Letsencrypt Letsencrypt failed ssl renewal

Removed it

Anything else?

 

Already have but same error Just tried it again and same.

 

No log was created today :



I think the one I attached from the last time in this post is the latest - Letsencrypt - Letsencrypt failed ssl renewal

But that's from running this :

Code (Text):

cd /usr/local/src/centminmod/addons
./acmetool.sh reissue domain.com lived

I'll do that next one soon and post the output.

 

I could have sworn I used Let's Encrypt for this site as I don't remember paying for a certificate Guess I need to write this stuff down now haha.

 

@eva2000 I'm having a similar issue again.

Code (Text):

"/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh"
[Sun Apr 15 20:19:58 UTC 2018] ===Starting cron===
[Sun Apr 15 20:19:58 UTC 2018] Renew: 'domain.com'
[Sun Apr 15 20:19:58 UTC 2018] Skip, Next renewal time is: Fri Apr 20 23:41:52 UTC 2018
[Sun Apr 15 20:19:58 UTC 2018] Add '--force' to force to renew.
[Sun Apr 15 20:19:58 UTC 2018] Skipped domain.com
[Sun Apr 15 20:19:58 UTC 2018] ===End cron===

This is the ending contents if you use the normal re-issue command :

Code (Text):

[Sun Apr 15 18:03:29 UTC 2018] Multi domain='DNS:domain.com,DNS:www.domain.com'
[Sun Apr 15 18:03:29 UTC 2018] Getting domain auth token for each domain
[Sun Apr 15 18:03:29 UTC 2018] Getting webroot for domain='domain.com'
[Sun Apr 15 18:03:29 UTC 2018] Getting new-authz for domain='domain.com'
[Sun Apr 15 18:03:30 UTC 2018] The new-authz request is ok.
[Sun Apr 15 18:03:30 UTC 2018] Getting webroot for domain='www.domain.com'
[Sun Apr 15 18:03:30 UTC 2018] Getting new-authz for domain='www.domain.com'
[Sun Apr 15 18:03:31 UTC 2018] The new-authz request is ok.
[Sun Apr 15 18:03:31 UTC 2018] Verifying:domain.com
[Sun Apr 15 18:03:35 UTC 2018] Pending
[Sun Apr 15 18:03:37 UTC 2018] Pending
[Sun Apr 15 18:03:39 UTC 2018] Pending
[Sun Apr 15 18:03:42 UTC 2018] Pending
[Sun Apr 15 18:03:44 UTC 2018] domain.com:Verify error:Fetching http://domain.com/.well-known/acme-challenge/SvZFbEg51RAe6JV_CfiF6uBFMe52I9kC2FS_YXntJsU: Timeout
[Sun Apr 15 18:03:44 UTC 2018] Please check log file for more details: /root/centminlogs/acmetool.sh-debug-log-150418-180320.log
LECHECK = 1

log files saved at /root/centminlogs
-rw-r--r-- 1 root root  42K Apr 15 18:03 acmetool.sh-debug-log-150418-180320.log
-rw-r--r-- 1 root root 4.7K Apr 15 18:03 acmesh-reissue_150418-180320.log

I commented out drop.conf.
I have the correct wp secure conf and it's in the ssl config.
I tried adding both regular and ssl configs for the domain name.

Nginx SSL config :

Code (Text):

server {
  server_name domain.com www.domain.com;
  return 302 https://$server_name$request_uri;
}

server {
  listen 443 ssl http2;
  server_name domain.com www.domain.com;

  include /usr/local/nginx/conf/ssl/domain.com/domain.com.crt.key.conf;
  include /usr/local/nginx/conf/ssl_include.conf;

  http2_max_field_size 16k;
  http2_max_header_size 32k;
  # mozilla recommended
  ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA256:EECDH+ECDSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+SHA384:EECDH+AES128:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!CAMELLIA;
  ssl_prefer_server_ciphers   on;
  ####add_header Alternate-Protocol  443:npn-spdy/3;

  # before enabling HSTS line below read centminmod.com/nginx_domain_dns_setup.html#hsts
  #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
  #add_header X-Frame-Options SAMEORIGIN;
  #add_header X-Xss-Protection "1; mode=block" always;
  #add_header X-Content-Type-Options "nosniff" always;
  ####spdy_headers_comp 5;
  ssl_buffer_size 1369;
  ssl_session_tickets on;
 
  # enable ocsp stapling
  resolver 8.8.8.8 8.8.4.4 valid=10m;
  resolver_timeout 10s;
  ssl_stapling on;
  ssl_stapling_verify on; 

# ngx_pagespeed & ngx_pagespeed handler
  include /usr/local/nginx/conf/pagespeed.conf;
  include /usr/local/nginx/conf/pagespeedhandler.conf;
  include /usr/local/nginx/conf/pagespeedstatslog.conf;

  # limit_conn limit_per_ip 16;
  # ssi  on;

  access_log /home/nginx/domains/domain.com/log/access.log combined buffer=256k flush=5m;
  error_log /home/nginx/domains/domain.com/log/error.log;

  # include /usr/local/nginx/conf/autoprotect/domain.com/autoprotect-domain.com.conf;
  root /home/nginx/domains/domain.com/public;
  # uncomment cloudflare.conf include if using cloudflare for
  # server and/or vhost site
  #include /usr/local/nginx/conf/cloudflare.conf;
  include /usr/local/nginx/conf/503include-main.conf;

  location / {
  try_files $uri $uri/ /index.php?q=$request_uri;

  include /usr/local/nginx/conf/wpsecure.conf;
  include /usr/local/nginx/conf/wpnocache.conf;
  include /usr/local/nginx/conf/blockbots.conf;
  include /usr/local/nginx/conf/503include-only.conf;

# block common exploits, sql injections etc
#include /usr/local/nginx/conf/block.conf;

  # Enables directory listings when index file not found
  #autoindex  on;

  # Shows file listing times as local time
  #autoindex_localtime on;

  # Enable for vBulletin usage WITHOUT vbSEO installed
  # More example Nginx vhost configurations at
  # http://centminmod.com/nginx_configure.html
  #try_files    $uri $uri/ /index.php;

  }


  include /usr/local/nginx/conf/staticfiles.conf;
  include /usr/local/nginx/conf/php.conf;
  #include /usr/local/nginx/conf/drop.conf;
  #include /usr/local/nginx/conf/errorpage.conf;
  include /usr/local/nginx/conf/vts_server.conf;
}

I removed the first server context when testing the regular config file to get http up.

Will send the log file via PM.

 

Code (Text):

echo | openssl s_client -connect domain.com:443

CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = domain.com
verify return:1
---
Certificate chain
 0 s:/CN=domain.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3

Website works fine and I see the LE SSL cert when clicking "Secure" on the browser address bar.

 

I've already disabled IPv6 and checked using ipconfig.

Should I run those commands with only the ssl config or should I re-add both non-sss and ssl configs?

 

Strangely they were still there. I normally delete them from all my Linode servers since Linode automatically adds them but this one was so old it was still there.

Should I try again, restart anything, make certain changes like re-add non-ssl config etc then run the reissue?

 

@eva2000 That worked.

I tried using SSL Checker - SSL Certificate Verify

But it says :

Maybe it could be cached related? I tried using the website to check before removing the AAAA record.

 

@eva2000 Ran that test and I found some issues:

Handshake Simulation

Android 2.3.7 No SNI 2 Server sent fatal alert: handshake_failure
IE 8 / XP No FS 1 No SNI 2 Server sent fatal alert: handshake_failure
Java 6u45 No SNI 2 Server sent fatal alert: handshake_failure
OpenSSL 0.9.8y Server sent fatal alert: handshake_failure

Is it possible to fix these? My guess is by weakening cipher suites but not sure. I'm aiming to get the site to load in a unique browser people use to visit the site that's on this server. Right now they can't connect with it.