Letsencrypt Official acmetool.sh testing thread for Centmin Mod 123.09beta01

that's a weird one, at bottom of 1st post of this thread has troubleshooting section so need some log info.

If letsencrypt fails to validate the domain to issue the letsencrypt ssl certificate, acmetool.sh falls back on the prior self-signed ssl certificate. So it's possible the the acmetool.sh DNS check was correct in not finding your DNS for domain and letsencrypt server end couldn't find it either, so failed to validate domain and issue letsencrypt ssl cert.

Troubleshooting Issues

There are various steps you can do to troubleshoot failed letsencrypt issuances, renews, reissues etc.

• acmetool.sh logs all command line or shell menu runs to log files at /root/centminlogs. To troubleshoot, copy the contents of the log run and post contents of log to pastebin.com or gist.github.com and share link in this thread. To find the log list the logs in ascending date order
  Code (Text):

  ls -lahrt /root/centminlogs

  .
• For direct acmetool.sh runs, there should be a 2nd & 3rd & 4th log in format /root/centminlogs/centminmod_${DT}_nginx_addvhost_nv.log and /root/centminlogs/acmetool.sh-debug-log-$DT.log and /root/centminlogs/acmesh-issue_*.log or /root/centminlogs/acmesh-reissue_*.log which would need to be included via separate pastebin.com or gist.github.com post.

 

i think the problem is you ran centmin.sh menu option 2 for a domain that already exists on the server ? so it totally skipped the trigger in inc/nginx_addvhost.inc to call addons/acmetool.sh to do it's thing including properly adjusting the nginx ssl vhost by switching out the self-signed ssl cert for letsencrypt issued ssl cert.

Code (Text):

---------------------------------------------------------------
To get Letsencrypt SSL certificate, you must already have updated intended
domain vhost name's DNS A record to this server's IP addresss.
If top level domain, DNS A record is needed also for www. version of domain
otherwise, Letsencrypt domain name validation will fail.
---------------------------------------------------------------
continue [y/n] ? y


!! Error: thepipestand.com DNS records not found or setup properly yet or thepipestand.com invalid

Abort this Nginx vhost domain setup to setup proper DNS A record(s) first? [y/n]: n

------------------------------------------------
You have 4 options:
------------------------------------------------
1. issue staging test cert with HTTP + HTTPS
2. issue staging test cert with HTTPS default
3. issue live cert with HTTP + HTTPS
4. issue live cert with HTTPS default
Enter option number 1-4: 4



-------------------------------------------------------------
vhost for thepipestand.com already exists
/home/nginx/domains/thepipestand.com already exists
-------------------------------------------------------------

 

strange then - if you can zip up the /root/centminlogs/ for the date(s) you ran the centmin.sh menu option 2 including all /root/centminlogs/centminmod_${DT}_nginx_addvhost_nv.log and /root/centminlogs/acmetool.sh-debug-log-$DT.log can private conversation me a link for them. I can go over them to see if i can see anything.

 

also there should be a /root/centminlogs/acmesh-issue_*.log also

 

It could be dns then worked when you ran acme.sh manually. How many times did you run centmin.sh menu option 2 after the 1st failed attempt ?

 

well i plugged that flaw in update to 123.09beta01 so there's an earlier existing vhost domain check right after you enter the vhost domain name to add Beta Branch - update inc/nginx_addvhost.inc move existing vhost check higher in routine | Centmin Mod Community

That should prevent folks from re-running centmin.sh menu 2 when they already have an existing vhost domain. There's a check but prior to the update, it was further down in the routine.

Whether that contributed to the your original issue, hard to say.

 

strange then could be DNS issues as i check against 8.8.8.8 could be a temp problem there. Unfortunatley, letsencrypt doesn't publish which DNS servers they check against, so it's hard to 100% replicate their checks before actually going through the letsencrypt domain validation process

maybe need to use more than one public DNS to check against instead of just 8.8.8.8

 

on the actual server what was your local DNS resolvers in /etc/resolv.conf ? 8.8.8.8 too ?

I just made a slight fix in acmetool.sh 1.0.11 update released just now for 123.09beta01 for nginx vhost dns check Beta Branch - acmetool.sh 1.0.11 | Centmin Mod Community

basically change from

Code (Text):

dig soa $vhostname_dns | grep -v ^\; | grep SOA | awk '{print $1}' | sed 's/\.$//'

to

Code (Text):

dig soa @8.8.8.8 $vhostname_dns | grep -v ^\; | grep SOA | awk '{print $1}' | sed 's/\.$//'

if the value returned from command is empty, you would of gotten the message you ran into

Code (Text):

!! Error: $vhostname_dns DNS records not found or setup properly yet or $vhostname_dns invalid

 

bundle up the logs (they may contain vhost pure-ftpd logins etc), so private conversation link me them and i can take a look. There should be a /root/centminlogs/acmesh-issue_*.log also that's the one triggered from centmin.sh menu option 2 runs when you opt for letsencrypt ssl cert with LETSENCRYPT_DETECT='y' enabled to log everything on the acmetool.sh letsencrypt routines. There should be one that corresponds to the first time you ran centmin.sh menu option 2.

 

ok, checked, there's no check for that it asks if you want to abort whether or not the A DNS record exists or not. As it could be the end user has old outdated DNS A records etc. Centmin Mod isn't able to tell if the end user's desired DNS A records are the ones they want.

Probably can add a check so if DNS A record is same as the server IP the user is running centmin.sh on.

edit: updated 123.09beta01 for such a check now Beta Branch - update inc/nginx_addvhost.inc update DNS checks in 123.09beta01 | Centmin Mod Community