
New vhost failing

Discussion in 'Domains, DNS, Email & SSL Certificates' started by Tracy Perry, May 19, 2018.

  1. Tracy Perry

    I'm trying to create two new vhosts under the latest BETA code of CentMin and use the LE certificate.

    On both domains I'm getting this error (the domains are just different):
    Code:
    issue & install letsencrypt ssl certificate for servinglinux.com
    -----------------------------------------------------------
    testcert value = d
    /root/.acme.sh/acme.sh --staging --issue -d servinglinux.com -d www.servinglinux.com --days 60 -w /home/nginx/domains/servinglinux.com/public -k 2048 --useragent centminmod-centos7-acmesh-webroot --log /root/centminlogs/acmetool.sh-debug-log-180518-084601.log --log-level 2
    [Fri May 18 08:46:10 CDT 2018] Using stage ACME_DIRECTORY: https://acme-staging.api.letsencrypt.org/directory
    [Fri May 18 08:46:10 CDT 2018] Creating domain key
    [Fri May 18 08:46:10 CDT 2018] The domain key is here: /root/.acme.sh/servinglinux.com/servinglinux.com.key
    [Fri May 18 08:46:10 CDT 2018] Multi domain='DNS:servinglinux.com,DNS:www.servinglinux.com'
    [Fri May 18 08:46:11 CDT 2018] Getting domain auth token for each domain
    [Fri May 18 08:46:11 CDT 2018] Getting webroot for domain='servinglinux.com'
    [Fri May 18 08:46:11 CDT 2018] Getting new-authz for domain='servinglinux.com'
    [Fri May 18 08:46:11 CDT 2018] The new-authz request is ok.
    [Fri May 18 08:46:12 CDT 2018] Getting webroot for domain='www.servinglinux.com'
    [Fri May 18 08:46:12 CDT 2018] Getting new-authz for domain='www.servinglinux.com'
    [Fri May 18 08:46:12 CDT 2018] The new-authz request is ok.
    [Fri May 18 08:46:12 CDT 2018] Verifying:servinglinux.com
    [Fri May 18 08:46:15 CDT 2018] servinglinux.com:Verify error:Invalid response from http://servinglinux.com/.well-known/acme-challenge/XPz917GjpsFVkOe-hdSAJODYXeUBLJITRjadauWZYjU:
    [Fri May 18 08:46:15 CDT 2018] Please check log file for more details: /root/centminlogs/acmetool.sh-debug-log-180518-084601.log
    LECHECK = 1
    
    log files saved at /root/centminlogs
    -rw-r--r--  1 root root  39K May 18 08:46 acmetool.sh-debug-log-180518-084601.log
    -rw-r--r--  1 root root 4.7K May 18 08:46 acmesh-issue_180518-084601.log
    It seems that nginx is not responding to the challenge request?

    The debug log is here (pastebin due to size).
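As an added example (not code from Centmin Mod, acme.sh or this thread), a Python pre-flight check for HTTP-01 webroot validation. It writes a throwaway token under the webroot's .well-known/acme-challenge/ directory and then fetches it from each of the domain's addresses one at a time, with the Host header set the way the CA sends it, so a listener that answers with a redirect, a 404 or another site's content shows up before the CA is asked and the "Invalid response from http://.../.well-known/acme-challenge/..." error is reproduced locally, per address family. The demo() scenario uses two local http.server instances as constructed stand-ins for nginx; example.test, the function names and the acme-preflight user agent are this example's own.

```python
import http.client
import os
import secrets
import socket
import sys
import tempfile
import threading
from functools import partial
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer

# Added example, not acme.sh or Centmin Mod code. Names and paths are this example's own.
CHALLENGE_URL = "/.well-known/acme-challenge/"


def write_token(webroot):
    """Drop a random token file under WEBROOT/.well-known/acme-challenge/.
    Returns (token, expected body). A real ACME body is token.thumbprint;
    for a reachability check any unique content will do."""
    token = secrets.token_urlsafe(32)
    body = token + ".preflight"
    path = os.path.join(webroot, ".well-known", "acme-challenge")
    os.makedirs(path, exist_ok=True)
    with open(os.path.join(path, token), "w") as fh:
        fh.write(body)
    return token, body


def preflight_address(addr, port, domain, token, expected, timeout=5.0):
    """GET the token from one literal IP with Host: domain, as the CA does.
    Connecting to the IP instead of the name tests IPv4 and IPv6 separately;
    redirects are not followed, so a redirect-only vhost is reported as such."""
    result = {"addr": addr, "port": port, "ok": False, "status": None, "detail": ""}
    try:
        conn = http.client.HTTPConnection(addr, port, timeout=timeout)
        conn.request("GET", CHALLENGE_URL + token,
                     headers={"Host": domain, "User-Agent": "acme-preflight/0 (example)"})
        resp = conn.getresponse()
        body = resp.read().decode("utf-8", "replace")
        conn.close()
        result["status"] = resp.status
        if resp.status in (301, 302, 307, 308):
            result["detail"] = "redirected to %s: a redirect-only or default vhost answered" % resp.getheader("Location")
        elif resp.status != 200:
            result["detail"] = "HTTP %d: wrong vhost, missing file or blocked path" % resp.status
        elif body.strip() != expected:
            result["detail"] = "200 but wrong body: another vhost answered"
        else:
            result["ok"] = True
    except OSError as exc:
        result["detail"] = "connection failed: %s" % exc
    return result


def resolve_addresses(domain):
    """Every A and AAAA address the CA could choose (needs DNS; not used by demo())."""
    infos = socket.getaddrinfo(domain, 80, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


class QuietHandler(SimpleHTTPRequestHandler):
    def log_message(self, *args):  # keep the demo output limited to our own report
        pass


def serve_webroot(webroot):
    """Local http.server on 127.0.0.1:<random port>, a constructed stand-in for nginx."""
    httpd = ThreadingHTTPServer(("127.0.0.1", 0), partial(QuietHandler, directory=webroot))
    threading.Thread(target=httpd.serve_forever, daemon=True).start()
    return httpd


def demo():
    """Constructed scenario: the right webroot behind one listener, an unrelated
    directory (the 'default vhost' case) behind another. Returns both results."""
    right_root, wrong_root = tempfile.mkdtemp(), tempfile.mkdtemp()
    token, expected = write_token(right_root)
    right, wrong = serve_webroot(right_root), serve_webroot(wrong_root)
    try:
        return [preflight_address("127.0.0.1", right.server_address[1], "example.test", token, expected),
                preflight_address("127.0.0.1", wrong.server_address[1], "example.test", token, expected)]
    finally:
        right.shutdown()
        wrong.shutdown()


if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: preflight.py DOMAIN WEBROOT -> checks every A/AAAA address on port 80
        tok, exp = write_token(sys.argv[2])
        results = [preflight_address(a, 80, sys.argv[1], tok, exp) for a in resolve_addresses(sys.argv[1])]
    else:
        results = demo()
    for r in results:
        print("%-40s %-4s %s" % ("%s:%s" % (r["addr"], r["port"]), "OK" if r["ok"] else "FAIL", r["detail"]))
```

Run against a real vhost with `python3 preflight.py DOMAIN /home/nginx/domains/DOMAIN/public` from the server itself; every address the name resolves to must report OK, otherwise the CA's validation fails on whichever address it happens to pick. Since redirects are deliberately not followed, a 301/302 answer is reported rather than chased, which is exactly the kind of response the CA rejects for the challenge URL.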
     
  2. Tracy Perry

    Part of the issue may be that I'm using multiple vhosts and each has its own IPv6 address but shares an IPv4 one.
    I had to modify the server stanzas to reflect the IPv6 addresses and then restart the HTTP process. Once I did that I manually ran
    Code:
    /root/.acme.sh/acme.sh --issue -d servinglinux.com -d www.servinglinux.com --days 60 -w /home/nginx/domains/servinglinux.com/public -k 2048 --useragent centminmod-centos7-acmesh-webroot --log /root/centminlogs/acmetool.sh-debug-log-180518-083100.log --log-level 2
    but instead of putting the certs where you would expect in CentMin it installed them in the /root directory.

    I guess I could have run the CentMin tool, but it gave me the above errors when setting up a vhost.
     
  3. eva2000

    The first post's commands show the --staging flag, so you issued staging test letsencrypt SSL certs, not live ones. But yes, the first post's debug log shows it was trying to validate and resolving to the IPv6 address of the domain.

    How was the initial letsencrypt SSL certificate obtained? Which method?
    • Was the domain's nginx vhost already created prior, or was the nginx vhost site set up for the first time?
    • Via centmin.sh menu option 2, 22, or /usr/bin/nv?
    • If you ran centmin.sh menu option 2 or 22, which letsencrypt option did you select from
      Code (Text):
      -------------------------------------------------------------
      Setup full Nginx vhost + Wordpress + WP Plugins
      -------------------------------------------------------------
      
      Enter vhost domain name you want to add (without www. prefix): acme3.domain1.com
      
      Create a self-signed SSL certificate Nginx vhost? [y/n]: n
      Get Letsencrypt SSL certificate Nginx vhost? [y/n]: y
      
      You have 4 options:
      1. issue staging test cert with HTTP + HTTPS
      2. issue staging test cert with HTTPS default
      3. issue live cert with HTTP + HTTPS
      4. issue live cert with HTTPS default
      Enter option number 1-4: 1
      
    • Via addons/acmetool.sh? Which specific command? Examples:
      Code (Text):
      ./acmetool.sh issue acme.domain.com
      
      Code (Text):
      ./acmetool.sh issue acme.domain.com live
      
      Code (Text):
      ./acmetool.sh issue acme.domain.com d
      
      Code (Text):
      ./acmetool.sh issue acme.domain.com lived
      
    • What was the order of steps you did? Did you run centmin.sh menu option 2 first with letsencrypt? Then did you run addons/acmetool.sh afterwards?

    Yes, if you don't use the centmin.sh or acmetool.sh integration, letsencrypt SSL certs obtained directly via acme.sh need 2 steps/commands to get the letsencrypt SSL certs into the right directory, plus manual editing of the vhost. If you use centmin.sh or acmetool.sh, it automatically does the 2 steps/commands required and auto-configures the nginx vhost for HTTP/2 HTTPS. If you want to do acme.sh manually, use Method 3 outlined below. Though the centmin.sh menu option 2 method should work if you just fix up your DNS on the IPv6 side and select a live letsencrypt SSL cert and not staging test letsencrypt SSL certs.

    There are generally 3 ways of setting up an HTTPS SSL certificate for Centmin Mod Nginx HTTP/2 based HTTPS:

    Method 1. The traditional way via centmin.sh menu option 2, 22 and selecting yes to self-signed SSL certificates first. Then converting the self-signed SSL certificate to a paid or free (Letsencrypt) web browser trusted SSL certificate as outlined at How to switch self-signed SSL certificate to paid SSL certificate ? You would still need to follow the same steps outlined at Nginx SPDY SSL Configuration for obtaining and purchasing the paid SSL certificate, and the most important part is the concatenation of the SSL provider's files to create the mentioned /usr/local/nginx/conf/ssl/domaincom/ssl-unified.crt and /usr/local/nginx/conf/ssl/domaincom/ssl-trusted.crt files referenced in your Nginx SSL vhost config file.

    You may need to also decide if you want to enable HTTP to HTTPS redirect outlined at How to force redirect from HTTP:// to HTTPS:// ?

    If you didn't answer yes to self-signed SSL certificates at the time of initial nginx vhost creation, you can manually set up the self-signed SSL certificate via the vhost generator by checking the self-signed SSL box and entering a domain name. This will outline instructions for manually creating and setting up the self-signed SSL certificate and nginx vhost settings. Then for web browser trusted SSL certificates you follow How to switch self-signed SSL certificate to paid SSL certificate ?.

    Method 2. Using and testing Centmin Mod 123.09beta01's new addons/acmetool.sh addon, which is still in beta testing only, for integrating Letsencrypt SSL certificates. It has both auto and manual methods.

    Method 3. Fully manual method for free Letsencrypt SSL certificates.
    Note:
    • For the wordpress auto installer, you actually need to read method 2 to enable LETSENCRYPT_DETECT='y', then run centmin.sh menu option 22, which will detect letsencrypt support and display the additional letsencrypt prompts required to issue free letsencrypt SSL certificates for the wordpress auto installer.
    If your site has no data or can be re-created, you can remove the Nginx vhost account and try again. To properly remove an Nginx vhost, the instructions are on the official site at How to delete Nginx vhost account for existing domain/subdomain ? and each Nginx vhost creation's ending output also lists the commands.

    You also get a log file for each Nginx vhost created which lists the commands in 123.09beta01 and higher; for example, for http2.domain.com the remove log is at /root/centminlogs/centminmod_140218-021218_nginx_addvhost_nv-remove-cmds-http2.domain.com.log
    Code (Text):
    ls -lahrt /root/centminlogs/ | grep remove
    -rw-r--r--   1 root root 1.3K Feb 14 02:12 centminmod_140218-021218_nginx_addvhost_nv-remove-cmds-http2.domain.com.log
    
     
  4. Tracy Perry

    Used option 2 to create the vhost... and then selected <N> to self-signed and <Y> to LE.
    Just tried it (new install for the domain) again after using the RM commands that are given at creation time and am still getting the same issue. I think what is happening is that due to my configuration it is hitting the default redneckhost.com website instead of the appropriate one. I was able to get servinglinux.com up by running it manually, but it puts the certs in the /root/acme.sh directory instead of the /usr/local/nginx/ssl setup.


    The vhost is the default one that is created... but when I change it to this (for the server stanzas)
    Code:
    server {
        # ipv4
        listen [2604:180:0:5::45]:80;
        listen 107.161.30.23:80;
        server_name sayapple.com www.sayapple.com;
        return 302 https://sayapple.com$request_uri;
    }
    server {
        listen 107.161.30.23:80;
        listen [2604:180:0:5::45]:80;
        server_name sayapple.com www.sayapple.com;
        return 301 https://$server_name$request_uri;
    }
    server {
        listen 107.161.30.23:443 ssl http2;
        listen [2604:180:0:5::45]:80;
        listen [2604:180:0:5::45]:443 ssl http2;
        listen 107.161.30.23:80;
    
    and then restart nginx and run
    Code:
     /root/.acme.sh/acme.sh --issue -d sayapple.com -d www.sayapple.com --days 60 -w /home/nginx/domains/sayapple.com/public -k 2048 --useragent centminmod-centos7-acmesh-webroot --log /root/centminlogs/acmetool.sh-debug-log-180518-154133.log --log-level 2
    the certificate is generated fine as the domain is now responding instead of the default domain (redneckhost.com).
    The only issue is that it generates the SSL related files at an alternative location (/root/.acme.sh/sayapple.com/sayapple.com.???) and I have to modify the .conf file or make symbolic links.

    And yes, I know it's sayapple.com and not servinglinux.com; I was working on both domains, and servinglinux.com was already up and running while sayapple.com wasn't, so I worked with that one for the latest example. ;)
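As an added example (not nginx's or Centmin Mod's code), a small Python audit of the situation described in this post. nginx first selects the listen socket (address:port) a connection arrived on and only then matches the Host header against the server_name values of the blocks listening on that socket; if none match, the default server for that socket (the first one declared, unless one carries default_server) answers. So a vhost that listens only on the shared IPv4 address never sees IPv6 requests for its name, and those land in whichever block is the default on the IPv6 socket, which is consistent with the challenge request reaching the wrong site above. Conversely, several blocks naming the same host on the same socket trigger nginx's "conflicting server name" warning and only the first is used. The script parses listen/server_name from top-level server blocks (its own minimal parser, nothing more) and reports, per socket, whether the domain is unserved or served more than once. CONF_POSTED is constructed from the snippet in this post, with the cut-off third block completed by assumed server_name and root lines; CONF_IPV4_ONLY is the same text with the IPv6 listen lines removed, as a stand-in for the stock vhost before the edit.

```python
import re

# Added example, not nginx or Centmin Mod code. It only understands listen and
# server_name directives inside top-level server blocks.
LISTEN_RE = re.compile(r"^\s*listen\s+(.+?);", re.M)
NAME_RE = re.compile(r"^\s*server_name\s+(.+?);", re.M)

# Constructed from the post's snippet; the third block was cut off in the post,
# so its server_name and root lines are assumed here.
CONF_POSTED = """
server {
    listen [2604:180:0:5::45]:80;
    listen 107.161.30.23:80;
    server_name sayapple.com www.sayapple.com;
    return 302 https://sayapple.com$request_uri;
}
server {
    listen 107.161.30.23:80;
    listen [2604:180:0:5::45]:80;
    server_name sayapple.com www.sayapple.com;
    return 301 https://$server_name$request_uri;
}
server {
    listen 107.161.30.23:443 ssl http2;
    listen [2604:180:0:5::45]:80;
    listen [2604:180:0:5::45]:443 ssl http2;
    listen 107.161.30.23:80;
    server_name sayapple.com www.sayapple.com;  # assumed continuation
    root /home/nginx/domains/sayapple.com/public;
}
"""
# The same config before the IPv6 listen lines were added (constructed).
CONF_IPV4_ONLY = "\n".join(l for l in CONF_POSTED.splitlines() if "[2604" not in l)
ADDRESSES = ["107.161.30.23", "2604:180:0:5::45"]  # the domain's A and AAAA, as in the thread


def server_blocks(conf):
    """Return the body text of each top-level server { ... } block, comments stripped."""
    text = re.sub(r"#.*", "", conf)
    blocks, i = [], 0
    while True:
        m = re.search(r"\bserver\s*\{", text[i:])
        if not m:
            return blocks
        start = i + m.end()
        depth, j = 1, start
        while j < len(text) and depth:          # brace matching to find the block end
            depth += {"{": 1, "}": -1}.get(text[j], 0)
            j += 1
        blocks.append(text[start:j - 1])
        i = j


def parse_listen(spec):
    """'[2604:180:0:5::45]:443 ssl http2' -> ('2604:180:0:5::45', 443, {'ssl', 'http2'}).
    A bare port ('listen 80;') binds every IPv4 address and is returned as '*'."""
    parts = spec.split()
    addrport, flags = parts[0], set(parts[1:])
    m = re.match(r"^(?:\[(.+)\]|([^:]+)):(\d+)$", addrport)
    if m:
        return m.group(1) or m.group(2), int(m.group(3)), flags
    if addrport.isdigit():
        return "*", int(addrport), flags
    return addrport.strip("[]"), 80, flags       # 'listen 1.2.3.4;' means port 80


def parse_servers(conf):
    """[{'names': {...}, 'listens': [(addr, port, flags), ...]}, ...] in file order."""
    servers = []
    for body in server_blocks(conf):
        names = set()
        for m in NAME_RE.finditer(body):
            names.update(m.group(1).split())
        listens = [parse_listen(m.group(1)) for m in LISTEN_RE.finditer(body)]
        servers.append({"names": names, "listens": listens})
    return servers


def listen_matches(laddr, addr):
    """Does a listen address cover a concrete IP? '*' is all IPv4, '::' is all IPv6."""
    is_v6 = ":" in addr
    return laddr == addr or (laddr == "*" and not is_v6) or (laddr == "::" and is_v6)


def audit(conf, domain, addresses, ports=(80, 443)):
    """One finding per socket where DOMAIN is unserved (the socket's default server
    answers instead) or served by several blocks (nginx keeps only the first)."""
    servers = parse_servers(conf)
    findings = []
    for addr in addresses:
        for port in ports:
            hits = [i for i, s in enumerate(servers) if domain in s["names"]
                    for laddr, lport, _flags in s["listens"]
                    if lport == port and listen_matches(laddr, addr)]
            sock = ("[%s]:%d" if ":" in addr else "%s:%d") % (addr, port)
            if not hits:
                findings.append("MISSING %s: no block names %s, the default server for this socket answers" % (sock, domain))
            elif len(hits) > 1:
                findings.append("DUPLICATE %s: %d blocks name %s, only the first is used" % (sock, len(hits), domain))
    return findings


if __name__ == "__main__":
    for label, conf in (("IPv4-only vhost", CONF_IPV4_ONLY), ("posted edit", CONF_POSTED)):
        print(label)
        for finding in audit(conf, "sayapple.com", ADDRESSES) or ["no findings"]:
            print("  " + finding)
```

For the IPv4-only variant the audit reports the two IPv6 sockets as MISSING, which is the state in which an IPv6 validation request is answered by another site; for the edited config it reports port 80 as DUPLICATE on both addresses, because all three blocks claim the name there, so only the first redirect block is ever used and the extra port-80 listens in the SSL block are dead. The same check can be run on a real file by passing the output of `nginx -T` as `conf`, as long as the blocks of interest are top-level server blocks.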
     
  5. eva2000

    Full vhost contents? You could be blocking .well-known directory validation requests in your vhost.

    See method 3 outlined above, which outlines the additional commands to move the SSL certs to the right directories:

    Method 3. Fully manual method for free Letsencrypt SSL certificates.
     