Letsencrypt Official acmetool.sh testing thread for Centmin Mod 123.09beta01

Discussion in 'Domains, DNS, Email & SSL Certificates' started by eva2000, Jul 26, 2016.

  1. pamamolf

    pamamolf Well-Known Member

    If the user has it there commented for HTTP, why not for HTTPS? :)

    Do I get an HTTP/2 protocol working at the end with the acmetool SSL setup?
     
    Last edited by a moderator: Sep 25, 2016
  2. eva2000

    eva2000 Administrator Staff Member

    Centmin Mod Nginx HTTPS uses HTTP/2 only.
     
  3. pamamolf

    pamamolf Well-Known Member

    I just disabled Cloudflare on my test VPS and pointed an A record to my VPS IP, but I am getting this:

    centmintest.com
     
  4. eva2000

    eva2000 Administrator Staff Member

    Did you enable HSTS in Cloudflare? It is cached in your browser for the HSTS max-age, which is usually 6-12 months, to force HTTPS. Looks fine for me in curl
    Code (Text):
    curl -Isv https://centmintest.com

    and okay via the dev ssllabs SSL Server Test: centmintest.com (Powered by Qualys SSL Labs)


    Make sure the browser cache is cleared

    and other HTTPS SSL & HTTP/2 Testing Tools
     
  5. pamamolf

    pamamolf Well-Known Member

    I didn't enable HSTS, so a simple browser cache clear fixed it :)

    What needs to be done to get the A+?
     
  6. eva2000

    eva2000 Administrator Staff Member

    Enable HSTS either in Cloudflare or in the Nginx vhost to force HTTP to HTTPS for a max-age time of 6-12 months.
     
  7. JarylW

    JarylW Active Member

    Hmm, was trying to set up a staging site (HTTPS only default) using centmin 22. Noticed it doesn't issue a cert with menu 22 anymore?

    Do I need to run ./acmetool.sh separately?

    Again got
    Code:
    [Mon Sep 26 16:51:59 UTC 2016] site.com:Verify error:Invalid response from http://site.com/.well-known/acme-challenge/EIaSIBtTtwlSKmRw24eDXhW0rO9A6kRq-OLXSD_mX3s: \n[Mon Sep 26 16:51:59 UTC 2016] Please use add '--debug' or '--log' to check more details.
    [Mon Sep 26 16:51:59 UTC 2016] See: https://github.com/Neilpang/acme.sh/wiki/How-to-debug-acme.sh
    LECHECK = 1
    
     
  8. eva2000

    eva2000 Administrator Staff Member

    1st post
    However, looks like you have another failed verification, what's the domain name?

    See the 1st post troubleshooting steps too

    Troubleshooting Issues



    There are various steps you can take to troubleshoot failed letsencrypt issuances, renews, reissues etc.
    • acmetool.sh logs all command line or shell menu runs to log files at /root/centminlogs. To troubleshoot, copy the contents of the log run, post the contents of the log to pastebin.com or gist.github.com and share the link in this thread. To find the log, list the logs in ascending date order
      Code (Text):
      ls -lahrt /root/centminlogs
    • Enable acmetool.sh debug mode. In the persistent config file at /etc/centminmod/custom_config.inc (create it if it doesn't exist) add and enable acmetool.sh debug mode, which gives much more verbose letsencrypt issuance process information when you re-run acmetool.sh or centmin.sh menu options 2, 22 or /usr/bin/nv command lines.
      Code (Text):
      ACMEDEBUG='y'
    The full log posted to pastebin.com or gist.github.com would help.
     
  9. eva2000

    eva2000 Administrator Staff Member


    acmetool.sh 1.0.4 new logging option and log display



    acmetool.sh 1.0.4 released with new acme.sh logging option support via the variable ACMEDEBUG_LOG='y' (enabled by default) and a new "log files saved" display at the end of runs.

    At the end of the issuance/reissue/renew stage the output should now also report which log files were saved at /root/centminlogs, making it easier to find them. There's a new acmetool.sh-debug-log also created, thanks to a new log option I requested in the acme.sh client: add an option to re-try in debug mode · Issue #304 · Neilpang/acme.sh · GitHub
    Code (Text):
    log files saved at /root/centminlogs
    -rw-r--r-- 1 root root  26K Sep 27 10:58 acmetool.sh-debug-log-270916-105615.log
    -rw-r--r-- 1 root root  17K Sep 27 10:58 acmesh-issue_270916-105615.log
    

    This makes troubleshooting easier; example contents of /root/centminlogs/acmetool.sh-debug-log-270916-105615.log are posted to a gist.github.com file at /root/centminlogs/acmetool.sh-debug-log-270916-105615.log · GitHub

    A minor adjustment was made in acmetool.sh 1.0.4 to filter on timestamp hour and minute only, not seconds, so as to include the nv command that generates the actual Nginx vhost and its log file too
    Code (Text):
    log files saved at /root/centminlogs
    -rw-r--r-- 1 root root 1.1K Sep 27 11:24 centminmod_270916-112025_nginx_addvhost_nv-remove-cmds-newdomain2.com.log
    -rw-r--r-- 1 root root  29K Sep 27 11:24 centminmod_270916-112025_nginx_addvhost_nv.log
    -rw-r--r-- 1 root root  32K Sep 27 11:24 acmetool.sh-debug-log-270916-112021.log
    -rw-r--r-- 1 root root  32K Sep 27 11:24 acmesh-issue_270916-112021.log
     
    Last edited: Sep 27, 2016
  10. dorobo

    dorobo Active Member

    I'm getting

    debug log - [Apache Log] acme log - Pastebin.com

    commands used -
    ./acmetool.sh issue peristal.xyz d
    ./acmetool.sh reissue peristal.xyz d

    also tried

    ./acmetool.sh reissue peristal.xyz live and
    ./acmetool.sh reissue peristal.xyz lived

    edit: my custom_config.inc

     
    Last edited: Sep 27, 2016
  11. eva2000

    eva2000 Administrator Staff Member

    @dorobo seems letsencrypt got a 404/403 response (not found or permission denied) for the letsencrypt domain verification
    Code (Text):
    [Tue Sep 27 21:07:21 PHT 2016] response='{"type":"http-01","status":"invalid","error":{"type":"urn:acme:error:unauthorized","detail":"Invalid response from http://peristal.xyz/.well-known/acme-challenge/3YnLya2AK8UmTtcWS6C9xW2z9uvUMbgUw2VIKN1bHDM: "<html>
    <head><title>404 Not Found</title></head>
    <body bgcolor="white">
    <center><h1>404 Not Found</h1></center>
    <hr><center>"","status": 403},"uri":"https://acme-v01.api.letsencrypt.org/acme/challenge/b9Gs95ihAH9z4MAdphptQ6sB_cOm_yAdrkphk7P72aA/275936785","token":"3YnLya2AK8UmTtcWS6C9xW2z9uvUMbgUw2VIKN1bHDM","keyAuthorization":"3YnLya2AK8UmTtcWS6C9xW2z9uvUMbgUw2VIKN1bHDM.JER0z6aDodb9G1WiDeTkyM1tSyXOXi-lztDh-HJirEs","validationRecord":[{"url":"http://peristal.xyz/.well-known/acme-challenge/3YnLya2AK8UmTtcWS6C9xW2z9uvUMbgUw2VIKN1bHDM","hostname":"peristal.xyz","port":"80","addressesResolved":["45.33.33.220"],"addressUsed":"45.33.33.220"}]}'
    [Tue Sep 27 21:07:21 PHT 2016] error='"error":{"type":"urn:acme:error:unauthorized","detail":"Invalid response from http://peristal.xyz/.well-known/acme-challenge/3YnLya2AK8UmTtcWS6C9xW2z9uvUMbgUw2VIKN1bHDM: "<html>
    <head><title>404 Not Found</title></head>

    Can you post the resulting content from the /usr/local/nginx/conf/conf.d/ files for peristal.xyz.conf and peristal.xyz.ssl.conf?

    Also pastebin the log for nginx_addvhost_nv.log that is outlined at Letsencrypt - Official acmetool.sh testing thread for Centmin Mod 123.09beta01 | Page 12 | Centmin Mod Community
     
  12. dorobo

    dorobo Active Member

    I only have peristal.xyz.ssl.conf

    Code:
    # Centmin Mod Getting Started Guide
    # must read http://centminmod.com/getstarted.html
    # For HTTP/2 SSL Setup
    # read http://centminmod.com/nginx_configure_https_ssl_spdy.html
    
    # redirect from www to non-www  forced SSL
    # uncomment, save file and restart Nginx to enable
    # if unsure use return 302 before using return 301
    #x# server {
    #x#  
    #x#   server_name peristal.xyz www.peristal.xyz;
    #x#   return 302 https://$server_name$request_uri;
    #x#   include /usr/local/nginx/conf/staticfiles.conf;
    #x# }
    
    server {
      listen 443 ssl http2;
      server_name peristal.xyz www.peristal.xyz;
    
      ssl_dhparam /usr/local/nginx/conf/ssl/peristal.xyz/dhparam.pem;
      ssl_certificate      /usr/local/nginx/conf/ssl/peristal.xyz/peristal.xyz.crt;
      ssl_certificate_key  /usr/local/nginx/conf/ssl/peristal.xyz/peristal.xyz.key;
      include /usr/local/nginx/conf/ssl_include.conf;
    
      http2_max_field_size 16k;
      http2_max_header_size 32k;
      # mozilla recommended
      ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA256:EECDH+ECDSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+SHA384:EECDH+AES128:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!CAMELLIA;
      ssl_prefer_server_ciphers   on;
      #add_header Alternate-Protocol  443:npn-spdy/3;
    
      #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
      #add_header X-Frame-Options SAMEORIGIN;
      #add_header X-Xss-Protection "1; mode=block" always;
      #add_header X-Content-Type-Options "nosniff" always;
      #spdy_headers_comp 5;
      ssl_buffer_size 1369;
      ssl_session_tickets on;
     
      # enable ocsp stapling
      #resolver 8.8.8.8 8.8.4.4 valid=10m;
      #resolver_timeout 10s;
      #ssl_stapling on;
      #ssl_stapling_verify on;
      #ssl_trusted_certificate /usr/local/nginx/conf/ssl/peristal.xyz/peristal.xyz-trusted.crt;
    
    # ngx_pagespeed & ngx_pagespeed handler
    #include /usr/local/nginx/conf/pagespeed.conf;
    #include /usr/local/nginx/conf/pagespeedhandler.conf;
    #include /usr/local/nginx/conf/pagespeedstatslog.conf;
    
      # limit_conn limit_per_ip 16;
      # ssi  on;
    
      access_log /home/nginx/domains/peristal.xyz/log/access.log main_ext buffer=256k flush=60m;
      error_log /home/nginx/domains/peristal.xyz/log/error.log;
    
      include /usr/local/nginx/conf/autoprotect/peristal.xyz/autoprotect-peristal.xyz.conf;
      root /home/nginx/domains/peristal.xyz/public;
      # uncomment cloudflare.conf include if using cloudflare for
      # server and/or vhost site
      #include /usr/local/nginx/conf/cloudflare.conf;
      include /usr/local/nginx/conf/503include-main.conf;
    
      location / {
      include /usr/local/nginx/conf/503include-only.conf;
    
    # block common exploits, sql injections etc
    #include /usr/local/nginx/conf/block.conf;
    
      # Enables directory listings when index file not found
      #autoindex  on;
    
      # Shows file listing times as local time
      #autoindex_localtime on;
    
      # Enable for vBulletin usage WITHOUT vbSEO installed
      # More example Nginx vhost configurations at
      # http://centminmod.com/nginx_configure.html
      #try_files    $uri $uri/ /index.php;
    
      }
    
      include /usr/local/nginx/conf/staticfiles.conf;
      include /usr/local/nginx/conf/php.conf;
      include /usr/local/nginx/conf/drop.conf;
      #include /usr/local/nginx/conf/errorpage.conf;
      include /usr/local/nginx/conf/vts_server.conf;
    }
    
    It's a fresh install of centminmod using

    Code:
    yum -y update; curl -O https://centminmod.com/betainstaller.sh && chmod 0700 betainstaller.sh && bash betainstaller.sh
    It turns out I already tried letsencrypt the first time I created the vhost via centminmod menu #2

    Here's the centminmod_1.2.3-eva2000.09.001_270916-203656_nginx_addvhost.log - [Apache Log] addvhost log - Pastebin.com

    Same error every time
     
  13. eva2000

    eva2000 Administrator Staff Member

    Yeah, you don't need to create the Nginx vhost before running acmetool.sh as it does it for you. But you ran into another bug, I can confirm. Fixing it now and testing it before updating acmetool.sh 1.0.5 :)
     
  14. Tracy Perry

    Tracy Perry Active Member

    @eva2000, I don't know if this was on purpose or the "o" key got carried away, but for consistency it may need to be "fixed". :p
    Code:
    [root@whiskey addons]# cat acmetool.sh | grep toool
    # /etc/centminmod/acmetoool-config.ini
    # /etc/centminmod/acmetoool-config.ini
    if [ -f "/etc/centminmod/acmetoool-config.ini" ]; then
      . "/etc/centminmod/acmetoool-config.ini"
     
  15. dorobo

    dorobo Active Member

    When you issue a staging certificate to a domain and later on decide to go live, do you choose reissue or issue domain live?
     
  16. eva2000

    eva2000 Administrator Staff Member

    @Tracy Perry whoops, one too many 'o' :D Thanks for the heads up!

    just fixed in acmetool.sh 1.0.6 :)
     
  17. eva2000

    eva2000 Administrator Staff Member

    From staging to live, for the first time, use issue
     
  18. eva2000

    eva2000 Administrator Staff Member

    Centmin Mod 123.09beta01 updated to acmetool.sh 1.0.6 and updated the /usr/bin/nv command to fix this. What was happening was that in HTTPS default mode, acmetool.sh calls nv -d domain -s yd to generate the Nginx vhosts. Here -s yd means yes to self-signed and make it the default, and it does this by removing the non-HTTPS domain.com.conf vhost file and setting up a domain.com.ssl.conf HTTPS vhost file. This prevents letsencrypt from verifying your domain for validation when acmetool.sh triggers the acme.sh client to get the letsencrypt SSL certificate.

    So the fix is to have a separate trigger in the /usr/bin/nv command line Nginx vhost generator, -s ydle, where s=ydle does not remove the non-HTTPS domain.com.conf so early in the acmetool.sh process, allowing letsencrypt to validate your domain. Then, after validation, acmetool.sh removes the non-HTTPS domain.com.conf vhost file but backs up a copy to the directory defined by ACMEBACKUPDIR='/usr/local/nginx/conf/acmevhostbackup'.
     
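A preflight check for the failure mode described in the post above, written here as an added example and not part of acmetool.sh or Centmin Mod: it assumes the conf.d layout shown in this thread (domain.conf for HTTP, domain.ssl.conf for HTTPS) and reports, before issuance is attempted, whether the port 80 vhost and its webroot can answer an HTTP-01 challenge.

```shell
#!/bin/bash
# Added example (not acmetool.sh code). Checks the two conditions behind the
# 404/403 seen in this thread before a Let's Encrypt HTTP-01 run:
#   1. a non-HTTPS vhost DOMAIN.conf exists and listens on port 80
#   2. the challenge directory under that vhost's root can be written and read
# Assumes Centmin Mod's conf.d layout: DOMAIN.conf (HTTP), DOMAIN.ssl.conf (HTTPS).

# http01_preflight CONFDIR DOMAIN -> returns 0 if validation can succeed, 1 otherwise
http01_preflight() {
  local confdir="$1" domain="$2"
  local httpconf="$confdir/$domain.conf" sslconf="$confdir/$domain.ssl.conf"

  if [ ! -f "$httpconf" ]; then
    if [ -f "$sslconf" ]; then
      echo "only $sslconf present: port 80 challenge requests will 404" >&2
    else
      echo "no vhost for $domain in $confdir" >&2
    fi
    return 1
  fi

  # Drop comments (the vhost template ships commented-out server blocks) and
  # require an uncommented "listen 80" or "listen addr:80" directive.
  if ! sed 's/#.*//' "$httpconf" | grep -Eq '^[[:space:]]*listen[[:space:]]+([^;[:space:]]*:)?80([[:space:]]|;)'; then
    echo "$httpconf has no listen 80 directive" >&2
    return 1
  fi

  # Pull the document root and prove the challenge path can be served from it.
  local root
  root=$(sed 's/#.*//' "$httpconf" | sed -n 's/^[[:space:]]*root[[:space:]]\{1,\}\([^;]*\);.*/\1/p' | head -n 1)
  if [ -z "$root" ]; then
    echo "$httpconf has no root directive" >&2
    return 1
  fi
  local chdir="$root/.well-known/acme-challenge" token="preflight-$$"
  if ! mkdir -p "$chdir" 2>/dev/null || ! echo "$token" > "$chdir/$token" 2>/dev/null; then
    echo "cannot write $chdir (the CA would see a 403/404 here)" >&2
    return 1
  fi
  rm -f "$chdir/$token"
  echo "HTTP-01 preflight ok: $domain listens on 80, webroot $root"
  return 0
}
```

Run it as `http01_preflight /usr/local/nginx/conf/conf.d domain.com` before issuing; a non-zero exit means the HTTP-01 request from the CA would fail for the same reason dorobo's did.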
  19. dorobo

    dorobo Active Member

    I finally have a use for the bad spelling rating LOL :D
     
  20. Tracy Perry

    Tracy Perry Active Member

    As an aside... and related to the SSL setup, I get this error on my default vhost.
    Looks like it's serving the CSS from a static http: site instead of a general // call.

    EDIT:
    And it appears it's because it's not served from a secure location as an option.
     