Join the community today
Register Now

SSL My paid SSL expired, How do i switch to letsencrypt.

Discussion in 'Domains, DNS, Email & SSL Certificates' started by radbrad, Sep 11, 2020.

  1. radbrad

    radbrad Member

    31
    3
    8
    Feb 15, 2020
    Ratings:
    +4
    Local Time:
    3:36 AM
    Hi,
    After my paid SSL certificate expired , i got invalid ssl error. Now i wanted to switch to the free letsencrypt SSL. I tried the following command to install letsencrypt SSL
    Code:
    cd /usr/local/nginx/conf/ssl/domain1.com
    openssl dhparam -out dhparam.pem 2048
    touch /etc/centminmod/custom_config.inc
    echo "LETSENCRYPT_DETECT='y'" >> /etc/centminmod/custom_config.inc
    /usr/local/src/centminmod/addons/acmetool.sh acmeupdate
    
    /root/.acme.sh/acme.sh --force --issue --days 60 -d domain1.com -d www.domain1.com -w /home/nginx/domains/domain1.com/public -k 2048 --useragent centminmod-centos-acmesh-webroot --log /root/centminlogs/acmetool.sh-debug-log-domain1.com.log --log-level 2
    
    
    /root/.acme.sh/acme.sh --installcert -d domain1.com -d www.domain1.com --certpath /usr/local/nginx/conf/ssl/domain1.com/domain1.com-acme.cer --keypath /usr/local/nginx/conf/ssl/domain1.com/domain1.com-acme.key --capath /usr/local/nginx/conf/ssl/domain1.com/domain1.com-acme.cer --reloadCmd /usr/bin/ngxreload --fullchainpath /usr/local/nginx/conf/ssl/domain1.com/domain1.com-fullchain-acme.key
    
    But it failed with the following error

    Code:
    domain1.com:Verify error:Invalid response from http://domain.com/.well-known/acme-challenge/HsPY_cPydTB-d_rHLnObMunqzkM5goIRymt4Udz11u4 [104.247.221.110]:
    
     Please check log file for more details: /root/centminlogs/acmetool.sh-debug-log-110920-042848.log
    LECHECK = 1
    
    My domain.com.ssl.conf output

    Code:
    # Centmin Mod Getting Started Guide
    # must read http://centminmod.com/getstarted.html
    # For HTTP/2 SSL Setup
    # read http://centminmod.com/nginx_configure_https_ssl_spdy.html
    
    # redirect from www to non-www  forced SSL
    # uncomment, save file and restart Nginx to enable
    # if unsure use return 302 before using return 301
     server {
       server_name domain1.com www.domain1.com;
        return 301 https://www.domain1.com$request_uri;
     }
    
    server {
      listen 443 ssl http2;
      server_name domain1.com;
      return 3001 https://www.domain1.com$request_uri;
    
      include /usr/local/nginx/conf/ssl/domain1.com/domain1.com.crt.key.conf;
      include /usr/local/nginx/conf/ssl_include.conf;
    }
    
    server {
      listen 443 ssl http2;
      server_name www.domain1.com;
    
      include /usr/local/nginx/conf/ssl/domain1.com/domain1.com.crt.key.conf;
      include /usr/local/nginx/conf/ssl_include.conf;
    
      # cloudflare authenticated origin pull cert community.centminmod.com/threads/1                                                                                                             3847/
      #ssl_client_certificate /usr/local/nginx/conf/ssl/cloudflare/domain1.com/origin.                                                                                                             crt;
      #ssl_verify_client on;
      http2_max_field_size 16k;
      http2_max_header_size 32k;
      # mozilla recommended
      ssl_ciphers TLS13-AES-128-GCM-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-P                                                                                                             OLY1305-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:ECDHE-ECDSA-A                                                                                                             ES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE                                                                                                             -RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305                                                                                                             :DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:E                                                                                                             CDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-                                                                                                             AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA                                                                                                             :DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-S                                                                                                             HA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-G                                                                                                             CM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DE                                                                                                             S-CBC3-SHA:!DSS;
      ssl_prefer_server_ciphers   on;
      #add_header Alternate-Protocol  443:npn-spdy/3;
    
      # before enabling HSTS line below read centminmod.com/nginx_domain_dns_setup.h                                                                                                             tml#hsts
      #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
      #add_header X-Frame-Options SAMEORIGIN;
      add_header X-Xss-Protection "1; mode=block" always;
      add_header X-Content-Type-Options "nosniff" always;
      #add_header Referrer-Policy "strict-origin-when-cross-origin";
      #spdy_headers_comp 5;
      ssl_buffer_size 1369;
      ssl_session_tickets on;
    
      # enable ocsp stapling
      #resolver 8.8.8.8 8.8.4.4 valid=10m;
      #resolver_timeout 10s;
      #ssl_stapling on;
      #ssl_stapling_verify on;
    
    # ngx_pagespeed & ngx_pagespeed handler
    include /usr/local/nginx/conf/pagespeed.conf;
    include /usr/local/nginx/conf/pagespeedhandler.conf;
    include /usr/local/nginx/conf/pagespeedstatslog.conf;
    
      # limit_conn limit_per_ip 16;
      # ssi  on;
    
      access_log /home/nginx/domains/domain1.com/log/access.log combined buffer=256k f                                                                                                             lush=5m;
      error_log /home/nginx/domains/domain1.com/log/error.log;
    
      include /usr/local/nginx/conf/autoprotect/domain1.com/autoprotect-domain1.com.conf                                                                                                             ;
      root /home/nginx/domains/domain1.com/public;
      # uncomment cloudflare.conf include if using cloudflare for
      # server and/or vhost site
      #include /usr/local/nginx/conf/cloudflare.conf;
      include /usr/local/nginx/conf/503include-main.conf;
    
      #include /usr/local/nginx/conf/wpincludes/domain1.com/wpcacheenabler_domain1.com.c                                                                                                             onf;
      #include /usr/local/nginx/conf/wpincludes/domain1.com/wpsupercache_domain1.com.con                                                                                                             f;
      # https://community.centminmod.com/posts/18828/
      include /usr/local/nginx/conf/wpincludes/domain1.com/rediscache_domain1.com.conf;                                                                                                             
    
      location / {
      include /usr/local/nginx/conf/503include-only.conf;
    
    
      # Enables directory listings when index file not found
      #autoindex  on;
    
      # for wordpress super cache plugin
      #try_files /wp-content/cache/supercache/$http_host/$cache_uri/index.html $uri                                                                                                              $uri/ /index.php?q=$uri&$args;
    
      # for wp cache enabler plugin
      #try_files $cache_enabler_uri $uri $uri/ $custom_subdir/index.php?$args;
    
      # Wordpress Permalinks
      #try_files $uri $uri/ /index.php?q=$uri&$args;
    
      # Nginx level redis Wordpress
      # https://community.centminmod.com/posts/18828/
      try_files $uri $uri/ /index.php?$args;
    
      }
    #location /home/nginx/domains/domain1.com/public/wp-content/uploads/ {
      #pagespeed off;
      #pagespeed unplugged;
     # autoindex on;
      #add_header X-Robots-Tag "noindex, nofollow";
      #location ~* ^/webp/.+\.(png|jpe?g)$ {
       # expires 30d;
        #add_header Vary "Accept-Encoding";
        #add_header Cache-Control "public, no-transform";
        #try_files $uri$webp_extension $uri =404;
      #}
    #}
    location ~* /(wp-login\.php) {
        limit_req zone=xwplogin burst=1 nodelay;
        #limit_conn xwpconlimit 30;
        #auth_basic "Private";
       #auth_basic_user_file /home/nginx/domains/domain1.com/htpasswd_wplogin;
        #include /usr/local/nginx/conf/php-wpsc.conf;
    
        # https://community.centminmod.com/posts/18828/
        include /usr/local/nginx/conf/php-rediscache.conf;
    }
    
    location ~* /(xmlrpc\.php) {
        limit_req zone=xwprpc burst=45 nodelay;
        #limit_conn xwpconlimit 30;
        #include /usr/local/nginx/conf/php-wpsc.conf;
    
        # https://community.centminmod.com/posts/18828/
        include /usr/local/nginx/conf/php-rediscache.conf;
    }
    
    location ~* /wp-admin/(load-scripts\.php) {
        limit_req zone=xwprpc burst=5 nodelay;
        #limit_conn xwpconlimit 30;
        #include /usr/local/nginx/conf/php-wpsc.conf;
    
        # https://community.centminmod.com/posts/18828/
        include /usr/local/nginx/conf/php-rediscache.conf;
    }
    
    location ~* /wp-admin/(load-styles\.php) {
        limit_req zone=xwprpc burst=5 nodelay;
        #limit_conn xwpconlimit 30;
        #include /usr/local/nginx/conf/php-wpsc.conf;
    
        # https://community.centminmod.com/posts/18828/
        include /usr/local/nginx/conf/php-rediscache.conf;
    }
    
      include /usr/local/nginx/conf/wpincludes/domain1.com/wpsecure_domain1.com.conf;
      #include /usr/local/nginx/conf/php-wpsc.conf;
    
      # https://community.centminmod.com/posts/18828/
      include /usr/local/nginx/conf/php-rediscache.conf;
      include /usr/local/nginx/conf/pre-staticfiles-local-domain1.com.conf;
      include /usr/local/nginx/conf/pre-staticfiles-global.conf;
      include /usr/local/nginx/conf/staticfiles.conf;
      include /usr/local/nginx/conf/drop.conf;
      #include /usr/local/nginx/conf/errorpage.conf;
      include /usr/local/nginx/conf/vts_server.conf;
    }
    
    

     
  2. eva2000

    eva2000 Administrator Staff Member

    45,459
    10,315
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +16,000
    Local Time:
    8:06 AM
    Nginx 1.19.x
    MariaDB 5.5/10.x
    Are you behind cloudflare ? If you are, are you using cloudflare Full SSL or Flexible SSL ?

    You also have a typo for 3001 instead of 301
    Code (Text):
    return 3001 https://www.domain1.com$request_uri;
    

    First try running your intended SSL certificate domain through the letsdebug.net online testing tool to check for potential errors with HTTP-01 validation.

    Sounds like Letsencrypt is following your domain's non-https domain's 301/302 redirect to https based domain to validate the domain. But https based domain's SSL certificate expired.

    What you can do is sort of partial manual steps from Migrating Existing Nginx Vhost From HTTP to HTTP/2 based HTTPS With Letsencrypt SSL Certificates in that you temporarily disable your /usr/local/nginx/conf/conf.d/domain.com.ssl.conf nginx vhost and recreate the non-https nginx vhost /usr/local/nginx/conf/conf.d/domain.com.conf using the official Nginx vhost generator at Generate Centmin Mod Nginx Vhost - CentminMod.com LEMP Nginx web stack for CentOS (which is step 1 of guide at Migrating Existing Nginx Vhost From HTTP to HTTP/2 based HTTPS With Letsencrypt SSL Certificates).

    Then follow manual steps 2, 3, 4, 5 and 6 of guide at Migrating Existing Nginx Vhost From HTTP to HTTP/2 based HTTPS With Letsencrypt SSL Certificates where step 6 you can re-enable your https /usr/local/nginx/conf/conf.d/domain.com.ssl.conf nginx vhost and disable your non-https nginx vhost /usr/local/nginx/conf/conf.d/domain.com.conf again.

    Then you can test your domain at Let's Debug to ensure future renewals work.