
Letsencrypt Letsencrypt failed ssl renewal

Discussion in 'Domains, DNS, Email & SSL Certificates' started by Jon Snow, Nov 12, 2017.

  1. eva2000

    eva2000 Administrator Staff Member

    Let's clear up the output by excluding the entries with the word backup in them so output for
    Code (Text):
    grep -rn 'domain.org' /usr/local/nginx/conf | grep -v 'backup'
    

     
  2. Jon Snow

    Jon Snow Active Member

    The space I mentioned in my last post could just be PuTTY not opening wide enough.

    Here's the output:
    Code (Text):
    grep -rn 'domain.org' /usr/local/nginx/conf | grep -v 'backup'
    /usr/local/nginx/conf/ssl/domain.org/acme-vhost-config.txt:1:  ssl_dhparam /usr/local/nginx/conf/ssl/domain.org/dhparam.pem;
    /usr/local/nginx/conf/ssl/domain.org/acme-vhost-config.txt:2:  ssl_certificate      /usr/local/nginx/conf/ssl/domain.org/domain.org-acme.cer;
    /usr/local/nginx/conf/ssl/domain.org/acme-vhost-config.txt:3:  ssl_certificate_key  /usr/local/nginx/conf/ssl/domain.org/domain.org-acme.key;
    /usr/local/nginx/conf/ssl/domain.org/acme-vhost-config.txt:4:  ssl_trusted_certificate /usr/local/nginx/conf/ssl/domain.org/domain.org-acme.cer;
    /usr/local/nginx/conf/ssl/domain.org/domain.org.crt.key.conf:1:  ssl_dhparam /usr/local/nginx/conf/ssl/domain.org/dhparam.pem;
    /usr/local/nginx/conf/ssl/domain.org/domain.org.crt.key.conf:2:  ssl_certificate      /usr/local/nginx/conf/ssl/domain.org/domain.org-acme.cer;
    /usr/local/nginx/conf/ssl/domain.org/domain.org.crt.key.conf:3:  ssl_certificate_key  /usr/local/nginx/conf/ssl/domain.org/domain.org-acme.key;
    /usr/local/nginx/conf/ssl/domain.org/domain.org.crt.key.conf:4:  ssl_trusted_certificate /usr/local/nginx/conf/ssl/domain.org/domain.org-acme.cer;
    /usr/local/nginx/conf/conf.d/domain.org.ssl.conf:5:  server_name domain.org www.domain.org;
    /usr/local/nginx/conf/conf.d/domain.org.ssl.conf:6:  return 302 https://domain.org$request_uri;
    /usr/local/nginx/conf/conf.d/domain.org.ssl.conf:11:  server_name domain.org;
    /usr/local/nginx/conf/conf.d/domain.org.ssl.conf:13:  include /usr/local/nginx/conf/ssl/domain.org/domain.org.crt.key.conf;
    /usr/local/nginx/conf/conf.d/domain.org.ssl.conf:46:  access_log /home/nginx/domains/domain.org/log/access.log combined buffer=256k flush=5m;
    /usr/local/nginx/conf/conf.d/domain.org.ssl.conf:47:  error_log /home/nginx/domains/domain.org/log/error.log;
    /usr/local/nginx/conf/conf.d/domain.org.ssl.conf:49:  include /usr/local/nginx/conf/autoprotect/domain.org/autoprotect-domain.org.conf;
    /usr/local/nginx/conf/conf.d/domain.org.ssl.conf:50:  root /home/nginx/domains/domain.org/public;
    /usr/local/nginx/conf/conf.d/domain.org.ssl.conf:76:  include /usr/local/nginx/conf/pre-staticfiles-local-domain.org.conf;
    
     
  3. eva2000

    eva2000 Administrator Staff Member

    That looks good too, so hard to see what's giving 404 not found errors
     
  4. Jon Snow

    Jon Snow Active Member

    Are you experiencing the same issue on your test servers? I'm either running into this problem or an invalid SSL certificate issue every time I try to reissue it after using it for a while:
    Code (Text):
    "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh"
    [Wed Nov 15 10:04:10 UTC 2017] ===Starting cron===
    [Wed Nov 15 10:04:10 UTC 2017] Renew: 'domain.com'
    [Wed Nov 15 10:04:10 UTC 2017] Skip invalid cert for: domain.com
    [Wed Nov 15 10:04:10 UTC 2017] ===End cron===

    Creating a vhost with SSL works perfectly on the other hand. The only issue is extending the time frame.
     
  5. Jon Snow

    Jon Snow Active Member

    Unrelated but do you recommend using Certbot with CMM for getting back the Letsencrypt SSL certificate?

    https://certbot.eff.org/#centosrhel7-nginx

    It seems easy to set up. Would I just use the same vhost ssl config by using sudo certbot --nginx certonly?
     
  6. eva2000

    eva2000 Administrator Staff Member

    No, don't use certbot, as it could break Centmin Mod nginx; certbot assumes a distro-installed nginx, which has a different structure.

    And anyway the problem is validation of the domain, and certbot would fail too, like acme.sh in addons/acmetool.sh, as the verification is the same: looking for the .well-known directory file.
     
  7. eva2000

    eva2000 Administrator Staff Member

    Not having any issues on my letsencrypt sites with centmin mod.

    Problem could be that you let the letsencrypt ssl cert expire, so on the http to https redirect, letsencrypt domain validation isn't following the invalid https ssl cert now? You could try re-enabling the non-https nginx vhost for the domain temporarily, temporarily disable the http to https redirect, and re-run the renewal cronjob command to see if it validates via the non-https vhost.
     
  8. Jon Snow

    Jon Snow Active Member

    It also happens on sites where it hasn't expired yet but only has the ssl config (the non-ssl config was disabled).

    How do I set back up the non-ssl file? I think the tool deleted it. Should I just use the vhost generator, upload and rename it? Then edit out the redirect from the ssl config and restart nginx?
     
  9. eva2000

    eva2000 Administrator Staff Member

    Yes, for the non-https vhost you can temporarily use the vhost generator to make one: https://centminmod.com/vhost.php, saved at /usr/local/nginx/conf/conf.d/yourdomain.com.conf
     
  10. Jon Snow

    Jon Snow Active Member

    Done this, but for some reason http redirects to https even when there isn't anything to redirect it.

    Non-SSL config:

    Code (Text):
    server {
      server_name domain.org www.domain.org;
    
    # ngx_pagespeed & ngx_pagespeed handler
    #include /usr/local/nginx/conf/pagespeed.conf;
    #include /usr/local/nginx/conf/pagespeedhandler.conf;
    #include /usr/local/nginx/conf/pagespeedstatslog.conf;
    
      #add_header X-Frame-Options SAMEORIGIN;
      #add_header X-Xss-Protection "1; mode=block" always;
      #add_header X-Content-Type-Options "nosniff" always;
    
      # limit_conn limit_per_ip 16;
      # ssi  on;
    
      access_log /home/nginx/domains/domain.org/log/access.log combined buffer=256k flush=5m;
      error_log /home/nginx/domains/domain.org/log/error.log;
    
      root /home/nginx/domains/domain.org/public;
    
      location / {
        # Wordpress Permalinks
        try_files $uri $uri/ /index.php?q=$request_uri;
    
        include /usr/local/nginx/conf/wpsecure.conf;
        include /usr/local/nginx/conf/wpnocache.conf;
      }
    
      include /usr/local/nginx/conf/staticfiles.conf;
      include /usr/local/nginx/conf/php.conf;
      include /usr/local/nginx/conf/drop.conf;
      #include /usr/local/nginx/conf/errorpage.conf;
      include /usr/local/nginx/conf/vts_server.conf;
    }
    


    SSL config (I removed the first server context because I split the config files again):

    Code (Text):
    server {
      listen 443 ssl http2;
      server_name domain.org;
    
      include /usr/local/nginx/conf/ssl/domain.org/domain.org.crt.key.conf;
      include /usr/local/nginx/conf/ssl_include.conf;
    
      http2_max_field_size 16k;
      http2_max_header_size 32k;
      # mozilla recommended
      ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS;
      ssl_prefer_server_ciphers   on;
      #add_header Alternate-Protocol  443:npn-spdy/3;
    
      # before enabling HSTS line below read centminmod.com/nginx_domain_dns_setup.html#hsts
      #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
      #add_header X-Frame-Options SAMEORIGIN;
      #add_header X-Xss-Protection "1; mode=block" always;
      #add_header X-Content-Type-Options "nosniff" always;
      #spdy_headers_comp 5;
      ssl_buffer_size 1369;
      ssl_session_tickets on;
     
      # enable ocsp stapling
      resolver 8.8.8.8 8.8.4.4 valid=10m;
      resolver_timeout 10s;
      ssl_stapling on;
      ssl_stapling_verify on;
    
    # ngx_pagespeed & ngx_pagespeed handler
    #include /usr/local/nginx/conf/pagespeed.conf;
    #include /usr/local/nginx/conf/pagespeedhandler.conf;
    #include /usr/local/nginx/conf/pagespeedstatslog.conf;
    
      # limit_conn limit_per_ip 16;
      # ssi  on;
    
      access_log /home/nginx/domains/domain.org/log/access.log combined buffer=256k flush=5m;
      error_log /home/nginx/domains/domain.org/log/error.log;
    
      include /usr/local/nginx/conf/autoprotect/domain.org/autoprotect-domain.org.conf;
      root /home/nginx/domains/domain.org/public;
      # uncomment cloudflare.conf include if using cloudflare for
      # server and/or vhost site
      #include /usr/local/nginx/conf/cloudflare.conf;
      include /usr/local/nginx/conf/503include-main.conf;
    
      location / {
      try_files $uri $uri/ /index.php?q=$request_uri;
      include /usr/local/nginx/conf/wpsecure.conf;
      include /usr/local/nginx/conf/wpnocache.conf;
      include /usr/local/nginx/conf/503include-only.conf;
    
    # block common exploits, sql injections etc
    #include /usr/local/nginx/conf/block.conf;
    
      # Enables directory listings when index file not found
      #autoindex  on;
    
      # Shows file listing times as local time
      #autoindex_localtime on;
    
      # Wordpress Permalinks example
      #try_files $uri $uri/ /index.php?q=$uri&$args;
    
      }
    
      include /usr/local/nginx/conf/pre-staticfiles-local-domain.org.conf;
      include /usr/local/nginx/conf/pre-staticfiles-global.conf;
      include /usr/local/nginx/conf/staticfiles.conf;
      include /usr/local/nginx/conf/php.conf;
     
      # include /usr/local/nginx/conf/drop.conf;
      #include /usr/local/nginx/conf/errorpage.conf;
      include /usr/local/nginx/conf/vts_server.conf;
    }
    
     
  11. Jon Snow

    Jon Snow Active Member

    @eva2000 So I got the two config files to work like normal. Same problem.
    Code (Text):
    Verifying:domain.org
    domain.org:Verify error:Invalid response from http://domain.org/.well-known/acme-challenge/2rQAisLj5JO1Vb-MNB6wvELHpnyNpwglNhlSHofZy5w:
    Please check log file for more details: /root/centminlogs/acmetool.sh-debug-log-161117-234142.log
    Error renew domain.org.
    ===End cron===

    Is there any other way I can use Letsencrypt with CMM?
     
  12. eva2000

    eva2000 Administrator Staff Member

    Share the debug log /root/centminlogs/acmetool.sh-debug-log-161117-234142.log as well.

    Strange, should work. I just set up 3x letsencrypt https default centmin mod 123.09beta01 nginx vhost sites last night without any problems.
     
  13. Jon Snow

    Jon Snow Active Member

    Sent you a PM.

    Setting them up isn't the problem. Trying to reissue/renew it is.
     
  14. eva2000

    eva2000 Administrator Staff Member

    So it's something you add or alter in your nginx vhost that is causing failed domain validation?

    I see in the latest log a 403 permission denied error
    Code (Text):
    [Thu Nov 16 23:41:51 UTC 2017] ret='0'
    [Thu Nov 16 23:41:51 UTC 2017] original='{
      "type": "http-01",
      "status": "invalid",
      "error": {
       "type": "urn:acme:error:unauthorized",
       "detail": "Invalid response from http://domain.org/.well-known/acme-challenge/FP-R42VHbw4_4F1FjQoH497uVYkAvPVV68HIi9injlw: \"\u003chtml\u003e\r\n\u003chead\u003e\u003ctitle\u003e403 Forbidden\u003c/title\u003e\u003c/head\u003e\r\n\u003cbody bgcolor=\"white\"\u003e\r\n\u003ccenter\u003e\u003ch1\u003e403 Forbidden\u003c/h1\u003e\u003c/center\u003e\r\n\u003chr\u003e\u003ccenter\u003e\"",
       "status": 403
      },
    

    Non-https vhost still has the drop.conf include enabled
    Code (Text):
    include /usr/local/nginx/conf/drop.conf;
    

    See if that is why.
    I'll update the vhost generator to disable that.
    The vhost generator's instructed /usr/local/nginx/conf/wpsecure.conf may also have a dot file (.) directory blocker too, so you need to punch a hole in that for the .well-known directory.

    At the very top of the /usr/local/nginx/conf/wpsecure.conf file add this location context to whitelist the .well-known directory
    Code (Text):
        # prepare for letsencrypt
        # https://community.centminmod.com/posts/17774/
        location ~ /.well-known {
          location ~ /.well-known/acme-challenge/(.*) {
            more_set_headers "Content-Type: text/plain";
          }
        }
    

    and restart nginx
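    A pre-flight check for the two failure modes raised in this thread (the http to https redirect in post 7 and the 403 from the dot-file blocker above), added here as an example and not part of acmetool.sh, acme.sh or Centmin Mod; it assumes the nginx vhost's root is the webroot passed in and that curl is installed.

```bash
#!/usr/bin/env bash
# Added example (not part of acmetool.sh, acme.sh or Centmin Mod): drops a token
# file where acme.sh webroot mode writes the HTTP-01 challenge, fetches it over
# plain HTTP without following redirects, and names the failure mode.

# classify_response STATUS BODY EXPECTED
#   Maps an HTTP status plus body to a diagnosis. Kept separate so the mapping
#   can be exercised without a live server.
classify_response() {
  local status="$1" body="$2" expected="$3"
  case "$status" in
    200)
      if [ "$body" = "$expected" ]; then echo "ok"
      else echo "wrong-content"        # another vhost or root answered
      fi ;;
    301|302|307|308) echo "redirect" ;;  # http->https redirect fires before the challenge is served
    403) echo "forbidden" ;;             # dot-file blocker (drop.conf / wpsecure.conf) caught /.well-known
    404) echo "not-found" ;;             # nginx root does not match the webroot the challenge was written to
    000) echo "unreachable" ;;           # curl could not connect at all
    *)   echo "unexpected-$status" ;;
  esac
}

# preflight DOMAIN WEBROOT
#   Assumed invocation (hypothetical paths, matching the thread's layout):
#   preflight domain.org /home/nginx/domains/domain.org/public
preflight() {
  local domain="$1" webroot="$2"
  local dir="$webroot/.well-known/acme-challenge"
  local token="preflight-$(date +%s)-$RANDOM"
  local body_file status body result
  mkdir -p "$dir"
  printf '%s' "$token" > "$dir/$token"
  body_file=$(mktemp)
  # -s silent, -o body to file, -w status code only; no -L, so a redirect is
  # reported as a redirect instead of being followed to the https vhost
  status=$(curl -s -o "$body_file" -w '%{http_code}' \
    "http://$domain/.well-known/acme-challenge/$token")
  body=$(cat "$body_file")
  rm -f "$body_file" "$dir/$token"      # remove the token and temp file again
  result=$(classify_response "$status" "$body" "$token")
  echo "$domain: $result (HTTP $status)"
  [ "$result" = "ok" ]
}
```

    Run it before the renewal cronjob; anything other than "ok" means the validator would fail the same way, and the diagnosis says which vhost rule to look at.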
     
  15. Jon Snow

    Jon Snow Active Member

    @eva2000 That did the job. It was a success:

    Code (Text):
    ===Starting cron===
    Renew: 'domain.org'
    Multi domain='DNS:www.domain.org'
    Getting domain auth token for each domain
    Getting webroot for domain='domain.org'
    Getting new-authz for domain='domain.org'
    The new-authz request is ok.
    Getting webroot for domain='www.domain.org'
    Getting new-authz for domain='www.domain.org'
    [Fri Nov 17 15:21:40 UTC 2017] The new-authz request is ok.
    [Fri Nov 17 15:21:40 UTC 2017] Verifying:domain.org
    [Fri Nov 17 15:21:43 UTC 2017] Success
    [Fri Nov 17 15:21:43 UTC 2017] Verifying:www.domain.org
    [Fri Nov 17 15:21:45 UTC 2017] Success
    [Fri Nov 17 15:21:45 UTC 2017] Verify finished, start to sign.
    Cert success.
    -----BEGIN CERTIFICATE-----
    Placeholder Text
    -----END CERTIFICATE-----
    Your cert is in  /root/.acme.sh/domain.org/domain.org.cer
    Your cert key is in  /root/.acme.sh/domain.org/domain.org.key
    The intermediate CA cert is in  /root/.acme.sh/domain.org/ca.cer
    And the full chain certs is there:  /root/.acme.sh/domain.org/fullchain.cer
    Installing cert to:/usr/local/nginx/conf/ssl/domain.org/domain.org-acme.cer
    Installing CA to:/usr/local/nginx/conf/ssl/domain.org/domain.org-acme.cer
    Installing key to:/usr/local/nginx/conf/ssl/domain.org/domain.org-acme.key
    Installing full chain to:/usr/local/nginx/conf/ssl/domain.org/domain.org-fullchain-acme.key
    Run reload cmd: /usr/bin/ngxreload
    Reloading nginx configuration (via systemctl):             [  OK  ]
    Reload success
    ===End cron===
    
     
  16. rdan

    rdan Well-Known Member

    So how can I test if my cron/auto renew will work fine in the future also?
     
  17. eva2000

    eva2000 Administrator Staff Member

    Great :)
    Just run the cronjob manually; it will skip renewal if it's more than 60+ days from expiry though.
     
  18. rdan

    rdan Well-Known Member

    Got this:
     
  19. eva2000

    eva2000 Administrator Staff Member

    You never installed acme.sh via acmetool.sh https://centminmod.com/acmetool or moved servers without reinstalling it
    Code (Text):
    cd /usr/local/src/centminmod/addons
    ./acmetool.sh acmeinstall

    Or you're missing log directory at /root/centminlogs
     
  20. rdan

    rdan Well-Known Member

    Works now.
    Code:
    # "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh"
    [Sat Nov 18 00:20:08 +08 2017] ===Starting cron===
    [Sat Nov 18 00:20:08 +08 2017] Renew: 'domain.com'
    [Sat Nov 18 00:20:08 +08 2017] Skip, Next renewal time is: Wed Jan 10 22:44:12 UTC 2018
    [Sat Nov 18 00:20:08 +08 2017] Add '--force' to force to renew.
    [Sat Nov 18 00:20:08 +08 2017] Skipped domain.com
    [Sat Nov 18 00:20:08 +08 2017] ===End cron===
    
     