
Letsencrypt

Discussion in 'Install & Upgrades or Pre-Install Questions' started by lostincable, Jun 6, 2022.

  1. lostincable (New Member)

    Hi there

    I have had centminmod running for a while now with no issues.

    I added a bunch of new vhosts and letsencrypt blocked me for too many requests.

    The last vhost got a staging certificate when we got blocked.

    I am now out of the block period but trying to change from a staging certificate to a live certificate.

    Whenever I run the acmetool reissue with reissue force + lived, I get a staging certificate, not a live certificate.

    What is the correct way to

    a) remove all ssl staging certs without deleting the entire vhost
    b) request a live certificate from letsencrypt

    Thanks.
     
  2. eva2000 (Administrator, Staff Member)

    What were the exact steps you took to add these new Nginx vhosts?

    What is the exact error message you get when you are 'blocked'?

    Strange, unless letsencrypt or the acme.sh client which is used by addons/acmetool.sh is doing an auto switch to a staging SSL cert; then it wouldn't be something I coded for Centmin Mod. When Centmin Mod via centmin.sh menu option 2, 22 or the nv command tries to get Letsencrypt SSL certificates, it does so via addons/acmetool.sh, and it's coded so that when Letsencrypt SSL certificate issuance fails, it falls back to the Centmin Mod created self-signed SSL non-trusted browser certificates and not to Letsencrypt staging.

    First try running your intended SSL certificate domain through the letsdebug.net online testing tool to check for potential errors with HTTP-01 validation. If you created a Centmin Mod 123.09beta01 or higher Nginx site with Letsencrypt via centmin.sh menu option 2, 22 or the nv command line, you now also have an automatic letsdebug.net API check log saved at /root/centminlogs/letsdebug-yourdomain.com-${DT}.log, where yourdomain.com is the domain specified during nginx vhost creation and DT is the date/timestamp. Inspecting the /root/centminlogs/letsdebug-yourdomain.com-${DT}.log log will also give you clues as to why letsencrypt SSL certificate issuance failed.

    How was the initial letsencrypt SSL certificate obtained? Which method?
    • Was the domain nginx vhost already created prior, or was the new domain nginx vhost site set up for the first time?
    • Via centmin.sh menu option 2, 22, /usr/bin/nv?
    • If you ran centmin.sh menu option 2 or 22, which letsencrypt option did you select from
      Code (Text):
      -------------------------------------------------------------
      Setup full Nginx vhost + Wordpress + WP Plugins
      -------------------------------------------------------------
      
      Enter vhost domain name you want to add (without www. prefix): acme3.domain1.com
      
      Create a self-signed SSL certificate Nginx vhost? [y/n]: n
      Get Letsencrypt SSL certificate Nginx vhost? [y/n]: y
      
      You have 4 options:
      1. issue staging test cert with HTTP + HTTPS
      2. issue staging test cert with HTTPS default
      3. issue live cert with HTTP + HTTPS
      4. issue live cert with HTTPS default
      Enter option number 1-4: 1
      
    • Via addons/acmetool.sh? Which specific command? Examples:
      Code (Text):
      ./acmetool.sh issue acme.domain.com
      
      Code (Text):
      ./acmetool.sh issue acme.domain.com live
      
      Code (Text):
      ./acmetool.sh issue acme.domain.com d
      
      Code (Text):
      ./acmetool.sh issue acme.domain.com lived
      
    • What was the order of steps you did? Did you run centmin.sh menu option 2 first with letsencrypt? Then did you run addons/acmetool.sh afterwards?

    Centmin Mod Self-Signed SSL Fallback

    If you're seeing Centmin Mod's self-signed SSL certificate instead of a letsencrypt SSL certificate, then that's acmetool.sh's and centminmod's fallback: if letsencrypt verification fails to obtain a letsencrypt SSL cert, it falls back to the Centmin Mod self-signed SSL certificate on the https port 443 side so as to preserve the https nginx vhost.

    Troubleshooting

    There are various steps you can take to troubleshoot failed letsencrypt issuances, renewals, reissues etc.
    • acmetool.sh logs all command line or shell menu runs to log files at /root/centminlogs. To troubleshoot, copy the contents of the log run and post the contents of the log to pastebin.com or gist.github.com and share the link in this thread. To find the log, list the logs in ascending date order:
      Code (Text):
      ls -lahrt /root/centminlogs
    • For direct acmetool.sh runs, there should be a 2nd, 3rd & 4th log in the format /root/centminlogs/centminmod_${DT}_nginx_addvhost_nv.log, /root/centminlogs/acmetool.sh-debug-log-$DT.log and /root/centminlogs/acmesh-issue_*.log or /root/centminlogs/acmesh-reissue_*.log, which would need to be included via a separate pastebin.com or gist.github.com post.
    • Enable acmetool.sh debug mode. In the persistent config file at /etc/centminmod/custom_config.inc (create it if it doesn't exist) add and enable acmetool.sh debug mode, which gives much more verbose letsencrypt issuance process information when you re-run acmetool.sh or centmin.sh menu options 2, 22 or /usr/bin/nv command lines.
      Code (Text):
      ACMEDEBUG='y'
    If acme.sh auto renewals didn't happen, check the output of the following commands
    Code (Text):
    grep acme /var/log/cron* | sed -e "s|$(hostname -s)|host|g"
    

    Code (Text):
    echo y | /usr/local/src/centminmod/addons/acmetool.sh checkdates
    

    Code (Text):
    "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh"
    

    Code (Text):
    echo | openssl s_client -connect yourdomain.com:443
    

    Without the answers to the above questions and the logs, there is nothing to help troubleshoot.

    SSLLabs Test

    Also run your HTTPS domain site through the SSLLabs tester at SSL Server Test (Powered by Qualys SSL Labs); if it says untrusted SSL cert and prompts to continue the test, continue the test.
     
  3. lostincable (New Member)

    Hi @eva2000

    The issue is not from the script.

    When creating the vhost it was made with centmin option 22 wordpress install for one domain.

    Unfortunately we needed to delete the vhost twice, and on the third attempt we were rate limited by letsencrypt.

    Because we had deleted the vhost + ssl, on the third attempt to create the vhost we were issued a self-signed cert.

    The history of events is like this:

    1) VHOST CREATED + SSL GENERATED - We then removed this VHOST + SSL with the bash script due to setup errors we made in creating the vhost
    2) VHOST CREATED + SSL GENERATED - We then removed this VHOST + SSL with the bash script due to setup errors we made in creating the vhost
    3) VHOST CREATED + SSL NOT GENERATED - Rate limited by lets encrypt, reverted to a self-signed / staging certificate

    ONE WEEK LETS ENCRYPT LIMIT LIFTED

    1) RE ISSUE requested to LETSENCRYPT; this just reissued the same self-signed certificate and didn't give a production SSL

    Code (Text):
    cd /usr/local/src/centminmod/addons
    ./acmetool.sh reissue-only shepherdcentre.org.au lived

    2) Then tried to re issue / issue and got blocked again

    Once the block is lifted, how do we correctly remove the self-signed ssl and request a live ssl?

    This is the last re issue log -

    ** removed **

    Also, should we consider moving to zerossl? Is that sustainable?
     
    Last edited: Jun 7, 2022
  4. eva2000 (Administrator, Staff Member)

    Oh, you mean a self-signed SSL cert. I thought you meant staging Letsencrypt SSL certs, which are untrusted and have a different issuer to the self-signed SSL cert created by Centmin Mod.

    You may have other issued SSL certs from letsencrypt for the same domain? Have you tried issuing Letsencrypt SSL certs for the same domain name elsewhere recently, other than the Centmin Mod server? You can run the acmetool.sh checkdates command to see what SSL certificates have been issued and installed on Nginx vhosts right now:
    Code (Text):
    /usr/local/src/centminmod/addons/acmetool.sh checkdates
    

    Though you can try switching from Letsencrypt to ZeroSSL certificates as outlined at Letsencrypt Free SSL Certificates, as ZeroSSL doesn't have rate limits for SSL certificate issuance.
     
  5. eva2000 (Administrator, Staff Member)

    Also, it seems you're using Cloudflare in front of the Centmin Mod Nginx site, so you may want to use the Cloudflare DNS API for domain validation for Letsencrypt/ZeroSSL certificate issuance instead of the default web root domain validation: Letsencrypt Free SSL Certificates
     
  6. lostincable (New Member)

    Hi @eva2000

    Thanks for the above.

    Under checkdates I have two test subdomains and two records for the one production domain.

    Is there a way to determine if they are self-signed or live? Or are they all live?

    And how do I obtain them and install them if they are available?

    gist:50bddd86585067ca327a6d4bae5e31eb
     
    Last edited: Jun 7, 2022
  7. eva2000 (Administrator, Staff Member)

    Checkdates lists in the acme issued section only live SSL certificates, and if they're listed under nginx installed, they may be live or not; you can match their fingerprint values to see if they are the same SSL certificate.

    If they aren't being served by Centmin Mod Nginx, then you'd need to check your domain's nginx vhost config file.

    When you create a new nginx vhost domain via centmin.sh menu option 2 or menu option 22 or via the /usr/bin/nv cli command line, you will create the Nginx vhost files and directories. You will get as output the path location where it will create the domain name's vhost conf file named newdomain.com.conf (and newdomain.com.ssl.conf if you selected yes to self-signed SSL)
    • Nginx vhost conf path will be at /usr/local/nginx/conf/conf.d/newdomain.com.conf
    • Nginx HTTP/2 SSL vhost conf path will be at /usr/local/nginx/conf/conf.d/newdomain.com.ssl.conf
    • Nginx Self-Signed SSL Certificate Directory at /usr/local/nginx/conf/ssl/newdomain.com
    • Vhost public web root will be at /home/nginx/domains/newdomain.com/public
    • Vhost log directory will be at /home/nginx/domains/newdomain.com/log
    Please post the contents of /usr/local/nginx/conf/conf.d/newdomain.com.conf and, if applicable, /usr/local/nginx/conf/conf.d/newdomain.com.ssl.conf wrapped in CODE tags (outlined at How to use forum BBCODE code tags)

    What is the output of these commands in SSH?
    Code (Text):
    curl -I https://domain.com
    

    Code (Text):
    curl -I https://www.domain.com
    

    Code (Text):
    curl -I http://domain.com
    

    Code (Text):
    curl -I http://www.domain.com
    

    Wrap the output in CODE tags.
     
    Last edited: Jun 8, 2022
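    The two checks suggested in this thread, the `openssl s_client` inspection from post 2 and the fingerprint matching from post 7, can be combined into one script that says which kind of certificate a vhost actually serves (Let's Encrypt live, Let's Encrypt staging, a self-signed fallback, or some other CA) and whether it is the same certificate as the `-acme.cer` file on disk. This is an added example, not Centmin Mod or acmetool.sh code. It assumes the `openssl` CLI is on PATH for printing issuer and subject, classifies by matching the organisation names the Let's Encrypt production and staging CAs put in the issuer, and the sample issuer strings and `CONSTRUCTED_PEM` are constructed test data, not real certificates.

```python
"""Classify the certificate an HTTPS vhost serves and compare fingerprints.

Added example for this thread; not Centmin Mod or acmetool.sh code.
Assumes the openssl CLI is on PATH for issuer/subject parsing; the sample
issuer strings and CONSTRUCTED_PEM below are constructed test data."""
import base64
import hashlib
import re
import ssl
import subprocess

_DN_PREFIX = re.compile(r"^(issuer|subject)\s*=\s*")


def _dn(line):
    """Strip the 'issuer=' / 'subject=' label openssl prints in front of a DN."""
    return _DN_PREFIX.sub("", line.strip())


def classify_issuer(issuer_line, subject_line):
    """Map issuer/subject lines from `openssl x509 -noout -issuer -subject`
    to the cases discussed in this thread."""
    issuer, subject = _dn(issuer_line), _dn(subject_line)
    if issuer == subject:
        return "self-signed"            # what a self-signed fallback cert looks like
    if "(STAGING)" in issuer:
        return "letsencrypt-staging"    # issued by the staging CA, not browser trusted
    if "Let's Encrypt" in issuer:
        return "letsencrypt-live"
    if "ZeroSSL" in issuer:
        return "zerossl"
    return "other-ca"


def pem_to_der(pem):
    """Decode a single PEM certificate (leaf only) to its DER bytes."""
    body = "".join(l for l in pem.splitlines() if l and not l.startswith("-----"))
    return base64.b64decode(body)


def sha256_fingerprint(der):
    """Colon-separated uppercase hex, the format `openssl x509 -fingerprint -sha256` prints."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprints_match(pem_a, pem_b):
    """True when both PEMs are the same certificate (same DER, same fingerprint)."""
    return sha256_fingerprint(pem_to_der(pem_a)) == sha256_fingerprint(pem_to_der(pem_b))


def issuer_subject(pem):
    """Run the openssl CLI (assumed installed) to print the issuer and subject lines."""
    proc = subprocess.run(["openssl", "x509", "-noout", "-issuer", "-subject"],
                          input=pem.encode(), capture_output=True, check=True)
    lines = proc.stdout.decode().splitlines()
    issuer = next(l for l in lines if l.startswith("issuer"))
    subject = next(l for l in lines if l.startswith("subject"))
    return issuer, subject


def fetch_served_pem(host, port=443):
    """Fetch the leaf certificate the server presents. No chain validation here on
    purpose: an untrusted self-signed or staging cert is exactly what we want to see."""
    return ssl.get_server_certificate((host, port))


def check_vhost(host, cert_file):
    """Compare what Nginx serves for `host` with the cert file acme.sh installed,
    e.g. /usr/local/nginx/conf/ssl/<domain>/<domain>-acme.cer."""
    served = fetch_served_pem(host)
    with open(cert_file) as fh:
        on_disk = fh.read()
    issuer, subject = issuer_subject(served)
    return {
        "host": host,
        "kind": classify_issuer(issuer, subject),
        "served_fingerprint": sha256_fingerprint(pem_to_der(served)),
        "matches_file": fingerprints_match(served, on_disk),
    }


# Constructed, not a real certificate: its "DER" decodes to the bytes b"abc".
CONSTRUCTED_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        print(check_vhost(sys.argv[1], sys.argv[2]))
    else:
        print("usage: check_cert.py <domain> </path/to/domain-acme.cer>")
        print("sample fingerprint:", sha256_fingerprint(pem_to_der(CONSTRUCTED_PEM)))
```

    Run it as `python3 check_cert.py domain.org.au /usr/local/nginx/conf/ssl/domain.org.au/domain.org.au-acme.cer`. A result of `kind: letsencrypt-staging` with `matches_file: True` means Nginx is serving the file acme.sh installed and that file itself is a staging cert, so the fix is on the issuance side, not the vhost include; `matches_file: False` means the served cert came from somewhere else, which with Cloudflare in front may be the edge certificate rather than the origin's.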
  8. lostincable (New Member)

    @eva2000 outputs below for the curl commands -


    Code (Text):
    [23:01][root@domain ~]# curl -I https://domain.org.au
    HTTP/1.1 200 OK
    Date: Tue, 07 Jun 2022 23:01:42 GMT
    Content-Type: text/html; charset=UTF-8
    Connection: keep-alive
    vary: Accept-Encoding
    link: <https://domain.org.au/wp-json/>; rel="https://api.w.org/"
    link: <https://domain.org.au/wp-json/wp/v2/pages/53497>; rel="alternate"; type="application/json"
    link: <https://domain.org.au/>; rel=shortlink
    x-powered-by: centminmod
    x-xss-protection: 1; mode=block
    x-content-type-options: nosniff
    CF-Cache-Status: DYNAMIC
    Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=k3Sn5wIyQgSjkLkzYNTaMTSNDhYZVb8JoHYXMZ0tRivkPkCXpOnikm1WxdHGTtISqT9XVzamwN1hspbSYbqicdvPWXuGfYfPcyxFoUeFFRv0V3feqba%2BrMgtJQy0%2F5it1w3TWVzHZQ%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 717d02dcce58558d-SYD
    


    Code (Text):
    [23:01][root@domain ~]# curl -I https://www.domain.org.au
    HTTP/1.1 301 Moved Permanently
    Date: Tue, 07 Jun 2022 23:02:00 GMT
    Content-Type: text/html; charset=UTF-8
    Connection: keep-alive
    location: https://domain.org.au/
    expires: Wed, 08 Jun 2022 00:02:00 GMT
    Cache-Control: max-age=3600
    x-redirect-by: WordPress
    x-powered-by: centminmod
    x-xss-protection: 1; mode=block
    x-content-type-options: nosniff
    CF-Cache-Status: DYNAMIC
    Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=xMLO6wg6xoZgRfZrpUTjDIJlsv4GF8vJ9GPRLyA1RWqYObAlexyZVkfKsK44p8ECn1qCGxslW2c%2BDauJ0dLksGIBTgZbtdr5htH9B6aCCuPAqdk5Kmd%2BcTozv4O7uh3b%2Fpejj1fClmzc%2F5g%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 717d034b7c60aac9-SYD
    


    Code (Text):
    [23:02][root@domain ~]# curl -I http://domain.org.au
    HTTP/1.1 302 Found
    Date: Tue, 07 Jun 2022 23:02:15 GMT
    Content-Type: text/html
    Connection: keep-alive
    Location: https://domain.org.au/
    X-Powered-By: centminmod
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=FUXehK4iLt6Bf%2FrUwJK6l%2F3dDOFQ9XMIWFAngZwNyGRUK2cXbTxrXDp6cj2LGcRJZ12OVuy8QJhcpBqjpglzZqV0vsmMvHmRmG1BJ2xuZziJmCp%2Fqf%2F2NtV1mxNbj1S94409v2Um%2BA%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 717d03a86bc3aac1-SYD
    


    Code (Text):
    [23:02][root@domain ~]# curl -I http://www.domain.org.au
    HTTP/1.1 302 Found
    Date: Tue, 07 Jun 2022 23:02:24 GMT
    Content-Type: text/html
    Connection: keep-alive
    Location: https://domain.org.au/
    X-Powered-By: centminmod
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=8FyDAXNRkvmMaVzKaNw0TfVz5EWOFrqPQq4jeNCMi5e8Nb%2F%2FJOaR5HDef3HYHOEHpozKqH7JO858O7CDn6jOYoYeHhOna2PaqRrzKaELjU3gRlE%2FZKIfel2O2eK1RFsrObEjihwpNzfFnPE%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 717d03e448b5555d-SYD
    
     
    Last edited: Jun 8, 2022
  9. lostincable (New Member)

    @eva2000

    This one does not exist -

    /usr/local/nginx/conf/conf.d/newdomain.com.conf

    But the ssl conf does exist -

    Code (Text):
    [23:21][root@tscws01 conf.d]# cat domain.org.au.ssl.conf
    # must read https://centminmod.com/getstarted.html
    # read https://centminmod.com/nginx_configure_https_ssl_spdy.html
    
    #x# HTTPS-DEFAULT
     server {
    
       server_name domain.org.au www.domain.org.au;
       return 302 https://domain.org.au$request_uri;
       root /home/nginx/domains/domain.org.au/public;
       include /usr/local/nginx/conf/staticfiles.conf;
     }
    
    server {
      listen 443 ssl http2;
      server_name domain.org.au www.domain.org.au;
    
      include /usr/local/nginx/conf/ssl/domain.org.au/domain.org.au.crt.key.conf;
      include /usr/local/nginx/conf/ssl_include.conf;
    
      # cloudflare authenticated origin pull cert community.centminmod.com/threads/13847/
      #ssl_client_certificate /usr/local/nginx/conf/ssl/cloudflare/domain.org.au/origin.crt;
      #ssl_verify_client on;
    
    
    
      # mozilla recommended
      ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
      ssl_prefer_server_ciphers   on;
      #add_header Alternate-Protocol  443:npn-spdy/3;
    
      # before enabling HSTS line below read centminmod.com/nginx_domain_dns_setup.html#hsts
      #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
      #add_header X-Frame-Options SAMEORIGIN;
      add_header X-Xss-Protection "1; mode=block" always;
      add_header X-Content-Type-Options "nosniff" always;
      #add_header Referrer-Policy "strict-origin-when-cross-origin";
      #add_header Permissions-Policy "accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=()";
      #spdy_headers_comp 5;
      ssl_buffer_size 1369;
      ssl_session_tickets on;
    
      # enable ocsp stapling
      resolver 8.8.8.8 8.8.4.4 1.1.1.1 1.0.0.1 valid=10m;
      resolver_timeout 10s;
      ssl_stapling on;
      ssl_stapling_verify on;
    
    # ngx_pagespeed & ngx_pagespeed handler
    #include /usr/local/nginx/conf/pagespeed.conf;
    #include /usr/local/nginx/conf/pagespeedhandler.conf;
    #include /usr/local/nginx/conf/pagespeedstatslog.conf;
    
      # limit_conn limit_per_ip 16;
      # ssi  on;
    
      access_log /home/nginx/domains/domain.org.au/log/access.log combined buffer=256k flush=5m;
      error_log /home/nginx/domains/domain.org.au/log/error.log;
    
      include /usr/local/nginx/conf/autoprotect/domain.org.au/autoprotect-domain.org.au.conf;
      root /home/nginx/domains/domain.org.au/public;
      # uncomment cloudflare.conf include if using cloudflare for
      # server and/or vhost site
      #include /usr/local/nginx/conf/cloudflare.conf;
      include /usr/local/nginx/conf/503include-main.conf;
    
      include /usr/local/nginx/conf/wpincludes/domain.org.au/wpcacheenabler_domain.org.au.conf;
      #include /usr/local/nginx/conf/wpincludes/domain.org.au/wpsupercache_domain.org.au.conf;
      # https://community.centminmod.com/posts/18828/
      #include /usr/local/nginx/conf/wpincludes/domain.org.au/rediscache_domain.org.au.conf;
    
      location / {
      include /usr/local/nginx/conf/503include-only.conf;
    
    
      # Enables directory listings when index file not found
      #autoindex  on;
    
      # for wordpress super cache plugin
      #try_files /wp-content/cache/supercache/$http_host/$cache_uri/index.html $uri $uri/ /index.php?q=$uri&$args;
    
      # for wp cache enabler plugin
      try_files $cache_enabler_uri_webp $cache_enabler_uri $uri $uri/ $custom_subdir/index.php?$args;
    
      # Wordpress Permalinks
      #try_files $uri $uri/ /index.php?q=$uri&$args;
    
      # Nginx level redis Wordpress
      # https://community.centminmod.com/posts/18828/
      #try_files $uri $uri/ /index.php?$args;
    
      }
    
    location ~* /(wp-login\.php) {
        limit_req zone=xwplogin burst=1 nodelay;
        #limit_conn xwpconlimit 30;
        #auth_basic "Private";
        #auth_basic_user_file /home/nginx/domains/domain.org.au/htpasswd_wplogin;
        include /usr/local/nginx/conf/php-wpsc.conf;
    
        # https://community.centminmod.com/posts/18828/
        #include /usr/local/nginx/conf/php-rediscache.conf;
    }
    
    location ~* /(xmlrpc\.php) {
        limit_req zone=xwprpc burst=45 nodelay;
        #limit_conn xwpconlimit 30;
        include /usr/local/nginx/conf/php-wpsc.conf;
        # https://jetpack.com/support/hosting-faq/
        include /usr/local/nginx/conf/jetpack_whitelist_ip.conf;
    
        # https://community.centminmod.com/posts/18828/
        #include /usr/local/nginx/conf/php-rediscache.conf;
    }
    
    location ~* /wp-admin/(load-scripts\.php) {
        limit_req zone=xwprpc burst=5 nodelay;
        #limit_conn xwpconlimit 30;
        include /usr/local/nginx/conf/php-wpsc.conf;
    
        # https://community.centminmod.com/posts/18828/
        #include /usr/local/nginx/conf/php-rediscache.conf;
    }
    
    location ~* /wp-admin/(load-styles\.php) {
        limit_req zone=xwprpc burst=5 nodelay;
        #limit_conn xwpconlimit 30;
        include /usr/local/nginx/conf/php-wpsc.conf;
    
        # https://community.centminmod.com/posts/18828/
        #include /usr/local/nginx/conf/php-rediscache.conf;
    }
    
      include /usr/local/nginx/conf/wpincludes/domain.org.au/wpsecure_domain.org.au.conf;
      include /usr/local/nginx/conf/php-wpsc.conf;
    
      # https://community.centminmod.com/posts/18828/
      #include /usr/local/nginx/conf/php-rediscache.conf;
      include /usr/local/nginx/conf/pre-staticfiles-local-domain.org.au.conf;
      include /usr/local/nginx/conf/pre-staticfiles-global.conf;
      include /usr/local/nginx/conf/staticfiles.conf;
      include /usr/local/nginx/conf/drop.conf;
      #include /usr/local/nginx/conf/errorpage.conf;
      include /usr/local/nginx/conf/vts_server.conf;
    }
     
  10. eva2000 (Administrator, Staff Member)

    For
    Code (Text):
      include /usr/local/nginx/conf/ssl/domain.org.au/domain.org.au.crt.key.conf;
      include /usr/local/nginx/conf/ssl_include.conf;
    

    what are the contents of /usr/local/nginx/conf/ssl/domain.org.au/domain.org.au.crt.key.conf?
    Code (Text):
    cat /usr/local/nginx/conf/ssl/domain.org.au/domain.org.au.crt.key.conf
     
  11. lostincable (New Member)

    Thanks @eva2000

    Code (Text):
    [23:59][root@domain conf.d]# cat /usr/local/nginx/conf/ssl/domain.org.au/domain.org.au.crt.key.conf
      ssl_dhparam /usr/local/nginx/conf/ssl/domain.org.au/dhparam.pem;
      ssl_certificate      /usr/local/nginx/conf/ssl/domain.org.au/domain.org.au-acme.cer;
      ssl_certificate_key  /usr/local/nginx/conf/ssl/domain.org.au/domain.org.au-acme.key;
    
      ssl_certificate      /usr/local/nginx/conf/ssl/domain.org.au/domain.org.au-acme-ecc.cer;
      ssl_certificate_key  /usr/local/nginx/conf/ssl/domain.org.au/domain.org.au-acme-ecc.key;
    
      #ssl_trusted_certificate /usr/local/nginx/conf/ssl/domain.org.au/domain.org.au-acme.cer;
      #ssl_trusted_certificate /usr/local/nginx/conf/ssl/domain.org.au/domain.org.au-acme-ecc.cer;
      #ssl_trusted_certificate /usr/local/nginx/conf/ssl/domain.org.au/domain.org.au-dualcert-rsa-ecc.cer;
    [23:59][root@domain conf.d]#
     
  12. eva2000 (Administrator, Staff Member)

    One of your previous edits shows the domain resolving to an OpenResty Nginx server and not Centmin Mod? Make sure your DNS records for both www and non-www are pointing to the Centmin Mod server IP too.
    Code (Text):
    curl -I wwww.domain.org.au
    HTTP/1.1 404 Not Found
    Server: openresty
    
     
  13. lostincable (New Member)

    Thanks @eva2000

    I'll update the DNS records.

    Can any of the SSL certs be used?
     
  14. eva2000 (Administrator, Staff Member)

    Probably not if the DNS record was the issue, as Letsencrypt validates the domain on both the www and non-www DNS records, so if one failed, so would domain validation.
     
  15. eva2000 (Administrator, Staff Member)

    Note if you use CF DNS API validation with Letsencrypt (Letsencrypt Free SSL Certificates) then that might help somewhat. Though I never tried with one www domain record pointing to an incorrect server IP.
     
  16. lostincable (New Member)

    Ok thanks @eva2000

    So we need to resolve the DNS issue.

    Then, after the ban is lifted, what is the correct way to change from self-signed to live SSL?
     
  17. eva2000 (Administrator, Staff Member)

    The reissue command should work:
    Code (Text):
    cd /usr/local/src/centminmod/addons
    ./acmetool.sh reissue-only yourdomain.com lived
    
     
  18. lostincable (New Member)

    Thanks for the support @eva2000

    We ran these exact commands when the block was lifted.

    Below is the log from the first "re issue" command; if you look at the logs, it switched to the staging letsencrypt URL?

    gist:3d1ca3656ea025a9a543f0b3508864b8

    I don't want to get blocked again; would you know if the DNS issue is why it changed to staging?
     
  19. eva2000 (Administrator, Staff Member)

    What is the output for the domain's Letsencrypt config at
    /root/.acme.sh/domain.com.au/domain.com.au.conf
    Code (Text):
    cat /root/.acme.sh/domain.com.au/domain.com.au.conf

    Can you try updating to the latest Centmin Mod 124.00stable or 130.00beta01 via cmupdate, and the acme.sh client, with these commands
    Code (Text):
    cmupdate
    /usr/local/src/centminmod/addons/acmetool.sh acmeupdate
    

    What is the output for the 2nd command too?
     
  20. lostincable (New Member)

    @eva2000 output is below

    And confirming I am on 130.00beta01 already.

    Code (Text):
    Le_Domain='domain.com.au'
    Le_Alt='www.domain.com.au'
    Le_Webroot='/home/nginx/domains/domain.com.au/public'
    Le_PreHook=''
    Le_PostHook=''
    Le_RenewHook=''
    Le_Preferred_Chain='__ACME_BASE64__START_IklTUkci__ACME_BASE64__END_'
    Le_API='https://acme-staging-v02.api.letsencrypt.org/directory'
    Le_Keylength='2048'
    Le_OrderFinalize='https://acme-staging-v02.api.letsencrypt.org/acme/finalize/55697444/2772503624'
    Le_LinkOrder='https://acme-staging-v02.api.letsencrypt.org/acme/order/55697444/2772503624'
    Le_LinkCert='https://acme-staging-v02.api.letsencrypt.org/acme/cert/fa0c0345f1a97658f740227bfc433c657b5d'
    Le_CertCreateTime='1654499803'
    Le_CertCreateTimeStr='2022-06-06T07:16:43Z'
    Le_RenewalDays='60'
    Le_NextRenewTimeStr='2022-08-05T07:16:43Z'
    Le_NextRenewTime='1659597403'
    Le_RealCertPath='/usr/local/nginx/conf/ssl/domain.com.au/domain.com.au-acme.cer'
    Le_RealCACertPath='/usr/local/nginx/conf/ssl/domain.com.au/domain.com.au-acme.cer'
    Le_RealKeyPath='/usr/local/nginx/conf/ssl/domain.com.au/domain.com.au-acme.key'
    Le_ReloadCmd='__ACME_BASE64__START_L3Vzci9iaW4vbmd4cmVsb2Fk__ACME_BASE64__END_'
    Le_RealFullChainPath='/usr/local/nginx/conf/ssl/domain.com.au/domain.com.au-fullchain-acme.key


    I also had a look at the conf file of a subdomain and it has the staging links in it as well.

    Code (Text):
    Le_Domain='subtest.domain.com.au'
    Le_Alt='no'
    Le_Webroot='/home/nginx/domains/subtest.domain.com.au/public'
    Le_PreHook=''
    Le_PostHook=''
    Le_RenewHook=''
    Le_Preferred_Chain='__ACME_BASE64__START_IklTUkci__ACME_BASE64__END_'
    Le_API='https://acme-staging-v02.api.letsencrypt.org/directory'
    Le_Keylength='2048'
    Le_OrderFinalize='https://acme-staging-v02.api.letsencrypt.org/acme/finalize/55697444/2710276794'
    Le_LinkOrder='https://acme-staging-v02.api.letsencrypt.org/acme/order/55697444/2710276794'
    Le_LinkCert='https://acme-staging-v02.api.letsencrypt.org/acme/cert/fabc2a296f707d3ad7bacb584d7b3838f7f4'
    Le_CertCreateTime='1653881047'
    Le_CertCreateTimeStr='2022-05-30T03:24:07Z'
    Le_RenewalDays='60'
    Le_NextRenewTimeStr='2022-07-29T03:24:07Z'
    Le_NextRenewTime='1658978647'
    Le_RealCertPath='/usr/local/nginx/conf/ssl/subtest.domain.com.au/subtest.domain.com.au-acme.cer'
    Le_RealCACertPath='/usr/local/nginx/conf/ssl/subtest.domain.com.au/subtest.domain.com.au-acme.cer'
    Le_RealKeyPath='/usr/local/nginx/conf/ssl/subtest.domain.com.au/subtest.domain.com.au-acme.key'
    Le_ReloadCmd='__ACME_BASE64__START_L3Vzci9iaW4vbmd4cmVsb2Fk__ACME_BASE64__END_'
    Le_RealFullChainPath='/usr/local/nginx/conf/ssl/subtest.domain.com.au/subtest.domain.com.au-fullchain-acme.key'
     
    Last edited: Jun 8, 2022
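    The two conf files posted above both carry `Le_API='https://acme-staging-v02.api.letsencrypt.org/directory'`, which is the per-domain state acme.sh writes at issuance time and reads back on renewal. Auditing every `/root/.acme.sh/<domain>/<domain>.conf` for that field is the quickest way to see which domains are pinned to the staging directory before spending another rate-limited request. The script below is an added example for this thread, not acme.sh or Centmin Mod code: it parses the `Key='value'` format shown above, decodes the `__ACME_BASE64__START_..._END_` wrapper acme.sh uses for values with awkward characters, and classifies the endpoint. `SAMPLE_CONF` is constructed from the shape of the posted conf with a placeholder domain and placeholder account/order ids; the `/root/.acme.sh` layout and the ZeroSSL directory URL are assumptions from outside this thread.

```python
"""Report which ACME endpoint each acme.sh domain config points at.

Added example for this thread; not acme.sh or Centmin Mod code. Reads the
per-domain conf files acme.sh keeps under /root/.acme.sh/<domain>/<domain>.conf
(format as posted in this thread) and reports whether Le_API is the Let's
Encrypt staging or production directory. SAMPLE_CONF is constructed."""
import base64
import glob
import os
import re

# ACME directory hosts this script recognises in Le_API; anything else is "unknown".
ENDPOINTS = {
    "acme-staging-v02.api.letsencrypt.org": "letsencrypt-staging",
    "acme-v02.api.letsencrypt.org": "letsencrypt-production",
    "acme.zerossl.com": "zerossl",
}

_B64 = re.compile(r"^__ACME_BASE64__START_(.*)__ACME_BASE64__END_$")
_LINE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)='(.*?)'?\s*$")


def decode_value(raw):
    """acme.sh wraps values containing quotes/spaces in base64 markers."""
    m = _B64.match(raw)
    return base64.b64decode(m.group(1)).decode("utf-8", "replace") if m else raw


def parse_conf(text):
    """Parse Key='value' lines; tolerates a missing closing quote on a truncated line."""
    conf = {}
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            conf[m.group(1)] = decode_value(m.group(2))
    return conf


def endpoint_kind(api_url):
    for host, kind in ENDPOINTS.items():
        if host in api_url:
            return kind
    return "unknown"


def audit_conf(text):
    """Summarise one domain conf: who issued it, where it lives, when it renews."""
    conf = parse_conf(text)
    api = conf.get("Le_API", "")
    alt = conf.get("Le_Alt", "no")          # acme.sh writes 'no' when there are no SANs
    kind = endpoint_kind(api)
    return {
        "domain": conf.get("Le_Domain", ""),
        "alt_names": [] if alt in ("", "no") else alt.split(","),
        "api": api,
        "kind": kind,
        "staging": kind == "letsencrypt-staging",
        "cert_path": conf.get("Le_RealCertPath", ""),
        "next_renew": conf.get("Le_NextRenewTimeStr", ""),
        "reload_cmd": conf.get("Le_ReloadCmd", ""),
        "preferred_chain": conf.get("Le_Preferred_Chain", ""),
    }


def audit_acme_home(home="/root/.acme.sh"):
    """Audit every <domain>/<domain>.conf under the acme.sh home directory (assumed layout)."""
    results = []
    for path in sorted(glob.glob(os.path.join(home, "*", "*.conf"))):
        with open(path) as fh:
            r = audit_conf(fh.read())
        if r["domain"]:              # skip account/ca confs that carry no Le_Domain
            r["path"] = path
            results.append(r)
    return results


# Constructed sample in the format posted above; placeholder domain and ids.
# The last line deliberately lacks its closing quote, as in the posted output.
SAMPLE_CONF = """Le_Domain='example.com.au'
Le_Alt='www.example.com.au'
Le_Webroot='/home/nginx/domains/example.com.au/public'
Le_Preferred_Chain='__ACME_BASE64__START_IklTUkci__ACME_BASE64__END_'
Le_API='https://acme-staging-v02.api.letsencrypt.org/directory'
Le_Keylength='2048'
Le_LinkOrder='https://acme-staging-v02.api.letsencrypt.org/acme/order/ACCOUNT_ID/ORDER_ID'
Le_NextRenewTimeStr='2022-08-05T07:16:43Z'
Le_RealCertPath='/usr/local/nginx/conf/ssl/example.com.au/example.com.au-acme.cer'
Le_ReloadCmd='__ACME_BASE64__START_L3Vzci9iaW4vbmd4cmVsb2Fk__ACME_BASE64__END_'
Le_RealFullChainPath='/usr/local/nginx/conf/ssl/example.com.au/example.com.au-fullchain-acme.cer
"""

if __name__ == "__main__":
    rows = audit_acme_home() or [audit_conf(SAMPLE_CONF)]
    for r in rows:
        print(f"{r['domain']:40} {r['kind']:24} renew={r['next_renew']} {r.get('path', '(sample)')}")
```

    On the server, `python3 acme_audit.py` prints one line per domain; any row marked `letsencrypt-staging` is a certificate that will stay untrusted through renewals until it is reissued against the production directory, which is the situation both posted conf files describe.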