
Error: Setting Up Cloudflare Authenticated Origin Pulls

Discussion in 'Domains, DNS, Email & SSL Certificates' started by Mrbo, Feb 27, 2019.

  1. Mrbo
    Hi! I followed this guide to set up Cloudflare Authenticated Origin Pulls but after I un-comment the two lines in my vhost I get this error when I try to restart nginx.

    Code:
    [22:14][root@contribution ~]# ngxrestart
    Restarting nginx (via systemctl):  Job for nginx.service failed because the control process exited with error code. See "systemctl status nginx.service" and "journalctl -xe" for details.
                                                               [FAILED]
    You have new mail in /var/spool/mail/root
    [22:15][root@contribution ~]# systemctl status nginx.service
    ● nginx.service - SYSV: Nginx is an HTTP(S) server, HTTP(S) reverse proxy and IMAP/POP3 proxy server
       Loaded: loaded (/etc/rc.d/init.d/nginx; bad; vendor preset: disabled)
       Active: failed (Result: exit-code) since Tue 2019-02-26 22:15:29 UTC; 12s ago
         Docs: man:systemd-sysv-generator(8)
      Process: 765 ExecStop=/etc/rc.d/init.d/nginx stop (code=exited, status=0/SUCCESS)
      Process: 780 ExecStart=/etc/rc.d/init.d/nginx start (code=exited, status=1/FAILURE)
     Main PID: 31042 (code=exited, status=0/SUCCESS)
    
    Feb 26 22:15:29 contribution systemd[1]: Starting SYSV: Nginx is an HTTP(S) server, HTTP(S) reverse proxy and IMAP/POP3 proxy server...
    Feb 26 22:15:29 contribution nginx[780]: Starting nginx: nginx: [emerg] SSL_CTX_load_verify_locations("/usr/local/nginx/conf/ssl/cloudflare/webdigitos.com/origin.crt") fai...
    Feb 26 22:15:29 contribution nginx[780]: [FAILED]
    Feb 26 22:15:29 contribution systemd[1]: nginx.service: control process exited, code=exited status=1
    Feb 26 22:15:29 contribution systemd[1]: Failed to start SYSV: Nginx is an HTTP(S) server, HTTP(S) reverse proxy and IMAP/POP3 proxy server.
    Feb 26 22:15:29 contribution systemd[1]: Unit nginx.service entered failed state.
    Feb 26 22:15:29 contribution systemd[1]: nginx.service failed.
    Hint: Some lines were ellipsized, use -l to show in full.
    
    
     
  2. eva2000 (Administrator)
    run nginx config check and post output
    Code (Text):
    nginx -t
     
  3. Mrbo
    Code:
    [22:58][root@contribution ~]# nginx -t
    nginx: [emerg] SSL_CTX_load_verify_locations("/usr/local/nginx/conf/ssl/cloudflare/webdigitos.com/origin.crt") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/usr/local/nginx/conf/ssl/cloudflare/webdigitos.com/origin.crt','r') error:2006D080:BIO routines:BIO_new_file:no such file error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib)
    nginx: configuration file /usr/local/nginx/conf/nginx.conf test failed
     
  4. eva2000 (Administrator)
    It seems the origin cert wasn't downloaded/created at /usr/local/nginx/conf/ssl/cloudflare/webdigitos.com/origin.crt when your domain was created via centmin.sh menu option 2.

    so you can manually do that via steps outlined at https://community.centminmod.com/th...d-origin-pulls-protecting-your-origins.13847/

    run commands
    Code (Text):
    read -ep "enter vhost domain name you want to setup cloudflare origin pull for: " vhostname ;
    mkdir -p /usr/local/nginx/conf/ssl/cloudflare/$vhostname ;
    cd /usr/local/nginx/conf/ssl/cloudflare/$vhostname ;
    wget https://support.cloudflare.com/hc/en-us/article_attachments/201243967/origin-pull-ca.pem -O origin.crt ;
    echo -e "ssl_client_certificate /usr/local/nginx/conf/ssl/cloudflare/$vhostname/origin.crt;\nssl_verify_client on;" ;
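
The steps above (make the per-vhost directory, fetch origin-pull-ca.pem as origin.crt, uncomment ssl_client_certificate and ssl_verify_client) fail exactly as in the first post when the file is absent or unusable, and nginx only tells you at restart time. The following is an added pre-flight check, not Centmin Mod's own code: it parses the vhost, resolves the ssl_client_certificate path and reports whether the CA file is missing, empty (what `wget -O` leaves behind on a failed download), or not a PEM certificate at all, and it flags ssl_verify_client values other than `on`, which do not actually enforce origin pulls. The vhost text and the CA bytes are constructed for the example; the PEM check is structural (markers, base64 body, DER SEQUENCE tag), not an X.509 parser.

```python
"""Pre-flight check for the two Cloudflare Authenticated Origin Pulls
directives before nginx -t / ngxrestart trips over them.

Added example, not Centmin Mod's own code. The vhost fragment and the CA
bytes below are constructed for this example."""
import base64
import os
import re
import tempfile

DIRECTIVE_RE = re.compile(
    r'^\s*(ssl_client_certificate|ssl_verify_client)\s+([^;#]+?)\s*;', re.M)
PEM_CERT_RE = re.compile(
    r'-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----', re.S)

# Constructed vhost fragment with the two lines from the guide uncommented.
SAMPLE_VHOST = """\
server {
  listen 443 ssl http2;
  server_name domain.com www.domain.com;
  ssl_client_certificate /usr/local/nginx/conf/ssl/cloudflare/domain.com/origin.crt;
  ssl_verify_client on;
}
"""
# Same vhost with both lines still commented out (the shipped default).
SAMPLE_VHOST_COMMENTED = SAMPLE_VHOST.replace('  ssl_', '  #ssl_')

# Constructed stand-in for origin-pull-ca.pem: a valid PEM wrapper around a
# minimal DER SEQUENCE. It is NOT Cloudflare's CA certificate.
SAMPLE_CA_PEM = ('-----BEGIN CERTIFICATE-----\n'
                 + base64.b64encode(b'\x30\x03\x02\x01\x01').decode() + '\n'
                 + '-----END CERTIFICATE-----\n')


def parse_directives(vhost_text):
    """Active (uncommented) ssl_client_certificate / ssl_verify_client values."""
    return {m.group(1): m.group(2).strip().strip('"\'')
            for m in DIRECTIVE_RE.finditer(vhost_text)}


def check_ca_file(path):
    """Problems nginx's SSL_CTX_load_verify_locations() would hit with this
    file; an empty list means it looks loadable."""
    if not os.path.isfile(path):
        return [f'{path}: No such file or directory (the wget step never ran or failed)']
    with open(path, 'rb') as f:
        data = f.read()
    if not data.strip():
        return [f'{path}: file is empty (wget -O leaves an empty file when the download fails)']
    bodies = PEM_CERT_RE.findall(data.decode('ascii', errors='replace'))
    if not bodies:
        return [f'{path}: no PEM CERTIFICATE block (an HTML error page saved instead?)']
    problems = []
    for n, body in enumerate(bodies, 1):
        try:
            der = base64.b64decode(''.join(body.split()), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            problems.append(f'{path}: certificate #{n} body is not valid base64')
            continue
        if not der or der[0] != 0x30:
            problems.append(f'{path}: certificate #{n} does not decode to a DER SEQUENCE')
    return problems


def preflight(vhost_text, conf_root='/'):
    """Findings for the vhost's origin-pull setup; [] means the client-cert
    part should pass nginx -t. conf_root lets the check run against a copy."""
    d = parse_directives(vhost_text)
    mode = d.get('ssl_verify_client', 'off')
    findings = []
    if mode == 'off':
        return ['ssl_verify_client is off (or both lines are still commented out): '
                'origin pulls are not enforced, so anything that reaches the origin '
                'IP directly bypasses Cloudflare']
    if mode.startswith('optional'):
        findings.append(f'ssl_verify_client {mode}: requests without a Cloudflare client '
                        'cert are still served unless the vhost rejects '
                        '$ssl_client_verify != SUCCESS; the guide intends "on"')
    if mode == 'optional_no_ca':
        return findings  # nginx does not verify against a CA in this mode
    if 'ssl_client_certificate' not in d:
        findings.append('ssl_verify_client needs ssl_client_certificate pointing at '
                        'the Cloudflare origin-pull CA')
        return findings
    ca_path = os.path.join(conf_root, d['ssl_client_certificate'].lstrip('/'))
    findings.extend(check_ca_file(ca_path))
    return findings


def demo():
    """Reproduce the thread's failure and its fix in a scratch directory:
    CA file missing, empty, present, and both directives commented out."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        ca = os.path.join(root, 'usr/local/nginx/conf/ssl/cloudflare/domain.com/origin.crt')
        results['missing'] = preflight(SAMPLE_VHOST, conf_root=root)
        os.makedirs(os.path.dirname(ca))
        open(ca, 'w').close()
        results['empty'] = preflight(SAMPLE_VHOST, conf_root=root)
        with open(ca, 'w') as f:
            f.write(SAMPLE_CA_PEM)
        results['ok'] = preflight(SAMPLE_VHOST, conf_root=root)
        results['commented'] = preflight(SAMPLE_VHOST_COMMENTED, conf_root=root)
    return results


if __name__ == '__main__':
    for case, findings in demo().items():
        print(f'{case}: {findings or "OK"}')
```

Run it against the real vhost with `preflight(open('/usr/local/nginx/conf/conf.d/domain.com.ssl.conf').read())` (default conf_root '/') before `nginx -t`; the "missing" finding is the same condition the `SSL_CTX_load_verify_locations` emerg above reports, and the "off" finding is the reminder that leaving the two lines commented out means the origin still accepts direct connections.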
    
     
  5. Mrbo
    Ok, I never used option 2 to install WP. This was a fresh install with option 22 on a fresh server with all the latest updates. Any idea why it wasn't created? I will go on and fix it manually. Thanks!
     
  6. eva2000 (Administrator)
    Same: both centmin.sh menu option 2 and 22 usually will auto download the Cloudflare origin pull cert unless there were problems. You can check your nginx vhost creation logs in /root/centminlogs for clues (I wouldn't post these logs publicly as they contain pure-ftpd user/pass etc).
     
  7. Mrbo
    Awesome! Thank you very much. I will see if it works better with the next installation.
     
  8. Mrbo
    Unfortunately it didn't work again. No Cloudflare Authenticated Origin certificates on fresh WP installs. Any way to troubleshoot it?
     
  9. eva2000 (Administrator)
    Maybe related to your modifications of wpsetup.inc (Beta Branch - update inc/wpsetup.inc add new mywpcmds routine)? Tried without your modified wpsetup.inc?

    Troubleshooting Centmin Mod Menu Option 22 Wordpress Install Run

    To troubleshoot a centmin.sh menu option 22 wordpress installation, you need to check the centmin.sh menu option 22 log in /root/centminlogs, named /root/centminlogs/centminmod_*_wordpress_addvhost.log where * is the centminmod version and date timestamp. Edit and mask any actual ftp username/password or wordpress usernames and logins before posting the log contents to Pastebin.com or Gists to share a sanitised version of the contents of the log.

    Example: list /root/centminlogs files in date ascending order and grep for wordpress_addvhost.log
    Code (Text):
    ls -lahrt /root/centminlogs | grep wordpress_addvhost.log
    

    Example output, returning the log at /root/centminlogs/centminmod_1.2.3-eva2000.09.001_111016-112321_wordpress_addvhost.log
    Code (Text):
    ls -lahrt /root/centminlogs | grep wordpress_addvhost.log
    -rw-r--r--  1 root root 2.2M Oct 11 01:40 /root/centminlogs/centminmod_1.2.3-eva2000.09.001_111016-112321_wordpress_addvhost.log
    

    In SSH use cat to output the contents of /root/centminlogs/centminmod_1.2.3-eva2000.09.001_111016-112321_wordpress_addvhost.log. Clear your SSH client window/buffer so the only output is the contents of the file
    Code (Text):
    cat /root/centminlogs/centminmod_1.2.3-eva2000.09.001_111016-112321_wordpress_addvhost.log
    

    Then copy and paste into a Pastebin.com or Gists entry. If your SSH window scroll buffer isn't large enough to hold the whole contents of the install log, you can download the file manually and copy and paste the contents. But make sure it's a sanitised version of the contents without revealing sensitive info. For example you can replace the domain name of the wordpress site with a generic dummy entry = domain.com if you want and mask the site/server IP revealed in the log with a generic dummy entry = 111.222.333.444.
     
  10. Kuro
    Hi Eva,
    Today I installed three times on a new VPS with Centminmod and Let's Encrypt but I don't see any Cloudflare Authenticated Origin Pull inside.

    [image attachment: upload_2019-3-31_23-16-31.png]
    Chances are that the guy is the same as me. Of course I can still install it manually.
    Code:
    read -ep "enter vhost domain name you want to setup cloudflare origin pull for: " vhostname ;
    mkdir -p /usr/local/nginx/conf/ssl/cloudflare/$vhostname ;
    cd /usr/local/nginx/conf/ssl/cloudflare/$vhostname ;
    wget https://support.cloudflare.com/hc/en-us/article_attachments/201243967/origin-pull-ca.pem -O origin.crt ;
    echo -e "ssl_client_certificate /usr/local/nginx/conf/ssl/cloudflare/$vhostname/origin.crt;\nssl_verify_client on;" ;
     
  11. eva2000 (Administrator)
    The Cloudflare authenticated origin pull cert is only downloaded when you run the nginx vhost creation routines and not at initial install time. So you were running centmin.sh menu option 2, 22 or the nv command for Let's Encrypt SSL and the origin pull cert wasn't created? If that is the case I need your nginx vhost creation logs.

    When you created the nginx vhost via centmin.sh menu option 2, 22, the nv command or acmetool.sh, you would have automatically created nginx_addvhost and nginx_addvhost-remove-cmds logs in /root/centminlogs. You can find those logs via an ls command listing the logs in reverse time order, filtered by the nginx_addvhost filename, using the command below
    Code (Text):
    ls -lahrt /root/centminlogs/ | grep addvhost
    

    example
    Code (Text):
    ls -lahrt /root/centminlogs/ | grep addvhost
    -rw-r--r--.  1 root root 1.1K May 18 14:09 centminmod_1.2.3-eva2000.09.005_180517-140925_nginx_addvhost-remove-cmds-domain.com.log
    -rw-r--r--.  1 root root 4.4K May 18 14:09 centminmod_1.2.3-eva2000.09.005_180517-140925_nginx_addvhost.log
    

    Post to pastebin.com or gist.github.com the contents of the relevant domain.com logs: the nginx_addvhost and nginx_addvhost-remove-cmds log files.

    For example, in SSH use cat to output the contents of /root/centminlogs/centminmod_1.2.3-eva2000.09.005_180517-140925_nginx_addvhost.log. Clear your SSH client window/buffer so the only output is the contents of the file
    Code (Text):
    cat /root/centminlogs/centminmod_1.2.3-eva2000.09.005_180517-140925_nginx_addvhost.log
    

    Then copy and paste into a Pastebin.com or Gists entry. If your SSH window scroll buffer isn't large enough to hold the whole contents of the install log, you can download the file manually and copy and paste the contents.
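
Both of the log-sharing procedures above (the menu option 22 wordpress_addvhost log and the nginx_addvhost logs) end with the same instruction: mask ftp and WordPress credentials, the domain and the server IP before the paste goes public. What follows is an added example of doing that mechanically rather than by eye; it is not Centmin Mod's own code. The site domain becomes domain.com and IPv4 addresses become 111.222.333.444 as suggested above; two assumptions of mine are that IPv6 addresses become 1111:2222::3333 (the thread only gives an IPv4 dummy) and that credentials appear as `user:`/`login:`/`password:`/`password=` style key-value pairs, so the sample log lines below are constructed in that style, not copied from a real centminmod log. Real addresses are recognised with the ipaddress module, so timestamps like 16:04:13 are left alone.

```python
"""Sanitise a Centmin Mod /root/centminlogs file before pasting it publicly.

Added example, not Centmin Mod's own code. The sample log, its domain,
addresses and credentials are all constructed for this example."""
import ipaddress
import re

DOMAIN_DUMMY = 'domain.com'
IPV4_DUMMY = '111.222.333.444'
IPV6_DUMMY = '1111:2222::3333'   # assumption: thread gives no IPv6 dummy
CRED_DUMMY = '***'

IPV4_RE = re.compile(r'\b(?:\d{1,3}\.){3}\d{1,3}\b')
# Candidate runs of hex digits and colons; ipaddress decides which ones are
# real IPv6 addresses, so 16:04:13 style timestamps are not touched.
IPV6_CAND_RE = re.compile(r'[0-9a-fA-F:]*:[0-9a-fA-F:]+')
# Assumed credential formats: "<key>: value" or "<key>=value".
CRED_RE = re.compile(
    r'(?i)\b(user(?:name)?|login|pass(?:word|wd)?|pwd|secret|token)\b\s*[:=]\s*(\S+)')

# Constructed sample in the style of the acmetool output quoted in this
# thread, with made-up domain, addresses and credentials.
SAMPLE_LOG = """\
-----------------------------------------------------------
issue & install letsencrypt ssl certificate for webshop-example.net
-----------------------------------------------------------
[Sun Mar 31 16:04:13 UTC 2019] webshop-example.net:Verify error:Invalid response from https://webshop-example.net/.well-known/acme-challenge/abc [2606:4700:30::681c:1e94]:
Resolving support.cloudflare.com... 104.16.51.111, 104.16.52.111
pure-ftpd virtual user created: username: ftpuser1 password: Qx9!tEmporary
wp-admin login: admin_wp password=S3cretWp
"""


def sanitize_log(text, site_domain):
    """Return (sanitised_text, counts). counts says how many domain, ipv4,
    ipv6 and credential values were masked, so you can confirm something was
    actually redacted and that the error you need help with is still there."""
    counts = {'domain': 0, 'ipv4': 0, 'ipv6': 0, 'credential': 0}

    def mask_v4(m):
        try:
            ipaddress.IPv4Address(m.group(0))
        except ValueError:
            return m.group(0)
        counts['ipv4'] += 1
        return IPV4_DUMMY

    def mask_v6(m):
        try:
            ipaddress.IPv6Address(m.group(0))
        except ValueError:
            return m.group(0)      # e.g. a timestamp, not an address
        counts['ipv6'] += 1
        return IPV6_DUMMY

    def mask_cred(m):
        counts['credential'] += 1
        # keep "key: " / "key=" prefix, blank only the value
        return m.group(0)[:m.start(2) - m.start(0)] + CRED_DUMMY

    out = []
    for line in text.splitlines():
        line, n = re.subn(re.escape(site_domain), DOMAIN_DUMMY, line, flags=re.I)
        counts['domain'] += n
        line = IPV4_RE.sub(mask_v4, line)
        line = IPV6_CAND_RE.sub(mask_v6, line)
        line = CRED_RE.sub(mask_cred, line)
        out.append(line)
    return '\n'.join(out) + '\n', counts


if __name__ == '__main__':
    import sys
    # usage: python sanitize_log.py yourdomain.com < /root/centminlogs/<log>
    if len(sys.argv) == 2:
        clean, counts = sanitize_log(sys.stdin.read(), sys.argv[1])
    else:
        clean, counts = sanitize_log(SAMPLE_LOG, 'webshop-example.net')
    sys.stdout.write(clean)
    sys.stderr.write(f'masked: {counts}\n')
```

Review the output once before pasting: the key list is a guess at what a log calls its secrets, so a credential printed under a key the regex does not know would pass through untouched.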
     
  12. eva2000 (Administrator)
    Oh, were these domains previously added to the server via centmin.sh menu option 2, 22 or the nv command but removed later manually?
     
  13. Kuro
    No, I deployed a completely new Centminmod server via centmin.sh three times.
    I did it like you.
    Code:
    # create initial persistent config file to override centmin.sh defaults
    # https://centminmod.com/upgrade.html#persistent
    mkdir -p /etc/centminmod
    touch /etc/centminmod/custom_config.inc
    
    # enable zstd compressed logrotation for nginx & php-fpm https://community.centminmod.com/threads/16374/
    echo "ZSTD_LOGROTATE_NGINX='y'" >> /etc/centminmod/custom_config.inc
    echo "ZSTD_LOGROTATE_PHPFPM='y'" >> /etc/centminmod/custom_config.inc
    
    # enable nginx zero downtime on the fly nginx binary upgrades https://community.centminmod.com/threads/8000/
    #echo "NGINX_ZERODT='y'" >> /etc/centminmod/custom_config.inc
    
    # enable brotli compression https://community.centminmod.com/threads/10688/
    echo "NGINX_LIBBROTLI='y'" >> /etc/centminmod/custom_config.inc
    echo "NGXDYNAMIC_BROTLI='y'" >> /etc/centminmod/custom_config.inc
    
    # boost PHP 7 performance by enabling Profile Guided Optimisation flag
    # https://centminmod.com/perf/
    echo "PHP_PGO='y'" >> /etc/centminmod/custom_config.inc
    
    # mariadb 10.3 default install for private test server testing
    echo "MARIADB_INSTALLTENTHREE='y'" >> /etc/centminmod/custom_config.inc
    
    # php compression extensions https://community.centminmod.com/posts/70777/
    echo "PHP_BROTLI='y'" >> /etc/centminmod/custom_config.inc
    echo "PHP_LZFOUR='y'" >> /etc/centminmod/custom_config.inc
    echo "PHP_LZF='y'" >> /etc/centminmod/custom_config.inc
    echo "PHP_ZSTD='y'" >> /etc/centminmod/custom_config.inc
    
    # install centmin mod latest beta with php-fpm 7.3 default
    # https://community.centminmod.com/threads/centmin-mod-09-beta-branch-testing.4128/
    yum -y update; curl -O https://centminmod.com/betainstaller73.sh && chmod 0700 betainstaller73.sh && bash betainstaller73.sh
    
    # enable letsencrypt ssl certificate + dual RSA+ECDSA ssl certs https://centminmod.com/acmetool/
    echo "LETSENCRYPT_DETECT='y'" >> /etc/centminmod/custom_config.inc
    echo "DUALCERTS='y'" >> /etc/centminmod/custom_config.inc
    And after that I ran menu option 2 (self-signed certificate = no, LETSENCRYPT = yes).
     
    Last edited: Apr 1, 2019
  14. eva2000 (Administrator)

  15. Kuro

  16. eva2000 (Administrator)
    The log shows origin.crt saved correctly though
    Code (Text):
    --2019-03-31 15:59:33--  https://support.cloudflare.com/hc/en-us/article_attachments/201243967/origin-pull-ca.pem
    Resolving support.cloudflare.com... 104.16.51.111, 104.16.52.111, 104.16.53.111, ...
    Connecting to support.cloudflare.com|104.16.51.111|:443... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 2151 (2.1K) [application/x-x509-ca-cert]
    Saving to: ‘origin.crt’
    
        0K ..                                                    100% 6.56M=0s
    
    2019-03-31 15:59:34 (6.56 MB/s) - ‘origin.crt’ saved [2151/2151]
    

    though the Let's Encrypt domain verification failed
    Code (Text):
    [Sun Mar 31 16:04:13 UTC 2019] domain.com:Verify error:Invalid response from https://domain.com/.well-known/acme-challenge/OTlZ4I37Btit72LpRYwrvsa7VU7eoPUbM7HfEFSa5P0 [2606:4700:30::681c:1e94]:
    [Sun Mar 31 16:04:13 UTC 2019] Please check log file for more details: /root/centminlogs/acmetool.sh-debug-log-310319-160302.log
    

    Code (Text):
    -----------------------------------------------------------
    issue & install letsencrypt ssl certificate for domain.com
    -----------------------------------------------------------
    testcert value = lived
    /root/.acme.sh/acme.sh --issue -d domain.com -d www.domain.com --days 60 -w /home/nginx/domains/domain.com/public -k ec-256 --useragent centminmod-centos7-acmesh-webroot --log /root/centminlogs/acmetool.sh-debug-log-310319-160302.log --log-level 2
    [Sun Mar 31 16:04:03 UTC 2019] Registering account
    [Sun Mar 31 16:04:05 UTC 2019] Registered
    [Sun Mar 31 16:04:05 UTC 2019] ACCOUNT_THUMBPRINT='57J7ewXARH4Z24KFlHz4WJXVG99eMsR-HyVo1H1s1Ik'
    [Sun Mar 31 16:04:05 UTC 2019] Creating domain key
    [Sun Mar 31 16:04:05 UTC 2019] The domain key is here: /root/.acme.sh/domain.com_ecc/domain.com.key
    [Sun Mar 31 16:04:05 UTC 2019] Multi domain='DNS:domain.com,DNS:www.domain.com'
    [Sun Mar 31 16:04:06 UTC 2019] Getting domain auth token for each domain
    [Sun Mar 31 16:04:10 UTC 2019] Getting webroot for domain='domain.com'
    [Sun Mar 31 16:04:10 UTC 2019] Getting webroot for domain='www.domain.com'
    [Sun Mar 31 16:04:10 UTC 2019] Verifying: domain.com
    [Sun Mar 31 16:04:13 UTC 2019] domain.com:Verify error:Invalid response from https://domain.com/.well-known/acme-challenge/OTlZ4I37Btit72LpRYwrvsa7VU7eoPUbM7HfEFSa5P0 [2606:4700:30::681c:1e94]:
    [Sun Mar 31 16:04:13 UTC 2019] Please check log file for more details: /root/centminlogs/acmetool.sh-debug-log-310319-160302.log
    LECHECK = 1
    
    log files saved at /root/centminlogs
    -rw-r--r-- 1 root root  52K Mar 31 16:04 acmetool.sh-debug-log-310319-160302.log
    -rw-r--r-- 1 root root 5.0K Mar 31 16:04 acmesh-issue_310319-160302.log
    

    Ensure that, if you enable IPv6, you have DNS A and AAAA records for your IPv4 and IPv6 IPs and your nginx vhost has IPv6 configured. If the nginx vhost doesn't have IPv6 configured, just remove the DNS AAAA IPv6 record so Let's Encrypt verifies the domain over IPv4 only.
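
The rule in the post above (an AAAA record only when the host has a routable IPv6 address and the vhost listens on it; otherwise drop the AAAA record so validation uses IPv4) can be checked before running acmetool.sh again. The block below is an added example, not Centmin Mod's own code. It reads the `inet6` lines from `ifconfig -a` or `ip -6 addr` output, keeps only global-scope addresses (the `scopeid 0x0<global>` line that the later ifconfig output in this thread is missing), and compares them with the AAAA answer for the domain. Two assumptions: the interface samples are constructed, and 2606:4700::/32 is used to recognise an AAAA that points at Cloudflare's edge rather than at the origin (the full list is at https://www.cloudflare.com/ips-v6); the address in the acme.sh error above falls in that range, which is why that case is reported separately instead of as a DNS mistake.

```python
"""Will Let's Encrypt HTTP-01 validation go over IPv6, and can this host
answer it? Added example, not Centmin Mod's own code; interface samples are
constructed and the Cloudflare range is an assumption to verify against
https://www.cloudflare.com/ips-v6."""
import ipaddress
import re

INET6_RE = re.compile(r'^\s*inet6\s+([0-9a-fA-F:]+)', re.M)
CLOUDFLARE_V6 = ipaddress.ip_network('2606:4700::/32')   # assumption, see lead-in

# Constructed: host with only link-local and loopback IPv6 (no global scope).
IFCONFIG_NO_GLOBAL = """\
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.0.2.10  netmask 255.255.255.0  broadcast 192.0.2.255
        inet6 fe80::6ef0:49ff:fe1a:b2e  prefixlen 64  scopeid 0x20<link>
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
"""
# Constructed: the same host with a routable IPv6 address added.
IFCONFIG_GLOBAL = IFCONFIG_NO_GLOBAL.replace(
    '        inet6 fe80::',
    '        inet6 2400:6180:0:d1::6b8:5001  prefixlen 64  scopeid 0x0<global>\n'
    '        inet6 fe80::')


def global_ipv6_addresses(iface_output):
    """Routable IPv6 addresses on the host. Link-local (fe80::/10), loopback
    and ULA are unreachable from the validator and are skipped."""
    addrs = []
    for m in INET6_RE.finditer(iface_output):
        try:
            a = ipaddress.IPv6Address(m.group(1))
        except ValueError:
            continue
        if a.is_global:
            addrs.append(a)
    return addrs


def assess(iface_output, aaaa_records, vhost_listens_ipv6):
    """Return (verdict, reasons). aaaa_records is the answer to
    `dig AAAA domain.com +short`; vhost_listens_ipv6 is whether the nginx
    vhost has a `listen [::]:443 ssl` line."""
    aaaa = [ipaddress.IPv6Address(r) for r in aaaa_records]
    host = global_ipv6_addresses(iface_output)
    if not aaaa:
        return 'ok', ['no AAAA record, so validation can only use IPv4']
    if all(a in CLOUDFLARE_V6 for a in aaaa):
        return 'proxied', ['AAAA answers are Cloudflare edge addresses: the validator '
                           'reaches Cloudflare over IPv6 and Cloudflare fetches the '
                           'challenge from the origin itself, so origin IPv6 is not '
                           'what decides this; check the challenge path through the proxy']
    if not host:
        return 'remove-aaaa', [f'AAAA record(s) {[str(a) for a in aaaa]} published but '
                               'the host has no global IPv6 address: remove the AAAA '
                               'record so validation falls back to IPv4']
    if not vhost_listens_ipv6:
        return 'fix-vhost', ['host has IPv6 but the nginx vhost does not listen on '
                             '[::]:443; add the IPv6 listen or remove the AAAA record']
    stray = [str(a) for a in aaaa if a not in host]
    if stray:
        return 'fix-dns', [f'AAAA {stray} is not configured on this host']
    return 'ok', ['AAAA matches a host address and the vhost listens on IPv6']


if __name__ == '__main__':
    for label, ifc, aaaa, v6 in [
            ('link-local only, Cloudflare AAAA', IFCONFIG_NO_GLOBAL,
             ['2606:4700:30::681c:1e94'], False),
            ('link-local only, own AAAA', IFCONFIG_NO_GLOBAL, ['2001:db8::10'], False),
            ('global v6, vhost IPv4 only', IFCONFIG_GLOBAL,
             ['2400:6180:0:d1::6b8:5001'], False)]:
        verdict, reasons = assess(ifc, aaaa, v6)
        print(f'{label}: {verdict} - {reasons[0]}')
```

On a live box, feed it `subprocess.run(['ip', '-6', 'addr'], capture_output=True, text=True).stdout` and the `dig AAAA` answer; the 'proxied' verdict is informational only, since the origin's own IPv6 does not take part in a proxied validation.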
     
  17. Kuro
    I do not use IPv6.
    [image attachment: upload_2019-4-1_10-7-17.png]
     
  18. eva2000 (Administrator)
    But Cloudflare does use IPv6; if your server doesn't use IPv6, then you may need to enable Pseudo IPv4 in the Cloudflare network settings.

    [image attachment: cf-pseudo-ipv4.png]
     
  19. Kuro
    It seems to be turned on?
    (My server)
    Code:
    [02:12][root@D-145 ~]# cat /etc/sysctl.conf | grep ipv6
    net.ipv6.conf.all.disable_ipv6 = 0
    net.ipv6.conf.default.disable_ipv6 = 0
    [02:13][root@D-145 ~]# ifconfig -a | grep inet6
            inet6 fe80::6ef0:49ff:fe1a:b2e  prefixlen 64  scopeid 0x20<link>
            inet6 ::1  prefixlen 128  scopeid 0x10<host>
    scopeid 0x0<global> is missing.
    For example (DigitalOcean):
    Code:
     inet6 fe80::7818:5aff:fe41:d25f  prefixlen 64  scopeid 0x20<link>
            inet6 2400:6180:0:d1::6b8:5001  prefixlen 64  scopeid 0x0<global>
            inet6 ::1  prefixlen 128  scopeid 0x10<host>
    
     
    Last edited: Apr 1, 2019
  20. eva2000 (Administrator)
    Verify whether IPv6 is working using ping6
    Code (Text):
    ping6 -c4 www.google.com

    Code (Text):
    ping6 -c4 www.google.com
    PING www.google.com(sea15s12-in-x04.1e100.net (2607:f8b0:400a:809::2004)) 56 data bytes
    64 bytes from sea15s12-in-x04.1e100.net (2607:f8b0:400a:809::2004): icmp_seq=1 ttl=57 time=0.501 ms
    64 bytes from sea15s12-in-x04.1e100.net (2607:f8b0:400a:809::2004): icmp_seq=2 ttl=57 time=0.498 ms
    64 bytes from sea15s12-in-x04.1e100.net (2607:f8b0:400a:809::2004): icmp_seq=3 ttl=57 time=0.533 ms
    64 bytes from sea15s12-in-x04.1e100.net (2607:f8b0:400a:809::2004): icmp_seq=4 ttl=57 time=0.523 ms
    
    --- www.google.com ping statistics ---
    4 packets transmitted, 4 received, 0% packet loss, time 3002ms
    rtt min/avg/max/mdev = 0.498/0.513/0.533/0.031 ms