/ Register

Discover Centmin Mod today
Register Now

Letsencrypt Letsencrypt failed ssl renewal

Discussion in 'Domains, DNS, Email & SSL Certificates' started by Jon Snow, Nov 12, 2017.

Previous Thread Next Thread
Loading...
Page 2 of 5
  1. Nov 15, 2017 #21
    eva2000

    eva2000 Administrator Staff Member

    58,895
    12,490
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +19,122
    Local Time:
    7:48 PM
    Nginx 1.31.x
    MariaDB 10.x/11.4+/12.3+
    lets clear up the output by excluding the entries with word backup in them so output for
    Code (Text):
    grep -rn 'domain.org' /usr/local/nginx/conf | grep -v 'backup'

     
  2. Nov 15, 2017 #22
    Jon Snow

    Jon Snow Active Member

    917
    188
    43
    Jun 30, 2017
    Ratings:
    +293
    Local Time:
    6:48 AM
    Nginx 1.13.9
    MariaDB 10.1.31
    The space I mentioned from my last post could just be Putty not opening wide enough.

    Here's the output :
    Code (Text):
    grep -rn 'domain.org' /usr/local/nginx/conf | grep -v 'backup'
/usr/local/nginx/conf/ssl/domain.org/acme-vhost-config.txt:1:  ssl_dhparam /usr/local/nginx/conf/ssl/domain.org/dhparam.pem;
/usr/local/nginx/conf/ssl/domain.org/acme-vhost-config.txt:2:  ssl_certificate      /usr/local/nginx/conf/ssl/domain.org/domain.org-acme.cer;
/usr/local/nginx/conf/ssl/domain.org/acme-vhost-config.txt:3:  ssl_certificate_key  /usr/local/nginx/conf/ssl/domain.org/domain.org-acme.key;
/usr/local/nginx/conf/ssl/domain.org/acme-vhost-config.txt:4:  ssl_trusted_certificate /usr/local/nginx/conf/ssl/domain.org/domain.org-acme.cer;
/usr/local/nginx/conf/ssl/domain.org/domain.org.crt.key.conf:1:  ssl_dhparam /usr/local/nginx/conf/ssl/domain.org/dhparam.pem;
/usr/local/nginx/conf/ssl/domain.org/domain.org.crt.key.conf:2:  ssl_certificate      /usr/local/nginx/conf/ssl/domain.org/domain.org-acme.cer;
/usr/local/nginx/conf/ssl/domain.org/domain.org.crt.key.conf:3:  ssl_certificate_key  /usr/local/nginx/conf/ssl/domain.org/domain.org-acme.key;
/usr/local/nginx/conf/ssl/domain.org/domain.org.crt.key.conf:4:  ssl_trusted_certificate /usr/local/nginx/conf/ssl/domain.org/domain.org-acme.cer;
/usr/local/nginx/conf/conf.d/domain.org.ssl.conf:5:  server_name domain.org www.domain.org;
/usr/local/nginx/conf/conf.d/domain.org.ssl.conf:6:  return 302 https://domain.org$request_uri;
/usr/local/nginx/conf/conf.d/domain.org.ssl.conf:11:  server_name domain.org;
/usr/local/nginx/conf/conf.d/domain.org.ssl.conf:13:  include /usr/local/nginx/conf/ssl/domain.org/domain.org.crt.key.conf;
/usr/local/nginx/conf/conf.d/domain.org.ssl.conf:46:  access_log /home/nginx/domains/domain.org/log/access.log combined buffer=256k flush=5m;
/usr/local/nginx/conf/conf.d/domain.org.ssl.conf:47:  error_log /home/nginx/domains/domain.org/log/error.log;
/usr/local/nginx/conf/conf.d/domain.org.ssl.conf:49:  include /usr/local/nginx/conf/autoprotect/domain.org/autoprotect-domain.org.conf;
/usr/local/nginx/conf/conf.d/domain.org.ssl.conf:50:  root /home/nginx/domains/domain.org/public;
/usr/local/nginx/conf/conf.d/domain.org.ssl.conf:76:  include /usr/local/nginx/conf/pre-staticfiles-local-domain.org.conf;
     
  3. Nov 15, 2017 #23
    eva2000

    eva2000 Administrator Staff Member

    58,895
    12,490
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +19,122
    Local Time:
    7:48 PM
    Nginx 1.31.x
    MariaDB 10.x/11.4+/12.3+
    that looks good too so hard to see what's giving 404 not found errors
     
  4. Nov 15, 2017 #24
    Jon Snow

    Jon Snow Active Member

    917
    188
    43
    Jun 30, 2017
    Ratings:
    +293
    Local Time:
    6:48 AM
    Nginx 1.13.9
    MariaDB 10.1.31
    Are you experiencing the same issue on your test servers? I'm either running into this problem or an invalid SSL certificate issue every time I try to reissue it after using it for a while :
    Code (Text):
    "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh"
[Wed Nov 15 10:04:10 UTC 2017] ===Starting cron===
[Wed Nov 15 10:04:10 UTC 2017] Renew: 'domain.com'
[Wed Nov 15 10:04:10 UTC 2017] Skip invalid cert for: domain.com
[Wed Nov 15 10:04:10 UTC 2017] ===End cron===

    Creating a vhost with SSL works perfectly on the other hand. The only issue is extending the time frame.
     
  5. Nov 15, 2017 #25
    Jon Snow

    Jon Snow Active Member

    917
    188
    43
    Jun 30, 2017
    Ratings:
    +293
    Local Time:
    6:48 AM
    Nginx 1.13.9
    MariaDB 10.1.31
    Unrelated but do you recommend using Certbot with CMM for getting back the Letsencrypt SSL certificate?

    https://certbot.eff.org/#centosrhel7-nginx

    It seems easy to set up. Would I just use the same vhost ssl config by using sudo certbot --nginx certonly?
     
  6. Nov 15, 2017 #26
    eva2000

    eva2000 Administrator Staff Member

    58,895
    12,490
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +19,122
    Local Time:
    7:48 PM
    Nginx 1.31.x
    MariaDB 10.x/11.4+/12.3+
    no don't use certbot as could break centmin mod nginx as certbot assumes distro installed nginx which has different structure

    and anyway the problem is validation of domain and certbot would fail too like acme.sh in addons/acmetool.sh as the verification is the same looking for .well-known directory file
     
  7. Nov 15, 2017 #27
    eva2000

    eva2000 Administrator Staff Member

    58,895
    12,490
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +19,122
    Local Time:
    7:48 PM
    Nginx 1.31.x
    MariaDB 10.x/11.4+/12.3+
    not having any issues on my letsencrypt sites with centmin mod

    problem could be that you let the letsencrypt ssl cert to expiry so on http to https redirect, letsencrypt domain validation isn't following the invalid https ssl cert now ? you could try re-enabling non-https nginx vhost for domain temporarily, and temp disable http to https redirect and re-run renewal cronjob command to see if it validates via non-https vhost
     
  8. Nov 15, 2017 #28
    Jon Snow

    Jon Snow Active Member

    917
    188
    43
    Jun 30, 2017
    Ratings:
    +293
    Local Time:
    6:48 AM
    Nginx 1.13.9
    MariaDB 10.1.31
    It also happens on sites where it hasn't expired yet but only has the ssl config (the non-ssl config was disabled).

    How do I set back up the non-ssl file? I think the tool deleted it. Should I just use the vhost generator, upload and rename it? Then edit out the redirect from the ssl config and restart nginx?
     
  9. Nov 15, 2017 #29
    eva2000

    eva2000 Administrator Staff Member

    58,895
    12,490
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +19,122
    Local Time:
    7:48 PM
    Nginx 1.31.x
    MariaDB 10.x/11.4+/12.3+
    yes for non-https vhost you can temp use vhost generator to make one https://centminmod.com/vhost.php saved at /usr/local/nginx/conf/conf.d/yourdomain.com.conf
     
  10. Nov 15, 2017 #30
    Jon Snow

    Jon Snow Active Member

    917
    188
    43
    Jun 30, 2017
    Ratings:
    +293
    Local Time:
    6:48 AM
    Nginx 1.13.9
    MariaDB 10.1.31
    Done this but for some reason http redirects to https even when there isn't anything to redirect it.

    Non SSL config :

    Code (Text):
    server {
  server_name domain.org www.domain.org;

# ngx_pagespeed & ngx_pagespeed handler
#include /usr/local/nginx/conf/pagespeed.conf;
#include /usr/local/nginx/conf/pagespeedhandler.conf;
#include /usr/local/nginx/conf/pagespeedstatslog.conf;

  #add_header X-Frame-Options SAMEORIGIN;
  #add_header X-Xss-Protection "1; mode=block" always;
  #add_header X-Content-Type-Options "nosniff" always;

  # limit_conn limit_per_ip 16;
  # ssi  on;

  access_log /home/nginx/domains/domain.org/log/access.log combined buffer=256k flush=5m;
  error_log /home/nginx/domains/domain.org/log/error.log;

  root /home/nginx/domains/domain.org/public;

  location / {
    # Wordpress Permalinks
    try_files $uri $uri/ /index.php?q=$request_uri;

    include /usr/local/nginx/conf/wpsecure.conf;
    include /usr/local/nginx/conf/wpnocache.conf;
  }

  include /usr/local/nginx/conf/staticfiles.conf;
  include /usr/local/nginx/conf/php.conf;
  include /usr/local/nginx/conf/drop.conf;
  #include /usr/local/nginx/conf/errorpage.conf;
  include /usr/local/nginx/conf/vts_server.conf;
}


    SSL config (I removed the first server context because I split the config files again) :

    Code (Text):
    server {
  listen 443 ssl http2;
  server_name domain.org;

  include /usr/local/nginx/conf/ssl/domain.org/domain.org.crt.key.conf;
  include /usr/local/nginx/conf/ssl_include.conf;

  http2_max_field_size 16k;
  http2_max_header_size 32k;
  # mozilla recommended
  ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS;
  ssl_prefer_server_ciphers   on;
  #add_header Alternate-Protocol  443:npn-spdy/3;

  # before enabling HSTS line below read centminmod.com/nginx_domain_dns_setup.html#hsts
  #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
  #add_header X-Frame-Options SAMEORIGIN;
  #add_header X-Xss-Protection "1; mode=block" always;
  #add_header X-Content-Type-Options "nosniff" always;
  #spdy_headers_comp 5;
  ssl_buffer_size 1369;
  ssl_session_tickets on;
 
  # enable ocsp stapling
  resolver 8.8.8.8 8.8.4.4 valid=10m;
  resolver_timeout 10s;
  ssl_stapling on;
  ssl_stapling_verify on;

# ngx_pagespeed & ngx_pagespeed handler
#include /usr/local/nginx/conf/pagespeed.conf;
#include /usr/local/nginx/conf/pagespeedhandler.conf;
#include /usr/local/nginx/conf/pagespeedstatslog.conf;

  # limit_conn limit_per_ip 16;
  # ssi  on;

  access_log /home/nginx/domains/domain.org/log/access.log combined buffer=256k flush=5m;
  error_log /home/nginx/domains/domain.org/log/error.log;

  include /usr/local/nginx/conf/autoprotect/domain.org/autoprotect-domain.org.conf;
  root /home/nginx/domains/domain.org/public;
  # uncomment cloudflare.conf include if using cloudflare for
  # server and/or vhost site
  #include /usr/local/nginx/conf/cloudflare.conf;
  include /usr/local/nginx/conf/503include-main.conf;

  location / {
  try_files $uri $uri/ /index.php?q=$request_uri;
  include /usr/local/nginx/conf/wpsecure.conf;
  include /usr/local/nginx/conf/wpnocache.conf;
  include /usr/local/nginx/conf/503include-only.conf;

# block common exploits, sql injections etc
#include /usr/local/nginx/conf/block.conf;

  # Enables directory listings when index file not found
  #autoindex  on;

  # Shows file listing times as local time
  #autoindex_localtime on;

  # Wordpress Permalinks example
  #try_files $uri $uri/ /index.php?q=$uri&$args;

  }

  include /usr/local/nginx/conf/pre-staticfiles-local-domain.org.conf;
  include /usr/local/nginx/conf/pre-staticfiles-global.conf;
  include /usr/local/nginx/conf/staticfiles.conf;
  include /usr/local/nginx/conf/php.conf;
 
  # include /usr/local/nginx/conf/drop.conf;
  #include /usr/local/nginx/conf/errorpage.conf;
  include /usr/local/nginx/conf/vts_server.conf;
}
     
  11. Nov 17, 2017 #31
    Jon Snow

    Jon Snow Active Member

    917
    188
    43
    Jun 30, 2017
    Ratings:
    +293
    Local Time:
    6:48 AM
    Nginx 1.13.9
    MariaDB 10.1.31
    @eva2000 So I got the two config files to work like normal. Same problem.
    Code (Text):
    Verifying:domain.org
domain.org:Verify error:Invalid response from http://domain.org/.well-known/acme-challenge/2rQAisLj5JO1Vb-MNB6wvELHpnyNpwglNhlSHofZy5w:
Please check log file for more details: /root/centminlogs/acmetool.sh-debug-log-161117-234142.log
Error renew domain.org.
===End cron===

    Is there any other way I can use Letsencrypt with CMM?
     
  12. Nov 17, 2017 #32
    eva2000

    eva2000 Administrator Staff Member

    58,895
    12,490
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +19,122
    Local Time:
    7:48 PM
    Nginx 1.31.x
    MariaDB 10.x/11.4+/12.3+
    share the debug log /root/centminlogs/acmetool.sh-debug-log-161117-234142.log as well

    strange should work, I just setup 3x letsencrypt https default centmin mod 123.09beta01 nginx vhost sites last night without any problems
     
  13. Nov 17, 2017 #33
    Jon Snow

    Jon Snow Active Member

    917
    188
    43
    Jun 30, 2017
    Ratings:
    +293
    Local Time:
    6:48 AM
    Nginx 1.13.9
    MariaDB 10.1.31
    Sent you a PM.

    Setting them up isn't the problem. Trying to reissue/renew it is.
     
  14. Nov 18, 2017 #34
    eva2000

    eva2000 Administrator Staff Member

    58,895
    12,490
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +19,122
    Local Time:
    7:48 PM
    Nginx 1.31.x
    MariaDB 10.x/11.4+/12.3+
    so it's something you add or alter in your nginx vhost that is causing failed domain validation ?

    i see in latest log a 403 permission denied error
    Code (Text):
    [Thu Nov 16 23:41:51 UTC 2017] ret='0'
[Thu Nov 16 23:41:51 UTC 2017] original='{
  "type": "http-01",
  "status": "invalid",
  "error": {
   "type": "urn:acme:error:unauthorized",
   "detail": "Invalid response from http://domain.org/.well-known/acme-challenge/FP-R42VHbw4_4F1FjQoH497uVYkAvPVV68HIi9injlw: \"\u003chtml\u003e\r\n\u003chead\u003e\u003ctitle\u003e403 Forbidden\u003c/title\u003e\u003c/head\u003e\r\n\u003cbody bgcolor=\"white\"\u003e\r\n\u003ccenter\u003e\u003ch1\u003e403 Forbidden\u003c/h1\u003e\u003c/center\u003e\r\n\u003chr\u003e\u003ccenter\u003e\"",
   "status": 403
  },

    non-https vhost still has drop.conf include enabled
    Code (Text):
    include /usr/local/nginx/conf/drop.conf;

    see if that is why
    i'll update vhost generator to disable that
    vhost generator's instructed /usr/local/nginx/conf/wpsecure.conf also may have a dot file . directory blocker too so need to punch a hole in that for .well-known directory

    at very top of /usr/local/nginx/conf/wpsecure.conf file add this location context to whitelists .well-known directory
    Code (Text):
        # prepare for letsencrypt
    # https://community.centminmod.com/posts/17774/
    location ~ /.well-known { location ~ /.well-known/acme-challenge/(.*) { more_set_headers    "Content-Type: text/plain"; } }

    and restart nginx
     
  15. Nov 18, 2017 #35
    Jon Snow

    Jon Snow Active Member

    917
    188
    43
    Jun 30, 2017
    Ratings:
    +293
    Local Time:
    6:48 AM
    Nginx 1.13.9
    MariaDB 10.1.31
    @eva2000 That did the job. It was a sucess :

    Code (Text):
    ===Starting cron===
Renew: 'domain.org'
Multi domain='DNS:www.domain.org'
Getting domain auth token for each domain
Getting webroot for domain='domain.org'
Getting new-authz for domain='domain.org'
The new-authz request is ok.
Getting webroot for domain='www.domain.org'
Getting new-authz for domain='www.domain.org'
[Fri Nov 17 15:21:40 UTC 2017] The new-authz request is ok.
[Fri Nov 17 15:21:40 UTC 2017] Verifying:domain.org
[Fri Nov 17 15:21:43 UTC 2017] Success
[Fri Nov 17 15:21:43 UTC 2017] Verifying:www.domain.org
[Fri Nov 17 15:21:45 UTC 2017] Success
[Fri Nov 17 15:21:45 UTC 2017] Verify finished, start to sign.
Cert success.
-----BEGIN CERTIFICATE-----
Placeholder Text
-----END CERTIFICATE-----
Your cert is in  /root/.acme.sh/domain.org/domain.org.cer
Your cert key is in  /root/.acme.sh/domain.org/domain.org.key
The intermediate CA cert is in  /root/.acme.sh/domain.org/ca.cer
And the full chain certs is there:  /root/.acme.sh/domain.org/fullchain.cer
Installing cert to:/usr/local/nginx/conf/ssl/domain.org/domain.org-acme.cer
Installing CA to:/usr/local/nginx/conf/ssl/domain.org/domain.org-acme.cer
Installing key to:/usr/local/nginx/conf/ssl/domain.org/domain.org-acme.key
Installing full chain to:/usr/local/nginx/conf/ssl/domain.org/domain.org-fullchain-acme.key
Run reload cmd: /usr/bin/ngxreload
Reloading nginx configuration (via systemctl):             [  OK  ]
Reload success
===End cron===
     
  16. Nov 18, 2017 #36
    rdan

    rdan Well-Known Member

    5,452
    1,418
    113
    May 25, 2014
    Ratings:
    +2,212
    Local Time:
    5:48 PM
    Mainline
    10.2
    So how can I test if my cron/auto renew will work fine in the future also?
     
  17. Nov 18, 2017 #37
    eva2000

    eva2000 Administrator Staff Member

    58,895
    12,490
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +19,122
    Local Time:
    7:48 PM
    Nginx 1.31.x
    MariaDB 10.x/11.4+/12.3+
    great :)
    Just run the cronjob manually it will skip renewal if it's more than 60+ days from expiry though
     
  18. Nov 18, 2017 #38
    rdan

    rdan Well-Known Member

    5,452
    1,418
    113
    May 25, 2014
    Ratings:
    +2,212
    Local Time:
    5:48 PM
    Mainline
    10.2
    Got this:
     
  19. Nov 18, 2017 #39
    eva2000

    eva2000 Administrator Staff Member

    58,895
    12,490
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +19,122
    Local Time:
    7:48 PM
    Nginx 1.31.x
    MariaDB 10.x/11.4+/12.3+
    you never installed acme.sh via acmetool.sh https://centminmod.com/acmetool or move servers without reinstalling it
    Code (Text):
    cd /usr/local/src/centminmod/addons
./acmetool.sh acmeinstall

    Or you're missing log directory at /root/centminlogs
     
  20. Nov 18, 2017 #40
    rdan

    rdan Well-Known Member

    5,452
    1,418
    113
    May 25, 2014
    Ratings:
    +2,212
    Local Time:
    5:48 PM
    Mainline
    10.2
    Works now.
    Code:
    # "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh"
[Sat Nov 18 00:20:08 +08 2017] ===Starting cron===
[Sat Nov 18 00:20:08 +08 2017] Renew: 'domain.com'
[Sat Nov 18 00:20:08 +08 2017] Skip, Next renewal time is: Wed Jan 10 22:44:12 UTC 2018
[Sat Nov 18 00:20:08 +08 2017] Add '--force' to force to renew.
[Sat Nov 18 00:20:08 +08 2017] Skipped domain.com
[Sat Nov 18 00:20:08 +08 2017] ===End cron===
     
Previous Thread Next Thread
Loading...
Page 2 of 5

.