Letsencrypt Let's encrypt autorenew problem

Discussion in 'Domains, DNS, Email & SSL Certificates' started by Meirami, May 16, 2018.

  1. Meirami

    Meirami Member

    My site is forced from http to https and I think that's why I can't get a new certificate automatically. I've been trying different tricks without success. Now I have to stop, because Let's Encrypt says "too many failed authorizations".

    This is when problems start with autorenew.
    Code:
    [Wed May 16 00:50:51 UTC 2018] response='{"type":"http-01","status":"pending","uri":"https://acme-v01.api.letsencrypt.org/acme/challenge/0pmVw8Hdr42ysOSxDfJ6G6YgdeGKci82JPeDU_p-lUU/4663008782","token":"f6Y6PoU7Zzjngh-dfBe_fb2GFpFj_nt4Z3y2i1zsFT0","keyAuthorization":"f6Y6PoU7Zzjngh-dfBe_fb2GFpFj_nt4Z3y2i1zsFT0.ukVgFgQ7y14lEuZDr6FFzotPmTUb03MQ58f6Ru5Jzqc"}'
    [Wed May 16 00:50:51 UTC 2018] code='202'
    [Wed May 16 00:50:51 UTC 2018] sleep 2 secs to verify
    [Wed May 16 00:50:53 UTC 2018] checking
    [Wed May 16 00:50:53 UTC 2018] GET
    [Wed May 16 00:50:53 UTC 2018] url='https://acme-v01.api.letsencrypt.org/acme/challenge/0pmVw8Hdr42ysOSxDfJ6G6YgdeGKci82JPeDU_p-lUU/4663008782'
    [Wed May 16 00:50:53 UTC 2018] timeout=
    [Wed May 16 00:50:53 UTC 2018] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header  -g '
    [Wed May 16 00:50:54 UTC 2018] ret='0'
    [Wed May 16 00:50:54 UTC 2018] original='{
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:acme:error:unauthorized",
        "detail": "Invalid response from http://domain.name/.well-known/acme-challenge/f6Y6PoU7Zzjngh-dfBe_fb2GFpFj_nt4Z3y2i1zsFT0: \"\u003chtml\u003e\r\n\u003chead\u003e\u003ctitle\u003e404 Not Found\u003c/title\u003e\u003c/head\u003e\r\n\u003cbody bgcolor=\"white\"\u003e\r\n\u003ccenter\u003e\u003ch1\u003e404 Not Found\u003c/h1\u003e\u003c/center\u003e\r\n\u003chr\u003e\u003ccenter\u003e\"",
        "status": 403
      },
      "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/0pmVw8Hdr42ysOSxDfJ6G6YgdeGKci82JPeDU_p-lUU/4663008782",
      "token": "f6Y6PoU7Zzjngh-dfBe_fb2GFpFj_nt4Z3y2i1zsFT0",
      "keyAuthorization": "f6Y6PoU7Zzjngh-dfBe_fb2GFpFj_nt4Z3y2i1zsFT0.ukVgFgQ7y14lEuZDr6FFzotPmTUb03MQ58f6Ru5Jzqc",
      "validationRecord": [
        {
          "url": "http://domain.name/.well-known/acme-challenge/f6Y6PoU7Zzjngh-dfBe_fb2GFpFj_nt4Z3y2i1zsFT0",
          "hostname": "domain.name",
          "port": "80",
          "addressesResolved": [
            "123.123.33.111"
          ],
          "addressUsed": "123.123.33.111"
        }
      ]
    }'
    [Wed May 16 00:50:54 UTC 2018] response='{"type":"http-01","status":"invalid","error":{"type":"urn:acme:error:unauthorized","detail":"Invalid response from http://domain.name/.well-known/acme-challenge/f6Y6PoU7Zzjngh-dfBe_fb2GFpFj_nt4Z3y2i1zsFT0: \"\u003chtml\u003e\r\n\u003chead\u003e\u003ctitle\u003e404 Not Found\u003c/title\u003e\u003c/head\u003e\r\n\u003cbody bgcolor=\"white\"\u003e\r\n\u003ccenter\u003e\u003ch1\u003e404 Not Found\u003c/h1\u003e\u003c/center\u003e\r\n\u003chr\u003e\u003ccenter\u003e\"","status": 403},"uri":"https://acme-v01.api.letsencrypt.org/acme/challenge/0pmVw8Hdr42ysOSxDfJ6G6YgdeGKci82JPeDU_p-lUU/4663008782","token":"f6Y6PoU7Zzjngh-dfBe_fb2GFpFj_nt4Z3y2i1zsFT0","keyAuthorization":"f6Y6PoU7Zzjngh-dfBe_fb2GFpFj_nt4Z3y2i1zsFT0.ukVgFgQ7y14lEuZDr6FFzotPmTUb03MQ58f6Ru5Jzqc","validationRecord":[{"url":"http://domain.name/.well-known/acme-challenge/f6Y6PoU7Zzjngh-dfBe_fb2GFpFj_nt4Z3y2i1zsFT0","hostname":"domain.name","port":"80","addressesResolved":["123.123.33.111"],"addressUsed":"123.123.33.111"}]}'
    [Wed May 16 00:50:54 UTC 2018] error='"error":{"type":"urn:acme:error:unauthorized","detail":"Invalid response from http://domain.name/.well-known/acme-challenge/f6Y6PoU7Zzjngh-dfBe_fb2GFpFj_nt4Z3y2i1zsFT0: '
    [Wed May 16 00:50:54 UTC 2018] errordetail='Invalid response from http://domain.name/.well-known/acme-challenge/f6Y6PoU7Zzjngh-dfBe_fb2GFpFj_nt4Z3y2i1zsFT0: '
    [Wed May 16 00:50:54 UTC 2018] domain.name:Verify error:Invalid response from http://domain.name/.well-known/acme-challenge/f6Y6PoU7Zzjngh-dfBe_fb2GFpFj_nt4Z3y2i1zsFT0:
    [Wed May 16 00:50:54 UTC 2018] Debug: get token url.
    [Wed May 16 00:50:54 UTC 2018] GET
    [Wed May 16 00:50:54 UTC 2018] url='http://domain.name/.well-known/acme-challenge/f6Y6PoU7Zzjngh-dfBe_fb2GFpFj_nt4Z3y2i1zsFT0'
    [Wed May 16 00:50:54 UTC 2018] timeout=1
    [Wed May 16 00:50:54 UTC 2018] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header  -g  --connect-timeout 1'
    [Wed May 16 00:50:54 UTC 2018] ret='0'
    [Wed May 16 00:50:54 UTC 2018] Debugging, skip removing: /home/nginx/domains/domain.name/public/.well-known/acme-challenge/f6Y6PoU7Zzjngh-dfBe_fb2GFpFj_nt4Z3y2i1zsFT0
    [Wed May 16 00:50:54 UTC 2018] pid
    [Wed May 16 00:50:54 UTC 2018] No need to restore nginx, skip.
    [Wed May 16 00:50:54 UTC 2018] _clearupdns
    [Wed May 16 00:50:54 UTC 2018] skip dns.
    [Wed May 16 00:50:54 UTC 2018] _on_issue_err
    [Wed May 16 00:50:54 UTC 2018] Please check log file for more details: /root/centminlogs/acmetool.sh-debug-log-150318-160203.log
    [Wed May 16 00:50:54 UTC 2018] _chk_vlist='domain.name#f6Y6PoU7Zzjngh-dfBe_fb2GFpFj_nt4Z3y2i1zsFT0.ukVgFgQ7y14lEuZDr6FFzotPmTUb03MQ58f6Ru5Jzqc#https://acme-v01.api.letsencrypt.org/acme/challenge/0pmVw8Hdr42ysOSxDfJ6G6YgdeGKci82JPeDU_p-lUU/4663008782#http-01#/home/nginx/domains/domain.name/public,www.domain.name#h41MCKc4qWVt27ZFEbzGPlpLxXvGV_sU0kR_f4PFll0.ukVgFgQ7y14lEuZDr6FFzotPmTUb03MQ58f6Ru5Jzqc#https://acme-v01.api.letsencrypt.org/acme/challenge/-iPyHt-d1qHpDLvdqgJ7PypnZ9keI45xLGGvct7mYzk/4663008958#http-01#/home/nginx/domains/domain.name/public,'
    [Wed May 16 00:50:54 UTC 2018] start to deactivate authz
    [Wed May 16 00:50:54 UTC 2018] tigger domain validation.
    [Wed May 16 00:50:54 UTC 2018] _t_url='https://acme-v01.api.letsencrypt.org/acme/challenge/0pmVw8Hdr42ysOSxDfJ6G6YgdeGKci82JPeDU_p-lUU/4663008782'
    [Wed May 16 00:50:54 UTC 2018] _t_key_authz='f6Y6PoU7Zzjngh-dfBe_fb2GFpFj_nt4Z3y2i1zsFT0.ukVgFgQ7y14lEuZDr6FFzotPmTUb03MQ58f6Ru5Jzqc'
    [Wed May 16 00:50:54 UTC 2018] url='https://acme-v01.api.letsencrypt.org/acme/challenge/0pmVw8Hdr42ysOSxDfJ6G6YgdeGKci82JPeDU_p-lUU/4663008782'
    [Wed May 16 00:50:54 UTC 2018] payload='{"resource": "challenge", "keyAuthorization": "f6Y6PoU7Zzjngh-dfBe_fb2GFpFj_nt4Z3y2i1zsFT0.ukVgFgQ7y14lEuZDr6FFzotPmTUb03MQ58f6Ru5Jzqc"}'
    [Wed May 16 00:50:54 UTC 2018] Use cached jwk for file: /root/.acme.sh/ca/acme-v01.api.letsencrypt.org/account.key
    [Wed May 16 00:50:54 UTC 2018] Use _CACHED_NONCE='ab05UCrVk6wnvHoAjrofKBPynwIAhshFYdqJruEAihg'
    [Wed May 16 00:50:54 UTC 2018] nonce='ab05UCrVk6wnvHoAjrofKBPynwIAhshFYdqJruEAihg'
    [Wed May 16 00:50:54 UTC 2018] POST
    [Wed May 16 00:50:54 UTC 2018] _post_url='https://acme-v01.api.letsencrypt.org/acme/challenge/0pmVw8Hdr42ysOSxDfJ6G6YgdeGKci82JPeDU_p-lUU/4663008782'
    [Wed May 16 00:50:54 UTC 2018] Http already initialized.
    [Wed May 16 00:50:54 UTC 2018] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header  -g  -H "Content-Type: application/jose+json" '
    [Wed May 16 00:50:55 UTC 2018] _ret='0'
    [Wed May 16 00:50:55 UTC 2018] original='{
      "type": "urn:acme:error:malformed",
      "detail": "Unable to update challenge :: The challenge is not pending.",
      "status": 400
    }'
    [Wed May 16 00:50:55 UTC 2018] responseHeaders='HTTP/1.1 100 Continue
    Expires: Wed, 16 May 2018 00:50:55 GMT
    Cache-Control: max-age=0, no-cache, no-store
    Pragma: no-cache
    
    HTTP/1.1 400 Bad Request
    Server: nginx
    Content-Type: application/problem+json
    Content-Length: 132
    Boulder-Requester: 31209276
    Replay-Nonce: ZsoutRElrBlNLrLRu4zurznAw0P3AZSv_y5wa4PBs7o
    Expires: Wed, 16 May 2018 00:50:55 GMT
    Cache-Control: max-age=0, no-cache, no-store
    Pragma: no-cache
    Date: Wed, 16 May 2018 00:50:55 GMT
    Connection: close
    '
    [Wed May 16 00:50:55 UTC 2018] response='{"type":"urn:acme:error:malformed","detail":"Unable to update challenge :: The challenge is not pending.","status": 400}'
    [Wed May 16 00:50:55 UTC 2018] code='400'
    [Wed May 16 00:50:55 UTC 2018] tigger domain validation.
    [Wed May 16 00:50:55 UTC 2018] _t_url='https://acme-v01.api.letsencrypt.org/acme/challenge/-iPyHt-d1qHpDLvdqgJ7PypnZ9keI45xLGGvct7mYzk/4663008958'
    [Wed May 16 00:50:55 UTC 2018] _t_key_authz='h41MCKc4qWVt27ZFEbzGPlpLxXvGV_sU0kR_f4PFll0.ukVgFgQ7y14lEuZDr6FFzotPmTUb03MQ58f6Ru5Jzqc'
    [Wed May 16 00:50:55 UTC 2018] url='https://acme-v01.api.letsencrypt.org/acme/challenge/-iPyHt-d1qHpDLvdqgJ7PypnZ9keI45xLGGvct7mYzk/4663008958'
    [Wed May 16 00:50:55 UTC 2018] payload='{"resource": "challenge", "keyAuthorization": "h41MCKc4qWVt27ZFEbzGPlpLxXvGV_sU0kR_f4PFll0.ukVgFgQ7y14lEuZDr6FFzotPmTUb03MQ58f6Ru5Jzqc"}'
    [Wed May 16 00:50:55 UTC 2018] Use cached jwk for file: /root/.acme.sh/ca/acme-v01.api.letsencrypt.org/account.key
    [Wed May 16 00:50:55 UTC 2018] Use _CACHED_NONCE='ZsoutRElrBlNLrLRu4zurznAw0P3AZSv_y5wa4PBs7o'
    [Wed May 16 00:50:55 UTC 2018] nonce='ZsoutRElrBlNLrLRu4zurznAw0P3AZSv_y5wa4PBs7o'
    [Wed May 16 00:50:55 UTC 2018] POST
    [Wed May 16 00:50:55 UTC 2018] _post_url='https://acme-v01.api.letsencrypt.org/acme/challenge/-iPyHt-d1qHpDLvdqgJ7PypnZ9keI45xLGGvct7mYzk/4663008958'
    [Wed May 16 00:50:55 UTC 2018] Http already initialized.
    [Wed May 16 00:50:55 UTC 2018] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header  -g  -H "Content-Type: application/jose+json" '
    [Wed May 16 00:50:56 UTC 2018] _ret='0'
    [Wed May 16 00:50:56 UTC 2018] original='{
      "type": "http-01",
      "status": "pending",
      "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/-iPyHt-d1qHpDLvdqgJ7PypnZ9keI45xLGGvct7mYzk/4663008958",
      "token": "h41MCKc4qWVt27ZFEbzGPlpLxXvGV_sU0kR_f4PFll0",
      "keyAuthorization": "h41MCKc4qWVt27ZFEbzGPlpLxXvGV_sU0kR_f4PFll0.ukVgFgQ7y14lEuZDr6FFzotPmTUb03MQ58f6Ru5Jzqc"
    }'
    [Wed May 16 00:50:56 UTC 2018] responseHeaders='HTTP/1.1 100 Continue
    Expires: Wed, 16 May 2018 00:50:56 GMT
    Cache-Control: max-age=0, no-cache, no-store
    Pragma: no-cache
    
    HTTP/1.1 202 Accepted
    Server: nginx
    Content-Type: application/json
    Content-Length: 336
    Boulder-Requester: 31209276
    Link: <https://acme-v01.api.letsencrypt.org/acme/authz/-iPyHt-d1qHpDLvdqgJ7PypnZ9keI45xLGGvct7mYzk>;rel="up"
    Location: https://acme-v01.api.letsencrypt.org/acme/challenge/-iPyHt-d1qHpDLvdqgJ7PypnZ9keI45xLGGvct7mYzk/4663008958
    Replay-Nonce: HQhP3LlOOdwOSe2vMxY44NKWRPwqTkQPdioAqvBazlk
    Expires: Wed, 16 May 2018 00:50:56 GMT
    Cache-Control: max-age=0, no-cache, no-store
    Pragma: no-cache
    Date: Wed, 16 May 2018 00:50:56 GMT
    Connection: keep-alive
    '
    [Wed May 16 00:50:56 UTC 2018] response='{"type":"http-01","status":"pending","uri":"https://acme-v01.api.letsencrypt.org/acme/challenge/-iPyHt-d1qHpDLvdqgJ7PypnZ9keI45xLGGvct7mYzk/4663008958","token":"h41MCKc4qWVt27ZFEbzGPlpLxXvGV_sU0kR_f4PFll0","keyAuthorization":"h41MCKc4qWVt27ZFEbzGPlpLxXvGV_sU0kR_f4PFll0.ukVgFgQ7y14lEuZDr6FFzotPmTUb03MQ58f6Ru5Jzqc"}'
    [Wed May 16 00:50:56 UTC 2018] code='202'
    [Wed May 16 00:50:56 UTC 2018] '/home/nginx/domains/domain.name/public' does not contain 'dns'
    [Wed May 16 00:50:56 UTC 2018] socat doesn't exists.
    [Wed May 16 00:50:56 UTC 2018] Diagnosis versions:
    openssl:openssl
    OpenSSL 1.0.2k-fips  26 Jan 2017
    apache:
    apache doesn't exists.
    nginx:
    nginx version: nginx/1.13.10
    built by gcc 7.2.1 20170829 (Red Hat 7.2.1-1) (GCC)
    built with OpenSSL 1.1.0h  27 Mar 2018
    TLS SNI support enabled
    configure arguments: --with-ld-opt='-ljemalloc -Wl,-z,relro -Wl,-rpath,/usr/local/lib' --with-cc-opt='-m64 -march=native -g -O3 -fstack-protector-strong -flto -fuse-ld=gold --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wimplicit-fallthrough=0 -fcode-hoisting -Wp,-D_FORTIFY_SOURCE=2 -gsplit-dwarf' --sbin-path=/usr/local/sbin/nginx --conf-path=/usr/local/nginx/conf/nginx.conf --with-compat --with-http_stub_status_module --with-http_secure_link_module --with-libatomic --with-http_gzip_static_module --with-http_sub_module --with-http_addition_module --with-http_image_filter_module=dynamic --with-http_geoip_module --with-stream_geoip_module --with-stream_realip_module --with-stream_ssl_preread_module --with-threads --with-stream=dynamic --with-stream_ssl_module --with-http_realip_module --add-dynamic-module=../ngx-fancyindex-0.4.2 --add-module=../ngx_cache_purge-2.4.2 --add-module=../ngx_devel_kit-0.3.0 --add-dynamic-module=../set-misc-nginx-module-0.31 --add-dynamic-module=../echo-nginx-module-0.61 --add-module=../redis2-nginx-module-0.14 --add-module=../ngx_http_redis-0.3.7 --add-module=../memc-nginx-module-0.18 --add-module=../srcache-nginx-module-0.31 --add-dynamic-module=../headers-more-nginx-module-0.33 --with-pcre=../pcre-8.42 --with-pcre-jit --with-zlib=../zlib-cloudflare-1.3.0 --with-http_ssl_module --with-http_v2_module --with-openssl=../openssl-1.1.0h --with-openssl-opt='enable-ec_nistp_64_gcc_128'
    socat:
    [Wed May 16 00:50:56 UTC 2018] Return code: 1
    [Wed May 16 00:50:56 UTC 2018] Error renew domain.name.
    [Wed May 16 00:50:56 UTC 2018] ===End cron===
    
    Is there a way to configure nginx so I can have http to https redirection and automatic certificate renewal?
    My crontab line:
    7 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null
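As an added example (not code from the thread, acme.sh or Centmin Mod), a small Python triage script that reads the `response='{...}'` lines acme.sh writes in debug mode, like the log above, and reports why each HTTP-01 validation failed (which host and address the CA contacted on which port, and what the token URL answered) before further retries hit the Let's Encrypt rate limit. The hosts, tokens, addresses and the rate-limit message in the sample log are constructed placeholders.

```python
"""Triage acme.sh debug-log output for failed HTTP-01 validations.

Added example for this thread; it is not part of acme.sh or Centmin Mod.
It parses the "[timestamp] response='{json}'" lines that acme.sh --debug
writes and summarises every failed challenge or CA-level error, so the
misconfiguration can be fixed before more authorizations are burned.
"""
import json
import re

# acme.sh debug lines look like "[Wed May 16 00:50:54 UTC 2018] key='value'";
# only the response='{...}' lines carry the CA's JSON answer.
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+response='(?P<json>\{.*\})'$")

# Constructed sample in the thread's log format: challenge A goes pending ->
# invalid (token URL answered a 404 page), challenge B stays pending, and a
# later new-authz call is refused with a rate-limit problem document.
SAMPLE_LOG = r"""
[Wed May 16 00:50:51 UTC 2018] response='{"type":"http-01","status":"pending","uri":"https://acme-v01.api.letsencrypt.org/acme/challenge/AAAA/1","token":"TOKEN_A","keyAuthorization":"TOKEN_A.THUMB"}'
[Wed May 16 00:50:51 UTC 2018] code='202'
[Wed May 16 00:50:53 UTC 2018] checking
[Wed May 16 00:50:54 UTC 2018] response='{"type":"http-01","status":"invalid","error":{"type":"urn:acme:error:unauthorized","detail":"Invalid response from http://example.test/.well-known/acme-challenge/TOKEN_A: \"\u003chtml\u003e\r\n\u003chead\u003e\u003ctitle\u003e404 Not Found\u003c/title\u003e\u003c/head\u003e\"","status": 403},"uri":"https://acme-v01.api.letsencrypt.org/acme/challenge/AAAA/1","token":"TOKEN_A","keyAuthorization":"TOKEN_A.THUMB","validationRecord":[{"url":"http://example.test/.well-known/acme-challenge/TOKEN_A","hostname":"example.test","port":"80","addressesResolved":["192.0.2.10"],"addressUsed":"192.0.2.10"}]}'
[Wed May 16 00:50:56 UTC 2018] response='{"type":"http-01","status":"pending","uri":"https://acme-v01.api.letsencrypt.org/acme/challenge/BBBB/2","token":"TOKEN_B","keyAuthorization":"TOKEN_B.THUMB"}'
[Thu May 17 00:07:03 UTC 2018] response='{"type":"urn:acme:error:rateLimited","detail":"Error creating new authz :: too many failed authorizations recently (constructed sample)","status":429}'
"""


def parse_responses(log_text):
    """Return (timestamp, decoded JSON) for every response='...' line."""
    out = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        try:
            out.append((m.group("ts"), json.loads(m.group("json"))))
        except json.JSONDecodeError:
            pass  # truncated or non-JSON response line; skip it
    return out


def diagnose(problem):
    """Map an ACME problem document to a short, actionable diagnosis."""
    ptype = problem.get("type", "")
    detail = problem.get("detail", "")
    if ptype.endswith(":rateLimited"):
        return "rate limited by the CA; stop retrying until the window passes"
    if ptype.endswith(":unauthorized"):
        # The CA quotes the body it received; an nginx error page carries the
        # HTTP status in its <title>, e.g. "404 Not Found".
        m = re.search(r"<title>(\d{3})\b", detail)
        if m:
            return (f"token URL returned HTTP {m.group(1)}; the webroot, a redirect "
                    f"or a rewrite is not exposing /.well-known/acme-challenge/")
        return "unauthorized; token was served but key authorization did not match"
    if ptype.endswith(":connection"):
        return "CA could not connect on port 80; check DNS, firewall and listen directives"
    return f"unclassified ACME error {ptype or '(none)'}: {detail}"


def triage(log_text):
    """Summarise every failed validation or CA-level error in an acme.sh debug log."""
    findings = []
    for ts, body in parse_responses(log_text):
        if body.get("type") == "http-01":
            if body.get("status") != "invalid":
                continue  # pending/valid challenges are not failures
            problem = body.get("error", {})
            record = (body.get("validationRecord") or [{}])[0]
        elif body.get("type", "").startswith("urn:acme:error:"):
            problem, record = body, {}  # top-level problem document, no record
        else:
            continue
        findings.append({
            "time": ts,
            "hostname": record.get("hostname"),
            "port": record.get("port"),
            "address": record.get("addressUsed"),
            "url": record.get("url"),
            "diagnosis": diagnose(problem),
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['time']}: {f['hostname'] or '-'}:{f['port'] or '-'} "
              f"({f['address'] or '-'}) -> {f['diagnosis']}")
```

Run it against the real debug log (`/root/centminlogs/acmetool.sh-debug-log-*.log`) instead of `SAMPLE_LOG` to get the same summary for a live failure.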
     
  2. eva2000

    eva2000 Administrator Staff Member

    How was the initial Letsencrypt SSL certificate obtained? Which method?
    • Was the domain nginx vhost already created prior, or was it a new domain nginx vhost site set up for the first time?
    • Via centmin.sh menu option 2, 22, /usr/bin/nv?
    • If you ran centmin.sh menu option 2 or 22, which letsencrypt option did you select from
      Code (Text):
      -------------------------------------------------------------
      Setup full Nginx vhost + Wordpress + WP Plugins
      -------------------------------------------------------------
      
      Enter vhost domain name you want to add (without www. prefix): acme3.domain1.com
      
      Create a self-signed SSL certificate Nginx vhost? [y/n]: n
      Get Letsencrypt SSL certificate Nginx vhost? [y/n]: y
      
      You have 4 options:
      1. issue staging test cert with HTTP + HTTPS
      2. issue staging test cert with HTTPS default
      3. issue live cert with HTTP + HTTPS
      4. issue live cert with HTTPS default
      Enter option number 1-4: 1
      
    • Via addons/acmetool.sh? Which specific command? Examples:
      Code (Text):
      ./acmetool.sh issue acme.domain.com
      
      Code (Text):
      ./acmetool.sh issue acme.domain.com live
      
      Code (Text):
      ./acmetool.sh issue acme.domain.com d
      
      Code (Text):
      ./acmetool.sh issue acme.domain.com lived
      
    • What was the order of steps you did? Did you run centmin.sh menu option 2 first with letsencrypt? Then did you run addons/acmetool.sh afterwards?

    Troubleshooting



    There are various steps you can do to troubleshoot failed letsencrypt issuances, renews, reissues etc.
    • acmetool.sh logs all command line or shell menu runs to log files at /root/centminlogs. To troubleshoot, copy the contents of the log run and post the contents of the log to pastebin.com or gist.github.com and share the link in this thread. To find the log, list the logs in ascending date order:
      Code (Text):
      ls -lahrt /root/centminlogs
    • For direct acmetool.sh runs, there should be a 2nd & 3rd & 4th log in format /root/centminlogs/centminmod_${DT}_nginx_addvhost_nv.log and /root/centminlogs/acmetool.sh-debug-log-$DT.log and /root/centminlogs/acmesh-issue_*.log or /root/centminlogs/acmesh-reissue_*.log which would need to be included via separate pastebin.com or gist.github.com post.
    • Enable acmetool.sh debug mode. In the persistent config file at /etc/centminmod/custom_config.inc (create it if it doesn't exist) add and enable acmetool.sh debug mode, which gives much more verbose letsencrypt issuance process information when you re-run acmetool.sh or centmin.sh menu options 2, 22 or /usr/bin/nv command lines.
      Code (Text):
      ACMEDEBUG='y'
    If acme.sh auto renewals didn't happen, check the output of the following commands
    Code (Text):
    grep acme /var/log/cron* | sed -e "s|$(hostname -s)|host|g"
    

    Code (Text):
    echo y | /usr/local/src/centminmod/addons/acmetool.sh checkdates
    

    Code (Text):
    "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh"
    

    Code (Text):
    echo | openssl s_client -connect yourdomain.com:443
    

    Without the answers to above questions and logs, there is nothing to help troubleshoot.

    When you create a new nginx vhost domain via centmin.sh menu option 2 or menu option 22 or via the /usr/bin/nv cli command line, you will create the Nginx vhost files and directories. The output will show the path where it creates the domain name's vhost conf file, named newdomain.com.conf (and newdomain.com.ssl.conf if you selected yes to self-signed SSL)
    • Nginx vhost conf path will be at /usr/local/nginx/conf/conf.d/newdomain.com.conf
    • Nginx HTTP/2 SSL vhost conf path will be at /usr/local/nginx/conf/conf.d/newdomain.com.ssl.conf
    • Nginx Self-Signed SSL Certificate Directory at /usr/local/nginx/conf/ssl/newdomain.com
    • Vhost public web root will be at /home/nginx/domains/newdomain.com/public
    • Vhost log directory will be at /home/nginx/domains/newdomain.com/log
    Please post the contents of /usr/local/nginx/conf/conf.d/newdomain.com.conf and if applicable /usr/local/nginx/conf/conf.d/newdomain.com.ssl.conf wrapped in CODE tags (outlined at How to use forum BBCODE code tags)

    What is the output of these commands in SSH?
    Code (Text):
    curl -I https://domain.com
    

    Code (Text):
    curl -I https://www.domain.com
    

    Code (Text):
    curl -I http://domain.com
    

    Code (Text):
    curl -I http://www.domain.com
    

    Wrap the output in CODE tags.
     
  3. Meirami

    Meirami Member

    I think I did it like this:
    LETSENCRYPT_DETECT='y' to custom config
    yum -y update; curl -O https://centminmod.com/betainstaller.sh && chmod 0700 betainstaller.sh && bash betainstaller.sh
    Setup The Default Server Main Hostname Nginx Vhost
    #run Centmin menu option #2
    y #continue
    domain.name
    n #don't need self-signed certificate.
    y #use Letsencrypt
    y #continue
    y #continue
    4 #live cert with HTTPS default (trusted)

    Now I have had a few (cron) autoupdate runs without success.

    acmetool debug log
    Let'sE

    Code:
    /var/log/cron:May 14 00:07:01 host CROND[20855]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron:May 15 00:07:01 host CROND[29988]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron:May 16 00:07:02 host CROND[7504]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron:May 17 00:07:01 host CROND[24553]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    
    Code:
    -------------------------------------------------
    acmetool.sh is in beta testing phase
    please read & provide bug reports &
    feedback for this tool via the forums
    https://centminmod.com/acmetool
    -------------------------------------------------
    
    ----------------------------------------------
    nginx installed
    ----------------------------------------------
    
    /usr/local/nginx/conf/ssl/domain.name/domain.name-acme.cer
    SHA1 Fingerprint=B7AFEBE59FFB86FD913612DEA32E8E9B4CCCCCCC
    certificate expires in 26 days on 13 Jun 2018
    
    ----------------------------------------------
    acme.sh obtained
    ----------------------------------------------
    
    /root/.acme.sh/domain.name/domain.name.cer
    SHA1 Fingerprint=B7AFEBE59FFB86FD913612DEA32E8E9B4CCCCCCC
    [ below certifcate transparency link is only valid ~1hr after issuance ]
    https://crt.sh/?sha1=B7AFEBE59FFB86FD913612DEA32E8E9B4CCCCCCC
    certificate expires in 26 days on 13 Jun 2018
    
    Code:
    [Thu May 17 19:50:22 UTC 2018] ===Starting cron===
    [Thu May 17 19:50:22 UTC 2018] Renew: 'domain.name'
    [Thu May 17 19:50:23 UTC 2018] Multi domain='DNS:domain.name,DNS:www.domain.name'
    [Thu May 17 19:50:23 UTC 2018] Getting domain auth token for each domain
    [Thu May 17 19:50:23 UTC 2018] Getting webroot for domain='domain.name'
    [Thu May 17 19:50:23 UTC 2018] Getting new-authz for domain='domain.name'
    [Thu May 17 19:50:25 UTC 2018] The new-authz request is ok.
    [Thu May 17 19:50:25 UTC 2018] Getting webroot for domain='www.domain.name'
    [Thu May 17 19:50:25 UTC 2018] Getting new-authz for domain='www.domain.name'
    [Thu May 17 19:50:26 UTC 2018] The new-authz request is ok.
    [Thu May 17 19:50:26 UTC 2018] Verifying:domain.name
    [Thu May 17 19:50:30 UTC 2018] domain.name:Verify error:Invalid response from http://domain.name/.well-known/acme-challenge/9Y7k9EQ3-EhQ5rcR9XuD7ux-VgVBWVJW2DHQyIUWn4M:
    [Thu May 17 19:50:30 UTC 2018] Please check log file for more details: /root/centminlogs/acmetool.sh-debug-log-150318-160203.log
    [Thu May 17 19:50:33 UTC 2018] Error renew domain.name.
    [Thu May 17 19:50:33 UTC 2018] ===End cron===
    

    Code:
    CONNECTED(00000003)
    depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
    verify return:1
    depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
    verify return:1
    depth=0 CN = domain.name
    verify return:1
    ---
    Certificate chain
     0 s:/CN=domain.name
       i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
     1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
       i:/O=Digital Signature Trust Co./CN=DST Root CA X3
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    -----END CERTIFICATE-----
    subject=/CN=domain.name
    issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
    ---
    No client certificate CA names sent
    Peer signing digest: SHA512
    Server Temp Key: ECDH, P-256, 256 bits
    ---
    SSL handshake has read 3135 bytes and written 415 bytes
    ---
    New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : ECDHE-RSA-AES256-GCM-SHA384
        Session-ID: E90E5A4B3D7CC51EC5F849EA8C558B9C7A49C217275C24D7ADB0AEC37B2B86AE
        Session-ID-ctx:
        Master-Key: 9CBCD1A657EF370690162D1D524E49415F56B5812F9EEC6E9ED98918F1E68FD99B52D17EB518DBF0D2A3F068517B14A0
        Key-Arg   : None
        Krb5 Principal: None
        PSK identity: None
        PSK identity hint: None
        TLS session ticket lifetime hint: 3600 (seconds)
        TLS session ticket:
    
        Start Time: 1526586773
        Timeout   : 300 (sec)
        Verify return code: 0 (ok)
    ---
    DONE
    
    Code:
     ##
    upstream php-handler {
        server 127.0.0.1:9000;
        #server unix:/var/run/php5-fpm.sock;
    }
    
    server {
        listen 80;
        listen [::]:80;
        server_name domain.name www.domain.name;
        return 302 https://$server_name$request_uri; #this was some weeks 301
    }
    server {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        server_name domain.name www.domain.name;
    
      include /usr/local/nginx/conf/ssl/domain.name/domain.name.crt.key.conf;
      include /usr/local/nginx/conf/ssl_include.conf;
    
      http2_max_field_size 16k;
      http2_max_header_size 32k;
      # mozilla recommended
      ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
      ssl_prefer_server_ciphers   on;
      #add_header Alternate-Protocol  443:npn-spdy/3;
    
      add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
      ssl_buffer_size 1369;
      ssl_session_tickets on;
    
      # enable ocsp stapling
      resolver 8.8.8.8 8.8.4.4 valid=10m;
      resolver_timeout 10s;
      ssl_stapling on;
      ssl_stapling_verify on;
    
      # limit_conn limit_per_ip 16;
      # ssi  on;
    
      access_log /home/nginx/domains/domain.name/log/access.log combined buffer=256k flush=5m;
      error_log /home/nginx/domains/domain.name/log/error.log;
    
      include /usr/local/nginx/conf/autoprotect/domain.name/autoprotect-domain.name.conf;
      root /home/nginx/domains/domain.name/public;
      # uncomment cloudflare.conf include if using cloudflare for
      # server and/or vhost site
      #include /usr/local/nginx/conf/cloudflare.conf;
    
    location = /.well-known/carddav {
          return 301 $scheme://$host/remote.php/dav;
        }
        location = /.well-known/caldav {
          return 301 $scheme://$host/remote.php/dav;
        }
    
        # set max upload size
        client_max_body_size 1024M;
        fastcgi_buffers 64 4K;
    
    
        # Enable gzip but do not remove ETag headers
        gzip on;
        gzip_vary on;
        gzip_comp_level 4;
        gzip_min_length 256;
        gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
        gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
    
    
      location / {
        rewrite ^ /index.php$uri;
        include /usr/local/nginx/conf/php-pool2.conf;
    
      location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
            deny all;
        }
      location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
            deny all;
        }
    
      location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+)\.php(?:$|/) {
            fastcgi_split_path_info ^(.+\.php)(/.*)$;
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_param PATH_INFO $fastcgi_path_info;
            fastcgi_param HTTPS on;
            #Avoid sending the security headers twice
            fastcgi_param modHeadersAvailable true;
            fastcgi_param front_controller_active true;
            fastcgi_pass php-handler;
            fastcgi_request_buffering off;
        }
    
      location ~ ^/(?:updater|ocs-provider)(?:$|/) {
            try_files $uri/ =404;
            index index.php;
        }
    
        # Adding the cache control header for js and css files
        # Make sure it is BELOW the PHP block
        location ~ \.(?:css|js|woff|svg|gif)$ {
            try_files $uri /index.php$uri$is_args$args;
            add_header Cache-Control "public, max-age=31536000";
            # Add headers to serve security related headers (It is intended to
            # have those duplicated to the ones above)
            # The ones above removed because those are harcoded in NC13.
            # Before enabling Strict-Transport-Security headers please read into
            # this topic first.
            add_header Strict-Transport-Security "max-age=31536000; includeSubDomains;";
            #
            # WARNING: Only add the preload option once you read about
            # the consequences in https://hstspreload.org/. This option
            # will add the domain to a hardcoded list that is shipped
            # in all major browsers and getting removed from this list
            # could take several months.
            add_header X-Content-Type-Options nosniff;
            add_header X-XSS-Protection "1; mode=block";
            add_header X-Robots-Tag none;
            add_header X-Download-Options noopen;
            add_header X-Permitted-Cross-Domain-Policies none;
            # Optional: Don't log access to assets
            access_log off;
        }
    
        location ~ \.(?:png|html|ttf|ico|jpg|jpeg)$ {
            try_files $uri /index.php$uri$is_args$args;
            # Optional: Don't log access to other assets
            access_log off;
        }
    
    
    # block common exploits, sql injections etc
    include /usr/local/nginx/conf/block.conf;
    
      }
    
      include /usr/local/nginx/conf/pre-staticfiles-local-domain.name.conf;
      include /usr/local/nginx/conf/pre-staticfiles-global.conf;
      include /usr/local/nginx/conf/staticfiles.conf;
      include /usr/local/nginx/conf/php.conf;
    
      include /usr/local/nginx/conf/drop.conf;
      #include /usr/local/nginx/conf/errorpage.conf;
      include /usr/local/nginx/conf/vts_server.conf;
    }
    
    Code:
    curl -I https://domain.name
    HTTP/1.1 302 Found
    Date: Thu, 17 May 2018 20:01:04 GMT
    Content-Type: text/html; charset=UTF-8
    Connection: keep-alive
    Set-Cookie: ocbeeo0utq51=i2r2879esd3id2sde2idntktii; path=/; secure; HttpOnly
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    Set-Cookie: oc_sessionPassphrase=JzgEUT2e1VuhGgQPoshc3JXw5TKsO34V2rznzVrRtOlakoIcrmweO9Ma8%2FzJ6heeJ35mOUsKqoWJcZAXXNN1brx2mo0Lj8C2RIT0ucVEVo3t2ZumkAj7B18SFSP5CBVP; path=/; secure; HttpOnly
    Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-eval' 'nonce-YytiWmxTMmVVVG5JSkx2VWYyVmdRS3JRdEpuQmo5ZHI1WHl2bE00QXNMbz06WEw2UDIyN0taUWkvWU4rVkpTTVlGNXlrK3Z1TXBQZ0NqRHZvcktOWTl2WT0='; style-src 'self' 'unsafe-inline'; frame-src *; img-src * data: blob:; font-src 'self' data:; media-src *; connect-src *; object-src 'none'; base-uri 'self';
    X-Frame-Options: SAMEORIGIN
    X-XSS-Protection: 1; mode=block
    X-Content-Type-Options: nosniff
    X-Robots-Tag: none
    X-Download-Options: noopen
    X-Permitted-Cross-Domain-Policies: none
    Set-Cookie: __Host-nc_sameSiteCookielax=true; path=/; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=lax
    Set-Cookie: __Host-nc_sameSiteCookiestrict=true; path=/; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=strict
    Location: https://domain.name/index.php/login
    Server: nginx centminmod
    X-Powered-By: centminmod
    Strict-Transport-Security: max-age=31536000; includeSubdomains;
    
    Code:
    curl -I https://www.domain.name
    HTTP/1.1 400
    Date: Thu, 17 May 2018 20:02:56 GMT
    Content-Type: text/html; charset=UTF-8
    Connection: keep-alive
    Set-Cookie: ocbeeo0utq51=9sulm5qpu0md1alkaqrb94kd4s; path=/; secure; HttpOnly
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    Set-Cookie: oc_sessionPassphrase=fRCJonfcfqUYfkEl8Fju70FJ1P1I5mxTgkt1kkc3Cx1FnAMFMln3IbPrf5EHFN6jTRQ%2BWfs%2Fd%2FYYu7cb6tRNiyIaOvvh6y%2B598oCxuyauqCzyTqU9NSwRX1idW2k%2FaiS; path=/; secure; HttpOnly
    Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-eval' 'nonce-em0waGVWVE1tSHRXS1U3S0owdkVudkFMWmVOeTcwTGE5VEdna3VyN3dxMD06cGhkMk5XWDA3ako1UmdxZlRTYjI3NkZCS29VUjJDNlFwbmpVOE1XWmtKbz0='; style-src 'self' 'unsafe-inline'; frame-src *; img-src * data: blob:; font-src 'self' data:; media-src *; connect-src *; object-src 'none'; base-uri 'self';
    X-Frame-Options: SAMEORIGIN
    X-XSS-Protection: 1; mode=block
    X-Content-Type-Options: nosniff
    X-Robots-Tag: none
    X-Download-Options: noopen
    X-Permitted-Cross-Domain-Policies: none
    Set-Cookie: __Host-nc_sameSiteCookielax=true; path=/; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=lax
    Set-Cookie: __Host-nc_sameSiteCookiestrict=true; path=/; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=strict
    Server: nginx centminmod
    X-Powered-By: centminmod
    
    Code:
    curl -I http://domain.name
    HTTP/1.1 302 Moved Temporarily
    Date: Thu, 17 May 2018 20:04:06 GMT
    Content-Type: text/html
    Content-Length: 154
    Connection: keep-alive
    Location: https://domain.name/
    Server: nginx centminmod
    X-Powered-By: centminmod
    
    Code:
    curl -I http://www.domain.name
    HTTP/1.1 302 Moved Temporarily
    Date: Thu, 17 May 2018 20:04:55 GMT
    Content-Type: text/html
    Content-Length: 154
    Connection: keep-alive
    Location: https://domain.name/
    Server: nginx centminmod
    X-Powered-By: centminmod
    
     
  4. eva2000

    eva2000 Administrator Staff Member

    34,253
    7,581
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +11,656
    Local Time:
    7:36 AM
    Nginx 1.13.x
    MariaDB 5.5
    Probably related to these redirects you have; unfortunately you'd have to figure that out for your web app.
    Code (Text):
    location = /.well-known/carddav {
         return 301 $scheme://$host/remote.php/dav;
       }
       location = /.well-known/caldav {
         return 301 $scheme://$host/remote.php/dav;
       }
    

    Letsencrypt web root validation of a domain for SSL issuance uses the .well-known URL file, so if you're redirecting it elsewhere then Letsencrypt isn't able to validate your domain at the expected location http://domain.name/.well-known/acme-challenge/****
     
  5. Meirami

    Meirami Member

    Thank you for the help!
    It was a lot easier to search for a solution after you showed me the direction. :)
    I found a solution and it worked. Would you use this kind of solution?
    add this
    Code:
    location ~ ^/.well-known/acme-challenge/* {
        allow all;
    }
    above these
    Code:
    location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
        deny all;
    }
    location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
        deny all;
    }
     
  6. eva2000

    eva2000 Administrator Staff Member

    Yeah, if you can put the allow all location context match as high up in the order of location contexts in the vhost, the better.
     
  7. Meirami

    Meirami Member

    So, do you think the best place is before
    Code:
    location = /.well-known/carddav {
          return 301 $scheme://$host/remote.php/dav;
        }
        location = /.well-known/caldav {
          return 301 $scheme://$host/remote.php/dav;
        }
    Then it would be the first location.
     
  8. eva2000

    eva2000 Administrator Staff Member

    yup
     
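The ordering point made in posts 4 to 8 (nginx evaluates `location ~` regex blocks in the order they appear, first match wins, so an `allow all` block for the ACME challenge path has to come before the dotfile `deny all` rule that would otherwise swallow `/.well-known/acme-challenge/...`) can be checked offline before a renewal run. The following checker is an added example and is not code from the thread, from Centmin Mod or from Nextcloud. It embeds two constructed config fragments that mirror the vhost above: one with the deny rules first (the failing shape) and one with the challenge location placed first. The challenge regex in the fixed fragment is tightened to `^/\.well-known/acme-challenge/` (escaped dot, no trailing `/*`), the token is a constructed sample, and nested locations are flattened into their textual order, which is a simplification that holds for this vhost shape but not for every nginx config.

```python
"""Check whether the ACME http-01 challenge path would hit an allow, deny or
redirect/rewrite location, given nginx location ordering.  Added example; the
config fragments and the token below are constructed, not taken from a live
server."""
import re
from dataclasses import dataclass

# Constructed sample token (assumption: any token shape works for the check).
ACME_URI = "/.well-known/acme-challenge/constructed-token-123"

# Constructed fragment mirroring the thread's vhost: dotfile deny rule comes
# before any allow rule for the challenge directory.
BROKEN_CONF = r"""
location = /.well-known/carddav { return 301 $scheme://$host/remote.php/dav; }
location / {
    rewrite ^ /index.php$uri;
    location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ { deny all; }
    location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { deny all; }
}
"""

# Same fragment with the challenge location placed first (the thread's fix,
# with the regex tightened: escaped dot, no trailing '/*').
FIXED_CONF = r"""
location ~ ^/\.well-known/acme-challenge/ { allow all; }
location = /.well-known/carddav { return 301 $scheme://$host/remote.php/dav; }
location / {
    rewrite ^ /index.php$uri;
    location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ { deny all; }
    location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { deny all; }
}
"""


@dataclass
class Location:
    modifier: str   # "" (prefix), "=", "^~", "~" or "~*"
    pattern: str
    body: str       # the block's own directives, nested blocks removed


_LOC_RE = re.compile(r"\blocation\s+(?:(=|\^~|~\*|~)\s+)?([^\s{]+)\s*\{")


def _own_directives(body: str) -> str:
    """Drop nested {...} blocks so a parent's verdict reflects only its own lines."""
    out, depth = [], 0
    for ch in body:
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
        elif depth == 0:
            out.append(ch)
    return "".join(out)


def parse_locations(conf: str) -> list:
    """Return every location block in order of appearance, nested ones included."""
    found = []
    for m in _LOC_RE.finditer(conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:          # find the matching closing brace
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        raw_body = conf[m.end():i - 1]
        found.append(Location(m.group(1) or "", m.group(2), _own_directives(raw_body)))
    return found


def resolve(locations: list, uri: str):
    """Pick the location nginx would use: exact match, then longest prefix
    (^~ stops here), then regex locations in file order, else the prefix."""
    prefix_best = None
    for loc in locations:
        if loc.modifier == "=" and uri == loc.pattern:
            return loc
        if loc.modifier in ("", "^~") and uri.startswith(loc.pattern):
            if prefix_best is None or len(loc.pattern) > len(prefix_best.pattern):
                prefix_best = loc
    if prefix_best is not None and prefix_best.modifier == "^~":
        return prefix_best
    for loc in locations:
        if loc.modifier in ("~", "~*"):
            flags = re.IGNORECASE if loc.modifier == "~*" else 0
            if re.search(loc.pattern, uri, flags):
                return loc                      # first regex in file order wins
    return prefix_best


def verdict(conf: str, uri: str = ACME_URI) -> str:
    """Classify what the selected location does with `uri`."""
    loc = resolve(parse_locations(conf), uri)
    if loc is None:
        return "unmatched"
    if re.search(r"\bdeny\s+all\b", loc.body):
        return "deny"
    if re.search(r"\breturn\s+30[1278]\b", loc.body):
        return "redirect"
    if re.search(r"\brewrite\b", loc.body):
        return "rewrite"
    if re.search(r"\ballow\s+all\b", loc.body):
        return "allow"
    return "other"


if __name__ == "__main__":
    for name, conf in (("deny rules first", BROKEN_CONF), ("challenge first", FIXED_CONF)):
        print(f"{name}: {ACME_URI} -> {verdict(conf)}")
```

Run against a real vhost by passing the file contents to `verdict()`; anything other than `allow` for the challenge URI means the http-01 fetch will not reach the webroot file, which is the failure the thread's log shows. The `resolve()` step is the part worth keeping: it makes the file-order rule for regex locations explicit instead of relying on a manual read of the config.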