
SSL Domains Letsencrypt NET::ERR_CERT_AUTHORITY_INVALID

Discussion in 'Domains, DNS, Email & SSL Certificates' started by Mrbo, Jun 28, 2019.

  1. Mrbo

    Mrbo Member

    113
    7
    18
    Jun 17, 2018
    Ratings:
    +7
    Local Time:
    3:39 PM
    I checked this thread but idk if it's still relevant. I installed the WordPress site like I always have done, through the menu option 22. The only difference is that this website's nameserver isn't pointing to the server through Cloudflare like I always have done it before. (The client's name registrar refused to point the nameservers to Cloudflare, so the nameservers are pointing directly to the server.)

    ssllabs says: "Certificate not valid for domain name "
    geocerts says: "A valid Root CA Certificate could not be located"
    The url is: https://nilssonscementgjuteri.se


    How can I proceed?
    Latest CMM code
    Nginx 1.17.0
    PHP: 7.3.6
    MariaDB: 10.3.16
    CentOS 7.6.1810
     
    Last edited: Jun 28, 2019
  2. eva2000

    eva2000 Administrator Staff Member

    54,336
    12,198
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,763
    Local Time:
    6:39 PM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    Nameservers or DNS A records? Letsencrypt requires valid DNS validation of the domain's DNS A and optional AAAA records to the server's IP address.

    First try running your intended SSL certificate domain through the letsdebug.net online testing tool to check for potential errors with HTTP-01 validation.

    How was the initial letsencrypt ssl certificate obtained ? Which method ?
    • Was the domain nginx vhost already created prior, or was a new domain nginx vhost site set up for the first time?
    • Via centmin.sh menu option 2, 22, /usr/bin/nv ?
    • If you ran centmin.sh menu option 2 or 22, which letsencrypt option did you select from
      Code (Text):
      -------------------------------------------------------------
      Setup full Nginx vhost + Wordpress + WP Plugins
      -------------------------------------------------------------
      
      Enter vhost domain name you want to add (without www. prefix): acme3.domain1.com
      
      Create a self-signed SSL certificate Nginx vhost? [y/n]: n
      Get Letsencrypt SSL certificate Nginx vhost? [y/n]: y
      
      You have 4 options:
      1. issue staging test cert with HTTP + HTTPS
      2. issue staging test cert with HTTPS default
      3. issue live cert with HTTP + HTTPS
      4. issue live cert with HTTPS default
      Enter option number 1-4: 1
      
    • Via addons/acmetool.sh ? which specific command ? examples
      Code (Text):
      ./acmetool.sh issue acme.domain.com
      
      Code (Text):
      ./acmetool.sh issue acme.domain.com live
      
      Code (Text):
      ./acmetool.sh issue acme.domain.com d
      
      Code (Text):
      ./acmetool.sh issue acme.domain.com lived
      
    • What was order of steps you did ? Did you run centmin.sh menu option 2 first with letsencrypt ? Then did you run addons/acmetool.sh afterwards ?

    Centmin Mod Self-Signed SSL Fallback



    If you're seeing a Centmin Mod self-signed SSL certificate instead of a letsencrypt SSL certificate, then that's acmetool.sh and centminmod's fallback: if letsencrypt verification fails to obtain a letsencrypt SSL cert, it falls back to a Centmin Mod self-signed SSL certificate on the HTTPS port 443 side so as to preserve the HTTPS nginx vhost.

    Troubleshooting



    There are various steps you can do to troubleshoot failed letsencrypt issuances, renews, reissues etc.
    • acmetool.sh logs all command line or shell menu runs to log files at /root/centminlogs. To troubleshoot, copy the contents of the log run, post them to pastebin.com or gist.github.com, and share the link in this thread. To find the log, list the logs in ascending date order:
      Code (Text):
      ls -lahrt /root/centminlogs
    • For direct acmetool.sh runs, there should be a 2nd & 3rd & 4th log in format /root/centminlogs/centminmod_${DT}_nginx_addvhost_nv.log and /root/centminlogs/acmetool.sh-debug-log-$DT.log and /root/centminlogs/acmesh-issue_*.log or /root/centminlogs/acmesh-reissue_*.log which would need to be included via separate pastebin.com or gist.github.com post.
    • Enable acmetool.sh debug mode. In the persistent config file at /etc/centminmod/custom_config.inc (create it if it doesn't exist), add and enable acmetool.sh debug mode, which gives much more verbose letsencrypt issuance process information when you re-run acmetool.sh or centmin.sh menu options 2, 22 or /usr/bin/nv command lines.
      Code (Text):
      ACMEDEBUG='y'
    If acme.sh auto renewals didn't happen, check output for the following commands
    Code (Text):
    grep acme /var/log/cron* | sed -e "s|$(hostname -s)|host|g"
    

    Code (Text):
    echo y | /usr/local/src/centminmod/addons/acmetool.sh checkdates
    

    Code (Text):
    "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh"
    

    Code (Text):
    echo | openssl s_client -connect yourdomain.com:443
    

    Without the answers to the above questions and logs, there is nothing to help troubleshoot.

    SSLLabs Test



    Also run your HTTPS domain site through the SSLLabs tester at SSL Server Test (Powered by Qualys SSL Labs). If it says untrusted SSL cert and prompts to continue the test, continue the test.
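
Added example, not part of the post above and not Centmin Mod code: a shell helper that turns the `openssl s_client` check into a verdict on which certificate the vhost is serving (self-signed fallback, Let's Encrypt staging, or Let's Encrypt live). The function names are chosen here, and the staging issuer patterns ("Fake LE", "(STAGING)") are the names Let's Encrypt's staging hierarchy has used, not something stated in the thread.

```shell
#!/bin/sh
# Added example: classify the certificate a vhost actually serves.
# fetch_cert_names and classify_cert are names chosen for this example.

# Print the issuer= and subject= lines of the leaf certificate on port 443.
# -servername sends SNI so nginx answers with the vhost for this domain.
fetch_cert_names() {
    echo | openssl s_client -connect "$1:443" -servername "$1" 2>/dev/null \
        | openssl x509 -noout -issuer -subject 2>/dev/null
}

# Read `openssl x509 -noout -issuer -subject` output on stdin, print a verdict.
classify_cert() {
    awk '
      /^issuer=/  { sub(/^issuer= */, "");  issuer  = $0 }
      /^subject=/ { sub(/^subject= */, ""); subject = $0 }
      END {
        # Nothing parsed: TLS handshake failed or no certificate returned.
        if (issuer == "")             { print "no-certificate";      exit }
        # Issuer equals subject: self-signed, e.g. the fallback certificate.
        if (issuer == subject)        { print "self-signed";         exit }
        # Staging test certs chain to an untrusted root, so browsers reject them.
        if (issuer ~ /STAGING|Fake LE/) { print "letsencrypt-staging"; exit }
        if (issuer ~ /Let.s Encrypt/) { print "letsencrypt-live";    exit }
        print "other-ca"
      }'
}

# Run against a real domain only when one is given on the command line.
if [ -n "${1:-}" ]; then
    fetch_cert_names "$1" | classify_cert
fi
```

Both `self-signed` and `letsencrypt-staging` produce a browser trust error, so the verdict tells you whether issuance failed outright or a staging option was selected.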
     
  3. Mrbo

    Mrbo Member

    Name registrar
    I don't really know what they did since I don't have access to the domain. I sent them the nameservers to Vultr and the IPv4 and IPv6 addresses to the server. But it seems to kind of work since I can see the website if I accept the warning and proceed.

    Installation

    I chose the menu option 22, self signed: no, letsencrypt: yes, option 4. And then I chose yes for acmetool.

    Letsdebug:
    ssllabs

    Logs
    addvhost
    debug 1
    debug 2
    issue

    Thanks for taking your time!
     
  4. eva2000

    eva2000 Administrator Staff Member

    That's the problem. Remove your domain's DNS AAAA record, as IPv6 isn't working, so that letsencrypt can validate your domain only on the DNS A IPv4 IP address.

    Then retest the intended SSL certificate domain through the letsdebug.net online testing tool to verify letsencrypt will be able to validate your domain. If it can, run the acmetool.sh reissue-only option for existing nginx HTTPS SSL vhosts with domain.com.ssl.conf vhost config files that exist. This only does a reissue of the letsencrypt SSL cert without touching the nginx vhost. Ideal for use when you tried creating a Nginx HTTPS SSL default vhost site but letsencrypt SSL issuance failed the first time. When it fails, Centmin Mod usually falls back to self-signed SSL as a placeholder for the domain.com.ssl.conf vhost config. When you run:
    Code (Text):
    cd /usr/local/src/centminmod/addons
    ./acmetool.sh reissue-only domain.com live
    

    It will only try reissuing the letsencrypt SSL certificate for the domain = domain.com for a live production SSL certificate without touching any of the existing nginx vhost at domain.com.ssl.conf.
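
Added example, not part of the post above and not Centmin Mod code: a pre-check to run before `reissue-only` that probes port 80 on every published A and AAAA address separately, so a dead AAAA record shows up as its own FAIL line. It assumes `dig` and `curl` are installed; the function names are chosen here.

```shell
#!/bin/sh
# Added example: per-address HTTP reachability check for a domain's A/AAAA records.
# resolve_addrs, probe_http and http01_preflight are names chosen for this example.

# Print every published A and AAAA address (CNAME targets end in "." and are dropped).
resolve_addrs() {
    { dig +short A "$1"; dig +short AAAA "$1"; } | awk '!/\.$/'
}

# Succeed if port 80 on one specific address returns any HTTP response.
# $1 = domain (sent as Host header), $2 = IPv4 or IPv6 address
probe_http() {
    case "$2" in
        *:*) target="[$2]" ;;   # IPv6 literals need brackets in a URL
        *)   target="$2" ;;
    esac
    curl -g -s -o /dev/null --connect-timeout 5 -H "Host: $1" "http://$target/"
}

# Print one verdict line per address; return 1 if any address is unreachable.
http01_preflight() {
    domain=$1
    rc=0
    for addr in $(resolve_addrs "$domain"); do
        case "$addr" in *:*) fam=AAAA ;; *) fam=A ;; esac
        if probe_http "$domain" "$addr"; then
            echo "OK   $fam $addr"
        else
            echo "FAIL $fam $addr"
            rc=1
        fi
    done
    return $rc
}

# Run against a real domain only when one is given on the command line.
if [ -n "${1:-}" ]; then
    http01_preflight "$1"
fi
```

A FAIL on the AAAA line with OK on the A line is the situation described in this thread: either fix IPv6 on the server or remove the AAAA record before reissuing.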
     
  5. Mrbo

    Mrbo Member

    Awesome, thanks a lot George!
    Quick question, do you have any clue why IPv6 doesn't work? (It always worked for me when using Cloudflare.)
     
  6. eva2000

    eva2000 Administrator Staff Member

    Either your server itself doesn't support IPv6 or, if the server does, its IPv6 connectivity is broken. You do have Centmin Mod nginx configured for IPv6 too? You need to do that if not behind Cloudflare.

    To enable and setup Nginx IPv6 support, read FAQ item 34.