
SSL Domains Letsencrypt How to troubleshoot Letsencrypt SSL certificate issuance or renewal

Discussion in 'Domains, DNS, Email & SSL Certificates' started by eva2000, Jun 30, 2019.

Thread Status:
Not open for further replies.
  1. eva2000

    eva2000 Administrator Staff Member

    This guide is for what info is required to troubleshoot a failed Letsencrypt SSL certificate issuance or renewal when creating a Centmin Mod 123.09beta01 or newer version's Nginx vhost via centmin.sh menu option 2, 22, nv commandline or directly via addons/acmetool.sh outlined at https://centminmod.com/acmetool/. When you post a new thread in Domains, DNS, Email & SSL Certificates forum, please provide the below info.

    First try running your intended SSL certificate domain through the letsdebug.net online testing tool to check for potential errors with HTTP-01 validation.

    How was the initial letsencrypt ssl certificate obtained? Which method?
    • Was the domain nginx vhost already created prior or new domain nginx vhost site setup for first time?
    • Via centmin.sh menu option 2, 22, /usr/bin/nv ?
    • If you ran centmin.sh menu option 2 or 22, which letsencrypt option did you select from
      Code (Text):
      -------------------------------------------------------------
      Setup full Nginx vhost + Wordpress + WP Plugins
      -------------------------------------------------------------
      
      Enter vhost domain name you want to add (without www. prefix): acme3.domain1.com
      
      Create a self-signed SSL certificate Nginx vhost? [y/n]: n
      Get Letsencrypt SSL certificate Nginx vhost? [y/n]: y
      
      You have 4 options:
      1. issue staging test cert with HTTP + HTTPS
      2. issue staging test cert with HTTPS default
      3. issue live cert with HTTP + HTTPS
      4. issue live cert with HTTPS default
      Enter option number 1-4: 1
      
    • Via addons/acmetool.sh? Which specific command? Examples:
      Code (Text):
      ./acmetool.sh issue acme.domain.com
      
      Code (Text):
      ./acmetool.sh issue acme.domain.com live
      
      Code (Text):
      ./acmetool.sh issue acme.domain.com d
      
      Code (Text):
      ./acmetool.sh issue acme.domain.com lived
      
    • What was the order of steps you did? Did you run centmin.sh menu option 2 first with letsencrypt? Then did you run addons/acmetool.sh afterwards?

    Centmin Mod Self-Signed SSL Fallback



    If you're seeing Centmin Mod's self-signed SSL certificate instead of a Letsencrypt SSL certificate, that's acmetool.sh and Centmin Mod's fallback: if Letsencrypt verification fails to obtain a Letsencrypt SSL cert, it falls back to the Centmin Mod self-signed SSL certificate on the HTTPS port 443 side so as to preserve the HTTPS Nginx vhost.

    Troubleshooting



    There are various steps you can do to troubleshoot failed letsencrypt issuances, renews, reissues etc.
    • acmetool.sh logs all command line or shell menu runs to log files at /root/centminlogs. To troubleshoot, copy the contents of the log run, post the contents of the log to pastebin.com or gist.github.com and share the link in this thread. To find the log, list the logs in ascending date order:
      Code (Text):
      ls -lahrt /root/centminlogs
    • You can also do a quick grep filter on all previous and current acmetool.sh runs of the underlying acme.sh client for errors listed in errordetails field of each log using command below:
      Code (Text):
      find /root/centminlogs/ -type f -name 'acme*.log' -printf '%TY-%Tm-%Td %TH:%TM:%TS %p\n' | sort | awk '{print $3}' | xargs -d '\n' grep -i 'errordetail'
      

    • For direct acmetool.sh runs, there should be a 2nd & 3rd & 4th log in format /root/centminlogs/centminmod_${DT}_nginx_addvhost_nv.log and /root/centminlogs/acmetool.sh-debug-log-$DT.log and /root/centminlogs/acmesh-issue_*.log or /root/centminlogs/acmesh-reissue_*.log which would need to be included via separate pastebin.com or gist.github.com post.
    • Enable acmetool.sh debug mode. In the persistent config file at /etc/centminmod/custom_config.inc (create it if it doesn't exist), add and enable acmetool.sh debug mode, which gives much more verbose letsencrypt issuance process information when you re-run acmetool.sh or centmin.sh menu options 2, 22 or /usr/bin/nv command lines.
      Code (Text):
      ACMEDEBUG='y'
    If acme.sh auto renewals didn't happen, check output for the following commands
    Code (Text):
    grep acme /var/log/cron* | sed -e "s|$(hostname -s)|host|g"
    

    Code (Text):
    echo y | /usr/local/src/centminmod/addons/acmetool.sh checkdates
    

    Code (Text):
    "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh"
    

    Code (Text):
    echo | openssl s_client -connect yourdomain.com:443
    

    Without the answers to above questions and logs, there is nothing to help troubleshoot.


    SSLLabs Test



    Also run your HTTPS domain site through the SSLLabs tester at SSL Server Test (Powered by Qualys SSL Labs). If it says untrusted SSL cert and prompts to continue the test, continue the test.
     
    Last edited: Dec 18, 2022
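
The self-signed fallback and the staging options described in the post above can be told apart from the issuer and subject of the certificate Nginx actually serves. This is an added example, not part of the original post or of Centmin Mod: `cert_kind` is a hypothetical helper that classifies `openssl x509 -noout -issuer -subject` output, the `(STAGING)` issuer marker is an assumption about how Let's Encrypt names its staging CAs, and the sample inputs are constructed.

```shell
#!/bin/sh
# Added example: classify the certificate a vhost serves as
#   self-signed (the Centmin Mod fallback), staging, or ca-issued.
# cert_kind is a hypothetical helper. It reads the output of
#   openssl x509 -noout -issuer -subject
# on stdin and prints one word.
cert_kind() {
  awk '
    /^issuer=/  { sub(/^issuer= */, "");  issuer = $0 }
    /^subject=/ { sub(/^subject= */, ""); subject = $0 }
    END {
      if (issuer == "" || subject == "")   print "unknown"
      else if (issuer == subject)          print "self-signed"
      else if (index(issuer, "(STAGING)")) print "staging"   # assumed marker
      else                                 print "ca-issued"
    }'
}

# Live check against a server (needs network), sending SNI explicitly:
#   echo | openssl s_client -connect yourdomain.com:443 -servername yourdomain.com 2>/dev/null \
#     | openssl x509 -noout -issuer -subject | cert_kind

# Constructed sample inputs so the example runs offline.
sample_fallback() {
  printf '%s\n' 'issuer=CN = acme3.domain1.com' 'subject=CN = acme3.domain1.com'
}
sample_staging() {
  printf '%s\n' "issuer=C = US, O = (STAGING) Let's Encrypt, CN = (STAGING) Example R10" \
                'subject=CN = acme3.domain1.com'
}
sample_live() {
  printf '%s\n' "issuer=C = US, O = Let's Encrypt, CN = R10" 'subject=CN = acme3.domain1.com'
}

for s in sample_fallback sample_staging sample_live; do
  printf '%s: %s\n' "$s" "$("$s" | cert_kind)"
done
```

A `self-signed` result on port 443 means issuance failed and the logs in /root/centminlogs are the next place to look; `staging` means a test certificate was issued and browsers will not trust it.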
  2. eva2000

    If you're behind Cloudflare and don't want to deal with the default Centmin Mod Letsencrypt web root authentication, Centmin Mod's Letsencrypt SSL integration also supports Letsencrypt DNS validation via Cloudflare's DNS API when the optionally enabled variables for the Cloudflare API Token are set in the persistent config file at /etc/centminmod/custom_config.inc prior to creating your Centmin Mod Nginx HTTPS vhost domain name via centmin.sh menu option 2, 22 or nv command line.

    See details at https://community.centminmod.com/th...cloudflare-dns-api-domain-verification.22630/

    If using Cloudflare DNS API validation and you get errors for invalid domain when Letsencrypt is doing domain validation, ensure you created your Cloudflare API Token with permissions for all your domain zones and not just specific domain zones. You can manually verify if the created Cloudflare API Token has permissions to add TXT DNS records for your domain using below manual curl commands to add a test TXT DNS record and verify the test TXT DNS record. You can then delete the test TXT DNS record from Cloudflare DNS dashboard.

    Manual testing, 1st populate these 4 variables with your relevant values and type the commands in SSH as root user on the Centmin Mod server
    Code (Text):
    # same value as your CF_Token you set in persistent config file
    cftoken='your_cf_api_token'
    domain_hostname='your_domain_name_without_www'
    txtmsg='your_txt_msg'
    

    Then type these commands to create test TXT DNS record and verify it
    Code (Text):
    # get zoneid for domain_hostname
    cfzoneid=$(curl -4sX GET "https://api.cloudflare.com/client/v4/zones/?name=${domain_hostname}&status=active&page=1&per_page=100&order=status&direction=desc&match=all" -H Content-Type:application/json -H "Authorization: Bearer $cftoken" | jq -r --arg d "${domain_hostname}" '.result[] | select(.name == $d) | .id')
    
    # create test TXT DNS record
    curl -4sX POST "https://api.cloudflare.com/client/v4/zones/$cfzoneid/dns_records" -H Content-Type:application/json -H "Authorization: Bearer $cftoken" --data "{\"type\":\"TXT\",\"name\":\"$domain_hostname\",\"content\":\"$txtmsg\",\"ttl\":120,\"proxied\":false}" | jq 'del(.result.zone_id)'
    
    # verify test TXT DNS record
    curl -4sX GET "https://api.cloudflare.com/client/v4/zones/$cfzoneid/dns_records?type=TXT&name=${domain_hostname}&page=1&per_page=100&order=type&direction=desc&match=all" -H Content-Type:application/json -H "Authorization: Bearer $cftoken" | jq -r --arg d "$domain_hostname" '.result[] | {id: .id, name: .name, type: .type, content: .content, proxiable: .proxiable, proxied: .proxied}'
    

    Post the output for both of the curl commands in CODE/CODEB bbcode tags.

    Further troubleshooting for Cloudflare DNS API Letsencrypt domain validation is to check that the SAVED_CF_Token id was updated/correct in acme.sh client's /root/.acme.sh/account.conf config file and matches what the CF_Token variable is set to in persistent config file at /etc/centminmod/custom_config.inc.

    You can inspect its contents filtered for the SAVED_CF keyword using this command:
    Code (Text):
    cat /root/.acme.sh/account.conf | grep SAVED_CF

    No need to post the contents; just verify that SAVED_CF_Token is correct, SAVED_CF_Account_ID is correct, and the SAVED_CF_ZONE_ID variable is empty with no value.
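
The comparison described in the post above can be done without the token ever reaching the terminal or a paste. This is an added example, not part of the original post or of Centmin Mod or acme.sh: `conf_value` and `check_cf_sync` are hypothetical helpers, both files are assumed to hold plain `KEY='value'` lines, and the sample files are constructed.

```shell
#!/bin/sh
# conf_value FILE KEY: print the value of the last KEY=... line in FILE with
# surrounding quotes stripped (assumes plain KEY='value' shell assignments).
conf_value() {
  sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 |
    sed -e "s/^['\"]//" -e "s/['\"][[:space:]]*\$//"
}

# check_cf_sync CUSTOM_CONFIG ACCOUNT_CONF: compare CF_Token with the token
# acme.sh saved, and check SAVED_CF_ZONE_ID is empty. Prints a status per
# check, never a secret value. Returns 0 only when every check passes.
check_cf_sync() {
  rc=0
  want=$(conf_value "$1" CF_Token)
  have=$(conf_value "$2" SAVED_CF_Token)
  zone=$(conf_value "$2" SAVED_CF_ZONE_ID)
  acct=$(conf_value "$2" SAVED_CF_Account_ID)
  if [ -z "$want" ]; then echo "CF_Token: not set in $1"; rc=1
  elif [ "$want" != "$have" ]; then echo "SAVED_CF_Token: differs from CF_Token"; rc=1
  else echo "SAVED_CF_Token: matches CF_Token"; fi
  if [ -n "$zone" ]; then echo "SAVED_CF_ZONE_ID: has a value, expected empty"; rc=1
  else echo "SAVED_CF_ZONE_ID: empty"; fi
  if [ -n "$acct" ]; then echo "SAVED_CF_Account_ID: present (compare by hand)"
  else echo "SAVED_CF_Account_ID: not saved"; fi
  return $rc
}

# On a server:
#   check_cf_sync /etc/centminmod/custom_config.inc /root/.acme.sh/account.conf

# Constructed sample files so the example runs offline: a stale saved token.
demo_dir=$(mktemp -d)
printf '%s\n' "ACMEDEBUG='y'" "CF_Token='tok_constructed_NEW'" \
  > "$demo_dir/custom_config.inc"
printf '%s\n' "SAVED_CF_Token='tok_constructed_OLD'" \
  "SAVED_CF_Account_ID='acct_constructed'" "SAVED_CF_ZONE_ID=''" \
  > "$demo_dir/account.conf"
check_cf_sync "$demo_dir/custom_config.inc" "$demo_dir/account.conf" ||
  echo "=> saved acme.sh credentials are out of sync with custom_config.inc"
rm -rf "$demo_dir"
```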
     
  3. eva2000

    Updated 1st post with how you can also do a quick grep filter on all previous and current acmetool.sh runs of the underlying acme.sh client for errors listed in errordetails field of each log using the command below:

    Code (Text):
    find /root/centminlogs/ -type f -name 'acme*.log' -printf '%TY-%Tm-%Td %TH:%TM:%TS %p\n' | sort | awk '{print $3}' | xargs -d '\n' grep -i 'errordetail'
    
     