
SSL: My paid SSL expired, how do I switch to Let's Encrypt?

Discussion in 'Domains, DNS, Email & SSL Certificates' started by radbrad, Sep 11, 2020.

  1. radbrad (Member)

    Hi,
    After my paid SSL certificate expired, I got an invalid SSL error. Now I want to switch to the free Let's Encrypt SSL. I tried the following commands to install the Let's Encrypt SSL:
    Code:
    cd /usr/local/nginx/conf/ssl/domain1.com
    openssl dhparam -out dhparam.pem 2048
    touch /etc/centminmod/custom_config.inc
    echo "LETSENCRYPT_DETECT='y'" >> /etc/centminmod/custom_config.inc
    /usr/local/src/centminmod/addons/acmetool.sh acmeupdate
    
    /root/.acme.sh/acme.sh --force --issue --days 60 -d domain1.com -d www.domain1.com -w /home/nginx/domains/domain1.com/public -k 2048 --useragent centminmod-centos-acmesh-webroot --log /root/centminlogs/acmetool.sh-debug-log-domain1.com.log --log-level 2
    
    
    /root/.acme.sh/acme.sh --installcert -d domain1.com -d www.domain1.com --certpath /usr/local/nginx/conf/ssl/domain1.com/domain1.com-acme.cer --keypath /usr/local/nginx/conf/ssl/domain1.com/domain1.com-acme.key --capath /usr/local/nginx/conf/ssl/domain1.com/domain1.com-acme.cer --reloadCmd /usr/bin/ngxreload --fullchainpath /usr/local/nginx/conf/ssl/domain1.com/domain1.com-fullchain-acme.key
    
    But it failed with the following error

    Code:
    domain1.com:Verify error:Invalid response from http://domain.com/.well-known/acme-challenge/HsPY_cPydTB-d_rHLnObMunqzkM5goIRymt4Udz11u4 [104.247.221.110]:
    
     Please check log file for more details: /root/centminlogs/acmetool.sh-debug-log-110920-042848.log
    LECHECK = 1
    
    My domain.com.ssl.conf output


    Code:
    # Centmin Mod Getting Started Guide
    # must read http://centminmod.com/getstarted.html
    # For HTTP/2 SSL Setup
    # read http://centminmod.com/nginx_configure_https_ssl_spdy.html
    
    # redirect from www to non-www  forced SSL
    # uncomment, save file and restart Nginx to enable
    # if unsure use return 302 before using return 301
     server {
       server_name domain1.com www.domain1.com;
        return 301 https://www.domain1.com$request_uri;
     }
    
    server {
      listen 443 ssl http2;
      server_name domain1.com;
      return 3001 https://www.domain1.com$request_uri;
    
      include /usr/local/nginx/conf/ssl/domain1.com/domain1.com.crt.key.conf;
      include /usr/local/nginx/conf/ssl_include.conf;
    }
    
    server {
      listen 443 ssl http2;
      server_name www.domain1.com;
    
      include /usr/local/nginx/conf/ssl/domain1.com/domain1.com.crt.key.conf;
      include /usr/local/nginx/conf/ssl_include.conf;
    
      # cloudflare authenticated origin pull cert community.centminmod.com/threads/13847/
      #ssl_client_certificate /usr/local/nginx/conf/ssl/cloudflare/domain1.com/origin.crt;
      #ssl_verify_client on;
      http2_max_field_size 16k;
      http2_max_header_size 32k;
      # mozilla recommended
      ssl_ciphers TLS13-AES-128-GCM-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS;
      ssl_prefer_server_ciphers   on;
      #add_header Alternate-Protocol  443:npn-spdy/3;
    
      # before enabling HSTS line below read centminmod.com/nginx_domain_dns_setup.html#hsts
      #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
      #add_header X-Frame-Options SAMEORIGIN;
      add_header X-Xss-Protection "1; mode=block" always;
      add_header X-Content-Type-Options "nosniff" always;
      #add_header Referrer-Policy "strict-origin-when-cross-origin";
      #spdy_headers_comp 5;
      ssl_buffer_size 1369;
      ssl_session_tickets on;
    
      # enable ocsp stapling
      #resolver 8.8.8.8 8.8.4.4 valid=10m;
      #resolver_timeout 10s;
      #ssl_stapling on;
      #ssl_stapling_verify on;
    
    # ngx_pagespeed & ngx_pagespeed handler
    include /usr/local/nginx/conf/pagespeed.conf;
    include /usr/local/nginx/conf/pagespeedhandler.conf;
    include /usr/local/nginx/conf/pagespeedstatslog.conf;
    
      # limit_conn limit_per_ip 16;
      # ssi  on;
    
      access_log /home/nginx/domains/domain1.com/log/access.log combined buffer=256k flush=5m;
      error_log /home/nginx/domains/domain1.com/log/error.log;
    
      include /usr/local/nginx/conf/autoprotect/domain1.com/autoprotect-domain1.com.conf;
      root /home/nginx/domains/domain1.com/public;
      # uncomment cloudflare.conf include if using cloudflare for
      # server and/or vhost site
      #include /usr/local/nginx/conf/cloudflare.conf;
      include /usr/local/nginx/conf/503include-main.conf;
    
      #include /usr/local/nginx/conf/wpincludes/domain1.com/wpcacheenabler_domain1.com.conf;
      #include /usr/local/nginx/conf/wpincludes/domain1.com/wpsupercache_domain1.com.conf;
      # https://community.centminmod.com/posts/18828/
      include /usr/local/nginx/conf/wpincludes/domain1.com/rediscache_domain1.com.conf;
    
      location / {
      include /usr/local/nginx/conf/503include-only.conf;
    
    
      # Enables directory listings when index file not found
      #autoindex  on;
    
      # for wordpress super cache plugin
      #try_files /wp-content/cache/supercache/$http_host/$cache_uri/index.html $uri $uri/ /index.php?q=$uri&$args;
    
      # for wp cache enabler plugin
      #try_files $cache_enabler_uri $uri $uri/ $custom_subdir/index.php?$args;
    
      # Wordpress Permalinks
      #try_files $uri $uri/ /index.php?q=$uri&$args;
    
      # Nginx level redis Wordpress
      # https://community.centminmod.com/posts/18828/
      try_files $uri $uri/ /index.php?$args;
    
      }
    #location /home/nginx/domains/domain1.com/public/wp-content/uploads/ {
      #pagespeed off;
      #pagespeed unplugged;
     # autoindex on;
      #add_header X-Robots-Tag "noindex, nofollow";
      #location ~* ^/webp/.+\.(png|jpe?g)$ {
       # expires 30d;
        #add_header Vary "Accept-Encoding";
        #add_header Cache-Control "public, no-transform";
        #try_files $uri$webp_extension $uri =404;
      #}
    #}
    location ~* /(wp-login\.php) {
        limit_req zone=xwplogin burst=1 nodelay;
        #limit_conn xwpconlimit 30;
        #auth_basic "Private";
       #auth_basic_user_file /home/nginx/domains/domain1.com/htpasswd_wplogin;
        #include /usr/local/nginx/conf/php-wpsc.conf;
    
        # https://community.centminmod.com/posts/18828/
        include /usr/local/nginx/conf/php-rediscache.conf;
    }
    
    location ~* /(xmlrpc\.php) {
        limit_req zone=xwprpc burst=45 nodelay;
        #limit_conn xwpconlimit 30;
        #include /usr/local/nginx/conf/php-wpsc.conf;
    
        # https://community.centminmod.com/posts/18828/
        include /usr/local/nginx/conf/php-rediscache.conf;
    }
    
    location ~* /wp-admin/(load-scripts\.php) {
        limit_req zone=xwprpc burst=5 nodelay;
        #limit_conn xwpconlimit 30;
        #include /usr/local/nginx/conf/php-wpsc.conf;
    
        # https://community.centminmod.com/posts/18828/
        include /usr/local/nginx/conf/php-rediscache.conf;
    }
    
    location ~* /wp-admin/(load-styles\.php) {
        limit_req zone=xwprpc burst=5 nodelay;
        #limit_conn xwpconlimit 30;
        #include /usr/local/nginx/conf/php-wpsc.conf;
    
        # https://community.centminmod.com/posts/18828/
        include /usr/local/nginx/conf/php-rediscache.conf;
    }
    
      include /usr/local/nginx/conf/wpincludes/domain1.com/wpsecure_domain1.com.conf;
      #include /usr/local/nginx/conf/php-wpsc.conf;
    
      # https://community.centminmod.com/posts/18828/
      include /usr/local/nginx/conf/php-rediscache.conf;
      include /usr/local/nginx/conf/pre-staticfiles-local-domain1.com.conf;
      include /usr/local/nginx/conf/pre-staticfiles-global.conf;
      include /usr/local/nginx/conf/staticfiles.conf;
      include /usr/local/nginx/conf/drop.conf;
      #include /usr/local/nginx/conf/errorpage.conf;
      include /usr/local/nginx/conf/vts_server.conf;
    }
    
    
     
  2. eva2000 (Administrator, Staff Member)

    Are you behind Cloudflare? If you are, are you using Cloudflare Full SSL or Flexible SSL?

    You also have a typo: 3001 instead of 301.
    Code (Text):
    return 3001 https://www.domain1.com$request_uri;
    

    First try running your intended SSL certificate domain through the letsdebug.net online testing tool to check for potential errors with HTTP-01 validation.

    Sounds like Let's Encrypt is following your domain's non-HTTPS 301/302 redirect to the HTTPS-based domain to validate the domain, but the HTTPS-based domain's SSL certificate has expired.

    What you can do is a sort of partial manual version of the steps from Migrating Existing Nginx Vhost From HTTP to HTTP/2 based HTTPS With Letsencrypt SSL Certificates, in that you temporarily disable your /usr/local/nginx/conf/conf.d/domain.com.ssl.conf nginx vhost and recreate the non-HTTPS nginx vhost /usr/local/nginx/conf/conf.d/domain.com.conf using the official Nginx vhost generator at Generate Centmin Mod Nginx Vhost - CentminMod.com LEMP Nginx web stack for CentOS (which is step 1 of the guide at Migrating Existing Nginx Vhost From HTTP to HTTP/2 based HTTPS With Letsencrypt SSL Certificates).

    Then follow manual steps 2, 3, 4, 5 and 6 of the guide at Migrating Existing Nginx Vhost From HTTP to HTTP/2 based HTTPS With Letsencrypt SSL Certificates, where in step 6 you re-enable your HTTPS /usr/local/nginx/conf/conf.d/domain.com.ssl.conf nginx vhost and disable your non-HTTPS nginx vhost /usr/local/nginx/conf/conf.d/domain.com.conf again.

    Then you can test your domain at Let's Debug to ensure future renewals work.
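A pre-check for the failure mode diagnosed above, as an added example that is not Centmin Mod's or the thread's own code: it drops a constructed token into the webroot, fetches it over plain HTTP the way an HTTP-01 validator does (following redirects), and classifies the outcome, so a redirect into an HTTPS vhost with a broken certificate is reported as such before acme.sh is run again. It assumes the domain and webroot are passed as the two arguments and that curl and openssl are installed.

```shell
#!/bin/sh
# Added example, not Centmin Mod tooling: pre-check the HTTP-01 challenge path before
# re-running acme.sh, so a redirect into a broken HTTPS vhost gives a clear diagnosis
# instead of "Verify error: Invalid response". Assumed: $1 = domain, $2 = webroot.

# Classify one fetch attempt. Args: curl exit code, final HTTP status, effective URL
# after redirects, body received, token expected. Prints a diagnosis, returns 0 only on OK.
diagnose_challenge() {
  curl_rc=$1; http_code=$2; url_effective=$3; body=$4; expected=$5
  case "$url_effective" in https://*) over_tls=1 ;; *) over_tls=0 ;; esac
  if [ "$curl_rc" -ne 0 ]; then
    # curl failed on a TLS URL: the redirect target's certificate/handshake is broken
    # (e.g. expired cert), which is a vhost problem, not a token problem
    if [ "$over_tls" -eq 1 ]; then echo REDIRECT_TLS_FAILURE; else echo CONNECT_FAILURE; fi
    return 1
  fi
  if [ "$http_code" != "200" ]; then echo "HTTP_ERROR_$http_code"; return 1; fi
  if [ "$body" != "$expected" ]; then echo TOKEN_MISMATCH; return 1; fi
  if [ "$over_tls" -eq 1 ]; then echo OK_VIA_HTTPS_REDIRECT; else echo OK; fi
  return 0
}

# Drop a constructed token into the webroot and fetch it as a validator would:
# plain http://, following redirects, verifying TLS at whatever it lands on.
precheck_http01() {
  domain=$1; webroot=$2
  token="precheck-$(date +%s)-$$"          # constructed marker, not a real ACME token
  dir="$webroot/.well-known/acme-challenge"
  mkdir -p "$dir" && printf '%s' "$token" > "$dir/$token" || return 2
  tmp=$(mktemp) || return 2
  meta=$(curl -sS -L -m 15 -o "$tmp" -w '%{http_code} %{url_effective}' \
         "http://$domain/.well-known/acme-challenge/$token" 2>/dev/null)
  rc=$?
  set -- $meta                               # $1 = status, $2 = final URL
  result=$(diagnose_challenge "$rc" "${1:-000}" "${2:-}" "$(cat "$tmp")" "$token")
  status=$?
  rm -f "$tmp" "$dir/$token"
  echo "$domain: $result (final URL: ${2:-n/a})"
  return $status
}

# notAfter of the certificate currently served on :443, to confirm the expiry the thread describes
cert_not_after() {
  openssl s_client -servername "$1" -connect "$1:443" </dev/null 2>/dev/null \
    | openssl x509 -noout -enddate 2>/dev/null | sed 's/^notAfter=//'
}
if [ "$#" -eq 2 ]; then
  echo "cert on $1:443 expires: $(cert_not_after "$1")"
  precheck_http01 "$1" "$2"
fi
```

Run it as `sh precheck.sh domain1.com /home/nginx/domains/domain1.com/public` from the server; anything other than OK or OK_VIA_HTTPS_REDIRECT means the validator will not reach the token either, and a REDIRECT_TLS_FAILURE is the case where temporarily serving the challenge from the plain-HTTP vhost, as described above, is the fix.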