SSL Letsencrypt Cloudflare Full (strict) not working: Error 526 Invalid SSL certificate with Authenticated Origin Pulls

Discussion in 'Domains, DNS, Email & SSL Certificates' started by adamus007p, Dec 27, 2021.

  1. adamus007p

    adamus007p Member

    • CentOS Version: CentOS 7 64bit
    • Centmin Mod Version Installed: 123.09beta01.b760
    • Nginx Version Installed: 1.21.4
    • PHP Version Installed: 8.0.14
    • When was the last time the Centmin Mod code base was updated?: today
    • Persistent Config:
      Code (Text):
      CF_DNSAPI_GLOBAL='y'
      CF_Token="xxxxxxxxxxxx"
      CF_Account_ID="xxxxxxxxxxxxxxxx"
      NGINX_SSLCACHE_ALLOWOVERRIDE='y'
      NGINX_STAPLE_CACHE_OVERRIDE='y'
      NGINX_STAPLE_CACHE_TTL='86400'
      SET_DEFAULT_MYSQLCHARSET='utf8mb4'
      AUTOHARDTUNE_NGINXBACKLOG='y'
      ZSTD_LOGROTATE_NGINX='y'
      ZSTD_LOGROTATE_PHPFPM='y'
      NGINX_LIBBROTLI='y'
      NGXDYNAMIC_BROTLI='y'
      PHP_PGO='y'
      PHP_BROTLI='y'
      PHP_LZFOUR='y'
      PHP_LZF='y'
      PHP_ZSTD='y'
      MARCH_TARGETNATIVE='n'
      LETSENCRYPT_DETECT='y'
      DUALCERTS='y'
      AUDITD_ENABLE='y'
      PHPINTL='y'
      PHPFINFO='y'
      LIBRESSL_SWITCH='n'
      DMOTD_PHPCHECK='y'
      WPCLI_CE_QUERYSTRING_INCLUDED='y'
      NGINX_ZERODT='y'
      
      
      
    Hello, I have 10 blogs (domains) and I wanted to configure them with Cloudflare and Authenticated Origin Pulls.

    Code (Text):
      ssl_client_certificate /usr/local/nginx/conf/ssl/cloudflare/domain.com/origin.crt;
      ssl_verify_client on;
      http2_max_field_size 16k;
      http2_max_header_size 32k;
    
    and
    Code (Text):
      # uncomment cloudflare.conf include if using cloudflare for
      # server and/or vhost site
      include /usr/local/nginx/conf/cloudflare.conf;
    
    


    I have followed
    https://community.centminmod.com/th...d-origin-pulls-protecting-your-origins.13847/
    https://servermanager.guide/203/wordpress-cache-enabler-advanced-full-page-caching-guide/

    I have configured the domains in Cloudflare too.

    The interesting thing is that some domains are working with Full (strict) and some only with Full.
    Your SSL/TLS encryption mode is Full (strict)
    from the SSL tab


    Why are some domains not working with Full (strict)?
    I have done all the same steps and some domains are working, some not.
    What is wrong? How do I correct it? Can you help?

    When I want to use Full (strict) on a domain that is not working there is
    Error 526
    Invalid SSL certificate

    How do I correct it?

     
  2. eva2000

    eva2000 Administrator Staff Member

    Cloudflare Full (strict) requires the Centmin Mod Nginx HTTPS site's SSL certificate to be a valid Letsencrypt SSL certificate, or any other browser-trusted SSL certificate, i.e. ZeroSSL, Comodo/Sectigo, Digicert etc.

    Cloudflare Full non-strict only requires the Centmin Mod Nginx HTTPS site's SSL certificate to exist - it can be a self-signed certificate that no browser would trust.

    So the question is: before you switched to Cloudflare, was HTTPS working on all 10 of your blogs with Letsencrypt SSL certificates? Are they still valid now or have any expired?

    If all blogs were set up via the Centmin Mod Nginx creation menus, like centmin.sh menu option 2, 22 or the nv command, with Letsencrypt SSL certificates, then addons/acmetool.sh can list and check all the issued Letsencrypt SSL certificates and list all the SSL certificates installed on each Centmin Mod Nginx vhost via the acmetool.sh checkdates command.

    Run this command within an SSH logged-in session on the Centmin Mod server
    Code (Text):
    /usr/local/src/centminmod/addons/acmetool.sh checkdates
    

    It will list all SSL certificate location paths + the SHA1 fingerprint of each SSL certificate + the certificate expiry date and how many days until the SSL certificate expires. It lists them in 2 groups: the 1st group is the nginx installed ones and the 2nd group is the Letsencrypt issued certificates. Generally both lists should match, as the Letsencrypt issued certificate will be installed and configured for Nginx.

    Note: I wouldn't post the output of checkdates on a public forum as it reveals your Nginx vhost domain name and the SHA1 fingerprint and a link to the crt.sh public transparency log page for your SSL certificate - which can be queried in public SSL certificate transparency logs i.e. crt.sh to get your domain name as well. You can mask the info for public display/posting.

    The key point is to look to see if any of the listed SSL certificates are missing for your domain or already expired. This may indicate that the Letsencrypt SSL certificate wasn't issued for a blog domain you have, suggesting your blog may be using a self-signed SSL certificate, which is used as a fallback if Letsencrypt issuance and domain validation failed. Or that your blog's issued Letsencrypt SSL certificate has expired. Both cases would give you the Cloudflare 526 error if you use Cloudflare Full (strict) SSL mode. If you switch to Full non-strict SSL mode, using a self-signed SSL certificate should still work.

    Example output from the addons/acmetool.sh checkdates command for domain.com, which shows the Letsencrypt SSL issued/obtained and nginx installed certificates are the same as they have matching SHA1 fingerprints, and that the SSL certificate expires in 76 days' time on March 14, 2022
    Code (Text):
     /usr/local/src/centminmod/addons/acmetool.sh checkdates
    ----------------------------------------------
    nginx installed
    ----------------------------------------------
    
    /usr/local/nginx/conf/ssl/domain.com/domain.com-acme.cer
    SHA1 Fingerprint=EDBFC***********E68A3851CF*************
    certificate expires in 76 days on 14 Mar 2022
    
    ----------------------------------------------
    acme.sh obtained
    ----------------------------------------------
    
    /root/.acme.sh/domain.com/domain.com.cer
    SHA1 Fingerprint=EDBFC***********E68A3851CF*************
    [ below certifcate transparency link is only valid ~1hr after issuance ]
    https://crt.sh/?sha1=EDBFC***********E68A3851CF*************
    certificate expires in 76 days on 14 Mar 2022
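
The reply above says how to read checkdates by eye: compare the "nginx installed" and "acme.sh obtained" groups, and look for missing or expired entries. As an added example (not part of this thread, acmetool.sh or Centmin Mod), the Python script below does that comparison over a constructed sample of checkdates output in the layout shown above, and returns a verdict per certificate that maps onto the 526 causes named in the reply: expired, fingerprint mismatch between what Nginx serves and what acme.sh issued, or no Let's Encrypt certificate at all (the self-signed fallback). It also covers the later "-257 days" case and the "some domains are not listed here" case by taking the list of `*.ssl.conf` vhost names. Entries are keyed by domain plus RSA/ECC so that a DUALCERTS='y' setup keeps both certificates; the sample values and fingerprints are invented.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample in the checkdates layout shown in the thread; paths,
# dates and fingerprints are invented, not real certificates.
SAMPLE_OUTPUT = """\
----------------------------------------------
nginx installed
----------------------------------------------
/usr/local/nginx/conf/ssl/domain.com/domain.com-acme.cer
SHA1 Fingerprint=EDBFC00000000000E68A3851CF00000000000000
certificate expires in 76 days on 14 Mar 2022

/usr/local/nginx/conf/ssl/domain1.com/domain1.com-acme-ecc.cer
SHA1 Fingerprint=46CEC909617A9700000000000000000000000000
certificate expires in -257 days on 27 Mar 2022

/usr/local/nginx/conf/ssl/domain2.com/domain2.com-acme.cer
SHA1 Fingerprint=AAAA000000000000000000000000000000000000
certificate expires in 60 days on 26 Feb 2022

/usr/local/nginx/conf/ssl/domain3.com/domain3.com.crt
SHA1 Fingerprint=CCCC000000000000000000000000000000000000
certificate expires in 300 days on 24 Oct 2022
----------------------------------------------
acme.sh obtained
----------------------------------------------
/root/.acme.sh/domain.com/domain.com.cer
SHA1 Fingerprint=EDBFC00000000000E68A3851CF00000000000000
[ below certifcate transparency link is only valid ~1hr after issuance ]
https://crt.sh/?sha1=EDBFC00000000000E68A3851CF00000000000000
certificate expires in 76 days on 14 Mar 2022

/root/.acme.sh/domain1.com_ecc/domain1.com.cer
SHA1 Fingerprint=46CEC909617A9700000000000000000000000000
certificate expires in -257 days on 27 Mar 2022

/root/.acme.sh/domain2.com/domain2.com.cer
SHA1 Fingerprint=BBBB000000000000000000000000000000000000
certificate expires in 80 days on 18 Mar 2022
"""

@dataclass
class CertEntry:
    key: str          # "domain/rsa" or "domain/ecc"
    path: str
    sha1: str = ""
    days_left: int = 0
    expires_on: str = ""

HEADER_RE = re.compile(r"^(nginx installed|acme\.sh obtained)$")
FP_RE = re.compile(r"^SHA1 Fingerprint=([0-9A-Fa-f]+)$")
EXPIRY_RE = re.compile(r"^certificate expires in (-?\d+) days on (.+)$")

def cert_key(path: str) -> str:
    """'domain/kind' from a cert path: acme.sh keeps ECC certs under <domain>_ecc,
    Centmin Mod names the installed ECC file *-acme-ecc.cer (assumed from the thread)."""
    parent, filename = path.rstrip("/").rsplit("/", 2)[-2:]
    domain = parent[:-4] if parent.endswith("_ecc") else parent
    kind = "ecc" if parent.endswith("_ecc") or "-ecc" in filename else "rsa"
    return f"{domain}/{kind}"

def parse_checkdates(text: str) -> Dict[str, Dict[str, CertEntry]]:
    groups: Dict[str, Dict[str, CertEntry]] = {"nginx installed": {}, "acme.sh obtained": {}}
    section, entry = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if HEADER_RE.match(line):
            section, entry = line, None
        elif section is None or not line or line[0] in "-[":
            continue                       # separators, blanks, the crt.sh note
        elif line.startswith("/"):         # a path line starts a new entry
            entry = CertEntry(cert_key(line), line)
            groups[section][entry.key] = entry
        elif entry is not None:
            if m := FP_RE.match(line):
                entry.sha1 = m.group(1).upper()
            elif m := EXPIRY_RE.match(line):
                entry.days_left, entry.expires_on = int(m.group(1)), m.group(2)
    return groups

def triage(groups: Dict[str, Dict[str, CertEntry]], min_days: int = 7) -> Dict[str, str]:
    """Verdict per certificate; anything other than 'ok' breaks Full (strict),
    while Full non-strict still accepts a self-signed or expired origin cert."""
    nginx, acme = groups["nginx installed"], groups["acme.sh obtained"]
    verdicts: Dict[str, str] = {}
    for key, installed in nginx.items():
        issued = acme.get(key)
        if issued is None:
            verdicts[key] = "no-letsencrypt-cert"      # self-signed fallback in use
        elif installed.days_left < 0:
            verdicts[key] = "expired"
        elif installed.sha1 != issued.sha1:
            verdicts[key] = "fingerprint-mismatch"     # Nginx not serving the issued cert
        elif installed.days_left < min_days:
            verdicts[key] = "expiring-soon"
        else:
            verdicts[key] = "ok"
    for key in acme.keys() - nginx.keys():
        verdicts[key] = "issued-but-not-installed"
    return verdicts

def unlisted_vhosts(groups: Dict[str, Dict[str, CertEntry]], ssl_conf_names: List[str]) -> List[str]:
    """Vhosts with a <domain>.ssl.conf that appear in neither checkdates group."""
    listed = {key.split("/")[0] for group in groups.values() for key in group}
    domains = [n[:-len(".ssl.conf")] for n in ssl_conf_names if n.endswith(".ssl.conf")]
    return sorted(d for d in domains if d not in listed)

if __name__ == "__main__":
    g = parse_checkdates(SAMPLE_OUTPUT)
    for key, verdict in sorted(triage(g).items()):
        print(f"{key:20} {verdict}")
    print("not listed at all:", unlisted_vhosts(g, ["domain.com.ssl.conf", "domain4.com.ssl.conf"]))
```

On a real server you would feed it the saved output of `/usr/local/src/centminmod/addons/acmetool.sh checkdates` and the file names from `/usr/local/nginx/conf/conf.d/`; the fingerprint comparison is what tells you whether the certificate Nginx actually serves is the one acme.sh issued, which a bare expiry check misses.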
    
     
  3. adamus007p

    adamus007p Member

    Hello @eva2000, thank you for your answer.

    All blogs were installed using option 22.

    All SSL certificates are and were valid.
    How may I double check it?

    The interesting thing is that

    Code (Text):
     /usr/local/src/centminmod/addons/acmetool.sh checkdates
    


    some domains are not listed here....
    Those are the ones where there are problems with Full (strict).

    How do I fix it?



    2. To protect with Cloudflare Authenticated Origin Pulls, do I have to use Full (strict) or will only Full be ok?
     
  4. eva2000

    eva2000 Administrator Staff Member

    That suggests either those domains had a failed Letsencrypt domain validation, so fell back to a self-signed SSL certificate, or they didn't have HTTPS set up in the first place, i.e. were created as non-HTTPS Nginx vhosts?

    More likely Letsencrypt SSL domain validation failed. If so, disable Cloudflare Authenticated Origin Pull on the problematic Nginx vhost site's nginx config file domain.ssl.conf by commenting out the lines with a hash # in front and restart Nginx. Then switch to Cloudflare Full non-strict SSL mode and see if the domain works. If it works, then try the acmetool.sh reissue-only option for existing nginx HTTPS SSL vhosts whose domain.com.ssl.conf vhost config files exist. This only reissues the letsencrypt SSL cert without touching the nginx vhost. Ideal for use when you tried creating a Nginx HTTPS SSL default vhost site but letsencrypt SSL issuance failed the first time. When it fails, Centmin Mod usually falls back to self-signed SSL as a placeholder for the domain.com.ssl.conf vhost config. When you run:
    Code (Text):
    cd /usr/local/src/centminmod/addons
    ./acmetool.sh reissue-only domain.com live
    

    It will only try reissuing the letsencrypt SSL certificate for the domain = domain.com as a live production SSL certificate without touching any of the existing nginx vhost at domain.com.ssl.conf
     
  5. eva2000

    eva2000 Administrator Staff Member

    Cloudflare Authenticated Origin Pull doesn't depend on site's HTTPS status, it's only for validating the connection between Cloudflare edge servers and origin Centmin Mod Nginx site.
     
  6. adamus007p

    adamus007p Member

    @eva2000 I remember that I was using option 4, so only HTTPS.

    How may I double check it?
    I see only domain1.com.ssl.conf, only ssl.conf; there is no .conf without ssl in the names.

    Ok, I have followed your instructions


    So when I run the below command for each domain
    Code (Text):
    cd /usr/local/src/centminmod/addons
    ./acmetool.sh reissue-only domain.com live
    



    It helped :) Thank you very much.

    Shall I do any further steps? Like add something to cron?
    Or anything else regarding SSL? Any https://community.centminmod.com/th...s-to-origin-server-use-ecdsa-ssl-certs.14817/
     
    Last edited: Dec 28, 2021
  7. adamus007p

    adamus007p Member

    One thing I have noticed is that some domains have in their domain.com.ssl.conf files:

    Code (Text):
     # mozilla recommended
    ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256......
    


    some other newer domains
    Code (Text):
     # mozilla recommended
    TLS13-AES-128-GCM-SHA256:TLS13-AES-256-GCM-SHA384:TLS13......
    


    Why?

    Should they be the same?
    Shall I update it and how?
     
  8. eva2000

    eva2000 Administrator Staff Member

    They must have been very old nginx vhosts, as that changed on Oct 1, 2018: reorder chacha20 ssl_ciphers in 123.09beta01 · centminmod/centminmod@7786092 AFAIK

    If there is only domain.com.ssl.conf, then all domains were HTTPS

    Glad to see :)
     
  9. adamus007p

    adamus007p Member

    Besides that:
    @eva2000 do I need to add anything to cron? Will SSL be automatically updated?



    Yes, it is a very old vhost; how may I update it? Just copy it or run any command?


    Should I add to the persistent config file /etc/centminmod/custom_config.inc
    Code (Text):
    PRIORITIZE_CHACHA_OPENSSL='y'
    


    and then menu option 4 to recompile nginx?


    2. Is it possible to refresh vhosts?
     
    Last edited: Dec 28, 2021
  10. eva2000

    eva2000 Administrator Staff Member

    acmetool.sh uses the acme.sh client underneath and that has a cronjob set up for automatic renewals

    No need to refresh vhosts, just updating should be enough - pay attention to the 123.09beta01 update info below.

    Upgrading Centmin Mod Code to Latest Version

    Getting Started Guide step 19 also outlines how to keep the Centmin Mod code updated or how to switch version branches, or you can run the cmupdate command that was recently added.

    Centmin Mod LEMP stack's script code is constantly updated for improvements, bug fixes and security fixes, so keeping the Centmin Mod code up to date is important. With Centmin Mod 1.2.3-eva2000.08 (123.08stable) and higher releases, a newly added centmin.sh menu option 23 allows much easier code updates and version branch switching via a Git-backed environment you can set up.

    For 123.08stable that means centmin.sh menu option 23 submenu option 2 (if you previously ran submenu option 1) first, then exit centmin.sh, re-enter /usr/local/src/centminmod and re-run the centmin.sh menu.

    For 123.09beta01 and higher that means running the SSH command = cmupdate and then re-entering /usr/local/src/centminmod and re-running the centmin.sh menu.

    Example of using the 123.09beta01 cmupdate command to update Centmin Mod code on your server
    Code (Text):
    cmupdate
    No local changes to save
    Updating 5f92047..9d06ee8
    Fast-forward
     stackscripts/stackscript.sh | 11 ++++++++---
     1 file changed, 8 insertions(+), 3 deletions(-)
    


    For full details read the following links:
    Upgrading Centmin Mod involves 2 parts.
    1. Upgrading the actual Centmin Mod code outlined at Upgrade Centmin Mod. This is the heart of Centmin Mod, where the code is the engine that runs the centmin.sh shell based menu and all the automation you're accustomed to. You can easily update within a Centmin Mod version branch or switch version branches via centmin.sh menu option 23 outlined here.
    2. Upgrading the software that Centmin Mod installed or manages. For this part follow the outline at How to upgrade Centmin Mod software installed on your server.
    So essentially, you can upgrade from one version branch to another, i.e. 123.08stable to 123.09beta01 or higher, in place, but not everything is upgraded, as some things like the server's initial environment setup aren't changed, i.e. how swap, tmp setup and allocation are created etc. The main parts from part 2 above are what in-place upgrades do, i.e. Nginx and PHP-FPM compilation and config/settings parameters and MariaDB version from 5.5 to 10.0.x. If you want the full environment changed, including tmp and swap setup, to the 123.09beta01 etc. configuration, then you would need a fresh OS install and a fresh 123.09beta01 initial install. You can think of it like upgrading Windows 7 to Windows 8. An in-place upgrade will upgrade code but won't change your computer environment from when you installed Windows 7, i.e. disk configuration and partition sizes won't change from when you initially installed Windows 7. The only way to change that would be a fresh Windows 8 install.
     
  11. eva2000

    eva2000 Administrator Staff Member

    The gist of the previous post is: to update an existing 123.09beta01 install, just run

    cmupdate

    then run centmin.sh menu options 4 and 5 to recompile nginx and PHP to the latest versions, which would be enough to take care of most updates; then make sure you run centmin.sh menu option 24 to exit and you will see a yum update command listed if there are yum updates, so run that yum update command.
     
  12. adamus007p

    adamus007p Member

    Hello @eva2000, thank you for your time and reply.

    I have already done this but it did not update my very old vhost; what can I do in such a case? My vhosts are still not updated. Is there anything I can do?
     
    Last edited: Dec 29, 2021
  13. adamus007p

    adamus007p Member

    @eva2000 I see that the problem is back :(

    Invalid SSL certificate Error code 526
    Visit cloudflare.com for more information.

    Full (strict) does not work: Error 526 Invalid SSL certificate with Authenticated Origin Pulls


    Code (Text):
    echo y | /usr/local/src/centminmod/addons/acmetool.sh check_cfapi
    
    ------------------------------------------------------------------------------
    Version Check:
    ------------------------------------------------------------------------------
    !!!  there maybe a newer version of /usr/local/src/centminmod/addons/acmetool.sh available  !!!
    https://community.centminmod.com/posts/34492/
    update using centmin.sh menu option 23 submenu option 2
    
    or via command: cmupdate
    
    Always ensure Current Version is higher or equal to Latest Version
    ------------------------------------------------------------------------------
    Current acmetool.sh Version: 1.0.82
    Latest acmetool.sh Version: 1.0.83
    


    Then I run
    Code (Text):
    /usr/local/src/centminmod/addons/acmetool.sh checkdates


    Code (Text):
    nginx installed
    
    /usr/local/nginx/conf/ssl/domain1.com/domain1.com-acme-ecc.cer
    SHA1 Fingerprint=46CEC90xxxx
    certificate expires in -257 days on 27 Mar 2022
    
    acme.sh obtained
    /root/.acme.sh/domain1.com_ecc/domain1.com.cer
    SHA1 Fingerprint=46CEC909617A97xxxxxxxx
    [ below certifcate transparency link is only valid ~1hr after issuance ]
    https://crt.sh/?sha1=46CEC909617A97xxxxxx
    certificate expires in -257 days on 27 Mar 2022
    


    Some domains are updated, some not, why?

    How do I correct all domains?


    I ran the command
    Code (Text):
    /usr/local/src/centminmod/tools/cf-authenticated-origin-cert-update.sh update


    It did not help :(
    Invalid SSL certificate Error code 526
     
    Last edited: Dec 10, 2022
  14. eva2000

    eva2000 Administrator Staff Member

    The Authenticated Origin Pull SSL certificate isn't related to letsencrypt, so it's not the same thing.

    First try running your intended SSL certificate domain through the letsdebug.net online testing tool to check for potential errors with HTTP-01 validation. If you created a Centmin Mod 123.09beta01 or higher Nginx site with Letsencrypt via centmin.sh menu option 2, 22 or the nv command line, you now also have an automatic letsdebug.net API check log saved at /root/centminlogs/letsdebug-yourdomain.com-${DT}.log, where yourdomain.com is the domain specified during nginx vhost creation and DT is the date/timestamp. Inspecting the /root/centminlogs/letsdebug-yourdomain.com-${DT}.log log will also give you clues as to why letsencrypt SSL certificate issuance failed.

    How was the initial letsencrypt SSL certificate obtained? Which method?
    • Was the domain nginx vhost already created prior, or was it a new domain nginx vhost site set up for the first time?
    • Via centmin.sh menu option 2, 22, /usr/bin/nv?
    • If you ran centmin.sh menu option 2 or 22, which letsencrypt option did you select from
      Code (Text):
      -------------------------------------------------------------
      Setup full Nginx vhost + Wordpress + WP Plugins
      -------------------------------------------------------------
      
      Enter vhost domain name you want to add (without www. prefix): acme3.domain1.com
      
      Create a self-signed SSL certificate Nginx vhost? [y/n]: n
      Get Letsencrypt SSL certificate Nginx vhost? [y/n]: y
      
      You have 4 options:
      1. issue staging test cert with HTTP + HTTPS
      2. issue staging test cert with HTTPS default
      3. issue live cert with HTTP + HTTPS
      4. issue live cert with HTTPS default
      Enter option number 1-4: 1
      
    • Via addons/acmetool.sh ? which specific command ? examples
      Code (Text):
      ./acmetool.sh issue acme.domain.com
      
      Code (Text):
      ./acmetool.sh issue acme.domain.com live
      
      Code (Text):
      ./acmetool.sh issue acme.domain.com d
      
      Code (Text):
      ./acmetool.sh issue acme.domain.com lived
      
    • What was order of steps you did ? Did you run centmin.sh menu option 2 first with letsencrypt ? Then did you run addons/acmetool.sh afterwards ?

    Centmin Mod Self-Signed SSL Fallback

    If you're seeing Centmin Mod's self-signed SSL certificate instead of the letsencrypt SSL certificate, then that's acmetool.sh and centminmod's fallback: if letsencrypt verification fails to obtain the letsencrypt SSL cert, it falls back to the Centmin Mod self-signed SSL certificate on the https port 443 side so as to preserve the https nginx vhost

    Troubleshooting

    There are various steps you can take to troubleshoot failed letsencrypt issuances, renewals, reissues etc.
    • acmetool.sh logs all command line or shell menu runs to log files at /root/centminlogs. To troubleshoot, copy the contents of the log run and post the contents of the log to pastebin.com or gist.github.com and share the link in this thread. To find the log, list the logs in ascending date order
      Code (Text):
      ls -lahrt /root/centminlogs
    • For direct acmetool.sh runs, there should be a 2nd, 3rd and 4th log in the format /root/centminlogs/centminmod_${DT}_nginx_addvhost_nv.log and /root/centminlogs/acmetool.sh-debug-log-$DT.log and /root/centminlogs/acmesh-issue_*.log or /root/centminlogs/acmesh-reissue_*.log, which would need to be included via a separate pastebin.com or gist.github.com post.
    • Enable acmetool.sh debug mode. In the persistent config file at /etc/centminmod/custom_config.inc (create it if it doesn't exist) add and enable acmetool.sh debug mode, which gives much more verbose letsencrypt issuance process information when you re-run acmetool.sh or centmin.sh menu options 2, 22 or /usr/bin/nv command lines.
      Code (Text):
      ACMEDEBUG='y'
    If acme.sh auto renewals didn't happen, check the output of the following commands
    Code (Text):
    grep acme /var/log/cron* | sed -e "s|$(hostname -s)|host|g"
    

    Code (Text):
    echo y | /usr/local/src/centminmod/addons/acmetool.sh checkdates
    

    Code (Text):
    "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh"
    

    Code (Text):
    echo | openssl s_client -connect yourdomain.com:443
    

    Without the answers to the above questions and the logs, there is nothing to help troubleshoot.

    SSLLabs Test

    Also run your HTTPS domain site through the SSLLabs tester at SSL Server Test (Powered by Qualys SSL Labs); if it says untrusted SSL cert and prompts to continue the test, continue the test.

    Cloudflare

    If you use Cloudflare, instead of the default Letsencrypt web root validation, you can use Cloudflare's DNS API for Letsencrypt DNS validation for your domain. See the outline at the bottom of the page at Letsencrypt Free SSL Certificates
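
The renewal checks listed above (`grep acme /var/log/cron*` and a manual `acme.sh --cron` run) produce exactly the kind of log the later posts in this thread paste. As an added example, not part of the thread, acme.sh or Centmin Mod, the Python below triages such output: it confirms from the cron log that the acme.sh renewal job is actually firing, and from the acme.sh run it reports per domain whether renewal was skipped as not yet due, succeeded and reloaded Nginx, or failed HTTP-01 validation (for example the "Too many redirects" fetch error on /.well-known/acme-challenge/ that appears later in the thread). The sample lines are constructed to mirror the message formats acme.sh prints in this thread; domains, PIDs and timestamps are invented.

```python
import re
from typing import Dict, List

# Constructed sample of `grep acme /var/log/cron*` output, hostname masked as
# the thread's sed does. Not copied from the thread.
CRON_LINES = [
    '/var/log/cron:Dec  9 00:54:02 host CROND[19469]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)',
    '/var/log/cron:Dec 10 00:54:01 host CROND[20340]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)',
    '/var/log/cron-20221204:Nov 29 00:54:01 host CROND[19644]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)',
]

# Constructed sample of an `acme.sh --cron` run with three outcomes.
RENEW_LOG = """\
[Sat Dec 10 23:24:10 UTC 2022] ===Starting cron===
[Sat Dec 10 23:24:10 UTC 2022] Renew: 'good.example'
[Sat Dec 10 23:24:10 UTC 2022] Skip, Next renewal time is: Tue Jan 24 00:54:32 UTC 2023
[Sat Dec 10 23:24:10 UTC 2022] Add '--force' to force to renew.
[Sat Dec 10 23:24:10 UTC 2022] Skipped good.example
[Sat Dec 10 23:24:11 UTC 2022] Renew: 'fixed.example'
[Sat Dec 10 23:24:12 UTC 2022] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Sat Dec 10 23:24:15 UTC 2022] Verify finished, start to sign.
[Sat Dec 10 23:24:18 UTC 2022] Cert success.
-----BEGIN CERTIFICATE-----
MIIB...constructed...
-----END CERTIFICATE-----
[Sat Dec 10 23:24:19 UTC 2022] Installing cert to: /usr/local/nginx/conf/ssl/fixed.example/fixed.example-acme-ecc.cer
[Sat Dec 10 23:24:19 UTC 2022] Run reload cmd: /usr/bin/ngxreload
[Sat Dec 10 23:24:20 UTC 2022] Reload success
[Sat Dec 10 23:24:20 UTC 2022] Renew: 'broken.example'
[Sat Dec 10 23:24:24 UTC 2022] Verifying: broken.example
[Sat Dec 10 23:24:26 UTC 2022] broken.example:Verify error:Fetching https://broken.example/.well-known/acme-challenge/TOKEN: Too many redirects
[Sat Dec 10 23:24:26 UTC 2022] Please check log file for more details: /root/centminlogs/acmetool.sh-debug-log-EXAMPLE.log
"""

CRON_RE = re.compile(
    r"^(?:[^:]+:)?(\w{3}\s+\d{1,2}) \d\d:\d\d:\d\d \S+ CROND\[\d+\]: \((\w+)\) CMD \((.*)\)$"
)
TS_RE = re.compile(r"^\[[^\]]+\] (.*)$")          # strip the "[date]" prefix
RENEW_RE = re.compile(r"^Renew: '([^']+)'$")
SKIP_RE = re.compile(r"^Skip, Next renewal time is: (.+)$")
ERR_RE = re.compile(r"^([^:\s]+):Verify error:(.+)$")

def cron_renewal_runs(lines: List[str]) -> List[str]:
    """Dates on which cron actually executed the acme.sh --cron job.
    A gap here means renewals never even started, whatever the certs say."""
    runs = []
    for line in lines:
        m = CRON_RE.match(line.strip())
        if m and "acme.sh --cron" in m.group(3):
            runs.append(m.group(1).replace("  ", " "))
    return runs

def summarize_renewals(log: str) -> Dict[str, Dict[str, str]]:
    """Per-domain outcome of an acme.sh --cron run: skipped-not-due,
    renewed, renewed-and-reloaded, or validation-failed with the reason."""
    result: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in log.splitlines():
        m = TS_RE.match(raw.strip())
        if not m:
            continue                       # PEM body and other untimestamped lines
        msg = m.group(1)
        if m := RENEW_RE.match(msg):
            current = m.group(1)
            result[current] = {"status": "unknown", "detail": ""}
            continue
        if current is None:
            continue
        rec = result[current]
        if m := SKIP_RE.match(msg):
            rec.update(status="skipped-not-due", detail=m.group(1))
        elif m := ERR_RE.match(msg):
            rec.update(status="validation-failed", detail=m.group(2).strip())
        elif msg == "Cert success.":
            rec["status"] = "renewed"
        elif msg == "Reload success" and rec["status"] == "renewed":
            rec["status"] = "renewed-and-reloaded"   # new cert is live in Nginx
    return result

if __name__ == "__main__":
    print("cron ran acme.sh on:", cron_renewal_runs(CRON_LINES))
    for domain, rec in summarize_renewals(RENEW_LOG).items():
        print(f"{domain:16} {rec['status']:22} {rec['detail']}")
```

A "renewed" status without the following "Reload success" is worth flagging on its own: the certificate on disk is new but Nginx still serves the old one until reloaded, which is the same symptom the checkdates fingerprint mismatch would show.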
     
  15. adamus007p

    adamus007p Member

    Hello @eva2000, thank you for the response.
    For the older host I see that there is no domain info, so I had to look one by one, but finally I have found it.

    The domain was created on 13.07.2019; the file name is centminmod_123.09beta01.b202_130719-184313_wordpress_addvhost

    I was adding the domain like a beginner, choosing options, nothing extra. No other commands.


    I believe that the domain was created by option 22.

    As I see, I could choose
    Code (Text):
    4. issue live cert with HTTPS default (trusted)
    Enter option number 1-4: 4


    later

    Code (Text):
    [self-signed ssl cert check] required by acmetool.sh
    
    [self-signed ssl] /usr/local/nginx/conf/ssl/domain.com/dhparam.pem exists
    [self-signed ssl] /usr/local/nginx/conf/ssl/domain.com/domain.com.crt exists
    [self-signed ssl] /usr/local/nginx/conf/ssl/domain.com/domain.com.key exists
    
    [sslvhostsetup] create /usr/local/nginx/conf/conf.d/domain.com.ssl.conf
    
    ...
    
    issue & install letsencrypt ssl certificate for domain.com
    -----------------------------------------------------------
    testcert value = wplived
    wp routine detected use reissue instead via --force
    /root/.acme.sh/acme.sh --force --issue -d domain.com -d www.domain.com --days 60 -w /home/nginx/domains/domain.com/public -k 2048 --useragent centminmod-centos7-acmesh-webroot --log /root/centminlogs/acmetool.sh-debug-log-130719-183950.log --log-level 2
    [Sat Jul 13 18:41:14 UTC 2019] Creating domain key
    [Sat Jul 13 18:41:15 UTC 2019] The domain key is here: /root/.acme.sh/domain.com/domain.com.key
    [Sat Jul 13 18:41:15 UTC 2019] Multi domain='DNS:domain.com,DNS:www.domain.com'
    [Sat Jul 13 18:41:15 UTC 2019] Getting domain auth token for each domain
    [Sat Jul 13 18:41:17 UTC 2019] Getting webroot for domain='domain.com'
    [Sat Jul 13 18:41:17 UTC 2019] Getting webroot for domain='www.domain.com'
    [Sat Jul 13 18:41:17 UTC 2019] Verifying: domain.com
    [Sat Jul 13 18:41:20 UTC 2019] Pending
    [Sat Jul 13 18:41:22 UTC 2019] domain.com:Verify error:Fetching https://domain.com/.well-known/acme-challenge/LD1uGONPM_zaKLXUaJXX28zQWChQq8aMsZBAaGvWWF8: Too many redirects
    [Sat Jul 13 18:41:22 UTC 2019] Please check log file for more details: /root/centminlogs/acmetool.sh-debug-log-130719-183950.log
    LECHECK = 1


    Here was a problem...

    How can I fix this domain?

    I can send the full log /root/centminlogs/acmetool.sh-debug-log-130719-183950.log if it is needed.
     
    Last edited: Dec 11, 2022
  16. adamus007p

    adamus007p Member

    https://letsdebug.net/

    CloudflareCDN
    WARNING
    The domain korepetycjechemia.com is being served through Cloudflare CDN. Any Let's Encrypt certificate installed on the origin server will only encrypt traffic between the server and Cloudflare. It is strongly recommended that the SSL option 'Full SSL (strict)' be enabled.


    Code (Text):
    grep acme /var/log/cron* | sed -e "s|$(hostname -s)|host|g"
    /var/log/cron:Dec  5 00:54:01 host CROND[6896]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron:Dec  6 00:54:01 host CROND[8340]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron:Dec  7 00:54:01 host CROND[3459]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron:Dec  8 00:54:01 host CROND[32405]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron:Dec  9 00:54:02 host CROND[19469]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron:Dec 10 00:54:01 host CROND[20340]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron-20221113:Nov  7 00:54:01 host CROND[24614]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron-20221113:Nov  8 00:54:01 host CROND[13575]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron-20221113:Nov  9 00:54:01 host CROND[32629]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron-20221113:Nov 10 00:54:01 host CROND[20901]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron-20221113:Nov 11 00:54:01 host CROND[12664]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron-20221113:Nov 12 00:54:01 host CROND[30197]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron-20221113:Nov 13 00:54:01 host CROND[9229]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron-20221120:Nov 14 00:54:01 host CROND[29577]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron-20221120:Nov 15 00:54:01 host CROND[19777]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron-20221120:Nov 16 00:54:01 host CROND[13874]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron-20221120:Nov 17 00:54:01 host CROND[8869]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron-20221120:Nov 18 00:54:01 host CROND[2862]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron-20221120:Nov 19 00:54:01 host CROND[26579]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron-20221120:Nov 20 00:54:01 host CROND[16094]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron-20221127:Nov 21 00:54:01 host CROND[8206]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron-20221127:Nov 22 00:54:01 host CROND[30398]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron-20221127:Nov 23 00:54:01 host CROND[18089]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron-20221127:Nov 24 00:54:01 host CROND[2208]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron-20221127:Nov 25 00:54:01 host CROND[23126]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron-20221127:Nov 26 00:54:01 host CROND[24423]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron-20221127:Nov 27 00:54:01 host CROND[12064]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron-20221204:Nov 28 00:54:01 host CROND[1409]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron-20221204:Nov 29 00:54:01 host CROND[19644]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    


    I have run the command
    Code (Text):
     "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh"
    [Sat Dec 10 23:24:10 UTC 2022] ===Starting cron===
    [Sat Dec 10 23:24:10 UTC 2022] Renew: 'domain11.com.com'
    [Sat Dec 10 23:24:10 UTC 2022] Skip, Next renewal time is: Tue Jan 24 00:54:32 UTC 2023
    [Sat Dec 10 23:24:10 UTC 2022] Add '--force' to force to renew.
    [Sat Dec 10 23:24:10 UTC 2022] Skipped domain11.com.com
    

    For better viewing I have separated the log.
    Code (Text):
    [Sat Dec 10 23:24:10 UTC 2022] Renew: 'TROUBLE-DOMAIN.com'
    [Sat Dec 10 23:24:10 UTC 2022] Skip, Next renewal time is: Wed Feb  8 23:11:35 UTC 2023
    [Sat Dec 10 23:24:10 UTC 2022] Add '--force' to force to renew.
    [Sat Dec 10 23:24:10 UTC 2022] Skipped TROUBLE-DOMAIN.com
    [Sat Dec 10 23:24:11 UTC 2022] Renew: 'TROUBLE-DOMAIN.com'
    [Sat Dec 10 23:24:12 UTC 2022] Using CA: https://acme-v02.api.letsencrypt.org/directory
    [Sat Dec 10 23:24:12 UTC 2022] Multi domain='DNS:TROUBLE-DOMAIN.com,DNS:www.TROUBLE-DOMAIN.com'
    [Sat Dec 10 23:24:12 UTC 2022] Getting domain auth token for each domain
    [Sat Dec 10 23:24:15 UTC 2022] Getting webroot for domain='TROUBLE-DOMAIN.com'
    [Sat Dec 10 23:24:15 UTC 2022] Getting webroot for domain='www.TROUBLE-DOMAIN.com'
    [Sat Dec 10 23:24:15 UTC 2022] TROUBLE-DOMAIN.com is already verified, skip dns-01.
    [Sat Dec 10 23:24:15 UTC 2022] www.TROUBLE-DOMAIN.com is already verified, skip http-01.
    [Sat Dec 10 23:24:15 UTC 2022] Verify finished, start to sign.
    [Sat Dec 10 23:24:15 UTC 2022] Lets finalize the order.
    [Sat Dec 10 23:24:15 UTC 2022] Le_OrderFinalize='https://acme-v02.api.letsencrypt.org/acme/finalize/605867xxxx
    [Sat Dec 10 23:24:17 UTC 2022] Downloading cert.
    [Sat Dec 10 23:24:17 UTC 2022] Le_LinkCert='https://acme-v02.api.letsencrypt.org/acme/cert/038e1ef1049fxxxx
    [Sat Dec 10 23:24:17 UTC 2022] Try rel: https://acme-v02.api.letsencrypt.org/acme/cert/038e1efxxxx
    [Sat Dec 10 23:24:18 UTC 2022] Cert success.
    -----BEGIN CERTIFICATE-----
    ........xxxxxxxxx............
    -----END CERTIFICATE-----
    [Sat Dec 10 23:24:18 UTC 2022] Your cert is in: /root/.acme.sh/TROUBLE-DOMAIN.com_ecc/TROUBLE-DOMAIN.com.cer
    [Sat Dec 10 23:24:18 UTC 2022] Your cert key is in: /root/.acme.sh/TROUBLE-DOMAIN.com_ecc/TROUBLE-DOMAIN.com.key
    [Sat Dec 10 23:24:18 UTC 2022] The intermediate CA cert is in: /root/.acme.sh/TROUBLE-DOMAIN.com_ecc/ca.cer
    [Sat Dec 10 23:24:18 UTC 2022] And the full chain certs is there: /root/.acme.sh/TROUBLE-DOMAIN.com_ecc/fullchain.cer
    [Sat Dec 10 23:24:19 UTC 2022] Installing cert to: /usr/local/nginx/conf/ssl/TROUBLE-DOMAIN.com/TROUBLE-DOMAIN.com-acme-ecc.cer
    [Sat Dec 10 23:24:19 UTC 2022] Installing CA to: /usr/local/nginx/conf/ssl/TROUBLE-DOMAIN.com/TROUBLE-DOMAIN.com-acme-ecc.cer
    [Sat Dec 10 23:24:19 UTC 2022] Installing key to: /usr/local/nginx/conf/ssl/TROUBLE-DOMAIN.com/TROUBLE-DOMAIN.com-acme-ecc.key
    [Sat Dec 10 23:24:19 UTC 2022] Installing full chain to: /usr/local/nginx/conf/ssl/TROUBLE-DOMAIN.com/TROUBLE-DOMAIN.com-fullchain-acme-ecc.key
    [Sat Dec 10 23:24:19 UTC 2022] Run reload cmd: /usr/bin/ngxreload
    Reloading nginx configuration (via systemctl):             [  OK  ]
    [Sat Dec 10 23:24:20 UTC 2022] Reload success
    

    And the problem seems to be fixed, but the question is: will it be renewed automatically?
    Do I need to do anything else?

    During this command I see other errors regarding another domain: otherTROUBLE-DOMAIN.com
    Code (Text):
    [Sat Dec 10 23:24:20 UTC 2022] Renew: 'otherTROUBLE-DOMAIN.com'
    [Sat Dec 10 23:24:21 UTC 2022] Using CA: https://acme-v02.api.letsencrypt.org/directory
    [Sat Dec 10 23:24:21 UTC 2022] Multi domain='DNS:otherTROUBLE-DOMAIN.com,DNS:www.otherTROUBLE-DOMAIN.com'
    [Sat Dec 10 23:24:21 UTC 2022] Getting domain auth token for each domain
    [Sat Dec 10 23:24:24 UTC 2022] Getting webroot for domain='otherTROUBLE-DOMAIN.com'
    [Sat Dec 10 23:24:25 UTC 2022] Getting webroot for domain='www.otherTROUBLE-DOMAIN.com'
    [Sat Dec 10 23:24:25 UTC 2022] Adding txt value: xxxxxxxxxxxxsvNTUNbtkUxt3fK-mKdcAg1xY for domain:  _acme-challenge.otherTROUBLE-DOMAIN.com
    [Sat Dec 10 23:24:28 UTC 2022] invalid domain
    [Sat Dec 10 23:24:28 UTC 2022] Error add txt for domain:_acme-challenge.otherTROUBLE-DOMAIN.com
    [Sat Dec 10 23:24:28 UTC 2022] Please check log file for more details: /root/centminlogs/acmetool.sh-debug-log-280122-105529.log
    [Sat Dec 10 23:24:30 UTC 2022] Error renew otherTROUBLE-DOMAIN.com.
    [Sat Dec 10 23:24:30 UTC 2022] Renew: 'otherTROUBLE-DOMAIN.com'
    [Sat Dec 10 23:24:31 UTC 2022] Using CA: https://acme-v02.api.letsencrypt.org/directory
    [Sat Dec 10 23:24:31 UTC 2022] Multi domain='DNS:otherTROUBLE-DOMAIN.com,DNS:www.otherTROUBLE-DOMAIN.com'
    [Sat Dec 10 23:24:31 UTC 2022] Getting domain auth token for each domain
    [Sat Dec 10 23:24:34 UTC 2022] Getting webroot for domain='otherTROUBLE-DOMAIN.com'
    [Sat Dec 10 23:24:34 UTC 2022] Getting webroot for domain='www.otherTROUBLE-DOMAIN.com'
    [Sat Dec 10 23:24:35 UTC 2022] Adding txt value: xxxxxsDc17ZcBtnQ7Nv_cqIk for domain:  _acme-challenge.otherTROUBLE-DOMAIN.com
    [Sat Dec 10 23:24:38 UTC 2022] invalid domain
    [Sat Dec 10 23:24:38 UTC 2022] Error add txt for domain:_acme-challenge.otherTROUBLE-DOMAIN.com
    [Sat Dec 10 23:24:38 UTC 2022] Please check log file for more details: /root/centminlogs/acmetool.sh-debug-log-280122-105529.log
    [Sat Dec 10 23:24:40 UTC 2022] Error renew otherTROUBLE-DOMAIN.com_ecc.
    [Sat Dec 10 23:24:40 UTC 2022] Renew: 'domain444.com'
    [Sat Dec 10 23:24:40 UTC 2022] Skip, Next renewal time is: Tue Jan 24 00:55:26 UTC 2023
    [Sat Dec 10 23:24:40 UTC 2022] Add '--force' to force to renew.
    [Sat Dec 10 23:24:40 UTC 2022] Skipped domain444.com
    



    I see that for the other domain here, otherTROUBLE-DOMAIN.com, there is some error too. Why?
     
    Last edited: Dec 11, 2022
  17. adamus007p

    adamus007p Member

    Code (Text):
     echo y | /usr/local/src/centminmod/addons/acmetool.sh checkdates
    
    ------------------------------------------------------------------------------
    Version Check:
    ------------------------------------------------------------------------------
    !!!  there maybe a newer version of /usr/local/src/centminmod/addons/acmetool.sh available  !!!
    https://community.centminmod.com/posts/34492/
    update using centmin.sh menu option 23 submenu option 2
    
    or via command: cmupdate
    
    Always ensure Current Version is higher or equal to Latest Version
    ------------------------------------------------------------------------------
    Current acmetool.sh Version: 1.0.82
    Latest acmetool.sh Version: 1.0.83
    ------------------------------------------------------------------------------
    
    ----------------------------------------------
    nginx installed
    ----------------------------------------------
    
    
    
    /usr/local/nginx/conf/ssl/TROUBLE-DOMAIN/TROUBLE-DOMAIN-acme-ecc.cer
    SHA1 Fingerprint=90BCDA45B5BBxxxxx
    certificate expires in 89 days on 10 Mar 2023
    
    /usr/local/nginx/conf/ssl/TROUBLE-DOMAIN/TROUBLE-DOMAIN-acme.cer
    SHA1 Fingerprint=FD4FF8B9007xxxxx
    certificate expires in -258 days on 27 Mar 2022
    
    
    ----------------------------------------------
    acme.sh obtained
    ----------------------------------------------
    
    
    /root/.acme.sh/TROUBLE-DOMAIN_ecc/TROUBLE-DOMAIN.cer
    SHA1 Fingerprint=90BCDA45B5BB57E3E3985EA224DB4C74A755EED1
    [ below certifcate transparency link is only valid ~1hr after issuance ]
    https://crt.sh/?sha1=90BCDA45B5Bxxxxxxxx
    certificate expires in 89 days on 10 Mar 2023



    Is everything OK?
     
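    The two outputs quoted in the posts above (the `acme.sh --cron` run and `acmetool.sh checkdates`) are easy to skim past on a server with ten domains. The following is an added example, not code from the thread or from Centmin Mod, that parses constructed copies of both formats and reports which domains the Cloudflare DNS API rejected with `invalid domain` and which installed certificate files are already expired or close to it.

    ```python
    import re

    # Constructed sample in the format acme.sh --cron prints (trimmed from the thread).
    ACME_CRON_LOG = """\
    [Sat Dec 10 23:24:10 UTC 2022] ===Starting cron===
    [Sat Dec 10 23:24:10 UTC 2022] Renew: 'domain11.com'
    [Sat Dec 10 23:24:10 UTC 2022] Skip, Next renewal time is: Tue Jan 24 00:54:32 UTC 2023
    [Sat Dec 10 23:24:10 UTC 2022] Skipped domain11.com
    [Sat Dec 10 23:24:11 UTC 2022] Renew: 'TROUBLE-DOMAIN.com'
    [Sat Dec 10 23:24:18 UTC 2022] Cert success.
    [Sat Dec 10 23:24:20 UTC 2022] Renew: 'otherTROUBLE-DOMAIN.com'
    [Sat Dec 10 23:24:28 UTC 2022] invalid domain
    [Sat Dec 10 23:24:30 UTC 2022] Error renew otherTROUBLE-DOMAIN.com.
    """

    # Constructed sample in the format acmetool.sh checkdates prints.
    CHECKDATES_OUTPUT = """\
    /usr/local/nginx/conf/ssl/TROUBLE-DOMAIN/TROUBLE-DOMAIN-acme-ecc.cer
    SHA1 Fingerprint=90BCDA45B5BBxxxxx
    certificate expires in 89 days on 10 Mar 2023

    /usr/local/nginx/conf/ssl/TROUBLE-DOMAIN/TROUBLE-DOMAIN-acme.cer
    SHA1 Fingerprint=FD4FF8B9007xxxxx
    certificate expires in -258 days on 27 Mar 2022
    """

    LINE_RE = re.compile(r"^\[[^\]]+\] (.*)$")   # strip the "[date]" prefix
    DAYS_RE = re.compile(r"^certificate expires in (-?\d+) days")

    def renewal_status(log: str) -> dict:
        """Map each domain in acme.sh --cron output to its last outcome:
        skipped, renewed, dns_api_rejected (the DNS API answered 'invalid domain',
        which the thread attributes to the zone not being in the token's account)
        or failed. Dual RSA/ECC passes for one domain share a key; the last wins."""
        status, current = {}, None
        for raw in log.splitlines():
            m = LINE_RE.match(raw.strip())
            if not m:
                continue
            msg = m.group(1)
            if msg.startswith("Renew: '"):
                current = msg[len("Renew: '"):-1]
                status.setdefault(current, "unknown")
            elif current is None:
                continue
            elif msg.startswith("Skipped"):
                status[current] = "skipped"
            elif msg == "Cert success.":
                status[current] = "renewed"
            elif msg == "invalid domain":
                status[current] = "dns_api_rejected"
            elif msg.startswith("Error renew") and status[current] != "dns_api_rejected":
                status[current] = "failed"
        return status

    def cert_days_left(output: str) -> dict:
        """Map each .cer path in checkdates output to its remaining days (negative = expired)."""
        days, path = {}, None
        for line in output.splitlines():
            line = line.strip()
            if line.endswith(".cer"):
                path = line
            m = DAYS_RE.match(line)
            if m and path:
                days[path] = int(m.group(1))
        return days

    def certs_needing_attention(output: str, min_days: int = 30) -> list:
        """Paths whose certificate expires in fewer than min_days (or already has)."""
        return sorted(p for p, d in cert_days_left(output).items() if d < min_days)
    ```

    Feed it the real log by reading `/var/log/cron` or the `acmetool.sh` debug log instead of the constructed strings; the expired `-acme.cer` RSA file in the sample is exactly the kind of entry that still needs `--force` or a re-issue.
    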
  18. eva2000

    eva2000 Administrator Staff Member

    54,647
    12,230
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,799
    Local Time:
    7:43 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    Are you now using the Cloudflare DNS API for domain validation, as outlined at Letsencrypt Free SSL Certificates?

    You're getting invalid domain
    Code (Text):
    [Sat Dec 10 23:24:35 UTC 2022] Adding txt value: xxxxxsDc17ZcBtnQ7Nv_cqIk for domain:  _acme-challenge.otherTROUBLE-DOMAIN.com
    [Sat Dec 10 23:24:38 UTC 2022] invalid domain
    

    Are all domains on your server in the same Cloudflare account where the Cloudflare API Token was generated? Because if the domain isn't a zone added to and managed via that Cloudflare account/DNS, then you won't be able to use the Cloudflare DNS API for those specific domains and would ideally need to move those domains' DNS management into that Cloudflare account first.
     
  19. adamus007p

    adamus007p Member

    Yes, Cloudflare DNS API.

    It is the same account, so I do not understand.
    All domains have been created using option 22.

    How about the 1st domain, TROUBLE-DOMAIN.com? Do I need to do anything else?
     
  20. adamus007p

    adamus007p Member

    Code (Text):
    [Sun Dec 11 19:40:29 UTC 2022] Renew: 'otherdomain.com'
    [Sun Dec 11 19:40:30 UTC 2022] Using CA: https://acme-v02.api.letsencrypt.org/directory
    [Sun Dec 11 19:40:31 UTC 2022] Multi domain='DNS:otherdomain.com,DNS:www.otherdomain.com'
    [Sun Dec 11 19:40:31 UTC 2022] Getting domain auth token for each domain
    [Sun Dec 11 19:40:34 UTC 2022] Getting webroot for domain='otherdomain.com'
    [Sun Dec 11 19:40:34 UTC 2022] Getting webroot for domain='www.otherdomain.com'
    [Sun Dec 11 19:40:34 UTC 2022] Adding txt value: sQmTaW-hPC6COxxxxxxxx4 for domain:  _acme-challenge.otherdomain.com
    [Sun Dec 11 19:40:38 UTC 2022] invalid domain
    [Sun Dec 11 19:40:38 UTC 2022] Error add txt for domain:_acme-challenge.otherdomain.com
    [Sun Dec 11 19:40:38 UTC 2022] Please check log file for more details: /root/centminlogs/acmetool.sh-debug-log-280122-105529.log
    [Sun Dec 11 19:40:39 UTC 2022] Error renew otherdomain.com.
    [Sun Dec 11 19:40:40 UTC 2022] Renew: 'otherdomain.com'
    [Sun Dec 11 19:40:41 UTC 2022] Using CA: https://acme-v02.api.letsencrypt.org/directory
    [Sun Dec 11 19:40:41 UTC 2022] Multi domain='DNS:otherdomain.com,DNS:www.otherdomain.com'
    [Sun Dec 11 19:40:41 UTC 2022] Getting domain auth token for each domain
    [Sun Dec 11 19:40:44 UTC 2022] Getting webroot for domain='otherdomain.com'
    [Sun Dec 11 19:40:44 UTC 2022] Getting webroot for domain='www.otherdomain.com'
    [Sun Dec 11 19:40:44 UTC 2022] Adding txt value: CFz4DOGtlcKdhpxxxxxxxx for domain:  _acme-challenge.otherdomain.com
    [Sun Dec 11 19:40:48 UTC 2022] invalid domain
    [Sun Dec 11 19:40:48 UTC 2022] Error add txt for domain:_acme-challenge.otherdomain.com
    [Sun Dec 11 19:40:48 UTC 2022] Please check log file for more details: /root/centminlogs/acmetool.sh-debug-log-280122-105529.log
    [Sun Dec 11 19:40:50 UTC 2022] Error renew otherdomain.com_ecc.
    



    Screenshot from CF:

    upload_2022-12-11_21-12-19.png


    I see some backup; I did not do it manually on the CF side.

    I was doing a normal install from option 22 with the Cloudflare DNS API in the persistent config file.