Letsencrypt Migrating to HTTP/2 HTTPS with LetsEncrypt stumbling at cert check at .well-known

josh · Sep 26, 2017

Not sure what I did wrong here but I'm not able to get passed this step.

Code:

[19:02][[email protected] apistogramma.com]# /root/.acme.sh/acme.sh --force --issue --days 60 -d apistogramma.com -d www.apistogramma.com -w /home/nginx/domains/apistogramma.com/public -k 2048 --useragent centminmod-centos-acmesh-webroot --log /root/centminlogs/acmetool.sh-debug-log-apistogramma.com.log --log-level 2
[Mon Sep 25 19:03:04 UTC 2017] Multi domain='DNS:www.apistogramma.com'
[Mon Sep 25 19:03:04 UTC 2017] Getting domain auth token for each domain
[Mon Sep 25 19:03:04 UTC 2017] Getting webroot for domain='apistogramma.com'
[Mon Sep 25 19:03:04 UTC 2017] Getting new-authz for domain='apistogramma.com'
[Mon Sep 25 19:03:05 UTC 2017] The new-authz request is ok.
[Mon Sep 25 19:03:05 UTC 2017] Getting webroot for domain='www.apistogramma.com'
[Mon Sep 25 19:03:05 UTC 2017] Getting new-authz for domain='www.apistogramma.com'
[Mon Sep 25 19:03:06 UTC 2017] The new-authz request is ok.
[Mon Sep 25 19:03:06 UTC 2017] Verifying:apistogramma.com
[Mon Sep 25 19:03:09 UTC 2017] apistogramma.com:Verify error:Invalid response from http://apistogramma.com/.well-known/acme-challenge/j6U_GFcZCLpFWlcU2w-6XNSpvAiOOfA_MlDhC3L6m0Y:
[Mon Sep 25 19:03:09 UTC 2017] Please check log file for more details: /root/centminlogs/acmetool.sh-debug-log-apistogramma.com.log

apistogramma.com.ssl.conf looks like this ** snipped **

eva2000 · Sep 26, 2017

When you create a new nginx vhost domain via centmin.sh menu option 2 or menu option 22 or via /usr/bin/nv cli command line, you will create the Nginx vhost files and directories. You will get an outputted the path location where it will create the domain name's vhost conf file named newdomain.com.conf (and newdomain.com.ssl.conf if you selected yes to self signed SSL)

Nginx vhost conf path will be at /usr/local/nginx/conf/conf.d/newdomain.com.conf

Nginx HTTP/2 SSL vhost conf path will be at /usr/local/nginx/conf/conf.d/newdomain.com.ssl.conf

Nginx Self-Signed SSL Certificate Directory at /usr/local/nginx/conf/ssl/newdomain.com

Vhost public web root will be at /home/nginx/domains/newdomain.com/public

Vhost log directory will be at /home/nginx/domains/newdomain.com/log

Please post the contents of /usr/local/nginx/conf/conf.d/newdomain.com.conf and if applicable /usr/local/nginx/conf/conf.d/newdomain.com.ssl.conf wrapped in CODE tags (outlined at How to use forum BBCODE code tags)

josh · Sep 26, 2017

Thanks for the prompt reply!

The site was initially set up without HTTP/2 using menu option 2.
The SSL Conf file was linked in the original post. The domain.com.conf file was "disabled" per the guide on migrating to HTTP/2 with HTTPS

eva2000 · Sep 26, 2017

might want to remove the allow ips from your nginx vhost conf file

but nginx vhost looks right

is your domain behind a proxy like cloudflare ?

josh · Sep 26, 2017

Nope. I followed the same guide (https://centminmod.com/migrating-to-https.html) for another domain on the same VPS last week with relative ease. Can't figure out where I went wrong...

eva2000 · Sep 26, 2017

oh i see curling your header for domain from page at https://tools.keycdn.com/curl shows you are redirecting to /forum so letsencrypt can't verify the .well-known file
Code (Text):
HTTP/1.1 301 Moved Permanently
Date: Mon, 25 Sep 2017 19:32:38 GMT
Content-Type: text/html
Content-Length: 178
Connection: keep-alive
Location: http://www.apistogramma.com/forum/
Server: nginx centminmod
X-Powered-By: centminmod

josh · Sep 26, 2017

Ah shit! what's an appropriate work-around?

eva2000 · Sep 26, 2017

not seeing the 301 redirect in your nginx ssl vhost conf you posted so something else in another vhost file is doing that 301 redirect it seems

josh · Sep 26, 2017

eva2000 said: ↑

not seeing the 301 redirect in your nginx ssl vhost conf you posted so something else in another vhost file is doing that 301 redirect it seems
Click to expand...

It's in the normal vhost conf file but that's been disabled. Not sure why that's still being used because I've restarting nginx...
Here's the original vhost file https://pastebin.com/digdzST5

eva2000 · Sep 26, 2017

original vhost has 301 redirect
Code (Text):
location = / {
    return 301 http://www.apistogramma.com/forum;
}

josh · Sep 26, 2017

So how long until the SSL vhost is used since the original has been disabled for hours now.

eva2000 · Sep 26, 2017

301 redirects are permanently cached in web browsers but curl command shouldn't have such cache so seems like it isn't disabled. Try removing the vhost instead of disabling it and restart nginx

josh · Sep 26, 2017

Restarted nginx but then got this which is probably part of the issue...

Code:

[22:40][[email protected] conf.d]# service nginx restart
nginx: [emerg] PEM_read_bio_X509_AUX("/usr/local/nginx/conf/ssl/apistogramma.com/apistogramma.com-acme.cer") failed (SSL: error:09FFF06C:PEM routines:CRYPTO_internal:no start line:Expecting: TRUSTED CERTIFICATE)
nginx: configuration file /usr/local/nginx/conf/nginx.conf test failed

eva2000 · Sep 26, 2017

re-run first 6 steps of https://centminmod.com/migrating-to-https.html as you don't have a valid ssl cert yet as domain validation failed

josh · Sep 26, 2017

And the valid ssl cert isn't being generated because of the redirect that is blocking the verification of the well-known file. Am I stuck in a loop? Am I wrong in assuming that I can host many sites on the same Digital Ocean droplet using this method?

eva2000 · Sep 26, 2017

just need to remove 301 redirect + restart nginx server and then do steps 1-6 of the guide

josh · Sep 26, 2017

I can't find where else the redirect would be coming from. I've removed the original conf file and rebooting the entire server because I wasn't confident that nginx was restarting with all the error messages. I still get the same error when I try to verify the domain cert.
Moreover, I'm getting this when I try to access https://apistogramma.com (and the other domains on the server I'm trying to migrate to HTTPS) :
Code:
Your connection is not private
Attackers might be trying to steal your information from apistogramma.com (for example, passwords, messages, or credit cards). Learn more
NET::ERR_CERT_COMMON_NAME_INVALID
 Back to safetyHIDE ADVANCED
This server could not prove that it is apistogramma.com; its security certificate is from tarantulaforum.com. This may be caused by a misconfiguration or an attacker intercepting your connection.
Proceed to apistogramma.com (unsafe)

eva2000 · Sep 26, 2017

I think the problem is the letsencrypt is trying to follow your http to https redirect but https has invalid cert. So probably need to temporarily reinstate the non-ssl nginx vhost without the 301 redirect to /forum and without the a forced http to https 302 redirect from ssl nginx vhost. Then run steps 1-6 to get valid ssl cert from letsencrypt which would look at non-https site for /.well-known validation. Then once ssl cert is issues, check https version of your site to make sure it's working. Then remove non-ssl nginx vhost and reinstate in ssl vhost the http to https 302 redirect

eva2000 · Sep 26, 2017

but from dev ssllab test your https site is working now in terms of valid ssl cert just your http status response is HTTP 500 internal error so probably just need to fix up vhost for ssl https://dev.ssllabs.com/ssltest/analyze.html?d=apistogramma.com&hideResults=on

make sure you test your https site via browser cache cleared session or incognito session to ensure previously caches are clean

josh · Sep 26, 2017

I reverted to self-signed certs on apistogramma.com and was able to get nginx to properly restart with valid conf files then i re-requested the validation from LE and i think i'm back on the road!
Testing in incognito mode now. Thank you George! You're a huge help.

Log in / Register

Forums

Get the most out of your Centmin Mod LEMP stack

Letsencrypt Migrating to HTTP/2 HTTPS with LetsEncrypt stumbling at cert check at .well-known

josh New Member

eva2000 Administrator Staff Member

josh New Member

eva2000 Administrator Staff Member

josh New Member

eva2000 Administrator Staff Member

josh New Member

eva2000 Administrator Staff Member

josh New Member

eva2000 Administrator Staff Member

josh New Member

eva2000 Administrator Staff Member

josh New Member

eva2000 Administrator Staff Member

josh New Member

eva2000 Administrator Staff Member

josh New Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

josh New Member

.

Log in / Register

Useful Searches

Get the most out of your Centmin Mod LEMP stack

Letsencrypt Migrating to HTTP/2 HTTPS with LetsEncrypt stumbling at cert check at .well-known

josh New Member

eva2000 Administrator Staff Member

josh New Member

eva2000 Administrator Staff Member

josh New Member

eva2000 Administrator Staff Member

josh New Member

eva2000 Administrator Staff Member

josh New Member

eva2000 Administrator Staff Member

josh New Member

eva2000 Administrator Staff Member

josh New Member

eva2000 Administrator Staff Member

josh New Member

eva2000 Administrator Staff Member

josh New Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

josh New Member

.