
Letsencrypt Fresh install and SSL_ERROR_UNRECOGNIZED_NAME_ALERT issue

Discussion in 'Domains, DNS, Email & SSL Certificates' started by jellday, Dec 25, 2024.

  1. jellday

    jellday Member

    • CentOS Version: Rocky Linux 8
    • Centmin Mod Version Installed: 131.00stable
    • Nginx Version Installed: 1.27.2 ?
    • PHP Version Installed: 7.4.33
    • MariaDB MySQL Version Installed: 10.4.xx
    • When was last time updated Centmin Mod code base ? : Dec 24th,2024
    • Persistent Config: Do you have any persistent config file options set in /etc/centminmod/custom_config.inc ? You can check via this command:
      Code (Text):
      cat /etc/centminmod/custom_config.inc
      [*]LETSENCRYPT_DETECT='y'
      DUALCERTS='y'
      SELFSIGNEDSSL_ECDSA='y'
      PHPFINFO='y'
      PHP_OVERWRITECONF='n'
      PYTHON_INSTALL_ALTERNATIVES='y'
      

    I just added a new domain, and everything seemed fine until I visited www.mydomain.com, and got these errors using Firefox v133.0.3:


    Secure Connection Failed
    An error occurred during a connection to www.mydomain.com. SSL peer has no certificate for the requested DNS name.

    Error code: SSL_ERROR_UNRECOGNIZED_NAME_ALERT

    • The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
    • Please contact the website owners to inform them of this problem.
    Learn more…

    But when I visit mydomain.com (without 'www'), the page works properly. Is there anything I might have missed?
     
    Last edited: Dec 25, 2024
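    The Firefox message quoted above says the server answered the SNI name www.mydomain.com with a TLS unrecognized_name alert, i.e. it had no certificate covering that name, while the apex worked. The following is an added example, not code from this thread or from Centmin Mod/acmetool.sh: a small pure function that decides whether a certificate's SAN dNSName entries cover a requested hostname (RFC 6125-style, one leftmost-label wildcard only), plus a network probe that repeats the handshake with a chosen SNI so the alert can be reproduced from the command line. The hostnames in the demo are constructed; example.com is a placeholder.

```python
"""Added example, not from this thread or from Centmin Mod/acmetool.sh.

Firefox's "SSL peer has no certificate for the requested DNS name"
(SSL_ERROR_UNRECOGNIZED_NAME_ALERT) means the server answered the SNI name
with an unrecognized_name alert. Cloudflare's 526 under Full (strict) is the
related origin-side failure: the origin certificate is untrusted or does not
cover the name. Both come down to whether a certificate's SAN dNSNames cover
the requested hostname, which hostname_matches() decides; live_sni_check()
does the same probe over the network with a chosen SNI.
"""
import socket
import ssl


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Match one SAN dNSName entry against a hostname, RFC 6125 style.

    Comparison is case-insensitive. A wildcard is only honoured as the whole
    leftmost label, it must be followed by at least two more labels (so
    '*.com' is rejected), and it matches exactly one label: '*.example.com'
    covers 'www.example.com' but not 'example.com' or 'a.b.example.com'.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def covered_names(san_dns_names, hostnames):
    """Map each hostname to whether any SAN entry covers it."""
    return {h: any(hostname_matches(p, h) for p in san_dns_names) for h in hostnames}


def live_sni_check(host, server_name=None, port=443, timeout=5.0):
    """Handshake against host:port, sending server_name as SNI.

    Returns a (status, detail) pair:
      ('ok', san_tuple)       verified chain and name; detail is the SAN list
      ('verify_failed', msg)  chain untrusted or name mismatch (what Cloudflare
                              Full (strict) rejects with a 526)
      ('alert', reason)       peer aborted, e.g. 'TLSV1_UNRECOGNIZED_NAME'
      ('error', msg)          connection-level failure (DNS, timeout, refused)
    """
    server_name = server_name or host
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=server_name) as tls:
                return ("ok", tls.getpeercert().get("subjectAltName", ()))
    except ssl.SSLCertVerificationError as exc:
        return ("verify_failed", exc.verify_message or str(exc))
    except ssl.SSLError as exc:
        return ("alert", exc.reason or str(exc))
    except OSError as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    # Constructed SAN list for a certificate issued for the apex name only,
    # which is the www-vs-apex situation described in the post above.
    apex_only = ["example.com"]
    for name, ok in covered_names(apex_only, ["example.com", "www.example.com"]).items():
        print(f"{name}: {'covered' if ok else 'NOT covered -> unrecognized_name / 526'}")
```

    To reproduce the browser's view of a real host, call `live_sni_check("www.mydomain.com")` and compare it with `live_sni_check("mydomain.com")`; an `('alert', 'TLSV1_UNRECOGNIZED_NAME')` result for the www name is the CDN edge (not nginx) refusing the name, whereas `verify_failed` points at the certificate actually served.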
  2. jellday

    jellday Member

    I found the problem; it was caused by the Imperva CDN. I noticed that the script supports Cloudflare CDN with full SSL connections. In my case, if the domains are set up without the Cloudflare API and ID configured in the etc/centminmod/custom_config.inc file, what steps should I take to complete the setup?
     
  3. eva2000

    eva2000 Administrator Staff Member

    Are you using Cloudflare at all? Or just Imperva?

    If you use Cloudflare for the domain, then regardless of using Imperva, you optimally need to use the Cloudflare DNS API domain validation method so that Letsencrypt can properly validate your domain for SSL certificate issuance.

    But are you still using incorrect entry in persistent config file at
    /etc/centminmod/custom_config.inc
    for
    Code (Text):
    [*]LETSENCRYPT_DETECT='y'
    

    as that should be like below with removal of [*] part
    Code (Text):
    LETSENCRYPT_DETECT='y'
    

    If you created the Centmin Mod Nginx vhost with the incorrect persistent config file entry, then Letsencrypt support in Centmin Mod would have been disabled and you would not have gotten a Letsencrypt SSL certificate but fallen back to an untrusted self-signed SSL certificate for your domain, so if you had Cloudflare SSL mode set to Full Strict you would have issues; if you set Full non-strict you might get it to work for now. But if you have Imperva CDN in front of Cloudflare, then Imperva may have its own setting for when it encounters an SSL certificate error. If you disable Imperva and use Cloudflare only, what do you get?

    Correct your persistent config file entry for LETSENCRYPT_DETECT at
    /etc/centminmod/custom_config.inc to
    Code (Text):
    LETSENCRYPT_DETECT='y'
    

    so that Letsencrypt support is enabled in Centmin Mod

    Then try acmetool.sh add reissue-only option for existing nginx HTTPS SSL vhosts with domain.com.ssl.conf vhost config files that exist. This only does reissue of letsencrypt SSL cert without touching the nginx vhost. Ideal for use when you tried creating a Nginx HTTPS SSL default vhost site but letsencrypt SSL issuance failed the first time. When it fails, Centmin Mod usually falls back to self-signed SSL as a place holder for the domain.com.ssl.conf vhost config. When you run:
    Code (Text):
    cd /usr/local/src/centminmod/addons
    ./acmetool.sh reissue-only domain.com live
    

    It will only try reissuing the letsencrypt SSL certificate for the domain = domain.com for live production SSL certificate without touching any of the existing nginx vhost at domain.com.ssl.conf
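    Why the stray `[*]` in the persistent config file disables Letsencrypt support, as an added example (not part of Centmin Mod or of the post above): Centmin Mod sources /etc/centminmod/custom_config.inc as shell, and `[*]LETSENCRYPT_DETECT='y'` is parsed as a command named `[*]LETSENCRYPT_DETECT=y` rather than as an assignment, so the variable stays unset. The functions below take the file as an argument so they can be tried on a copy; the sample content in `demo` is constructed from the config quoted in this thread.

```sh
#!/bin/sh
# Added example, not part of Centmin Mod. It shows why a stray "[*]" in
# /etc/centminmod/custom_config.inc disables Letsencrypt detection: Centmin Mod
# sources that file as shell, and the line
#     [*]LETSENCRYPT_DETECT='y'
# is not an assignment but a command named "[*]LETSENCRYPT_DETECT=y", which
# fails, so LETSENCRYPT_DETECT stays unset and the vhost falls back to a
# self-signed certificate. The functions take the file as an argument so they
# can be run against a copy before touching the real file.

# Print VAR as a script that sources FILE would see it. Runs in a subshell so
# a bad line cannot touch the caller; the "command not found" noise from such
# a line is discarded.
effective_value() {
  file="$1"; var="$2"
  ( set +e; . "$file" 2>/dev/null; eval "printf '%s' \"\${$var}\"" )
  return 0
}

# List lines that are not blank, a comment, or a plain NAME='value' assignment.
# Exit status 0 means the file is clean, 1 means offending lines were printed.
lint_persistent_config() {
  if grep -n -v -E "^[[:space:]]*(#|$|[A-Za-z_][A-Za-z0-9_]*='[^']*'[[:space:]]*$)" "$1"; then
    return 1
  fi
  return 0
}

# Emit a corrected copy with a leading "[*]" stripped from assignment lines.
fix_persistent_config() {
  sed -E 's/^[[:space:]]*\[\*\]([A-Za-z_][A-Za-z0-9_]*=)/\1/' "$1"
}

# Demo on a constructed copy of the config quoted in this thread:
#   sh this_script.sh demo
demo() {
  tmp=$(mktemp)
  printf "%s\n" "[*]LETSENCRYPT_DETECT='y'" "DUALCERTS='y'" > "$tmp"
  echo "LETSENCRYPT_DETECT as sourced: '$(effective_value "$tmp" LETSENCRYPT_DETECT)'"
  echo "DUALCERTS as sourced:          '$(effective_value "$tmp" DUALCERTS)'"
  echo "offending lines:"; lint_persistent_config "$tmp" || true
  fix_persistent_config "$tmp" > "$tmp.fixed"
  echo "after fix: '$(effective_value "$tmp.fixed" LETSENCRYPT_DETECT)'"
  rm -f "$tmp" "$tmp.fixed"
}
if [ "${1-}" = "demo" ]; then demo; fi
```

    On a live server, `lint_persistent_config /etc/centminmod/custom_config.inc` is a quick check to run before creating a vhost; if it prints anything, review the corrected copy from `fix_persistent_config` before replacing the file, then use the `reissue-only` step above for any vhost that was created while the setting was silently unset.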
     
  4. jellday

    jellday Member

    Thank you for your detailed response. The previous issue was caused by Imperva, which I have now disabled.

    The incorrect persistent config file was likely due to a typing error; the extra [*] is not present in the current file.

    I now have a working SSL site. If I want to use Cloudflare, how should I perform domain DNS validation? Should I run
    ./acmetool.sh reissue-only domain.com live
    after adding the appropriate Cloudflare token and ID in the custom_config.inc file?

    Additionally, since the certificate has a 90-day validity, will the script handle automatic certificate renewal?
     
  5. jellday

    jellday Member

    How do I set up SSL for an existing vhost to work with both Cloudflare and non-CDN setups?

    I tried running:
    ./acmetool.sh issue mydomain.com lived
    but the verification failed (the vhost is currently behind Cloudflare).

    I have already configured the correct Cloudflare client ID and token, and the command:
    ./acmetool.sh check_cfapi
    passed successfully.

    What should I do to resolve this issue and complete the SSL setup?

    I asked ChatGPT, and it gave me the following:

    To set up SSL for an existing vhost that works both with Cloudflare (behind a CDN) and non-CDN setups, you need to ensure the correct configuration for DNS validation or HTTP validation. Here's a step-by-step guide based on your scenario:

    Step 1: Verify Cloudflare API Configuration
    You mentioned running ./acmetool.sh check_cfapi and it passed, which confirms that the Cloudflare API credentials are correct. This is crucial for DNS-based validation.

    Step 2: Ensure the vhost Configuration Matches Your Validation Method
    1. For DNS Validation (Recommended for Cloudflare setups):
      • Ensure your domain is set to "Proxied" (orange cloud) in Cloudflare DNS settings.
      • Use the following command to issue the SSL certificate:
      Code:
      ./acmetool.sh issue mydomain.com livedns
      
      • This uses DNS validation, leveraging your Cloudflare API to handle the TXT records automatically.
    2. For HTTP Validation (if you want a non-CDN setup or Cloudflare is "DNS-only"):
      • Temporarily disable "Proxied" mode (set it to "DNS-only," gray cloud) for your domain in Cloudflare.
      • Ensure your vhost serves HTTP requests properly for /.well-known/acme-challenge/ by adding the following block to your Nginx configuration:
      Code:
      location /.well-known/acme-challenge/ {
          root /usr/local/nginx/html;
      }
      
      • Reload Nginx, then run:
      Code:
      ./acmetool.sh issue mydomain.com live
      
      • After successful issuance, you can re-enable "Proxied" mode in Cloudflare.

    Step 3: Automatic Certificate Renewal
    The script should handle automatic renewal as long as the initial setup is correct:
      • DNS validation will use your Cloudflare API.
      • HTTP validation requires /.well-known/acme-challenge/ to be accessible.
    You can confirm this by checking the cron jobs (crontab -l) set up by Centmin Mod for SSL renewals.

    Step 4: Update Your vhost to Use SSL
    Once the certificate is issued, configure your Nginx vhost to use SSL. Below is an example:
    Code:
    server {
        listen 443 ssl http2;
        server_name mydomain.com www.mydomain.com;

        ssl_certificate /etc/letsencrypt/live/mydomain.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/mydomain.com/privkey.pem;

        root /path/to/your/website;
        index index.html index.php;

        location / {
            try_files $uri $uri/ =404;
        }
    }
    
    Reload Nginx.

    I am not sure if ChatGPT's answer is right?
     
  6. eva2000

    eva2000 Administrator Staff Member

    Both are outlined at Letsencrypt Free SSL Certificates Integration For Centmin Mod LEMP Stack for new Centmin Mod Nginx vhosts.

    For existing Centmin Mod Nginx vhosts it's as previously mentioned use reissue option for https://community.centminmod.com/th...tmin-mod-123-09beta01.8290/page-25#post-68788

    If they fail, then need to troubleshoot it https://community.centminmod.com/th...pt-ssl-certificate-issuance-or-renewal.17859/
     
  7. jellday

    jellday Member

    I see. I've checked those posts, and everything works well with the new vhost.

    However, my current failed domain is behind Cloudflare. When I tried to issue or reissue the certificate, it seems that acmetool.sh didn't generate a DNS TXT record through Cloudflare's API. Since my domain resolves to Cloudflare instead of the server IP, the verification failed.

    Is there an option to use Cloudflare's DNS API for domain validation?
     
  8. eva2000

    eva2000 Administrator Staff Member

    If the failed domain is in the same Cloudflare account, it should work provided you set up the persistent config variables outlined in Letsencrypt Free SSL Certificates Integration For Centmin Mod LEMP Stack. If you have a separate Cloudflare account for the domain, then for that Cloudflare account you would need to invite admin access to the Cloudflare account you are using for the persistent config file variables and update the Cloudflare API token permissions to include the other Cloudflare account.

    But to troubleshoot need the debug logs https://community.centminmod.com/th...pt-ssl-certificate-issuance-or-renewal.17859/
     
  9. jellday

    jellday Member

    I tested one of my domains, which is behind Cloudflare, and ran the command:
    Code:
    ./acmetool.sh reissue-only go2uk.org lived
    It returned the following errors:
    Code:
    go2uk.org nginx HTTPS SSL vhost doesn't already exist at
    /usr/local/nginx/conf/conf.d/go2uk.org.ssl.conf
    reissue-only command is for use with existing nginx HTTPS SSL based vhosts only
    aborting...
    
    The error message was clear, so I tried the command:
    Code:
    ./acmetool.sh issue go2uk.org lived
    Everything seemed fine during the process, with no errors reported. However, after the setup was complete and I visited the domain, I encountered errors from Cloudflare:

    Invalid SSL certificate Error code 526
     
  10. jellday

    jellday Member

  11. eva2000

    eva2000 Administrator Staff Member

    logs are 404 not found

    reissue-only option is for Centmin Mod nginx vhost sites that already exist and created on the server

    Do you have Cloudflare set to Full SSL Strict, Full SSL non-strict or Flexible SSL?

    If Letsencrypt issued a proper SSL cert, you should set it to either Full SSL Strict or Full SSL. If Letsencrypt SSL certificate issuance failed, you would have fallen back to a self-signed untrusted SSL cert, so you need to set Cloudflare to Flexible SSL.

    You can verify if Letsencrypt SSL cert was issued and when using checkdates command which will list all SSL certificates issued and separately list SSL certs installed and configured by Centmin Mod nginx including their respective expiry dates
    Code (Text):
    /usr/local/src/centminmod/addons/acmetool.sh checkdates
     
  12. jellday

    jellday Member

    Code:
    /usr/local/src/centminmod/addons/acmetool.sh checkdates
    ----------------------------------------------
    nginx installed
    ----------------------------------------------
    
    /usr/local/nginx/conf/ssl/go2uk.org/go2uk.org-acme.cer
    SHA1 Fingerprint=B79912F34D2F7F2E38A96063FF142F7A9C8F95B6
    certificate expires in 89 days on 30 Mar 2025
    
    /usr/local/nginx/conf/ssl/go2uk.org/go2uk.org-acme-ecc.cer
    SHA1 Fingerprint=4AAB4067DC20AAC6017FE1EE475AAF2B860DB8E5
    certificate expires in 89 days on 30 Mar 2025
    
    ----------------------------------------------
    acme.sh obtained
    ----------------------------------------------
    
    /root/.acme.sh/go2uk.org_ecc/go2uk.org.cer
    SHA1 Fingerprint=4AAB4067DC20AAC6017FE1EE475AAF2B860DB8E5
    [ below certifcate transparency link is only valid ~1hr after issuance ]
    https://crt.sh/?sha1=4AAB4067DC20AAC6017FE1EE475AAF2B860DB8E5
    certificate expires in 89 days on 30 Mar 2025
    Letsencrypt validation method: Le_Webroot='dns_cf'
    
    /root/.acme.sh/go2uk.org/go2uk.org.cer
    SHA1 Fingerprint=B79912F34D2F7F2E38A96063FF142F7A9C8F95B6
    [ below certifcate transparency link is only valid ~1hr after issuance ]
    https://crt.sh/?sha1=B79912F34D2F7F2E38A96063FF142F7A9C8F95B6
    certificate expires in 89 days on 30 Mar 2025
    Letsencrypt validation method: Le_Webroot='dns_cf'
    
    
    Is this correct?

    Yes. The vhost site that I used reissue option was already created on the server (without https).

    The logs must have been deleted by the staff for some reason.

    It was set to Full strict mode. Now I have changed it to Full, and it works fine.

    So, if I'm migrating a site to a new VPS, how do I set it up properly?
    My idea is: create the vhost in the new VPS without https, then move the data to the new VPS, then change the DNS setting, then issue certificates?
     
  13. eva2000

    eva2000 Administrator Staff Member

    looks correct matching SSL cert expiry dates and SSL sha1 hashes for issued SSL certs vs nginx installed SSL certs

    You should migrate the entire site and data intact.

    You have a few choices for Centmin Mod data/server migrations outlined below. All three should retain the working Centmin Mod Nginx vhost site's Letsencrypt SSL certificates and renewal processes. Of course, centmin.sh menu option 21 was written by me specifically for this :D

    1. First is https://community.centminmod.com/threads/centmin-mod-site-data-migration-guide.10382/, which outlines Centmin Mod to Centmin Mod data transfers using tools and techniques that apply to any server move. This migration process I've been doing for decades, and the basic underlying tools and what they are used for are always the same :)
    2. Or Centmin Mod revamped centmin.sh menu option 21 data management menu which I've been developing/testing/using already for migrations to EL8/EL9. It uses the fastest method for data transfers available from my years of experience :) There are both shell menu and shell script command line options available. You can do test migrations without updating domain(s) DNS just to practice and get familiar with the process. The centmin.sh menu option 21 is designed so you could in fact do multiple data transfers to the same server or different servers and each backup will be transferred to their own staging directory. So you can in fact use it like a remote backup method for whole server data as you have the shell script command line options available. There's very detailed centmin.sh menu option 21 documentation for Centmin Mod 131.00stable and Centmin Mod 140.00beta01. There are separate links as documentation will eventually diverge as Centmin Mod 140.00beta01 development continues to improve on the code.
    3. Or hire someone to do the Centmin Mod migration. I've been doing a lot of Centmin Mod and non-Centmin CentOS 7 migrations to EL8/EL9 based Centmin Mod / non-Centmin Mod servers lately - using the centmin.sh menu option 21 revamped data management menu for them too :)