
Letsencrypt Invalid response 404 problem

Discussion in 'Domains, DNS, Email & SSL Certificates' started by jellday, Feb 7, 2025.

  1. jellday

    jellday Member

    83
    4
    8
    May 31, 2014
    Ratings:
    +11
    Local Time:
    2:20 AM
    1.4.6
    5.5
    Hi,

    I attempted to issue and reissue an existing working domain, but each time I encountered the following error:


    [Thu Feb 6 21:23:10 EST 2025] mydemodomain.net: Invalid status. Verification error details: 204.13.154.36: Invalid response from http://mydemodomain.net/.well-known/acme-challenge/ngEE9I3catV0RPHLN6nayfLH8GD654Xj5ZOnYQQQbsc: 404

    It seems that the necessary verification file wasn’t written to the root folder:
    /home/nginx/domains/mydemodomain.net/public/.well-known/…

    I used the following commands:

    /usr/local/src/centminmod/addons/acmetool.sh issue mydemodomain.net live
    /usr/local/src/centminmod/addons/acmetool.sh reissue mydemodomain.net live

    I successfully issued a certificate for another domain a few days ago, so I’m not sure why it’s failing this time. Could you help identify the issue?
     
  2. eva2000

    eva2000 Administrator Staff Member

    55,811
    12,273
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,859
    Local Time:
    4:20 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    First, run your intended SSL certificate domain through the letsdebug.net online testing tool to check for potential errors with HTTP-01 validation. If you created a Centmin Mod 123.09beta01 or higher Nginx site with Letsencrypt via centmin.sh menu option 2, 22 or the nv command line, you now also have an automatic letsdebug.net API check log saved at /root/centminlogs/letsdebug-yourdomain.com-${DT}.log, where yourdomain.com is the domain specified during nginx vhost creation and DT is the date/timestamp. Inspecting that log will also give you clues as to why Letsencrypt SSL certificate issuance failed.

    How was the initial Letsencrypt SSL certificate obtained? Which method?
    • Was the domain's nginx vhost already created prior, or was the nginx vhost site set up for the first time?
    • Via centmin.sh menu option 2, 22, or /usr/bin/nv?
    • If you ran centmin.sh menu option 2 or 22, which Letsencrypt option did you select from
      Code (Text):
      -------------------------------------------------------------
      Setup full Nginx vhost + Wordpress + WP Plugins
      -------------------------------------------------------------
      
      Enter vhost domain name you want to add (without www. prefix): acme3.domain1.com
      
      Create a self-signed SSL certificate Nginx vhost? [y/n]: n
      Get Letsencrypt SSL certificate Nginx vhost? [y/n]: y
      
      You have 4 options:
      1. issue staging test cert with HTTP + HTTPS
      2. issue staging test cert with HTTPS default
      3. issue live cert with HTTP + HTTPS
      4. issue live cert with HTTPS default
      Enter option number 1-4: 1
      
    • Via addons/acmetool.sh ? which specific command ? examples
      Code (Text):
      ./acmetool.sh issue acme.domain.com
      
      Code (Text):
      ./acmetool.sh issue acme.domain.com live
      
      Code (Text):
      ./acmetool.sh issue acme.domain.com d
      
      Code (Text):
      ./acmetool.sh issue acme.domain.com lived
      
    • What was the order of steps you did? Did you run centmin.sh menu option 2 first with Letsencrypt? Then did you run addons/acmetool.sh afterwards?

    Centmin Mod Self-Signed SSL Fallback

    If you're seeing Centmin Mod's self-signed SSL certificate instead of a Letsencrypt SSL certificate, that's the acmetool.sh and centminmod fallback: if Letsencrypt verification fails to obtain the Letsencrypt SSL cert, it falls back to the Centmin Mod self-signed SSL certificate on the HTTPS port 443 side so as to preserve the HTTPS nginx vhost.

    Troubleshooting

    There are various steps you can take to troubleshoot failed Letsencrypt issuances, renewals, reissues etc.
    • acmetool.sh logs all command line or shell menu runs to log files at /root/centminlogs. To troubleshoot, copy the contents of the log run, post the contents to pastebin.com or gist.github.com and share the link in this thread. To find the log, list the logs in ascending date order:
      Code (Text):
      ls -lahrt /root/centminlogs
      
    • You can also do a quick grep filter on all previous and current acmetool.sh runs of the underlying acme.sh client for the errors listed in the errordetails field of each log, using the command below:
      Code (Text):
      find /root/centminlogs/ -type f -name 'acme*.log' -printf '%TY-%Tm-%Td %TH:%TM:%TS %p\n' | sort | awk '{print $3}' | xargs -d '\n' grep -i 'errordetail'
      
    • For direct acmetool.sh runs, there should be a 2nd, 3rd and 4th log in the format /root/centminlogs/centminmod_${DT}_nginx_addvhost_nv.log, /root/centminlogs/acmetool.sh-debug-log-$DT.log and /root/centminlogs/acmesh-issue_*.log or /root/centminlogs/acmesh-reissue_*.log, which would need to be included via a separate pastebin.com or gist.github.com post.
    • Enable acmetool.sh debug mode. In the persistent config file at /etc/centminmod/custom_config.inc (create it if it doesn't exist), add the following to enable acmetool.sh debug mode, which gives much more verbose Letsencrypt issuance process information when you re-run acmetool.sh or the centmin.sh menu options 2, 22 or /usr/bin/nv command lines.
      Code (Text):
      ACMEDEBUG='y'
    If acme.sh auto renewals didn't happen, check the output of the following commands
    Code (Text):
    grep acme /var/log/cron* | sed -e "s|$(hostname -s)|host|g"
    

    Code (Text):
    echo y | /usr/local/src/centminmod/addons/acmetool.sh checkdates
    

    Code (Text):
    "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh"
    

    Code (Text):
    echo | openssl s_client -connect yourdomain.com:443
    

    Without the answers to above questions and logs, there is nothing to help troubleshoot.

    SSLLabs Test

    Also run your HTTPS domain site through the SSLLabs tester at SSL Server Test (Powered by Qualys SSL Labs); if it says untrusted SSL cert and prompts to continue the test, continue the test.

    Cloudflare

    If you use Cloudflare, instead of the default Letsencrypt webroot validation you can use Cloudflare's DNS API for Letsencrypt DNS validation for your domain. See the outline at the bottom of the page at Letsencrypt Free SSL Certificates.
     
  3. jellday

    jellday Member

    Thank you for your detailed help!

    I ran a test using the LetsDebug.net online tool, and the results were as follows:

    Code:
    Test result for mydomain.com using http-01
    All OK!
    OK
    
    No issues were found with mydomain.com. If you are having problems with creating an SSL certificate, please visit the Let's Encrypt Community forums and post a question there.

    The domain's vhost was already created (without SSL) a few weeks before attempting to generate an SSL certificate. I initially set up the vhost via centmin.sh menu option 2 (without SSL) weeks ago. Then yesterday, I ran the following commands:
    Code:
    ./acmetool.sh reissue-only mydomain.com live
    ./acmetool.sh issue mydomain.com live
    ./acmetool.sh reissue mydomain.com live
    
    I’ve uploaded the log files here: https://github.com/jellday/logs.

    Additionally, when testing with SSLLabs, I received a "Certificate name mismatch" error, which seems to reference a different domain name—quite strange.

    Also, just to clarify, the domain vhost is not behind Cloudflare.
     
    Last edited: Feb 8, 2025
  4. eva2000

    eva2000 Administrator Staff Member

    The issue or reissue commands might have messed up your nginx vhost, as only the reissue-only command obtains the certificate without touching the rest of your nginx vhost.

    Try this: create a new dummy nginx vhost, i.e. domain2.com, via centmin.sh menu option 2 without an SSL cert, to replicate how you created this problematic domain in the first place. Then inspect its nginx vhost /usr/local/nginx/conf/conf.d/domain2.com.conf and compare it with the problematic one to see if there have been drastic changes. You can also do a diff compare, i.e. if the problematic domain = domain1.com and the dummy is domain2.com:
    Code (Text):
    diff -u /usr/local/nginx/conf/conf.d/domain1.com.conf /usr/local/nginx/conf/conf.d/domain2.com.conf
    

    Ensure the default /usr/local/nginx/conf/staticfiles.conf include file is intact, as it has the rule that allows Letsencrypt to read /.well-known:

    Code (Text):
        # prepare for letsencrypt
        # https://community.centminmod.com/posts/17774/
        location ~ /.well-known {
            location ~ /.well-known/acme-challenge/(.*) {
                more_set_headers    "Content-Type: text/plain";
            }
        }
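
    The troubleshooting above comes down to one question: is the token that acmetool.sh/acme.sh writes under /.well-known/acme-challenge/ actually served, unchanged, at the URL Let's Encrypt fetches? As an added example (not part of this thread and not Centmin Mod's or acme.sh's own code), here is a Python pre-flight that performs exactly that check against any webroot and base URL, and reproduces both outcomes offline with a throwaway local HTTP server standing in for nginx. The webroot/base-URL arguments, the local server, the temporary directories and the token format are assumptions for the demo; on a real host run it as `python3 preflight.py /home/nginx/domains/yourdomain.com/public http://yourdomain.com` (plain HTTP on port 80, which is what the CA uses).

```python
"""HTTP-01 pre-flight: drop a throwaway token into the vhost webroot and
fetch it back the way the CA would, to catch "Invalid response ... 404"
before a real issuance burns a Let's Encrypt rate-limit slot.
Added example; not Centmin Mod or acme.sh code."""
import functools
import http.server
import os
import secrets
import shutil
import socketserver
import sys
import tempfile
import threading
import urllib.error
import urllib.request

CHALLENGE_DIR = os.path.join(".well-known", "acme-challenge")


def write_token(webroot, token, body):
    """Create the challenge file where a webroot-mode ACME client puts it."""
    directory = os.path.join(webroot, CHALLENGE_DIR)
    os.makedirs(directory, exist_ok=True)
    path = os.path.join(directory, token)
    with open(path, "w", encoding="ascii") as fh:
        fh.write(body)
    return path


def fetch(url, timeout=5):
    """GET url, returning (status, body); an HTTP error status is returned, not raised."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("ascii", errors="replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("ascii", errors="replace")


def http01_preflight(webroot, base_url):
    """Mimic the validation server: random token in, identical bytes expected back.
    'ok' is True only for HTTP 200 with matching content."""
    token = secrets.token_urlsafe(32)
    body = f"{token}.{secrets.token_urlsafe(32)}"   # shaped like token.<thumbprint> (assumed)
    path = write_token(webroot, token, body)
    url = f"{base_url.rstrip('/')}/.well-known/acme-challenge/{token}"
    try:
        status, served = fetch(url)
    finally:
        os.remove(path)                               # never leave stray files in the webroot
    return {"url": url, "status": status, "ok": status == 200 and served.strip() == body}


class _QuietHandler(http.server.SimpleHTTPRequestHandler):
    def log_message(self, *args):                     # silence per-request logging
        pass


def serve_webroot(webroot):
    """Throwaway local HTTP server rooted at webroot (stands in for nginx offline)."""
    handler = functools.partial(_QuietHandler, directory=webroot)
    srv = socketserver.TCPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def selftest():
    """Offline reproduction of both outcomes: the directory nginx really serves
    passes; a directory the client merely *believes* is the webroot yields the 404
    from the thread. Returns (good_ok, good_status, bad_ok, bad_status)."""
    served_root = tempfile.mkdtemp()                  # constructed stand-in for the real webroot
    other_root = tempfile.mkdtemp()                   # where a misconfigured client writes instead
    srv, port = serve_webroot(served_root)
    try:
        good = http01_preflight(served_root, f"http://127.0.0.1:{port}")
        bad = http01_preflight(other_root, f"http://127.0.0.1:{port}")
    finally:
        srv.shutdown()
        srv.server_close()
        shutil.rmtree(served_root, ignore_errors=True)
        shutil.rmtree(other_root, ignore_errors=True)
    return good["ok"], good["status"], bad["ok"], bad["status"]


if __name__ == "__main__":
    if len(sys.argv) == 3:     # preflight.py <webroot> <http://hostname>
        print(http01_preflight(sys.argv[1], sys.argv[2]))
    else:
        print(selftest())      # (True, 200, False, 404)
```

    A 404 with the file visibly present on disk means the vhost answering for that hostname is not rooted at that directory (another vhost catching the name, a redirect, or the .well-known rule from staticfiles.conf missing), which is precisely the mismatch the diff of the two vhost files is meant to surface. Note that running the check on the server itself only proves local reachability; the CA connects from the internet, so also run it from another host or rely on letsdebug.net for the outside view.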
    
     
  5. jellday

    jellday Member

    I backed up my vhost configuration file before attempting to issue the SSL certificate. When the SSL process failed, I rolled back to the original (non-SSL) configuration, in which "include /usr/local/nginx/conf/staticfiles.conf" is there.

    What steps should I take next? Should I try running the command:

    Code:
    ./acmetool.sh issue mydomain.com live
    
     
    Last edited: Feb 9, 2025
  6. eva2000

    eva2000 Administrator Staff Member

    That wouldn't work as an existing Nginx vhost exists. Guide for existing Centmin Mod Nginx HTTP users wishing to migrate from HTTP to HTTPS at Migrating Existing Nginx Vhost From HTTP to HTTP/2 based HTTPS With Letsencrypt SSL Certificates.
     
  7. eva2000

    eva2000 Administrator Staff Member

    FYI, for future reference, if you're not ready for Letsencrypt SSL, you can just choose HTTPS but with self-signed SSL cert and non-default HTTPS. That will create nginx vhosts for both non-HTTPS port 80 and HTTPS port 443 and allow you in future to use reissue-only flag with acmetool.sh.
     
  8. jellday

    jellday Member

    Thank you very much for your help!

    I resolved the issue by first backing up the configuration file, removing unnecessary modifications to keep it clean and simple, and then running:

    Code:
    ./acmetool.sh issue mydomain.com live
    
    This worked successfully. Afterward, I restored the previous modifications, and everything is back to normal, except for the subdomains.

    Some directories on my site are accessed via subdomains. For example, when visiting car.mydomain.com/1.html, it actually serves content from www.mydomain.com/car/1.html. This setup worked fine without SSL.

    Previously, my configuration looked like this:

    Code:
    server {
      server_name rent.mydomain.com;
      root  /home/nginx/domains/mydomain.com/public/house/rent/;
      access_log /home/nginx/domains/go2uk.info/log/house-access.log combined buffer=256k flush=60m;
      error_log /home/nginx/domains/go2uk.info/log/house-error.log;
      include /usr/local/nginx/conf/staticfiles.conf;
      include /usr/local/nginx/conf/php.conf;
      include /usr/local/nginx/conf/drop.conf;
      include /usr/local/nginx/conf/vts_server.conf;
    }
    
    However, after enabling SSL, I am now encountering an ERR_CERT_COMMON_NAME_INVALID error or Cloudflare's Error 526: Invalid SSL Certificate.

    Does this mean I need to generate a separate SSL certificate for each subdomain?
    Is there a way to issue a Wildcard SSL Certificate for mydomain.com that covers all subdomains?
     
  9. eva2000

    eva2000 Administrator Staff Member

    Centmin Mod's native centmin.sh menu option 2, 22, nv commands or addons/acmetool.sh for Nginx vhost setup or Wordpress install as outlined at Letsencrypt Free SSL Certificates only issue free Letsencrypt SSL certificates on a per hostname basis instead of a single wildcard for easier automation.

    One reason why I went per hostname issuance is that Letsencrypt requires wildcard SSL certificates to use DNS TXT record domain validation and not usual easier domain control validation (DCV) via domain.com/.well-known/* which I can automate for.

    So the average Centmin Mod user isn't going to be in a position to do domain DNS API validation via Centmin Mod's addons/acmetool.sh, which uses the acme.sh client and is what all the centmin.sh menu option 2, 22 and nv commands use for Letsencrypt. I do have test scripts in development for a separate Letsencrypt SSL wildcard mode (mainly for Cloudflare DNS API setups) for Nginx vhost creation. But as they all require DNS API domain validation, it isn't something I have been prepared to release unless I am willing to hand-hold each user for free and guide them through possibly 100s of DNS providers' API configurations to automate Letsencrypt SSL wildcard issuance :)

    Technically, Centmin Mod can manually do SSL wildcards and DNS API validation (supported via Cloudflare DNS and optionally via a few hidden settings for other domain DNS providers). Centmin Mod officially only supports the Cloudflare DNS API for per-hostname validations (see Letsencrypt Free SSL Certificates). But if you know how to do it manually via the underlying acme.sh used by Centmin Mod with other domain DNS providers' respective API configurations, you can technically do it for any acme.sh supported DNS provider outlined at dnsapi - 159 DNS providers currently listed. Here's a manual example of creating a Centmin Mod Nginx vhost with a Letsencrypt SSL wildcard certificate using the Cloudflare DNS API and manually setting up the Nginx vhost changes at centmin mod wildcard letsencrypt ssl cert with cloudflare token based api. No free support is provided by me, so you'd be on your own, or you can hire me for $$$ :)

    The closest you can come to multiple hostname based Letsencrypt SSL certificates is via /usr/local/src/centminmod/addons/acmetool.sh command line method outlined in thread at https://community.centminmod.com/th...ing-thread-for-centmin-mod-123-09beta01.8290/ - specifically for SANS Multi-Domain SSL Certificates which would require you to know before hand all the hostnames you want covered by the auto issued Letsencrypt SSL certificate.

     
  10. jellday

    jellday Member

    Thanks again for your help and time!

    I successfully added a wildcard subdomain SSL certificate, and here’s the process for anyone who may want to do the same:

    1. Set up DNS settings: find your DNS API parameters on the acme.sh DNS API wiki page: https://github.com/acmesh-official/acme.sh/wiki/dnsapi

    2. Issue the certificate: run the following command to issue the SSL certificate for your wildcard subdomain:

      # export your DNS provider's API credentials first, as documented on the dnsapi
      # wiki page (for dns_cf: CF_Token plus CF_Account_ID, or CF_Key plus CF_Email)
      ./acme.sh --issue --dns dns_cf -d '*.yourdomain.com'

      Replace dns_cf with your specific DNS API. Note that acme.sh is located in the /root/.acme.sh/ directory.

    3. Install the certificate to Nginx: After successfully issuing the certificate, install it with the following command:

      ./acme.sh --install-cert -d '*.yourdomain.com' \
      --cert-file /usr/local/nginx/conf/ssl/yourdomain.com/wildcard.yourdomain.com.cer \
      --key-file /usr/local/nginx/conf/ssl/yourdomain.com/wildcard.yourdomain.com.key \
      --fullchain-file /usr/local/nginx/conf/ssl/yourdomain.com/wildcard.yourdomain.com.pem \
      --reloadcmd "systemctl reload nginx"

    4. Back up and update your vhost configuration: make a backup of your vhost file and then update yourdomain.com.ssl.conf (the important part is the certificate part):

      server {
        listen 443 ssl;
        server_name *.yourdomain.com;

        # use the fullchain file written by --fullchain-file (leaf + intermediate);
        # the .cer from --cert-file is the leaf only, so nginx would not send the
        # intermediate and chain validation breaks for clients that lack it
        ssl_certificate /usr/local/nginx/conf/ssl/yourdomain.com/wildcard.yourdomain.com.pem;
        ssl_certificate_key /usr/local/nginx/conf/ssl/yourdomain.com/wildcard.yourdomain.com.key;

        access_log /home/nginx/domains/yourdomain.com/log/sub-access.log combined buffer=256k flush=5m; # You can rename the log file as needed.
        error_log /home/nginx/domains/yourdomain.com/log/sub-error.log;

        include /usr/local/nginx/conf/autoprotect/yourdomain.com/autoprotect-yourdomain.com.conf;
        root /home/nginx/domains/yourdomain.com/public/;

        include /usr/local/nginx/conf/503include-main.conf;

        location / {
          include /usr/local/nginx/conf/503include-only.conf;
        }

        include /usr/local/nginx/conf/php.conf;
        include /usr/local/nginx/conf/staticfiles.conf;
        include /usr/local/nginx/conf/drop.conf;
        #include /usr/local/nginx/conf/errorpage.conf;
        include /usr/local/nginx/conf/vts_server.conf;
      }

      Refer to the server_name and SSL settings of the www.yourdomain.com part for guidance.

    5. Test the setup: After making these changes, test your configuration. Everything should be working as expected!
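
    The ERR_CERT_COMMON_NAME_INVALID / Cloudflare 526 error earlier in the thread, and the per-hostname versus wildcard discussion that followed, both reduce to a name-matching rule: a certificate covers a hostname only if one of its Subject Alternative Names matches it, and a wildcard entry matches exactly one label on the left. As an added example (not part of this thread and not Centmin Mod or acme.sh code), here is a Python check that parses the SAN list out of `openssl x509 -noout -ext subjectAltName` output and reports which hostnames are covered. The two SAN listings and the hostnames are constructed for the demo and are assumptions, not output captured from the poster's server.

```python
"""Which hostnames does a certificate actually cover? Parses the SAN list from
openssl output and applies the wildcard rule CAs and browsers use (RFC 6125):
'*' may only be the entire leftmost label and matches exactly one label, so
*.mydomain.com covers rent.mydomain.com but neither mydomain.com nor
a.b.mydomain.com. Added example; not Centmin Mod or acme.sh code."""
import re

# Constructed samples shaped like the output of:
#   echo | openssl s_client -connect mydomain.com:443 2>/dev/null \
#     | openssl x509 -noout -ext subjectAltName
PER_HOSTNAME_SAN = """X509v3 Subject Alternative Name:
    DNS:mydomain.com, DNS:www.mydomain.com
"""
WILDCARD_SAN = """X509v3 Subject Alternative Name:
    DNS:*.mydomain.com
"""


def parse_san(openssl_output):
    """Return the dNSName entries, lowercased and without a trailing dot."""
    return [n.lower().rstrip(".") for n in re.findall(r"DNS:([^,\s]+)", openssl_output)]


def san_matches(san, hostname):
    """RFC 6125 style comparison of one SAN entry against one hostname."""
    san = san.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if san == hostname:
        return True
    if not san.startswith("*.") or "*" in san[2:]:
        return False                      # wildcard must be the whole leftmost label, nothing else
    suffix = san[1:]                      # ".mydomain.com"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]
    return bool(leftmost) and "." not in leftmost   # exactly one non-empty label


def covered(sans, hostname):
    return any(san_matches(s, hostname) for s in sans)


def coverage_report(openssl_output, hostnames):
    """Map each hostname to True/False; False is what Chrome reports as
    ERR_CERT_COMMON_NAME_INVALID and Cloudflare as error 526."""
    sans = parse_san(openssl_output)
    return {h: covered(sans, h) for h in hostnames}


if __name__ == "__main__":
    names = ["mydomain.com", "www.mydomain.com", "rent.mydomain.com", "a.b.mydomain.com"]
    print("per-hostname cert:", coverage_report(PER_HOSTNAME_SAN, names))
    print("wildcard cert:    ", coverage_report(WILDCARD_SAN, names))
```

    Two consequences worth checking against your own output: a certificate issued per hostname (mydomain.com plus www.mydomain.com) will never satisfy rent.mydomain.com, which is the mismatch seen after enabling SSL, and a certificate issued only for '*.yourdomain.com' does not cover the bare apex, so the apex must keep its own certificate (or be added as a second -d entry at issue time).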
     
  11. eva2000

    eva2000 Administrator Staff Member

    Great to hear and thanks for sharing for the benefit of others (y)