Want more timely Centmin Mod News Updates?
Become a Member

Beta Branch LetsEncrypt issue

Discussion in 'Beta release code' started by Matt Williams, Dec 7, 2015.

  1. Matt Williams

    Matt Williams WordPress Fanatic

    468
    90
    28
    Nov 22, 2014
    Virginia, USA
    Ratings:
    +135
    Local Time:
    3:23 AM
    latest
    10
    Installed beta09le and ran auto WP setup and selected to get the LetsEncrypt SSL ad at the end I get:

    What does it mean lacks sufficient authorization? I thought they were in public beta now?
     
  2. eva2000

    eva2000 Administrator Staff Member

    28,971
    6,575
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +9,758
    Local Time:
    5:23 PM
    Nginx 1.13.x
    MariaDB 5.5
    2 reasons this could happen

    1. the .well-know url isn't working properly in Centmin Mod's Nginx implementation i.e. 403 error is permission denied
    2. you're hitting LE server side rate limits set during public beta see SSL - Letsencrypt Free SSL Public Beta December 3th 6PM GMT | Centmin Mod Community
    so if wphstest3.xyz domain and subdomains total more than 5 per 7 days, you'll hit a rate limit. So if you have main wphstest3.xyz and 4 subdomains off it, you would hit 5 certs per domain limit per 7 days.
     
  3. Matt Williams

    Matt Williams WordPress Fanatic

    468
    90
    28
    Nov 22, 2014
    Virginia, USA
    Ratings:
    +135
    Local Time:
    3:23 AM
    latest
    10
    I've only run this once. This is my first time ever trying to use LetsEncrypt so it must be option #1?
     
  4. eva2000

    eva2000 Administrator Staff Member

    28,971
    6,575
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +9,758
    Local Time:
    5:23 PM
    Nginx 1.13.x
    MariaDB 5.5
    try verbose manual run with -v and see

    Code:
    /root/.local/share/letsencrypt/bin/letsencrypt -c /etc/letsencrypt/webroot.ini --user-agent centminmod-centos7-webroot --webroot-path /home/nginx/domains/wphstest3.xyz/public -d wphstest3.xyz -d www.wphstest3.xyz certonly -v
    
    see what the output shows - post to gist or pastebin
     
  5. Matt Williams

    Matt Williams WordPress Fanatic

    468
    90
    28
    Nov 22, 2014
    Virginia, USA
    Ratings:
    +135
    Local Time:
    3:23 AM
    latest
    10
    Same thing:
    Should I just try a new Domain with a different Registration email during menu Opt. 22?
     
  6. Matt Williams

    Matt Williams WordPress Fanatic

    468
    90
    28
    Nov 22, 2014
    Virginia, USA
    Ratings:
    +135
    Local Time:
    3:23 AM
    latest
    10
    The whole thing:

    Code:
    [root@vultr ~]# /root/.local/share/letsencrypt/bin/letsencrypt -c /etc/letsencrypt/webroot.ini --user-agent centminmod-centos7-webroot --webroot-path /home/nginx/domains/wphstest3.xyz/public -d wphstest3.xyz -d wphstest3.xyz certonly -v
    2015-12-07 03:32:27,693:INFO:letsencrypt.cli:Saving debug log to /var/log/letsencrypt/letsencrypt.log
    2015-12-07 03:32:27,716:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
    2015-12-07 03:32:28,102:INFO:letsencrypt.crypto_util:Generating key (2048 bits): /etc/letsencrypt/keys/0001_key-letsencrypt.pem
    2015-12-07 03:32:28,106:INFO:letsencrypt.crypto_util:Creating CSR: /etc/letsencrypt/csr/0001_csr-letsencrypt.pem
    2015-12-07 03:32:28,108:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
    2015-12-07 03:32:28,192:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
    2015-12-07 03:32:28,322:INFO:letsencrypt.auth_handler:Performing the following challenges:
    2015-12-07 03:32:28,322:INFO:letsencrypt.auth_handler:http-01 challenge for wphstest3.xyz
    2015-12-07 03:32:28,330:INFO:letsencrypt.auth_handler:Waiting for verification...
    2015-12-07 03:32:28,337:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
    2015-12-07 03:32:31,456:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
    2015-12-07 03:32:31,539:INFO:letsencrypt.reporter:Reporting to user: The following 'urn:acme:error:unauthorized' errors were reported by the server:
    
    Domains: wphstest3.xyz
    Error: The client lacks sufficient authorization
    2015-12-07 03:32:31,540:INFO:letsencrypt.auth_handler:Cleaning up challenges
    Failed authorization procedure. wphstest3.xyz (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://wphstest3.xyz/.well-known/acme-challenge/jzYdRsFj6wRXsUzrQ68uISRrv1HiBdEJyt9givOGBqc [108.61.119.113]: 403
    
     
  7. eva2000

    eva2000 Administrator Staff Member

    28,971
    6,575
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +9,758
    Local Time:
    5:23 PM
    Nginx 1.13.x
    MariaDB 5.5
    you can wipe the test nginx vhost using the generated output at bottom when you created a nginx vhost, you would of gotten some rm -rf lines which remove the nginx vhost etc so you can try same domain again

    also post the output for your /usr/local/nginx/conf/staticfiles.conf file which has the .well-know url support added which allows LE validations
    i.e.
    Code:
        # prepare for letsencrypt
        # https://community.centminmod.com/posts/17774/
        location ~ ^/.well-known {
            location ~ ^/.well-known/acme-challenge/(.*) {
                    default_type text/plain;
                    charset off;
            }
        }
     
  8. eva2000

    eva2000 Administrator Staff Member

    28,971
    6,575
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +9,758
    Local Time:
    5:23 PM
    Nginx 1.13.x
    MariaDB 5.5
    also post your contents in CODE tags for your /usr/local/nginx/conf/conf.d/wphstest3.xyz.ssl.conf and /usr/local/nginx/conf/conf.d/wphstest3.xyz.conf vhost config files
     
  9. Matt Williams

    Matt Williams WordPress Fanatic

    468
    90
    28
    Nov 22, 2014
    Virginia, USA
    Ratings:
    +135
    Local Time:
    3:23 AM
    latest
    10
    Do I create a Self Signed SSL?
     
  10. eva2000

    eva2000 Administrator Staff Member

    28,971
    6,575
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +9,758
    Local Time:
    5:23 PM
    Nginx 1.13.x
    MariaDB 5.5
    yes it's required before LE can work as self-signed ssl creates ssl nginx vhost structure and config first and LE utilises that and replaces self-signed ssl cert with LE SSL cert when successful. If LE validation fails, then self-signed ssl cert is left in place
     
  11. Matt Williams

    Matt Williams WordPress Fanatic

    468
    90
    28
    Nov 22, 2014
    Virginia, USA
    Ratings:
    +135
    Local Time:
    3:23 AM
    latest
    10
    /usr/local/nginx/conf/staticfiles.conf had this at the top:

    Code:
    # Centmin Mod Getting Started Guide
    # must read http://centminmod.com/getstarted.html
    # For SPDY SSL Setup
    # read http://centminmod.com/nginx_configure_https_ssl_spdy.html
    
    # redirect from www to non-www  forced SSL
    # uncomment, save file and restart Nginx to enable
    # if unsure use return 302 before using return 301
    # server {
    #   server_name wphstest3.xyz www.wphstest3.xyz;
    #    return 302 https://$server_name$request_uri;
    # }
    
    server {
      listen 443 ssl http2;
      server_name wphstest3.xyz www.wphstest3.xyz;
    
      ssl_dhparam /usr/local/nginx/conf/ssl/wphstest3.xyz/dhparam.pem;
      ssl_certificate      /usr/local/nginx/conf/ssl/wphstest3.xyz/wphstest3.xyz.crt;
      ssl_certificate_key  /usr/local/nginx/conf/ssl/wphstest3.xyz/wphstest3.xyz.key;
      include /usr/local/nginx/conf/ssl_include.conf;
    
      # mozilla recommended
      ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM$
      ssl_prefer_server_ciphers   on;
      #add_header Alternate-Protocol  443:npn-spdy/3;
      # HTTP Public Key Pinning Header uncomment only one that applies include or exclude domains.
      # You'd want to include subdomains if you're using SSL wildcard certificates
      # include subdomain
      #add_header Public-Key-Pins 'pin-sha256="Xy8HBUE2Myob4Xs7CvS2/uwBGc1OE9PCM+1p1QxhidA="; pin-sha256="iVRmyhRfMry8GSSM8d+bGh8aIzAFbfe2RtesQ0gDS0c="; max-age=86400; includeSubDomains';
      # exclude subdomains
      #add_header Public-Key-Pins 'pin-sha256="Xy8HBUE2Myob4Xs7CvS2/uwBGc1OE9PCM+1p1QxhidA="; pin-sha256="iVRmyhRfMry8GSSM8d+bGh8aIzAFbfe2RtesQ0gDS0c="; max-age=86400';
      #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
      #add_header  X-Content-Type-Options "nosniff";
      #add_header X-Frame-Options DENY;
      #spdy_headers_comp 5;
      ssl_buffer_size 1400;
      ssl_session_tickets on;
    
      # enable ocsp stapling
      #resolver 8.8.8.8 8.8.4.4 valid=10m;
      #resolver_timeout 10s;
      #ssl_stapling on;
      #ssl_stapling_verify on;
      #ssl_trusted_certificate /usr/local/nginx/conf/ssl/wphstest3.xyz/wphstest3.xyz-trusted.crt;
    
    

    Code:
    # Centmin Mod Getting Started Guide
    # must read http://centminmod.com/getstarted.html
    
    # redirect from non-www to www
    # uncomment, save file and restart Nginx to enable
    # if unsure use return 302 before using return 301
    #server {
    #            listen   80;
    #            server_name wphstest3.xyz;
    #            return 301 $scheme://www.wphstest3.xyz$request_uri;
    #       }
    
    server {
      server_name wphstest3.xyz www.wphstest3.xyz;
    
    # ngx_pagespeed & ngx_pagespeed handler
    #include /usr/local/nginx/conf/pagespeed.conf;
    #include /usr/local/nginx/conf/pagespeedhandler.conf;
    #include /usr/local/nginx/conf/pagespeedstatslog.conf;
    
      # limit_conn limit_per_ip 16;
      # ssi  on;
    
      access_log /home/nginx/domains/wphstest3.xyz/log/access.log combined buffer=256k$
      error_log /home/nginx/domains/wphstest3.xyz/log/error.log;
    
      root /home/nginx/domains/wphstest3.xyz/public;
    
      # prevent access to ./directories and files
      #location ~ (?:^|/)\. {
      # deny all;
      #}
    
    include /usr/local/nginx/conf/wpsupercache_wphstest3.xyz.conf;
    # https://community.centminmod.com/posts/18828/
    #include /usr/local/nginx/conf/rediscache_wphstest3.xyz.conf;
    
      location / {
    
      # Enables directory listings when index file not found
      #autoindex  on;
    
      # for wordpress super cache plugin
      try_files /wp-content/cache/supercache/$http_host/$cache_uri/index.html $uri $ur$
    
      # Wordpress Permalinks
      #try_files $uri $uri/ /index.php?q=$uri&$args;
    
      # Nginx level redis Wordpress
      # https://community.centminmod.com/posts/18828/
      #try_files $uri $uri/ /index.php?$args;
    
      }
    
    location ~* /(wp-login\.php) {
        limit_req zone=xwplogin burst=1 nodelay;
        #limit_conn xwpconlimit 30;
        auth_basic "Private";
    
     
  12. Matt Williams

    Matt Williams WordPress Fanatic

    468
    90
    28
    Nov 22, 2014
    Virginia, USA
    Ratings:
    +135
    Local Time:
    3:23 AM
    latest
    10
    The second run had the same output:

    Code:
    letsencrypt client is installed at:
    /root/.local/share/letsencrypt/bin/letsencrypt
    ----------------------------------------------------
    
    
    obtaining Letsencrypt SSL certificate via webroot authentication...
    
    /root/.local/share/letsencrypt/bin/letsencrypt -c /etc/letsencrypt/webroot.ini --usphstest3.xyz/public -d wphstest3.xyz -d www.wphstest3.xyz certonly
    Failed authorization procedure. wphstest3.xyz (http-01): urn:acme:error:unauthorizehttp://wphstest3.xyz/.well-known/acme-challenge/O-p-5iUF1Ww9Fu9uIQQ4THoHpu_Zy3lCia1ror:unauthorized :: The client lacks sufficient authorization :: Invalid response fqz1-BsW3WB1JcnmIicfiniEHK7c [IP]: 403
    IMPORTANT NOTES:
    - The following 'urn:acme:error:unauthorized' errors were reported by
       the server:
    
       Domains: wphstest3.xyz, www.wphstest3.xyz
       Error: The client lacks sufficient authorization
    
     
  13. eva2000

    eva2000 Administrator Staff Member

    28,971
    6,575
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +9,758
    Local Time:
    5:23 PM
    Nginx 1.13.x
    MariaDB 5.5
    did you enable drop.conf include in your vhost as that's the only other place I know with dot prefix file and directory blocking which could interfere with .well-known uri access by LE servers for validation
     
  14. Matt Williams

    Matt Williams WordPress Fanatic

    468
    90
    28
    Nov 22, 2014
    Virginia, USA
    Ratings:
    +135
    Local Time:
    3:23 AM
    latest
    10
    It's enabled in both ssl.conf and the non conf - should I comment them then re run:

    Code:
    /root/.local/share/letsencrypt/bin/letsencrypt -c /etc/letsencrypt/webroot.ini --user-agent centminmod-centos7-webroot --webroot-path /home/nginx/domains/wphstest3.xyz/public -d wphstest3.xyz -d www.wphstest3.xyz certonly -v
    
     
  15. eva2000

    eva2000 Administrator Staff Member

    28,971
    6,575
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +9,758
    Local Time:
    5:23 PM
    Nginx 1.13.x
    MariaDB 5.5
    yeah try that although it worked for me with drop.conf enabled
     
  16. eva2000

    eva2000 Administrator Staff Member

    28,971
    6,575
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +9,758
    Local Time:
    5:23 PM
    Nginx 1.13.x
    MariaDB 5.5
    You can also check /home/nginx/domains/wphstest3.xyz/log/access.log to see 403 error details too
     
  17. Matt Williams

    Matt Williams WordPress Fanatic

    468
    90
    28
    Nov 22, 2014
    Virginia, USA
    Ratings:
    +135
    Local Time:
    3:23 AM
    latest
    10
    Same thing - very strange
     
  18. Matt Williams

    Matt Williams WordPress Fanatic

    468
    90
    28
    Nov 22, 2014
    Virginia, USA
    Ratings:
    +135
    Local Time:
    3:23 AM
    latest
    10
    I see this:

     
  19. eva2000

    eva2000 Administrator Staff Member

    28,971
    6,575
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +9,758
    Local Time:
    5:23 PM
    Nginx 1.13.x
    MariaDB 5.5
    oh you're using cloudflare intoDNS: wphstest3.xyz - check DNS server and mail server health ? won't work with cloudflare in front of server!

    i added a check for that in 123.09beta01le maybe you didn't get that update yet update letsencrypt integration add cloudflare check · centminmod/centminmod@8366122 · GitHub ?

    also cloudflare note at SSL - Letsencrypt Free SSL Public Beta December 3th 6PM GMT | Centmin Mod Community
     
  20. Matt Williams

    Matt Williams WordPress Fanatic

    468
    90
    28
    Nov 22, 2014
    Virginia, USA
    Ratings:
    +135
    Local Time:
    3:23 AM
    latest
    10
    I turned Cloudflare off " Clicked the cloud off" but forgot to turn it completely off and only use the DNS :rolleyes:
    I'll try again in 10-15 minutes

    I'm only using the DNS on Cloudflare. You can use the DNS only right?