DNS Letsencrypt Cloudflare nv command not detecting CF_Token CF_Token and CF_Account_ID in custom_config.inc

Discussion in 'Domains, DNS, Email & SSL Certificates' started by Earl, Nov 29, 2024.

  1. Earl

    Today, after I freshly installed a Centminmod server on a VPS using this script (trying to set up a XenForo website):
    https://centminmod.com/betainstaller80.sh
    Running on AlmaLinux 8.10 (el8).

    I created this file before I ran the installer:
    /etc/centminmod/custom_config.inc
    Code:
    PHP_ARGON='y'
    NGINX_LIBBROTLI='y'
    NGXDYNAMIC_BROTLI='y'
    PHP_PGO='y'
    NGINX_ZERODT='y'
    MARIADB_INSTALLTENTHREE='y'
    ZSTD_LOGROTATE_NGINX='y'
    ZSTD_LOGROTATE_PHPFPM='y'
    DMOTD_PHPCHECK='y'
    PHPFINFO='y'
    MM_LICENSE_KEY='***removed from public view***'
    MM_CSF_SRC='y'
    LETSENCRYPT_DETECT='y'
    KEYLENGTH='ec-256'
    DUALCERTS='y'
    CF_DNSAPI_GLOBAL='y'
    CF_Token='**removed from public view***'
    CF_Account_ID='**removed from public view**'
    SELFSIGNEDSSL_ECDSA='y'
    PHPFINFO='y'
    PHP_OVERWRITECONF='n'
    PYTHON_INSTALL_ALTERNATIVES='y'
    I have the Cloudflare SSL/TLS setting set to Full (Strict) for my domain, and the orange cloud proxy enabled.
    I also disabled the "Always Use HTTPS" option in the Cloudflare dashboard.

    And I tried to create the Vhost using this command:
    Code (Text):
    nv -d removed.from.view -s lelived -u userx

    But it doesn't seem to be working, because I have this part in the logs:
    Code (Text):
    -----------------------------------------------------------
    issue & install letsencrypt ssl certificate for **removed**
    -----------------------------------------------------------
    testcert value = lived
    /root/.acme.sh/acme.sh --dns dns_cf --issue -d **removed** -d www.**removed** --days 60 --pre-hook "/usr/local/src/centminmod/tools/pre-acme-hooks.sh all-check **removed**" -k "ec-256" --useragent "centminmod-el8-acmesh-webroot" --log /root/centminlogs/acmetool.sh-debug-log-291124-070809.log --log-level 2 --preferred-chain "ISRG"
    [Fri Nov 29 07:08:15 UTC 2024] Using CA: https://acme-v02.api.letsencrypt.org/directory
    [Fri Nov 29 07:08:15 UTC 2024] Runing pre hook:'/usr/local/src/centminmod/tools/pre-acme-hooks.sh all-check **removed**'
    The acme.sh configuration file /root/.acme.sh/**removed**/**removed**.conf does not exist or
    The Nginx HTTPS vhost configuration file /usr/local/nginx/conf/conf.d/**removed**.ssl.conf does not exist
    [Fri Nov 29 07:08:15 UTC 2024] Error occurred when running pre hook.
    [Fri Nov 29 07:08:15 UTC 2024] _on_before_issue.
    LECHECK = 1
    
    log files saved at /root/centminlogs
    -rw-r--r-- 1 root root 3.5K Nov 29 07:08 acmetool.sh-debug-log-291124-070809.log
    -rw-r--r-- 1 root root 4.8K Nov 29 07:08 acmesh-issue_291124-070809.log
    
    
    -------------------------------------------------------------
    

    Code (Text):
    {
      "id": 2295856,
      "domain": "**removed**",
      "method": "http-01",
      "status": "Complete",
      "created_at": "2024-11-29T07:08:15.384584Z",
      "started_at": "2024-11-29T07:08:15.386782Z",
      "completed_at": "2024-11-29T07:08:20.707301Z",
      "result": {
        "problems": [
          {
            "name": "CloudflareCDN",
            "explanation": "The domain **removed** is being served through Cloudflare CDN. Any Let's Encrypt certificate installed on the origin server will only encrypt traffic between the server
    and Cloudflare. It is strongly recommended that the SSL option 'Full SSL (strict)' be enabled.",
            "detail": "https://support.cloudflare.com/hc/en-us/articles/200170416-What-do-the-SSL-options-mean-",
            "severity": "Warning"
          },
          {
            "name": "UnexpectedHttpResponse",
            "explanation": "Sending an ACME HTTP validation request to **removed** results in unexpected HTTP response 526 . This indicates that the webserver is misconfigured or misbehaving.",
            "detail": "526 \n\n<!DOCTYPE html>\n<!--[if lt IE 7]> <html class=\"no-js ie6 oldie\" lang=\"en-US\"> <![endif]-->\n<!--[if IE 7]>    <html class=\"no-js ie7 oldie\" lang=\"en-US\">
     <![endif]-->\n<!--[if IE 8]>    <html class=\"no-js ie8 oldie\" lang=\"en-US\"> <![endif]-->\n<!--[if gt IE 8]><!--> <html class=\"no-js\" lang=\"en-US\"> <!--<![endif]-->\n<head>\n\n\n<ti
    tle>**removed** | 526: Invalid SSL certificate</title>\n<meta charset=\"UTF-8\" />\n<meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\" />\n<meta http-equiv=\"X-UA-Compatible
    \" content=\"IE=Edge\" />\n<meta name=\"robots\" content=\"noindex, nofollow\" />\n<meta name=\"viewport\" content=\"width=device-width,initial-scale=1\" />\n<link rel=\"stylesheet\" id=\"c
    f_styles-css\" href=\"/cdn-cgi/styles/main.css\" />\n\n\n</head>\n<body>\n<div id=\"cf-wrapper\">\n    <div id=\"cf-error-details\" class=\"p-0\">\n        <header class=\"mx-auto pt-10 lg:
    pt-6 lg:px-8 w-240 lg......
    


    And I don't see that the CF token settings have been imported into the acme.sh account.conf file.
    Code (Text):
    cat ~/.acme.sh/account.conf
    
    
    LOG_FILE='/root/centminlogs/acmetool.sh-debug-log-291124-071658.log'
    LOG_LEVEL='2'
    
    #AUTO_UPGRADE="1"
    
    #NO_TIMESTAMP=1
    
    
    UPGRADE_HASH='5d6f1bd2d7d1dbb2ac880dbf59d3eee7a79fb1bb'
    DEFAULT_ACME_SERVER='https://acme-v02.api.letsencrypt.org/directory'
    USER_AGENT='centminmod-el8-acmesh-webroot'
    


    I ran this command, and I can see the token is correct.

    Code (Text):
    # echo y | /usr/local/src/centminmod/addons/acmetool.sh check_cfapi
    Verifying working Cloudflare DNS API Credentials
    CF API Tokens detected
    Ok: CF API Token works


    Code (Text):
    cat /root/centminlogs/acmetool.sh-debug-log-291124-071658.log
    [Fri Nov 29 07:17:03 UTC 2024] Let's find the script directory.
    [Fri Nov 29 07:17:03 UTC 2024] _SCRIPT_='/root/.acme.sh/acme.sh'
    [Fri Nov 29 07:17:03 UTC 2024] _script='/root/.acme.sh/acme.sh'
    [Fri Nov 29 07:17:03 UTC 2024] _script_home='/root/.acme.sh'
    [Fri Nov 29 07:17:03 UTC 2024] Using config home: /root/.acme.sh
    [Fri Nov 29 07:17:03 UTC 2024] LE_WORKING_DIR='/root/.acme.sh'
    [Fri Nov 29 07:17:03 UTC 2024] Running cmd: issue
    [Fri Nov 29 07:17:03 UTC 2024] _main_domain='**removed**'
    [Fri Nov 29 07:17:03 UTC 2024] _alt_domains='www.**removed**'
    [Fri Nov 29 07:17:03 UTC 2024] Using config home: /root/.acme.sh
    [Fri Nov 29 07:17:03 UTC 2024] default_acme_server='https://acme-v02.api.letsencrypt.org/directory'
    [Fri Nov 29 07:17:03 UTC 2024] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
    [Fri Nov 29 07:17:03 UTC 2024] _ACME_SERVER_HOST='acme-v02.api.letsencrypt.org'
    [Fri Nov 29 07:17:03 UTC 2024] _ACME_SERVER_PATH='directory'
    [Fri Nov 29 07:17:03 UTC 2024] DOMAIN_PATH='/root/.acme.sh/**removed**_ecc'
    [Fri Nov 29 07:17:03 UTC 2024] 'dns_cf' does not contain 'dns'
    [Fri Nov 29 07:17:03 UTC 2024] Using ACME_DIRECTORY: https://acme-v02.api.letsencrypt.org/directory
    [Fri Nov 29 07:17:03 UTC 2024] _init API for server: https://acme-v02.api.letsencrypt.org/directory
    [Fri Nov 29 07:17:03 UTC 2024] GET
    [Fri Nov 29 07:17:03 UTC 2024] url='https://acme-v02.api.letsencrypt.org/directory'
    [Fri Nov 29 07:17:03 UTC 2024] timeout=
    [Fri Nov 29 07:17:03 UTC 2024] _CURL='curl --silent --dump-header /root/.acme.sh/http.header  -L  -g '
    [Fri Nov 29 07:17:03 UTC 2024] ret='0'
    [Fri Nov 29 07:17:03 UTC 2024] response='{
      "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
      "meta": {
        "caaIdentities": [
          "letsencrypt.org"
        ],
        "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.4-April-3-2024.pdf",
        "website": "https://letsencrypt.org"
      },
      "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
      "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
      "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
      "qdK2ddyXmA4": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
      "renewalInfo": "https://acme-v02.api.letsencrypt.org/draft-ietf-acme-ari-03/renewalInfo",
      "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
    }'
    [Fri Nov 29 07:17:04 UTC 2024] ACME_KEY_CHANGE='https://acme-v02.api.letsencrypt.org/acme/key-change'
    [Fri Nov 29 07:17:04 UTC 2024] ACME_NEW_AUTHZ
    [Fri Nov 29 07:17:04 UTC 2024] ACME_NEW_ORDER='https://acme-v02.api.letsencrypt.org/acme/new-order'
    [Fri Nov 29 07:17:04 UTC 2024] ACME_NEW_ACCOUNT='https://acme-v02.api.letsencrypt.org/acme/new-acct'
    [Fri Nov 29 07:17:04 UTC 2024] ACME_REVOKE_CERT='https://acme-v02.api.letsencrypt.org/acme/revoke-cert'
    [Fri Nov 29 07:17:04 UTC 2024] ACME_AGREEMENT='https://letsencrypt.org/documents/LE-SA-v1.4-April-3-2024.pdf'
    [Fri Nov 29 07:17:04 UTC 2024] ACME_NEW_NONCE='https://acme-v02.api.letsencrypt.org/acme/new-nonce'
    [Fri Nov 29 07:17:04 UTC 2024] Using CA: https://acme-v02.api.letsencrypt.org/directory
    [Fri Nov 29 07:17:04 UTC 2024] _on_before_issue
    [Fri Nov 29 07:17:04 UTC 2024] _chk_main_domain='**removed**'
    [Fri Nov 29 07:17:04 UTC 2024] _chk_alt_domains='www.**removed**'
    [Fri Nov 29 07:17:04 UTC 2024] Runing pre hook:'/usr/local/src/centminmod/tools/pre-acme-hooks.sh all-check **removed**'
    [Fri Nov 29 07:17:04 UTC 2024] Error occurred when running pre hook.
    [Fri Nov 29 07:17:04 UTC 2024] _on_before_issue.
    




    Please tell me how to fix this.
    This Let's Encrypt DNS method is important; I am trying to set up a gitlab-ci.yml job.
     
    Last edited: Nov 29, 2024
  2. Earl

    I tried using acmetool.sh acme-menu and chose "Issue SSL Cert Staging/Test HTTPS Default" from the menu, and I still get this hook error.
    I also tried centmin menu option #2 to create the vhost with the Let's Encrypt option, but I still get the same error.
    I ran the acme pre-hooks file manually:
    Code (Text):
    /usr/local/src/centminmod/tools/pre-acme-hooks.sh all-check **removed**
    The acme.sh configuration file /root/.acme.sh/lk1.net/**removed**.conf does not exist or
    The Nginx HTTPS vhost configuration file /usr/local/nginx/conf/conf.d/**removed**.ssl.conf does not exist


    And I made sure the nginx vhost file exists, but /root/.acme.sh/lk1.net/mydomain.co.cc.conf does not exist.

    hmmm, why is the file not getting created? :pompous:
     
    Last edited: Nov 29, 2024
  3. eva2000

    Is the domain name non-English based? Each centmin.sh menu option has auto logging to /root/centminlogs, as does the nv command for creating nginx vhosts. You can find the list of nv logs using the ls command in date ascending order, so the latest log is listed last:
    Code (Text):
    ls -lahrt /root/centminlogs/ | grep  'nginx_addvhost_nv'
    

    i.e. if I used nv to create an nginx vhost for domain.com, the first log has the full log of the nv command run so you can inspect it for clues as to the issue, and the 2nd log is the list of commands to remove the nginx vhost if you want to try again:
    Code (Text):
    ls -lahrt /root/centminlogs/ | grep  'nginx_addvhost_nv'
    -rw-r--r--   1 root root 7.3K Jun  7  2023 centminmod_070623-022820_nginx_addvhost_nv.log
    -rw-r--r--   1 root root 1.2K Jun  7  2023 centminmod_070623-022820_nginx_addvhost_nv-remove-cmds-domain.com.log
    
     
  4. Earl

    Thank you for replying fast!
    Even running the acmetool.sh issue domain.co.cc d command failed.
    After removing this line from custom_config.inc:
    KEYLENGTH='ec-256'
    I was able to generate the certificate. I'm not sure why. Maybe the pre-acme-hooks.sh script might not be properly handling EC certificates.
    But that's okay. I can't even remember why I put that line in the config file :ROFLMAO:
     
  5. eva2000

    Ah, that is the issue.

    You have:
    Code (Text):
    KEYLENGTH='ec-256'
    DUALCERTS='y'
    

    When you set DUALCERTS='y', the underlying addons/acmetool.sh will detect that setting and auto set KEYLENGTH='ec-256' for the 2nd SSL certificate issued, while the 1st SSL certificate is RSA 2048-bit based. Your setting KEYLENGTH='ec-256' overrode addons/acmetool.sh's expectation, and thus the /root/.acme.sh directories didn't get properly created - one for ecc and one for rsa.

    Now if you used the below to disable DUALCERTS, or removed DUALCERTS='y', then KEYLENGTH='ec-256' would have worked, as it issues a single ecc-based SSL certificate:
    Code (Text):
    KEYLENGTH='ec-256'
    DUALCERTS='n'
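As an added example (not Centminmod's own code), a small POSIX sh pre-flight lint that catches the conflicting pair eva2000 describes in /etc/centminmod/custom_config.inc before nv or acmetool.sh is run; the cfg_get and check_dualcerts names and the sample config written to a temp file are constructed here.

```shell
#!/bin/sh
# Added example, not part of Centminmod: pre-flight lint for
# /etc/centminmod/custom_config.inc that flags DUALCERTS='y' combined with
# a hand-set KEYLENGTH, the pair that broke vhost creation in this thread.

# cfg_get FILE VAR: print the value of the last VAR='...' (or VAR="...")
# assignment in FILE, which is what wins when the file is sourced.
cfg_get() {
  sed -n "s/^[[:space:]]*$2=['\"]\{0,1\}\([^'\"]*\)['\"]\{0,1\}.*/\1/p" "$1" | tail -n 1
}

# check_dualcerts FILE: returns 0 when KEYLENGTH/DUALCERTS are consistent,
# 1 when DUALCERTS='y' would be overridden by an explicit KEYLENGTH
# (acmetool.sh sets ec-256 itself for the 2nd, ECC certificate).
check_dualcerts() {
  dual=$(cfg_get "$1" DUALCERTS)
  keylen=$(cfg_get "$1" KEYLENGTH)
  if [ "$dual" = "y" ] && [ -n "$keylen" ]; then
    echo "conflict: DUALCERTS='y' already implies KEYLENGTH='ec-256'; drop KEYLENGTH='$keylen' or set DUALCERTS='n'" >&2
    return 1
  fi
  echo "ok: DUALCERTS='${dual:-unset}' KEYLENGTH='${keylen:-unset}'"
  return 0
}

# Constructed sample mirroring the thread's custom_config.inc; run the lint on it.
demo_cfg=$(mktemp)
cat >"$demo_cfg" <<'EOF'
LETSENCRYPT_DETECT='y'
KEYLENGTH='ec-256'
DUALCERTS='y'
CF_DNSAPI_GLOBAL='y'
EOF
if ! check_dualcerts "$demo_cfg"; then
  echo "fix custom_config.inc before running nv or acmetool.sh"
fi
rm -f "$demo_cfg"
```

Point it at the real file with `check_dualcerts /etc/centminmod/custom_config.inc` to verify a fresh install before the first nv run.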