
SSL Letsencrypt LETSENCRYPT Failed to install

Discussion in 'Domains, DNS, Email & SSL Certificates' started by Itworx4me, Mar 18, 2019.

  1. Itworx4me

    Itworx4me Member

    Please fill in any relevant information that applies to you:
    • CentOS Version: CentOS 7 64bit
    • Centmin Mod Version Installed: 123.09beta01
    • Nginx Version Installed: 1.15.9
    • PHP Version Installed: 7.3.3
    • MariaDB MySQL Version Installed: 10.1.38
    • When was last time updated Centmin Mod code base ? : today
    • Persistent Config:
      Code (Text):
      LETSENCRYPT_DETECT='y'
      
    I get this error when trying to install letsencrypt:

    Code (Text):
    -- Unit nginx.service has begun reloading its configuration
    Mar 18 13:30:11 firegrilled.domain.com nginx[22000]: nginx: [emerg] cannot load certificate "/usr/local/nginx/conf/ssl/domain.com/domain.com.crt": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such fil
    Mar 18 13:30:11 firegrilled.domain.com nginx[22000]: nginx: configuration file /usr/local/nginx/conf/nginx.conf test failed
    Mar 18 13:30:11 firegrilled.domain.com systemd[1]: nginx.service: control process exited, code=exited status=1
    Mar 18 13:30:11 firegrilled.domain.com systemd[1]: Reload failed for SYSV: Nginx is an HTTP(S) server, HTTP(S) reverse proxy and IMAP/POP3 proxy server.
    -- Subject: Unit nginx.service has finished reloading its configuration
    -- Defined-By: systemd
    -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
    --
    -- Unit nginx.service has finished reloading its configuration
    

    Code (Text):
    * systemd-vconsole-setup.service           loaded failed failed    Setup Virtual Console

    Any idea as to why it failed?

    Thanks,
    Itworx4me
     
    Last edited: Mar 19, 2019
  2. eva2000

    eva2000 Administrator Staff Member

    First try running your intended SSL certificate domain through the letsdebug.net online testing tool to check for potential errors with HTTP-01 validation.

    How was the initial letsencrypt ssl certificate obtained ? Which method ?
    • Was the domain nginx vhost already created prior, or was a new domain nginx vhost site set up for the first time?
    • Via centmin.sh menu option 2, 22, /usr/bin/nv ?
    • If you ran centmin.sh menu option 2 or 22, which letsencrypt option did you select from
      Code (Text):
      -------------------------------------------------------------
      Setup full Nginx vhost + Wordpress + WP Plugins
      -------------------------------------------------------------
      
      Enter vhost domain name you want to add (without www. prefix): acme3.domain1.com
      
      Create a self-signed SSL certificate Nginx vhost? [y/n]: n
      Get Letsencrypt SSL certificate Nginx vhost? [y/n]: y
      
      You have 4 options:
      1. issue staging test cert with HTTP + HTTPS
      2. issue staging test cert with HTTPS default
      3. issue live cert with HTTP + HTTPS
      4. issue live cert with HTTPS default
      Enter option number 1-4: 1
      
    • Via addons/acmetool.sh ? which specific command ? examples
      Code (Text):
      ./acmetool.sh issue acme.domain.com
      
      Code (Text):
      ./acmetool.sh issue acme.domain.com live
      
      Code (Text):
      ./acmetool.sh issue acme.domain.com d
      
      Code (Text):
      ./acmetool.sh issue acme.domain.com lived
      
    • What was order of steps you did ? Did you run centmin.sh menu option 2 first with letsencrypt ? Then did you run addons/acmetool.sh afterwards ?

    Centmin Mod Self-Signed SSL Fallback

    If you're seeing Centmin Mod's self-signed SSL certificate instead of a letsencrypt SSL certificate, that's acmetool.sh and centminmod's fallback: if letsencrypt verification fails to obtain a letsencrypt SSL cert, it falls back to a Centmin Mod self-signed SSL certificate on the https port 443 side so as to preserve the https nginx vhost.

    Troubleshooting

    There are various steps you can do to troubleshoot failed letsencrypt issuances, renews, reissues etc.
    • acmetool.sh logs all command line or shell menu runs to log files at /root/centminlogs. To troubleshoot, copy the contents of the log run and post contents of log to pastebin.com or gist.github.com and share link in this thread. To find the log list the logs in ascending date order
      Code (Text):
      ls -lahrt /root/centminlogs
      .
    • For direct acmetool.sh runs, there should be a 2nd & 3rd & 4th log in format /root/centminlogs/centminmod_${DT}_nginx_addvhost_nv.log and /root/centminlogs/acmetool.sh-debug-log-$DT.log and /root/centminlogs/acmesh-issue_*.log or /root/centminlogs/acmesh-reissue_*.log which would need to be included via separate pastebin.com or gist.github.com post.
    • Enable acmetool.sh debug mode. In the persistent config file at /etc/centminmod/custom_config.inc (create it if it doesn't exist), add and enable acmetool.sh debug mode, which gives much more verbose letsencrypt issuance process information when you re-run acmetool.sh or centmin.sh menu options 2, 22 or /usr/bin/nv command lines.
      Code (Text):
      ACMEDEBUG='y'
    If acme.sh auto renewals didn't happen, check output for the following commands
    Code (Text):
    grep acme /var/log/cron* | sed -e "s|$(hostname -s)|host|g"
    

    Code (Text):
    echo y | /usr/local/src/centminmod/addons/acmetool.sh checkdates
    

    Code (Text):
    "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh"
    

    Code (Text):
    echo | openssl s_client -connect yourdomain.com:443
    

    Without the answers to above questions and logs, there is nothing to help troubleshoot.

    SSLLabs Test

    Also run your HTTPS domain site through the SSLLabs tester at SSL Server Test (Powered by Qualys SSL Labs). If it says untrusted SSL cert and prompts to continue the test, continue the test.
     
  3. Itworx4me

    Itworx4me Member

    @eva2000 I chose option 2 when creating the vhost. I do think I goofed and selected create self-signed ssl. So I went in and deleted the self-signed cert and key. Then I ran these commands:

    Code (Text):
    /root/.acme.sh/acme.sh --force --issue --days 60 -d newdomain.com -d www.newdomain.com -w /home/nginx/domains/newdomain.com/public -k 2048 --useragent centminmod-centos-acmesh-webroot --log /root/centminlogs/acmetool.sh-debug-log-newdomain.com.log --log-level 2


    Code (Text):
    /root/.acme.sh/acme.sh --installcert -d newdomain.com -d www.newdomain.com --certpath /usr/local/nginx/conf/ssl/newdomain.com/newdomain.com-acme.cer --keypath /usr/local/nginx/conf/ssl/newdomain.com/newdomain.com-acme.key --capath /usr/local/nginx/conf/ssl/newdomain.com/newdomain.com-acme.cer --reloadCmd /usr/bin/ngxreload --fullchainpath /usr/local/nginx/conf/ssl/newdomain.com/newdomain.com-fullchain-acme.key


    And this is where those errors ended up happening after running the second command. I went to letsdebug.net and was able to get the ssl to work. At least this happened on my test server rather than the production server. Worst case scenario I would just have to start over.....lol

    Thanks for your help.
    Itworx4me
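
The nginx `[emerg] cannot load certificate` error in the first post means a vhost references a certificate file that is not on disk. As an added example (not part of any post and not Centmin Mod or acme.sh code), this check lists the files named by `ssl_certificate*` directives in a vhost config and reports any that are missing or empty before a reload is attempted. The function names, `vhost.conf` and the sample paths are hypothetical and constructed; paths containing nginx variables or spaces are not handled.

```shell
#!/bin/sh
# Added example: find certificate/key files an nginx vhost references but that
# are absent on disk, so the problem is caught before a reload is attempted.

# Print "directive path" for each ssl_certificate* directive in config file $1.
list_cert_paths() {
    sed -e 's/#.*//' "$1" |
    awk '$1 ~ /^ssl_(certificate|certificate_key|trusted_certificate)$/ {
             p = $2; sub(/;$/, "", p); gsub(/"/, "", p); print $1, p }'
}

# Print the subset of those entries whose file is missing or zero-length.
missing_cert_files() {
    list_cert_paths "$1" | while read -r directive path; do
        [ -s "$path" ] || printf '%s %s\n' "$directive" "$path"
    done
}

# Succeed only when every referenced file exists and is non-empty.
vhost_certs_ok() { [ -z "$(missing_cert_files "$1")" ]; }

# Constructed sample (not from the thread): key present, .crt absent.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/ssl/domain.com"
    echo "constructed placeholder, not a real key" > "$d/ssl/domain.com/domain.com.key"
    cat > "$d/vhost.conf" <<EOF
server {
    listen 443 ssl;
    server_name domain.com;
    # ssl_certificate $d/ssl/domain.com/old-selfsigned.crt;
    ssl_certificate      $d/ssl/domain.com/domain.com.crt;
    ssl_certificate_key  $d/ssl/domain.com/domain.com.key;
}
EOF
    echo "$d"
}

sample=$(make_sample)
if vhost_certs_ok "$sample/vhost.conf"; then
    echo "all referenced certificate files present"
else
    echo "missing or empty:"; missing_cert_files "$sample/vhost.conf"
fi
rm -rf "$sample"
```

A file that exists but is zero-length is reported as well, since nginx cannot load a certificate from it either.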
     
  4. Itworx4me

    Itworx4me Member

    What is the difference between a staging test and a live cert?
    Code (Text):
    You have 4 options:
    1. issue staging test cert with HTTP + HTTPS
    2. issue staging test cert with HTTPS default
    3. issue live cert with HTTP + HTTPS
    4. issue live cert with HTTPS default
     
  5. eva2000

    eva2000 Administrator Staff Member

    staging test ssl cert is same as self-signed ssl cert = not trusted in web browsers

    while live cert is trusted by web browsers and what you would use if you want visitors to visit your https site in web browsers without errors

    if the site is new and no data is there yet, you can just remove the nginx vhost completely and just do a fresh centmin.sh menu option 2 run this time selecting option 3 or 4 from
    Code (Text):
    You have 4 options:
    1. issue staging test cert with HTTP + HTTPS
    2. issue staging test cert with HTTPS default
    3. issue live cert with HTTP + HTTPS
    4. issue live cert with HTTPS default
    
     