Letsencrypt Letsencrypt failed ssl renewal

rdan · Nov 18, 2017

eva2000 said: ↑
you never installed acme.sh via acmetool.sh https://centminmod.com/acmetool or move servers without reinstalling it
Code (Text):
cd /usr/local/src/centminmod/addons
./acmetool.sh acmeinstall
Or you're missing log directory at /root/centminlogs
Click to expand...
I've installed it but I usually delete this directory "/root/centminlogs/" every after exiting SSH.
I re run centmin to create it then all works now.

rdan · Nov 18, 2017

Although it was noted:

Add '--force' to force to renew.
Click to expand...

But didn't work when I try:

# "/root/.acme.sh"/acme.sh --cron --home --force "/root/.acme.sh"
[Sat Nov 18 00:23:36 +08 2017] Unknown parameter : /root/.acme.sh
Click to expand...

eva2000 · Nov 18, 2017

RoldanLT said: ↑

I've installed it but I usually delete this directory "/root/centminlogs/" every after exiting SSH.
I re run centmin to create it then all works now.
Click to expand...

not recommended to delete as centmin.sh menu every option writes a log to that directory for debugging

RoldanLT said: ↑

Although it was noted:

But didn't work when I try:
Click to expand...

wrong order of commands

Jon Snow · Dec 23, 2017

@eva2000

One last problem I encountered. On only one of my servers, I'm running into an invalid cert error :
Code (Text):
"/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh"
===Starting cron===
Renew: 'domain.com'
Skip invalid cert for: domain.com
===End cron===
Using ./acmetool.sh reissue blah blah blah fails too and my site goes down until I re-upload the previous vhost file and restart nginx. wpsecure.conf isn't in the vhost and the site runs on the SSL certificate fine atm. I commented out drop.conf from the vhost + restarted nginx then ran the renew and it still didn't work.

All of my other servers including fresh installs are fine. It's just this one server but it doesn't have anything different from the others so I'm not sure why it's happening to this specific one.

It only has the ssl vhost config. Should I try making a non-ssl version?

eva2000 · Dec 23, 2017

Jon Snow said: ↑

Using ./acmetool.sh reissue blah blah blah fails too
Click to expand...

you should have a debug log for that run, post contents to pastebin.com or gist.github.com
How was the initial letsencrypt ssl certificate obtained ? Which method ?
Was the domain nginx vhost alreadying created prior or new domain nginx vhost site setup for first time ?

Via centmin.sh menu option 2, 22, /usr/bin/nv ?
If you ran centmin.sh menu option 2 or 22, which letsencrypt option did you select from
Code (Text):
-------------------------------------------------------------
Setup full Nginx vhost + Wordpress + WP Plugins
-------------------------------------------------------------

Enter vhost domain name you want to add (without www. prefix): acme3.domain1.com

Create a self-signed SSL certificate Nginx vhost? [y/n]: n
Get Letsencrypt SSL certificate Nginx vhost? [y/n]: y

You have 4 options:
1. issue staging test cert with HTTP + HTTPS
2. issue staging test cert with HTTPS default
3. issue live cert with HTTP + HTTPS
4. issue live cert with HTTPS default
Enter option number 1-4: 1
Via addons/acmetool.sh ? which specific command ? examples
Code (Text):
./acmetool.sh issue acme.domain.com
Code (Text):
./acmetool.sh issue acme.domain.com live
Code (Text):
./acmetool.sh issue acme.domain.com d
Code (Text):
./acmetool.sh issue acme.domain.com lived
What was order of steps you did ? Did you run centmin.sh menu option 2 first with letsencrypt ? Then did you run addons/acmetool.sh afterwards ?
Centmin Mod Self-Signed SSL Fallback

If you're seeing a Centmin Mod's self-signed ssl certificate instead of letsencrypt ssl certificate, then that's acmetool.sh and centminmod's fallback if letsencrypt verification fails to obtain letsencrypt ssl cert, it falls back to centmin mod self-signed ssl certificate on https port 443 side so to preserve the https nginx vhost

Troubleshooting

There are various steps you can do to troubleshoot failed letsencrypt issuances, renews, reissues etc.
acmetool.sh logs all command line or shell menu runs to log files at /root/centminlogs. To troubleshoot, copy the contents of the log run and post contents of log to pastebin.com or gist.github.com and share link in this thread. To find the log list the logs in ascending date order
Code (Text):
ls -lahrt /root/centminlogs
.
For direct acmetool.sh runs, there should be a 2nd & 3rd & 4th log in format /root/centminlogs/centminmod_${DT}_nginx_addvhost_nv.log and /root/centminlogs/acmetool.sh-debug-log-$DT.log and /root/centminlogs/acmesh-issue_*.log or /root/centminlogs/acmesh-reissue_*.log which would need to be included via separate pastebin.com or gist.github.com post.
Enable acmetool.sh debug mode. In persistent config file at /etc/centminmod/custom_config.inc (create it if doesn't exist) add and enable acmetool.sh debug mode which gives much more verbose letsencrypt issuance process information when you re-run acmetool.sh or centmin.sh menu options 2, 22 or /usr/bin/nv command lines.
Code (Text):
ACMEDEBUG='y'
If acme.sh auto renewals didn't happen, check output for the following commands
Code (Text):
grep acme /var/log/cron* | sed -e "s|$(hostname -s)|host|g"
Code (Text):
echo y | /usr/local/src/centminmod/addons/acmetool.sh checkdates
Code (Text):
"/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh"
Without the answers to above questions and logs, there is nothing to help troubleshoot.

Jon Snow · Dec 23, 2017

eva2000 said: ↑

you should have a debug log for that run, post contents to pastebin.com or gist.github.com
Click to expand...

After running the command? Because that was everything on the screen from the post above. Only when I use the reissue command, I think something gets logged.

Do I need to enable acmetool.sh debug mode in persistent config file first?

eva2000 said: ↑

How was the initial letsencrypt ssl certificate obtained ? Which method ?
Click to expand...

I think through :
Code (Text):
./acmetool.sh issue acme.domain.com live
Then I moved the website files to the server.

I'll post the outputs in a bit for the last three commands from your post.

eva2000 · Dec 23, 2017

the live flag makes http + https site available versus ending flag lived which is for https default only site.

Jon Snow said: ↑

Only when I use the reissue command, I think something gets logged.

Do I need to enable acmetool.sh debug mode in persistent config file first?
Click to expand...

not needed as by default now debug mode is set so just the log file contents

Jon Snow · Dec 23, 2017

eva2000 said: ↑

the live flag makes http + https site available versus ending flag lived which is for https default only site.
Click to expand...

It was actually "lived". Somehow I missed the "d" at the end when reading your post, but it came from Using Centmin Mod acmetool.sh addon for Nginx HTTP/2 based HTTPS with free Letsencrypt SSL certificates

Jon Snow · Dec 23, 2017

Code (Text):

grep acme /var/log/cron* | sed -e "s|$(hostname -s)|host|g"
/var/log/cron:Dec 18 00:30:01 host CROND[24385]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
/var/log/cron:Dec 19 00:30:01 host CROND[28562]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
/var/log/cron:Dec 20 00:30:02 host CROND[15806]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
/var/log/cron:Dec 21 00:30:01 host CROND[431]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
/var/log/cron:Dec 22 00:30:02 host CROND[23266]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
/var/log/cron-20171126:Nov 21 00:30:02 host CROND[18002]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
/var/log/cron-20171126:Nov 22 00:30:01 host CROND[31934]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
/var/log/cron-20171126:Nov 23 00:30:01 host CROND[14427]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
/var/log/cron-20171126:Nov 24 00:30:01 host CROND[27637]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
/var/log/cron-20171126:Nov 25 00:30:02 host CROND[8257]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
/var/log/cron-20171126:Nov 26 00:30:02 host CROND[23439]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
/var/log/cron-20171204:Nov 27 00:30:01 host CROND[4575]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
/var/log/cron-20171204:Nov 28 00:30:01 host CROND[18426]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
/var/log/cron-20171204:Nov 29 00:30:02 host CROND[32543]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
/var/log/cron-20171204:Nov 30 00:30:01 host CROND[15234]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
/var/log/cron-20171204:Dec  1 00:30:01 host CROND[30257]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
/var/log/cron-20171204:Dec  2 00:30:02 host CROND[11891]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
/var/log/cron-20171204:Dec  3 00:30:01 host CROND[26173]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
/var/log/cron-20171204:Dec  4 00:30:01 host CROND[9322]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
/var/log/cron-20171210:Dec  5 00:30:01 host CROND[24488]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
/var/log/cron-20171210:Dec  6 00:30:01 host CROND[6947]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
/var/log/cron-20171210:Dec  7 00:30:02 host CROND[22592]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
/var/log/cron-20171210:Dec  8 00:30:02 host CROND[5752]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
/var/log/cron-20171210:Dec  9 00:30:02 host CROND[20525]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
/var/log/cron-20171210:Dec 10 00:30:01 host CROND[2795]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
/var/log/cron-20171217:Dec 11 00:30:02 host CROND[18102]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
/var/log/cron-20171217:Dec 12 00:30:01 host CROND[336]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
/var/log/cron-20171217:Dec 13 00:30:01 host CROND[16127]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
/var/log/cron-20171217:Dec 14 00:30:02 host CROND[31684]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
/var/log/cron-20171217:Dec 15 00:30:01 host CROND[14633]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
/var/log/cron-20171217:Dec 16 00:30:01 host CROND[29005]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
/var/log/cron-20171217:Dec 17 00:30:01 host CROND[10991]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)

eva2000 said: ↑

Code (Text):

echo y | /usr/local/src/centminmod/addons/acmetool.sh checkdates

Code (Text):

echo y | /usr/local/src/centminmod/addons/acmetool.sh checkdates

-------------------------------------------------
acmetool.sh is in beta testing phase
please read & provide bug reports &
feedback for this tool via the forums
https://centminmod.com/acmetool
-------------------------------------------------

----------------------------------------------
nginx installed
----------------------------------------------

----------------------------------------------
acme.sh obtained
----------------------------------------------

Code (Text):

"/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh"
[Fri Dec 22 23:51:09 UTC 2017] ===Starting cron===
[Fri Dec 22 23:51:09 UTC 2017] Renew: 'domain.com'
[Fri Dec 22 23:51:09 UTC 2017] Skip invalid cert for: domain.com
[Fri Dec 22 23:51:09 UTC 2017] ===End cron===

Click to expand...

The site works fine, but just can't renew the SSL certificate because it gives an invalid error.

eva2000 · Dec 23, 2017

so the command below is empty with no listed ssl certs ?
Code (Text):
echo y | /usr/local/src/centminmod/addons/acmetool.sh checkdates
that would suggest somehow you lost the acme.sh config files for your domain's ssl certs that cronjob reads for auto renewals. They should have files at /root/.acme.sh/yourdomain.com/

i.e. for my mysqlmymon.com site the vhost web root path and auto renewal method is listed in /root/.acme.sh/mysqlmymon.com/mysqlmymon.com.conf config file
Code (Text):
ls -lah /root/.acme.sh/mysqlmymon.com/
total 40K
drwxr-xr-x 2 root root 4.0K Feb 11  2017 .
drwx------ 6 root root 4.0K Feb 11  2017 ..
-rw-r--r-- 1 root root 1.7K Nov 13 00:00 ca.cer
-rw-r--r-- 1 root root 3.4K Nov 13 00:00 fullchain.cer
-rw-r--r-- 1 root root 1.8K Nov 13 00:00 mysqlmymon.com.cer
-rw-r--r-- 1 root root  955 Nov 13 00:00 mysqlmymon.com.conf
-rw-r--r-- 1 root root  980 Nov 13 00:00 mysqlmymon.com.csr
-rw-r--r-- 1 root root  213 Nov 13 00:00 mysqlmymon.com.csr.conf
-rw-r--r-- 1 root root 1.7K Sep  2  2016 mysqlmymon.com.key
-rw-r--r-- 1 root root  212 Nov 22  2016 mysqlmymon.com.ssl.conf
what's contents of your /root/.acme.sh/mysqlmymon.com/yourdomain.com.conf

Jon Snow · Dec 23, 2017

Code (Text):

Le_Keylength='2048'
Le_Domain='domain.com'
Le_Alt='www.domain.com'
Le_Webroot='/home/nginx/domains/domain.com/public'
Le_PreHook=''
Le_PostHook=''
Le_RenewHook=''
Le_API='https://acme-v01.api.letsencrypt.org/directory'

The contents of /root/.acme.sh/domain.com/ :

Code (Text):

ls -lah /root/.acme.sh/domain.com/
total 24K
drwxr-xr-x 2 root root 4.0K Nov 13 01:58 .
drwx------ 6 root root 4.0K Dec 21 03:05 ..
-rw-r--r-- 1 root root  237 Dec 21 03:05 domain.com.conf
-rw-r--r-- 1 root root  985 Dec 21 03:05 domain.com.csr
-rw-r--r-- 1 root root  215 Dec 21 03:05 domain.com.csr.conf
-rw-r--r-- 1 root root 1.7K Dec 21 03:05 domain.com.key

eva2000 · Dec 23, 2017

you seem to be missing alot of entries in /root/.acme.sh/mysqlmymon.com/yourdomain.com.conf ?

what's output for
Code (Text):
"/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" --debug

Jon Snow · Dec 23, 2017

Code (Text):

"/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" --debug
[Sat Dec 23 03:25:46 UTC 2017] Lets find script dir.
[Sat Dec 23 03:25:46 UTC 2017] _SCRIPT_='/root/.acme.sh/acme.sh'
[Sat Dec 23 03:25:46 UTC 2017] _script='/root/.acme.sh/acme.sh'
[Sat Dec 23 03:25:46 UTC 2017] _script_home='/root/.acme.sh'
[Sat Dec 23 03:25:46 UTC 2017] Using config home:/root/.acme.sh
https://github.com/Neilpang/acme.sh
v2.7.6
[Sat Dec 23 03:25:46 UTC 2017] Using config home:/root/.acme.sh
[Sat Dec 23 03:25:46 UTC 2017] ===Starting cron===
[Sat Dec 23 03:25:46 UTC 2017] Using config home:/root/.acme.sh
[Sat Dec 23 03:25:46 UTC 2017] _stopRenewOnError
[Sat Dec 23 03:25:46 UTC 2017] di='/root/.acme.sh/domain.com/'
[Sat Dec 23 03:25:46 UTC 2017] d='domain.com'
[Sat Dec 23 03:25:46 UTC 2017] Using config home:/root/.acme.sh
[Sat Dec 23 03:25:46 UTC 2017] DOMAIN_PATH='/root/.acme.sh/domain.com'
[Sat Dec 23 03:25:46 UTC 2017] Renew: 'domain.com'
[Sat Dec 23 03:25:46 UTC 2017] Using config home:/root/.acme.sh
[Sat Dec 23 03:25:46 UTC 2017] Skip invalid cert for: domain.com
[Sat Dec 23 03:25:46 UTC 2017] Return code: 0
[Sat Dec 23 03:25:46 UTC 2017] ===End cron===

eva2000 · Dec 23, 2017

Might need to setup a temp non-https nginx vhost using official vhost generator Generate Centmin Mod Nginx Vhost - CentminMod.com LEMP Nginx web stack for CentOS and temp disable http to https redirect so letsencrypt renewal can read and validate domain on non-https vhost first

then remove non-https vhost and re-enable http to https redirect

Jon Snow · Dec 23, 2017

Didn't work, unfortunately

Same invalid cert error with no log file.

Using this gets a log file though :

Code (Text):

cd /usr/local/src/centminmod/addons
./acmetool.sh reissue domain.com lived

-------------------------------------------------
acmetool.sh is in beta testing phase
please read & provide bug reports &
feedback for this tool via the forums
https://centminmod.com/acmetool
-------------------------------------------------

continue [y/n] ? y

-----------------------------------------------------
updating acme.sh client...
-----------------------------------------------------
It is recommended to install socat first.
We use socat for standalone server if you use standalone mode.
If you don't use standalone mode, just ignore this warning.
Installing to /root/.acme.sh
Installed to /root/.acme.sh/acme.sh
Installing alias to '/root/.bashrc'
OK, Close and reopen your terminal to start using acme.sh
Installing alias to '/root/.cshrc'
Installing alias to '/root/.tcshrc'
Installing cron job
30 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null
Good, bash is found, so change the shebang to use bash as preferred.
OK
https://github.com/Neilpang/acme.sh
v2.7.6
-----------------------------------------------------
acme.sh updated
-----------------------------------------------------
backup & remove /usr/local/nginx/conf/conf.d/domain.com.conf

[self-signed ssl cert check] required by acmetool.sh

[self-signed ssl] /usr/local/nginx/conf/ssl/domain.com/dhparam.pem exists
[self-signed ssl] /usr/local/nginx/conf/ssl/domain.com/domain.com.crt exists
[self-signed ssl] /usr/local/nginx/conf/ssl/domain.com/domain.com.key exists

[sslvhostsetup] create /usr/local/nginx/conf/conf.d/domain.com.ssl.conf

[non-wp] backup & remove /usr/local/nginx/conf/conf.d/domain.com.conf
cat /usr/local/nginx/conf/ssl/domain.com/domain.com.crt.key.conf
ssl_dhparam /usr/local/nginx/conf/ssl/domain.com/dhparam.pem;
ssl_certificate      /usr/local/nginx/conf/ssl/domain.com/domain_com.crt;
ssl_certificate_key  /usr/local/nginx/conf/ssl/domain.com/domain_com.key;
ssl_trusted_certificate /usr/local/nginx/conf/ssl/domain.com/domain.com-trusted.crt;
cp -a /usr/local/nginx/conf/conf.d/domain.com.ssl.conf /usr/local/nginx/conf/conf.d/domain.com.ssl.conf-nonwp2
cat /usr/local/nginx/conf/conf.d/domain.com.ssl.conf-nonwp1 /usr/local/nginx/conf/conf.d/domain.com.ssl.conf-nonwp2 > /usr/local/nginx/conf/conf.d/domain.com.ssl.conf
Reloading nginx configuration (via systemctl):  [  OK  ]

setting HTTPS default in /usr/local/nginx/conf/conf.d/domain.com.ssl.conf

sed -i 's|^##x# HTTPS-DEFAULT|#x# HTTPS-DEFAULT|g' /usr/local/nginx/conf/conf.d/domain.com.ssl.conf

remove /usr/local/nginx/conf/conf.d/domain.com.conf

grep 'root' /usr/local/nginx/conf/conf.d/domain.com.ssl.conf
  root /home/nginx/domains/domain.com/public;
        fastcgi_param   SCRIPT_FILENAME $document_root$fastcgi_script_name;

-----------------------------------------------------------
reissue & install letsencrypt ssl certificate for domain.com
-----------------------------------------------------------
/root/.acme.sh/acme.sh --force --createDomainKey -d domain.com -d www.domain.com -k 2048 --useragent centminmod-centos7-acmesh-webroot
Creating domain key
[Sat Dec 23 04:04:14 UTC 2017] The domain key is here: /root/.acme.sh/domain.com/domain.com.key
testcert value = lived
/root/.acme.sh/acme.sh --force --issue -d domain.com -d www.domain.com --days 60 -w /home/nginx/domains/domain.com/public -k 2048 --useragent centminmod-centos7-acmesh-webroot --log /root/centminlogs/acmetool.sh-debug-log-231217-040403.log --log-level 2
Multi domain='DNS:www.domain.com'
Getting domain auth token for each domain
Getting webroot for domain='domain.com'
Getting new-authz for domain='domain.com'
The new-authz request is ok.
Getting webroot for domain='www.domain.com'
Getting new-authz for domain='www.domain.com'
The new-authz request is ok.
Verifying:domain.com
domain.com:Verify error:Fetching https://domain.com/.well-known/acme-challenge/utHeY9zmAsh_LvptTgU0tGFMHT7SEKSn_TYipjJ8ORs: Connection reset by peer
Please check log file for more details: /root/centminlogs/acmetool.sh-debug-log-231217-040403.log
LECHECK = 1

log files saved at /root/centminlogs
-rw-r--r-- 1 root root  37K Dec 23 04:04 acmetool.sh-debug-log-231217-040403.log
-rw-r--r-- 1 root root 4.8K Dec 23 04:04 acmesh-reissue_231217-040403.log

What's different about this error is that it says "Connection reset by peer".

eva2000 · Dec 23, 2017

post contents of /root/centminlogs/acmetool.sh-debug-log-231217-040403.log to pastebin.com or gist.github.com

Jon Snow · Dec 23, 2017

eva2000 said: ↑

post contents of /root/centminlogs/acmetool.sh-debug-log-231217-040403.log to pastebin.com or gist.github.com
Click to expand...

Done - [Sat Dec 23 04:04:14 UTC 2017] Lets find script dir. [Sat Dec 23 04:04:14 UTC 2 - Pastebin.com

eva2000 · Dec 23, 2017

when you setup temp non-https nginx vhost, did you replicate nginx rules from your https based nginx vhost ?

Please post the contents of /usr/local/nginx/conf/conf.d/newdomain.com.conf and /usr/local/nginx/conf/conf.d/newdomain.com.ssl.conf wrapped in CODE tags (outlined at How to use forum BBCODE code tags)

what is output of these commands in ssh
Code (Text):
curl -I https://domain.com
Code (Text):
curl -I https://www.domain.com
Code (Text):
curl -I http://domain.com
Code (Text):
curl -I http://www.domain.com
wrap output in CODE tags

Jon Snow · Dec 23, 2017

Results :

Code (Text):

curl -I https://domain.com
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Vary: Accept-Encoding
Set-Cookie: xf_session=59f3366ff35d8871e4a5025fb2d28a0c; path=/; secure; httponly
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1
Server: Nginx
X-Powered-By: Nginx
Date: Sat, 23 Dec 2017 05:44:18 GMT
X-Page-Speed: 1.13.35.1-0
Cache-Control: max-age=0, no-cache


curl -I https://www.domain.com
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Vary: Accept-Encoding
Set-Cookie: xf_session=6aa562904a5417ebaaf533f1200a2df1; path=/; secure; httponly
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1
Server: Nginx
X-Powered-By: Nginx
Date: Sat, 23 Dec 2017 05:44:46 GMT
X-Page-Speed: 1.13.35.1-0
Cache-Control: max-age=0, no-cache


curl -I http://domain.com
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Vary: Accept-Encoding
Set-Cookie: xf_session=4b3b30ef4ef2ab002fba37139bff13b0; path=/; secure; httponly
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1
Server: Nginx
X-Powered-By: Nginx
Date: Sat, 23 Dec 2017 05:45:11 GMT
X-Page-Speed: 1.13.35.1-0
Cache-Control: max-age=0, no-cache


curl -I http://www.domain.com
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Vary: Accept-Encoding
Set-Cookie: xf_session=23aee0ed038607aa2cb76266ac293abe; path=/; secure; httponly
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1
Server: Nginx
X-Powered-By: Nginx
Date: Sat, 23 Dec 2017 05:45:27 GMT
X-Page-Speed: 1.13.35.1-0
Cache-Control: max-age=0, no-cache

Posting the vhost contents in the following post.

Jon Snow · Dec 23, 2017

Non-SSL :

Code (Text):

server {
  server_name domain.com www.domain.com;

# ngx_pagespeed & ngx_pagespeed handler
include /usr/local/nginx/conf/pagespeed.conf;
include /usr/local/nginx/conf/pagespeedhandler.conf;
include /usr/local/nginx/conf/pagespeedstatslog.conf;

  #add_header X-Frame-Options SAMEORIGIN;
  #add_header X-Xss-Protection "1; mode=block" always;
  #add_header X-Content-Type-Options "nosniff" always;

  # limit_conn limit_per_ip 16;
  # ssi  on;

  access_log /home/nginx/domains/domain.com/log/access.log combined buffer=256k flush=5m;
  error_log /home/nginx/domains/domain.com/log/error.log;

  root /home/nginx/domains/domain.com/public;

location / {
     index index.php index.html index.htm;
     try_files $uri $uri/ /index.php?$uri&$args;
}

location /install/ {
    auth_basic "Private";
    include /usr/local/nginx/conf/php.conf;
    allow 127.0.0.1;
    deny all;
        } 

location /install/data/ {
    internal;
    allow 127.0.0.1;
    deny all;
}
location /install/templates/ {
    internal;
    allow 127.0.0.1;
    deny all;
}
location /internal_data/ {
    internal;
    allow 127.0.0.1;
    deny all;
}
location /library/ {
    internal;
    allow 127.0.0.1;
    deny all;
}

location ~ \.php$ {
    try_files $uri =404;
    fastcgi_pass    127.0.0.1:9000;
    fastcgi_param   SCRIPT_FILENAME $document_root$fastcgi_script_name;
    include         fastcgi_params;
}


  include /usr/local/nginx/conf/staticfiles.conf;
  include /usr/local/nginx/conf/php.conf;
  #include /usr/local/nginx/conf/drop.conf;
  #include /usr/local/nginx/conf/errorpage.conf;
  include /usr/local/nginx/conf/vts_server.conf;
}

SSL :

Code (Text):

server {
  listen 443 ssl http2;
  server_name domain.com www.domain.com;

  # ssl_dhparam /usr/local/nginx/conf/ssl/domain.com/dhparam.pem;
  ssl_certificate      /usr/local/nginx/conf/ssl/domain.com/domain_com.crt;
  ssl_certificate_key  /usr/local/nginx/conf/ssl/domain.com/domain_com.key;
  include /usr/local/nginx/conf/ssl_include.conf;

  http2_max_field_size 16k;
  http2_max_header_size 32k;
  # mozilla recommended
  ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA256:EECDH+ECDSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+SHA384:EECDH+AES128:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!CAMELLIA;
  ssl_prefer_server_ciphers   on;
  #add_header Alternate-Protocol  443:npn-spdy/3;

  # before enabling HSTS line below read centminmod.com/nginx_domain_dns_setup.html#hsts
  #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
  #add_header X-Frame-Options SAMEORIGIN;
  #add_header X-Xss-Protection "1; mode=block" always;
  #add_header X-Content-Type-Options "nosniff" always;
  #spdy_headers_comp 5;
  ssl_buffer_size 1369;
  ssl_session_tickets on;
 
  # enable ocsp stapling
  #resolver 8.8.8.8 8.8.4.4 valid=10m;
  #resolver_timeout 10s;
  #ssl_stapling on;
  #ssl_stapling_verify on;
  #ssl_trusted_certificate /usr/local/nginx/conf/ssl/domain.com/domain.com-trusted.crt; 

# ngx_pagespeed & ngx_pagespeed handler
 include /usr/local/nginx/conf/pagespeed.conf;
 include /usr/local/nginx/conf/pagespeedhandler.conf;
 include /usr/local/nginx/conf/pagespeedstatslog.conf;

  # limit_conn limit_per_ip 16;
  # ssi  on;

  access_log /home/nginx/domains/domain.com/log/access.log combined buffer=256k flush=5m;
  error_log /home/nginx/domains/domain.com/log/error.log;

  include /usr/local/nginx/conf/autoprotect/domain.com/autoprotect-domain.com.conf;
  root /home/nginx/domains/domain.com/public;
  # uncomment cloudflare.conf include if using cloudflare for
  # server and/or vhost site
  #include /usr/local/nginx/conf/cloudflare.conf;
  include /usr/local/nginx/conf/503include-main.conf;

  # prevent access to ./directories and files
  #location ~ (?:^|/)\. {
  # deny all;
  #} 

  location / {

  try_files $uri $uri/ /index.php?$uri&$args;
  index index.php index.html;

  include /usr/local/nginx/conf/503include-only.conf;

# block common exploits, sql injections etc
#include /usr/local/nginx/conf/block.conf;

  # Enables directory listings when index file not found
  #autoindex  on;

  # Shows file listing times as local time
  #autoindex_localtime on;

  # Wordpress Permalinks example
  #try_files $uri $uri/ /index.php?q=$uri&$args;

  }



location /install/ {
    auth_basic "Private";
    include /usr/local/nginx/conf/php.conf;
    allow 127.0.0.1;
    deny all;
        } 

location /install/data/ {
    internal;
    allow 127.0.0.1;
    deny all;
}
location /install/templates/ {
    internal;
    allow 127.0.0.1;
    deny all;
}
location /internal_data/ {
    internal;
    allow 127.0.0.1;
    deny all;
}
location /library/ {
    internal;
    allow 127.0.0.1;
    deny all;
}

location ~ \.php$ {
    try_files $uri =404;
    fastcgi_pass    127.0.0.1:9000;
    fastcgi_param   SCRIPT_FILENAME $document_root$fastcgi_script_name;
    include         fastcgi_params;
}



  include /usr/local/nginx/conf/pre-staticfiles-local-domain.com.conf;
  include /usr/local/nginx/conf/pre-staticfiles-global.conf;
  include /usr/local/nginx/conf/staticfiles.conf;
  include /usr/local/nginx/conf/php.conf;
 
  #include /usr/local/nginx/conf/drop.conf;
  #include /usr/local/nginx/conf/errorpage.conf;
  include /usr/local/nginx/conf/vts_server.conf;
}

Log in / Register

Forums

Discover Centmin Mod today

Letsencrypt Letsencrypt failed ssl renewal

rdan Well-Known Member

rdan Well-Known Member

eva2000 Administrator Staff Member

Jon Snow Active Member

eva2000 Administrator Staff Member

Centmin Mod Self-Signed SSL Fallback

Troubleshooting

Jon Snow Active Member

eva2000 Administrator Staff Member

Jon Snow Active Member

Jon Snow Active Member

eva2000 Administrator Staff Member

Jon Snow Active Member

eva2000 Administrator Staff Member

Jon Snow Active Member

eva2000 Administrator Staff Member

Jon Snow Active Member

eva2000 Administrator Staff Member

Jon Snow Active Member

eva2000 Administrator Staff Member

Jon Snow Active Member

Jon Snow Active Member

.

Log in / Register

Useful Searches

Discover Centmin Mod today

Letsencrypt Letsencrypt failed ssl renewal

rdan Well-Known Member

rdan Well-Known Member

eva2000 Administrator Staff Member

Jon Snow Active Member

eva2000 Administrator Staff Member

Centmin Mod Self-Signed SSL Fallback

Troubleshooting

Jon Snow Active Member

eva2000 Administrator Staff Member

Jon Snow Active Member

Jon Snow Active Member

eva2000 Administrator Staff Member

Jon Snow Active Member

eva2000 Administrator Staff Member

Jon Snow Active Member

eva2000 Administrator Staff Member

Jon Snow Active Member

eva2000 Administrator Staff Member

Jon Snow Active Member

eva2000 Administrator Staff Member

Jon Snow Active Member

Jon Snow Active Member

.