
Letsencrypt failed letsencrypt SSL certificate issuance

Discussion in 'Domains, DNS, Email & SSL Certificates' started by urekmazino, Nov 30, 2020.

  1. urekmazino

    urekmazino New Member

    8
    0
    1
    Nov 18, 2020
    Ratings:
    +0
    Local Time:
    4:23 AM
    My website is not responding.
    I found this error related to Let's Encrypt; I found these logs in the Centmin logs:
    Code (Text):
    [Sat Nov 28 23:44:02 UTC 2020] _ACME_SERVER_HOST='acme-v02.api.letsencrypt.org'
    [Sat Nov 28 23:44:02 UTC 2020] DOMAIN_PATH='/root/.acme.sh/cdst3str.xyz'
    [Sat Nov 28 23:44:02 UTC 2020] Renew: 'cdst3str.xyz'
    [Sat Nov 28 23:44:02 UTC 2020] Le_API='https://acme-v02.api.letsencrypt.org/directory'
    [Sat Nov 28 23:44:02 UTC 2020] Using config home:/root/.acme.sh
    [Sat Nov 28 23:44:02 UTC 2020] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
    [Sat Nov 28 23:44:02 UTC 2020] _ACME_SERVER_HOST='acme-v02.api.letsencrypt.org'
    [Sat Nov 28 23:44:02 UTC 2020] Skip invalid cert for: cdst3str.xyz
    [Sat Nov 28 23:44:02 UTC 2020] Return code: 2
    [Sat Nov 28 23:44:02 UTC 2020] Skipped cdst3str.xyz
    [Sat Nov 28 23:44:02 UTC 2020] _error_level='3'
    [Sat Nov 28 23:44:02 UTC 2020] _set_level='2'
    [Sat Nov 28 23:44:02 UTC 2020] ===End cron===
    [Sun Nov 29 23:44:02 UTC 2020] LE_WORKING_DIR='/root/.acme.sh'
    [Sun Nov 29 23:44:02 UTC 2020] Running cmd: cron
    [Sun Nov 29 23:44:02 UTC 2020] Using config home:/root/.acme.sh
    [Sun Nov 29 23:44:02 UTC 2020] default_acme_server
    [Sun Nov 29 23:44:02 UTC 2020] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
    [Sun Nov 29 23:44:02 UTC 2020] _ACME_SERVER_HOST='acme-v02.api.letsencrypt.org'
    [Sun Nov 29 23:44:02 UTC 2020] ===Starting cron===
    [Sun Nov 29 23:44:02 UTC 2020] Using config home:/root/.acme.sh
    [Sun Nov 29 23:44:02 UTC 2020] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
    [Sun Nov 29 23:44:02 UTC 2020] _ACME_SERVER_HOST='acme-v02.api.letsencrypt.org'
    [Sun Nov 29 23:44:02 UTC 2020] _stopRenewOnError
    [Sun Nov 29 23:44:02 UTC 2020] _set_level='2'
    [Sun Nov 29 23:44:02 UTC 2020] di='/root/.acme.sh/cdst3str.xyz/'
    [Sun Nov 29 23:44:03 UTC 2020] d='cdst3str.xyz'
    [Sun Nov 29 23:44:03 UTC 2020] Using config home:/root/.acme.sh
    [Sun Nov 29 23:44:03 UTC 2020] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
    [Sun Nov 29 23:44:03 UTC 2020] _ACME_SERVER_HOST='acme-v02.api.letsencrypt.org'
    [Sun Nov 29 23:44:03 UTC 2020] DOMAIN_PATH='/root/.acme.sh/cdst3str.xyz'
    [Sun Nov 29 23:44:03 UTC 2020] Renew: 'cdst3str.xyz'
    [Sun Nov 29 23:44:03 UTC 2020] Le_API='https://acme-v02.api.letsencrypt.org/directory'
    [Sun Nov 29 23:44:03 UTC 2020] Using config home:/root/.acme.sh
    [Sun Nov 29 23:44:03 UTC 2020] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
    [Sun Nov 29 23:44:03 UTC 2020] _ACME_SERVER_HOST='acme-v02.api.letsencrypt.org'
    [Sun Nov 29 23:44:03 UTC 2020] Skip invalid cert for: cdst3str.xyz
    [Sun Nov 29 23:44:03 UTC 2020] Return code: 2
    [Sun Nov 29 23:44:03 UTC 2020] Skipped cdst3str.xyz
    [Sun Nov 29 23:44:03 UTC 2020] _error_level='3'
    [Sun Nov 29 23:44:03 UTC 2020] _set_level='2'
    [Sun Nov 29 23:44:03 UTC 2020] ===End cron===
    


     
  2. eva2000

    eva2000 Administrator Staff Member

    50,930
    11,809
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,268
    Local Time:
    1:23 PM
    Nginx 1.25.x
    MariaDB 10.x
    First try running your intended SSL certificate domain through the letsdebug.net online testing tool to check for potential errors with HTTP-01 validation. If you created a Centmin Mod 123.09beta01 or higher Nginx site with Letsencrypt via centmin.sh menu option 2, 22 or the nv command line, you now also have an automatic letsdebug.net API check log saved at /root/centminlogs/letsdebug-yourdomain.com-${DT}.log, where yourdomain.com is the domain specified during nginx vhost creation and DT is the date/timestamp. Inspecting the /root/centminlogs/letsdebug-yourdomain.com-${DT}.log log will also give you clues as to why letsencrypt SSL certificate issuance failed.

    How was the initial letsencrypt SSL certificate obtained? Which method?
    • Was the domain nginx vhost already created prior, or was the new domain nginx vhost site set up for the first time?
    • Via centmin.sh menu option 2, 22, or /usr/bin/nv?
    • If you ran centmin.sh menu option 2 or 22, which letsencrypt option did you select from
      Code (Text):
      -------------------------------------------------------------
      Setup full Nginx vhost + Wordpress + WP Plugins
      -------------------------------------------------------------
      
      Enter vhost domain name you want to add (without www. prefix): acme3.domain1.com
      
      Create a self-signed SSL certificate Nginx vhost? [y/n]: n
      Get Letsencrypt SSL certificate Nginx vhost? [y/n]: y
      
      You have 4 options:
      1. issue staging test cert with HTTP + HTTPS
      2. issue staging test cert with HTTPS default
      3. issue live cert with HTTP + HTTPS
      4. issue live cert with HTTPS default
      Enter option number 1-4: 1
      
    • Via addons/acmetool.sh? Which specific command? Examples:
      Code (Text):
      ./acmetool.sh issue acme.domain.com
      
      Code (Text):
      ./acmetool.sh issue acme.domain.com live
      
      Code (Text):
      ./acmetool.sh issue acme.domain.com d
      
      Code (Text):
      ./acmetool.sh issue acme.domain.com lived
      
    • What was the order of steps you did? Did you run centmin.sh menu option 2 first with letsencrypt? Then did you run addons/acmetool.sh afterwards?

    Centmin Mod Self-Signed SSL Fallback

    If you're seeing a Centmin Mod self-signed SSL certificate instead of a letsencrypt SSL certificate, that's acmetool.sh and centminmod's fallback: if letsencrypt verification fails to obtain a letsencrypt SSL cert, it falls back to the Centmin Mod self-signed SSL certificate on the https port 443 side so as to preserve the https nginx vhost.

    Troubleshooting

    There are various steps you can take to troubleshoot failed letsencrypt issuances, renewals, reissues etc.
    • acmetool.sh logs all command line or shell menu runs to log files at /root/centminlogs. To troubleshoot, copy the contents of the log run, post the contents of the log to pastebin.com or gist.github.com and share the link in this thread. To find the log, list the logs in ascending date order:
      Code (Text):
      ls -lahrt /root/centminlogs
    • For direct acmetool.sh runs, there should be 2nd, 3rd & 4th logs in the format /root/centminlogs/centminmod_${DT}_nginx_addvhost_nv.log, /root/centminlogs/acmetool.sh-debug-log-$DT.log and /root/centminlogs/acmesh-issue_*.log or /root/centminlogs/acmesh-reissue_*.log, which would need to be included via a separate pastebin.com or gist.github.com post.
    • Enable acmetool.sh debug mode. In the persistent config file at /etc/centminmod/custom_config.inc (create it if it doesn't exist), add and enable acmetool.sh debug mode, which gives much more verbose letsencrypt issuance process information when you re-run acmetool.sh or the centmin.sh menu options 2, 22 or /usr/bin/nv command lines.
      Code (Text):
      ACMEDEBUG='y'
    If acme.sh auto renewals didn't happen, check the output of the following commands:
    Code (Text):
    grep acme /var/log/cron* | sed -e "s|$(hostname -s)|host|g"
    

    Code (Text):
    echo y | /usr/local/src/centminmod/addons/acmetool.sh checkdates
    

    Code (Text):
    "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh"
    

    Code (Text):
    echo | openssl s_client -connect yourdomain.com:443
    

    Without the answers to the above questions and the logs, there is nothing to help troubleshoot.

    SSLLabs Test

    Also run your HTTPS domain site through the SSLLabs tester at SSL Server Test (Powered by Qualys SSL Labs). If it says untrusted SSL cert and prompts to continue the test, continue the test.
     
  3. eva2000

    eva2000 Administrator Staff Member

    Tried your domain and got:
    Code:
    ERROR
    cdst3str.xyz has an AAAA (IPv6) record (2606:4700:3035::6812:234e) but a test request to this address over port 80 did not succeed. Your web server must have at least one working IPv4 or IPv6 address. You should either ensure that validation requests to this domain succeed over IPv6, or remove its AAAA record.
    A timeout was experienced while communicating with cdst3str.xyz/2606:4700:3035::6812:234e: Get "https://cdst3str.xyz/.well-known/acme-challenge/letsdebug-test": context deadline exceeded
    
    Trace:
    @0ms: Making a request to http://cdst3str.xyz/.well-known/acme-challenge/letsdebug-test (using initial IP 2606:4700:3035::6812:234e)
    @0ms: Dialing 2606:4700:3035::6812:234e
    @1830ms: Server response: HTTP 302 Moved Temporarily
    @1830ms: Received redirect to https://cdst3str.xyz/.well-known/acme-challenge/letsdebug-test
    @1830ms: Dialing 2606:4700:3035::6812:234e
    @10000ms: Experienced error: context deadline exceeded
    So make sure your domain's DNS A records for the domain and the www version are pointing to the Centmin Mod server's public IP address.

    and
    The last message says the CF SSL cert is not provisioned yet. Is this a new domain signed up and just activated by CF? If so, see the SSL FAQ. Particularly =
     
  5. urekmazino

    urekmazino New Member

    It's been 20 days using it; this is the first time I get this error.
     
  6. eva2000

    eva2000 Administrator Staff Member

    You can test in SSH via curl to check headers for location field (where the redirect goes) using the following commands:
    Code (Text):
    curl -Ik http://domain.com
    

    Code (Text):
    curl -Ik http://www.domain.com
    

    Code (Text):
    curl -Ik https://domain.com
    

    Code (Text):
    curl -Ik https://www.domain.com
    
     
  7. eva2000

    eva2000 Administrator Staff Member

    Has the domain previously had a working letsencrypt-issued SSL cert on the same server? If so, also try a manual letsencrypt SSL cert renewal via the command
    Code (Text):
    "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh"
    
     
  8. eva2000

    eva2000 Administrator Staff Member

    Test result for cdst3str.xyz: Warning now shows different message

    So make sure Cloudflare is not using Flexible SSL but Full SSL.

    Then restart the manual renewal cron run:
    Code (Text):
    "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh"
    
     
  9. eva2000

    eva2000 Administrator Staff Member

    I also see at Test result for cdst3str.xyz: Warning a 403 permission denied on the verification URL check and a 404 on the URL itself.

    Make sure your nginx vhost config file has the staticfiles.conf include file and that it wasn't removed.

    When you create a new nginx vhost domain via centmin.sh menu option 2 or menu option 22 or via the /usr/bin/nv cli command line, you will create the Nginx vhost files and directories. You will get outputted the path location where it will create the domain name's vhost conf file named newdomain.com.conf (and newdomain.com.ssl.conf if you selected yes to self-signed SSL):
    • Nginx vhost conf path will be at /usr/local/nginx/conf/conf.d/newdomain.com.conf
    • Nginx HTTP/2 SSL vhost conf path will be at /usr/local/nginx/conf/conf.d/newdomain.com.ssl.conf
    • Nginx Self-Signed SSL Certificate Directory at /usr/local/nginx/conf/ssl/newdomain.com
    • Vhost public web root will be at /home/nginx/domains/newdomain.com/public
    • Vhost log directory will be at /home/nginx/domains/newdomain.com/log
    Please post the contents of /usr/local/nginx/conf/conf.d/newdomain.com.conf and, if applicable, /usr/local/nginx/conf/conf.d/newdomain.com.ssl.conf wrapped in CODE tags (outlined at How to use forum BBCODE code tags).
     
  10. urekmazino

    urekmazino New Member

    I'm getting this error, and yes, I'm setting it on Full.
    Code (Text):
    [Mon Nov 30 07:08:46 UTC 2020] ===Starting cron===
    [Mon Nov 30 07:08:46 UTC 2020] Renew: 'cdst3str.xyz'
    [Mon Nov 30 07:08:46 UTC 2020] Skip invalid cert for: cdst3str.xyz
    [Mon Nov 30 07:08:46 UTC 2020] Skipped cdst3str.xyz
    [Mon Nov 30 07:08:46 UTC 2020] Renew: 'insidepromod.com'
    [Mon Nov 30 07:08:46 UTC 2020] Skip invalid cert for: insidepromod.com
    [Mon Nov 30 07:08:46 UTC 2020] Skipped insidepromod.com
    [Mon Nov 30 07:08:46 UTC 2020] ===End cron===
     
  11. eva2000

    eva2000 Administrator Staff Member

    Also, it could be that Letsencrypt is following your domain's non-https domain's 301/302 redirect to the https based domain to validate the domain, but the https based domain's SSL certificate is expired or invalid.

    What you can do is sort of partial manual steps from Migrating Existing Nginx Vhost From HTTP to HTTP/2 based HTTPS With Letsencrypt SSL Certificates in that you temporarily disable your /usr/local/nginx/conf/conf.d/domain.com.ssl.conf nginx vhost and recreate the non-https nginx vhost /usr/local/nginx/conf/conf.d/domain.com.conf using the official Nginx vhost generator at Generate Centmin Mod Nginx Vhost - CentminMod.com LEMP Nginx web stack for CentOS (which is step 1 of guide at Migrating Existing Nginx Vhost From HTTP to HTTP/2 based HTTPS With Letsencrypt SSL Certificates).

    Then follow manual steps 2, 3, 4, 5 and 6 of guide at Migrating Existing Nginx Vhost From HTTP to HTTP/2 based HTTPS With Letsencrypt SSL Certificates where step 6 you can re-enable your https /usr/local/nginx/conf/conf.d/domain.com.ssl.conf nginx vhost and disable your non-https nginx vhost /usr/local/nginx/conf/conf.d/domain.com.conf again.

    Then you can test your domain at Let's Debug to ensure future renewals work.
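    As an added example (not from this thread, and not Centmin Mod or acme.sh code), the following Python script probes the HTTP-01 challenge path the way letsdebug and the ACME server do: it fetches the plain-HTTP challenge URL, follows each redirect one hop at a time so the Location header stays visible, verifies TLS on any HTTPS hop, and maps the final hop to the failure modes raised in this thread (unreachable address, 403 on the challenge path, redirect to HTTPS with a certificate that fails verification). It resolves the hostname through the system resolver, so it does not separate IPv4 from IPv6 the way letsdebug's AAAA check does; the classify() step works on a recorded trace, so it can be checked offline.

```python
import ssl
import urllib.error
import urllib.request
from urllib.parse import urljoin

# letsdebug probes this non-existent token; a 404 for it still proves the path is served
CHALLENGE_PATH = "/.well-known/acme-challenge/letsdebug-test"
MAX_HOPS = 5


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Hand 3xx responses back to the caller instead of following them."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(domain, timeout=10):
    """Walk the redirect chain from the plain-HTTP challenge URL, one hop at a time.
    Each hop is (url, status, location); status is an HTTP code or "tls_error"/"unreachable"."""
    opener = urllib.request.build_opener(NoRedirect)  # default SSL context verifies certs
    url, hops = f"http://{domain}{CHALLENGE_PATH}", []
    for _ in range(MAX_HOPS):
        try:
            with opener.open(url, timeout=timeout) as resp:
                status, location = resp.status, resp.headers.get("Location")
        except urllib.error.HTTPError as e:  # 3xx/4xx/5xx land here
            status, location = e.code, e.headers.get("Location")
        except urllib.error.URLError as e:   # timeout, refused, DNS failure, or bad certificate
            bad_tls = isinstance(e.reason, ssl.SSLCertVerificationError)
            status, location = ("tls_error" if bad_tls else "unreachable"), None
        hops.append((url, status, location))
        if not (isinstance(status, int) and 300 <= status < 400 and location):
            break
        url = urljoin(url, location)
    return hops


def classify(hops):
    """Map a recorded trace to the failure modes discussed in this thread."""
    _, status, _ = hops[-1]
    if status == "unreachable":
        return "unreachable: no answer on this address (check the A/AAAA records point at the origin)"
    if status == "tls_error":
        return "redirected to HTTPS whose certificate fails verification (ACME follows the redirect)"
    if status in (401, 403):
        return "challenge path denied: check the vhost still includes staticfiles.conf"
    if isinstance(status, int) and 300 <= status < 400:
        return "redirect chain longer than MAX_HOPS"
    if status in (200, 404):
        return "ok: challenge path reachable (404 for the probe token is expected)"
    return f"unexpected status {status}"
```

Run `probe("yourdomain.com")` from a shell on any host, then pass the returned trace to `classify()`; the per-hop tuples show exactly where the ACME validator's request would have stopped.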
     
  12. urekmazino

    urekmazino New Member

    OK, I will try that, thanks so much.
     
  13. urekmazino

    urekmazino New Member

    Hi, my problem didn't get solved.
    I used the command
    Code (Text):
    "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh"

    Output:
    Code (Text):
    ===Starting cron===
    [Mon Nov 30 08:39:06 UTC 2020] Renew: 'cdst3str.xyz'
    [Mon Nov 30 08:39:06 UTC 2020] Skip invalid cert for: cdst3str.xyz
    [Mon Nov 30 08:39:06 UTC 2020] Skipped cdst3str.xyz
     
  15. Kintaro

    Kintaro Member

    104
    11
    18
    Dec 2, 2016
    Italy
    Ratings:
    +30
    Local Time:
    4:23 AM
    1.15.x
    MariaDB 10
    In my case this fixed it.
    Some months ago I commented out the static files directive to get a Nextcloud instance working for testing, and then I forgot about it.