
SSL Letsencrypt Letsencrypt issuance failed ?

Discussion in 'Domains, DNS, Email & SSL Certificates' started by speedway, Aug 27, 2020.

  1. speedway

    speedway Premium Member Premium Member

    44
    13
    8
    Nov 28, 2015
    Sydney, AUSTRALIA
    Ratings:
    +18
    Local Time:
    10:21 AM
    1.19.2
    Don't Know Right Now
    Why am I getting this when trying to create a letsencrypt cert for my domain?

    Code:
    bsww.com.au:Verify error:Invalid response from http://bsww.com.au/.well-known/acme-challenge/o50kz-w8q-wCDQAKI5GShaUHuBeR6gWRdgnHpol5h4M [158.69.25.2]:
    
    I used the following to generate:
    Code:
    /root/.acme.sh/acme.sh --force --issue --days 60 -d bsww.com.au -d www.bsww.com.au -w /home/nginx/domains/bsww.com.au/public -k 2048 --useragent centminmod-centos-acmesh-webroot --log /root/centminlogs/acmetool.sh-debug-log-bsww.com.au.log --log-level 2
    
    as per Migrating Existing Nginx Vhost From HTTP to HTTP/2 based HTTPS With Letsencrypt SSL Certificates

    The directory DOES exist (along with the other required directory under .well-known):
    Code:
    -rw-r--r--  1 nginx nginx  7278 Aug 13 13:04 readme.html
    drwxrwsrwx  3 nginx nginx  4096 Aug 13 13:36 .well-known
    
    All I am trying to do is create SSL for my domain that already exists but I am now at a loss.....

    Cheers
    Bruce
     
  2. eva2000

    eva2000 Administrator Staff Member

    45,459
    10,315
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +16,000
    Local Time:
    9:21 AM
    Nginx 1.19.x
    MariaDB 5.5/10.x
    Is the domain that already exists running on HTTPS or non-HTTPS currently? Is it behind Cloudflare?

    First try running your intended SSL certificate domain through the letsdebug.net online testing tool to check for potential errors with HTTP-01 validation.

    Also run your HTTPS domain site through SSLLabs tester at SSL Server Test (Powered by Qualys SSL Labs). If it says untrusted SSL cert and prompts to continue the test, continue the test.
     
  3. speedway

    speedway Premium Member Premium Member

    Got it to work by putting this in the .conf file

    Code:
    
    #  # prevent access to ./directories and files
     # location ~ (?:^|/)\. {
     #  deny all;
     # }
    
        # prepare for letsencrypt
        # https://community.centminmod.com/posts/17774/
        location ~ /.well-known { location ~ /.well-known/acme-challenge/(.*) { more_set_headers    "Content-Type: text/plain"; } }
    
    No Cloudflare, OVH dedicated server, current HTTP site moving to HTTPS

    Do I have to have this in the .conf if renewing the cert or is this a one time thing?
     
  4. eva2000

    eva2000 Administrator Staff Member

    Default nginx generated vhosts should have a /usr/local/nginx/conf/staticfiles.conf include file which already has this at the top
    Code (Text):
        # prepare for letsencrypt
        # https://community.centminmod.com/posts/17774/
        location ~ /.well-known { location ~ /.well-known/acme-challenge/(.*) { more_set_headers    "Content-Type: text/plain"; } }
    

    but new 123.09beta01's removed/disabled this part already as it would prevent letsencrypt validations
    Code (Text):
    #  # prevent access to ./directories and files
     # location ~ (?:^|/)\. {
     #  deny all;
     # }
    
     
  5. speedway

    speedway Premium Member Premium Member

    All of my confs were transferred from an old server that was pre 123.09 and only this current server was moved to 123.09 when installing, so anything in them was created prior to this new server.

    Thanks for the heads-up
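
Added example, not part of the thread and not Centmin Mod code: a single-file audit for vhost confs carried over from an older server, reporting whether an active dotfile-deny regex (the block quoted above) would also refuse `/.well-known/acme-challenge/`. The function name `audit_vhost`, the three sample confs and the `^~` prefix exception in `hardened.conf` are assumptions made for illustration; the last one shows a way to keep dotfiles denied while still letting HTTP-01 validation through, instead of commenting the rule out.

```bash
#!/usr/bin/env bash
# Prints BLOCKS_ACME, OK_EXCEPTION or OK_NO_DENY for one vhost file.
# Assumes one server block per file; "include" directives are not followed.
audit_vhost() {
  awk '
    /^[ \t]*#/ { next }                      # commented-out rules are inert
    # "^~" prefix match: nginx skips all regex locations for this path
    /location/ && index($0, "^~") && index($0, "/.well-known/acme-challenge") { prefix = 1 }
    # first regex location mentioning .well-known (regexes are tried in file order)
    /location[ \t]+~\*?[ \t]/ && /well-known/ && !wk { wk = NR }
    # the dotfile-deny regex exactly as quoted in the thread
    /location/ && index($0, "(?:^|/)\\.") && !deny { deny = NR }
    END {
      if (!deny)                            print "OK_NO_DENY"
      else if (prefix || (wk && wk < deny)) print "OK_EXCEPTION"
      else                                  print "BLOCKS_ACME"
    }' "$1"
}

# Constructed sample confs (example.com is a placeholder domain).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat >"$demo_dir/legacy.conf" <<'EOF'
server {
  server_name example.com;
  location ~ (?:^|/)\. {
    deny all;
  }
  include /usr/local/nginx/conf/staticfiles.conf;
}
EOF
cat >"$demo_dir/thread-fix.conf" <<'EOF'
server {
  # location ~ (?:^|/)\. {
  #  deny all;
  # }
  location ~ /.well-known { location ~ /.well-known/acme-challenge/(.*) { more_set_headers "Content-Type: text/plain"; } }
}
EOF
cat >"$demo_dir/hardened.conf" <<'EOF'
server {
  location ^~ /.well-known/acme-challenge/ { default_type text/plain; }
  location ~ (?:^|/)\. { deny all; }
}
EOF
for f in "$demo_dir"/*.conf; do
  printf '%-16s %s\n' "$(basename "$f")" "$(audit_vhost "$f")"
done
```

`OK_NO_DENY` means ACME validation will pass but dot-directories such as `.git` are no longer refused by this vhost, so check what else sits in the webroot.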