SSL Letsencrypt Cloudflare Full (strict) not working: Error 526 Invalid SSL certificate (Authenticated Origin Pulls)

Discussion in 'Domains, DNS, Email & SSL Certificates' started by adamus007p, Dec 27, 2021.

  1. adamus007p

    adamus007p Member

    368
    18
    18
    Feb 8, 2019
    Ratings:
    +35
    Local Time:
    10:23 PM
    Great :) I am happy that you have found a bug.

    Code (Text):
    cmupdate
    No local changes to save
    Already up-to-date.
    No local changes to save
    Already up-to-date.
    [00:35][root@host ~]# echo y | /usr/local/src/centminmod/addons/acmetool.sh check_cfapi
    
    ------------------------------------------------------------------------------
    Version Check:
    ------------------------------------------------------------------------------
    !!!  there maybe a newer version of /usr/local/src/centminmod/addons/acmetool.sh available  !!!
    https://community.centminmod.com/posts/34492/
    update using centmin.sh menu option 23 submenu option 2
    
    or via command: cmupdate
    
    Always ensure Current Version is higher or equal to Latest Version
    ------------------------------------------------------------------------------
    Current acmetool.sh Version: 1.0.82
    Latest acmetool.sh Version: 1.0.83
    ------------------------------------------------------------------------------
    
    Verifying working Cloudflare DNS API Credentials
    CF API Tokens detected
    Ok: CF API Token works


    Why is it not updated?
    How do I update it?


    2. Is there any easy way to update all domains, I mean to turn off Always Use HTTPS?

     
    Last edited: Dec 15, 2022
  2. eva2000

    eva2000 Administrator Staff Member

    54,647
    12,230
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,799
    Local Time:
    7:23 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    To update now, run the command cmupdate, and then run addons/acmetool.sh any time you need to update and apply CF_Token changes from the persistent config file, i.e.
    Code (Text):
    echo y | /usr/local/src/centminmod/addons/acmetool.sh check_cfapi
    


    Wait another 15 mins to do this, as I actually haven't committed the updates yet.
     
  3. adamus007p

    adamus007p Member

    Thank you very much. :) All domains are OK, besides that one.

    Today I have checked and run:

    Code (Text):
    "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh"
    
    [Thu Dec 15 13:47:44 UTC 2022] Renew: 'domain2kr.com'
    [Thu Dec 15 13:47:45 UTC 2022] Using CA: https://acme-v02.api.letsencrypt.org/directory
    [Thu Dec 15 13:47:45 UTC 2022] Multi domain='DNS:domain2kr.com,DNS:www.domain2kr.com'
    [Thu Dec 15 13:47:46 UTC 2022] Getting domain auth token for each domain
    [Thu Dec 15 13:47:49 UTC 2022] Getting webroot for domain='domain2kr.com'
    [Thu Dec 15 13:47:49 UTC 2022] Getting webroot for domain='www.domain2kr.com'
    [Thu Dec 15 13:47:49 UTC 2022] domain2kr.com is already verified, skip dns-01.
    [Thu Dec 15 13:47:49 UTC 2022] Verifying: www.domain2kr.com
    [Thu Dec 15 13:47:50 UTC 2022] Pending, The CA is processing your order, please just wait. (1/30)
    [Thu Dec 15 13:47:53 UTC 2022] www.domain2kr.com:Verify error:2606:4700:303xxxxxxc: Invalid response from https://domain2kr.com/.well-known/acme-challenge/Zzup1t9RqLkam99Qxxxxxx: 526
    [Thu Dec 15 13:47:53 UTC 2022] Please check log file for more details: /root/centminlogs/acmetool.sh-debug-log-130719-183030.log
    [Thu Dec 15 13:47:55 UTC 2022] Error renew domain2kr.com.
    [Thu Dec 15 13:47:55 UTC 2022] Renew: 'domain2kr.com'
    [Thu Dec 15 13:47:56 UTC 2022] Using CA: https://acme-v02.api.letsencrypt.org/directory
    [Thu Dec 15 13:47:56 UTC 2022] Multi domain='DNS:domain2kr.com,DNS:www.domain2kr.com'
    [Thu Dec 15 13:47:56 UTC 2022] Getting domain auth token for each domain
    [Thu Dec 15 13:47:59 UTC 2022] Getting webroot for domain='domain2kr.com'
    [Thu Dec 15 13:47:59 UTC 2022] Getting webroot for domain='www.domain2kr.com'
    [Thu Dec 15 13:48:00 UTC 2022] domain2kr.com is already verified, skip dns-01.
    [Thu Dec 15 13:48:00 UTC 2022] Verifying: www.domain2kr.com
    [Thu Dec 15 13:48:00 UTC 2022] Pending, The CA is processing your order, please just wait. (1/30)
    [Thu Dec 15 13:48:03 UTC 2022] www.domain2kr.com:Verify error:2606:4700:3037::ac43:ab75: Invalid response from https://domain2kr.com/.well-known/acme-challenge/NvtXmLsbDT-6XZsWg40Rn5Aa_f_XEUxxxx: 526
    [Thu Dec 15 13:48:03 UTC 2022] Please check log file for more details: /root/centminlogs/acmetool.sh-debug-log-130719-183030.log
    [Thu Dec 15 13:48:05 UTC 2022] Error renew domain2kr.com_ecc.



    There is an error. How can I fix it? Please advise.

    I can provide a log when it is needed.


    This domain is a test WordPress (empty WordPress), so I can delete it and create everything from scratch.


    upload_2022-12-15_14-58-26.png

    upload_2022-12-15_14-59-28.png


    upload_2022-12-15_14-59-45.png

    domain.ssl.conf
    Code (Text):
    #x# HTTPS-DEFAULT
     server {
     
       server_name domain2kr.com www.domain2kr.com;
       return 302 https://domain2kr.com$request_uri;
       include /usr/local/nginx/conf/staticfiles.conf;
     }
    
    server {
      listen 443 ssl http2;
      server_name domain2kr.com www.domain2kr.com;
    
      include /usr/local/nginx/conf/ssl/domain2kr.com/domain2kr.com.crt.key.conf;
      include /usr/local/nginx/conf/ssl_include.conf;
    
      # cloudflare authenticated origin pull cert community.centminmod.com/threads/13847/
      ssl_client_certificate /usr/local/nginx/conf/ssl/cloudflare/domain2kr.com/origin.crt;
      ssl_verify_client on;
      #http2_max_field_size 16k;
      #http2_max_header_size 32k;
      # mozilla recommended
    
    ...
    
      include /usr/local/nginx/conf/autoprotect/domain2kr.com/autoprotect-domain2kr.com.conf;
      root /home/nginx/domains/domain2kr.com/public;
      # uncomment cloudflare.conf include if using cloudflare for
      # server and/or vhost site
      include /usr/local/nginx/conf/cloudflare.conf;
      include /usr/local/nginx/conf/503include-main.conf;
     
    Last edited: Dec 16, 2022
  4. eva2000

    eva2000 Administrator Staff Member

    The 526 error is Cloudflare's invalid SSL certificate error. Try setting the Cloudflare SSL mode from Full (strict) to Full (non-strict) first; it could be that Letsencrypt failed to validate the www version of your domain originally, so you may not have a Letsencrypt certificate on the Nginx origin server side.

    Then run the checkdates command of addons/acmetool.sh to check the dates of the Letsencrypt SSL certificates issued and installed on Nginx:
    Code (Text):
    /usr/local/src/centminmod/addons/acmetool.sh checkdates
    

    Then switch that domain from webroot domain authentication to the Cloudflare DNS API, if the domain is added to your Cloudflare account, by deleting its directories /root/.acme.sh/domain2kr.com and /root/.acme.sh/domain2kr.com_ecc (if applicable):
    Code (Text):
    cd /root/.acme.sh/
    rm -rf /root/.acme.sh/domain2kr.com
    rm -rf /root/.acme.sh/domain2kr.com_ecc
    

    Then, if you have the Cloudflare DNS API enabled via the persistent config file, try the acmetool.sh reissue-only command just for domain2kr.com.

    Try the acmetool.sh reissue-only option for existing Nginx HTTPS SSL vhosts whose domain.com.ssl.conf vhost config files exist. This only reissues the Letsencrypt SSL cert without touching the Nginx vhost. It is ideal for use when you tried creating a Nginx HTTPS SSL default vhost site but Letsencrypt SSL issuance failed the first time. When it fails, Centmin Mod usually falls back to a self-signed SSL certificate as a placeholder for the domain.com.ssl.conf vhost config. When you run:
    Code (Text):
    cd /usr/local/src/centminmod/addons
    ./acmetool.sh reissue-only domain2kr.com live
    

    It will only try reissuing the Letsencrypt SSL certificate for the domain domain2kr.com as a live production SSL certificate, without touching any of the existing Nginx vhost at domain2kr.com.ssl.conf
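The mechanism behind the failure is worth stating in full, because it is the general trap with http-01 validation behind a strict proxy. The acme.sh log shows Let's Encrypt fetching the challenge at https://domain2kr.com/.well-known/acme-challenge/… and getting 526. That request went through Cloudflare's edge, and in Full (strict) mode the edge validates the origin certificate before it will proxy anything; the origin's Letsencrypt certificate had long expired (the checkdates output in this thread reports -263 days), so the edge answered 526 and the very renewal that would have replaced the expired certificate could not complete. dns-01 through the Cloudflare API never crosses the proxy, which is why switching to it (or temporarily dropping to Full) breaks the loop. As an added example, not part of the thread or of Centmin Mod, the script below reproduces locally the three properties Full (strict) requires of an origin certificate: a chain to a trusted CA, an unexpired validity period, and a subjectAltName covering the requested hostname. The throwaway CA, the file names, the 30-day margin and the reuse of domain2kr.com from the thread are all assumptions for the demo; openssl is the only dependency.

```shell
#!/bin/sh
# Added example, not code from the thread or from Centmin Mod.
# Reproduces locally the three properties Cloudflare Full (strict) demands of
# the origin certificate (trusted chain, not expired, hostname covered); a
# certificate failing any of them is what clients see as HTTP 526.
# The throwaway CA, file names and 30-day margin are constructed assumptions
# for the demo; domain2kr.com is the domain from the thread.

# origin_cert_check CERT HOSTNAME CA_BUNDLE [MIN_DAYS]
# Returns 0 when CERT chains to CA_BUNDLE, stays valid for at least MIN_DAYS
# (acme.sh renews at 30 days, so less than that means renewal is overdue) and
# lists HOSTNAME in subjectAltName; otherwise prints each failing reason.
origin_cert_check() {
  local cert="$1" host="$2" ca="$3" min_days="${4:-30}" rc=0 sans
  # 1. chain: a self-signed placeholder never passes, whatever its dates
  if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
    echo "FAIL $host: certificate does not chain to the trusted CA bundle"
    rc=1
  fi
  # 2. expiry: -checkend exits non-zero if the cert expires within N seconds
  if ! openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null; then
    echo "FAIL $host: expires within $min_days days ($(openssl x509 -in "$cert" -noout -enddate))"
    rc=1
  fi
  # 3. names: the edge connects with the requested hostname, so the SAN list
  #    must cover it; a cert issued for the apex only still gets a 526 for www
  sans=$(openssl x509 -in "$cert" -noout -text \
         | grep -A1 'Subject Alternative Name' | tail -n 1 \
         | tr ',' '\n' | sed -n 's/.*DNS:\([^ ,]*\).*/\1/p')
  if ! printf '%s\n' "$sans" | grep -qxF -- "$host"; then
    # $sans is deliberately unquoted here to fold the list onto one line
    echo "FAIL $host: not covered by subjectAltName [$(echo $sans)]"
    rc=1
  fi
  [ "$rc" -eq 0 ] && echo "OK $host"
  return "$rc"
}

# issue_leaf DIR NAME DAYS SANS : leaf for CN=domain2kr.com signed by DIR/ca.*
issue_leaf() {
  local dir="$1" name="$2" days="$3" sans="$4"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=domain2kr.com" \
    -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
  printf 'subjectAltName=%s\n' "$sans" > "$dir/$name.ext"
  openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days "$days" -extfile "$dir/$name.ext" \
    -out "$dir/$name.crt" 2>/dev/null
}

# make_demo_certs DIR : constructed test data, a throwaway CA plus four leaves
make_demo_certs() {
  local dir="$1"
  mkdir -p "$dir"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Root CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
  openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/ca.key" -days 3650 \
    -extfile "$dir/ca.ext" -out "$dir/ca.crt" 2>/dev/null
  issue_leaf "$dir" good     90 "DNS:domain2kr.com,DNS:www.domain2kr.com"
  issue_leaf "$dir" expiring  5 "DNS:domain2kr.com,DNS:www.domain2kr.com"
  issue_leaf "$dir" apexonly 90 "DNS:domain2kr.com"
  # self-signed placeholder, like the one Centmin Mod installs when issuance fails
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=domain2kr.com" \
    -keyout "$dir/selfsigned.key" -out "$dir/selfsigned.csr" 2>/dev/null
  printf 'subjectAltName=DNS:domain2kr.com,DNS:www.domain2kr.com\n' > "$dir/selfsigned.ext"
  openssl x509 -req -in "$dir/selfsigned.csr" -signkey "$dir/selfsigned.key" \
    -days 365 -extfile "$dir/selfsigned.ext" -out "$dir/selfsigned.crt" 2>/dev/null
}

# Walk the constructed certs the way the edge would for www.domain2kr.com.
demo=$(mktemp -d)
make_demo_certs "$demo"
for leaf in good expiring apexonly selfsigned; do
  origin_cert_check "$demo/$leaf.crt" www.domain2kr.com "$demo/ca.crt" 30 || true
done
rm -rf "$demo"
```

Against a live origin, fetch the certificate the edge actually sees by bypassing the proxy, e.g. `openssl s_client -connect ORIGIN_IP:443 -servername domain2kr.com </dev/null 2>/dev/null | openssl x509 -noout -dates -subject -issuer`, save the PEM and pass it to origin_cert_check with the system bundle as the CA file (/etc/pki/tls/certs/ca-bundle.crt on this CentOS 7 host, as curl prints later in the thread). Two caveats: anything that resolves domain2kr.com through the proxied DNS shows Cloudflare's edge certificate (the GTS-issued *.domain2kr.com in the curl output), never the origin's, so the check must target the origin address; and `ssl_verify_client on` in the posted vhost (Authenticated Origin Pulls) makes the origin verify Cloudflare's client certificate, not the reverse, so it cannot cause a 526, although a direct request without that client certificate completes the TLS handshake and then gets an HTTP 400 from Nginx.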
     
  5. adamus007p

    adamus007p Member

    I run:

    Code (Text):
     cd /root/.acme.sh/
    [17:53][root@host.com .acme.sh]# rm -rf /root/.acme.sh/domainkr.com
    [17:53][root@host.com .acme.sh]# rm -rf /root/.acme.sh/domainkr.com_ecc
    [17:53][root@host.com .acme.sh]# cd /usr/local/src/centminmod/addons
    [17:54][root@host.com addons]# ./acmetool.sh reissue-only domainkr.com live
    
    -----------------------------------------------------
    updating acme.sh client...
    -----------------------------------------------------
    Cloning into 'acme.sh'...
    [Thu Dec 15 17:54:21 UTC 2022] It is recommended to install socat first.
    [Thu Dec 15 17:54:21 UTC 2022] We use socat for standalone server if you use standalone mode.
    [Thu Dec 15 17:54:21 UTC 2022] If you don't use standalone mode, just ignore this warning.
    [Thu Dec 15 17:54:21 UTC 2022] Installing to /root/.acme.sh
    [Thu Dec 15 17:54:21 UTC 2022] Installed to /root/.acme.sh/acme.sh
    [Thu Dec 15 17:54:21 UTC 2022] Installing alias to '/root/.bashrc'
    [Thu Dec 15 17:54:21 UTC 2022] OK, Close and reopen your terminal to start using acme.sh
    [Thu Dec 15 17:54:21 UTC 2022] Installing alias to '/root/.cshrc'
    [Thu Dec 15 17:54:21 UTC 2022] Installing alias to '/root/.tcshrc'
    [Thu Dec 15 17:54:21 UTC 2022] Installing cron job
    54 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null
    [Thu Dec 15 17:54:21 UTC 2022] Good, bash is found, so change the shebang to use bash as preferred.
    [Thu Dec 15 17:54:23 UTC 2022] OK
    https://github.com/acmesh-official/acme.sh
    v3.0.5
    -----------------------------------------------------
    set default acme.sh CA to letsencrypt:
    acme.sh --set-default-ca --server letsencrypt
    [Thu Dec 15 17:54:23 UTC 2022] Changed default CA to: https://acme-v02.api.letsencrypt.org/directory
    -----------------------------------------------------
    acme.sh updated
    -----------------------------------------------------
    grep 'root' /usr/local/nginx/conf/conf.d/domainkr.com.ssl.conf
      root /home/nginx/domains/domainkr.com/public;
    
    -----------------------------------------------------------
    reissue & install letsencrypt ssl certificate for domainkr.com
    -----------------------------------------------------------
    /root/.acme.sh/acme.sh --force --createDomainKey -d domainkr.com -d www.domainkr.com -k 2048 --useragent centminmod-centos7-acmesh-webroot
    [Thu Dec 15 17:54:25 UTC 2022] Creating domain key
    [Thu Dec 15 17:54:25 UTC 2022] The domain key is here: /root/.acme.sh/domainkr.com/domainkr.com.key
    testcert value = live
    /root/.acme.sh/acme.sh --force --dns dns_cf --issue -d domainkr.com -d www.domainkr.com --days 60 -w /home/nginx/domains/domainkr.com/public -k 2048 --useragent centminmod-centos7-acmesh-webroot --log /root/centminlogs/acmetool.sh-debug-log-151222-175418.log --log-level 2 --preferred-chain  "ISRG"
    [Thu Dec 15 17:54:26 UTC 2022] Using CA: https://acme-v02.api.letsencrypt.org/directory
    [Thu Dec 15 17:54:26 UTC 2022] Multi domain='DNS:domainkr.com,DNS:www.domainkr.com'
    [Thu Dec 15 17:54:26 UTC 2022] Getting domain auth token for each domain
    [Thu Dec 15 17:54:30 UTC 2022] Getting webroot for domain='domainkr.com'
    [Thu Dec 15 17:54:30 UTC 2022] Getting webroot for domain='www.domainkr.com'
    [Thu Dec 15 17:54:30 UTC 2022] domainkr.com is already verified, skip dns-01.
    [Thu Dec 15 17:54:30 UTC 2022] Verifying: www.domainkr.com
    [Thu Dec 15 17:54:31 UTC 2022] Pending, The CA is processing your order, please just wait. (1/30)
    [Thu Dec 15 17:54:34 UTC 2022] www.domainkr.com:Verify error:2606:4700:3036::6815:1d6c: Invalid response from https://domainkr.com/.well-known/acme-challenge/VmOFBNSihkleWJ_wvZlaQdxxxxx: 526
    [Thu Dec 15 17:54:34 UTC 2022] Please check log file for more details: /root/centminlogs/acmetool.sh-debug-log-151222-175418.log
    LECHECK = 1
    
    log files saved at /root/centminlogs
    -rw-r--r-- 1 root root  44K Dec 15 17:54 acmetool.sh-debug-log-151222-175418.log
    -rw-r--r-- 1 root root 3.6K Dec 15 17:54 acmesh-reissue-only_151222-175418.log
    
    



    There is some error.



    Code (Text):
    /usr/local/src/centminmod/addons/acmetool.sh checkdates
    ----------------------------------------------
    acme.sh obtained
    ----------------------------------------------
    
    /root/.acme.sh/domainkr.com/domainkr.com.cer
    SHA1 Fingerprint=0457F2E145Exx0xxxxxxx
    [ below certifcate transparency link is only valid ~1hr after issuance ]
    https://crt.sh/?sha1=0457F2E145ED40E2xxxx
    certificate expires in -263 days on 27 Mar 2022
    
    /root/.acme.sh/domainkr.com_ecc/domainkr.com.cer
    SHA1 Fingerprint=5B8A722Axx61xxxxx
    [ below certifcate transparency link is only valid ~1hr after issuance ]
    https://crt.sh/?sha1=5B8A722A4E61DCDC073085xxxx
    certificate expires in -263 days on 27 Mar 2022
    
    

    When I run this command I see many domains have a negative expiry time.
     
    Last edited: Dec 16, 2022
  6. adamus007p

    adamus007p Member

    I believe that I could have messed something up.

    I don't know why but I have in Edge Certificates

    upload_2022-12-16_0-58-58.png


    and backup

    upload_2022-12-16_1-0-10.png


    I read somewhere to disable
    upload_2022-12-16_1-0-42.png
    and enable it again.


    I don't know why the SSL is not certified by Cloudflare and there is no year of validity.

    I was trying to run:
    Code (Text):
     /root/.acme.sh/acme.sh --force --issue -d domain2kr.com -d www.domain2kr.com --days 60 -w /home/nginx/domains/domain2kr.com/public -k 2048 --useragent centminmod-centos7-acmesh-webroot
    [Thu Dec 15 22:04:43 UTC 2022] Using CA: https://acme-v02.api.letsencrypt.org/directory
    [Thu Dec 15 22:04:43 UTC 2022] Multi domain='DNS:domain2kr.com,DNS:www.domain2kr.com'
    [Thu Dec 15 22:04:43 UTC 2022] Getting domain auth token for each domain
    [Thu Dec 15 22:04:46 UTC 2022] Getting webroot for domain='domain2kr.com'
    [Thu Dec 15 22:04:46 UTC 2022] Getting webroot for domain='www.domain2kr.com'
    [Thu Dec 15 22:04:46 UTC 2022] domain2kr.com is already verified, skip http-01.
    [Thu Dec 15 22:04:47 UTC 2022] Verifying: www.domain2kr.com
    [Thu Dec 15 22:04:47 UTC 2022] Pending, The CA is processing your order, please just wait. (1/30)
    [Thu Dec 15 22:04:51 UTC 2022] www.domain2kr.com:Verify error:2606:4700:3037::ac43:ab75: Invalid response from https://domain2kr.com/.well-known/acme-challenge/qA_K6QO1H77egOQXiPLPccxx: 526
    [Thu Dec 15 22:04:51 UTC 2022] Please check log file for more details: /root/centminlogs/acmetool.sh-debug-log-151222-180247.log
    [Thu Dec 15 22:04:51 UTC 2022] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 3
    You have new mail in /var/spool/mail/root



    This is still the same domain from above, but possibly I messed it up more :(
    Hopefully it is a test blog.
     
  7. eva2000

    eva2000 Administrator Staff Member

    Did you set the Cloudflare SSL mode to Full (non-strict) first? Full (strict) requires the origin Nginx to have a valid SSL certificate, but yours expired March 27, 2022.
     
  8. eva2000

    eva2000 Administrator Staff Member

  9. adamus007p

    adamus007p Member

    I followed the steps from below and removed those certs, but I still have Invalid SSL certificate Error code 526 and

    Code (Text):
    [11:22][root@host.host.com addons]# ./acmetool.sh reissue-only domain2kr.com live
    
    -----------------------------------------------------
    updating acme.sh client...
    -----------------------------------------------------
    Cloning into 'acme.sh'...
    [Fri Dec 16 11:22:06 UTC 2022] It is recommended to install socat first.
    [Fri Dec 16 11:22:06 UTC 2022] We use socat for standalone server if you use standalone mode.
    [Fri Dec 16 11:22:06 UTC 2022] If you don't use standalone mode, just ignore this warning.
    [Fri Dec 16 11:22:06 UTC 2022] Installing to /root/.acme.sh
    [Fri Dec 16 11:22:06 UTC 2022] Installed to /root/.acme.sh/acme.sh
    [Fri Dec 16 11:22:06 UTC 2022] Installing alias to '/root/.bashrc'
    [Fri Dec 16 11:22:06 UTC 2022] OK, Close and reopen your terminal to start using acme.sh
    [Fri Dec 16 11:22:06 UTC 2022] Installing alias to '/root/.cshrc'
    [Fri Dec 16 11:22:06 UTC 2022] Installing alias to '/root/.tcshrc'
    [Fri Dec 16 11:22:06 UTC 2022] Installing cron job
    54 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null
    [Fri Dec 16 11:22:06 UTC 2022] Good, bash is found, so change the shebang to use bash as preferred.
    [Fri Dec 16 11:22:08 UTC 2022] OK
    https://github.com/acmesh-official/acme.sh
    v3.0.5
    -----------------------------------------------------
    set default acme.sh CA to letsencrypt:
    acme.sh --set-default-ca --server letsencrypt
    [Fri Dec 16 11:22:08 UTC 2022] Changed default CA to: https://acme-v02.api.letsencrypt.org/directory
    -----------------------------------------------------
    acme.sh updated
    -----------------------------------------------------
    grep 'root' /usr/local/nginx/conf/conf.d/domain2kr.com.ssl.conf
      root /home/nginx/domains/domain2kr.com/public;
    
    -----------------------------------------------------------
    reissue & install letsencrypt ssl certificate for domain2kr.com
    -----------------------------------------------------------
    /root/.acme.sh/acme.sh --force --createDomainKey -d domain2kr.com -d www.domain2kr.com -k 2048 --useragent centminmod-centos7-acmesh-webroot
    [Fri Dec 16 11:22:10 UTC 2022] Creating domain key
    [Fri Dec 16 11:22:10 UTC 2022] The domain key is here: /root/.acme.sh/domain2kr.com/domain2kr.com.key
    testcert value = live
    /root/.acme.sh/acme.sh --force --dns dns_cf --issue -d domain2kr.com -d www.domain2kr.com --days 60 -w /home/nginx/domains/domain2kr.com/public -k 2048 --useragent centminmod-centos7-acmesh-webroot --log /root/centminlogs/acmetool.sh-debug-log-161222-112203.log --log-level 2 --preferred-chain  "ISRG"
    [Fri Dec 16 11:22:11 UTC 2022] Using CA: https://acme-v02.api.letsencrypt.org/directory
    [Fri Dec 16 11:22:11 UTC 2022] Multi domain='DNS:domain2kr.com,DNS:www.domain2kr.com'
    [Fri Dec 16 11:22:12 UTC 2022] Getting domain auth token for each domain
    [Fri Dec 16 11:22:15 UTC 2022] Getting webroot for domain='domain2kr.com'
    [Fri Dec 16 11:22:15 UTC 2022] Getting webroot for domain='www.domain2kr.com'
    [Fri Dec 16 11:22:15 UTC 2022] domain2kr.com is already verified, skip dns-01.
    [Fri Dec 16 11:22:15 UTC 2022] Verifying: www.domain2kr.com
    [Fri Dec 16 11:22:16 UTC 2022] Pending, The CA is processing your order, please just wait. (1/30)
    [Fri Dec 16 11:22:19 UTC 2022] www.domain2kr.com:Verify error:2606:4700:3036::6815:1d6c: Invalid response from https://domain2kr.com/.well-known/acme-challenge/37XPiKFSLrm3QaMxxx: 526
    [Fri Dec 16 11:22:19 UTC 2022] Please check log file for more details: /root/centminlogs/acmetool.sh-debug-log-161222-112203.log
    LECHECK = 1
    
    log files saved at /root/centminlogs
    -rw-r--r-- 1 root root  44K Dec 16 11:22 acmetool.sh-debug-log-161222-112203.log
    -rw-r--r-- 1 root root 3.6K Dec 16 11:22 acmesh-reissue-only_161222-112203.log
    
    
     
    Last edited: Dec 16, 2022
  10. eva2000

    eva2000 Administrator Staff Member

    Strange that it's still trying webroot domain validation via /.well-known URLs but you have Cloudflare DNS API validation enabled.

    Did you set the Cloudflare SSL mode to Full (non-strict) first? Full (strict) requires the origin Nginx to have a valid SSL certificate, but yours expired March 27, 2022.

    What's the current output of the curl header response checks for the commands below?
    Code (Text):
    curl -6Iv https://domain2kr.com
    

    Code (Text):
    curl -6Iv https://www.domain2kr.com
    

    Code (Text):
    curl -6Iv http://domain2kr.com
    

    Code (Text):
    curl -6Iv http://www.domain2kr.com
    

    and
    Code (Text):
    curl -4Iv https://domain2kr.com
    

    Code (Text):
    curl -4Iv https://www.domain2kr.com
    

    Code (Text):
    curl -4Iv http://domain2kr.com
    

    Code (Text):
    curl -4Iv http://www.domain2kr.com
    

    Wrap outputs in CODE/CODEB BBCODE tags
     
  11. adamus007p

    adamus007p Member

    SSL is set up as Full (strict). Shall I change it first to non-strict and run the command again?


    Code (Text):
    [13:07][root@host.host.com ~]# curl -6Iv https://domain2kr.com
    * About to connect() to domain2kr.com port 443 (#0)
    *   Trying 2606:4700:3036::6815:xxxx...
    * Connection timed out
    *   Trying 2606:4700:3037::ac43:xxxx...
    * No route to host
    * Failed connect to domain2kr.com:443; No route to host
    * Closing connection 0
    curl: (7) Failed connect to domain2kr.com:443; No route to host
    [13:08][root@host.host.com ~]# curl -6Iv https://www.domain2kr.com
    * About to connect() to www.domain2kr.com port 443 (#0)
    *   Trying 2606:4700:3036::6815:xxxx...
    * Connection timed out
    *   Trying 2606:4700:3037::ac43:xxxx...
    * No route to host
    * Failed connect to www.domain2kr.com:443; No route to host
    * Closing connection 0
    curl: (7) Failed connect to www.domain2kr.com:443; No route to host
    You have new mail in /var/spool/mail/root
    [13:10][root@host.host.com ~]# curl -6Iv http://domain2kr.com
    * About to connect() to domain2kr.com port 80 (#0)
    *   Trying 2606:4700:3036::6815:xxxx...
    * No route to host
    *   Trying 2606:4700:3037::ac43:xxxx...
    * No route to host
    * Failed connect to domain2kr.com:80; No route to host
    * Closing connection 0
    curl: (7) Failed connect to domain2kr.com:80; No route to host
    [13:11][root@host.host.com ~]# curl -6Iv http://www.domain2kr.com
    * About to connect() to www.domain2kr.com port 80 (#0)
    *   Trying 2606:4700:3037::ac43:xxx...
    * No route to host
    *   Trying 2606:4700:3036::6815:xxxx...
    * No route to host
    * Failed connect to www.domain2kr.com:80; No route to host
    * Closing connection 0
    curl: (7) Failed connect to www.domain2kr.com:80; No route to host
    [13:11][root@host.host.com ~]# curl -4Iv https://domain2kr.com
    * About to connect() to domain2kr.com port 443 (#0)
    *   Trying 172.67.171.117...
    * Connected to domain2kr.com (172.67.171.117) port 443 (#0)
    * Initializing NSS with certpath: sql:/etc/pki/nssdb
    *   CAfile: /etc/pki/tls/certs/ca-bundle.crt
      CApath: none
    * SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    * Server certificate:
    *       subject: CN=*.domain2kr.com
    *       start date: Dec 15 17:02:26 2022 GMT
    *       expire date: Mar 15 17:02:25 2023 GMT
    *       common name: *.domain2kr.com
    *       issuer: CN=GTS CA 1P5,O=Google Trust Services LLC,C=US
    > HEAD / HTTP/1.1
    > User-Agent: curl/7.29.0
    > Host: domain2kr.com
    > Accept: */*
    >
    < HTTP/1.1 526
    HTTP/1.1 526
    < Date: Fri, 16 Dec 2022 13:12:07 GMT
    Date: Fri, 16 Dec 2022 13:12:07 GMT
    < Content-Length: 0
    Content-Length: 0
    < Connection: keep-alive
    Connection: keep-alive
    < Cache-Control: no-store, no-cache
    Cache-Control: no-store, no-cache
    < CF-Cache-Status: DYNAMIC
    CF-Cache-Status: DYNAMIC
    < Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=Lq6DQUCdliqiXyHxxxxxxxxxxx%2FVRYfvbYn13vN6B4qTcnCpe7A%3D%3D"}],"group":"cf-nel","max_age":604800}
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=Lq6DQUCdliqiXyHmK7xxxxxxxwN8yAL%2FVRYfvbYn13vN6B4qTcnCpe7A%3D%3D"}],"group":"cf-nel","max_age":604800}
    < NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    < Server: cloudflare
    Server: cloudflare
    < CF-RAY: 77a7ab38bxxx-FRA
    CF-RAY: 77a7ab3xxxx-FRA
    < alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
    alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
    
    <
    * Connection #0 to host domain2kr.com left intact
    [13:12][root@host.host.com ~]# curl -4Iv https://www.domain2kr.com
    * About to connect() to www.domain2kr.com port 443 (#0)
    *   Trying 172.67.xxx.xxx...
    * Connected to www.domain2kr.com (172.67.xxx.xxx) port 443 (#0)
    * Initializing NSS with certpath: sql:/etc/pki/nssdb
    *   CAfile: /etc/pki/tls/certs/ca-bundle.crt
      CApath: none
    * SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    * Server certificate:
    *       subject: CN=*.domain2kr.com
    *       start date: Dec 15 17:02:26 2022 GMT
    *       expire date: Mar 15 17:02:25 2023 GMT
    *       common name: *.domain2kr.com
    *       issuer: CN=GTS CA 1P5,O=Google Trust Services LLC,C=US
    > HEAD / HTTP/1.1
    > User-Agent: curl/7.29.0
    > Host: www.domain2kr.com
    > Accept: */*
    >
    < HTTP/1.1 526
    HTTP/1.1 526
    < Date: Fri, 16 Dec 2022 13:12:17 GMT
    Date: Fri, 16 Dec 2022 13:12:17 GMT
    < Content-Length: 0
    Content-Length: 0
    < Connection: keep-alive
    Connection: keep-alive
    < Cache-Control: no-store, no-cache
    Cache-Control: no-store, no-cache
    < CF-Cache-Status: DYNAMIC
    CF-Cache-Status: DYNAMIC
    < Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=Y0GtqYPrgJT9gd54gxxxxhdQmz6FQKPSQ1TdnYMRU24JF7v2wm0e%2BuJeQNyP41L0%3D"}],"group":"cf-nel","max_age":604800}
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=Y0GtqYPrgJT9gd54gVXxxxxxxexxxFQKPSQ1TdnYMRU24JF7v2wm0e%2BuJeQNyP41L0%3D"}],"group":"cf-nel","max_age":604800}
    < NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    < Server: cloudflare
    Server: cloudflare
    < CF-RAY: 77a7ab75xxx-FRA
    CF-RAY: 77a7ab75bxxx-FRA
    < alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
    alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
    
    <
    * Connection #0 to host www.domain2kr.com left intact
    [13:12][root@host.host.com ~]# curl -4Iv http://domain2kr.com
    * About to connect() to domain2kr.com port 80 (#0)
    *   Trying 104.21.29.108...
    * Connected to domain2kr.com (104.21.29.xxx) port 80 (#0)
    > HEAD / HTTP/1.1
    > User-Agent: curl/7.29.0
    > Host: domain2kr.com
    > Accept: */*
    >
    < HTTP/1.1 302 Found
    HTTP/1.1 302 Found
    < Date: Fri, 16 Dec 2022 13:12:27 GMT
    Date: Fri, 16 Dec 2022 13:12:27 GMT
    < Content-Type: text/html
    Content-Type: text/html
    < Connection: keep-alive
    Connection: keep-alive
    < Location: https://domain2kr.com/
    Location: https://domain2kr.com/
    < X-Powered-By: centminmod
    X-Powered-By: centminmod
    < CF-Cache-Status: DYNAMIC
    CF-Cache-Status: DYNAMIC
    < Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=QvP5DmIuwygJ1qxxxxxxxxxTnhE26Hiym%2Bsb%2B24xoS54A7X%2B0BoFYQc%2FtAbJQ%3D%3D"}],"group":"cf-nel","max_age":604800}
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=QvP5DmIuwyxxxxx8HLEQZTnhE26Hiym%2Bsb%2B24xoS54A7X%2B0BoFYQc%2FtAbJQ%3D%3D"}],"group":"cf-nel","max_age":604800}
    < NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    < Server: cloudflare
    Server: cloudflare
    < CF-RAY: 77a7abb41d6xxx-FRA
    CF-RAY: 77a7abb41d6xxxx-FRA
    < alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
    alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
    
    <
    * Connection #0 to host domain2kr.com left intact
    [13:12][root@host.host.com ~]# curl -4Iv http://www.domain2kr.com
    * About to connect() to www.domain2kr.com port 80 (#0)
    *   Trying 172.67.171.117...
    * Connected to www.domain2kr.com (172.67.171.117) port 80 (#0)
    > HEAD / HTTP/1.1
    > User-Agent: curl/7.29.0
    > Host: www.domain2kr.com
    > Accept: */*
    >
    < HTTP/1.1 302 Found
    HTTP/1.1 302 Found
    < Date: Fri, 16 Dec 2022 13:12:33 GMT
    Date: Fri, 16 Dec 2022 13:12:33 GMT
    < Content-Type: text/html
    Content-Type: text/html
    < Connection: keep-alive
    Connection: keep-alive
    < Location: https://domain2kr.com/
    Location: https://domain2kr.com/
    < X-Powered-By: centminmod
    X-Powered-By: centminmod
    < CF-Cache-Status: DYNAMIC
    CF-Cache-Status: DYNAMIC
    < Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=74zzN65O9%2B5jxxxxjG%2B3WyM5SEtNezM%2BN%2Fy84Q0wAxhVP%2FNSrW7He1r%2BGpuSrsNjYz9Fcz%2FG8%3D"}],"group":"cf-nel","max_age":604800}
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=74zzN65O9%2B5j0xxxxM5SEtNezM%2BN%2Fy84Q0wAxhVP%2FNSrW7He1r%2BGpuSrsNjYz9Fcz%2FG8%3D"}],"group":"cf-nel","max_age":604800}
    < NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    < Server: cloudflare
    Server: cloudflare
    < CF-RAY: 77a7abd7d89b8ffe-FRA
    CF-RAY: 77a7abd7d89b8ffe-FRA
    < alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
    alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
    
    <
    * Connection #0 to host www.domain2kr.com left intact
    [13:12][root@host.host.com ~]#




    I have changed from Full (strict) to Full mode and run the command again:
    Code (Text):
    cd /usr/local/src/centminmod/addons
    ./acmetool.sh reissue-only domain2kr.com live


    Now it seems to be OK.

    Now I am back to Full (strict) in Cloudflare and the website is OK :)

    Thank you very much :)
    Is there anything else that I should do?


    What will happen later when this origin certificate expires: do I need to manually change from Full (strict) to Full and renew it again? Or will the cron do everything automatically?
     
    Last edited: Dec 16, 2022
  12. eva2000

    eva2000 Administrator Staff Member

    Full (strict) requires a valid origin side SSL certificate, so that's why yours failed when your origin Letsencrypt certificate expired in March 2022. Once you have reissued a valid Letsencrypt SSL certificate, future renewals should work. Or you can just leave it using Cloudflare Full (non-strict).

    Ideally, for future sites just use Cloudflare DNS API Letsencrypt Free SSL Certificates instead of Centmin Mod's default webroot domain validation.
     
  13. adamus007p

    adamus007p Member

    Now after your help everything is working OK.
    I was just wondering whether, when the origin side SSL expires, it will be automatically renewed by cron while Full strict SSL is enabled.

    Do you know?

    When my 1st blog was created with Centmin Mod default webroot domain validation and later I added Cloudflare DNS API Letsencrypt Free SSL Certificates, do I need to change it on the 1st blog or will it be automatically changed/covered by the API?
     
  14. eva2000

    eva2000 Administrator Staff Member

    54,647
    12,230
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,799
    Local Time:
    7:23 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    It should renew 30 days before expiry, so it wouldn't have expired and renewal should work. Not sure why yours didn't renew.

    I'd have to retest this on my end; it should switch to Cloudflare DNS API but might not have. But that's why I suggested you remove /root/.acme.sh/yourdomain.com/ and /root/.acme.sh/yourdomain.com_ecc/ before switching to Cloudflare DNS API.
    Code (Text):
    cd /root/.acme.sh/
    rm -rf /root/.acme.sh/yourdomain.com/
    rm -rf /root/.acme.sh/yourdomain.com_ecc/
    

    The acme.sh config file for the domain, /root/.acme.sh/yourdomain.com/yourdomain.com.conf and, if applicable, /root/.acme.sh/yourdomain.com_ecc/yourdomain.com.conf, has an entry that tells acme.sh whether to use webroot or CF DNS domain validation.

    For webroot the config file lists
    Code (Text):
    Le_Webroot='/home/nginx/domains/yourdomain.com/public'

    For CF DNS API the config file lists
    Code (Text):
    Le_Webroot='dns_cf'
     
  15. adamus007p

    adamus007p Member

    368
    18
    18
    Feb 8, 2019
    Ratings:
    +35
    Local Time:
    10:23 PM
    Maybe that domain was created with Centmin Mod default webroot domain validation?
     
  16. adamus007p

    adamus007p Member

    368
    18
    18
    Feb 8, 2019
    Ratings:
    +35
    Local Time:
    10:23 PM
    How to list all domains which use CF DNS domain validation?

    I see that some domains do not have
    Code (Text):
    /root/.acme.sh/yourdomain.com_ecc/


    and then I open a config

    Code (Text):
    Le_Webroot='/home/nginx/domains/yourdomain.com/public'


    so it is a webroot.

    The answer is that it was not automatically changed to CF DNS domain validation when I added the API to the persistent file.
     
    Last edited: Dec 17, 2022
  17. eva2000

    eva2000 Administrator Staff Member

    54,647
    12,230
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,799
    Local Time:
    7:23 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    I just updated 130.00beta01 addons/acmetool.sh checkdates to support reporting which Letsencrypt validation method was used and configured in each domain's acme.sh conf file's Le_Webroot value, see https://community.centminmod.com/th...ol-sh-checkdate-option-in-130-00beta01.23544/

    The _ecc directories are only created if you enabled Letsencrypt SSL with dual SSL certificate support, so 2x SSL certificates are issued, one for RSA 2048bit and one for ECDSA 256bit certificates https://community.centminmod.com/th...-dual-ecdsa-rsa-ssl-certificate-support.7449/ when persistent config file /etc/centminmod/custom_config.inc is set with
    Code (Text):
    LETSENCRYPT_DETECT='y'
    DUALCERTS='y'
    
     
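The question above ("How to list all domains which use CF DNS domain validation?") and the reply about _ecc directories can be answered with one scan of the acme.sh home. This is an added example, not Centmin Mod's or acme.sh's own code; it assumes the layout described in the thread (/root/.acme.sh/<domain>/<domain>.conf with a Le_Webroot line, and a <domain>_ecc twin when DUALCERTS='y'), and builds a constructed sample tree so it runs offline.

```shell
#!/bin/sh
# Added example (not Centmin Mod's or acme.sh's own code): report, per domain,
# which Letsencrypt validation method its acme.sh conf uses (Le_Webroot value)
# and whether an _ecc directory (DUALCERTS ECDSA cert) exists beside it.

# Print the Le_Webroot value from one acme.sh domain conf, or "unknown".
le_webroot_of() {
    val=$(sed -n "s/^Le_Webroot='\([^']*\)'.*/\1/p" "$1" 2>/dev/null | head -n 1)
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf 'unknown\n'; fi
}

# Map a Le_Webroot value to the validation method acme.sh will use on renewal.
method_of() {
    case "$1" in
        dns_cf)  echo "cloudflare-dns-api" ;;
        /*)      echo "webroot" ;;
        unknown) echo "unknown" ;;
        *)       echo "other:$1" ;;
    esac
}

# Scan an acme.sh home (default /root/.acme.sh); print "domain method dualcert".
# Only the RSA directories are walked; the _ecc twin is reported as a yes/no flag.
list_validation_methods() {
    home="${1:-/root/.acme.sh}"
    for dir in "$home"/*/; do
        dir="${dir%/}"; domain="${dir##*/}"
        # skip acme.sh's own directories and the ECC twins
        case "$domain" in *_ecc|ca|deploy|dnsapi|notify) continue ;; esac
        conf="$dir/$domain.conf"
        [ -f "$conf" ] || continue
        dual=no; [ -d "${dir}_ecc" ] && dual=yes
        printf '%s %s %s\n' "$domain" "$(method_of "$(le_webroot_of "$conf")")" "$dual"
    done
}

# Constructed sample tree (hypothetical domains, not a real server) so the scan
# can be exercised offline: one old webroot domain, one dual-cert dns_cf domain.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/old.example" "$root/new.example" "$root/new.example_ecc"
    echo "Le_Webroot='/home/nginx/domains/old.example/public'" > "$root/old.example/old.example.conf"
    echo "Le_Webroot='dns_cf'" > "$root/new.example/new.example.conf"
    echo "Le_Webroot='dns_cf'" > "$root/new.example_ecc/new.example.conf"
    printf '%s\n' "$root"
}

# Stand-alone run over the constructed tree; pass /root/.acme.sh on a real host.
list_validation_methods "$(make_sample_tree)"
```

Any domain reported as "webroot" is still renewing through Centmin Mod's default webroot validation regardless of the CF_Token in the persistent config.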
  18. adamus007p

    adamus007p Member

    368
    18
    18
    Feb 8, 2019
    Ratings:
    +35
    Local Time:
    10:23 PM
    I thought that, so even though I have DUALCERTS there is no
    Code (Text):
    /root/.acme.sh/yourdomain.com_ecc/

    It also concerns an old domain created in 2019, when I started using Centminmod.
     
  19. adamus007p

    adamus007p Member

    368
    18
    18
    Feb 8, 2019
    Ratings:
    +35
    Local Time:
    10:23 PM

    What should I do to recreate everything after it? For all domains?

    Code (Text):
    cd /usr/local/src/centminmod/addons
    ./acmetool.sh reissue-only domain.com live
    


    for every domain?
     
  20. eva2000

    eva2000 Administrator Staff Member

    54,647
    12,230
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,799
    Local Time:
    7:23 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    For recreating the _ecc directory and ECDSA 256bit SSL certs you mean? Did those domains originally have DUALCERTS='y' when you first created the Nginx HTTPS site with SSL?

    I believe you did run the rm commands I listed previously, which would have been for _ecc too. But on the reissue-only run it should have recreated them if DUALCERTS='y' was enabled.

    When you created the nginx vhost via centmin.sh menu option 2, 22 or the nv command or acmetool.sh, you would have automatically created nginx_addvhost and nginx_addvhost-remove-cmds logs in /root/centminlogs. You can find those logs via an ls listing in reverse time order, filtered by the nginx_addvhost filename, using the command below
    Code (Text):
    ls -lahrt /root/centminlogs/ | grep addvhost
    

    example
    Code (Text):
    ls -lahrt /root/centminlogs/ | grep addvhost
    -rw-r--r--.  1 root root 1.1K May 18 14:09 centminmod_1.2.3-eva2000.09.005_180517-140925_nginx_addvhost-remove-cmds-domain.com.log
    -rw-r--r--.  1 root root 4.4K May 18 14:09 centminmod_1.2.3-eva2000.09.005_180517-140925_nginx_addvhost.log
    

    You can inspect those logs to see if DUALCERTS='y' was properly triggered, as there would be 2 sets of /root/.acme.sh/acme.sh --force --issue and /root/.acme.sh/acme.sh --installcert commands, one for RSA 2048bit and one for ECDSA 256bit SSL. You can also verify by checking if the nginx_addvhost.log has a line for = get 2nd SSL cert issued for dual ssl cert config

    You can also inspect each acme log generated on acme.sh run and saved to /root/centminlogs/ via listing logs first
    Code (Text):
    ls -lahrt /root/centminlogs/ | grep acme

    and then inspecting those too.