
SSL Letsencrypt LetsEncrypt and well-known dir

Discussion in 'Domains, DNS, Email & SSL Certificates' started by GASTAN, Mar 29, 2019.

  1. GASTAN

    GASTAN Member

    Hi

    I am trying to generate a cert for an existing domain.
    I used the generator but I get an error (on domain verification) with this command:

    /root/.acme.sh/acme.sh --force --issue --days 60 -d mydomain.com -w /home/nginx/domains/mydomain.com/public -k 2048 --useragent centminmod-centos-acmesh-webroot --log /root/centminlogs/acmetool.sh-debug-log-connect.mydomain.com.log --log-level 2

    mydomain.com:Verify error:Invalid response from http://mydomain.com/.well-known/acme-challenge/trLplVVVDNJ-Z6rY5ARQZ2NhAHF3KN1X3HdL9V_lvB8

    I created .well-known/acme-challenge/trLplVVVDNJ-Z6rY5ARQZ2NhAHF3KN1X3HdL9V_lvB8
    for testing and am getting a 403 error.

    When I checked the error log, there is: *27 access forbidden by rule, client:

    I have no idea what's wrong. Should I somehow configure this .well-known alias, or dir?
     
  2. eva2000

    eva2000 Administrator Staff Member

    Nginx 1.17.x
    MariaDB 5.5/10.x
    When you create a new nginx vhost domain via centmin.sh menu option 2 or menu option 22 or via the /usr/bin/nv cli command line, you will create the Nginx vhost files and directories. It will output the path location where it creates the domain name's vhost conf file named newdomain.com.conf (and newdomain.com.ssl.conf if you selected yes to self-signed SSL):
    • Nginx vhost conf path will be at /usr/local/nginx/conf/conf.d/newdomain.com.conf
    • Nginx HTTP/2 SSL vhost conf path will be at /usr/local/nginx/conf/conf.d/newdomain.com.ssl.conf
    • Nginx Self-Signed SSL Certificate Directory at /usr/local/nginx/conf/ssl/newdomain.com
    • Vhost public web root will be at /home/nginx/domains/newdomain.com/public
    • Vhost log directory will be at /home/nginx/domains/newdomain.com/log
    Please post the contents of /usr/local/nginx/conf/conf.d/newdomain.com.conf and if applicable /usr/local/nginx/conf/conf.d/newdomain.com.ssl.conf wrapped in CODE tags (outlined at How to use forum BBCODE code tags)

    What is the output of these commands in SSH?
    Code (Text):
    curl -I https://domain.com
    

    Code (Text):
    curl -I https://www.domain.com
    

    Code (Text):
    curl -I http://domain.com
    

    Code (Text):
    curl -I http://www.domain.com
    

    wrap output in CODE tags
     
  3. GASTAN

    GASTAN Member

    For https I get
    Code:
    HTTP/1.1 503 Service Unavailable
    Server: squid/3.5.20
    Mime-Version: 1.0
    Date: Fri, 29 Mar 2019 05:55:50 GMT
    Content-Type: text/html;charset=utf-8
    Content-Length: 3743
    X-Squid-Error: ERR_DNS_FAIL 0
    Vary: Accept-Language
    Content-Language: en
    
    For http I get
    I guess the problem is, I am behind a proxy?
    But from outside I can at least get the index.html page,
    but not from inside :(
     
  4. GASTAN

    GASTAN Member

    I tweaked the proxy's DNS a little:

    Code:
    HTTP/1.1 200 Connection established
    
    curl: (60) Peer's Certificate has expired.
    More details here: http://curl.haxx.se/docs/sslcerts.html
    
    curl performs SSL certificate verification by default, using a "bundle"
     of Certificate Authority (CA) public keys (CA certs). If the default
     bundle file isn't adequate, you can specify an alternate file
     using the --cacert option.
    If this HTTPS server uses a certificate signed by a CA represented in
     the bundle, the certificate verification probably failed due to a
     problem with the certificate (it might be expired, or the name might
     not match the domain name in the URL).
    If you'd like to turn off curl's verification of the certificate, use
     the -k (or --insecure) option.
    

    and

    Code:
    HTTP/1.1 200 OK
    Date: Fri, 29 Mar 2019 06:16:27 GMT
    Content-Type: text/html; charset=utf-8
    Content-Length: 172
    Last-Modified: Fri, 02 Nov 2018 16:41:53 GMT
    ETag: "5bdc7e51-ac"
    Server: nginx centminmod
    X-Powered-By: centminmod
    Expires: Sat, 30 Mar 2019 06:16:27 GMT
    Cache-Control: max-age=86400
    Cache-Control: public, must-revalidate, proxy-revalidate
    Accept-Ranges: bytes
    X-Cache: MISS from vs-proxy
    X-Cache-Lookup: MISS from vs-proxy:3128
    Via: 1.1 vs-proxy (squid/3.5.20)
    Connection: keep-alive
    

    But there seems to be something not liking the leading dot in the well-known path...
    it's either squid or nginx.

    I am gonna try to turn off the proxy, but I guess no connection to the internet then :(
     
  5. GASTAN

    GASTAN Member

    I think this in my domain config (the domain was generated in 123.08 or older, a couple of years ago) is the problem:

    Code:
     # prevent access to ./directories and files
      location ~ (?:^|/)\. {
       deny all;
      }
     
  6. eva2000

    eva2000 Administrator Staff Member

    Yup, remove that and restart nginx.
     
  7. GASTAN

    GASTAN Member

    So I just commented out the deny all from above (there is a bunch of stuff in staticfile.conf) and it worked now!

    Thx
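Commenting out the `deny all` rule, as done in the post above, also unblocks every other dot-path under that vhost (for example /.git/, /.env, /.htaccess). The nginx configuration below is an added example, not part of this thread and not Centmin Mod's own shipped config; the domain name and directory paths are assumed from the Centmin Mod layout quoted earlier in the thread. It keeps the dotfile rule from post 5 and carves out only the ACME HTTP-01 challenge path, using nginx's `^~` prefix modifier: once a `^~` location is the longest matching prefix, nginx does not evaluate regex locations for that request, so the `deny all` regex never sees the challenge URL.

```nginx
# Added example (not from the thread or from Centmin Mod's own vhost files).
# Assumed: domain mydomain.com, Centmin Mod webroot under /home/nginx/domains/.

server {
    listen 80;
    server_name mydomain.com www.mydomain.com;
    root /home/nginx/domains/mydomain.com/public;

    # ACME HTTP-01 challenge files, written by acme.sh into
    # <webroot>/.well-known/acme-challenge/<token> when run with
    # -w /home/nginx/domains/mydomain.com/public.
    # "^~" makes this prefix match final: nginx skips all regex locations,
    # including the dotfile deny rule below, for requests under this path.
    location ^~ /.well-known/acme-challenge/ {
        default_type "text/plain";
        try_files $uri =404;
    }

    # Keep blocking every other path component that starts with a dot
    # (.git, .env, .htaccess, and anything under .well-known that is not
    # an ACME challenge). This is the rule the thread commented out.
    location ~ (?:^|/)\. {
        deny all;
    }

    location / {
        index index.html;
        try_files $uri $uri/ =404;
    }
}
```

After adding the `^~` block, run `nginx -t` and reload nginx, then request a non-existent token such as `curl -I http://mydomain.com/.well-known/acme-challenge/test`: a 404 means the exception is in effect, while a 403 with `access forbidden by rule` in the error log means the regex location is still winning (typically because the `^~` block lives in a different file than the vhost, or a longer `^~` prefix matches first). When testing from behind an outbound HTTP proxy like the squid instance in this thread, `curl --noproxy '*' -H 'Host: mydomain.com' -I http://127.0.0.1/.well-known/acme-challenge/test` talks to the local nginx directly; the Let's Encrypt validation servers reach nginx from the outside, so the proxy does not affect the real challenge, only your own checks.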