Letsencrypt SSL Letsencrypt domain validation failed

Discussion in 'Domains, DNS, Email & SSL Certificates' started by Andy, Nov 9, 2017.

  1. Andy
    Trying to follow this guide and always got an error at this step:
    Code:
    /root/.acme.sh/acme.sh --force --issue --days 60 -d quantnet.com -d www.quantnet.com -w /home/nginx/domains/quantnet.com/public -k 2048 --useragent centminmod-centos-acmesh-webroot --log /root/centminlogs/acmetool.sh-debug-log-quantnet.com.log --log-level 2
    The error is
    Code:
     /root/.acme.sh/acme.sh --force --issue --days 60 -d quantnet.com -d www.quantnet.com -w /home/nginx/domains/quantnet.com/public -k 2048 --useragent centminmod-centos-acmesh-webroot --log /root/centminlogs/acmetool.sh-debug-log-quantnet.com.log --log-level 2
    [Thu Nov  9 05:37:57 EST 2017] Multi domain='DNS:www.quantnet.com'
    [Thu Nov  9 05:37:57 EST 2017] Getting domain auth token for each domain
    [Thu Nov  9 05:37:57 EST 2017] Getting webroot for domain='quantnet.com'
    [Thu Nov  9 05:37:57 EST 2017] Getting new-authz for domain='quantnet.com'
    [Thu Nov  9 05:37:58 EST 2017] The new-authz request is ok.
    [Thu Nov  9 05:37:58 EST 2017] Getting webroot for domain='www.quantnet.com'
    [05:38][root@andy.quantnet.com quantnet.com]# pwd/home/nginx/domains/quantnet.com/
    [Thu Nov  9 05:37:58 EST 2017] Getting new-authz for domain='www.quantnet.com'
    [Thu Nov  9 05:37:59 EST 2017] The new-authz request is ok.
    [Thu Nov  9 05:38:00 EST 2017] Verifying:quantnet.com
    [Thu Nov  9 05:38:03 EST 2017] Pending
    [Thu Nov  9 05:38:06 EST 2017] Pending
    [Thu Nov  9 05:38:08 EST 2017] quantnet.com:Verify error:Fetching https://www.quantnet.com/.well-known/acme-challenge/wOOxheLzdpPM7KFhpjD_RQnbGCUPbK790v0O7hhZLKc: Timeout
    [Thu Nov  9 05:38:08 EST 2017] Please check log file for more details: /root/centminlogs/acmetool.sh-debug-log-quantnet.com.log

     
  2. eva2000
    When you create a new Nginx vhost domain via centmin.sh menu option 2 or menu option 22, or via the /usr/bin/nv CLI command line, you will create the Nginx vhost files and directories. You will get output showing the path location where it will create the domain name's vhost conf file named newdomain.com.conf (and newdomain.com.ssl.conf if you selected yes to self-signed SSL):
    • Nginx vhost conf path will be at /usr/local/nginx/conf/conf.d/newdomain.com.conf
    • Nginx HTTP/2 SSL vhost conf path will be at /usr/local/nginx/conf/conf.d/newdomain.com.ssl.conf
    • Nginx Self-Signed SSL Certificate Directory at /usr/local/nginx/conf/ssl/newdomain.com
    • Vhost public web root will be at /home/nginx/domains/newdomain.com/public
    • Vhost log directory will be at /home/nginx/domains/newdomain.com/log
    Please post the contents of /usr/local/nginx/conf/conf.d/newdomain.com.conf and, if applicable, /usr/local/nginx/conf/conf.d/newdomain.com.ssl.conf wrapped in CODE tags (outlined at How to use forum BBCODE code tags).

    What is the output of these commands in SSH?
    Code (Text):
    curl -I https://domain.com
    

    Code (Text):
    curl -I https://www.domain.com
    

    Code (Text):
    curl -I http://domain.com
    

    Code (Text):
    curl -I http://www.domain.com
    

    Wrap the output in CODE tags.
     
  3. Andy
    Code (Text):
    # curl -I https://quantnet.com
    HTTP/1.1 301 Moved Permanently
    Date: Thu, 09 Nov 2017 17:08:18 GMT
    Content-Type: text/html
    Content-Length: 178
    Connection: keep-alive
    Location: https://www.quantnet.com/
    Server: nginx centminmod
    X-Powered-By: centminmod

    Code (Text):
    # curl -I https://www.quantnet.com
    HTTP/1.1 200 OK
    Date: Thu, 09 Nov 2017 17:08:41 GMT
    Content-Type: text/html; charset=UTF-8
    Content-Length: 96435
    Connection: keep-alive
    Vary: Accept-Encoding
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-control: private, max-age=0
    Set-Cookie: xf_session=15bec6ae49a2efe178f335b45750d362; path=/; secure; HttpOnly
    X-Frame-Options: SAMEORIGIN
    X-Xss-Protection: 1
    Last-Modified: Thu, 09 Nov 2017 17:08:41 GMT
    Server: nginx centminmod
    X-Powered-By: centminmod

    Code (Text):
    # curl -I http://quantnet.com
    HTTP/1.1 301 Moved Permanently
    Date: Thu, 09 Nov 2017 17:09:11 GMT
    Content-Type: text/html
    Content-Length: 178
    Connection: keep-alive
    Location: https://www.quantnet.com/
    Server: nginx centminmod
    X-Powered-By: centminmod

    Code (Text):
    # curl -I http://www.quantnet.com
    HTTP/1.1 301 Moved Permanently
    Date: Thu, 09 Nov 2017 17:09:30 GMT
    Content-Type: text/html
    Content-Length: 178
    Connection: keep-alive
    Location: https://www.quantnet.com/
    Server: nginx centminmod
    X-Powered-By: centminmod
     
  4. Andy
    There is no /usr/local/nginx/conf/conf.d/quantnet.com.ssl.conf.
    Content of /usr/local/nginx/conf/conf.d/quantnet.com.conf, which is my existing conf:
    As you can see, I tried to add the path to the existing SSL cert files with the new one, but nginx errors out.
    Code (Text):
    #Permanently redirect all org/net/info domains to com
    server {
         listen 80;
         server_name www.quantnet.com quantnet.com;
         return 301 https://www.quantnet.com$request_uri;
    }
    
    server {
            listen 443 ssl http2;
            server_name www.quantnet.com;
    
            ssl_dhparam          /usr/local/nginx/conf/ssl/quantnet.com/dhparam.pem;
            ssl_certificate      /usr/local/nginx/conf/ssl/quantnet.com/ssl-unified.crt;
            ssl_certificate_key  /usr/local/nginx/conf/ssl/quantnet.com/ssl.key;
    
    # ssl_certificate      /usr/local/nginx/conf/ssl/quantnet.com/quantnet.com-acme.cer;
    #  ssl_certificate_key  /usr/local/nginx/conf/ssl/quantnet.com/quantnet.com-acme.key;
    #  include /usr/local/nginx/conf/ssl_include.conf;
    
            ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
           ssl_session_cache      shared:SSL:10m;
            ssl_session_timeout  10m;
     # ssl_ciphers     EECDH+CHACHA20-draft:EECDH+CHACHA20:EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA256:EECDH+ECDSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+SHA384:EECDH+AES128:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!CAMELLIA;
    
    
           ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!CAMELLIA;
            ssl_prefer_server_ciphers   on;
            #############add_header Alternate-Protocol  443:npn-spdy/3;
    #        add_header Strict-Transport-Security "max-age=31536000;";
    
     # enable ocsp stapling
      resolver 8.8.8.8 8.8.4.4 valid=10m;
      resolver_timeout 10s;
      ssl_stapling on;
      ssl_stapling_verify on;
    #  ssl_trusted_certificate /usr/local/nginx/conf/ssl/quantnet.com/quantnet.com-acme.cer;
    
    ## redirect non-www to www
          if ($host = 'quantnet.com' ) {
             return 301 https://$server_name$request_uri;
          }
    
    # ngx_pagespeed & ngx_pagespeed handler
    #include /usr/local/nginx/conf/pagespeed.conf;
    #include /usr/local/nginx/conf/pagespeedhandler.conf;
    #include /usr/local/nginx/conf/pagespeedstatslog.conf;
    
      # limit_conn limit_per_ip 16;
      # ssi  on;
    
      access_log /home/nginx/domains/quantnet.com/log/access.log combined buffer=32k;
      error_log /home/nginx/domains/quantnet.com/log/error.log;
     root /home/nginx/domains/quantnet.com/public;
            location /data {
                    location ~ \.html$ {
                            internal;
                    }
                    internal;
            }
    
            location /internal_data {
                    location ~ \.(?:data|html|php)$ {
                            internal;
                    }
                    internal;
            }
            location /library {
                    location ~ \.(?:default|html|php|txt|xml)$ {
                            internal;
                    }
                    internal;
            }
    
            location / {
                            try_files $uri $uri/ /index.php?$uri&$args;
                            index index.php;
            }
    
         location /sendy/ {
            try_files $uri $uri/ $uri.php?$args;
        }
    
    
        location /sendy/l/ {
            rewrite ^/sendy/l/([a-zA-Z0-9/]+)$ /sendy/l.php?i=$1 last;
        }
    
        location /sendy/t/ {
            rewrite ^/sendy/t/([a-zA-Z0-9/]+)$ /sendy/t.php?i=$1 last;
        }
    
        location /sendy/w/ {
            rewrite ^/sendy/w/([a-zA-Z0-9/]+)$ /sendy/w.php?i=$1 last;
        }
    
        location /sendy/unsubscribe/ {
            rewrite ^/sendy/unsubscribe/(.*)$ /sendy/unsubscribe.php?i=$1 last;
        }
    
        location /sendy/subscribe/ {
            rewrite ^/sendy/subscribe/(.*)$ /sendy/subscribe.php?i=$1 last;
        }
    
      include /usr/local/nginx/conf/conf.d/quantnet.redirect;
      include /usr/local/nginx/conf/staticfiles.conf;
      include /usr/local/nginx/conf/php.conf;
      include /usr/local/nginx/conf/drop.conf;
     # include /usr/local/nginx/conf/errorpage.conf;
    }
     
  5. eva2000
    What errors are you getting? Nginx not restarting, or something else?

    The include file /usr/local/nginx/conf/ssl_include.conf has the same or similar contents to
    Code (Text):
           ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
          ssl_session_cache      shared:SSL:10m;
           ssl_session_timeout  10m;
    

    that you already have; just pay attention to the ssl_session_timeout value, 10m or 60m, as they should match the other SSL HTTPS vhosts' values.

    Check all vhosts' values for ssl_session_timeout:
    Code (Text):
    grep -rnw 'ssl_session_timeout' /usr/local/nginx/conf
    

    It may also be related to a drop rule in
    Code (Text):
    include /usr/local/nginx/conf/drop.conf;
    

    which disables dot (.) files/directories, though /usr/local/nginx/conf/staticfiles.conf in the latest 123.09beta01 will have a rule to allow the Letsencrypt domain validation file. Older 123.09beta01 might be missing this part at the top of the /usr/local/nginx/conf/staticfiles.conf file:
    Code (Text):
        # prepare for letsencrypt
        # https://community.centminmod.com/posts/17774/
        location ~ /.well-known { location ~ /.well-known/acme-challenge/(.*) { more_set_headers    "Content-Type: text/plain"; } }
    
     
  6. eva2000
    Also, this means domain validation failed, so placing the Letsencrypt SSL cert paths in would result in errors, as there is no valid Letsencrypt SSL cert yet until you successfully re-run the command below again:
    Code (Text):
    /root/.acme.sh/acme.sh --force --issue --days 60 -d quantnet.com -d www.quantnet.com -w /home/nginx/domains/quantnet.com/public -k 2048 --useragent centminmod-centos-acmesh-webroot --log /root/centminlogs/acmetool.sh-debug-log-quantnet.com.log --log-level 2
    

    and then complete step 4 outlined at Migrating Existing Nginx Vhost From HTTP to HTTP/2 based HTTPS With Letsencrypt SSL Certificates, with the second --installcert command afterwards.
     
  7. Andy
    My /usr/local/nginx/conf/staticfiles.conf file has that part:
    Code (Text):
     # prepare for letsencrypt
       # https://community.centminmod.com/posts/17774/
       location ~ /.well-known { location ~ /.well-known/acme-challenge/(.*) { more_set_headers    "Content-Type: text/plain"; } }

    Rerunning the command would still result in the same error about domain validation failure. I did nprestart, etc. What else do I need to do?
    Code (Text):
    /root/.acme.sh/acme.sh --force --issue --days 60 -d quantnet.com -d www.quantnet.com -w /home/nginx/domains/quantnet.com/public -k 2048 --useragent centminmod-centos-acmesh-webroot --log /root/centminlogs/acmetool.sh-debug-log-quantnet.com.log --log-level 2
     
  8. eva2000
  9. Andy
    Here is the log (Pastebin.com link): [Fri Nov 10 02:18:29 EST 2017] Lets find script dir. [Fri Nov 10 02:18:29 EST 2
    You called it!
    It was the same issue. I have my domain resolving to both IPv4 and IPv6.
    Once I deleted the AAAA records for IPv6, it successfully created the certs.
     
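A dual-stack pre-flight check for the failure in this thread, as an added example that is not acme.sh or Centmin Mod code: it resolves every A and AAAA address of each domain, fetches a freshly written token from /.well-known/acme-challenge/ on each address (following a redirect to https the way http-01 does), and flags the case where IPv4 serves the token but IPv6 times out. The webroot layout /home/nginx/domains/<domain>/public, the script name and the 5-second timeout are assumptions.

```python
"""Dual-stack pre-flight for ACME http-01 webroot validation (added example, not acme.sh or
Centmin Mod code). Assumes the /home/nginx/domains/<domain>/public webroot and ports 80/443."""
import os, secrets, socket, ssl, sys

def resolve(domain):  # every A/AAAA address the CA could pick; with an AAAA it tries IPv6 first
    fam_name = {socket.AF_INET: "A", socket.AF_INET6: "AAAA"}
    return sorted({(fam_name[f], sa[0]) for f, _, _, _, sa in
                   socket.getaddrinfo(domain, 80, proto=socket.IPPROTO_TCP)})

def probe(domain, ip, port, path, timeout=5.0, tls=False):  # GET path from one address -> (status, body)
    try:
        sock = socket.create_connection((ip, port), timeout=timeout)
        if tls:  # http-01 ignores certificate errors on redirect targets, so this does too
            ctx = ssl.create_default_context()
            ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
            sock = ctx.wrap_socket(sock, server_hostname=domain)
        sock.sendall(f"GET {path} HTTP/1.1\r\nHost: {domain}\r\nConnection: close\r\n\r\n".encode())
        head, _, body = b"".join(iter(lambda: sock.recv(65536), b"")).partition(b"\r\n\r\n")
        return head.split(b" ", 2)[1].decode(), body.decode(errors="replace").strip()
    except (OSError, IndexError) as exc:
        return ("timeout" if isinstance(exc, socket.timeout) else "error"), str(exc)

def diagnose(results, token):
    """Pure logic over [(family, ip, status, body)] -> (ok, findings); testable without a network."""
    findings, families = [], {}
    for fam, ip, status, body in results:
        families.setdefault(fam, []).append(status)
        if status == "timeout":
            findings.append(f"{fam} {ip}: timeout, the CA gives up here")
        elif status != "200" or body != token:
            findings.append(f"{fam} {ip}: HTTP {status} or wrong body, check drop.conf and the -w webroot")
    if "timeout" in families.get("AAAA", []) and set(families.get("A", [])) == {"200"}:
        findings.append("IPv4 answers but IPv6 times out: fix IPv6 on the host or drop the AAAA record")
    return not findings, findings

if __name__ == "__main__":  # usage: python3 acme_preflight.py quantnet.com www.quantnet.com
    webroot, token = f"/home/nginx/domains/{sys.argv[1]}/public", secrets.token_urlsafe(32)
    path = "/.well-known/acme-challenge/" + token
    os.makedirs(webroot + "/.well-known/acme-challenge", exist_ok=True)
    open(webroot + path, "w").write(token)
    results = []
    for domain in sys.argv[1:]:
        for fam, ip in resolve(domain):
            status, body = probe(domain, ip, 80, path)
            if status.startswith("3"):  # the CA follows the redirect to https; assume same address
                status, body = probe(domain, ip, 443, path, tls=True)
            results.append((fam, ip, status, body))
    os.remove(webroot + path)
    ok, findings = diagnose(results, token)
    print("OK" if ok else "\n".join(findings))
```

Run it on the web server itself before invoking acme.sh; a finding on an AAAA address is the condition this thread hit, and the resolver the script uses is the host's own, so cross-check with an external resolver if the records were changed recently.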
  10. Andy
    check all vhosts values for ssl_session_timeout
    Code (Text):
    grep -rnw 'ssl_session_timeout' /usr/local/nginx/conf
    

    Here is the output:
    Code:
    grep -rnw 'ssl_session_timeout' /usr/local/nginx/conf
    /usr/local/nginx/conf/nginx.conf.default:106:    #    ssl_session_timeout  5m;
    /usr/local/nginx/conf/conf.d/ssl.conf:11:#    ssl_session_timeout  5m;
    /usr/local/nginx/conf/conf.d/ssl.conf:20:#    ssl_session_timeout  10m;
    /usr/local/nginx/conf/conf.d/quantnet.com.conf.save:22:        ssl_session_timeout  10m;
    /usr/local/nginx/conf/ssl-include.conf:2:  ssl_session_timeout    10m;
    /usr/local/nginx/conf/ssl_include.conf:2:ssl_session_timeout    10m;
    I see that you use the 60m value for the timeout in the guide at step 5. That's what I copied.
     
  11. eva2000
    Change all references to 60m and see.
     
  12. eva2000
    Ah ha, that's why I usually disable IPv6 on servers where it's not needed, as it adds potential issues!
     
  13. Andy
    I changed them to 10m. Is there a reason for picking one over another?
     
  14. eva2000
    Performance (higher value) vs security (lower value) for SSL session resumption; see Module ngx_http_ssl_module.