
Letsencrypt Lets Encrypt Issue Error

Discussion in 'Add Ons' started by MarkKiss, Aug 30, 2019.

  1. MarkKiss

    MarkKiss New Member

    • CentOS Version: CentOS 7 64bit
    • Centmin Mod Version Installed: 23.09beta01
    • Nginx Version Installed: 1.17.3
    • PHP Version Installed: 7.2
    • MariaDB MySQL Version Installed: 10.2
    • When was the last time the Centmin Mod code base was updated?: Today
    • Persistent Config: Yes
      Code (Text):
      LETSENCRYPT_DETECT='y'
      
    • ERROR
    • Code (Text):
      [Thu Aug 29 17:57:39 UTC 2019] Verifying: destiny2.cz
      [Thu Aug 29 17:57:42 UTC 2019] destiny2.cz:Verify error:Fetching https://destiny2.cz/.well-known/acme-challenge/PqwC87z2OTlEJuMBXlj2fJeOHGaoACGwK3AXxVQHfWE: Connection refused
      [Thu Aug 29 17:57:42 UTC 2019] Please check log file for more details: /root/centminlogs/acmetool.sh-debug-log-290819-175729.log
      
    • LOG
    • Code (Text):
      [Thu Aug 29 17:57:36 UTC 2019] Lets find script dir.
      [Thu Aug 29 17:57:36 UTC 2019] _SCRIPT_='/root/.acme.sh/acme.sh'
      [Thu Aug 29 17:57:36 UTC 2019] _script='/root/.acme.sh/acme.sh'
      [Thu Aug 29 17:57:36 UTC 2019] _script_home='/root/.acme.sh'
      [Thu Aug 29 17:57:36 UTC 2019] Using config home:/root/.acme.sh
      [Thu Aug 29 17:57:36 UTC 2019] LE_WORKING_DIR='/root/.acme.sh'
      [Thu Aug 29 17:57:36 UTC 2019] Running cmd: issue
      [Thu Aug 29 17:57:36 UTC 2019] _main_domain='destiny2.cz'
      [Thu Aug 29 17:57:36 UTC 2019] _alt_domains='www.destiny2.cz'
      [Thu Aug 29 17:57:36 UTC 2019] Using config home:/root/.acme.sh
      [Thu Aug 29 17:57:36 UTC 2019] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
      [Thu Aug 29 17:57:36 UTC 2019] _ACME_SERVER_HOST='acme-v02.api.letsencrypt.org'
      [Thu Aug 29 17:57:36 UTC 2019] DOMAIN_PATH='/root/.acme.sh/destiny2.cz'
      [Thu Aug 29 17:57:36 UTC 2019] '/home/nginx/domains/destiny2.cz/public' does not contain 'dns'
      [Thu Aug 29 17:57:36 UTC 2019] Using ACME_DIRECTORY: https://acme-v02.api.letsencrypt.org/directory
      [Thu Aug 29 17:57:36 UTC 2019] _init api for server: https://acme-v02.api.letsencrypt.org/directory
      [Thu Aug 29 17:57:36 UTC 2019] GET
      [Thu Aug 29 17:57:36 UTC 2019] url='https://acme-v02.api.letsencrypt.org/directory'
      [Thu Aug 29 17:57:36 UTC 2019] timeout=
      [Thu Aug 29 17:57:36 UTC 2019] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header  -g '
      [Thu Aug 29 17:57:37 UTC 2019] ret='0'
      [Thu Aug 29 17:57:37 UTC 2019] response='{
        "VSTGaKgi9xk": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
        "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
        "meta": {
         "caaIdentities": [
           "letsencrypt.org"
         ],
         "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
         "website": "https://letsencrypt.org"
        },
        "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
        "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
        "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
        "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
      }'
      [Thu Aug 29 17:57:37 UTC 2019] ACME_KEY_CHANGE='https://acme-v02.api.letsencrypt.org/acme/key-change'
      [Thu Aug 29 17:57:37 UTC 2019] ACME_NEW_AUTHZ
      [Thu Aug 29 17:57:37 UTC 2019] ACME_NEW_ORDER='https://acme-v02.api.letsencrypt.org/acme/new-order'
      [Thu Aug 29 17:57:37 UTC 2019] ACME_NEW_ACCOUNT='https://acme-v02.api.letsencrypt.org/acme/new-acct'
      [Thu Aug 29 17:57:37 UTC 2019] ACME_REVOKE_CERT='https://acme-v02.api.letsencrypt.org/acme/revoke-cert'
      [Thu Aug 29 17:57:37 UTC 2019] ACME_AGREEMENT='https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf'
      [Thu Aug 29 17:57:37 UTC 2019] ACME_NEW_NONCE='https://acme-v02.api.letsencrypt.org/acme/new-nonce'
      [Thu Aug 29 17:57:37 UTC 2019] ACME_VERSION='2'
      [Thu Aug 29 17:57:37 UTC 2019] _on_before_issue
      [Thu Aug 29 17:57:37 UTC 2019] _chk_main_domain='destiny2.cz'
      [Thu Aug 29 17:57:37 UTC 2019] _chk_alt_domains='www.destiny2.cz'
      [Thu Aug 29 17:57:37 UTC 2019] '/home/nginx/domains/destiny2.cz/public' does not contain 'no'
      [Thu Aug 29 17:57:37 UTC 2019] Le_LocalAddress
      [Thu Aug 29 17:57:37 UTC 2019] d='destiny2.cz'
      [Thu Aug 29 17:57:37 UTC 2019] Check for domain='destiny2.cz'
      [Thu Aug 29 17:57:37 UTC 2019] _currentRoot='/home/nginx/domains/destiny2.cz/public'
      [Thu Aug 29 17:57:37 UTC 2019] d='www.destiny2.cz'
      [Thu Aug 29 17:57:37 UTC 2019] Check for domain='www.destiny2.cz'
      [Thu Aug 29 17:57:37 UTC 2019] _currentRoot='/home/nginx/domains/destiny2.cz/public'
      [Thu Aug 29 17:57:37 UTC 2019] d
      
    I have no clue what's wrong; all should be good.
     
  2. EckyBrazzz

    EckyBrazzz Active Member

    Site gives (after accepting risk to continue)
    500 Internal Server Error
    nginx

    Might want to recompile something at centmin menu #4 to get it fixed.

    I also had these several times this week:
    Code (Text):
    '/home/nginx/domains/domain.com/public' does not contain 'dns'
    '/home/nginx/domains/domain.com/public' does not contain 'no'
    

    Still don't have a clue why. I changed the domain registrar for that domain and the problem was gone.

    When you create a post: don't post domains/passwords etc. that are in log files. Change that info (domain.com), remove passwords etc. Safety first.
     
    Last edited: Aug 31, 2019
  3. eva2000

    eva2000 Administrator Staff Member

    First try running your intended SSL certificate domain through the letsdebug.net online testing tool to check for potential errors with HTTP-01 validation.

    How was the initial Letsencrypt SSL certificate obtained? Which method?
    • Was the domain nginx vhost already created prior, or was it a new domain nginx vhost site set up for the first time?
    • Via centmin.sh menu option 2, 22, or /usr/bin/nv?
    • If you ran centmin.sh menu option 2 or 22, which letsencrypt option did you select from
      Code (Text):
      -------------------------------------------------------------
      Setup full Nginx vhost + Wordpress + WP Plugins
      -------------------------------------------------------------
      
      Enter vhost domain name you want to add (without www. prefix): acme3.domain1.com
      
      Create a self-signed SSL certificate Nginx vhost? [y/n]: n
      Get Letsencrypt SSL certificate Nginx vhost? [y/n]: y
      
      You have 4 options:
      1. issue staging test cert with HTTP + HTTPS
      2. issue staging test cert with HTTPS default
      3. issue live cert with HTTP + HTTPS
      4. issue live cert with HTTPS default
      Enter option number 1-4: 1
      
    • Via addons/acmetool.sh? Which specific command? Examples:
      Code (Text):
      ./acmetool.sh issue acme.domain.com
      
      Code (Text):
      ./acmetool.sh issue acme.domain.com live
      
      Code (Text):
      ./acmetool.sh issue acme.domain.com d
      
      Code (Text):
      ./acmetool.sh issue acme.domain.com lived
      
    • What was the order of steps you did? Did you run centmin.sh menu option 2 first with letsencrypt? Then did you run addons/acmetool.sh afterwards?

    Centmin Mod Self-Signed SSL Fallback

    If you're seeing Centmin Mod's self-signed SSL certificate instead of the Letsencrypt SSL certificate, that's acmetool.sh and centminmod's fallback: if Letsencrypt verification fails to obtain the Letsencrypt SSL cert, it falls back to the Centmin Mod self-signed SSL certificate on the HTTPS port 443 side so as to preserve the HTTPS nginx vhost.

    Troubleshooting

    There are various steps you can take to troubleshoot failed letsencrypt issuances, renewals, reissues etc.
    • acmetool.sh logs all command line or shell menu runs to log files at /root/centminlogs. To troubleshoot, copy the contents of the log run and post the contents of the log to pastebin.com or gist.github.com and share the link in this thread. To find the log, list the logs in ascending date order:
      Code (Text):
      ls -lahrt /root/centminlogs
    • For direct acmetool.sh runs, there should be a 2nd, 3rd and 4th log in the format /root/centminlogs/centminmod_${DT}_nginx_addvhost_nv.log, /root/centminlogs/acmetool.sh-debug-log-$DT.log and /root/centminlogs/acmesh-issue_*.log or /root/centminlogs/acmesh-reissue_*.log, which would need to be included via a separate pastebin.com or gist.github.com post.
    • Enable acmetool.sh debug mode. In the persistent config file at /etc/centminmod/custom_config.inc (create it if it doesn't exist), add and enable acmetool.sh debug mode, which gives much more verbose letsencrypt issuance process information when you re-run acmetool.sh or centmin.sh menu options 2, 22 or the /usr/bin/nv command lines.
      Code (Text):
      ACMEDEBUG='y'
    If acme.sh auto renewals didn't happen, check the output of the following commands
    Code (Text):
    grep acme /var/log/cron* | sed -e "s|$(hostname -s)|host|g"
    

    Code (Text):
    echo y | /usr/local/src/centminmod/addons/acmetool.sh checkdates
    

    Code (Text):
    "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh"
    

    Code (Text):
    echo | openssl s_client -connect yourdomain.com:443
    

    Without the answers to above questions and logs, there is nothing to help troubleshoot.

    SSLLabs Test

    Also run your HTTPS domain site through the SSLLabs tester at SSL Server Test (Powered by Qualys SSL Labs); if it says untrusted SSL cert and prompts to continue the test, continue the test.
     
  4. pamamolf

    pamamolf Premium Member Premium Member

    I got the same issue a long time ago with an old server that I hadn't updated for a long time....

    So from what I remember I added the domain from menu 2 with a custom SSL certificate and then installed acme and ran menu 4 and again 4....

    All was OK with Let's Encrypt but now the certificate expired.

    So I updated Centminmod and ran it once and then I tried to renew or issue the certificate again but it didn't work and I got a message:

    Invalid response from the .wellknown bla bla bla

    Log file:
    [Tue Oct 29 22:29:12 UTC 2019] Lets find script dir. [Tue Oct 29 22:29:12 UTC 2 - Pastebin.com

    Code:
    /var/log/cron-20191027:Oct 25 00:52:01 host CROND[8291]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron-20191027:Oct 26 00:52:01 host CROND[19158]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron-20191027:Oct 27 00:52:01 host CROND[25936]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    Code:
    /usr/local/nginx/conf/ssl/mydomain.com/mydomain.com-acme.cer
    SHA1 Fingerprint=890BA1FD22F0EECCF41E81B73F7297B5EEDD78F4
    certificate expires in -67 days on 23 Aug 2019
    
    ----------------------------------------------
    acme.sh obtained
    ----------------------------------------------
    
    /root/.acme.sh/mydomain.com/mydomain.com.cer
    SHA1 Fingerprint=890BA1FD22F0EECCF41E81B73F7297B5EEDD78F4
    [ below certifcate transparency link is only valid ~1hr after issuance ]
    crt.sh | 890ba1fd22f0eeccf41e81b73f7297b5eedd78f4
    certificate expires in -67 days on 23 Aug 2019
    Code:
    mydomain.com:Verify error:Invalid response from https://mydomain.com/.well-known/acme-challenge/o_YIepcPezqeUy78aFb6EeT6N7u5EuxexXr2v3tJKD8
    
    Code:
    Connected and certificate has expired ....
    Code:
    curl: (60) Peer's Certificate has expired.
    More details here: curl - SSL CA Certificates
    
    curl performs SSL certificate verification by default, using a "bundle"
     of Certificate Authority (CA) public keys (CA certs). If the default
     bundle file isn't adequate, you can specify an alternate file
     using the --cacert option.
    If this HTTPS server uses a certificate signed by a CA represented in
     the bundle, the certificate verification probably failed due to a
     problem with the certificate (it might be expired, or the name might
     not match the domain name in the URL).
    If you'd like to turn off curl's verification of the certificate, use
     the -k (or --insecure) option.
    Code:
    curl: (60) Peer's Certificate has expired.
    More details here: curl - SSL CA Certificates
    
    curl performs SSL certificate verification by default, using a "bundle"
     of Certificate Authority (CA) public keys (CA certs). If the default
     bundle file isn't adequate, you can specify an alternate file
     using the --cacert option.
    If this HTTPS server uses a certificate signed by a CA represented in
     the bundle, the certificate verification probably failed due to a
     problem with the certificate (it might be expired, or the name might
     not match the domain name in the URL).
    If you'd like to turn off curl's verification of the certificate, use
     the -k (or --insecure) option.
    Code:
    HTTP/1.1 302 Moved Temporarily
    Date: Wed, 30 Oct 2019 00:29:54 GMT
    Content-Type: text/html
    Content-Length: 138
    Connection: keep-alive
    Location: MyDomain | Domain Names, Web Hosting, and Free Domain Services
    Server: nginx centminmod
    X-Powered-By: centminmod
    Code:
    HTTP/1.1 302 Moved Temporarily
    Date: Wed, 30 Oct 2019 00:30:30 GMT
    Content-Type: text/html
    Content-Length: 138
    Connection: keep-alive
    Location: MyDomain | Domain Names, Web Hosting, and Free Domain Services
    Server: nginx centminmod
    X-Powered-By: centminmod

    My domain config:
    #x# HTTPS-DEFAULT server { server_name mydomain.com www.mydomain.co - Pastebin.com

    Any ideas?

    Thank you
     
    Last edited: Oct 30, 2019
  5. eva2000

    eva2000 Administrator Staff Member

    First try running your intended SSL certificate domain through the letsdebug.net online testing tool to check for potential errors with HTTP-01 validation. What do you get?
     
  6. pamamolf

    pamamolf Premium Member Premium Member

    All OK, the result is green!
     
  7. eva2000

    eva2000 Administrator Staff Member

    Noticed in your config you have a location context for PHP when you already have the php.conf include file:
    Code (Text):
    location ~ \.php$ {
        include /usr/local/nginx/conf/fastcgi.conf;
        fastcgi_pass 127.0.0.1:9000;
    }
    include /usr/local/nginx/conf/pre-staticfiles-local-mydomain.com.conf;
    include /usr/local/nginx/conf/pre-staticfiles-global.conf;
    include /usr/local/nginx/conf/staticfiles.conf;
    include /usr/local/nginx/conf/php.conf;
    

    You can remove the location php context and restart nginx + php-fpm and see if manually running the cronjob auto-renewal works:
    Code (Text):
    "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh"

    If it doesn't, it sounds like Letsencrypt is following your non-HTTPS domain's 301/302 redirect to the HTTPS-based domain to validate the domain, but the HTTPS-based domain's SSL certificate has expired.

    What you can do is sort of partial manual steps from Migrating Existing Nginx Vhost From HTTP to HTTP/2 based HTTPS With Letsencrypt SSL Certificates in that you temporarily disable your /usr/local/nginx/conf/conf.d/domain.com.ssl.conf nginx vhost and recreate the non-https nginx vhost /usr/local/nginx/conf/conf.d/domain.com.conf using the official Nginx vhost generator at Generate Centmin Mod Nginx Vhost - CentminMod.com LEMP Nginx web stack for CentOS (which is step 1 of guide at Migrating Existing Nginx Vhost From HTTP to HTTP/2 based HTTPS With Letsencrypt SSL Certificates).

    Then follow manual steps 2, 3, 4, 5 and 6 of guide at Migrating Existing Nginx Vhost From HTTP to HTTP/2 based HTTPS With Letsencrypt SSL Certificates where step 6 you can re-enable your https /usr/local/nginx/conf/conf.d/domain.com.ssl.conf nginx vhost and disable your non-https nginx vhost /usr/local/nginx/conf/conf.d/domain.com.conf again.

    Then you can test your domain at Let's Debug to ensure future renewals work.
     
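    As an added example (not code from this thread, Centmin Mod, acmetool.sh or acme.sh), the POSIX shell helpers below automate the checks asked for in the troubleshooting post above and the diagnosis reached here: classify what the ACME challenge URL answers over plain HTTP from a captured header block, read the days-to-expiry from "acmetool.sh checkdates" output, flag a vhost that carries its own "location ~ \.php$" block next to the php.conf include, and print a plain-HTTP server block that serves /.well-known/acme-challenge/ itself so a renewal no longer depends on the HTTPS certificate still being valid. The sample headers, checkdates lines and vhost are constructed to mirror the thread's output; mydomain.com, the webroot path and every function name are placeholders, and the rendered server block is a generic nginx snippet (an assumption), not the vhost Centmin Mod's generator writes.

```shell
#!/bin/sh
# Added example for this thread, not code from Centmin Mod, acmetool.sh or acme.sh.
# POSIX sh + sed/grep only; every helper reads stdin so it works on captured
# output (pastebin logs) as well as on live command output.

# classify_challenge_response: reads an HTTP response header block on stdin and
# prints ok | redirect-https | redirect-http | blocked | unexpected:<code>.
# A 301/302 to https:// is the case this thread hit: Let's Encrypt follows it,
# and an expired HTTPS certificate then makes the HTTP-01 fetch fail.
classify_challenge_response() {
  resp=$(tr -d '\r')
  code=$(printf '%s\n' "$resp" | sed -n '1s/^HTTP\/[0-9.]* \([0-9]\{3\}\).*/\1/p')
  loc=$(printf '%s\n' "$resp" | grep -i '^location:' | sed 's/^[Ll]ocation:[[:space:]]*//;s/[[:space:]]*$//')
  case "$code" in
    200) echo ok ;;
    301|302|307|308)
      case "$loc" in
        https://*) echo redirect-https ;;
        http://*)  echo redirect-http ;;
        *)         echo "unexpected:$code" ;;
      esac ;;
    401|403) echo blocked ;;
    *)       echo "unexpected:${code:-none}" ;;
  esac
}

# days_until_expiry: reads "acmetool.sh checkdates" output on stdin and prints the
# smallest "certificate expires in N days" value (negative = already expired),
# or "unknown" when no such line is present.
days_until_expiry() {
  d=$(tr -d '\r' | sed -n 's/.*certificate expires in \(-\{0,1\}[0-9][0-9]*\) days.*/\1/p' | sort -n | head -n 1)
  echo "${d:-unknown}"
}

# has_duplicate_php_location: reads an nginx vhost on stdin and prints yes when it
# defines its own "location ~ \.php$" block while also including php.conf.
has_duplicate_php_location() {
  conf=$(tr -d '\r')
  if printf '%s\n' "$conf" | grep -q 'location[[:space:]]*~.*\.php\$' &&
     printf '%s\n' "$conf" | grep -q 'include[[:space:]].*php\.conf;'; then
    echo yes
  else
    echo no
  fi
}

# diagnose CLASS DAYS DUP: turns the three findings into one verdict line.
diagnose() {
  verdict="HTTP-01 challenge path reachable over plain HTTP"
  case "$1" in
    redirect-https)
      if [ "$2" != unknown ] && [ "$2" -lt 0 ]; then
        verdict="challenge redirected to HTTPS but that certificate expired ${2#-} days ago: serve /.well-known/acme-challenge/ over plain HTTP before reissuing"
      else
        verdict="challenge redirected to HTTPS: works only while the HTTPS certificate stays valid"
      fi ;;
    redirect-http) verdict="challenge redirected to another HTTP URL: confirm the target serves the same webroot" ;;
    blocked)       verdict="challenge URL denied: check nginx access rules for /.well-known/" ;;
    unexpected:*)  verdict="challenge URL answered ${1#unexpected:}: check the vhost root and that nginx serves the challenge directory" ;;
  esac
  [ "$3" = yes ] && verdict="$verdict; also remove the duplicate 'location ~ \\.php\$' block, php.conf already provides it"
  echo "$verdict"
}

# render_http_vhost DOMAIN WEBROOT: prints a generic plain-HTTP server block (an
# assumption, not what Centmin Mod's generator writes) that answers the challenge
# directory itself and only redirects everything else to HTTPS.
render_http_vhost() {
  cat <<EOF
server {
    listen 80;
    server_name $1 www.$1;
    root $2;
    location ^~ /.well-known/acme-challenge/ {
        default_type text/plain;
        try_files \$uri =404;
    }
    location / {
        return 301 https://\$host\$request_uri;
    }
}
EOF
}

# --- constructed samples shaped like the thread's output (placeholders) ---------
SAMPLE_RESPONSE='HTTP/1.1 302 Moved Temporarily
Date: Wed, 30 Oct 2019 00:29:54 GMT
Content-Type: text/html
Location: https://mydomain.com/.well-known/acme-challenge/TOKEN
Server: nginx centminmod'
SAMPLE_CHECKDATES='/usr/local/nginx/conf/ssl/mydomain.com/mydomain.com-acme.cer
certificate expires in -67 days on 23 Aug 2019'
SAMPLE_VHOST='server {
    server_name mydomain.com www.mydomain.com;
    location ~ \.php$ {
        include /usr/local/nginx/conf/fastcgi.conf;
        fastcgi_pass 127.0.0.1:9000;
    }
    include /usr/local/nginx/conf/php.conf;
}'

cls=$(printf '%s\n' "$SAMPLE_RESPONSE" | classify_challenge_response)
days=$(printf '%s\n' "$SAMPLE_CHECKDATES" | days_until_expiry)
dup=$(printf '%s\n' "$SAMPLE_VHOST" | has_duplicate_php_location)
echo "challenge=$cls days_left=$days duplicate_php_location=$dup"
diagnose "$cls" "$days" "$dup"
echo "--- plain-HTTP vhost to enable while reissuing ---"
render_http_vhost mydomain.com /home/nginx/domains/mydomain.com/public
```

    On a live server the same helpers take real data, e.g. `curl -sI http://mydomain.com/.well-known/acme-challenge/test | classify_challenge_response` and `echo y | /usr/local/src/centminmod/addons/acmetool.sh checkdates | days_until_expiry`; `try_files $uri =404` in the rendered block returns 404 for any token acme.sh has not written, so nothing outside the challenge directory is exposed by the exception to the redirect.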
  8. pamamolf

    pamamolf Premium Member Premium Member

    I was not able to adjust that include php file, and it was the only way for me to get it working....

    What about deleting anything related to that domain, re-adding it, restoring the database/files and then getting the certificate?
     
  9. eva2000

    eva2000 Administrator Staff Member

    Try my steps below instead, as that won't require deleting the domain/files etc.
     
  10. pamamolf

    pamamolf Premium Member Premium Member

    All good now :)

    I created the http config and followed the instructions and it is working now....

    What should I do now with the http config so I don't have that issue again?

    Should I keep it enabled? Disable it?

    Thanks !
     
  11. eva2000

    eva2000 Administrator Staff Member

     
  12. MarkKiss

    MarkKiss New Member

    Hi, I have one addition to my issues and maybe a bug in acme.

    If a certificate expires, renewal via the acme tool uses a redirect to https, which is not possible due to the expired cert. It may be worth adjusting that to fall back to http after the cert is created, to prevent these issues. Or any suggestion how to do this?
     
  13. eva2000

    eva2000 Administrator Staff Member

    You'd have to do it manually then via the non-https vhost setup.

    What you can do is sort of partial manual steps from Migrating Existing Nginx Vhost From HTTP to HTTP/2 based HTTPS With Letsencrypt SSL Certificates in that you temporarily disable your /usr/local/nginx/conf/conf.d/domain.com.ssl.conf nginx vhost and recreate the non-https nginx vhost /usr/local/nginx/conf/conf.d/domain.com.conf using the official Nginx vhost generator at Generate Centmin Mod Nginx Vhost - CentminMod.com LEMP Nginx web stack for CentOS (which is step 1 of guide at Migrating Existing Nginx Vhost From HTTP to HTTP/2 based HTTPS With Letsencrypt SSL Certificates).

    Then follow manual steps 2, 3, 4, 5 and 6 of guide at Migrating Existing Nginx Vhost From HTTP to HTTP/2 based HTTPS With Letsencrypt SSL Certificates where step 6 you can re-enable your https /usr/local/nginx/conf/conf.d/domain.com.ssl.conf nginx vhost and disable your non-https nginx vhost /usr/local/nginx/conf/conf.d/domain.com.conf again.

    Then you can test your domain at Let's Debug to ensure future renewals work.