I am getting this error:

Code (Text):
insidepromod.com:Verify error:Fetching https://insidepromod.com/.well-known/acme-challenge/pRwLOn1K1iHuIRauvrvRBlLv3zZ0KPfXwgbyeBDjzXM: Too many redirects

When running this command:

Code (Text):
/root/.acme.sh/acme.sh --force --issue --days 60 -d insidepromod.com -d www.insidepromod.com -w /home/nginx/domains/insidepromod.com/public -k 2048 --useragent centminmod-centos-acmesh-webroot --log /root/centminlogs/acmetool.sh-debug-log-insidepromod.com.log --log-level 2

Any help would be much appreciated.

Thanks,
Itworx4me
First try running your intended SSL certificate domain through the letsdebug.net online testing tool to check for potential errors with HTTP-01 validation. For your domain it has errors:

Let's Debug

you have Cloudflare on domain but CF SSL cert has not been issued yet - it can have delays by up to 24hrs
you have bad redirect - too many redirects

Code:
BadRedirect
ERROR
Sending an ACME HTTP validation request to insidepromod.com results in an unacceptable redirect. This is most likely a misconfiguration of your web server or your web application.
Too many (10) redirects, last redirect was to: https://insidepromod.com/.well-known/acme-challenge/letsdebug-test
Trace:
@0ms: Making a request to http://insidepromod.com/.well-known/acme-challenge/letsdebug-test (using initial IP 2606:4700:3034::681c:196d)
@0ms: Dialing 2606:4700:3034::681c:196d
@119ms: Server response: HTTP 302 Moved Temporarily
@119ms: Received redirect to https://insidepromod.com/.well-known/acme-challenge/letsdebug-test
@119ms: Dialing 2606:4700:3034::681c:196d
@207ms: Server response: HTTP 302 Moved Temporarily
@207ms: Received redirect to https://insidepromod.com/.well-known/acme-challenge/letsdebug-test
@281ms: Server response: HTTP 302 Moved Temporarily
@281ms: Received redirect to https://insidepromod.com/.well-known/acme-challenge/letsdebug-test
@355ms: Server response: HTTP 302 Moved Temporarily
@355ms: Received redirect to https://insidepromod.com/.well-known/acme-challenge/letsdebug-test
@394ms: Server response: HTTP 302 Moved Temporarily
@394ms: Received redirect to https://insidepromod.com/.well-known/acme-challenge/letsdebug-test
@468ms: Server response: HTTP 302 Moved Temporarily
@468ms: Received redirect to https://insidepromod.com/.well-known/acme-challenge/letsdebug-test
@508ms: Server response: HTTP 302 Moved Temporarily
@508ms: Received redirect to https://insidepromod.com/.well-known/acme-challenge/letsdebug-test
@548ms: Server response: HTTP 302 Moved Temporarily
@548ms: Received redirect to https://insidepromod.com/.well-known/acme-challenge/letsdebug-test
@588ms: Server response: HTTP 302 Moved Temporarily
@588ms: Received redirect to https://insidepromod.com/.well-known/acme-challenge/letsdebug-test
@665ms: Server response: HTTP 302 Moved Temporarily

When you create a new nginx vhost domain via centmin.sh menu option 2 or menu option 22 or via /usr/bin/nv cli command line, you will create the Nginx vhost files and directories. You will get an output of the path location where it will create the domain name's vhost conf file named newdomain.com.conf (and newdomain.com.ssl.conf if you selected yes to self signed SSL)

Nginx vhost conf path will be at /usr/local/nginx/conf/conf.d/newdomain.com.conf
Nginx HTTP/2 SSL vhost conf path will be at /usr/local/nginx/conf/conf.d/newdomain.com.ssl.conf
Nginx Self-Signed SSL Certificate Directory at /usr/local/nginx/conf/ssl/newdomain.com
Vhost public web root will be at /home/nginx/domains/newdomain.com/public
Vhost log directory will be at /home/nginx/domains/newdomain.com/log

Please post the contents of /usr/local/nginx/conf/conf.d/newdomain.com.conf and if applicable /usr/local/nginx/conf/conf.d/newdomain.com.ssl.conf wrapped in CODE tags (outlined at How to use forum BBCODE code tags)

What is the output of these commands in ssh?

Code (Text):
curl -I https://domain.com

Code (Text):
curl -I https://www.domain.com

Code (Text):
curl -I http://domain.com

Code (Text):
curl -I http://www.domain.com

Wrap output in CODE tags.
I chose option #2 when creating the vhost. I chose option #4 when creating the letsencrypt (live https). It never created the acme ssl files. It looks like it fell back on a self signed ssl.

Here is the information you requested:

Code (Text):
curl -I https://domain.com

Code (Text):
HTTP/1.1 302 Moved Temporarily
Date: Sun, 22 Mar 2020 13:35:24 GMT
Content-Type: text/html
Connection: keep-alive
Set-Cookie: __cfduid=d844693781d4db7c70cbd7ca6354932b31584884124; expires=Tue, 21-Apr-20 13:35:24 GMT; path=/; domain=.insidepromod.com; HttpOnly; SameSite=Lax
Location: https://insidepromod.com/
X-Powered-By: centminmod
CF-Cache-Status: DYNAMIC
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Server: cloudflare
CF-RAY: 57804bb1fcd5e968-MIA

Code (Text):
curl -I https://www.domain.com

Code (Text):
HTTP/1.1 302 Moved Temporarily
Date: Sun, 22 Mar 2020 13:42:37 GMT
Content-Type: text/html
Connection: keep-alive
Set-Cookie: __cfduid=d5501eb1c0ff78c4be49e9f6ed609b2be1584884557; expires=Tue, 21-Apr-20 13:42:37 GMT; path=/; domain=.insidepromod.com; HttpOnly; SameSite=Lax
Location: https://insidepromod.com/
X-Powered-By: centminmod
CF-Cache-Status: DYNAMIC
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Server: cloudflare
CF-RAY: 57805645eac2c88f-MIA

Code (Text):
curl -I http://domain.com

Code (Text):
HTTP/1.1 302 Moved Temporarily
Date: Sun, 22 Mar 2020 13:43:31 GMT
Content-Type: text/html
Connection: keep-alive
Set-Cookie: __cfduid=d979ff6cf912bd9283c824fb6334e28521584884611; expires=Tue, 21-Apr-20 13:43:31 GMT; path=/; domain=.insidepromod.com; HttpOnly; SameSite=Lax
Location: https://insidepromod.com/
X-Powered-By: centminmod
CF-Cache-Status: DYNAMIC
Server: cloudflare
CF-RAY: 57805796cf4de954-MIA

Code (Text):
curl -I http://www.domain.com

Code (Text):
HTTP/1.1 302 Moved Temporarily
Date: Sun, 22 Mar 2020 13:44:26 GMT
Content-Type: text/html
Connection: keep-alive
Set-Cookie: __cfduid=d6d370a7e5586e393d46594a873ac12d31584884666; expires=Tue, 21-Apr-20 13:44:26 GMT; path=/; domain=.insidepromod.com; HttpOnly; SameSite=Lax
Location: https://insidepromod.com/
X-Powered-By: centminmod
CF-Cache-Status: DYNAMIC
Server: cloudflare
CF-RAY: 578058efbab25336-MIA

I just don't understand how I am getting the 302 moved temporarily code..

Thank you for your help @eva2000. I really appreciate it. Setting up a vhost with ssl has never gone smooth for me....

Itworx4me
Here is the insidepromod.com.ssl.conf file that centmin created. I haven't touched the file or changed anything.

Code (Text):
#x# HTTPS-DEFAULT
server {
  server_name insidepromod.com www.insidepromod.com;
  return 302 https://insidepromod.com$request_uri;
  include /usr/local/nginx/conf/staticfiles.conf;
}
server {
  listen 443 ssl http2 reuseport;
  server_name insidepromod.com www.insidepromod.com;
  include /usr/local/nginx/conf/ssl/insidepromod.com/insidepromod.com.crt.key.conf;
  include /usr/local/nginx/conf/ssl_include.conf;
  # cloudflare authenticated origin pull cert community.centminmod.com/threads/13847/
  #ssl_client_certificate /usr/local/nginx/conf/ssl/cloudflare/insidepromod.com/origin.crt;
  #ssl_verify_client on;
  http2_max_field_size 16k;
  http2_max_header_size 32k;
  http2_max_requests 5000;
  # mozilla recommended
  ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS;
  ssl_prefer_server_ciphers on;
  #add_header Alternate-Protocol 443:npn-spdy/3;
  # before enabling HSTS line below read centminmod.com/nginx_domain_dns_setup.html#hsts
  #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
  #add_header X-Frame-Options SAMEORIGIN;
  add_header X-Xss-Protection "1; mode=block" always;
  add_header X-Content-Type-Options "nosniff" always;
  #add_header Referrer-Policy "strict-origin-when-cross-origin";
  #add_header Feature-Policy "accelerometer 'none'; camera 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; payment 'none'; usb 'none'";
  #spdy_headers_comp 5;
  ssl_buffer_size 1369;
  ssl_session_tickets on;
  # enable ocsp stapling
  #resolver 8.8.8.8 8.8.4.4 1.1.1.1 1.0.0.1 valid=10m;
  #resolver_timeout 10s;
  #ssl_stapling on;
  #ssl_stapling_verify on;
  # ngx_pagespeed & ngx_pagespeed handler
  #include /usr/local/nginx/conf/pagespeed.conf;
  #include /usr/local/nginx/conf/pagespeedhandler.conf;
  #include /usr/local/nginx/conf/pagespeedstatslog.conf;
  # limit_conn limit_per_ip 16;
  # ssi on;
  access_log /home/nginx/domains/insidepromod.com/log/access.log combined buffer=256k flush=5m;
  error_log /home/nginx/domains/insidepromod.com/log/error.log;
  include /usr/local/nginx/conf/autoprotect/insidepromod.com/autoprotect-insidepromod.com.conf;
  root /home/nginx/domains/insidepromod.com/public;
  # uncomment cloudflare.conf include if using cloudflare for
  # server and/or vhost site
  #include /usr/local/nginx/conf/cloudflare.conf;
  include /usr/local/nginx/conf/503include-main.conf;
  location / {
    include /usr/local/nginx/conf/503include-only.conf;
    # block common exploits, sql injections etc
    #include /usr/local/nginx/conf/block.conf;
    # Enables directory listings when index file not found
    #autoindex on;
    # Shows file listing times as local time
    #autoindex_localtime on;
    # Wordpress Permalinks example
    #try_files $uri $uri/ /index.php?q=$uri&$args;
  }
  include /usr/local/nginx/conf/pre-staticfiles-local-insidepromod.com.conf;
  include /usr/local/nginx/conf/pre-staticfiles-global.conf;
  include /usr/local/nginx/conf/staticfiles.conf;
  include /usr/local/nginx/conf/php.conf;
  include /usr/local/nginx/conf/drop.conf;
  #include /usr/local/nginx/conf/errorpage.conf;
  include /usr/local/nginx/conf/vts_server.conf;
}
It's due to this redirect for https non-www redirect to https non-www, so it's in a loop:

Code (Text):
curl -I https://domain.com
HTTP/1.1 302 Moved Temporarily
Date: Sun, 22 Mar 2020 13:35:24 GMT
Content-Type: text/html
Connection: keep-alive
Set-Cookie: __cfduid=d844693781d4db7c70cbd7ca6354932b31584884124; expires=Tue, 21-Apr-20 13:35:24 GMT; path=/; domain=.insidepromod.com; HttpOnly; SameSite=Lax
Location: https://insidepromod.com/
X-Powered-By: centminmod
CF-Cache-Status: DYNAMIC
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Server: cloudflare
CF-RAY: 57804bb1fcd5e968-MIA

If you have Cloudflare enabled with always use HTTPS in dashboard, it will force https so centmin mod nginx doesn't need the 302 redirect

Code (Text):
#x# HTTPS-DEFAULT
server {
  server_name insidepromod.com www.insidepromod.com;
  return 302 https://insidepromod.com$request_uri;
  include /usr/local/nginx/conf/staticfiles.conf;
}

For now I'd keep that 302 redirect and disable Cloudflare always use HTTPS from SSL/TLS > Edge Certificates tab and re-run

Code (Text):
curl -I https://domain.com

to see if you get HTTP 200 status code instead of 302 redirect. If you do, you can re-attempt to re-issue letsencrypt.

Try acmetool.sh add reissue-only option for existing nginx HTTPS SSL vhosts with domain.com.ssl.conf vhost config files that exist. This only does reissue of letsencrypt SSL cert without touching the nginx vhost. Ideal for use when you tried creating a Nginx HTTPS SSL default vhost site but letsencrypt SSL issuance failed the first time. When it fails, Centmin Mod usually falls back to self-signed SSL as a placeholder for the domain.com.ssl.conf vhost config.

When you run:

Code (Text):
cd /usr/local/src/centminmod/addons
./acmetool.sh reissue-only domain.com live

It will only try reissuing the letsencrypt SSL certificate for the domain = domain.com for live production SSL certificate without touching any of the existing nginx vhost at domain.com.ssl.conf
Did you install any other wordpress plugins? Like Cloudflare wordpress plugin?

If you temporarily comment out these lines with hash # in front and restart nginx/php-fpm, does it work when you access the https version of your domain?

change from

Code (Text):
server {
  server_name insidepromod.com www.insidepromod.com;
  return 302 https://insidepromod.com$request_uri;
  include /usr/local/nginx/conf/staticfiles.conf;
}

to

Code (Text):
# server {
#
#   server_name insidepromod.com www.insidepromod.com;
#   return 302 https://insidepromod.com$request_uri;
#   include /usr/local/nginx/conf/staticfiles.conf;
# }

then try

Code (Text):
curl -I http://domain.com
curl -I https://domain.com
curl -I http://www.domain.com
curl -I https://www.domain.com
I get the Centminmod Nginx Auto Installer page now

Test Page for the Centmin Mod Nginx HTTP Server

Code (Text):
HTTP/1.1 200 OK
Date: Sun, 22 Mar 2020 15:47:11 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
Set-Cookie: __cfduid=d6500cc838583ad9911562f81f4c49e721584892031; expires=Tue, 21-Apr-20 15:47:11 GMT; path=/; domain=.insidepromod.com; HttpOnly; SameSite=Lax
Last-Modified: Wed, 31 Jan 2018 00:31:37 GMT
Vary: Accept-Encoding
X-Powered-By: centminmod
CF-Cache-Status: DYNAMIC
Server: cloudflare
CF-RAY: 57810cbedb1be974-MIA

Code (Text):
HTTP/1.1 200 OK
Date: Sun, 22 Mar 2020 15:50:26 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
Set-Cookie: __cfduid=d9f4df8b8a4cbd13bf08fc8ced79a5f641584892225; expires=Tue, 21-Apr-20 15:50:25 GMT; path=/; domain=.insidepromod.com; HttpOnly; SameSite=Lax
Last-Modified: Wed, 31 Jan 2018 00:31:37 GMT
Vary: Accept-Encoding
X-Powered-By: centminmod
CF-Cache-Status: DYNAMIC
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Server: cloudflare
CF-RAY: 578111745b9250d2-MIA

Code (Text):
HTTP/1.1 200 OK
Date: Sun, 22 Mar 2020 15:51:14 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
Set-Cookie: __cfduid=da116afc07a247ee1f1a2d9dca6232da81584892274; expires=Tue, 21-Apr-20 15:51:14 GMT; path=/; domain=.insidepromod.com; HttpOnly; SameSite=Lax
Last-Modified: Wed, 31 Jan 2018 00:31:37 GMT
Vary: Accept-Encoding
X-Powered-By: centminmod
CF-Cache-Status: DYNAMIC
Server: cloudflare
CF-RAY: 578112ac9e76d4f9-MIA

Code (Text):
HTTP/1.1 200 OK
Date: Sun, 22 Mar 2020 15:51:57 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
Set-Cookie: __cfduid=d8ea351ce3f0290a872f9121e3ec25d241584892317; expires=Tue, 21-Apr-20 15:51:57 GMT; path=/; domain=.insidepromod.com; HttpOnly; SameSite=Lax
Last-Modified: Wed, 31 Jan 2018 00:31:37 GMT
Vary: Accept-Encoding
X-Powered-By: centminmod
CF-Cache-Status: DYNAMIC
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Server: cloudflare
CF-RAY: 578113ba3c34ef26-MIA
That probably means you didn't set up your main hostname for your server properly from Getting Started Guide step 1 at Getting Started Guide - CentminMod.com LEMP Nginx web stack for CentOS - you need to ensure it isn't using your insidepromod.com domain but a subdomain like host.insidepromod.com

When you install Centmin Mod it sets up a main hostname nginx vhost host for the server, which is where the Nginx default install index page is shown. Accessing the server via IP address will show that page and it's correct and should be left as is, as the main hostname site is also used for statistics pages outlined here.

When you create a new Nginx vhost site via centmin.sh menu option 2, 22 or nv commands, you have a separate Nginx vhost directory structure. The differences are outlined on the official Config file page and at Getting Started Guide step 1 and bottom of that page here.

If your site domain name when visited redirects to the main hostname and default nginx index page, then that is usually due to the main hostname being the same as the site domain name, which is incorrect as they need to differ.

What do your /usr/local/nginx/conf/conf.d/virtual.conf and /usr/local/nginx/conf/conf.d/yourdomain.com.conf contents look like?

Make sure virtual.conf main hostname's server_name isn't the same as any added nginx vhost site's domain name as per Getting Started Guide step 1, the main hostname needs to be unique.

You can check via recursive grep filter of your domain name in vhost directory at /usr/local/nginx/conf/conf.d

Code (Text):
grep -rnw 'yourdomain.com' /usr/local/nginx/conf/conf.d

Also check DNS is correct, use dig to check DNS for domain

Code (Text):
dig +short A @8.8.8.8 yourdomain.com
dig +short A @8.8.8.8 www.yourdomain.com
dig +short A @8.8.8.8 hostname.yourdomain.com

check HTTP headers via curl for both HTTP (and HTTPS if you have HTTPS/SSL)

Code (Text):
curl -I http://yourdomain.com
curl -I http://www.yourdomain.com
curl -I https://yourdomain.com
curl -I https://www.yourdomain.com
curl -I http://hostname.yourdomain.com
I have 3 other sites on the server that are working fine. My hostname is ****.insidetopfuel.com. There is a vhost of insidetopfuel.com that gets redirected to nitromater.com

Code (Text):
/usr/local/nginx/conf/conf.d/insidepromod.com.ssl.conf:4:# server_name insidepromod.com www.insidepromod.com;
/usr/local/nginx/conf/conf.d/insidepromod.com.ssl.conf:5:# return 302 https://insidepromod.com$request_uri;
/usr/local/nginx/conf/conf.d/insidepromod.com.ssl.conf:12: server_name insidepromod.com www.insidepromod.com;
/usr/local/nginx/conf/conf.d/insidepromod.com.ssl.conf:14: include /usr/local/nginx/conf/ssl/insidepromod.com/insidepromod.com.crt.key.conf;
/usr/local/nginx/conf/conf.d/insidepromod.com.ssl.conf:18: #ssl_client_certificate /usr/local/nginx/conf/ssl/cloudflare/insidepromod.com/origin.crt;
/usr/local/nginx/conf/conf.d/insidepromod.com.ssl.conf:53: access_log /home/nginx/domains/insidepromod.com/log/access.log combined buffer=256k flush=5m;
/usr/local/nginx/conf/conf.d/insidepromod.com.ssl.conf:54: error_log /home/nginx/domains/insidepromod.com/log/error.log;
/usr/local/nginx/conf/conf.d/insidepromod.com.ssl.conf:56: include /usr/local/nginx/conf/autoprotect/insidepromod.com/autoprotect-insidepromod.com.conf;
/usr/local/nginx/conf/conf.d/insidepromod.com.ssl.conf:57: root /home/nginx/domains/insidepromod.com/public;
/usr/local/nginx/conf/conf.d/insidepromod.com.ssl.conf:80: include /usr/local/nginx/conf/pre-staticfiles-local-insidepromod.com.conf;

I am at a loss.. Really appreciate your help George
Here is a site that is working on the server:

Code (Text):
/usr/local/nginx/conf/conf.d/***.com.ssl.conf:10: server_name ***.com www.***.com;
/usr/local/nginx/conf/conf.d/***.com.ssl.conf:11: return 302 https://***.com$request_uri;
/usr/local/nginx/conf/conf.d/***.com.ssl.conf:16: server_name ***.com www.***.com;
/usr/local/nginx/conf/conf.d/***.com.ssl.conf:18: ssl_dhparam /usr/local/nginx/conf/ssl/***.com/dhparam.pem;
/usr/local/nginx/conf/conf.d/***.com.ssl.conf:19: ssl_certificate /usr/local/nginx/conf/ssl/***.com/***.com-acme.cer;
/usr/local/nginx/conf/conf.d/***.com.ssl.conf:20: ssl_certificate_key /usr/local/nginx/conf/ssl/***.com/***.com-acme.key;
/usr/local/nginx/conf/conf.d/***.com.ssl.conf:33: add_header Link "<http://***.com$request_uri>; rel=\"canonical\"";
/usr/local/nginx/conf/conf.d/***.com.ssl.conf:43: ssl_trusted_certificate /usr/local/nginx/conf/ssl/***.com/***.com-acme.cer;
/usr/local/nginx/conf/conf.d/***.com.ssl.conf:53: access_log /home/nginx/domains/***.com/log/access.log combined buffer=256k flush=5m;
/usr/local/nginx/conf/conf.d/***.com.ssl.conf:54: error_log /home/nginx/domains/***.com/log/error.log;
/usr/local/nginx/conf/conf.d/***.com.ssl.conf:56: root /home/nginx/domains/***.com/public;
/usr/local/nginx/conf/conf.d/***.com.conf-disabled:9:# server_name ***.com;
/usr/local/nginx/conf/conf.d/***.com.conf-disabled:10:# return 301 $scheme://www.***.com$request_uri;
/usr/local/nginx/conf/conf.d/***.com.conf-disabled:15: server_name ***.com www.***.com;
/usr/local/nginx/conf/conf.d/***.com.conf-disabled:29: access_log /home/nginx/domains/***.com/log/access.log main_ext buffer=256k flush=5m;
/usr/local/nginx/conf/conf.d/***.com.conf-disabled:30: error_log /home/nginx/domains/***.com/log/error.log;
/usr/local/nginx/conf/conf.d/***.com.conf-disabled:32: include /usr/local/nginx/conf/autoprotect/***.com/autoprotect-***.com.conf;
/usr/local/nginx/conf/conf.d/***.com.conf-disabled:33: root /home/nginx/domains/***.com/public;
/usr/local/nginx/conf/conf.d/insidtetopfuel.com.ssl.conf:55: root /home/nginx/domains/***.com/public;
With Cloudflare are you using Flexible SSL or Full SSL? As you have HTTPS default nginx site, you'd need to ensure Cloudflare is using Full SSL so it checks HTTPS nginx origin, as Flexible SSL checks non-HTTPS nginx origin. If you have Flexible SSL, it will try to connect to non-HTTPS nginx origin and will get a 302 redirect HTTPS which then has a cycle of checking non-HTTPS again if Flexible SSL is used, which is what original letsdebug.net check reported too at Let's Debug
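
The loop described in the post above (an edge that fetches the non-HTTPS origin, which answers 302 to HTTPS) can be confirmed one hop at a time before re-running acme.sh. This is an added example, not part of the original posts or of Centmin Mod; `example.test`, `trace_redirects` and the two `sim_*` fetchers are constructed for illustration.

```sh
#!/bin/sh
# Added example: follow an HTTP-01 challenge URL one redirect at a time,
# as a validator does, and name the failure instead of "Too many redirects".

MAX_HOPS=10   # the letsdebug trace in the thread stopped at 10 redirects

# Live fetcher: one HEAD request without -L; prints "<status> <redirect target>".
fetch_hop() {
  curl -s -I -o /dev/null --max-time 10 -w '%{http_code} %{redirect_url}' "$1"
}

# Constructed fetcher: the edge always fetches the port-80 origin, whose
# "return 302 https://..." block answers every request with a redirect.
sim_flexible() {
  echo "302 https://example.test/${1#*://*/}"
}

# Constructed fetcher: https:// requests reach the HTTPS origin and get a 200.
sim_full() {
  case $1 in
    https://*) echo "200 " ;;
    *)         echo "302 https://example.test/${1#*://*/}" ;;
  esac
}

# trace_redirects URL [FETCHER]: prints one line per hop, then a verdict:
#   OK <hops> | LOOP <url> | TOO_MANY <hops> | FAIL <status>
trace_redirects() {
  tr_url=$1
  tr_fetch=${2:-fetch_hop}
  tr_seen=""
  tr_hops=0
  while [ "$tr_hops" -lt "$MAX_HOPS" ]; do
    tr_out=$("$tr_fetch" "$tr_url") || true
    tr_status=${tr_out%% *}
    tr_target=""
    case $tr_out in
      *" "*) tr_target=${tr_out#* } ;;
    esac
    echo "hop $tr_hops: $tr_url -> $tr_status $tr_target"
    case $tr_status in
      200) echo "OK $tr_hops"; return 0 ;;
      301|302|303|307|308) ;;
      *) echo "FAIL $tr_status"; return 0 ;;
    esac
    if [ -z "$tr_target" ]; then
      echo "FAIL $tr_status"; return 0
    fi
    # A redirect to a URL already requested (itself included) never resolves.
    tr_seen="$tr_seen $tr_url"
    case " $tr_seen " in
      *" $tr_target "*) echo "LOOP $tr_target"; return 0 ;;
    esac
    tr_url=$tr_target
    tr_hops=$((tr_hops + 1))
  done
  echo "TOO_MANY $tr_hops"
}

# With a URL argument trace it live; otherwise replay the constructed loop.
if [ "$#" -gt 0 ]; then
  trace_redirects "$1"
else
  trace_redirects "http://example.test/.well-known/acme-challenge/tok" sim_flexible
fi
```

Run with the challenge URL as the only argument to trace a live domain; a `LOOP` verdict on the second hop matches the behaviour in the letsdebug trace.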
The domain https://insidepromod.com/ is still pointing to main hostname's default nginx index page though, so something in one of your nginx configs is not set up correctly - letsencrypt reissue will fail domain validation because of this.

What happens if you try and turn off orange cloud proxy on your cloudflare DNS record for main domain and www version of your domain from cloudflare dashboard, does accessing the domain show your site or not?
Oh before trying turning off orange cloud, try Full non-strict too, as strict requires valid SSL cert on nginx origin and you don't have one right now, it's a self-signed ssl cert on nginx origin in use.

When running centmin.sh menu option 2 or 22 and you select option 2 or 4 for letsencrypt HTTPS mode, you will also get a notice message like one below informing you of such as well
Yup looks good now so try re-issuance.

I've updated 123.09beta01 centmin.sh menu option 2 and 22 routines to make the cloudflare notice more noticeable at the end of nginx vhost creation routine too when cloudflare DNS is detected for the domain now as well.