Join the community today
Register Now

Letsencrypt Letsencrypt

Discussion in 'Install & Upgrades or Pre-Install Questions' started by lostincable, Jun 6, 2022.

  1. lostincable

    lostincable New Member

    23
    2
    3
    Feb 17, 2018
    Ratings:
    +3
    Local Time:
    7:02 AM
    Hi there

    I have centminmod running for a while now no issues.

    I added a bunch of new vhosts and letsencrypt blocked me for to many requests.

    The last vhost got a staging certificate when we got blocked.

    I am now out of the block period but trying to change from a staging certificate to a live certificate.

    Whenever I run the acetools reissue with reissue force + lived I get a staging certificate not a live certificate.

    What is the correct way to


    a) remove all ssl staging certs without deleting the entire vhost
    b) request a live certificate from letsencrypt

    Thanks.

    Thanks.
     
  2. eva2000

    eva2000 Administrator Staff Member

    48,894
    11,189
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +17,423
    Local Time:
    7:02 AM
    Nginx 1.21.x
    MariaDB 10.x
    What was the exact steps you took to add these new Nginx vhosts ?

    What is the exact error message you get when you are 'blocked'?

    Strange unless letsencrypt or acme.sh client which is used by addons/acmetool.sh is doing auto switch to staging SSL cert, then it wouldn't be something I coded for Centmin Mod. When Centmin Mod via centmin.sh menu option 2, 22 or nv command tries to get Letsencrypt SSL certificates it does via addons/acmetool.sh and it's coded for when Letsencrypt SSL certificate issuance fails, then it will fall back to the Centmin Mod created self-signed SSL non-trusted browser certificates and not to Letsencrypt staging.

    First try running your intended SSL certificate domain through the letsdebug.net online testing tool to check for potential errors with HTTP-01 validation. If you created Centmin Mod 123.09beta01 or higher Nginx site with Letsencrypt via centmin.sh menu option 2, 22 or nv command line, you now also have an automatic letsdebug.net API check log saved at /root/centminlogs/letsdebug-yourdomain.com-${DT}.log where yourdomain.com is domain specified during nginx vhost creation and DT is date/timestamp. Inspecting the /root/centminlogs/letsdebug-yourdomain.com-${DT}.log log will also give you clues as to why letsencrypt SSL certificate issuance failed.

    How was the initial letsencrypt ssl certificate obtained ? Which method ?
    • Was the domain nginx vhost alreadying created prior or new domain nginx vhost site setup for first time ?
    • Via centmin.sh menu option 2, 22, /usr/bin/nv ?
    • If you ran centmin.sh menu option 2 or 22, which letsencrypt option did you select from
      Code (Text):
      -------------------------------------------------------------
      Setup full Nginx vhost + Wordpress + WP Plugins
      -------------------------------------------------------------
      
      Enter vhost domain name you want to add (without www. prefix): acme3.domain1.com
      
      Create a self-signed SSL certificate Nginx vhost? [y/n]: n
      Get Letsencrypt SSL certificate Nginx vhost? [y/n]: y
      
      You have 4 options:
      1. issue staging test cert with HTTP + HTTPS
      2. issue staging test cert with HTTPS default
      3. issue live cert with HTTP + HTTPS
      4. issue live cert with HTTPS default
      Enter option number 1-4: 1
      
    • Via addons/acmetool.sh ? which specific command ? examples
      Code (Text):
      ./acmetool.sh issue acme.domain.com
      
      Code (Text):
      ./acmetool.sh issue acme.domain.com live
      
      Code (Text):
      ./acmetool.sh issue acme.domain.com d
      
      Code (Text):
      ./acmetool.sh issue acme.domain.com lived
      
    • What was order of steps you did ? Did you run centmin.sh menu option 2 first with letsencrypt ? Then did you run addons/acmetool.sh afterwards ?

    Centmin Mod Self-Signed SSL Fallback



    If you're seeing a Centmin Mod's self-signed ssl certificate instead of letsencrypt ssl certificate, then that's acmetool.sh and centminmod's fallback if letsencrypt verification fails to obtain letsencrypt ssl cert, it falls back to centmin mod self-signed ssl certificate on https port 443 side so to preserve the https nginx vhost

    Troubleshooting



    There are various steps you can do to troubleshoot failed letsencrypt issuances, renews, reissues etc.
    • acmetool.sh logs all command line or shell menu runs to log files at /root/centminlogs. To troubleshoot, copy the contents of the log run and post contents of log to pastebin.com or gist.github.com and share link in this thread. To find the log list the logs in ascending date order
      Code (Text):
      ls -lahrt /root/centminlogs
      .
    • For direct acmetool.sh runs, there should be a 2nd & 3rd & 4th log in format /root/centminlogs/centminmod_${DT}_nginx_addvhost_nv.log and /root/centminlogs/acmetool.sh-debug-log-$DT.log and /root/centminlogs/acmesh-issue_*.log or /root/centminlogs/acmesh-reissue_*.log which would need to be included via separate pastebin.com or gist.github.com post.
    • Enable acmetool.sh debug mode. In persistent config file at /etc/centminmod/custom_config.inc (create it if doesn't exist) add and enable acmetool.sh debug mode which gives much more verbose letsencrypt issuance process information when you re-run acmetool.sh or centmin.sh menu options 2, 22 or /usr/bin/nv command lines.
      Code (Text):
      ACMEDEBUG='y'
    If acme.sh auto renewals didn't happen, check output for the following commands
    Code (Text):
    grep acme /var/log/cron* | sed -e "s|$(hostname -s)|host|g"
    

    Code (Text):
    echo y | /usr/local/src/centminmod/addons/acmetool.sh checkdates
    

    Code (Text):
    "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh"
    

    Code (Text):
    echo | openssl s_client -connect yourdomain.com:443
    

    Without the answers to above questions and logs, there is nothing to help troubleshoot.

    SSLLabs Test



    Also run your HTTPS domain site through SSLLabs tester at SSL Server Test (Powered by Qualys SSL Labs) if it says untrusted SSL cert and prompts to continue the test, continue the test.
     
  3. lostincable

    lostincable New Member

    23
    2
    3
    Feb 17, 2018
    Ratings:
    +3
    Local Time:
    7:02 AM
    Hi @eva2000

    The issue not from the script.

    When creating the vhost it was made with centmin option 22 wordpress install for one domain.

    Unfortunately we need to delete the vhost twice and on the third attempt we were rate limited by letsencrpyt.

    Because we had deleted the vhost + ssl on the third attempt to create the vhost we where issued a self signed cert.

    The history of events is like this:

    1) VHOST CREATED + SSL GENERATED - We then removed this VHOST + SSL with the bash script due to setup errors we made in creating the vhost
    2) VHOST CREATED + SSL GENERATED - We then removed this VHOST + SSL with the bash script due to setup errors we made in creating the vhost
    3) VHOST CREATED + SSL NOT GENERATED - Rate limited by lets encrypt reverted to a self signed / staging certificate

    ONE WEEK LETS ENCRYPT LIMIT LIFTED

    1) RE ISSUE Requested to LETSENCRYPT, this just reissued the same self signed certificate didn't give a production SSL

    cd /usr/local/src/centminmod/addons
    ./acmetool.sh reissue-only shepherdcentre.org.au lived

    2) Then tried to re issue / issue and got blocked again

    Once the block is lifted how do we correctly remove the self-signed ssl and request a live ssl?

    This is the last re issue log -

    ** removed **

    Also should we consider move to zerossl is that sustainable?
     
    Last edited: Jun 7, 2022
  4. eva2000

    eva2000 Administrator Staff Member

    48,894
    11,189
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +17,423
    Local Time:
    7:02 AM
    Nginx 1.21.x
    MariaDB 10.x
    Oh you mean self-signed SSL cert. I though you meant staging Letsencrypt SSL certs which are untrusted which are different issuer to self-signed SSL cert created by Centmin Mod

    You may have other issued SSL certs from letsencrypt for the same domain? Have you tried issuing Letsencrypt SSL certs for same domain name elsewhere recently other than Centmin Mod server? You can run acmetool.sh checkdates command to see what SSL certificates have been issued and installed on Nginx vhosts right now
    Code (Text):
    /usr/local/src/centminmod/addons/acmetool.sh checkdates
    

    Though you can try switching from Letsencrypt to ZeroSSL certificates as outlined at Letsencrypt Free SSL Certificates as ZeroSSL doesn't have rate limits for SSL certificate issuance.
     
  5. eva2000

    eva2000 Administrator Staff Member

    48,894
    11,189
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +17,423
    Local Time:
    7:02 AM
    Nginx 1.21.x
    MariaDB 10.x
    Also seems you're using Cloudflare in front of Centmin Mod Nginx site, so you may want to use Cloudflare DNS API for domain validation for Letsencrypt/Zero SSL certificate issuance instead of the default web root domain validation Letsencrypt Free SSL Certificates
     
  6. lostincable

    lostincable New Member

    23
    2
    3
    Feb 17, 2018
    Ratings:
    +3
    Local Time:
    7:02 AM
    Hi @eva2000

    Thanks for the above.

    Under checkdates I have two test sub domains and two records for the one production domain.

    Is there a way to determine if they are self signed or live? Or are they all live?

    And how do I obtain them and install them if they are available?

    gist:50bddd86585067ca327a6d4bae5e31eb
     
    Last edited: Jun 7, 2022
  7. eva2000

    eva2000 Administrator Staff Member

    48,894
    11,189
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +17,423
    Local Time:
    7:02 AM
    Nginx 1.21.x
    MariaDB 10.x
    Check dates lists in acme issued section only live SSL certificates and if they're listed under nginx installed, they maybe live or not you can match their fingerprint values to see if they are the same SSL certificate

    If the aren't being served by Centmin Mod Nginx, the you'd need to check your domain's nginx vhost config file.

    When you create a new nginx vhost domain via centmin.sh menu option 2 or menu option 22 or via /usr/bin/nv cli command line, you will create the Nginx vhost files and directories. You will get an outputted the path location where it will create the domain name's vhost conf file named newdomain.com.conf (and newdomain.com.ssl.conf if you selected yes to self signed SSL)
    • Nginx vhost conf path will be at /usr/local/nginx/conf/conf.d/newdomain.com.conf
    • Nginx HTTP/2 SSL vhost conf path will be at /usr/local/nginx/conf/conf.d/newdomain.com.ssl.conf
    • Nginx Self-Signed SSL Certificate Directory at /usr/local/nginx/conf/ssl/newdomain.com
    • Vhost public web root will be at /home/nginx/domains/newdomain.com/public
    • Vhost log directory will be at /home/nginx/domains/newdomain.com/log
    Please post the contents of /usr/local/nginx/conf/conf.d/newdomain.com.conf and if applicable /usr/local/nginx/conf/conf.d/newdomain.com.ssl.conf wrapped in CODE tags (outlined at How to use forum BBCODE code tags)

    what is output of these commands in ssh
    Code (Text):
    curl -I https://domain.com
    

    Code (Text):
    curl -I https://www.domain.com
    

    Code (Text):
    curl -I http://domain.com
    

    Code (Text):
    curl -I http://www.domain.com
    

    wrap output in CODE tags
     
    Last edited: Jun 8, 2022
  8. lostincable

    lostincable New Member

    23
    2
    3
    Feb 17, 2018
    Ratings:
    +3
    Local Time:
    7:02 AM
    @eva2000 outputs below for the curl commands -


    Code (Text):
    [23:01][root@domain ~]# curl -I https://domain.org.au
    HTTP/1.1 200 OK
    Date: Tue, 07 Jun 2022 23:01:42 GMT
    Content-Type: text/html; charset=UTF-8
    Connection: keep-alive
    vary: Accept-Encoding
    link: <https://domain.org.au/wp-json/>; rel="https://api.w.org/"
    link: <https://domain.org.au/wp-json/wp/v2/pages/53497>; rel="alternate"; type="application/json"
    link: <https://domain.org.au/>; rel=shortlink
    x-powered-by: centminmod
    x-xss-protection: 1; mode=block
    x-content-type-options: nosniff
    CF-Cache-Status: DYNAMIC
    Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=k3Sn5wIyQgSjkLkzYNTaMTSNDhYZVb8JoHYXMZ0tRivkPkCXpOnikm1WxdHGTtISqT9XVzamwN1hspbSYbqicdvPWXuGfYfPcyxFoUeFFRv0V3feqba%2BrMgtJQy0%2F5it1w3TWVzHZQ%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 717d02dcce58558d-SYD
    


    Code (Text):
    [23:01][root@domain ~]# curl -I https://www.domain.org.au
    HTTP/1.1 301 Moved Permanently
    Date: Tue, 07 Jun 2022 23:02:00 GMT
    Content-Type: text/html; charset=UTF-8
    Connection: keep-alive
    location: https://domain.org.au/
    expires: Wed, 08 Jun 2022 00:02:00 GMT
    Cache-Control: max-age=3600
    x-redirect-by: WordPress
    x-powered-by: centminmod
    x-xss-protection: 1; mode=block
    x-content-type-options: nosniff
    CF-Cache-Status: DYNAMIC
    Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=xMLO6wg6xoZgRfZrpUTjDIJlsv4GF8vJ9GPRLyA1RWqYObAlexyZVkfKsK44p8ECn1qCGxslW2c%2BDauJ0dLksGIBTgZbtdr5htH9B6aCCuPAqdk5Kmd%2BcTozv4O7uh3b%2Fpejj1fClmzc%2F5g%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 717d034b7c60aac9-SYD
    


    Code (Text):
    
    [23:02][root@domain ~]# curl -I http://domain.org.au
    HTTP/1.1 302 Found
    Date: Tue, 07 Jun 2022 23:02:15 GMT
    Content-Type: text/html
    Connection: keep-alive
    Location: https://domain.org.au/
    X-Powered-By: centminmod
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=FUXehK4iLt6Bf%2FrUwJK6l%2F3dDOFQ9XMIWFAngZwNyGRUK2cXbTxrXDp6cj2LGcRJZ12OVuy8QJhcpBqjpglzZqV0vsmMvHmRmG1BJ2xuZziJmCp%2Fqf%2F2NtV1mxNbj1S94409v2Um%2BA%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 717d03a86bc3aac1-SYD
    


    Code (Text):
    [23:02][root@domain ~]# curl -I http://www.domain.org.au
    HTTP/1.1 302 Found
    Date: Tue, 07 Jun 2022 23:02:24 GMT
    Content-Type: text/html
    Connection: keep-alive
    Location: https://domain.org.au/
    X-Powered-By: centminmod
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=8FyDAXNRkvmMaVzKaNw0TfVz5EWOFrqPQq4jeNCMi5e8Nb%2F%2FJOaR5HDef3HYHOEHpozKqH7JO858O7CDn6jOYoYeHhOna2PaqRrzKaELjU3gRlE%2FZKIfel2O2eK1RFsrObEjihwpNzfFnPE%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 717d03e448b5555d-SYD
    
     
    Last edited: Jun 8, 2022
  9. lostincable

    lostincable New Member

    23
    2
    3
    Feb 17, 2018
    Ratings:
    +3
    Local Time:
    7:02 AM
    @eva2000

    This one does not exist -

    /usr/local/nginx/conf/conf.d/newdomain.com.conf

    But the ssl conf does exist -

    Code (Text):
      #auth_basic_user_file /home/nginx/domains/domain.org.au/htpasswd_wplogin;
        include /usr/local/nginx/conf/php-wpsc.conf;
    
        # https://community.centminmod.com/posts/18828/
        #include /usr/local/nginx/conf/php-rediscache.conf;
    }
    
    location ~* /(xmlrpc\.php) {
        limit_req zone=xwprpc burst=45 nodelay;
        #limit_conn xwpconlimit 30;
        include /usr/local/nginx/conf/php-wpsc.conf;
        # https://jetpack.com/support/hosting-faq/
        include /usr/local/nginx/conf/jetpack_whitelist_ip.conf;
    
        # https://community.centminmod.com/posts/18828/
        #include /usr/local/nginx/conf/php-rediscache.conf;
    }
    
    location ~* /wp-admin/(load-scripts\.php) {
        limit_req zone=xwprpc burst=5 nodelay;
        #limit_conn xwpconlimit 30;
        include /usr/local/nginx/conf/php-wpsc.conf;
    
        # https://community.centminmod.com/posts/18828/
        #include /usr/local/nginx/conf/php-rediscache.conf;
    }
    
    location ~* /wp-admin/(load-styles\.php) {
        limit_req zone=xwprpc burst=5 nodelay;
        #limit_conn xwpconlimit 30;
        include /usr/local/nginx/conf/php-wpsc.conf;
    
        # https://community.centminmod.com/posts/18828/
        #include /usr/local/nginx/conf/php-rediscache.conf;
    }
    
      include /usr/local/nginx/conf/wpincludes/domain.org.au/wpsecure_domain.org.au.conf;
      include /usr/local/nginx/conf/php-wpsc.conf;
    
      # https://community.centminmod.com/posts/18828/
      #include /usr/local/nginx/conf/php-rediscache.conf;
      include /usr/local/nginx/conf/pre-staticfiles-local-domain.org.au.conf;
      include /usr/local/nginx/conf/pre-staticfiles-global.conf;
      include /usr/local/nginx/conf/staticfiles.conf;
      include /usr/local/nginx/conf/drop.conf;
      #include /usr/local/nginx/conf/errorpage.conf;
      include /usr/local/nginx/conf/vts_server.conf;
    }
    [23:21][root@tscws01 conf.d]# clear
    
    [23:21][root@tscws01 conf.d]# cat domain.org.au.ssl.conf
    # must read https://centminmod.com/getstarted.html
    # read https://centminmod.com/nginx_configure_https_ssl_spdy.html
    
    #x# HTTPS-DEFAULT
     server {
    
       server_name domain.org.au www.domain.org.au;
       return 302 https://domain.org.au$request_uri;
       root /home/nginx/domains/domain.org.au/public;
       include /usr/local/nginx/conf/staticfiles.conf;
     }
    
    server {
      listen 443 ssl http2;
      server_name domain.org.au www.domain.org.au;
    
      include /usr/local/nginx/conf/ssl/domain.org.au/domain.org.au.crt.key.conf;
      include /usr/local/nginx/conf/ssl_include.conf;
    
      # cloudflare authenticated origin pull cert community.centminmod.com/threads/13847/
      #ssl_client_certificate /usr/local/nginx/conf/ssl/cloudflare/domain.org.au/origin.crt;
      #ssl_verify_client on;
    
    
    
      # mozilla recommended
      ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
      ssl_prefer_server_ciphers   on;
      #add_header Alternate-Protocol  443:npn-spdy/3;
    
      # before enabling HSTS line below read centminmod.com/nginx_domain_dns_setup.html#hsts
      #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
      #add_header X-Frame-Options SAMEORIGIN;
      add_header X-Xss-Protection "1; mode=block" always;
      add_header X-Content-Type-Options "nosniff" always;
      #add_header Referrer-Policy "strict-origin-when-cross-origin";
      #add_header Permissions-Policy "accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=()";
      #spdy_headers_comp 5;
      ssl_buffer_size 1369;
      ssl_session_tickets on;
    
      # enable ocsp stapling
      resolver 8.8.8.8 8.8.4.4 1.1.1.1 1.0.0.1 valid=10m;
      resolver_timeout 10s;
      ssl_stapling on;
      ssl_stapling_verify on;
    
    # ngx_pagespeed & ngx_pagespeed handler
    #include /usr/local/nginx/conf/pagespeed.conf;
    #include /usr/local/nginx/conf/pagespeedhandler.conf;
    #include /usr/local/nginx/conf/pagespeedstatslog.conf;
    
      # limit_conn limit_per_ip 16;
      # ssi  on;
    
      access_log /home/nginx/domains/domain.org.au/log/access.log combined buffer=256k flush=5m;
      error_log /home/nginx/domains/domain.org.au/log/error.log;
    
      include /usr/local/nginx/conf/autoprotect/domain.org.au/autoprotect-domain.org.au.conf;
      root /home/nginx/domains/domain.org.au/public;
      # uncomment cloudflare.conf include if using cloudflare for
      # server and/or vhost site
      #include /usr/local/nginx/conf/cloudflare.conf;
      include /usr/local/nginx/conf/503include-main.conf;
    
      include /usr/local/nginx/conf/wpincludes/domain.org.au/wpcacheenabler_domain.org.au.conf;
      #include /usr/local/nginx/conf/wpincludes/domain.org.au/wpsupercache_domain.org.au.conf;
      # https://community.centminmod.com/posts/18828/
      #include /usr/local/nginx/conf/wpincludes/domain.org.au/rediscache_domain.org.au.conf;
    
      location / {
      include /usr/local/nginx/conf/503include-only.conf;
    
    
      # Enables directory listings when index file not found
      #autoindex  on;
    
      # for wordpress super cache plugin
      #try_files /wp-content/cache/supercache/$http_host/$cache_uri/index.html $uri $uri/ /index.php?q=$uri&$args;
    
      # for wp cache enabler plugin
      try_files $cache_enabler_uri_webp $cache_enabler_uri $uri $uri/ $custom_subdir/index.php?$args;
    
      # Wordpress Permalinks
      #try_files $uri $uri/ /index.php?q=$uri&$args;
    
      # Nginx level redis Wordpress
      # https://community.centminmod.com/posts/18828/
      #try_files $uri $uri/ /index.php?$args;
    
      }
    
    location ~* /(wp-login\.php) {
        limit_req zone=xwplogin burst=1 nodelay;
        #limit_conn xwpconlimit 30;
        #auth_basic "Private";
        #auth_basic_user_file /home/nginx/domains/domain.org.au/htpasswd_wplogin;
        include /usr/local/nginx/conf/php-wpsc.conf;
    
        # https://community.centminmod.com/posts/18828/
        #include /usr/local/nginx/conf/php-rediscache.conf;
    }
    
    location ~* /(xmlrpc\.php) {
        limit_req zone=xwprpc burst=45 nodelay;
        #limit_conn xwpconlimit 30;
        include /usr/local/nginx/conf/php-wpsc.conf;
        # https://jetpack.com/support/hosting-faq/
        include /usr/local/nginx/conf/jetpack_whitelist_ip.conf;
    
        # https://community.centminmod.com/posts/18828/
        #include /usr/local/nginx/conf/php-rediscache.conf;
    }
    
    location ~* /wp-admin/(load-scripts\.php) {
        limit_req zone=xwprpc burst=5 nodelay;
        #limit_conn xwpconlimit 30;
        include /usr/local/nginx/conf/php-wpsc.conf;
    
        # https://community.centminmod.com/posts/18828/
        #include /usr/local/nginx/conf/php-rediscache.conf;
    }
    
    location ~* /wp-admin/(load-styles\.php) {
        limit_req zone=xwprpc burst=5 nodelay;
        #limit_conn xwpconlimit 30;
        include /usr/local/nginx/conf/php-wpsc.conf;
    
        # https://community.centminmod.com/posts/18828/
        #include /usr/local/nginx/conf/php-rediscache.conf;
    }
    
      include /usr/local/nginx/conf/wpincludes/domain.org.au/wpsecure_domain.org.au.conf;
      include /usr/local/nginx/conf/php-wpsc.conf;
    
      # https://community.centminmod.com/posts/18828/
      #include /usr/local/nginx/conf/php-rediscache.conf;
      include /usr/local/nginx/conf/pre-staticfiles-local-domain.org.au.conf;
      include /usr/local/nginx/conf/pre-staticfiles-global.conf;
      include /usr/local/nginx/conf/staticfiles.conf;
      include /usr/local/nginx/conf/drop.conf;
      #include /usr/local/nginx/conf/errorpage.conf;
      include /usr/local/nginx/conf/vts_server.conf;
    }
     
  10. eva2000

    eva2000 Administrator Staff Member

    48,894
    11,189
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +17,423
    Local Time:
    7:02 AM
    Nginx 1.21.x
    MariaDB 10.x
    for
    Code (Text):
      include /usr/local/nginx/conf/ssl/domain.org.au/domain.org.au.crt.key.conf;
      include /usr/local/nginx/conf/ssl_include.conf;
    

    what's contents for /usr/local/nginx/conf/ssl/domain.org.au/domain.org.au.crt.key.conf
    Code (Text):
    cat /usr/local/nginx/conf/ssl/domain.org.au/domain.org.au.crt.key.conf
     
  11. lostincable

    lostincable New Member

    23
    2
    3
    Feb 17, 2018
    Ratings:
    +3
    Local Time:
    7:02 AM
    Thanks @eva2000

    Code (Text):
    [23:59][root@domain conf.d]# cat /usr/local/nginx/conf/ssl/domain.org.au/domain.org.au.crt.key.conf
      ssl_dhparam /usr/local/nginx/conf/ssl/domain.org.au/dhparam.pem;
      ssl_certificate      /usr/local/nginx/conf/ssl/domain.org.au/domain.org.au-acme.cer;
      ssl_certificate_key  /usr/local/nginx/conf/ssl/domain.org.au/domain.org.au-acme.key;
    
      ssl_certificate      /usr/local/nginx/conf/ssl/domain.org.au/domain.org.au-acme-ecc.cer;
      ssl_certificate_key  /usr/local/nginx/conf/ssl/domain.org.au/domain.org.au-acme-ecc.key;
    
      #ssl_trusted_certificate /usr/local/nginx/conf/ssl/domain.org.au/domain.org.au-acme.cer;
      #ssl_trusted_certificate /usr/local/nginx/conf/ssl/domain.org.au/domain.org.au-acme-ecc.cer;
      #ssl_trusted_certificate /usr/local/nginx/conf/ssl/domain.org.au/domain.org.au-dualcert-rsa-ecc.cer;
    [23:59][root@domain conf.d]#
     
  12. eva2000

    eva2000 Administrator Staff Member

    48,894
    11,189
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +17,423
    Local Time:
    7:02 AM
    Nginx 1.21.x
    MariaDB 10.x
    one of your previous edits shows the domain resolving to OpenResty Nginx server and not Centmin Mod? Make sure your DNS records for both www and non-www are pointing to Centmin Mod server IP too
    Code (Text):
    curl -I wwww.domain.org.au
    HTTP/1.1 404 Not Found
    Server: openresty
    
     
  13. lostincable

    lostincable New Member

    23
    2
    3
    Feb 17, 2018
    Ratings:
    +3
    Local Time:
    7:02 AM
    Thanks @eva2000

    Ill update the DNS records.

    Can any of the SSL certs be used?
     
  14. eva2000

    eva2000 Administrator Staff Member

    48,894
    11,189
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +17,423
    Local Time:
    7:02 AM
    Nginx 1.21.x
    MariaDB 10.x
    Probably not if the DNS record was the issue as Letsencrypt validates the domain on both www and non-www DNS records so if one failed, so would domain validation.
     
  15. eva2000

    eva2000 Administrator Staff Member

    48,894
    11,189
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +17,423
    Local Time:
    7:02 AM
    Nginx 1.21.x
    MariaDB 10.x
    Note if you use CF DNS API validation with Letsencrypt Letsencrypt Free SSL Certificates then that might help somewhat. Though I never tried with one www domain record pointing to an incorrect server IP.
     
  16. lostincable

    lostincable New Member

    23
    2
    3
    Feb 17, 2018
    Ratings:
    +3
    Local Time:
    7:02 AM
    Ok thanks @eva2000

    So we need to resolve the DNS issue

    Then after the ban is lifted what is the correct way to change from self signed to live SSL?
     
  17. eva2000

    eva2000 Administrator Staff Member

    48,894
    11,189
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +17,423
    Local Time:
    7:02 AM
    Nginx 1.21.x
    MariaDB 10.x
    reissue command should work
    Code (Text):
    cd /usr/local/src/centminmod/addons
    ./acmetool.sh reissue-only yourdomain.com lived
    
     
  18. lostincable

    lostincable New Member

    23
    2
    3
    Feb 17, 2018
    Ratings:
    +3
    Local Time:
    7:02 AM
    Thanks for the support @eva2000

    We ran these exact commands when the block was lifted.

    Below is the log from the first "re issue" command, if you look at the logs it switched to staging letsencrypt url?

    gist:3d1ca3656ea025a9a543f0b3508864b8

    I don't want to get blocked again would you know if the dns issue is why it changed to staging?
     
  19. eva2000

    eva2000 Administrator Staff Member

    48,894
    11,189
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +17,423
    Local Time:
    7:02 AM
    Nginx 1.21.x
    MariaDB 10.x
    what is output for the domains Letsencrypt config at
    /root/.acme.sh/domain.com.au/domain.com.au.conf
    Code (Text):
    cat /root/.acme.sh/domain.com.au/domain.com.au.conf

    can you try updating to latest Centmin Mod 124.00stable or 130.00beta01 and cmupdate and acme.sh client with these commands
    Code (Text):
    cmupdate
    /usr/local/src/centminmod/addons/acmetool.sh acmeupdate
    

    what is output for 2nd command too?
     
  20. lostincable

    lostincable New Member

    23
    2
    3
    Feb 17, 2018
    Ratings:
    +3
    Local Time:
    7:02 AM
    @eva2000 output is below

    And confirming I am on 130.00beta01 already.

    Code (Text):
    Le_Domain='domain.com.au'
    Le_Alt='www.domain.com.au'
    Le_Webroot='/home/nginx/domains/domain.com.au/public'
    Le_PreHook=''
    Le_PostHook=''
    Le_RenewHook=''
    Le_Preferred_Chain='__ACME_BASE64__START_IklTUkci__ACME_BASE64__END_'
    Le_API='https://acme-staging-v02.api.letsencrypt.org/directory'
    Le_Keylength='2048'
    Le_OrderFinalize='https://acme-staging-v02.api.letsencrypt.org/acme/finalize/55697444/2772503624'
    Le_LinkOrder='https://acme-staging-v02.api.letsencrypt.org/acme/order/55697444/2772503624'
    Le_LinkCert='https://acme-staging-v02.api.letsencrypt.org/acme/cert/fa0c0345f1a97658f740227bfc433c657b5d'
    Le_CertCreateTime='1654499803'
    Le_CertCreateTimeStr='2022-06-06T07:16:43Z'
    Le_RenewalDays='60'
    Le_NextRenewTimeStr='2022-08-05T07:16:43Z'
    Le_NextRenewTime='1659597403'
    Le_RealCertPath='/usr/local/nginx/conf/ssl/domain.com.au/domain.com.au-acme.cer'
    Le_RealCACertPath='/usr/local/nginx/conf/ssl/domain.com.au/domain.com.au-acme.cer'
    Le_RealKeyPath='/usr/local/nginx/conf/ssl/domain.com.au/domain.com.au-acme.key'
    Le_ReloadCmd='__ACME_BASE64__START_L3Vzci9iaW4vbmd4cmVsb2Fk__ACME_BASE64__END_'
    Le_RealFullChainPath='/usr/local/nginx/conf/ssl/domain.com.au/domain.com.au-fullchain-acme.key


    I also had a look at the conf file of a subdomain and it has the staging links in it as well.

    Code (Text):
    Le_Domain='subtest.domain.com.au'
    Le_Alt='no'
    Le_Webroot='/home/nginx/domains/subtest.domain.com.au/public'
    Le_PreHook=''
    Le_PostHook=''
    Le_RenewHook=''
    Le_Preferred_Chain='__ACME_BASE64__START_IklTUkci__ACME_BASE64__END_'
    Le_API='https://acme-staging-v02.api.letsencrypt.org/directory'
    Le_Keylength='2048'
    Le_OrderFinalize='https://acme-staging-v02.api.letsencrypt.org/acme/finalize/55697444/2710276794'
    Le_LinkOrder='https://acme-staging-v02.api.letsencrypt.org/acme/order/55697444/2710276794'
    Le_LinkCert='https://acme-staging-v02.api.letsencrypt.org/acme/cert/fabc2a296f707d3ad7bacb584d7b3838f7f4'
    Le_CertCreateTime='1653881047'
    Le_CertCreateTimeStr='2022-05-30T03:24:07Z'
    Le_RenewalDays='60'
    Le_NextRenewTimeStr='2022-07-29T03:24:07Z'
    Le_NextRenewTime='1658978647'
    Le_RealCertPath='/usr/local/nginx/conf/ssl/subtest.domain.com.au/subtest.domain.com.au-acme.cer'
    Le_RealCACertPath='/usr/local/nginx/conf/ssl/subtest.domain.com.au/subtest.domain.com.au-acme.cer'
    Le_RealKeyPath='/usr/local/nginx/conf/ssl/subtest.domain.com.au/subtest.domain.com.au-acme.key'
    Le_ReloadCmd='__ACME_BASE64__START_L3Vzci9iaW4vbmd4cmVsb2Fk__ACME_BASE64__END_'
    Le_RealFullChainPath='/usr/local/nginx/conf/ssl/subtest.domain.com.au/subtest.domain.com.au-fullchain-acme.key'
     
    Last edited: Jun 8, 2022