35:46 ?????.members.linode.com systemd[1]: nginx.service: control process exited, code=exited status=1
    Nov 03 04:35:46 ?????.members.linode.com systemd[1]: Failed to start SYSV: Nginx is an HTTP(S) server, HTTP(S) reverse proxy and IMAP/POP3 proxy server.
    Nov 03 04:35:46 ?????.members.linode.com systemd[1]: Unit nginx.service entered failed state.
    Nov 03 04:35:46 ?????.members.linode.com systemd[1]: nginx.service failed.

    I have to remove the vhost files to fix this.

    My custom config looks like:

    Code (Text):
    NGINX_PAGESPEED='y'
    NGXDYNAMIC_NGXPAGESPEED='y'
    LETSENCRYPT_DETECT='y'
    SECOND_IP=??.??.??.?
    MARCH_TARGETNATIVE='n'
    DISABLE_IPVSIX='y'

    How can I add this domain to use the IP I set where you see SECOND_IP?
  2. eva2000

    eva2000 Administrator Staff Member

    You need to use centmin.sh menu option 2, 22 or the nv command or acmetool.sh to be able to automatically use the IP address set in SECOND_IP. As you used the method outlined at Using Centmin Mod acmetool.sh addon for Nginx HTTP/2 based HTTPS with free Letsencrypt SSL certificates, acmetool.sh's underlying nginx vhost creation tool is the nv command, so it should work.

    You set DISABLE_IPVSIX='y' in the persistent config file to disable IPv6 support on your server, but Cloudflare edge servers accept both IPv4 and IPv6 requests and pass them back to the Centmin Mod origin Nginx server. But because IPv6 is disabled on your server, Letsencrypt domain validation is checking via Cloudflare's IPv6 address for the web root /.well-known validation file. If you have disabled IPv6 on your server, ensure Cloudflare's Pseudo IPv4 is enabled as outlined at Cloudflare - Cloudflare IPv6 Compatibility & Pseudo IPv4.

    Restore your domain's nginx vhost config file(s) to /usr/local/nginx/conf/conf.d where it was before and restart nginx + php-fpm. Then try running your intended SSL certificate domain through the letsdebug.net online testing tool to check for potential errors with HTTP-01 validation. Then enable Pseudo IPv4 and retry letsdebug.net.
    Then try the acmetool.sh reissue-only option for existing nginx HTTPS SSL vhosts with domain.com.ssl.conf vhost config files that exist. This only reissues the letsencrypt SSL cert without touching the nginx vhost. It is ideal for use when you tried creating a Nginx HTTPS SSL default vhost site but letsencrypt SSL issuance failed the first time. When it fails, Centmin Mod usually falls back to a self-signed SSL cert as a placeholder for the domain.com.ssl.conf vhost config. When you run:
    Code (Text):
    cd /usr/local/src/centminmod/addons
    ./acmetool.sh reissue-only domain.com live
    

    It will only try reissuing the letsencrypt SSL certificate for the domain = domain.com as a live production SSL certificate, without touching any of the existing nginx vhost at domain.com.ssl.conf.

    SSLLabs Test
    Also run your HTTPS domain site through the SSLLabs tester at SSL Server Test (Powered by Qualys SSL Labs). If it says untrusted SSL cert and prompts to continue the test, continue the test.
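The bind() failure quoted in the first post is what nginx reports when a new vhost asks for 0.0.0.0:443 while other vhosts on the box are already bound to specific IPs on the same port. The following diagnostic script is an added example and not part of Centmin Mod or this thread: it scans a vhost directory (assumed to be /usr/local/nginx/conf/conf.d on a real server) for listen directives and reports any port that mixes a wildcard listen with per-IP listens, so you can spot the conflicting domain.com.ssl.conf before restarting nginx; the sample vhost files and IPs in the test are constructed.

```shell
#!/bin/sh
# Hypothetical nginx listen-conflict checker (example code, not Centmin Mod's).
# Prints "addr port" for every listen directive found under the given directory.
extract_listens() {
    dir="$1"
    grep -rh -E '^[[:space:]]*listen[[:space:]]' "$dir" 2>/dev/null \
    | sed -E 's/^[[:space:]]*listen[[:space:]]+//; s/;.*$//' \
    | awk '{
        tok = $1
        if (tok ~ /^\[/) {
            # IPv6 form such as [::]:443
            sub(/^\[/, "", tok); n = index(tok, "]:")
            addr = substr(tok, 1, n - 1); port = substr(tok, n + 2)
        } else if (tok ~ /:/) {
            # IPv4 form such as 192.0.2.10:443
            n = index(tok, ":")
            addr = substr(tok, 1, n - 1); port = substr(tok, n + 1)
        } else {
            # bare port, e.g. "listen 443 ssl http2;" binds the wildcard address
            addr = "0.0.0.0"; port = tok
        }
        if (addr == "*" || addr == "::") addr = "0.0.0.0"
        print addr, port
    }'
}

# Group addresses by port and flag ports that have both a wildcard listen
# and one or more specific-IP listens (the combination behind the
# "bind() to 0.0.0.0:443 failed (98: Address already in use)" error).
find_listen_conflicts() {
    extract_listens "$1" | sort -u | awk '
        {
            addrs[$2] = addrs[$2] " " $1
            if ($1 == "0.0.0.0") wild[$2] = 1; else spec[$2] = 1
        }
        END {
            for (p in wild)
                if (p in spec)
                    printf "port %s mixes wildcard and specific listens:%s\n", p, addrs[p]
        }' | sort
}

# On a live server, show which process currently holds a port (needs iproute2 ss).
listeners_on_port() {
    ss -ltnp "sport = :$1"
}
```

Run it as `find_listen_conflicts /usr/local/nginx/conf/conf.d`; an empty result means every vhost agrees on how port 443 is bound, and `listeners_on_port 443` tells you which process owns the socket right now.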