
Letsencrypt Letsencrypt failed ssl renewal

Discussion in 'Domains, DNS, Email & SSL Certificates' started by Jon Snow, Nov 12, 2017.

  1. eva2000

    eva2000 Administrator Staff Member

    36,054
    7,910
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +12,192
    Local Time:
    8:21 AM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    both vhosts don't need
    Code (Text):
    location ~ \.php$ {
       try_files $uri =404;
       fastcgi_pass    127.0.0.1:9000;
       fastcgi_param   SCRIPT_FILENAME $document_root$fastcgi_script_name;
       include         fastcgi_params;
    }
    

    as include file php.conf takes care of that
    Code (Text):
    include /usr/local/nginx/conf/php.conf;
    

    from Nginx Rewrites for Xenforo Friendly Urls - CentminMod.com LEMP Nginx web stack for CentOS
     
  2. Jon Snow

    Jon Snow Active Member

    374
    60
    28
    Jun 30, 2017
    Ratings:
    +90
    Local Time:
    7:21 PM
    Nginx 1.13.9
    MariaDB 10.1.31
    Removed it :cow:

    Anything else? :bookworm:
     
    Last edited by a moderator: Dec 26, 2017
  3. eva2000

    eva2000 Administrator Staff Member

    try and see
     
  4. Jon Snow

    Jon Snow Active Member

    Already have but same error :( Just tried it again and same.
     
  5. eva2000

    eva2000 Administrator Staff Member

    post contents of latest /root/centminlogs/acmetool.sh-debug-log-XXXXX.log to pastebin.com or gist.github.com, where XXXXX is the date timestamp
     
  6. eva2000

    eva2000 Administrator Staff Member

    @Jon Snow also what's the output for the following, replacing yourdomain.com with yours
    Code (Text):
    echo | openssl s_client -connect yourdomain.com:443
    
     
  7. Jon Snow

    Jon Snow Active Member

    No log was created today:

    [attached image: log.png]

    I think the one I attached from the last time in this post is the latest - Letsencrypt - Letsencrypt failed ssl renewal

    But that's from running this :
    Code (Text):
    cd /usr/local/src/centminmod/addons
    ./acmetool.sh reissue domain.com lived

    I'll do that next one soon and post the output.
     
  8. eva2000

    eva2000 Administrator Staff Member

    from your openssl command output shows you have a paid Comodo Positive domain validated SSL certificate already in place, as such letsencrypt aborts issuance of SSL cert AFAIK
    Code (Text):
    echo | openssl s_client -connect domain.com:443
    CONNECTED(00000003)
    depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
    verify return:1
    depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
    verify return:1
    depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Domain Validation Secure Server CA
    verify return:1
    depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = domain.com
    verify return:1
    ---
    Certificate chain
     0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=domain.com
       i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
     1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
       i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
     2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
       i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
     3 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
       i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
    

    a letsencrypt ssl cert would look like this
    Code (Text):
     echo | openssl s_client -connect mysqlmymon.com:443
    CONNECTED(00000003)
    depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
    verify return:1
    depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
    verify return:1
    depth=0 CN = mysqlmymon.com
    verify return:1
    ---
    Certificate chain
     0 s:/CN=mysqlmymon.com
       i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
     1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
       i:/O=Digital Signature Trust Co./CN=DST Root CA X3
    
     
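    The chain comparison above can be automated. The following is an added example, not code from this thread or from Centmin Mod: it parses the "Certificate chain" section that `echo | openssl s_client -connect host:443` prints and reports which CA issued the served leaf certificate. The two samples are constructed from the output quoted above.

```python
import re

# Constructed sample: the Comodo/PositiveSSL chain quoted earlier in this thread.
SAMPLE_COMODO = """\
Certificate chain
 0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=domain.com
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
---
"""

# Constructed sample: the Let's Encrypt chain quoted earlier in this thread.
SAMPLE_LE = """\
Certificate chain
 0 s:/CN=mysqlmymon.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
"""

# One chain entry: " N s:<subject DN>" followed by "   i:<issuer DN>" on the next line.
_ENTRY = re.compile(r"^\s*(\d+) s:(.*)\n\s*i:(.*)$", re.M)

def parse_dn(dn):
    """'/C=US/O=Let's Encrypt/CN=X' -> {'C': 'US', 'O': "Let's Encrypt", 'CN': 'X'}."""
    return dict(part.split("=", 1) for part in dn.strip("/").split("/") if "=" in part)

def parse_chain(output):
    """Return [(depth, subject, issuer), ...] from the 'Certificate chain' section."""
    if "Certificate chain" not in output:
        return []
    section = output.split("Certificate chain", 1)[1].split("\n---", 1)[0]
    return [(int(d), parse_dn(s), parse_dn(i)) for d, s, i in _ENTRY.findall(section)]

def leaf_issuer(output):
    """Issuer DN dict of the served leaf (depth 0), or None if no chain was printed."""
    chain = parse_chain(output)
    return chain[0][2] if chain else None

def is_letsencrypt(output):
    """True when the leaf was issued by Let's Encrypt, as in the second sample above."""
    issuer = leaf_issuer(output)
    return bool(issuer) and "let's encrypt" in issuer.get("O", "").lower()
```

    Feed it the real output with `is_letsencrypt(subprocess.run(["openssl", "s_client", "-connect", "domain.com:443"], input=b"", capture_output=True).stdout.decode())`; a non-Let's Encrypt issuer on depth 0 is the situation eva2000 describes.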
  9. Jon Snow

    Jon Snow Active Member

    I could have sworn I used Let's Encrypt for this site as I don't remember paying for a certificate :facepalm: Guess I need to write this stuff down now haha.
     
  10. Jon Snow

    Jon Snow Active Member

    @eva2000 I'm having a similar issue again.
    Code (Text):
    "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh"
    [Sun Apr 15 20:19:58 UTC 2018] ===Starting cron===
    [Sun Apr 15 20:19:58 UTC 2018] Renew: 'domain.com'
    [Sun Apr 15 20:19:58 UTC 2018] Skip, Next renewal time is: Fri Apr 20 23:41:52 UTC 2018
    [Sun Apr 15 20:19:58 UTC 2018] Add '--force' to force to renew.
    [Sun Apr 15 20:19:58 UTC 2018] Skipped domain.com
    [Sun Apr 15 20:19:58 UTC 2018] ===End cron===


    These are the ending contents if you use the normal re-issue command:


    Code (Text):
    [Sun Apr 15 18:03:29 UTC 2018] Multi domain='DNS:domain.com,DNS:www.domain.com'
    [Sun Apr 15 18:03:29 UTC 2018] Getting domain auth token for each domain
    [Sun Apr 15 18:03:29 UTC 2018] Getting webroot for domain='domain.com'
    [Sun Apr 15 18:03:29 UTC 2018] Getting new-authz for domain='domain.com'
    [Sun Apr 15 18:03:30 UTC 2018] The new-authz request is ok.
    [Sun Apr 15 18:03:30 UTC 2018] Getting webroot for domain='www.domain.com'
    [Sun Apr 15 18:03:30 UTC 2018] Getting new-authz for domain='www.domain.com'
    [Sun Apr 15 18:03:31 UTC 2018] The new-authz request is ok.
    [Sun Apr 15 18:03:31 UTC 2018] Verifying:domain.com
    [Sun Apr 15 18:03:35 UTC 2018] Pending
    [Sun Apr 15 18:03:37 UTC 2018] Pending
    [Sun Apr 15 18:03:39 UTC 2018] Pending
    [Sun Apr 15 18:03:42 UTC 2018] Pending
    [Sun Apr 15 18:03:44 UTC 2018] domain.com:Verify error:Fetching http://domain.com/.well-known/acme-challenge/SvZFbEg51RAe6JV_CfiF6uBFMe52I9kC2FS_YXntJsU: Timeout
    [Sun Apr 15 18:03:44 UTC 2018] Please check log file for more details: /root/centminlogs/acmetool.sh-debug-log-150418-180320.log
    LECHECK = 1
    
    log files saved at /root/centminlogs
    -rw-r--r-- 1 root root  42K Apr 15 18:03 acmetool.sh-debug-log-150418-180320.log
    -rw-r--r-- 1 root root 4.7K Apr 15 18:03 acmesh-reissue_150418-180320.log


    I commented out drop.conf.
    I have the correct wp secure conf and it's in the ssl config.
    I tried adding both regular and ssl configs for the domain name.

    Nginx SSL config :
    Code (Text):
    server {
      server_name domain.com www.domain.com;
      return 302 https://$server_name$request_uri;
    }
    
    server {
      listen 443 ssl http2;
      server_name domain.com www.domain.com;
    
      include /usr/local/nginx/conf/ssl/domain.com/domain.com.crt.key.conf;
      include /usr/local/nginx/conf/ssl_include.conf;
    
      http2_max_field_size 16k;
      http2_max_header_size 32k;
      # mozilla recommended
      ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA256:EECDH+ECDSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+SHA384:EECDH+AES128:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!CAMELLIA;
      ssl_prefer_server_ciphers   on;
      ####add_header Alternate-Protocol  443:npn-spdy/3;
    
      # before enabling HSTS line below read centminmod.com/nginx_domain_dns_setup.html#hsts
      #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
      #add_header X-Frame-Options SAMEORIGIN;
      #add_header X-Xss-Protection "1; mode=block" always;
      #add_header X-Content-Type-Options "nosniff" always;
      ####spdy_headers_comp 5;
      ssl_buffer_size 1369;
      ssl_session_tickets on;
     
      # enable ocsp stapling
      resolver 8.8.8.8 8.8.4.4 valid=10m;
      resolver_timeout 10s;
      ssl_stapling on;
      ssl_stapling_verify on; 
    
    # ngx_pagespeed & ngx_pagespeed handler
      include /usr/local/nginx/conf/pagespeed.conf;
      include /usr/local/nginx/conf/pagespeedhandler.conf;
      include /usr/local/nginx/conf/pagespeedstatslog.conf;
    
      # limit_conn limit_per_ip 16;
      # ssi  on;
    
      access_log /home/nginx/domains/domain.com/log/access.log combined buffer=256k flush=5m;
      error_log /home/nginx/domains/domain.com/log/error.log;
    
      # include /usr/local/nginx/conf/autoprotect/domain.com/autoprotect-domain.com.conf;
      root /home/nginx/domains/domain.com/public;
      # uncomment cloudflare.conf include if using cloudflare for
      # server and/or vhost site
      #include /usr/local/nginx/conf/cloudflare.conf;
      include /usr/local/nginx/conf/503include-main.conf;
    
      location / {
      try_files $uri $uri/ /index.php?q=$request_uri;
    
      include /usr/local/nginx/conf/wpsecure.conf;
      include /usr/local/nginx/conf/wpnocache.conf;
      include /usr/local/nginx/conf/blockbots.conf;
      include /usr/local/nginx/conf/503include-only.conf;
    
    # block common exploits, sql injections etc
    #include /usr/local/nginx/conf/block.conf;
    
      # Enables directory listings when index file not found
      #autoindex  on;
    
      # Shows file listing times as local time
      #autoindex_localtime on;
    
      # Enable for vBulletin usage WITHOUT vbSEO installed
      # More example Nginx vhost configurations at
      # http://centminmod.com/nginx_configure.html
      #try_files    $uri $uri/ /index.php;
    
      }
    
    
      include /usr/local/nginx/conf/staticfiles.conf;
      include /usr/local/nginx/conf/php.conf;
      #include /usr/local/nginx/conf/drop.conf;
      #include /usr/local/nginx/conf/errorpage.conf;
      include /usr/local/nginx/conf/vts_server.conf;
    }

    I removed the first server context when testing the regular config file to get http up.

    Will send the log file via PM.
     
  11. Jon Snow

    Jon Snow Active Member

    Code (Text):
    echo | openssl s_client -connect domain.com:443
    
    CONNECTED(00000003)
    depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
    verify return:1
    depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
    verify return:1
    depth=0 CN = domain.com
    verify return:1
    ---
    Certificate chain
     0 s:/CN=domain.com
       i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
     1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
       i:/O=Digital Signature Trust Co./CN=DST Root CA X3


    Website works fine and I see the LE SSL cert when clicking "Secure" on the browser address bar.
     
  12. eva2000

    eva2000 Administrator Staff Member

    tried disabling/commenting out the include file for include /usr/local/nginx/conf/blockbots.conf; ?
     
  13. eva2000

    eva2000 Administrator Staff Member

    also what's output for these 2 commands
    Code (Text):
    curl -4Ivs https://acme-v01.api.letsencrypt.org 2>&1 | grep -C10 'Connected to'
    

    Code (Text):
    curl -6Ivs https://acme-v01.api.letsencrypt.org 2>&1 | grep -C10 'Connected to'
    

    double check if you have working IPv6 networking on server and domain? If not working, remove your IPv6 AAAA DNS record from your domain so letsencrypt can resolve and verify your domain using the IPv4 A DNS record instead

    use same commands to verify IPv6 works for yourdomain.com
    Code (Text):
    curl -4Ivs https://yourdomain.com 2>&1 | grep -C10 'Connected to'
    

    Code (Text):
    curl -6Ivs https://yourdomain.com 2>&1 | grep -C10 'Connected to'
    
     
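    The IPv4/IPv6 checks above, as an added example that is not from this thread or from acmetool.sh's checkdomains option: it resolves the domain's A and AAAA records, fetches the HTTP-01 challenge path over each published address separately, and maps the result to the action this thread converges on. The placeholder token and the verdict rule (an unreachable AAAA is the first thing to fix, because validation is attempted over IPv6 when an AAAA record exists) are assumptions.

```python
import socket
import http.client

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"

def challenge_path(token):
    """Path the CA fetches for HTTP-01 (token is the value acme.sh logs)."""
    return CHALLENGE_PREFIX + token

def resolve(domain):
    """Return {'A': [...], 'AAAA': [...]} as published for the domain."""
    records = {"A": [], "AAAA": []}
    try:
        for family, _, _, _, sockaddr in socket.getaddrinfo(domain, 80, type=socket.SOCK_STREAM):
            key = "A" if family == socket.AF_INET else "AAAA"
            if sockaddr[0] not in records[key]:
                records[key].append(sockaddr[0])
    except socket.gaierror:
        pass
    return records

def fetch_over(address, host, path, timeout=5.0):
    """GET `path` from one literal address with the vhost's Host header.
    Any HTTP status (200, 302, 404) proves nginx answered on that family;
    None means timeout/refused, which the CA reports as 'Timeout'."""
    try:
        conn = http.client.HTTPConnection(address, 80, timeout=timeout)
        conn.request("GET", path, headers={"Host": host})
        return conn.getresponse().status
    except (OSError, http.client.HTTPException):
        return None

def diagnose(records, statuses):
    """Map per-address results to the action this thread converged on.
    Assumed rule: a published AAAA that is unreachable over IPv6 is the
    first thing to fix, since validation tries IPv6 when AAAA exists."""
    if not records["A"] and not records["AAAA"]:
        return "no A or AAAA record: validation cannot reach the host"
    if any(statuses.get(a) is None for a in records["AAAA"]):
        return "AAAA published but IPv6 unreachable: remove AAAA or fix IPv6"
    if any(statuses.get(a) is None for a in records["A"]):
        return "IPv4 unreachable: check port 80 vhost, firewall and redirects"
    return "challenge path reachable over every published address"

def check_domain(domain, token="TOKEN-PLACEHOLDER"):  # constructed placeholder token
    records = resolve(domain)
    path = challenge_path(token)
    statuses = {a: fetch_over(a, domain, path) for addrs in records.values() for a in addrs}
    return diagnose(records, statuses)
```

    `check_domain("yourdomain.com")` runs the live probe; the verdict strings are what the thread's own sequence of checks (curl -4/-6, AAAA removal) establishes by hand.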
  14. Jon Snow

    Jon Snow Active Member

    I've already disabled IPv6 and checked using ipconfig.

    Should I run those commands with only the ssl config or should I re-add both non-ssl and ssl configs?
     
  15. eva2000

    eva2000 Administrator Staff Member

    disabling IPv6 is one thing, but did you remove the AAAA DNS record too?

    updated acmetool.sh with checkdomains option to automate such checks https://community.centminmod.com/th...tmin-mod-123-09beta01.8290/page-24#post-62477 for troubleshooting issues like yours
     
  16. Jon Snow

    Jon Snow Active Member

    Strangely they were still there. I normally delete them from all my Linode servers since Linode automatically adds them but this one was so old it was still there.

    Should I try again, restart anything, make certain changes like re-add non-ssl config etc then run the reissue?
     
  17. eva2000

    eva2000 Administrator Staff Member

    just remove the AAAA DNS record from your domain, wait up to 24hrs and re-try the cronjob command with the force option
    Code (Text):
    "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" --force
    
     
  18. Jon Snow

    Jon Snow Active Member

    @eva2000 That worked.

    I tried using SSL Checker - SSL Certificate Verify

    But it says :
    Maybe it could be cached related? I tried using the website to check before removing the AAAA record.
     
  19. eva2000

    eva2000 Administrator Staff Member

  20. Jon Snow

    Jon Snow Active Member

    @eva2000 Ran that test and I found some issues:

    Handshake Simulation

    Android 2.3.7 No SNI 2 Server sent fatal alert: handshake_failure
    IE 8 / XP No FS 1 No SNI 2 Server sent fatal alert: handshake_failure
    Java 6u45 No SNI 2 Server sent fatal alert: handshake_failure
    OpenSSL 0.9.8y Server sent fatal alert: handshake_failure

    Is it possible to fix these? My guess is by weakening cipher suites but not sure. I'm aiming to get the site to load in a unique browser people use to visit the site that's on this server. Right now they can't connect with it.
     