
Letsencrypt Letsencrypt failed ssl renewal

Discussion in 'Domains, DNS, Email & SSL Certificates' started by Jon Snow, Nov 12, 2017.

  1. rdan (Well-Known Member)
    I've installed it, but I usually delete this directory "/root/centminlogs/" every time after exiting SSH.
    I re-ran centmin to create it, and now it all works.
     
  2. rdan (Well-Known Member)
    Although it was noted:
    But it didn't work when I tried:
     
  3. eva2000 (Administrator, Staff Member)
    Not recommended to delete, as every centmin.sh menu option writes a log to that directory for debugging.
    Wrong order of commands.
     
  4. Jon Snow (Active Member)
    @eva2000

    One last problem I encountered. On only one of my servers, I'm running into an invalid cert error:
    Code (Text):
    "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh"
    ===Starting cron===
    Renew: 'domain.com'
    Skip invalid cert for: domain.com
    ===End cron===

    Using ./acmetool.sh reissue blah blah blah fails too and my site goes down until I re-upload the previous vhost file and restart nginx. wpsecure.conf isn't in the vhost and the site runs on the SSL certificate fine atm. I commented out drop.conf from the vhost + restarted nginx then ran the renew and it still didn't work.

    All of my other servers including fresh installs are fine. It's just this one server but it doesn't have anything different from the others so I'm not sure why it's happening to this specific one.

    It only has the ssl vhost config. Should I try making a non-ssl version?
     
  5. eva2000 (Administrator, Staff Member)
    You should have a debug log for that run; post its contents to pastebin.com or gist.github.com.
    How was the initial letsencrypt ssl certificate obtained? Which method?
    • Was the domain nginx vhost already created prior, or was it a new domain nginx vhost site setup for the first time?
    • Via centmin.sh menu option 2, 22, /usr/bin/nv?
    • If you ran centmin.sh menu option 2 or 22, which letsencrypt option did you select from
      Code (Text):
      -------------------------------------------------------------
      Setup full Nginx vhost + Wordpress + WP Plugins
      -------------------------------------------------------------
      
      Enter vhost domain name you want to add (without www. prefix): acme3.domain1.com
      
      Create a self-signed SSL certificate Nginx vhost? [y/n]: n
      Get Letsencrypt SSL certificate Nginx vhost? [y/n]: y
      
      You have 4 options:
      1. issue staging test cert with HTTP + HTTPS
      2. issue staging test cert with HTTPS default
      3. issue live cert with HTTP + HTTPS
      4. issue live cert with HTTPS default
      Enter option number 1-4: 1
      
    • Via addons/acmetool.sh ? which specific command ? examples
      Code (Text):
      ./acmetool.sh issue acme.domain.com
      
      Code (Text):
      ./acmetool.sh issue acme.domain.com live
      
      Code (Text):
      ./acmetool.sh issue acme.domain.com d
      
      Code (Text):
      ./acmetool.sh issue acme.domain.com lived
      
    • What was the order of steps you did? Did you run centmin.sh menu option 2 first with letsencrypt? Then did you run addons/acmetool.sh afterwards?

    Centmin Mod Self-Signed SSL Fallback



    If you're seeing Centmin Mod's self-signed ssl certificate instead of the letsencrypt ssl certificate, that is acmetool.sh's and centminmod's fallback: if letsencrypt verification fails to obtain a letsencrypt ssl cert, it falls back to the Centmin Mod self-signed ssl certificate on the https port 443 side so as to preserve the https nginx vhost.

    Troubleshooting



    There are various steps you can take to troubleshoot failed letsencrypt issuances, renews, reissues etc.
    • acmetool.sh logs all command line or shell menu runs to log files at /root/centminlogs. To troubleshoot, copy the contents of the log run, post the contents of the log to pastebin.com or gist.github.com and share the link in this thread. To find the log, list the logs in ascending date order:
      Code (Text):
      ls -lahrt /root/centminlogs
    • For direct acmetool.sh runs, there should be a 2nd, 3rd & 4th log in the format /root/centminlogs/centminmod_${DT}_nginx_addvhost_nv.log, /root/centminlogs/acmetool.sh-debug-log-$DT.log and /root/centminlogs/acmesh-issue_*.log or /root/centminlogs/acmesh-reissue_*.log, which would need to be included via a separate pastebin.com or gist.github.com post.
    • Enable acmetool.sh debug mode. In the persistent config file at /etc/centminmod/custom_config.inc (create it if it doesn't exist) add and enable acmetool.sh debug mode, which gives much more verbose letsencrypt issuance process information when you re-run acmetool.sh or centmin.sh menu options 2, 22 or /usr/bin/nv command lines.
      Code (Text):
      ACMEDEBUG='y'
    If acme.sh auto renewals didn't happen, check the output of the following commands:
    Code (Text):
    grep acme /var/log/cron* | sed -e "s|$(hostname -s)|host|g"
    

    Code (Text):
    echo y | /usr/local/src/centminmod/addons/acmetool.sh checkdates
    

    Code (Text):
    "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh"
    


    Without the answers to above questions and logs, there is nothing to help troubleshoot.
     
  6. Jon Snow (Active Member)
    After running the command? Because that was everything on the screen from the post above. Only when I use the reissue command, I think something gets logged.

    Do I need to enable acmetool.sh debug mode in the persistent config file first?
    I think it was through:
    Code (Text):
    ./acmetool.sh issue acme.domain.com live

    Then I moved the website files to the server.

    I'll post the outputs in a bit for the last three commands from your post.
     
  7. eva2000 (Administrator, Staff Member)
    The live flag makes the http + https site available, versus the ending flag lived, which is for an https-default-only site.

    Not needed, as debug mode is now set by default; just the log file contents.
     
  8. Jon Snow (Active Member)
  9. Jon Snow (Active Member)
    Code (Text):
    grep acme /var/log/cron* | sed -e "s|$(hostname -s)|host|g"
    /var/log/cron:Dec 18 00:30:01 host CROND[24385]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron:Dec 19 00:30:01 host CROND[28562]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron:Dec 20 00:30:02 host CROND[15806]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron:Dec 21 00:30:01 host CROND[431]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron:Dec 22 00:30:02 host CROND[23266]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron-20171126:Nov 21 00:30:02 host CROND[18002]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron-20171126:Nov 22 00:30:01 host CROND[31934]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron-20171126:Nov 23 00:30:01 host CROND[14427]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron-20171126:Nov 24 00:30:01 host CROND[27637]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron-20171126:Nov 25 00:30:02 host CROND[8257]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron-20171126:Nov 26 00:30:02 host CROND[23439]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron-20171204:Nov 27 00:30:01 host CROND[4575]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron-20171204:Nov 28 00:30:01 host CROND[18426]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron-20171204:Nov 29 00:30:02 host CROND[32543]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron-20171204:Nov 30 00:30:01 host CROND[15234]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron-20171204:Dec  1 00:30:01 host CROND[30257]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron-20171204:Dec  2 00:30:02 host CROND[11891]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron-20171204:Dec  3 00:30:01 host CROND[26173]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron-20171204:Dec  4 00:30:01 host CROND[9322]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron-20171210:Dec  5 00:30:01 host CROND[24488]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron-20171210:Dec  6 00:30:01 host CROND[6947]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron-20171210:Dec  7 00:30:02 host CROND[22592]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron-20171210:Dec  8 00:30:02 host CROND[5752]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron-20171210:Dec  9 00:30:02 host CROND[20525]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron-20171210:Dec 10 00:30:01 host CROND[2795]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron-20171217:Dec 11 00:30:02 host CROND[18102]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron-20171217:Dec 12 00:30:01 host CROND[336]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron-20171217:Dec 13 00:30:01 host CROND[16127]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron-20171217:Dec 14 00:30:02 host CROND[31684]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron-20171217:Dec 15 00:30:01 host CROND[14633]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron-20171217:Dec 16 00:30:01 host CROND[29005]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron-20171217:Dec 17 00:30:01 host CROND[10991]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    


    The site works fine, but just can't renew the SSL certificate because it gives an invalid error.
     
  10. eva2000 (Administrator, Staff Member)
    So the command below is empty, with no listed ssl certs?
    Code (Text):
    echo y | /usr/local/src/centminmod/addons/acmetool.sh checkdates
    

    That would suggest you somehow lost the acme.sh config files for your domain's ssl certs that the cronjob reads for auto renewals. They should have files at /root/.acme.sh/yourdomain.com/

    i.e. for my mysqlmymon.com site the vhost web root path and auto renewal method is listed in /root/.acme.sh/mysqlmymon.com/mysqlmymon.com.conf config file
    Code (Text):
    ls -lah /root/.acme.sh/mysqlmymon.com/
    total 40K
    drwxr-xr-x 2 root root 4.0K Feb 11  2017 .
    drwx------ 6 root root 4.0K Feb 11  2017 ..
    -rw-r--r-- 1 root root 1.7K Nov 13 00:00 ca.cer
    -rw-r--r-- 1 root root 3.4K Nov 13 00:00 fullchain.cer
    -rw-r--r-- 1 root root 1.8K Nov 13 00:00 mysqlmymon.com.cer
    -rw-r--r-- 1 root root  955 Nov 13 00:00 mysqlmymon.com.conf
    -rw-r--r-- 1 root root  980 Nov 13 00:00 mysqlmymon.com.csr
    -rw-r--r-- 1 root root  213 Nov 13 00:00 mysqlmymon.com.csr.conf
    -rw-r--r-- 1 root root 1.7K Sep  2  2016 mysqlmymon.com.key
    -rw-r--r-- 1 root root  212 Nov 22  2016 mysqlmymon.com.ssl.conf
    

    What's the contents of your /root/.acme.sh/mysqlmymon.com/yourdomain.com.conf
     
  11. Jon Snow (Active Member)
    Code (Text):
    Le_Keylength='2048'
    Le_Domain='domain.com'
    Le_Alt='www.domain.com'
    Le_Webroot='/home/nginx/domains/domain.com/public'
    Le_PreHook=''
    Le_PostHook=''
    Le_RenewHook=''
    Le_API='https://acme-v01.api.letsencrypt.org/directory'


    The contents of /root/.acme.sh/domain.com/ :
    Code (Text):
    ls -lah /root/.acme.sh/domain.com/
    total 24K
    drwxr-xr-x 2 root root 4.0K Nov 13 01:58 .
    drwx------ 6 root root 4.0K Dec 21 03:05 ..
    -rw-r--r-- 1 root root  237 Dec 21 03:05 domain.com.conf
    -rw-r--r-- 1 root root  985 Dec 21 03:05 domain.com.csr
    -rw-r--r-- 1 root root  215 Dec 21 03:05 domain.com.csr.conf
    -rw-r--r-- 1 root root 1.7K Dec 21 03:05 domain.com.key
     
  12. eva2000 (Administrator, Staff Member)
    You seem to be missing a lot of entries in /root/.acme.sh/mysqlmymon.com/yourdomain.com.conf?

    What's the output for
    Code (Text):
    "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" --debug
    
     
  13. Jon Snow (Active Member)
    Code (Text):
    "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" --debug
    [Sat Dec 23 03:25:46 UTC 2017] Lets find script dir.
    [Sat Dec 23 03:25:46 UTC 2017] _SCRIPT_='/root/.acme.sh/acme.sh'
    [Sat Dec 23 03:25:46 UTC 2017] _script='/root/.acme.sh/acme.sh'
    [Sat Dec 23 03:25:46 UTC 2017] _script_home='/root/.acme.sh'
    [Sat Dec 23 03:25:46 UTC 2017] Using config home:/root/.acme.sh
    https://github.com/Neilpang/acme.sh
    v2.7.6
    [Sat Dec 23 03:25:46 UTC 2017] Using config home:/root/.acme.sh
    [Sat Dec 23 03:25:46 UTC 2017] ===Starting cron===
    [Sat Dec 23 03:25:46 UTC 2017] Using config home:/root/.acme.sh
    [Sat Dec 23 03:25:46 UTC 2017] _stopRenewOnError
    [Sat Dec 23 03:25:46 UTC 2017] di='/root/.acme.sh/domain.com/'
    [Sat Dec 23 03:25:46 UTC 2017] d='domain.com'
    [Sat Dec 23 03:25:46 UTC 2017] Using config home:/root/.acme.sh
    [Sat Dec 23 03:25:46 UTC 2017] DOMAIN_PATH='/root/.acme.sh/domain.com'
    [Sat Dec 23 03:25:46 UTC 2017] Renew: 'domain.com'
    [Sat Dec 23 03:25:46 UTC 2017] Using config home:/root/.acme.sh
    [Sat Dec 23 03:25:46 UTC 2017] Skip invalid cert for: domain.com
    [Sat Dec 23 03:25:46 UTC 2017] Return code: 0
    [Sat Dec 23 03:25:46 UTC 2017] ===End cron===
    
     
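The --debug run above ends in "Skip invalid cert" because the conf posted in the previous reply carries only the request parameters (Le_Domain, Le_Alt, Le_Webroot, Le_Keylength, Le_API) and none of the issuance timestamps a completed issue writes; there is nothing for --cron to renew. The shell script below is an added example, not acme.sh or Centmin Mod code: it classifies each /root/.acme.sh/<domain>/<domain>.conf before deciding between waiting for cron and going back to a reissue. The function names (acme_conf_get, acme_conf_state, acme_conf_renew_due, acme_conf_scan) and the rule that a conf without Le_CertCreateTime/Le_NextRenewTime counts as "never issued" are this example's own assumptions about what acme.sh wrote, not checks copied from acme.sh; the two sample confs in it are constructed, the first mirroring the one posted above.

```shell
#!/bin/sh
# acme_conf_check.sh (added example, not acme.sh or Centmin Mod code):
# classify acme.sh per-domain config files so a cron "Skip invalid cert"
# can be traced to its cause.
#
# Assumption: the Le_* keys below are the ones visible in this thread;
# "never-issued" for a conf lacking Le_CertCreateTime/Le_NextRenewTime
# is this example's own rule.

# Read one Le_* value without sourcing the file: sourcing a config as shell
# code would execute anything that was written into it.
acme_conf_get() {
  conf="$1"; key="$2"
  awk -v k="$key" -v q="'\"" '
    index($0, k "=") == 1 {
      v = substr($0, length(k) + 2)
      sub("^[" q "]", "", v); sub("[" q "]$", "", v)
      print v; exit
    }' "$conf"
}

# Print exactly one of: missing | unreadable | never-issued | issued
acme_conf_state() {
  conf="$1"
  [ -f "$conf" ] || { echo missing; return 0; }
  domain=$(acme_conf_get "$conf" Le_Domain)
  [ -n "$domain" ] || { echo unreadable; return 0; }
  created=$(acme_conf_get "$conf" Le_CertCreateTime)
  nextrenew=$(acme_conf_get "$conf" Le_NextRenewTime)
  if [ -z "$created" ] || [ -z "$nextrenew" ]; then
    echo never-issued; return 0
  fi
  echo issued
}

# For an issued conf and an epoch time, say whether a cron run at that time
# would attempt a renewal (acme.sh skips while now < Le_NextRenewTime).
acme_conf_renew_due() {
  conf="$1"; now="$2"
  nextrenew=$(acme_conf_get "$conf" Le_NextRenewTime)
  [ -n "$nextrenew" ] || { echo never-issued; return 0; }
  if [ "$now" -ge "$nextrenew" ]; then echo due; else echo not-due; fi
}

# Walk a .acme.sh home the way --cron does; print "<domain> <state> <hint>".
acme_conf_scan() {
  home="${1:-/root/.acme.sh}"; now=$(date +%s)
  for dir in "$home"/*/; do
    d=$(basename "$dir")
    conf="$dir$d.conf"
    [ -f "$conf" ] || continue           # account/ca dirs have no conf
    state=$(acme_conf_state "$conf")
    case "$state" in
      issued)       hint="renewal $(acme_conf_renew_due "$conf" "$now")" ;;
      never-issued) hint="reissue (acmetool.sh reissue $d) after fixing verification" ;;
      *)            hint="inspect $conf" ;;
    esac
    printf '%s %s %s\n' "$d" "$state" "$hint"
  done
}

# Constructed sample confs for the offline demo: the first mirrors the broken
# conf posted in this thread, the second is what a successful issue leaves.
write_sample_never_issued() {
  cat > "$1" <<'EOF'
Le_Keylength='2048'
Le_Domain='domain.com'
Le_Alt='www.domain.com'
Le_Webroot='/home/nginx/domains/domain.com/public'
Le_API='https://acme-v01.api.letsencrypt.org/directory'
EOF
}
write_sample_issued() {
  cat > "$1" <<'EOF'
Le_Domain='good.example'
Le_Alt='www.good.example'
Le_Webroot='/home/nginx/domains/good.example/public'
Le_Keylength='2048'
Le_CertCreateTime='1510531200'
Le_NextRenewTime='1515715200'
Le_NextRenewTimeStr='Fri Jan 12 00:00:00 UTC 2018'
EOF
}

# Demo: build a throwaway .acme.sh layout with both samples and scan it.
acme_demo() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/domain.com" "$tmp/good.example"
  write_sample_never_issued "$tmp/domain.com/domain.com.conf"
  write_sample_issued "$tmp/good.example/good.example.conf"
  acme_conf_scan "$tmp"
  rm -rf "$tmp"
}

if [ "${1-}" = "--scan" ]; then acme_conf_scan "${2:-/root/.acme.sh}"; fi
if [ "${1-}" = "--demo" ]; then acme_demo; fi
```

Run it as `sh acme_conf_check.sh --demo` to see the two sample states side by side, or `--scan` against the real /root/.acme.sh. A never-issued entry is the cue to stop waiting on the 00:30 cron and go back to `acmetool.sh reissue`, fixing whatever broke the HTTP-01 verification first; --cron will keep skipping that domain until a successful issue writes the timestamps.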
  14. eva2000 (Administrator, Staff Member)
  15. Jon Snow (Active Member)
    Didn't work, unfortunately :( Same invalid cert error with no log file.

    Using this gets a log file though:
    Code (Text):
    cd /usr/local/src/centminmod/addons
    ./acmetool.sh reissue domain.com lived
    
    -------------------------------------------------
    acmetool.sh is in beta testing phase
    please read & provide bug reports &
    feedback for this tool via the forums
    https://centminmod.com/acmetool
    -------------------------------------------------
    
    continue [y/n] ? y
    
    -----------------------------------------------------
    updating acme.sh client...
    -----------------------------------------------------
    It is recommended to install socat first.
    We use socat for standalone server if you use standalone mode.
    If you don't use standalone mode, just ignore this warning.
    Installing to /root/.acme.sh
    Installed to /root/.acme.sh/acme.sh
    Installing alias to '/root/.bashrc'
    OK, Close and reopen your terminal to start using acme.sh
    Installing alias to '/root/.cshrc'
    Installing alias to '/root/.tcshrc'
    Installing cron job
    30 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null
    Good, bash is found, so change the shebang to use bash as preferred.
    OK
    https://github.com/Neilpang/acme.sh
    v2.7.6
    -----------------------------------------------------
    acme.sh updated
    -----------------------------------------------------
    backup & remove /usr/local/nginx/conf/conf.d/domain.com.conf
    
    [self-signed ssl cert check] required by acmetool.sh
    
    [self-signed ssl] /usr/local/nginx/conf/ssl/domain.com/dhparam.pem exists
    [self-signed ssl] /usr/local/nginx/conf/ssl/domain.com/domain.com.crt exists
    [self-signed ssl] /usr/local/nginx/conf/ssl/domain.com/domain.com.key exists
    
    [sslvhostsetup] create /usr/local/nginx/conf/conf.d/domain.com.ssl.conf
    
    [non-wp] backup & remove /usr/local/nginx/conf/conf.d/domain.com.conf
    cat /usr/local/nginx/conf/ssl/domain.com/domain.com.crt.key.conf
    ssl_dhparam /usr/local/nginx/conf/ssl/domain.com/dhparam.pem;
    ssl_certificate      /usr/local/nginx/conf/ssl/domain.com/domain_com.crt;
    ssl_certificate_key  /usr/local/nginx/conf/ssl/domain.com/domain_com.key;
    ssl_trusted_certificate /usr/local/nginx/conf/ssl/domain.com/domain.com-trusted.crt;
    cp -a /usr/local/nginx/conf/conf.d/domain.com.ssl.conf /usr/local/nginx/conf/conf.d/domain.com.ssl.conf-nonwp2
    cat /usr/local/nginx/conf/conf.d/domain.com.ssl.conf-nonwp1 /usr/local/nginx/conf/conf.d/domain.com.ssl.conf-nonwp2 > /usr/local/nginx/conf/conf.d/domain.com.ssl.conf
    Reloading nginx configuration (via systemctl):  [  OK  ]
    
    setting HTTPS default in /usr/local/nginx/conf/conf.d/domain.com.ssl.conf
    
    sed -i 's|^##x# HTTPS-DEFAULT|#x# HTTPS-DEFAULT|g' /usr/local/nginx/conf/conf.d/domain.com.ssl.conf
    
    remove /usr/local/nginx/conf/conf.d/domain.com.conf
    
    grep 'root' /usr/local/nginx/conf/conf.d/domain.com.ssl.conf
      root /home/nginx/domains/domain.com/public;
            fastcgi_param   SCRIPT_FILENAME $document_root$fastcgi_script_name;
    
    -----------------------------------------------------------
    reissue & install letsencrypt ssl certificate for domain.com
    -----------------------------------------------------------
    /root/.acme.sh/acme.sh --force --createDomainKey -d domain.com -d www.domain.com -k 2048 --useragent centminmod-centos7-acmesh-webroot
    Creating domain key
    [Sat Dec 23 04:04:14 UTC 2017] The domain key is here: /root/.acme.sh/domain.com/domain.com.key
    testcert value = lived
    /root/.acme.sh/acme.sh --force --issue -d domain.com -d www.domain.com --days 60 -w /home/nginx/domains/domain.com/public -k 2048 --useragent centminmod-centos7-acmesh-webroot --log /root/centminlogs/acmetool.sh-debug-log-231217-040403.log --log-level 2
    Multi domain='DNS:www.domain.com'
    Getting domain auth token for each domain
    Getting webroot for domain='domain.com'
    Getting new-authz for domain='domain.com'
    The new-authz request is ok.
    Getting webroot for domain='www.domain.com'
    Getting new-authz for domain='www.domain.com'
    The new-authz request is ok.
    Verifying:domain.com
    domain.com:Verify error:Fetching https://domain.com/.well-known/acme-challenge/utHeY9zmAsh_LvptTgU0tGFMHT7SEKSn_TYipjJ8ORs: Connection reset by peer
    Please check log file for more details: /root/centminlogs/acmetool.sh-debug-log-231217-040403.log
    LECHECK = 1
    
    log files saved at /root/centminlogs
    -rw-r--r-- 1 root root  37K Dec 23 04:04 acmetool.sh-debug-log-231217-040403.log
    -rw-r--r-- 1 root root 4.8K Dec 23 04:04 acmesh-reissue_231217-040403.log
    

    What's different about this error is that it says "Connection reset by peer".
     
    Last edited: Dec 23, 2017
  16. eva2000 (Administrator, Staff Member)
    Post the contents of /root/centminlogs/acmetool.sh-debug-log-231217-040403.log to pastebin.com or gist.github.com.
     
  17. Jon Snow (Active Member)
  18. eva2000 (Administrator, Staff Member)
    When you set up the temp non-https nginx vhost, did you replicate the nginx rules from your https-based nginx vhost?

    Please post the contents of /usr/local/nginx/conf/conf.d/newdomain.com.conf and /usr/local/nginx/conf/conf.d/newdomain.com.ssl.conf wrapped in CODE tags (outlined at How to use forum BBCODE code tags).

    What is the output of these commands in ssh?
    Code (Text):
    curl -I https://domain.com
    

    Code (Text):
    curl -I https://www.domain.com
    

    Code (Text):
    curl -I http://domain.com
    

    Code (Text):
    curl -I http://www.domain.com
    

    Wrap the output in CODE tags.
     
  19. Jon Snow (Active Member)
    Results:
    Code (Text):
    curl -I https://domain.com
    HTTP/1.1 200 OK
    Content-Type: text/html; charset=UTF-8
    Connection: keep-alive
    Vary: Accept-Encoding
    Set-Cookie: xf_session=59f3366ff35d8871e4a5025fb2d28a0c; path=/; secure; httponly
    X-Frame-Options: SAMEORIGIN
    X-Xss-Protection: 1
    Server: Nginx
    X-Powered-By: Nginx
    Date: Sat, 23 Dec 2017 05:44:18 GMT
    X-Page-Speed: 1.13.35.1-0
    Cache-Control: max-age=0, no-cache
    
    
    curl -I https://www.domain.com
    HTTP/1.1 200 OK
    Content-Type: text/html; charset=UTF-8
    Connection: keep-alive
    Vary: Accept-Encoding
    Set-Cookie: xf_session=6aa562904a5417ebaaf533f1200a2df1; path=/; secure; httponly
    X-Frame-Options: SAMEORIGIN
    X-Xss-Protection: 1
    Server: Nginx
    X-Powered-By: Nginx
    Date: Sat, 23 Dec 2017 05:44:46 GMT
    X-Page-Speed: 1.13.35.1-0
    Cache-Control: max-age=0, no-cache
    
    
    curl -I http://domain.com
    HTTP/1.1 200 OK
    Content-Type: text/html; charset=UTF-8
    Connection: keep-alive
    Vary: Accept-Encoding
    Set-Cookie: xf_session=4b3b30ef4ef2ab002fba37139bff13b0; path=/; secure; httponly
    X-Frame-Options: SAMEORIGIN
    X-Xss-Protection: 1
    Server: Nginx
    X-Powered-By: Nginx
    Date: Sat, 23 Dec 2017 05:45:11 GMT
    X-Page-Speed: 1.13.35.1-0
    Cache-Control: max-age=0, no-cache
    
    
    curl -I http://www.domain.com
    HTTP/1.1 200 OK
    Content-Type: text/html; charset=UTF-8
    Connection: keep-alive
    Vary: Accept-Encoding
    Set-Cookie: xf_session=23aee0ed038607aa2cb76266ac293abe; path=/; secure; httponly
    X-Frame-Options: SAMEORIGIN
    X-Xss-Protection: 1
    Server: Nginx
    X-Powered-By: Nginx
    Date: Sat, 23 Dec 2017 05:45:27 GMT
    X-Page-Speed: 1.13.35.1-0
    Cache-Control: max-age=0, no-cache
    

    Posting the vhost contents in the following post.
     
  20. Jon Snow (Active Member)
    Non-SSL:
    Code (Text):
    server {
      server_name domain.com www.domain.com;

      # ngx_pagespeed & ngx_pagespeed handler
      include /usr/local/nginx/conf/pagespeed.conf;
      include /usr/local/nginx/conf/pagespeedhandler.conf;
      include /usr/local/nginx/conf/pagespeedstatslog.conf;

      #add_header X-Frame-Options SAMEORIGIN;
      #add_header X-Xss-Protection "1; mode=block" always;
      #add_header X-Content-Type-Options "nosniff" always;

      # limit_conn limit_per_ip 16;
      # ssi  on;

      access_log /home/nginx/domains/domain.com/log/access.log combined buffer=256k flush=5m;
      error_log /home/nginx/domains/domain.com/log/error.log;

      root /home/nginx/domains/domain.com/public;

      location / {
        index index.php index.html index.htm;
        try_files $uri $uri/ /index.php?$uri&$args;
      }

      location /install/ {
        auth_basic "Private";
        include /usr/local/nginx/conf/php.conf;
        allow 127.0.0.1;
        deny all;
      }

      location /install/data/ {
        internal;
        allow 127.0.0.1;
        deny all;
      }
      location /install/templates/ {
        internal;
        allow 127.0.0.1;
        deny all;
      }
      location /internal_data/ {
        internal;
        allow 127.0.0.1;
        deny all;
      }
      location /library/ {
        internal;
        allow 127.0.0.1;
        deny all;
      }

      location ~ \.php$ {
        try_files $uri =404;
        fastcgi_pass    127.0.0.1:9000;
        fastcgi_param   SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include         fastcgi_params;
      }

      include /usr/local/nginx/conf/staticfiles.conf;
      include /usr/local/nginx/conf/php.conf;
      #include /usr/local/nginx/conf/drop.conf;
      #include /usr/local/nginx/conf/errorpage.conf;
      include /usr/local/nginx/conf/vts_server.conf;
    }
    


    SSL:
    Code (Text):
    server {
      listen 443 ssl http2;
      server_name domain.com www.domain.com;

      # ssl_dhparam /usr/local/nginx/conf/ssl/domain.com/dhparam.pem;
      ssl_certificate      /usr/local/nginx/conf/ssl/domain.com/domain_com.crt;
      ssl_certificate_key  /usr/local/nginx/conf/ssl/domain.com/domain_com.key;
      include /usr/local/nginx/conf/ssl_include.conf;

      http2_max_field_size 16k;
      http2_max_header_size 32k;
      # mozilla recommended
      ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA256:EECDH+ECDSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+SHA384:EECDH+AES128:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!CAMELLIA;
      ssl_prefer_server_ciphers   on;
      #add_header Alternate-Protocol  443:npn-spdy/3;

      # before enabling HSTS line below read centminmod.com/nginx_domain_dns_setup.html#hsts
      #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
      #add_header X-Frame-Options SAMEORIGIN;
      #add_header X-Xss-Protection "1; mode=block" always;
      #add_header X-Content-Type-Options "nosniff" always;
      #spdy_headers_comp 5;
      ssl_buffer_size 1369;
      ssl_session_tickets on;

      # enable ocsp stapling
      #resolver 8.8.8.8 8.8.4.4 valid=10m;
      #resolver_timeout 10s;
      #ssl_stapling on;
      #ssl_stapling_verify on;
      #ssl_trusted_certificate /usr/local/nginx/conf/ssl/domain.com/domain.com-trusted.crt;

      # ngx_pagespeed & ngx_pagespeed handler
      include /usr/local/nginx/conf/pagespeed.conf;
      include /usr/local/nginx/conf/pagespeedhandler.conf;
      include /usr/local/nginx/conf/pagespeedstatslog.conf;

      # limit_conn limit_per_ip 16;
      # ssi  on;

      access_log /home/nginx/domains/domain.com/log/access.log combined buffer=256k flush=5m;
      error_log /home/nginx/domains/domain.com/log/error.log;

      include /usr/local/nginx/conf/autoprotect/domain.com/autoprotect-domain.com.conf;
      root /home/nginx/domains/domain.com/public;
      # uncomment cloudflare.conf include if using cloudflare for
      # server and/or vhost site
      #include /usr/local/nginx/conf/cloudflare.conf;
      include /usr/local/nginx/conf/503include-main.conf;

      # prevent access to ./directories and files
      #location ~ (?:^|/)\. {
      # deny all;
      #}

      location / {
        try_files $uri $uri/ /index.php?$uri&$args;
        index index.php index.html;

        include /usr/local/nginx/conf/503include-only.conf;

        # block common exploits, sql injections etc
        #include /usr/local/nginx/conf/block.conf;

        # Enables directory listings when index file not found
        #autoindex  on;

        # Shows file listing times as local time
        #autoindex_localtime on;

        # Wordpress Permalinks example
        #try_files $uri $uri/ /index.php?q=$uri&$args;
      }

      location /install/ {
        auth_basic "Private";
        include /usr/local/nginx/conf/php.conf;
        allow 127.0.0.1;
        deny all;
      }

      location /install/data/ {
        internal;
        allow 127.0.0.1;
        deny all;
      }
      location /install/templates/ {
        internal;
        allow 127.0.0.1;
        deny all;
      }
      location /internal_data/ {
        internal;
        allow 127.0.0.1;
        deny all;
      }
      location /library/ {
        internal;
        allow 127.0.0.1;
        deny all;
      }

      location ~ \.php$ {
        try_files $uri =404;
        fastcgi_pass    127.0.0.1:9000;
        fastcgi_param   SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include         fastcgi_params;
      }

      include /usr/local/nginx/conf/pre-staticfiles-local-domain.com.conf;
      include /usr/local/nginx/conf/pre-staticfiles-global.conf;
      include /usr/local/nginx/conf/staticfiles.conf;
      include /usr/local/nginx/conf/php.conf;

      #include /usr/local/nginx/conf/drop.conf;
      #include /usr/local/nginx/conf/errorpage.conf;
      include /usr/local/nginx/conf/vts_server.conf;
    }
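The four `curl -I` checks in post 19 only show that the site root answers 200 for every name/scheme combination; the CA fetches one specific path, and the verify error quoted in post 15 was on that path. The script below is an added example, not acme.sh or Centmin Mod code: it drops a probe token where acme.sh's webroot mode writes its challenge files (<webroot>/.well-known/acme-challenge/), checks that it reads back, and, when a base URL is given, fetches it with curl the way Let's Encrypt does (plain http, following redirects), optionally pinning the hostname to an IP so a CDN or stale DNS answer can be excluded. The function names (challenge_drop, challenge_readback, challenge_fetch, challenge_probe), the ".probe" file format and the result strings are this example's own assumptions; the offline part runs against a temporary directory it creates itself.

```shell
#!/bin/sh
# challenge_probe.sh (added example, not acme.sh or Centmin Mod code):
# exercise the HTTP-01 webroot path the way acme.sh and the CA do, so a
# "Connection reset by peer" or a 4xx on /.well-known/acme-challenge/<token>
# can be told apart from an acme.sh conf problem.
#
# Assumption: acme.sh webroot mode places <token> under
# <webroot>/.well-known/acme-challenge/ and the CA fetches
# http://<domain>/.well-known/acme-challenge/<token>, following redirects.

# Write a random probe token under the webroot and print the token. Fails when
# the directory cannot be created, e.g. when Le_Webroot in the domain conf
# points at a path that is not a directory or is not writable.
challenge_drop() {
  webroot="$1"
  dir="$webroot/.well-known/acme-challenge"
  mkdir -p "$dir" || return 1
  token=$(head -c 24 /dev/urandom | od -An -tx1 | tr -d ' \n')
  printf '%s.probe\n' "$token" > "$dir/$token" || return 1
  printf '%s\n' "$token"
}

# Does the token file read back as written? Catches read-only mounts, wrong
# ownership and a public/ symlink that resolves somewhere else.
challenge_readback() {
  webroot="$1"; token="$2"
  actual=$(cat "$webroot/.well-known/acme-challenge/$token" 2>/dev/null)
  [ "$actual" = "$token.probe" ]
}

# Fetch the token the way the CA does. base is e.g. http://domain.com.
# A transport failure (reset, TLS error, timeout) is reported separately from
# a non-200 status and from a body mismatch (another vhost/root answering for
# the name). pin_ip, if given, bypasses DNS/CDN via curl --resolve.
challenge_fetch() {
  base="$1"; token="$2"; ip="${3-}"
  url="$base/.well-known/acme-challenge/$token"
  host=$(printf '%s' "$base" | sed 's|^[a-z]*://||; s|/.*||')
  resolve=""
  if [ -n "$ip" ]; then
    resolve="--resolve $host:80:$ip --resolve $host:443:$ip"
  fi
  body=$(curl -sS -L --max-time 15 $resolve -o - -w '\n%{http_code}' "$url" 2>&1) || {
    echo "transport-error: $body"; return 1; }
  code=$(printf '%s\n' "$body" | tail -n 1)
  content=$(printf '%s\n' "$body" | sed '$d')
  [ "$code" = "200" ] || { echo "http-$code"; return 1; }
  [ "$content" = "$token.probe" ] || { echo "body-mismatch"; return 1; }
  echo ok
}

# Remove the probe file (acme.sh removes its own tokens after validation).
challenge_cleanup() { rm -f "$1/.well-known/acme-challenge/$2"; }

# Usage: challenge_probe <webroot> [base_url] [pin_ip]
# Prints local-ok (no URL given), ok, or one of the failure strings above, and
# returns 0 only for the two success cases.
challenge_probe() {
  webroot="$1"; base="${2-}"; ip="${3-}"
  token=$(challenge_drop "$webroot") || {
    echo "cannot write $webroot/.well-known/acme-challenge"; return 1; }
  if ! challenge_readback "$webroot" "$token"; then
    challenge_cleanup "$webroot" "$token"; echo readback-failed; return 1
  fi
  result=local-ok
  if [ -n "$base" ]; then
    result=$(challenge_fetch "$base" "$token" "$ip") || true
  fi
  challenge_cleanup "$webroot" "$token"
  echo "$result"
  [ "$result" = "local-ok" ] || [ "$result" = "ok" ]
}

if [ "$#" -gt 0 ]; then challenge_probe "$@"; fi
```

Run `sh challenge_probe.sh /home/nginx/domains/domain.com/public http://domain.com` from the server, then once more from a host outside its network, and again with the server's public IP as the third argument if the name sits behind a CDN. If the local step passes but the fetch reports http-403 or http-404 while `curl -I` on the root succeeds, a location rule in the vhost (an `internal`/`deny all` block, drop.conf, or the autoprotect include) is intercepting the challenge path, and a `location ^~ /.well-known/acme-challenge/` block with `allow all;` placed ahead of those rules is the fix for that class. A transport-error such as the "Connection reset by peer" in post 15 sits below nginx's location rules (TLS handshake, a firewall or rate-limit rule) and shows up the same way regardless of the vhost contents.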