Letsencrypt Migrating to HTTP/2 HTTPS with LetsEncrypt stumbling at cert check at .well-known

Discussion in 'Domains, DNS, Email & SSL Certificates' started by josh, Sep 26, 2017.

  1. josh

    josh New Member

    Not sure what I did wrong here but I'm not able to get past this step.

    Code:
    [19:02][root@epn2017 apistogramma.com]# /root/.acme.sh/acme.sh --force --issue --days 60 -d apistogramma.com -d www.apistogramma.com -w /home/nginx/domains/apistogramma.com/public -k 2048 --useragent centminmod-centos-acmesh-webroot --log /root/centminlogs/acmetool.sh-debug-log-apistogramma.com.log --log-level 2
    [Mon Sep 25 19:03:04 UTC 2017] Multi domain='DNS:www.apistogramma.com'
    [Mon Sep 25 19:03:04 UTC 2017] Getting domain auth token for each domain
    [Mon Sep 25 19:03:04 UTC 2017] Getting webroot for domain='apistogramma.com'
    [Mon Sep 25 19:03:04 UTC 2017] Getting new-authz for domain='apistogramma.com'
    [Mon Sep 25 19:03:05 UTC 2017] The new-authz request is ok.
    [Mon Sep 25 19:03:05 UTC 2017] Getting webroot for domain='www.apistogramma.com'
    [Mon Sep 25 19:03:05 UTC 2017] Getting new-authz for domain='www.apistogramma.com'
    [Mon Sep 25 19:03:06 UTC 2017] The new-authz request is ok.
    [Mon Sep 25 19:03:06 UTC 2017] Verifying:apistogramma.com
    [Mon Sep 25 19:03:09 UTC 2017] apistogramma.com:Verify error:Invalid response from http://apistogramma.com/.well-known/acme-challenge/j6U_GFcZCLpFWlcU2w-6XNSpvAiOOfA_MlDhC3L6m0Y:
    [Mon Sep 25 19:03:09 UTC 2017] Please check log file for more details: /root/centminlogs/acmetool.sh-debug-log-apistogramma.com.log
    
    apistogramma.com.ssl.conf looks like this ** snipped **
     
    Last edited by a moderator: Sep 26, 2017
  2. eva2000

    eva2000 Administrator Staff Member

    When you create a new nginx vhost domain via centmin.sh menu option 2 or menu option 22 or via the /usr/bin/nv cli command line, you will create the Nginx vhost files and directories. It will output the path location where it creates the domain name's vhost conf file named newdomain.com.conf (and newdomain.com.ssl.conf if you selected yes to self-signed SSL):
    • Nginx vhost conf path will be at /usr/local/nginx/conf/conf.d/newdomain.com.conf
    • Nginx HTTP/2 SSL vhost conf path will be at /usr/local/nginx/conf/conf.d/newdomain.com.ssl.conf
    • Nginx Self-Signed SSL Certificate Directory at /usr/local/nginx/conf/ssl/newdomain.com
    • Vhost public web root will be at /home/nginx/domains/newdomain.com/public
    • Vhost log directory will be at /home/nginx/domains/newdomain.com/log
    Please post the contents of /usr/local/nginx/conf/conf.d/newdomain.com.conf and if applicable /usr/local/nginx/conf/conf.d/newdomain.com.ssl.conf wrapped in CODE tags (outlined at How to use forum BBCODE code tags)
     
  3. josh

    Thanks for the prompt reply!

    The site was initially set up without HTTP/2 using menu option 2.
    The SSL Conf file was linked in the original post. The domain.com.conf file was "disabled" per the guide on migrating to HTTP/2 with HTTPS
     
  4. eva2000

    might want to remove the allow ips from your nginx vhost conf file ;)

    but nginx vhost looks right

    is your domain behind a proxy like cloudflare ?
     
  5. josh

  6. eva2000

    oh I see, curling your domain's headers from the page at https://tools.keycdn.com/curl shows you are redirecting to /forum, so letsencrypt can't verify the .well-known file
    Code (Text):
    HTTP/1.1 301 Moved Permanently
    Date: Mon, 25 Sep 2017 19:32:38 GMT
    Content-Type: text/html
    Content-Length: 178
    Connection: keep-alive
    Location: http://www.apistogramma.com/forum/
    Server: nginx centminmod
    X-Powered-By: centminmod
     
  7. josh

    Ah shit! What's an appropriate work-around?
     
  8. eva2000

    not seeing the 301 redirect in the nginx ssl vhost conf you posted, so something else in another vhost file is doing that 301 redirect it seems
     
  9. josh

    It's in the normal vhost conf file but that's been disabled. Not sure why that's still being used because I've restarted nginx...
    Here's the original vhost file https://pastebin.com/digdzST5
     
  10. eva2000

    original vhost has 301 redirect
    Code (Text):
    location = / {
        return 301 http://www.apistogramma.com/forum;
    }
     
  11. josh

    So how long until the SSL vhost is used, since the original has been disabled for hours now?
     
  12. eva2000

    301 redirects are permanently cached in web browsers, but the curl command shouldn't have such a cache, so it seems like it isn't disabled. Try removing the vhost instead of disabling it and restart nginx
     
  13. josh

    Restarted nginx but then got this which is probably part of the issue...
    Code:
    [22:40][root@epn2017 conf.d]# service nginx restart
    nginx: [emerg] PEM_read_bio_X509_AUX("/usr/local/nginx/conf/ssl/apistogramma.com/apistogramma.com-acme.cer") failed (SSL: error:09FFF06C:PEM routines:CRYPTO_internal:no start line:Expecting: TRUSTED CERTIFICATE)
    nginx: configuration file /usr/local/nginx/conf/nginx.conf test failed
    
     
    Last edited: Sep 26, 2017
  14. eva2000

  15. josh

    And the valid ssl cert isn't being generated because of the redirect that is blocking the verification of the well-known file. Am I stuck in a loop? Am I wrong in assuming that I can host many sites on the same Digital Ocean droplet using this method?
     
    Last edited: Sep 26, 2017
  16. eva2000

    just need to remove 301 redirect + restart nginx server and then do steps 1-6 of the guide
     
  17. josh

    I can't find where else the redirect would be coming from. I've removed the original conf file and rebooted the entire server because I wasn't confident that nginx was restarting with all the error messages. I still get the same error when I try to verify the domain cert.
    Moreover, I'm getting this when I try to access https://apistogramma.com (and the other domains on the server I'm trying to migrate to HTTPS) :
    Code:
    Your connection is not private
    Attackers might be trying to steal your information from apistogramma.com (for example, passwords, messages, or credit cards). Learn more
    NET::ERR_CERT_COMMON_NAME_INVALID
     Back to safetyHIDE ADVANCED
    This server could not prove that it is apistogramma.com; its security certificate is from tarantulaforum.com. This may be caused by a misconfiguration or an attacker intercepting your connection.
    Proceed to apistogramma.com (unsafe)
     
  18. eva2000

    I think the problem is that letsencrypt is trying to follow your http to https redirect but https has an invalid cert. So you probably need to temporarily reinstate the non-ssl nginx vhost without the 301 redirect to /forum and without a forced http to https 302 redirect from the ssl nginx vhost. Then run steps 1-6 to get a valid ssl cert from letsencrypt, which would look at the non-https site for /.well-known validation. Then once the ssl cert is issued, check the https version of your site to make sure it's working. Then remove the non-ssl nginx vhost and reinstate in the ssl vhost the http to https 302 redirect
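    As an added example (not code from the thread or from Centmin Mod's own vhost templates), here is a pair of nginx vhosts for the apistogramma.com names that serves the HTTP-01 challenge path straight from the webroot before any redirect, so validation no longer depends on the /forum 301 or on whatever certificate the HTTPS vhost is serving. Paths are the Centmin Mod locations quoted earlier in the thread; the self-signed filenames (apistogramma.com.crt/.key) are an assumption.

```nginx
# Added example, not Centmin Mod's vhost template. Paths follow the Centmin
# Mod locations quoted in this thread; self-signed filenames are assumed.
server {
    listen 80;
    server_name apistogramma.com www.apistogramma.com;
    root /home/nginx/domains/apistogramma.com/public;

    # HTTP-01 challenge: acme.sh -w writes the token under
    # <webroot>/.well-known/acme-challenge/. "^~" beats regex locations,
    # so the dotfile block below never swallows it, and no redirect applies.
    location ^~ /.well-known/acme-challenge/ {
        default_type text/plain;
        try_files $uri =404;
    }

    # Everything else that starts with a dot stays hidden.
    location ~ /\. {
        return 404;
    }

    # Site redirects only after the carve-out: the old "location = /" 301 to
    # /forum and the HTTP->HTTPS hop no longer affect validation, because
    # Let's Encrypt's request for the token never reaches them.
    location = / {
        return 301 https://www.apistogramma.com/forum;
    }
    location / {
        return 302 https://$host$request_uri;
    }
}

server {
    listen 443 ssl http2;
    server_name apistogramma.com www.apistogramma.com;
    root /home/nginx/domains/apistogramma.com/public;

    # Until acme.sh has issued a cert, keep pointing at the vhost's own
    # self-signed pair. An empty *-acme.cer makes "nginx -t" fail, nginx keeps
    # running the previous config, and the old redirect appears to persist.
    # Without a 443 block whose server_name matches, nginx answers with the
    # default SSL vhost's cert, which is the tarantulaforum.com mismatch the
    # browser reported.
    ssl_certificate     /usr/local/nginx/conf/ssl/apistogramma.com/apistogramma.com.crt;
    ssl_certificate_key /usr/local/nginx/conf/ssl/apistogramma.com/apistogramma.com.key;

    location / {
        try_files $uri $uri/ =404;
    }
}
```

    Before rerunning acme.sh, drop a test file into the webroot's .well-known/acme-challenge/ and request it with `curl -I http://apistogramma.com/.well-known/acme-challenge/<file>`: a 200 rather than a 301 or 302 confirms the carve-out is live. Running `nginx -t` before the restart catches the empty-cert failure shown above instead of leaving the previous config running.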
     
  19. eva2000

    but from the dev ssllabs test your https site is working now in terms of a valid ssl cert, just your http status response is HTTP 500 internal error, so you probably just need to fix up the vhost for ssl https://dev.ssllabs.com/ssltest/analyze.html?d=apistogramma.com&hideResults=on

    make sure you test your https site via a browser session with cache cleared or an incognito session to ensure previous caches are clean
     
  20. josh

    I reverted to self-signed certs on apistogramma.com and was able to get nginx to properly restart with valid conf files, then I re-requested the validation from LE and I think I'm back on the road!
    Testing in incognito mode now. Thank you George! You're a huge help.
     