New issued certificate is Fake (?)

Discussion in 'Domains, DNS, Email & SSL Certificates' started by Shirkit, Feb 6, 2019.

  1. Shirkit (New Member)

    So I have a Mautic server which required that I redirect and rewrite some things for it to work properly.

    Here's the log of the certificate issue

    Code:
    [22:19][root@digitalocean.atlantidastudios.com addons]# ./acmetool.sh issue mautic.orquidariobahia.com.br
    
    -------------------------------------------------
    acmetool.sh is in beta testing phase
    please read & provide bug reports &
    feedback for this tool via the forums
    https://centminmod.com/acmetool
    -------------------------------------------------
    
    continue [y/n] ? y
    
    -----------------------------------------------------
    updating acme.sh client...
    -----------------------------------------------------
    Cloning into 'acme.sh'...
    [Tue Feb  5 22:20:32 UTC 2019] It is recommended to install socat first.
    [Tue Feb  5 22:20:32 UTC 2019] We use socat for standalone server if you use standalone mode.
    [Tue Feb  5 22:20:32 UTC 2019] If you don't use standalone mode, just ignore this warning.
    [Tue Feb  5 22:20:32 UTC 2019] Installing to /root/.acme.sh
    [Tue Feb  5 22:20:32 UTC 2019] Installed to /root/.acme.sh/acme.sh
    [Tue Feb  5 22:20:32 UTC 2019] Installing alias to '/root/.bashrc'
    [Tue Feb  5 22:20:32 UTC 2019] OK, Close and reopen your terminal to start using acme.sh
    [Tue Feb  5 22:20:32 UTC 2019] Installing alias to '/root/.cshrc'
    [Tue Feb  5 22:20:32 UTC 2019] Installing alias to '/root/.tcshrc'
    [Tue Feb  5 22:20:32 UTC 2019] Installing cron job
    52 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null
    [Tue Feb  5 22:20:32 UTC 2019] Good, bash is found, so change the shebang to use bash as preferred.
    [Tue Feb  5 22:20:32 UTC 2019] OK
    https://github.com/Neilpang/acme.sh
    v2.8.1
    -----------------------------------------------------
    acme.sh updated
    -----------------------------------------------------
    cat /usr/local/nginx/conf/ssl/mautic.orquidariobahia.com.br/mautic.orquidariobahia.com.br.crt.key.conf
    cat: /usr/local/nginx/conf/ssl/mautic.orquidariobahia.com.br/mautic.orquidariobahia.com.br.crt.key.conf: No such file or directory
    grep 'root' /usr/local/nginx/conf/conf.d/mautic.orquidariobahia.com.br.ssl.conf
      root /home/nginx/domains/mautic.orquidariobahia.com.br/public;
    
    -----------------------------------------------------------
    issue & install letsencrypt ssl certificate for mautic.orquidariobahia.com.br
    -----------------------------------------------------------
    testcert value =
    /root/.acme.sh/acme.sh --staging --issue -d mautic.orquidariobahia.com.br --days 60 -w /home/nginx/domains/mautic.orquidariobahia.com.br/public -k 2048 --useragent centminmod-centos7-acmesh-webroot --log /root/centminlogs/acmetool.sh-debug-log-050219-222028.log --log-level 2
    [Tue Feb  5 22:20:33 UTC 2019] Using stage ACME_DIRECTORY: https://acme-staging.api.letsencrypt.org/directory
    [Tue Feb  5 22:20:33 UTC 2019] Creating domain key
    [Tue Feb  5 22:20:34 UTC 2019] The domain key is here: /root/.acme.sh/mautic.orquidariobahia.com.br/mautic.orquidariobahia.com.br.key
    [Tue Feb  5 22:20:34 UTC 2019] Single domain='mautic.orquidariobahia.com.br'
    [Tue Feb  5 22:20:34 UTC 2019] Getting domain auth token for each domain
    [Tue Feb  5 22:20:34 UTC 2019] Getting webroot for domain='mautic.orquidariobahia.com.br'
    [Tue Feb  5 22:20:34 UTC 2019] Getting new-authz for domain='mautic.orquidariobahia.com.br'
    [Tue Feb  5 22:20:34 UTC 2019] The new-authz request is ok.
    [Tue Feb  5 22:20:34 UTC 2019] Verifying: mautic.orquidariobahia.com.br
    [Tue Feb  5 22:20:37 UTC 2019] Success
    [Tue Feb  5 22:20:37 UTC 2019] Verify finished, start to sign.
    [Tue Feb  5 22:20:40 UTC 2019] Cert success.
    -----BEGIN CERTIFICATE-----
    MIIFVTCCBD2gAwIBAgITAPq9BBP/x0Bt7jMlmUCxWRCHODANBgkqhkiG9w0BAQsF
    QMXZghXEBAf7Fq28dBrWdlyND0t4oMZld2QfgWCxEeCyDXoBs7abONOlHbnRHhV0
    KpaQ2rtmLKlwBCXgSyKIlfuixMqHf3capFhnyBI8ip+VB8DK6+65I0lZmqC6pjvf
    Sp6eUQ9h2km93x+ewlWwun8rjoxzsI2bRw==
    -----END CERTIFICATE-----
    [Tue Feb  5 22:20:40 UTC 2019] Your cert is in  /root/.acme.sh/mautic.orquidariobahia.com.br/mautic.orquidariobahia.com.br.cer
    [Tue Feb  5 22:20:40 UTC 2019] Your cert key is in  /root/.acme.sh/mautic.orquidariobahia.com.br/mautic.orquidariobahia.com.br.key
    [Tue Feb  5 22:20:40 UTC 2019] The intermediate CA cert is in  /root/.acme.sh/mautic.orquidariobahia.com.br/ca.cer
    [Tue Feb  5 22:20:40 UTC 2019] And the full chain certs is there:  /root/.acme.sh/mautic.orquidariobahia.com.br/fullchain.cer
    LECHECK = 0
    sed: can't read /usr/local/nginx/conf/ssl/mautic.orquidariobahia.com.br/mautic.orquidariobahia.com.br.crt.key.conf: No such file or directory
    sed: can't read /usr/local/nginx/conf/ssl/mautic.orquidariobahia.com.br/mautic.orquidariobahia.com.br.crt.key.conf: No such file or directory
    sed: can't read /usr/local/nginx/conf/ssl/mautic.orquidariobahia.com.br/mautic.orquidariobahia.com.br.crt.key.conf: No such file or directory
    tee: /usr/local/nginx/conf/ssl/mautic.orquidariobahia.com.br/acme-vhost-config.txt: No such file or directory
    grep: /usr/local/nginx/conf/ssl/mautic.orquidariobahia.com.br/mautic.orquidariobahia.com.br.crt.key.conf: No such file or directory
    
    -----------------------------------------------------------
    install cert
    -----------------------------------------------------------
    /root/.acme.sh/acme.sh --installcert -d mautic.orquidariobahia.com.br --certpath /usr/local/nginx/conf/ssl/mautic.orquidariobahia.com.br/mautic.orquidariobahia.com.br-acme.cer --keypath /usr/local/nginx/conf/ssl/mautic.orquidariobahia.com.br/mautic.orquidariobahia.com.br-acme.key --capath /usr/local/nginx/conf/ssl/mautic.orquidariobahia.com.br/mautic.orquidariobahia.com.br-acme.cer --reloadCmd /usr/bin/ngxreload --fullchainpath /usr/local/nginx/conf/ssl/mautic.orquidariobahia.com.br/mautic.orquidariobahia.com.br-fullchain-acme.key
    [Tue Feb  5 22:20:40 UTC 2019] Installing cert to:/usr/local/nginx/conf/ssl/mautic.orquidariobahia.com.br/mautic.orquidariobahia.com.br-acme.cer
    [Tue Feb  5 22:20:40 UTC 2019] Installing CA to:/usr/local/nginx/conf/ssl/mautic.orquidariobahia.com.br/mautic.orquidariobahia.com.br-acme.cer
    [Tue Feb  5 22:20:40 UTC 2019] Installing key to:/usr/local/nginx/conf/ssl/mautic.orquidariobahia.com.br/mautic.orquidariobahia.com.br-acme.key
    [Tue Feb  5 22:20:40 UTC 2019] Installing full chain to:/usr/local/nginx/conf/ssl/mautic.orquidariobahia.com.br/mautic.orquidariobahia.com.br-fullchain-acme.key
    [Tue Feb  5 22:20:40 UTC 2019] Run reload cmd: /usr/bin/ngxreload
    Reloading nginx configuration (via systemctl):  Job for nginx.service failed because the control process exited with error code. See "systemctl status nginx.service" and "journalctl -xe" for details.
    [FAILED]
    [Tue Feb  5 22:20:40 UTC 2019] Reload error for :
    
    letsencrypt ssl certificate setup completed
    ssl certs located at: /usr/local/nginx/conf/ssl/mautic.orquidariobahia.com.br
    
    openssl x509 -noout -text < /usr/local/nginx/conf/ssl/mautic.orquidariobahia.com.br/mautic.orquidariobahia.com.br-acme.cer
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number:
                fa:bd:04:13:ff:c7:40:6d:ee:33:25:99:40:b1:59:10:87:38
        Signature Algorithm: sha256WithRSAEncryption
            Issuer: CN=Fake LE Intermediate X1
            Validity
                Not Before: Feb  5 21:20:38 2019 GMT
                Not After : May  6 21:20:38 2019 GMT
            Subject: CN=mautic.orquidariobahia.com.br
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (2048 bit)
                    Modulus:
                        00:c2:4f:8b:d5:06:70:00:43:86:55:1d:36:9c:74:
                        e3:78:bc:ec:28:ce:1b:32:f9:89:18:e6:9f:61:64:
                        f8:ca:79:b4:cc:20:89:d7:60:24:a2:4f:1f:ed:4a:
                        cc:df
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Key Usage: critical
                    Digital Signature, Key Encipherment
                X509v3 Extended Key Usage:
                    TLS Web Server Authentication, TLS Web Client Authentication
                X509v3 Basic Constraints: critical
                    CA:FALSE
                X509v3 Subject Key Identifier:
                    D4:62:9F:EB:E5:A8:E5:8D:09:5E:60:30:95:72:01:80:5A:8E:EE:AA
                X509v3 Authority Key Identifier:
                    keyid:C0:CC:03:46:B9:58:20:CC:5C:72:70:F3:E1:2E:CB:20:A6:F5:68:3A
    
                Authority Information Access:
                    OCSP - URI:http://ocsp.stg-int-x1.letsencrypt.org
                    CA Issuers - URI:http://cert.stg-int-x1.letsencrypt.org/
    
                X509v3 Subject Alternative Name:
                    DNS:mautic.orquidariobahia.com.br
                X509v3 Certificate Policies:
                    Policy: 2.23.140.1.2.1
                    Policy: 1.3.6.1.4.1.44947.1.1.1
                      CPS: http://cps.letsencrypt.org
    
                CT Precertificate SCTs:
                    Signed Certificate Timestamp:
                        Version   : v1(0)
                        Log ID    : DD:99:34:FC:A5:E7:24:80:C9:56:68:7D:81:34:99:08:
                        Timestamp : Feb  5 22:20:38.855 2019 GMT
                        Extensions: none
                        Signature : ecdsa-with-SHA256
                                    30:46:02:21:00:D1:F0:D7:26:92:D7:C4:70:2F:0E:A9:
                    Signed Certificate Timestamp:
                        Version   : v1(0)
                        Log ID    : B0:CC:83:E5:A5:F9:7D:6B:AF:7C:09:CC:28:49:04:87:
                        Timestamp : Feb  5 22:20:38.858 2019 GMT
                        Extensions: none
                        Signature : ecdsa-with-SHA256
                                    30:46:02:21:00:85:9D:0E:33:C4:2E:9B:CF:87:33:4E:
                                    2A:25:32:AC:B0:05:AF:05:D0:A9:77:2A:69:81:D4:03:
        Signature Algorithm: sha256WithRSAEncryption
             dd:44:67:e3:48:79:02:b3:d8:10:d3:f0:37:97:9d:62:4b:40:
             37:7a:84:b5:d7:1a:8b:36:17:dc:80:90:b6:92:e0:87:09:47:
             57:5f:6e:f6:6d:3d:c1:ee:07:fa:13:74:71:b2:95:51:d1:80:
             b0:8d:9b:47
    
    log files saved at /root/centminlogs
    -rw-r--r-- 1 root root  33K Feb  5 22:20 acmetool.sh-debug-log-050219-222028.log
    -rw-r--r-- 1 root root  14K Feb  5 22:20 acmesh-issue_050219-222028.log
    
    Here goes my .conf /usr/local/nginx/conf/conf.d/mautic.orquidariobahia.com.br.conf


    Code:
    #x# HTTPS-DEFAULT
     server {
    
       server_name mautic.orquidariobahia.com.br www.mautic.orquidariobahia.com.br;
       return 302 https://mautic.orquidariobahia.com.br$request_uri;
       include /usr/local/nginx/conf/staticfiles.conf;
     }
    
    #       listen   80;
    #       server_name mautic.orquidariobahia.com.br www.mautic.orquidariobahia.com.br;
    #       return 302 https://$server_name$request_uri;
    
    server {
      listen 443 ssl http2;
      server_name mautic.orquidariobahia.com.br www.mautic.orquidariobahia.com.br;
    
    #  include /usr/local/nginx/conf/ssl/mautic.orquidariobahia.com.br/mautic.orquidariobahia.com.br.crt.key.conf;
      include /usr/local/nginx/conf/ssl_include.conf;
    
      # cloudflare authenticated origin pull cert community.centminmod.com/threads/13847/
      #ssl_client_certificate /usr/local/nginx/conf/ssl/cloudflare/mautic.orquidariobahia.com.br/origin.crt;
      #ssl_verify_client on;
      http2_max_field_size 16k;
      http2_max_header_size 32k;
      # mozilla recommended
      ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS;
      ssl_prefer_server_ciphers   on;
      #add_header Alternate-Protocol  443:npn-spdy/3;
      add_header Access-Control-Allow-Origin *;
    
      # before enabling HSTS line below read centminmod.com/nginx_domain_dns_setup.html#hsts
      #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
      #add_header X-Frame-Options SAMEORIGIN;
      add_header X-Xss-Protection "1; mode=block" always;
      add_header X-Content-Type-Options "nosniff" always;
      #add_header Referrer-Policy "strict-origin-when-cross-origin";
      #spdy_headers_comp 5;
      ssl_buffer_size 1369;
      ssl_session_tickets on;
    
      # enable ocsp stapling
      resolver 8.8.8.8 8.8.4.4 valid=10m;
      resolver_timeout 10s;
      ssl_stapling on;
      ssl_stapling_verify on;
    
    # ngx_pagespeed & ngx_pagespeed handler
    #include /usr/local/nginx/conf/pagespeed.conf;
    #include /usr/local/nginx/conf/pagespeedhandler.conf;
    #include /usr/local/nginx/conf/pagespeedstatslog.conf;
    
      # limit_conn limit_per_ip 16;
      # ssi  on;
    
      access_log /home/nginx/domains/mautic.orquidariobahia.com.br/log/access.log combined buffer=256k flush=5m;
      error_log /home/nginx/domains/mautic.orquidariobahia.com.br/log/error.log;
    
    #  include /usr/local/nginx/conf/autoprotect/mautic.orquidariobahia.com.br/autoprotect-mautic.orquidariobahia.com.br.conf;
      root /home/nginx/domains/mautic.orquidariobahia.com.br/public;
      # uncomment cloudflare.conf include if using cloudflare for
      # server and/or vhost site
      #include /usr/local/nginx/conf/cloudflare.conf;
      #include /usr/local/nginx/conf/503include-main.conf;
    
      #######################################
      ##  Start Mautic Specific config #####
      #######################################
    
      location ~ ^/.well-known/acme-challenge/* {
        allow all;
      }
    
    
      rewrite ^/index.php/(.*) /$1 permanent;
    
    #  rewrite ^/(vendor|translations|build)/.* /index.php break;
    
      location / {
        # First attempt to serve request as file, then
        # as directory, then fall back to index.html
        # one option: try_files $uri $uri/ /index.php$is_args$args;
        try_files $uri /index.php$is_args$args;
      }
    
    #  # Deny everything else in /app folder except Assets folder in bundles
      location ~ /app/bundles/.*/Assets/(.*).js {
        allow all;
        access_log off;
      }
    #  location ~ /app/ { allow 127.0.0.1; deny all; }
    
      # Deny everything else in /addons or /plugins folder except Assets folder in bundles
      location ~ /(addons|plugins)/.*/Assets/ {
        allow all;
        access_log off;
      }
    #  location ~ /(addons|plugins)/ { deny all; }
    
      # Deny all php files in themes folder
      location ~* ^/themes/(.*)\.php {
        deny all;
      }
    
    #  # Deny yml, twig, markdown, init file access
    #  location ~* /(.*)\.(?:markdown|md|twig|yaml|yml|ht|htaccess|ini)$ {
    #      allow 127.0.0.1;
    #      deny all;
    #      access_log off;
    #      log_not_found off;
    #  }
    
      # Deny all attempts to access hidden files/folders such as .htaccess, .htpasswd, .DS_Store (Mac), etc...
      location ~ /\. {
        deny all;
        access_log off;
        log_not_found off;
      }
    
      # Deny all grunt, composer files
      location ~* (Gruntfile|package|composer)\.(js|json)$ {
        deny all;
        access_log off;
        log_not_found off;
      }
    
      location ~*  \.(jpg|jpeg|png|ico|pdf)$ {
        expires 15d;
      }
    
      #Deny access to any files with a .php extension in the uploads directory
      location ~* /(?:uploads|files)/.*\.php$ {
        deny all;
      }
    
      # Solve email tracking pixel not found
      location ~ email/(.*).gif {
        try_files $uri /index.php?$args;
      }
    
      # Solve JS Loading 404 Error
      location ~ (.*)(mtc|generate).js {
        try_files $uri /index.php?$args;
        expires 1d;
      }
    
    #    location ~ \.php$ {
    #        # try_files $uri =403;
    #        fastcgi_split_path_info ^(.+\.php)(/.+)$;
    #        # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
    #
    #        fastcgi_pass unix:/var/run/php5-fpm.sock;
    #        fastcgi_index index.php;
    #        include fastcgi_params;
    #
    #}
    
      #######################################
      ##  End Mautic Specific config #####
      #######################################
    
    
      include /usr/local/nginx/conf/pre-staticfiles-local-mautic.orquidariobahia.com.br.conf;
      include /usr/local/nginx/conf/pre-staticfiles-global.conf;
      include /usr/local/nginx/conf/staticfiles.conf;
      include /usr/local/nginx/conf/php.conf;
    
      include /usr/local/nginx/conf/drop.conf;
      #include /usr/local/nginx/conf/errorpage.conf;
      include /usr/local/nginx/conf/vts_server.conf;
    }
    So, I renamed the following folders

    Code:
    /root/.acme.sh/mauatic.orquidariobahia.com.br
    /usr/local/nginx/conf/ssl/mautic.orquidariobahia.com.br
    And issued a new certificate; that's the output at the top, but something didn't work.

    I noticed that some files were missing, so I had to comment out the following line

    Code:
    #  include /usr/local/nginx/conf/ssl/mautic.orquidariobahia.com.br/mautic.orquidariobahia.com.br.crt.key.conf;
    So, lemme output the previous folder and the new folder

    Code:
    [22:41][root@digitalocean.atlantidastudios.com mautic.orquidariobahia.com.br.old]# ls -l
    total 36
    -rw-r--r-- 1 root root  443 Feb  5 22:04 acme-vhost-config.txt
    -rw-r--r-- 1 root root  424 Nov  7 14:18 dhparam.pem
    -rw-r--r-- 1 root root 3583 Feb  5 22:04 mautic.orquidariobahia.com.br-acme.cer
    -rw-r--r-- 1 root root 1675 Feb  5 22:04 mautic.orquidariobahia.com.br-acme.key
    -rw-r--r-- 1 root root 1403 Nov  7 19:31 mautic.orquidariobahia.com.br.crt
    -rw-r--r-- 1 root root  443 Feb  5 22:04 mautic.orquidariobahia.com.br.crt.key.conf
    -rw-r--r-- 1 root root 1102 Nov  7 19:31 mautic.orquidariobahia.com.br.csr
    -rw-r--r-- 1 root root 3582 Feb  5 22:04 mautic.orquidariobahia.com.br-fullchain-acme.key
    -rw-r--r-- 1 root root 1704 Nov  7 19:31 mautic.orquidariobahia.com.br.key
    [22:41][root@digitalocean.atlantidastudios.com mautic.orquidariobahia.com.br.old]# cd ..
    You have mail in /var/spool/mail/root
    [22:41][root@digitalocean.atlantidastudios.com ssl]# cd mautic.orquidariobahia.com.br
    [22:42][root@digitalocean.atlantidastudios.com mautic.orquidariobahia.com.br]# ls -l
    total 12
    -rw-r--r-- 1 root root 3591 Feb  5 22:20 mautic.orquidariobahia.com.br-acme.cer
    -rw-r--r-- 1 root root 1675 Feb  5 22:20 mautic.orquidariobahia.com.br-acme.key
    -rw-r--r-- 1 root root 3590 Feb  5 22:20 mautic.orquidariobahia.com.br-fullchain-acme.key
    [22:42][root@digitalocean.atlantidastudios.com mautic.orquidariobahia.com.br]#
    I noticed that there are files missing in the new version, as the chain was not fully constructed. Currently, everything broke and I don't know how to get my SSL back to work.

    Any help is appreciated.
     
  2. eva2000 (Administrator, Staff Member)

    If you're seeing Centmin Mod's self-signed ssl certificate instead of the letsencrypt ssl certificate, then that's acmetool.sh's and centminmod's fallback: if letsencrypt verification fails to obtain a letsencrypt ssl cert, it falls back to the centmin mod self-signed ssl certificate on the https port 443 side so as to preserve the https nginx vhost.

    This is because you ran acmetool.sh without the live flag for a real letsencrypt ssl cert, and ran with a staging test ssl cert via
    Code (Text):
    ./acmetool.sh issue mautic.orquidariobahia.com.br
    

    as opposed to
    Code (Text):
    ./acmetool.sh issue mautic.orquidariobahia.com.br live
    

    as per instructions at Letsencrypt - Official acmetool.sh testing thread for Centmin Mod 123.09beta01 (3rd post)

    you can try reissuing Letsencrypt - Official acmetool.sh testing thread for Centmin Mod 123.09beta01
    Code (Text):
    ./acmetool.sh reissue mautic.orquidariobahia.com.br live
    

    if your ssl nginx vhost is at /usr/local/nginx/conf/conf.d/mautic.orquidariobahia.com.br.ssl.conf
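    An added check (example code, not acmetool.sh's, acme.sh's or the thread's own) that reads the `openssl x509 -noout -text` dump acmetool.sh prints at the end of every run, as in both posts above, and reports a staging issuer, a hostname missing from the SAN list, or an expired cert before it is served. The two sample dumps are constructed excerpts modelled on the thread's staging and live runs; the file name `audit_le_cert.py` in the usage comment is assumed.

```python
"""Flag Let's Encrypt staging certificates in `openssl x509 -noout -text` output.

Added example, not code from the thread, acmetool.sh or acme.sh. The Issuer
line and the AIA URLs are enough to tell a staging run ("Fake LE Intermediate
X1", stg-int-x1.letsencrypt.org) from a production one; the two sample dumps
below are constructed excerpts modelled on the thread's two runs.
"""
import re
import sys
from datetime import datetime, timezone

STAGING_ISSUER_MARKER = "Fake LE"                # staging intermediate CN prefix
STAGING_AIA_HOST = "stg-int-x1.letsencrypt.org"  # staging OCSP / CA Issuers host
OPENSSL_TIME_FMT = "%b %d %H:%M:%S %Y GMT"

# Constructed reference instants: the thread's date, and one past expiry.
THREAD_DATE = datetime(2019, 2, 6, tzinfo=timezone.utc)
AFTER_EXPIRY = datetime(2019, 6, 1, tzinfo=timezone.utc)

STAGING_DUMP = """\
Certificate:
    Data:
        Issuer: CN=Fake LE Intermediate X1
        Validity
            Not Before: Feb  5 21:20:38 2019 GMT
            Not After : May  6 21:20:38 2019 GMT
        Subject: CN=mautic.orquidariobahia.com.br
        X509v3 extensions:
            Authority Information Access:
                OCSP - URI:http://ocsp.stg-int-x1.letsencrypt.org
                CA Issuers - URI:http://cert.stg-int-x1.letsencrypt.org/
            X509v3 Subject Alternative Name:
                DNS:mautic.orquidariobahia.com.br
"""

PRODUCTION_DUMP = """\
Certificate:
    Data:
        Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
        Validity
            Not Before: Feb  5 21:59:42 2019 GMT
            Not After : May  6 21:59:42 2019 GMT
        Subject: CN=mautic.orquidariobahia.com.br
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:mautic.orquidariobahia.com.br
"""


def _field(text, label):
    """Value of the first `Label : value` line, or None if the label is absent."""
    pattern = r"^\s*" + re.escape(label) + r"\s*:\s*(.+?)\s*$"
    match = re.search(pattern, text, re.MULTILINE)
    return match.group(1) if match else None


def _parse_time(value):
    """Parse openssl's `Feb  5 21:20:38 2019 GMT` form into an aware datetime."""
    if value is None:
        return None
    return datetime.strptime(value, OPENSSL_TIME_FMT).replace(tzinfo=timezone.utc)


def parse_openssl_text(text):
    """Pull out the fields that decide staging vs production and fitness to serve."""
    return {
        "issuer": _field(text, "Issuer"),
        "subject": _field(text, "Subject"),
        "not_before": _parse_time(_field(text, "Not Before")),
        "not_after": _parse_time(_field(text, "Not After")),
        "sans": re.findall(r"DNS:([^,\s]+)", text),
        "aia_uris": re.findall(r"URI:(\S+)", text),
    }


def is_staging(info):
    """True when the issuer name or any AIA URL points at the staging CA."""
    if STAGING_ISSUER_MARKER in (info["issuer"] or ""):
        return True
    return any(STAGING_AIA_HOST in uri for uri in info["aia_uris"])


def audit_cert_text(text, hostname, now=None):
    """Return the list of reasons this cert must not be served; empty means OK."""
    info = parse_openssl_text(text)
    now = now or datetime.now(timezone.utc)
    problems = []
    if is_staging(info):
        problems.append("staging: issued by a Fake LE intermediate, browsers will not trust it")
    if hostname not in info["sans"]:
        problems.append("hostname %s not in SAN list %s" % (hostname, info["sans"]))
    if info["not_after"] is None or info["not_after"] <= now:
        problems.append("expired or missing Not After")
    elif info["not_before"] is not None and info["not_before"] > now:
        problems.append("not yet valid")
    return problems


if __name__ == "__main__":
    # Usage: openssl x509 -noout -text -in cert.cer | python audit_le_cert.py <hostname>
    for problem in audit_cert_text(sys.stdin.read(), sys.argv[1]):
        print(problem)
```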
     
  3. Shirkit (New Member)

    Code:
    [22:59][root@digitalocean.atlantidastudios.com addons]# ./acmetool.sh issue mautic.orquidariobahia.com.br live
    
    -------------------------------------------------
    acmetool.sh is in beta testing phase
    please read & provide bug reports &
    feedback for this tool via the forums
    https://centminmod.com/acmetool
    -------------------------------------------------
    
    continue [y/n] ? y
    
    -----------------------------------------------------
    updating acme.sh client...
    -----------------------------------------------------
    Cloning into 'acme.sh'...
    [Tue Feb  5 22:59:24 UTC 2019] It is recommended to install socat first.
    [Tue Feb  5 22:59:24 UTC 2019] We use socat for standalone server if you use standalone mode.
    [Tue Feb  5 22:59:24 UTC 2019] If you don't use standalone mode, just ignore this warning.
    [Tue Feb  5 22:59:24 UTC 2019] Installing to /root/.acme.sh
    [Tue Feb  5 22:59:24 UTC 2019] Installed to /root/.acme.sh/acme.sh
    [Tue Feb  5 22:59:24 UTC 2019] Installing alias to '/root/.bashrc'
    [Tue Feb  5 22:59:24 UTC 2019] OK, Close and reopen your terminal to start using acme.sh
    [Tue Feb  5 22:59:24 UTC 2019] Installing alias to '/root/.cshrc'
    [Tue Feb  5 22:59:24 UTC 2019] Installing alias to '/root/.tcshrc'
    [Tue Feb  5 22:59:24 UTC 2019] Installing cron job
    52 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null
    [Tue Feb  5 22:59:24 UTC 2019] Good, bash is found, so change the shebang to use bash as preferred.
    [Tue Feb  5 22:59:24 UTC 2019] OK
    https://github.com/Neilpang/acme.sh
    v2.8.1
    -----------------------------------------------------
    acme.sh updated
    -----------------------------------------------------
    cat /usr/local/nginx/conf/ssl/mautic.orquidariobahia.com.br/mautic.orquidariobahia.com.br.crt.key.conf
    cat: /usr/local/nginx/conf/ssl/mautic.orquidariobahia.com.br/mautic.orquidariobahia.com.br.crt.key.conf: No such file or directory
    grep 'root' /usr/local/nginx/conf/conf.d/mautic.orquidariobahia.com.br.ssl.conf
      root /home/nginx/domains/mautic.orquidariobahia.com.br/public;
    
    -----------------------------------------------------------
    issue & install letsencrypt ssl certificate for mautic.orquidariobahia.com.br
    -----------------------------------------------------------
    testcert value = live
    /root/.acme.sh/acme.sh --issue -d mautic.orquidariobahia.com.br --days 60 -w /home/nginx/domains/mautic.orquidariobahia.com.br/public -k 2048 --useragent centminmod-centos7-acmesh-webroot --log /root/centminlogs/acmetool.sh-debug-log-050219-225919.log --log-level 2
    [Tue Feb  5 22:59:26 UTC 2019] Domains not changed.
    [Tue Feb  5 22:59:26 UTC 2019] Skip, Next renewal time is: Sat Apr  6 22:20:40 UTC 2019
    [Tue Feb  5 22:59:26 UTC 2019] Add '--force' to force to renew.
    LECHECK = 2
    
    issue skipped as ssl cert still valid
    
    log files saved at /root/centminlogs
    -rw-r--r-- 1 root root 3.2K Feb  5 22:59 acmetool.sh-debug-log-050219-225919.log
    -rw-r--r-- 1 root root 2.5K Feb  5 22:59 acmesh-issue_050219-225919.log
    
    
    [22:59][root@digitalocean.atlantidastudios.com addons]# ./acmetool.sh reissue mautic.orquidariobahia.com.br live
    
    -------------------------------------------------
    acmetool.sh is in beta testing phase
    please read & provide bug reports &
    feedback for this tool via the forums
    https://centminmod.com/acmetool
    -------------------------------------------------
    
    continue [y/n] ? y
    
    -----------------------------------------------------
    updating acme.sh client...
    -----------------------------------------------------
    Cloning into 'acme.sh'...
    [Tue Feb  5 22:59:35 UTC 2019] It is recommended to install socat first.
    [Tue Feb  5 22:59:35 UTC 2019] We use socat for standalone server if you use standalone mode.
    [Tue Feb  5 22:59:35 UTC 2019] If you don't use standalone mode, just ignore this warning.
    [Tue Feb  5 22:59:35 UTC 2019] Installing to /root/.acme.sh
    [Tue Feb  5 22:59:35 UTC 2019] Installed to /root/.acme.sh/acme.sh
    [Tue Feb  5 22:59:35 UTC 2019] Installing alias to '/root/.bashrc'
    [Tue Feb  5 22:59:35 UTC 2019] OK, Close and reopen your terminal to start using acme.sh
    [Tue Feb  5 22:59:35 UTC 2019] Installing alias to '/root/.cshrc'
    [Tue Feb  5 22:59:35 UTC 2019] Installing alias to '/root/.tcshrc'
    [Tue Feb  5 22:59:35 UTC 2019] Installing cron job
    52 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null
    [Tue Feb  5 22:59:35 UTC 2019] Good, bash is found, so change the shebang to use bash as preferred.
    [Tue Feb  5 22:59:36 UTC 2019] OK
    https://github.com/Neilpang/acme.sh
    v2.8.1
    -----------------------------------------------------
    acme.sh updated
    -----------------------------------------------------
    cat /usr/local/nginx/conf/ssl/mautic.orquidariobahia.com.br/mautic.orquidariobahia.com.br.crt.key.conf
    cat: /usr/local/nginx/conf/ssl/mautic.orquidariobahia.com.br/mautic.orquidariobahia.com.br.crt.key.conf: No such file or directory
    grep 'root' /usr/local/nginx/conf/conf.d/mautic.orquidariobahia.com.br.ssl.conf
      root /home/nginx/domains/mautic.orquidariobahia.com.br/public;
    
    -----------------------------------------------------------
    reissue & install letsencrypt ssl certificate for mautic.orquidariobahia.com.br
    -----------------------------------------------------------
    /root/.acme.sh/acme.sh --force --createDomainKey -d mautic.orquidariobahia.com.br -k 2048 --useragent centminmod-centos7-acmesh-webroot
    [Tue Feb  5 22:59:37 UTC 2019] Creating domain key
    [Tue Feb  5 22:59:37 UTC 2019] The domain key is here: /root/.acme.sh/mautic.orquidariobahia.com.br/mautic.orquidariobahia.com.br.key
    testcert value = live
    /root/.acme.sh/acme.sh --force --issue -d mautic.orquidariobahia.com.br --days 60 -w /home/nginx/domains/mautic.orquidariobahia.com.br/public -k 2048 --useragent centminmod-centos7-acmesh-webroot --log /root/centminlogs/acmetool.sh-debug-log-050219-225933.log --log-level 2
    [Tue Feb  5 22:59:38 UTC 2019] Single domain='mautic.orquidariobahia.com.br'
    [Tue Feb  5 22:59:38 UTC 2019] Getting domain auth token for each domain
    [Tue Feb  5 22:59:38 UTC 2019] Getting webroot for domain='mautic.orquidariobahia.com.br'
    [Tue Feb  5 22:59:38 UTC 2019] Getting new-authz for domain='mautic.orquidariobahia.com.br'
    [Tue Feb  5 22:59:38 UTC 2019] The new-authz request is ok.
    [Tue Feb  5 22:59:39 UTC 2019] Verifying: mautic.orquidariobahia.com.br
    [Tue Feb  5 22:59:41 UTC 2019] Success
    [Tue Feb  5 22:59:41 UTC 2019] Verify finished, start to sign.
    [Tue Feb  5 22:59:43 UTC 2019] Cert success.
    [Tue Feb  5 22:59:43 UTC 2019] Your cert is in  /root/.acme.sh/mautic.orquidariobahia.com.br/mautic.orquidariobahia.com.br.cer
    [Tue Feb  5 22:59:43 UTC 2019] Your cert key is in  /root/.acme.sh/mautic.orquidariobahia.com.br/mautic.orquidariobahia.com.br.key
    [Tue Feb  5 22:59:43 UTC 2019] The intermediate CA cert is in  /root/.acme.sh/mautic.orquidariobahia.com.br/ca.cer
    [Tue Feb  5 22:59:43 UTC 2019] And the full chain certs is there:  /root/.acme.sh/mautic.orquidariobahia.com.br/fullchain.cer
    LECHECK = 0
    sed: can't read /usr/local/nginx/conf/ssl/mautic.orquidariobahia.com.br/mautic.orquidariobahia.com.br.crt.key.conf: No such file or directory
    sed: can't read /usr/local/nginx/conf/ssl/mautic.orquidariobahia.com.br/mautic.orquidariobahia.com.br.crt.key.conf: No such file or directory
    sed: can't read /usr/local/nginx/conf/ssl/mautic.orquidariobahia.com.br/mautic.orquidariobahia.com.br.crt.key.conf: No such file or directory
    grep: /usr/local/nginx/conf/ssl/mautic.orquidariobahia.com.br/mautic.orquidariobahia.com.br.crt.key.conf: No such file or directory
    
    -----------------------------------------------------------
    install cert
    -----------------------------------------------------------
    /root/.acme.sh/acme.sh --installcert -d mautic.orquidariobahia.com.br --certpath /usr/local/nginx/conf/ssl/mautic.orquidariobahia.com.br/mautic.orquidariobahia.com.br-acme.cer --keypath /usr/local/nginx/conf/ssl/mautic.orquidariobahia.com.br/mautic.orquidariobahia.com.br-acme.key --capath /usr/local/nginx/conf/ssl/mautic.orquidariobahia.com.br/mautic.orquidariobahia.com.br-acme.cer --reloadCmd /usr/bin/ngxreload --fullchainpath /usr/local/nginx/conf/ssl/mautic.orquidariobahia.com.br/mautic.orquidariobahia.com.br-fullchain-acme.key
    [Tue Feb  5 22:59:44 UTC 2019] Installing cert to:/usr/local/nginx/conf/ssl/mautic.orquidariobahia.com.br/mautic.orquidariobahia.com.br-acme.cer
    [Tue Feb  5 22:59:44 UTC 2019] Installing CA to:/usr/local/nginx/conf/ssl/mautic.orquidariobahia.com.br/mautic.orquidariobahia.com.br-acme.cer
    [Tue Feb  5 22:59:44 UTC 2019] Installing key to:/usr/local/nginx/conf/ssl/mautic.orquidariobahia.com.br/mautic.orquidariobahia.com.br-acme.key
    [Tue Feb  5 22:59:44 UTC 2019] Installing full chain to:/usr/local/nginx/conf/ssl/mautic.orquidariobahia.com.br/mautic.orquidariobahia.com.br-fullchain-acme.key
    [Tue Feb  5 22:59:44 UTC 2019] Run reload cmd: /usr/bin/ngxreload
    Reloading nginx configuration (via systemctl):  [  OK  ]
    [Tue Feb  5 22:59:44 UTC 2019] Reload success
    
    letsencrypt ssl certificate setup completed
    ssl certs located at: /usr/local/nginx/conf/ssl/mautic.orquidariobahia.com.br
    
    openssl x509 -noout -text < /usr/local/nginx/conf/ssl/mautic.orquidariobahia.com.br/mautic.orquidariobahia.com.br-acme.cer
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number:
                03:f9:ab:ca:93:56:ec:6f:f5:77:e9:55:43:33:19:d1:c6:4c
        Signature Algorithm: sha256WithRSAEncryption
            Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
            Validity
                Not Before: Feb  5 21:59:42 2019 GMT
                Not After : May  6 21:59:42 2019 GMT
            Subject: CN=mautic.orquidariobahia.com.br
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (2048 bit)
                    Modulus:
                        00:af:57:32:f0:06:87:35:ad:4d:33:e7:da:01:4c:
                        d4:73:78:3b:ec:83:54:a1:e0:3a:35:ff:a2:cc:d1:
                        f9:2b:1a:be:2f:9d:ee:03:ea:b9:96:23:80:a7:a6:
                        63:89:7e:52:88:ed:0b:9b:9a:5b:bc:a8:f6:f7:59:
                        2b:5b:f9:e1:ba:cd:a1:a9:24:2e:58:cb:5b:90:64:
                        73:17:b0:e7:98:4a:fd:bd:76:a0:7b:20:cc:58:e4:
                        7e:7b:a3:1e:1c:d4:7e:7e:38:a5:a8:87:d2:00:51:
                        04:4f:31:47:6f:55:37:0e:e4:e6:11:2f:01:9f:78:
                        f6:83:66:16:66:e2:9b:e8:61:ca:82:6f:95:e1:20:
                        4c:92:06:a1:7e:e8:2b:b3:1b:8d:11:3d:0d:21:3a:
                        ce:7b:4b:0b:8f:0f:76:a3:93:54:f8:49:56:0e:4a:
                        3e:eb:46:55:24:db:31:20:b3:ae:a0:0e:3a:9f:fa:
                        5e:22:ad:b0:28:15:5b:e1:4a:2d:ec:9f:dc:a5:6d:
                        db:ff:58:dd:dd:54:07:2c:97:9f:06:f7:99:a3:d5:
                        34:c7
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Key Usage: critical
                    Digital Signature, Key Encipherment
                X509v3 Extended Key Usage:
                    TLS Web Server Authentication, TLS Web Client Authentication
                X509v3 Basic Constraints: critical
                    CA:FALSE
                X509v3 Subject Key Identifier:
                    F7:EF:6D:8D:03:D1:FC:B3:21:D1:12:B4:2A:07:69:34:3F:0D:41:F5
                X509v3 Authority Key Identifier:
                    keyid:A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1
    
                Authority Information Access:
                    OCSP - URI:http://ocsp.int-x3.letsencrypt.org
                    CA Issuers - URI:http://cert.int-x3.letsencrypt.org/
    
                X509v3 Subject Alternative Name:
                    DNS:mautic.orquidariobahia.com.br
                X509v3 Certificate Policies:
                    Policy: 2.23.140.1.2.1
                    Policy: 1.3.6.1.4.1.44947.1.1.1
                      CPS: http://cps.letsencrypt.org
    
                CT Precertificate SCTs:
                    Signed Certificate Timestamp:
                        Version   : v1(0)
                        Log ID    : E2:69:4B:AE:26:E8:E9:40:09:E8:86:1B:B6:3B:83:D4:
                                    3E:E7:FE:74:88:FB:A4:8F:28:93:01:9D:DD:F1:DB:FE
                        Timestamp : Feb  5 22:59:42.872 2019 GMT
                        Extensions: none
                        Signature : ecdsa-with-SHA256
                                    30:46:02:21:00:A7:68:B1:D4:E7:E3:EC:38:C2:39:75:
                                    AF:5F:B8:3A:92:8C:9C:0A:53:F4:42:54:AC:B7:F3:7A:
                                    86:99:5C:B2:3E:02:21:00:96:98:B7:61:EA:06:A5:A4:
                                    58:77:56:4E:28:F4:B3:EA:EA:09:7F:4E:9D:F5:F0:E3:
                                    51:73:D5:C5:7E:A2:3B:B9
                    Signed Certificate Timestamp:
                        Version   : v1(0)
                        Log ID    : 29:3C:51:96:54:C8:39:65:BA:AA:50:FC:58:07:D4:B7:
                                    6F:BF:58:7A:29:72:DC:A4:C3:0C:F4:E5:45:47:F4:78
                        Timestamp : Feb  5 22:59:42.960 2019 GMT
                        Extensions: none
                        Signature : ecdsa-with-SHA256
                                    30:45:02:21:00:A9:D7:7C:66:55:49:E6:23:D4:10:06:
                                    1B:B4:8E:92:C6:7A:2B:0D:04:0F:FB:AC:BB:93:48:D6:
                                    38:75:74:D7:57:02:20:35:E4:5C:E0:25:CE:22:53:4C:
                                    27:82:C2:3A:B5:BA:1B:D2:97:E3:03:60:75:A6:B2:C3:
                                    81:3D:A4:7E:AA:99:F7
        Signature Algorithm: sha256WithRSAEncryption
             86:78:fc:6f:2d:b9:6d:ad:07:1a:f6:71:f2:90:aa:5d:22:dd:
             b9:6b:99:39:78:bc:c4:a3:f9:08:b8:00:71:a6:b7:66:ed:3f:
             32:ed:cd:1d:3c:d8:d9:05:71:60:45:da:d2:3e:58:df:de:86:
             40:7e:a4:c2:ff:13:3a:68:ff:bb:01:b0:55:08:78:6c:11:05:
             ba:f8:5a:64:20:b1:c8:20:aa:d8:2a:d4:e0:6e:7f:d3:99:48:
             36:bf:67:6e:48:0f:96:62:87:33:99:a9:1f:db:47:68:aa:fd:
             d7:48:7a:f3:5c:40:cf:d1:a6:a4:14:c1:27:8f:6b:51:0f:da:
             87:6c:5c:00:29:08:cd:c4:cc:47:d3:b4:ff:78:b9:f3:a5:99:
             59:8f:4e:12:8d:c8:79:dc:15:20:06:59:27:b2:6d:8c:50:74:
             1f:bf:d3:ec
    
    log files saved at /root/centminlogs
    -rw-r--r-- 1 root root 2.6K Feb  5 22:59 acmesh-issue_050219-225919.log
    -rw-r--r-- 1 root root 5.7K Feb  5 22:59 acmetool.sh-debug-log-050219-225919.log
    -rw-r--r-- 1 root root  32K Feb  5 22:59 acmetool.sh-debug-log-050219-225933.log
    -rw-r--r-- 1 root root  13K Feb  5 22:59 acmesh-reissue_050219-225933.log
    
    Ok I did it correctly this time, but still I don't think it's working, as per:

    Code:
    [23:00][root@digitalocean.atlantidastudios.com addons]# cd /usr/local/nginx/conf/ssl/mautic.orquidariobahia.com.br
    [23:01][root@digitalocean.atlantidastudios.com mautic.orquidariobahia.com.br]# ls -l
    total 12
    -rw-r--r-- 1 root root    0 Feb  5 22:59 acme-vhost-config.txt
    -rw-r--r-- 1 root root 3600 Feb  5 22:59 mautic.orquidariobahia.com.br-acme.cer
    -rw-r--r-- 1 root root 1679 Feb  5 22:59 mautic.orquidariobahia.com.br-acme.key
    -rw-r--r-- 1 root root 3599 Feb  5 22:59 mautic.orquidariobahia.com.br-fullchain-acme.key
    [23:01][root@digitalocean.atlantidastudios.com mautic.orquidariobahia.com.br]#
    I think it just updated the self-signed certificate.
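An added check, not part of this thread or of acmetool.sh, for the doubt raised in this post: in the openssl dump above the Issuer (Let's Encrypt Authority X3) differs from the Subject (the site's CN), which is what separates a CA-issued certificate from a self-signed placeholder, where the two are identical. The Python below parses an `openssl x509 -noout -text` dump into those fields and gives a verdict; LE_DUMP is constructed from the fields in this post (hex blobs omitted) and SELF_SIGNED_DUMP is a made-up self-signed counterpart.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the text fields of the openssl dump in the post above (hex blobs omitted).
LE_DUMP = """\
        Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
            Not Before: Feb  5 21:59:42 2019 GMT
            Not After : May  6 21:59:42 2019 GMT
        Subject: CN=mautic.orquidariobahia.com.br
            X509v3 Subject Alternative Name:
                DNS:mautic.orquidariobahia.com.br
"""
# Constructed placeholder for a self-signed cert: issuer and subject are the same party.
SELF_SIGNED_DUMP = """\
        Issuer: CN=mautic.orquidariobahia.com.br
            Not Before: Feb  5 20:00:00 2019 GMT
            Not After : Feb  5 20:00:00 2020 GMT
        Subject: CN=mautic.orquidariobahia.com.br
            X509v3 Subject Alternative Name:
                DNS:mautic.orquidariobahia.com.br, DNS:www.example.invalid
"""

def _field(text, name):
    # First line of the form "<name>: value"; "Subject Public Key Info:" etc. do not match.
    m = re.search(r"^\s*" + re.escape(name) + r"\s*:\s*(.*)$", text, re.M)
    return m.group(1).strip() if m else None

def parse_time(s):
    # openssl prints validity as e.g. "Feb  5 21:59:42 2019 GMT", always in UTC.
    return datetime.strptime(s.replace(" GMT", ""), "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)

def inspect_cert_text(text):
    """Reduce an 'openssl x509 -noout -text' dump to issuer, subject, DNS SANs, validity, self-signed flag."""
    issuer, subject = _field(text, "Issuer"), _field(text, "Subject")
    m = re.search(r"Subject Alternative Name:\s*\n\s*(.+)$", text, re.M)
    sans = [e.strip()[4:] for e in m.group(1).split(",") if e.strip().startswith("DNS:")] if m else []
    return {"issuer": issuer, "subject": subject, "self_signed": issuer == subject, "sans": sans,
            "not_before": parse_time(_field(text, "Not Before")),
            "not_after": parse_time(_field(text, "Not After"))}

def verdict(text, host, when):
    """The thread's question in one line: who issued it, does it name the host, is it current at 'when'."""
    info = inspect_cert_text(text)
    if info["self_signed"]:
        return "self-signed (issuer == subject): the placeholder cert, not a CA-issued one"
    if host not in info["sans"]:
        return "CA-issued but does not name " + host
    if not info["not_before"] <= when <= info["not_after"]:
        return "CA-issued for " + host + " but outside its validity window at " + when.isoformat()
    return "CA-issued by " + info["issuer"] + ", valid for " + host
```

To check the certificate nginx is actually serving rather than the file on disk, feed the output of `openssl s_client -connect host:443 -servername host | openssl x509 -noout -text` to the same function.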
     
  4. eva2000

    eva2000 Administrator Staff Member

    58,893
    12,490
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +19,122
    Local Time:
    1:40 PM
    Nginx 1.31.x
    MariaDB 10.x/11.4+/12.3+
    you broke acmetool.sh by renaming /usr/local/nginx/conf/ssl/mautic.orquidariobahia.com.br as that is where letsencrypt ssl issued certs are installed to.
     
  5. eva2000

    eva2000 Administrator Staff Member

    that looks correct
     
  6. eva2000

    eva2000 Administrator Staff Member

    also do not comment out that line, that is what loads your letsencrypt ssl certs
     
  7. Shirkit

    Shirkit New Member

    Indeed that was correct; all I was missing was the file back. Since I had moved it, it stopped working:

    Code:
    mautic.orquidariobahia.com.br.crt.key.conf
    What is most confusing for me is that I could swear that the first time I tried to reissue the certificate after I added the new location/allow rule I actually did get a live cert, and after I saw that it failed, I started doing stupid stuff.

    Well, thanks to you, someone saw the mistake I'd made.

    Your help was invaluable.