Letsencrypt Official acmetool.sh testing thread for Centmin Mod 123.09beta01

Discussion in 'Domains, DNS, Email & SSL Certificates' started by eva2000, Jul 26, 2016.

  1. pamamolf

    Last two questions:

    1) I didn't find any info for the lines below and I want to ask if you recommend enabling them or not?

    Code:
     #add_header X-Frame-Options SAMEORIGIN;
     #add_header X-Xss-Protection "1; mode=block" always;
     #add_header X-Content-Type-Options "nosniff" always;
     #spdy_headers_comp 5;
    2) Do I have to add this edit to /etc/centminmod/custom_config.inc so I will be OK for any Nginx/PHP upgrades or anything else?

    Code:
    LETSENCRYPT_DETECT='y'

     
  2. eva2000

    Only touch these 3:

    #add_header X-Frame-Options SAMEORIGIN;
    #add_header X-Xss-Protection "1; mode=block" always;
    #add_header X-Content-Type-Options "nosniff" always;

    But google and read up on whether they apply to your web app, and understand what they do.

    LETSENCRYPT_DETECT='y' is needed in the persistent config file to enable Letsencrypt SSL detection for /addons/acmetool.sh only; it has nothing to do with PHP, just the nginx and SSL related routines that use addons/acmetool.sh.
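
As an added example (not code from this thread or from Centmin Mod): a small shell check that reads a captured HTTP response header block and reports which of the three headers above are present, with what value, and which are missing, so you can confirm the add_header lines actually reach clients after a vhost change. The sample response inside the block is constructed, and example.com in the usage comment is a placeholder, not a domain from the thread.

```shell
#!/bin/sh
# Added example, not Centmin Mod code. Feed a captured header block to
# check_security_headers on stdin; live use would be:
#   curl -sI https://example.com | check_security_headers
# (example.com is a placeholder). It prints "present <name>: <value>" or
# "missing <name>" for each of the three headers, then a summary line, and
# returns 1 if any of them is missing.
check_security_headers() {
    # Strip CRs, keep only "Name: value" lines, lower-case the header name so
    # X-Xss-Protection and X-XSS-Protection compare the same way.
    hdrs=$(tr -d '\r' | awk -F: 'NF > 1 {
        name = tolower($1); line = $0
        sub(/^[^:]*:[ \t]*/, "", line)
        print name ": " line }')
    missing=""
    for want in x-frame-options x-xss-protection x-content-type-options; do
        value=$(printf '%s\n' "$hdrs" | grep "^$want: " | head -n 1)
        if [ -n "$value" ]; then
            echo "present $value"
        else
            echo "missing $want"
            missing="$missing $want"
        fi
    done
    if [ -n "$missing" ]; then
        echo "summary: missing$missing"
        return 1
    fi
    echo "summary: all three headers present"
    return 0
}

# Constructed sample response (not captured from any real server); it
# deliberately lacks X-XSS-Protection so the dry run shows a "missing" line.
SAMPLE_HEADERS=$(printf 'HTTP/1.1 200 OK\r\nServer: nginx\r\nX-Frame-Options: SAMEORIGIN\r\nX-Content-Type-Options: nosniff\r\n')

if printf '%s\n' "$SAMPLE_HEADERS" | check_security_headers; then
    echo "sample passed"
else
    echo "sample failed as expected: the constructed sample has no X-XSS-Protection"
fi
```

Two caveats worth checking with this: nginx only adds an `add_header` line to 2xx/3xx responses unless the `always` flag is given, so run the check against an error page too if you want the headers on 4xx/5xx; and X-Frame-Options SAMEORIGIN will break any page you legitimately embed in a frame on another origin, which is the "does it apply to your web app" question above. X-XSS-Protection is a legacy header that current Chromium and Firefox no longer act on, so it is harmless but not protective.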
     
  3. pamamolf

    Do I have to do anything to enable https using acmetool if I am behind Cloudflare?
     
  4. eva2000

    You don't even need https on the local nginx server for Cloudflare Flexible SSL. But for Cloudflare Full SSL, yes, you want https set up locally, either done manually or via addons/acmetool.sh.
     
  5. dorobo

    You could use a self-signed SSL cert and then use Full, but for Full (Strict) you really need a valid cert.
     
  6. pamamolf

    Installing on a new server from menu option 4 and again 4, I got this error and Nginx is not starting :(

    Code:
    [root@server addons]# nginx -t
    nginx: [emerg] SSL_CTX_load_verify_locations("/usr/local/nginx/conf/ssl/domain.com/domain.com-trusted.crt") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/usr/local/nginx/conf/ssl/domain.com/domain.com-trusted.crt', 'r') error:2006D080:BIO routines:BIO_new_file:no such file error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib)
    nginx: configuration file /usr/local/nginx/conf/nginx.conf test failed
    and there is no domain.com-trusted.crt at that path:

    Code:
    /usr/local/nginx/conf/ssl/domain.com/

    If i disable this:

    Code:
    #ssl_trusted_certificate /usr/local/nginx/conf/ssl/domain.com/domain.com-trusted.crt;
    all is working and https is OK, but with a red sign on it as not trusted and with a warning message :(

    Don't know why I'm missing that file and if I can generate it now ... ?

    CentOS 7 and latest Centminmod beta 09

    This is what i have at /usr/local/nginx/conf/ssl/domain.com/ :

    Code:
    acme-vhost-config.txt
    dhparam.pem
    hpkp-info-primary-pin.txt
    hpkp-info-secondary-pin.txt
    domain.com.crt
    domain.com.crt.key.conf
    domain.com.csr
    domain.com.key
    domain.com-acme.cer
    domain.com-acme.key
    domain.com-backup.csr
    domain.com-backup.key
    domain.com-fullchain-acme.key
     
    Last edited: Nov 8, 2016
  7. pamamolf

    My config had this inside:

    Code:
      ssl_dhparam /usr/local/nginx/conf/ssl/domain.com/dhparam.pem;
      ssl_certificate      /usr/local/nginx/conf/ssl/domain.com/domain.com.crt;
      ssl_certificate_key  /usr/local/nginx/conf/ssl/domain.com/domain.com.key;
    I commented them out and added this there:

    Code:
    include /usr/local/nginx/conf/ssl/domain.com/domain.com.crt.key.conf;
    Now all working great ! :)
     
    Last edited: Nov 8, 2016
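
As an added example for the missing domain.com-trusted.crt failure above (not Centmin Mod or acmetool.sh code): a pre-flight check that reads an nginx SSL vhost file, lists every file it references through ssl_certificate, ssl_certificate_key, ssl_trusted_certificate, ssl_dhparam and include, and reports the ones that do not exist, following one level of include so the domain.com.crt.key.conf workaround is covered. It uses only sed, awk and the shell; the vhost path in the usage comment and the config built in the test are assumptions, not files from the thread.

```shell
#!/bin/sh
# Added example, not Centmin Mod or acmetool.sh code. Run before `nginx -t`:
#   ssl_preflight /path/to/yourdomain.com.ssl.conf
# A missing domain.com-trusted.crt then shows up as a readable "missing ..."
# line instead of the SSL_CTX_load_verify_locations emerg from nginx.

# Print the paths one config file references, one per line. Comments are
# stripped first, so a "#ssl_trusted_certificate ..." line (the workaround in
# the post above) is ignored exactly as nginx ignores it. A '#' inside a
# path would be misread, which is acceptable for this check.
ssl_paths_in() {
    sed -e 's/#.*$//' "$1" | awk '
        $1 == "ssl_certificate" || $1 == "ssl_certificate_key" ||
        $1 == "ssl_trusted_certificate" || $1 == "ssl_dhparam" ||
        $1 == "include" { sub(/;$/, "", $2); print $2 }'
}

# Report every referenced file as "ok", "missing" or "skip". Follows one level
# of include (enough for the domain.com.crt.key.conf pattern). Returns 1 if
# anything is missing, 0 otherwise.
ssl_preflight() {
    rc=0
    for f in $(ssl_paths_in "$1"); do
        case $f in
            *[*?]*) echo "skip    $f (glob include, not expanded here)"; continue ;;
            /*) ;;
            *)  echo "skip    $f (relative path, nginx resolves it against its prefix)"; continue ;;
        esac
        if [ ! -f "$f" ]; then
            echo "missing $f"
            rc=1
            continue
        fi
        echo "ok      $f"
        case $f in
            *.conf)
                for g in $(ssl_paths_in "$f"); do
                    if [ -f "$g" ]; then
                        echo "ok      $g (via $f)"
                    else
                        echo "missing $g (via $f)"
                        rc=1
                    fi
                done ;;
        esac
    done
    return $rc
}

if [ "$#" -gt 0 ]; then ssl_preflight "$1"; fi
```

This only proves the files exist; it does not prove the certificate and key belong together or that the chain file is the right one for the leaf. A follow-on check not done here is comparing `openssl x509 -noout -modulus -in cert` with `openssl rsa -noout -modulus -in key`, and `openssl verify -CAfile chain cert`.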
  8. pamamolf

    It looks like it didn't create a new config file, as I can see my old rewrite rules inside of it....
     
  9. eva2000

    @pamamolf

    How was the initial Letsencrypt SSL certificate obtained? Which method?
    • Was the domain nginx vhost already created prior, or was it a new domain nginx vhost site setup for the first time?
    • Via centmin.sh menu option 2, 22, or /usr/bin/nv?
    • If you ran centmin.sh menu option 2 or 22, which Letsencrypt option did you select from
      Code (Text):
      -------------------------------------------------------------
      Setup full Nginx vhost + Wordpress + WP Plugins
      -------------------------------------------------------------
      
      Enter vhost domain name you want to add (without www. prefix): acme3.domain1.com
      
      Create a self-signed SSL certificate Nginx vhost? [y/n]: n
      Get Letsencrypt SSL certificate Nginx vhost? [y/n]: y
      
      You have 4 options:
      1. issue staging test cert with HTTP + HTTPS
      2. issue staging test cert with HTTPS default
      3. issue live cert with HTTP + HTTPS
      4. issue live cert with HTTPS default
      Enter option number 1-4: 1
      
    • Via addons/acmetool.sh? Which specific command? Examples:
      Code (Text):
      ./acmetool.sh issue acme.domain.com
      
      Code (Text):
      ./acmetool.sh issue acme.domain.com live
      
      Code (Text):
      ./acmetool.sh issue acme.domain.com d
      
      Code (Text):
      ./acmetool.sh issue acme.domain.com lived
      
    • What was the order of steps you did? Did you run centmin.sh menu option 2 first with Letsencrypt? Then did you run addons/acmetool.sh afterwards?

    Centmin Mod Self-Signed SSL Fallback

    If you're seeing Centmin Mod's self-signed SSL certificate instead of the Letsencrypt SSL certificate, then that's acmetool.sh's and centminmod's fallback: if Letsencrypt verification fails to obtain a Letsencrypt SSL cert, it falls back to the Centmin Mod self-signed SSL certificate on the https port 443 side so as to preserve the https nginx vhost.

    Troubleshooting

    There are various steps you can take to troubleshoot failed Letsencrypt issuances, renewals, reissues etc.
    • acmetool.sh logs all command line or shell menu runs to log files at /root/centminlogs. To troubleshoot, copy the contents of the log run and post the contents of the log to pastebin.com or gist.github.com and share the link in this thread. To find the log, list the logs in ascending date order:
      Code (Text):
      ls -lahrt /root/centminlogs
      
    • For direct acmetool.sh runs, there should be a 2nd, 3rd & 4th log in the format /root/centminlogs/centminmod_${DT}_nginx_addvhost_nv.log, /root/centminlogs/acmetool.sh-debug-log-$DT.log and /root/centminlogs/acmesh-issue_*.log or /root/centminlogs/acmesh-reissue_*.log, which would need to be included via a separate pastebin.com or gist.github.com post.
    • Enable acmetool.sh debug mode. In the persistent config file at /etc/centminmod/custom_config.inc (create it if it doesn't exist), add and enable acmetool.sh debug mode, which gives much more verbose Letsencrypt issuance process information when you re-run acmetool.sh or centmin.sh menu options 2, 22 or the /usr/bin/nv command line.
      Code (Text):
      ACMEDEBUG='y'
    Without the answers to the above questions and logs, there is nothing to help troubleshoot.
     
  10. eva2000


    acmetool.sh 1.0.17 manual steps mode

    Added a literal manual steps mode guide where nothing is automated. So the 3 step guide outlines what you need to do manually, command line and nginx vhost setup wise: obtain the Letsencrypt SSL certificate, copy/set its SSL files at /usr/local/nginx/conf/ssl/yourdomain.com, create the nginx SSL vhost yourdomain.com.ssl.conf and replace the ssl_certificate, ssl_certificate_key and ssl_trusted_certificate paths with the Letsencrypt SSL cert file paths.

    Full example at acmetool.sh 1.0.17 manual steps mode added
     
  11. pamamolf

    I had already set up the domain from centminmod menu option 2 with self-signed SSL, and then I installed the acme menu and from there I went to option 4 and then again on the next menu option 4, which sets https as default.

    It looks like it doesn't remove the old entries ????
    But at the top of the config there was a text: https default

    Also my custom entries were there...
     
  12. eva2000

    OK, will retest that combination of steps and see.
    Intended change as per post here, so try to just update SSL certs and keep your custom configs in place.

    But having the troubleshooting logs would be best, as I may not be able to repeat your issue.
     
  14. Colin

    I'm rebuilding my test server, so I'll note any exceptions. The last one was ultimately a replication of the manual steps and works.

    I'll try to confirm and share what does and does not work from a clean install. I'll try to put my dunce hat on too, so as not to skip an instruction. It's a good well-worn fit :D
     
  15. Saumya Majumder

    I saw that you are having issues with not enough users trying the Letsencrypt add-on. Honestly I want to try it out, but as there is a huge risk that it may also break my site or configuration, I'm waiting for the stable release to try it out.

    My managed host also recommended that I wait for the stable Letsencrypt release and not use a beta thing on a production environment. I really wish I could help you somehow. Feeling really bad. Sorry!
     
  16. eva2000

    Yeah, that's why the 1st post of the thread recommends using a test server and test domain, but understandably not everyone has a test domain/server handy.
     
  17. Saumya Majumder

    Exactly. That's the main problem. Sorry man! I wish I could help somehow. Feeling really bad. I would love to see Letsencrypt support in the upcoming version of centminmod.
     
  18. jscott

    Ok, I just created a new virtual host from the command line using:
    Code:
    ./acmetool.sh webroot-issue test.zzzz.com /home/nginx/domains/test.zzzz.com lived
    
    I just updated and am using acmetool.sh v0.18

    Things basically worked OK. vhost created, directories created, cert created and loaded.

    However, I am getting a 403 forbidden error.

    Looking deeper, I found that the index.html is located in /home/nginx/domains/test.zzzz.com/public,
    but the vhost config is setting the root to /home/nginx/domains/test.zzzz.com.

    If I try https://test.zzzz.com/public everything is OK.

    Thinking about it, this is almost the expected behavior since I am specifying a custom web root; however, I think the index.html and other assorted files should be put in the custom web root so that an error is not returned.

    Everything else seems to be working fine.

    -John Scott
    Waiting for addons/netdata
     
  19. eva2000

    Thanks @jscott for testing and feedback, much appreciated. The issue is that you need to set the web root path, so instead you needed
    Code (Text):
    ./acmetool.sh webroot-issue test.zzzz.com /home/nginx/domains/test.zzzz.com/public lived
    

    For webroot-issue, you need to tell it where the web root path is. If you tell it that it is at /home/nginx/domains/test.zzzz.com, then that is where nginx will look for an index page. So the webroot-issue flag is for those that have custom webroots, i.e. node.js or laravel projects, where you may want to define a web root at a place other than /home/nginx/domains/test.zzzz.com/public.
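
As an added example, not acmetool.sh or Centmin Mod code: a pre-flight check for the web root argument of webroot-issue. It catches the mistake in the two posts above (passing the vhost directory instead of its public/ subdirectory, so nginx serves a directory with no index file and answers 403), and it also confirms that the .well-known/acme-challenge directory can be created and written under that root. It assumes webroot-issue uses webroot-mode http-01 validation, which places a token file there (implied by the command name, not stated on this page), and that a usable root holds index.html or index.php; the directory layout in the test is constructed.

```shell
#!/bin/sh
# Added example, not acmetool.sh code. Usage:
#   check_webroot /home/nginx/domains/test.zzzz.com/public
# then pass the same path to: ./acmetool.sh webroot-issue <domain> <webroot> lived
# Returns 0 if the path looks usable, 1 otherwise, and says why on stdout.
check_webroot() {
    root=$1
    if [ ! -d "$root" ]; then
        echo "error: $root is not a directory"
        return 1
    fi
    has_index=0
    if [ -f "$root/index.html" ] || [ -f "$root/index.php" ]; then has_index=1; fi

    # The mistake from the post above: the vhost directory (which holds public/,
    # log/, ...) was passed instead of public/. nginx then uses a root with no
    # index file and answers 403 for "/" when autoindex is off.
    if [ "$has_index" -eq 0 ] && [ -d "$root/public" ]; then
        echo "error: $root has no index file but contains public/; did you mean $root/public ?"
        return 1
    fi
    if [ "$has_index" -eq 0 ]; then
        echo "warning: no index.html or index.php in $root; nginx answers 403 for / on an index-less directory unless autoindex or another index file is configured"
    fi

    # Assumption: webroot-mode http-01 validation serves
    # $root/.well-known/acme-challenge/<token>. Make sure that directory can be
    # created and written now, so issuance does not fail before nginx is asked.
    chal="$root/.well-known/acme-challenge"
    if ! mkdir -p "$chal" 2>/dev/null; then
        echo "error: cannot create $chal"
        return 1
    fi
    token="$chal/.preflight-$$"
    if ! true > "$token" 2>/dev/null; then
        echo "error: cannot write to $chal"
        return 1
    fi
    rm -f "$token"
    echo "ok: $root (index file present: $has_index, challenge dir: $chal)"
    return 0
}

if [ "$#" -gt 0 ]; then check_webroot "$1"; fi
```

Run it as the user that will run acmetool.sh, since the write test only proves what that user can do; the challenge token still has to be reachable over plain HTTP on port 80 for the validation to succeed, which a filesystem check cannot prove.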
     
  20. Colin

    It's all about risk. I've run alpha code in production, but low risk. Production $$ earning code, I'm more risk averse ;)

    Did a simple test: beta installer one-liner, new domain vhost from the centmin menus of old (pretending I didn't know about acme/letsencrypt), so I now have 80 and 443:self-signed working.

    Discovered the acme tool, ran a test install OK.

    This tripped me up manually too: so the test goes OK, you move to install for real. It fails as the issued whatnot is still valid. Passing --force sorts it, but I only know that from doing it manually a few times.

    Slightly unexpected, my 80 traffic is forced to 443. I'm OK with that, it's on test after all ;) So happily running a test IPS 4.1 in full letsencrypt SSL. I'll repeat with my notepad handy. Was doing it in the lounge while plumbers replaced the boiler.

    I've had a few sites running it in production (manual) for a few months and no issues at all. I've also been pushing (middleman) static sites out to keycdn under letsencrypt too without issue. So other than how it's set up, I'm happy with letsencrypt.

    This is a possible enhancement down the road; I may have missed it. On the renewal process, if that could mail an update, mostly if the 60 day checkup fails.