
SSL Domains Letsencrypt Letsencrypt SSL certificate renewal fails

Discussion in 'Domains, DNS, Email & SSL Certificates' started by ShaneVG, Mar 3, 2022.

  1. ShaneVG

    ShaneVG New Member

    Hi!


    In December I started with a clean install of CentOS with Centmin Mod on it. For the first time I used the SSL option with Letsencrypt. Now I notice in the logs that the certificate cannot be renewed. Can someone help based on input and logs provided?

    Let's Debug
    All OK ==> https://letsdebug.net/ictworkz.be/932518

    How was the initial letsencrypt ssl certificate obtained ? Which method ?
    New domain nginx vhost site setup for first time:
    Code:
    - centmin.sh
    -- 2) Nginx vhost site creation
    --- Create a self-signed SSL certificate Nginx vhost? [y/n]: n
    ---- Get Letsencrypt SSL certificate Nginx vhost? [y/n]: y
    ----- Issue live cert with HTTPS default (trusted)
    Output: grep acme /var/log/cron* | sed -e "s|$(hostname -s)|host|g"
    Code:
    /var/log/cron-20220206:Jan 30 05:14:01 host CROND[4528]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron-20220206:Jan 31 05:14:01 host CROND[10474]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron-20220206:Feb  1 05:14:01 host CROND[15523]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron-20220206:Feb  2 05:14:01 host CROND[22555]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron-20220206:Feb  3 05:14:01 host CROND[29193]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron-20220206:Feb  4 05:14:01 host CROND[2593]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron-20220206:Feb  5 05:14:01 host CROND[8747]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron-20220213:Feb  6 05:14:01 host CROND[15235]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron-20220213:Feb  7 05:14:01 host CROND[20385]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron-20220213:Feb  8 05:14:01 host CROND[24849]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron-20220213:Feb  9 05:14:01 host CROND[30708]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron-20220213:Feb 10 05:14:01 host CROND[3831]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron-20220213:Feb 11 05:14:01 host CROND[9730]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron-20220213:Feb 12 05:14:01 host CROND[14857]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron-20220220:Feb 13 05:14:01 host CROND[22886]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron-20220220:Feb 14 05:14:01 host CROND[27843]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron-20220220:Feb 15 05:14:01 host CROND[1329]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron-20220220:Feb 16 05:14:01 host CROND[8146]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron-20220220:Feb 17 05:14:01 host CROND[15352]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron-20220220:Feb 18 05:14:01 host CROND[20105]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron-20220220:Feb 19 05:14:01 host CROND[24645]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron-20220227:Feb 20 05:14:01 host CROND[31178]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron-20220227:Feb 21 05:14:01 host CROND[7456]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron-20220227:Feb 22 05:14:01 host CROND[14613]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron-20220227:Feb 23 05:14:01 host CROND[22466]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron-20220227:Feb 24 05:14:01 host CROND[30721]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron-20220227:Feb 25 05:14:01 host CROND[6192]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron-20220227:Feb 26 05:14:01 host CROND[14717]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    Output: echo y | /usr/local/src/centminmod/addons/acmetool.sh checkdates
    Code:
    ----------------------------------------------
    nginx installed
    ----------------------------------------------
    
    /usr/local/nginx/conf/ssl/ictworkz.be/ictworkz.be-acme.cer
    SHA1 Fingerprint=6D48038900B83F50A23812B0DB7C0ED73ED9ED8B
    certificate expires in 19 days on 22 Mar 2022
    
    /usr/local/nginx/conf/ssl/berlaarsedansstudio.be/berlaarsedansstudio.be-acme.cer
    SHA1 Fingerprint=0888F6080BF9FE1C0E20E68CA655DE7289BD73A6
    certificate expires in 32 days on 4 Apr 2022
    
    ----------------------------------------------
    acme.sh obtained
    ----------------------------------------------
    
    /root/.acme.sh/ictworkz.be/ictworkz.be.cer
    SHA1 Fingerprint=6D48038900B83F50A23812B0DB7C0ED73ED9ED8B
    [ below certifcate transparency link is only valid ~1hr after issuance ]
    https://crt.sh/?sha1=6D48038900B83F50A23812B0DB7C0ED73ED9ED8B
    certificate expires in 19 days on 22 Mar 2022
    
    /root/.acme.sh/berlaarsedansstudio.be/berlaarsedansstudio.be.cer
    SHA1 Fingerprint=0888F6080BF9FE1C0E20E68CA655DE7289BD73A6
    [ below certifcate transparency link is only valid ~1hr after issuance ]
    https://crt.sh/?sha1=0888F6080BF9FE1C0E20E68CA655DE7289BD73A6
    certificate expires in 32 days on 4 Apr 2022
    Output: "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh"
    Code:
    [Wed Mar  2 19:35:57 UTC 2022] ===Starting cron===
    [Wed Mar  2 19:35:57 UTC 2022] Renew: 'berlaarsedansstudio.be'
    [Wed Mar  2 19:35:57 UTC 2022] Skip, Next renewal time is: Sat Mar  5 13:22:14 UTC 2022
    [Wed Mar  2 19:35:57 UTC 2022] Add '--force' to force to renew.
    [Wed Mar  2 19:35:57 UTC 2022] Skipped berlaarsedansstudio.be
    [Wed Mar  2 19:35:57 UTC 2022] Renew: 'ictworkz.be'
    [Wed Mar  2 19:35:58 UTC 2022] Using CA: https://acme-v02.api.letsencrypt.org/directory
    [Wed Mar  2 19:35:58 UTC 2022] Multi domain='DNS:ictworkz.be,DNS:www.ictworkz.be'
    [Wed Mar  2 19:35:58 UTC 2022] Getting domain auth token for each domain
    [Wed Mar  2 19:36:01 UTC 2022] Getting webroot for domain='ictworkz.be'
    [Wed Mar  2 19:36:01 UTC 2022] Getting webroot for domain='www.ictworkz.be'
    [Wed Mar  2 19:36:01 UTC 2022] Verifying: ictworkz.be
    [Wed Mar  2 19:36:02 UTC 2022] Pending, The CA is processing your order, please just wait. (1/30)
    [Wed Mar  2 19:36:05 UTC 2022] ictworkz.be:Verify error:Invalid response from https://ictworkz.be/.well-known/acme-challenge/LOWm2UCQjD6Kirn0LP1r_VAnSj_HdyjSABuuOySLZfo [81.4.106.240]:
    [Wed Mar  2 19:36:05 UTC 2022] Please check log file for more details: /root/centminlogs/acmetool.sh-debug-log-040122-132156.log
    [Wed Mar  2 19:36:06 UTC 2022] Error renew ictworkz.be.
    [Wed Mar  2 19:36:06 UTC 2022] ===End cron===
    Output: echo | openssl s_client -connect ictworkz.be:443
    Code:
    CONNECTED(00000003)
    depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
    verify return:1
    depth=1 C = US, O = Let's Encrypt, CN = R3
    verify return:1
    depth=0 CN = berlaarsedansstudio.be
    verify return:1
    ---
    Certificate chain
     0 s:/CN=berlaarsedansstudio.be
       i:/C=US/O=Let's Encrypt/CN=R3
     1 s:/C=US/O=Let's Encrypt/CN=R3
       i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
     2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
       i:/O=Digital Signature Trust Co./CN=DST Root CA X3
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    MIIFTTCCBDWgAwIBAgISA7tCmCgdlb4hA78DK98mivADMA0GCSqGSIb3DQEBCwUA
    MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD
    EwJSMzAeFw0yMjAxMDQxMjIyMTJaFw0yMjA0MDQxMjIyMTFaMCExHzAdBgNVBAMT
    FmJlcmxhYXJzZWRhbnNzdHVkaW8uYmUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
    ggEKAoIBAQC8q1EHEPd9VQ/1FAo+2Nojn+LDgt72JvCwyFkJUgJcBhat7NFblzX+
    B8EnSYfdvIDBo7htYleGVqn8fitqoCQVX8q2JokpRLA2Z1IveJi3IyyB2yFd3ylu
    qx7TZI+xjKfQiLbKh9VhNcCRYbX6/D3+RRyrYz2BuJQGFsh/wNP9yQ2hUyEDO6/6
    7c/h2WC8Rie/t3jJrvRjTs8/2Yyu63CesqUnbFcodVTZ23SpZKQNsG5Q+7VvURvx
    5cA84ZcEang37rxekXgH07nsH4LjNqEhhdFaP4hrNQWZ/UAqEhwxYHTptliEa1tl
    keEzKl5i7OiX+QMIy0KzhYCMf1LNd3KhAgMBAAGjggJsMIICaDAOBgNVHQ8BAf8E
    BAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQC
    MAAwHQYDVR0OBBYEFMLzRO6MqeyH20yZ8kTK1kP89Z4AMB8GA1UdIwQYMBaAFBQu
    sxe3WFbLrlAJQOYfr52LFMLGMFUGCCsGAQUFBwEBBEkwRzAhBggrBgEFBQcwAYYV
    aHR0cDovL3IzLm8ubGVuY3Iub3JnMCIGCCsGAQUFBzAChhZodHRwOi8vcjMuaS5s
    ZW5jci5vcmcvMD0GA1UdEQQ2MDSCFmJlcmxhYXJzZWRhbnNzdHVkaW8uYmWCGnd3
    dy5iZXJsYWFyc2VkYW5zc3R1ZGlvLmJlMEwGA1UdIARFMEMwCAYGZ4EMAQIBMDcG
    CysGAQQBgt8TAQEBMCgwJgYIKwYBBQUHAgEWGmh0dHA6Ly9jcHMubGV0c2VuY3J5
    cHQub3JnMIIBAwYKKwYBBAHWeQIEAgSB9ASB8QDvAHUA36Veq2iCTx9sre64X04+
    WurNohKkal6OOxLAIERcKnMAAAF+JUEihAAABAMARjBEAiBa0K1VaoAdMu7NzeA/
    Rw9DbvfCiOwd9ozlA3p81Ts2bwIgPLhXgMgN5PSWUi89CRvcsTx259hetXgBPl01
    iqz/XlAAdgBGpVXrdfqRIDC1oolp9PN9ESxBdL79SbiFq/L8cP5tRwAAAX4lQSKn
    AAAEAwBHMEUCICQ+3vgOz+Sdr9l0CZ/DBtDWioQiFBKkJI1gbnv8/Z1jAiEA5cJp
    2M/Org5EzKi81ATm6+gx83xQht+WnFSjrgBMupAwDQYJKoZIhvcNAQELBQADggEB
    AKgHQUeUSIjhb/8iZwWRB1bMkyU4Y1XrDRJbdRMNrxrYf1LgVFUHz6uSCa3TcH3V
    fVoBtTZ/7hsewzUXx9wWTb1/MQIrLr5Q345Z+VUKDdwjBXvj0/WNnX7vVujcslOz
    coCVt9vCMRgbks2nRDI3oTX2lYC4tTXhU/mCHK4GRiGdRMT9VlBQs+SzsLV4tRbb
    I7qOv+OdVZyJY2LFn1UXxpJ26kV0aA3Pxb9n9+64FjxdyY0znQNn+ubibGzoKS1V
    g7TiVIzYQOgiQPQ3OjsSl4M67+mtskf8H+4NpNdo1CkyE4OLCFNuJpSJrF4jrrr+
    VH3ypTUfya5nODWmmGUMVJg=
    -----END CERTIFICATE-----
    subject=/CN=berlaarsedansstudio.be
    issuer=/C=US/O=Let's Encrypt/CN=R3
    ---
    No client certificate CA names sent
    Peer signing digest: SHA256
    Server Temp Key: ECDH, P-256, 256 bits
    ---
    SSL handshake has read 4723 bytes and written 415 bytes
    ---
    New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : ECDHE-RSA-AES128-GCM-SHA256
        Session-ID: 19BEB8CB177180AA8E80C7F248EC17799AABC06F9A77612906DD77C5F658B421
        Session-ID-ctx:
        Master-Key: 7D1EE1588CA1A24CCBB6924B81447474574E5AA9982868DD3EE04B7702CA7DB67EBC99FEF0B3F34EAE01085C319031C8
        Key-Arg   : None
        Krb5 Principal: None
        PSK identity: None
        PSK identity hint: None
        TLS session ticket lifetime hint: 3600 (seconds)
        TLS session ticket:
        0000 - 41 eb 5c b6 31 16 47 d0-5e 08 b2 a5 80 a1 b8 a6   A.\.1.G.^.......
        0010 - f1 90 04 6c ba 7c f5 2e-e6 36 03 fe 8c a7 7d da   ...l.|...6....}.
        0020 - 30 21 86 8d 6b e3 98 65-92 04 74 30 0a c4 aa f8   0!..k..e..t0....
        0030 - 69 ba 18 d7 9c 17 98 b1-ed ee 52 2f 76 31 d7 b6   i.........R/v1..
        0040 - 30 8a a3 88 0d f7 81 94-ff 3b ea 9d 9a 93 c5 f8   0........;......
        0050 - 94 0e f7 ac c9 65 97 25-3d 73 94 24 2f 29 08 4f   .....e.%=s.$/).O
        0060 - f3 cb 42 8f 6d da ca 28-05 e5 0e 03 28 cf dc 60   ..B.m..(....(..`
        0070 - 13 1c e6 51 4c a3 5c 79-2d 63 d6 57 c1 ee 53 a9   ...QL.\y-c.W..S.
        0080 - 60 a7 99 3f 5e 33 f7 2b-3b 62 1b cf b2 03 25 34   `..?^3.+;b....%4
        0090 - af 5b 80 e4 77 96 0d 11-a8 c2 cb 45 f1 41 8a 36   .[..w......E.A.6
        00a0 - 23 56 05 92 c8 6c 4b 8a-a7 5c 7e 42 a2 6c 32 92   #V...lK..\~B.l2.
    
        Start Time: 1646249828
        Timeout   : 300 (sec)
        Verify return code: 0 (ok)
    ---
    SSLLabs Test
     
  2. eva2000

    eva2000 Administrator Staff Member

    For the problematic domain, when you create a new nginx vhost domain via centmin.sh menu option 2 or menu option 22 or via the /usr/bin/nv cli command line, you will create the Nginx vhost files and directories. It will output the path locations where it creates the domain name's vhost conf file named newdomain.com.conf (and newdomain.com.ssl.conf if you selected yes to self-signed SSL):
    • Nginx vhost conf path will be at /usr/local/nginx/conf/conf.d/newdomain.com.conf
    • Nginx HTTP/2 SSL vhost conf path will be at /usr/local/nginx/conf/conf.d/newdomain.com.ssl.conf
    • Nginx Self-Signed SSL Certificate Directory at /usr/local/nginx/conf/ssl/newdomain.com
    • Vhost public web root will be at /home/nginx/domains/newdomain.com/public
    • Vhost log directory will be at /home/nginx/domains/newdomain.com/log
    Please post the contents of /usr/local/nginx/conf/conf.d/newdomain.com.conf and if applicable /usr/local/nginx/conf/conf.d/newdomain.com.ssl.conf wrapped in CODE tags (outlined at How to use forum BBCODE code tags)

    What is the output of these commands in SSH?
    Code (Text):
    curl -I https://domain.com
    

    Code (Text):
    curl -I https://www.domain.com
    

    Code (Text):
    curl -I http://domain.com
    

    Code (Text):
    curl -I http://www.domain.com
    

    wrap output in CODE tags
     
  3. ShaneVG

    ShaneVG New Member

    Hi,

    There seems to be only an .ssl.conf file?

    Code:
    [17:39][root@volcano.ictworkz.be ~]# cd /usr/local/nginx/conf/conf.d/
    [17:39][root@volcano.ictworkz.be conf.d]# ls -lah
    total 28K
    drwxr-xr-x 2 root root 4.0K Jan  4 13:22 .
    drwxr-xr-x 7 root root 4.0K Mar  2 12:23 ..
    -rw-r--r-- 1 root root 4.0K Jan  4 17:33 berlaarsedansstudio.be.ssl.conf
    -rw-r--r-- 1 root root 1.1K Dec 22 15:14 demodomain.com.conf
    -rw-r--r-- 1 root root 4.0K Dec 23 11:06 ictworkz.be.ssl.conf
    -rw-r--r-- 1 root root 2.2K Dec 22 20:07 phpmyadmin_ssl.conf
    -rw-r--r-- 1 root root 1.5K Dec 22 20:07 virtual.conf
    ictworkz.be.ssl.conf
    Code:
    # must read https://centminmod.com/getstarted.html
    # read https://centminmod.com/nginx_configure_https_ssl_spdy.html
    
    #x# HTTPS-DEFAULT
     server {
    
       server_name ictworkz.be www.ictworkz.be;
       return 302 https://ictworkz.be$request_uri;
       root /home/nginx/domains/ictworkz.be/public;
       include /usr/local/nginx/conf/staticfiles.conf;
     }
    # must read https://centminmod.com/getstarted.html
    # read https://centminmod.com/nginx_configure_https_ssl_spdy.html
    
    
    server {
      listen 443 ssl http2 reuseport;
      server_name ictworkz.be www.ictworkz.be;
    
      include /usr/local/nginx/conf/ssl/ictworkz.be/ictworkz.be.crt.key.conf;
      include /usr/local/nginx/conf/ssl_include.conf;
    
     include /home/nginx/domains/ictworkz.be/public/hidemywpghost.conf;
    
      # cloudflare authenticated origin pull cert community.centminmod.com/threads/13847/
      #ssl_client_certificate /usr/local/nginx/conf/ssl/cloudflare/ictworkz.be/origin.crt;
      #ssl_verify_client on;
    
    
    
      # mozilla recommended
      ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS;
      ssl_prefer_server_ciphers   on;
      #add_header Alternate-Protocol  443:npn-spdy/3;
    
      # before enabling HSTS line below read centminmod.com/nginx_domain_dns_setup.html#hsts
      #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
      #add_header X-Frame-Options SAMEORIGIN;
      add_header X-Xss-Protection "1; mode=block" always;
      add_header X-Content-Type-Options "nosniff" always;
      #add_header Referrer-Policy "strict-origin-when-cross-origin";
      #add_header Permissions-Policy "accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=()";
      #spdy_headers_comp 5;
      ssl_buffer_size 1369;
      ssl_session_tickets on;
    
      # enable ocsp stapling
      resolver 8.8.8.8 8.8.4.4 1.1.1.1 1.0.0.1 valid=10m;
      resolver_timeout 10s;
      ssl_stapling on;
      ssl_stapling_verify on;
    
    # ngx_pagespeed & ngx_pagespeed handler
    #include /usr/local/nginx/conf/pagespeed.conf;
    #include /usr/local/nginx/conf/pagespeedhandler.conf;
    #include /usr/local/nginx/conf/pagespeedstatslog.conf;
    
      # limit_conn limit_per_ip 16;
      # ssi  on;
    
      access_log /home/nginx/domains/ictworkz.be/log/access.log combined buffer=256k flush=5m;
      error_log /home/nginx/domains/ictworkz.be/log/error.log;
    
      include /usr/local/nginx/conf/autoprotect/ictworkz.be/autoprotect-ictworkz.be.conf;
      root /home/nginx/domains/ictworkz.be/public;
      # uncomment cloudflare.conf include if using cloudflare for
      # server and/or vhost site
      #include /usr/local/nginx/conf/cloudflare.conf;
      include /usr/local/nginx/conf/503include-main.conf;
    
      location / {
      include /usr/local/nginx/conf/503include-only.conf;
    
    # block common exploits, sql injections etc
    #include /usr/local/nginx/conf/block.conf;
    
      # Enables directory listings when index file not found
      #autoindex  on;
    
      # Shows file listing times as local time
      #autoindex_localtime on;
    
      include /usr/local/nginx/conf/wpsecure.conf;
      include /usr/local/nginx/conf/wpnocache.conf;
    
      # Wordpress Permalinks example
      try_files $uri $uri/ /index.php?q=$uri&$args;
    
      }
    
      include /usr/local/nginx/conf/php.conf;
    
      include /usr/local/nginx/conf/pre-staticfiles-local-ictworkz.be.conf;
      include /usr/local/nginx/conf/pre-staticfiles-global.conf;
      include /usr/local/nginx/conf/staticfiles.conf;
      include /usr/local/nginx/conf/drop.conf;
      #include /usr/local/nginx/conf/errorpage.conf;
      include /usr/local/nginx/conf/vts_server.conf;
    }
    Code:
    [17:47][root@volcano.ictworkz.be conf.d]# curl -I https://ictworkz.be
    HTTP/1.1 200 OK
    Date: Wed, 16 Mar 2022 17:48:31 GMT
    Content-Type: text/html; charset=UTF-8
    Connection: keep-alive
    Vary: Accept-Encoding
    Link: <https://ictworkz.be/wp-json/>; rel="https://api.w.org/"
    Server: nginx centminmod
    X-Powered-By: centminmod
    X-Xss-Protection: 1; mode=block
    X-Content-Type-Options: nosniff
    Code:
    [17:48][root@volcano.ictworkz.be conf.d]# curl -I https://www.ictworkz.be
    HTTP/1.1 301 Moved Permanently
    Date: Wed, 16 Mar 2022 17:49:15 GMT
    Content-Type: text/html; charset=UTF-8
    Connection: keep-alive
    X-Redirect-By: WordPress
    Location: https://ictworkz.be/
    Server: nginx centminmod
    X-Powered-By: centminmod
    X-Xss-Protection: 1; mode=block
    X-Content-Type-Options: nosniff
    Code:
    [17:49][root@volcano.ictworkz.be conf.d]# curl -I http://ictworkz.be
    HTTP/1.1 302 Moved Temporarily
    Date: Wed, 16 Mar 2022 17:49:35 GMT
    Content-Type: text/html
    Content-Length: 138
    Connection: keep-alive
    Location: https://ictworkz.be/
    Server: nginx centminmod
    X-Powered-By: centminmod
    Code:
    [17:49][root@volcano.ictworkz.be conf.d]# curl -I http://www.ictworkz.be
    HTTP/1.1 302 Moved Temporarily
    Date: Wed, 16 Mar 2022 17:50:05 GMT
    Content-Type: text/html
    Content-Length: 138
    Connection: keep-alive
    Location: https://ictworkz.be/
    Server: nginx centminmod
    X-Powered-By: centminmod
     
  4. eva2000

    eva2000 Administrator Staff Member

    Yes, if you selected "Issue live cert with HTTPS default (trusted)", then only the .ssl.conf version of the Nginx vhost would exist. Your Nginx vhost looks okay with the exception of this include: what's inside the hidemywpghost.conf file? It could be something blocking Letsencrypt from validating the domain via web root authentication.
    Code (Text):
    include /home/nginx/domains/ictworkz.be/public/hidemywpghost.conf;
    
     
  5. ShaneVG

    ShaneVG New Member

    Hi,

    Empty :) It was from when I was testing a WordPress plugin to hide some WordPress stuff, but the plugin itself was disabled a while ago, so it automatically removed the content of hidemywpghost.conf.

    I removed the line with no luck :(

    Code:
    [Thu Mar 17 19:37:13 UTC 2022] Renew: 'ictworkz.be'
    [Thu Mar 17 19:37:14 UTC 2022] Using CA: https://acme-v02.api.letsencrypt.org/directory
    [Thu Mar 17 19:37:14 UTC 2022] Multi domain='DNS:ictworkz.be,DNS:www.ictworkz.be'
    [Thu Mar 17 19:37:14 UTC 2022] Getting domain auth token for each domain
    [Thu Mar 17 19:37:17 UTC 2022] Getting webroot for domain='ictworkz.be'
    [Thu Mar 17 19:37:17 UTC 2022] Getting webroot for domain='www.ictworkz.be'
    [Thu Mar 17 19:37:17 UTC 2022] Verifying: ictworkz.be
    [Thu Mar 17 19:37:18 UTC 2022] Pending, The CA is processing your order, please just wait. (1/30)
    [Thu Mar 17 19:37:21 UTC 2022] ictworkz.be:Verify error:Invalid response from https://ictworkz.be/.well-known/acme-challenge/551iXJhwAgmUvz0csRm6WfsRp80kA7xAYxKJ-yqc8io [81.4.106.240]: 403
    [Thu Mar 17 19:37:21 UTC 2022] Please check log file for more details: /root/centminlogs/acmetool.sh-debug-log-040122-132156.log
    [Thu Mar 17 19:37:22 UTC 2022] Error renew ictworkz.be.
    [Thu Mar 17 19:37:22 UTC 2022] ===End cron===
     
  6. eva2000

    eva2000 Administrator Staff Member

    The only other file I can see that could possibly block requests by accident is your Nginx autoprotect include file
    Code (Text):
      include /usr/local/nginx/conf/autoprotect/ictworkz.be/autoprotect-ictworkz.be.conf;
    

    see https://community.centminmod.com/threads/wordpress-403-permission-denied-errors.11215/ and https://community.centminmod.com/th...ccess-check-migration-to-nginx-deny-all.7308/
    Try commenting out the file
    Code (Text):
      #include /usr/local/nginx/conf/autoprotect/ictworkz.be/autoprotect-ictworkz.be.conf;
    

    Restart Nginx
    Code (Text):
    ngxrestart

    Then try to re-issue the SSL certificate
    Code (Text):
    "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh"
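The following is an added diagnostic helper, not code from this thread and not part of Centmin Mod or acme.sh. It scripts the check eva2000 is walking through above for an HTTP-01 webroot renewal that fails with 403: drop a throw-away token where acme.sh would write it, fetch it the way the CA does (following the http-to-https redirect) for each hostname on the certificate, map the final status to the likely cause, and grep a vhost file for directives that commonly swallow /.well-known/acme-challenge/ (bare `deny all`, dotfile locations such as `location ~ /\.`, `return 403`). The domain, the Centmin Mod paths (/home/nginx/domains/<domain>/public, /usr/local/nginx/conf/conf.d/<domain>.ssl.conf) and the status-to-cause mapping are assumptions taken from the thread.

```shell
#!/bin/sh
# Added diagnostic helper (not Centmin Mod or acme.sh code). Paths and domain
# below are assumptions matching the layout shown in the thread; override via env.
DOMAIN="${DOMAIN:-ictworkz.be}"
WEBROOT="${WEBROOT:-/home/nginx/domains/$DOMAIN/public}"
VHOST="${VHOST:-/usr/local/nginx/conf/conf.d/$DOMAIN.ssl.conf}"

# Translate the final HTTP status the CA would see for the challenge URL into
# the most likely cause (mapping is an assumption based on the thread's diagnosis).
acme_diagnose() {
  case "$1" in
    200) echo "ok: token served from the webroot" ;;
    403) echo "blocked: an nginx deny/autoprotect rule or a plugin include matches /.well-known/acme-challenge/" ;;
    404) echo "missing: nginx serves a different webroot than the one acme.sh writes the token into" ;;
    000) echo "unreachable: no HTTP response (DNS, firewall or nginx not listening)" ;;
    *)   echo "unexpected status $1" ;;
  esac
}

# List directives in one nginx config file that commonly swallow the challenge
# path: "deny all", dotfile locations like "location ~ /\." and "return 403".
# Commented-out lines do not match. Exit status is 0 when something matched.
find_challenge_blockers() {
  grep -nE '^[[:space:]]*(deny[[:space:]]+all|location[[:space:]]+~[^{]*\\\.|return[[:space:]]+403)' "$1"
}

# Live probe: write a token where acme.sh (webroot mode) would, fetch it as the
# CA does, following redirects, then scan the vhost for blocking directives.
acme_probe() {
  dir="$WEBROOT/.well-known/acme-challenge"
  token="probe-$(date +%s)-$$"
  mkdir -p "$dir" && printf '%s\n' "$token" > "$dir/$token"
  for host in "$DOMAIN" "www.$DOMAIN"; do
    url="http://$host/.well-known/acme-challenge/$token"
    code=$(curl -s -L --max-redirs 5 -o /dev/null -w '%{http_code}' "$url")
    printf '%s -> %s (%s)\n' "$url" "$code" "$(acme_diagnose "$code")"
  done
  rm -f "$dir/$token"
  echo "--- directives in $VHOST that can block the challenge path:"
  find_challenge_blockers "$VHOST" || echo "(none in this file; check the included files, e.g. the autoprotect include)"
}

# Only run the live probe when invoked with "probe", so the helpers can be sourced.
if [ "${1:-}" = "probe" ]; then
  acme_probe
fi
```

Run it on the server as `sh acme-probe.sh probe` after `ngxrestart`. A 403 together with a listed `deny all` or `location ~ /\.` line points at the include eva2000 asks about; a 404 means acme.sh and nginx disagree about the webroot. `find_challenge_blockers` scans a single file, and a Centmin Mod vhost pulls in several includes (the autoprotect file, wpsecure.conf, drop.conf), so point VHOST at each include in turn when the vhost itself comes up clean.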