Discover Centmin Mod today
Register Now

Letsencrypt Official acmetool.sh testing thread for Centmin Mod 123.09beta01

Discussion in 'Domains, DNS, Email & SSL Certificates' started by eva2000, Jul 26, 2016.

  1. eva2000

    eva2000 Administrator Staff Member

    44,784
    10,212
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +15,828
    Local Time:
    3:04 AM
    Nginx 1.17.x
    MariaDB 5.5/10.x
    auto renewals via cron based renewals only replace the ssl certs in /usr/local/nginx/conf/ssl/domain.com/* which is paths set in your vhost for the site, so as long as vhost set path remains the same, it shouldn't renew with minimal impact

    as to acmetool.sh manual runs for reissue/renewal they should be the same as auto renewal cronjobs from what I coded. Unless they change the options i.e. if you issued with test ssl cert and http + https and then try reissue with live ssl cert by https default - then yes vhost changes will happen. Latest updates try to preserve your existing vhost and just touch the ssl stuff. But needs folks to test and report feedback and bugs. Hence, why recommended to do on test server :)
     
  2. SFLC

    SFLC Active Member

    224
    59
    28
    Dec 4, 2016
    The Canadas
    Ratings:
    +112
    Local Time:
    7:04 PM
    1
    10
    No bugs noticed so far everything works perfectly
     
  3. RB1

    RB1 Active Member

    285
    75
    28
    Nov 11, 2016
    California
    Ratings:
    +122
    Local Time:
    10:04 AM
    Nginx 1.18.x
    MariaDB 10.1.x
    Will come back here and let you know what happens when it's time for my SSLs to renew.
    Hope it all goes to plan and the cron is successful :)
     
  4. RB1

    RB1 Active Member

    285
    75
    28
    Nov 11, 2016
    California
    Ratings:
    +122
    Local Time:
    10:04 AM
    Nginx 1.18.x
    MariaDB 10.1.x
    LetsEncrypt SSL should have renewed after 1 month on Centminmod beta? I'm still seeing the same cert with the same expiration date. :(

    How can I troubleshoot this...hopefully I can provide the correct info.
     
  5. eva2000

    eva2000 Administrator Staff Member

    44,784
    10,212
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +15,828
    Local Time:
    3:04 AM
    Nginx 1.17.x
    MariaDB 5.5/10.x
    It won't renewal if it hasn't expired and within the auto renewal time which for addons/acmetool.sh is right now 21 days during beta instead of 60 days after acmetool.sh goes stable.

    what's the domain name ?

    How was the initial letsencrypt ssl certificate obtained ? Which method ?
    • Was the domain nginx vhost alreadying created prior or new domain nginx vhost site setup for first time ?
    • Via centmin.sh menu option 2, 22, /usr/bin/nv ?
    • If you ran centmin.sh menu option 2 or 22, which letsencrypt option did you select from
      Code (Text):
      -------------------------------------------------------------
      Setup full Nginx vhost + Wordpress + WP Plugins
      -------------------------------------------------------------
      
      Enter vhost domain name you want to add (without www. prefix): acme3.domain1.com
      
      Create a self-signed SSL certificate Nginx vhost? [y/n]: n
      Get Letsencrypt SSL certificate Nginx vhost? [y/n]: y
      
      You have 4 options:
      1. issue staging test cert with HTTP + HTTPS
      2. issue staging test cert with HTTPS default
      3. issue live cert with HTTP + HTTPS
      4. issue live cert with HTTPS default
      Enter option number 1-4: 1
      
    • Via addons/acmetool.sh ? which specific command ? examples
      Code (Text):
      ./acmetool.sh issue acme.domain.com
      
      Code (Text):
      ./acmetool.sh issue acme.domain.com live
      
      Code (Text):
      ./acmetool.sh issue acme.domain.com d
      
      Code (Text):
      ./acmetool.sh issue acme.domain.com lived
      
    • What was order of steps you did ? Did you run centmin.sh menu option 2 first with letsencrypt ? Then did you run addons/acmetool.sh afterwards ?

    Troubleshooting



    There are various steps you can do to troubleshoot failed letsencrypt issuances, renews, reissues etc.
    • acmetool.sh logs all command line or shell menu runs to log files at /root/centminlogs. To troubleshoot, copy the contents of the log run and post contents of log to pastebin.com or gist.github.com and share link in this thread. To find the log list the logs in ascending date order
      Code (Text):
      ls -lahrt /root/centminlogs
      .
    • For direct acmetool.sh runs, there should be a 2nd & 3rd & 4th log in format /root/centminlogs/centminmod_${DT}_nginx_addvhost_nv.log and /root/centminlogs/acmetool.sh-debug-log-$DT.log and /root/centminlogs/acmesh-issue_*.log or /root/centminlogs/acmesh-reissue_*.log which would need to be included via separate pastebin.com or gist.github.com post.
    • Enable acmetool.sh debug mode. In persistent config file at /etc/centminmod/custom_config.inc (create it if doesn't exist) add and enable acmetool.sh debug mode which gives much more verbose letsencrypt issuance process information when you re-run acmetool.sh or centmin.sh menu options 2, 22 or /usr/bin/nv command lines.
      Code (Text):
      ACMEDEBUG='y'
    Without the answers to above questions and logs, there is nothing to help troubleshoot for initial issuance or figuring out how you originally got your letsencrypt ssl cert.

    Then for renewal

    what's output for command
    Code (Text):
    /usr/local/src/centminmod/addons/acmetool.sh checkdates
    

    for example my mysqlmymon.com domain used addons/acmetool.sh for letsencrypt issuance and output
    Code (Text):
    addons/acmetool.sh checkdates
    
    -------------------------------------------------
    acmetool.sh is in beta testing phase
    please read & provide bug reports &
    feedback for this tool via the forums
    https://centminmod.com/acmetool
    -------------------------------------------------
    
    continue [y/n] ? y
    ----------------------------------------------
    nginx installed
    ----------------------------------------------
    
    /usr/local/nginx/conf/ssl/mysqlmymon.com/mysqlmymon.com-acme.cer
    SHA1 Fingerprint=663D4311FCBFD214075E66EC7399CE6B8E9F0E55
    certificate expires in 52 days on 19 Feb 2017
    
    ----------------------------------------------
    acme.sh obtained
    ----------------------------------------------
    
    /root/.acme.sh/mysqlmymon.com/mysqlmymon.com.cer
    SHA1 Fingerprint=663D4311FCBFD214075E66EC7399CE6B8E9F0E55
    [ below certifcate transparency link is only valid ~1hr after issuance ]
    https://crt.sh/?sha1=663D4311FCBFD214075E66EC7399CE6B8E9F0E55
    certificate expires in 52 days on 19 Feb 2017
    


    check acme.sh client cronjob is added via grep of cronjob list output
    Code (Text):
    crontab -l | grep acme
    

    example
    Code (Text):
    crontab -l | grep acme
    0 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null
    

    check cronjob log via grep of /var/log/cron log for acme.sh keyword and using sed to rewrite hostname shortform to = hostname to mask hostname
    Code (Text):
    grep 'acme.sh' /var/log/cron | sed -e "s|$(hostname -s)|hostname|"
    

    example
    Code (Text):
    grep 'acme.sh' /var/log/cron* | sed -e "s|$(hostname -s)|hostname|"
    Dec 26 00:00:01 hostname CROND[5520]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    Dec 27 00:00:01 hostname CROND[15068]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    Dec 28 00:00:01 hostname CROND[4561]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    

    daily run of acme.sh client working

    are you behind cloudflare ?
     
  6. pamamolf

    pamamolf Premium Member Premium Member

    3,831
    374
    83
    May 31, 2014
    Ratings:
    +718
    Local Time:
    8:04 PM
    Nginx-1.17.x
    MariaDB 10.3.x
    Does that mean that when the certificate expires then all visitors get a warning and maybe site doesn't work until the cron run to renew it? :(
     
  7. RB1

    RB1 Active Member

    285
    75
    28
    Nov 11, 2016
    California
    Ratings:
    +122
    Local Time:
    10:04 AM
    Nginx 1.18.x
    MariaDB 10.1.x
    Here is the log: acmetool.sh-debug-log · GitHub
    I setup my vhosts using centmin.sh menu option 2 without SSL and later followed the steps in the correct order using this tool: Generate Centmin Mod Nginx Vhost - CentminMod.com LEMP Nginx web stack for CentOS

    Output of:
    Code (Text):
    /usr/local/src/centminmod/addons/acmetool.sh checkdates

    checkdates_output · GitHub


    I already have this cron job:
    Code (Text):
    0 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null
    


    Output of cron log:
    Code (Text):
    Dec 27 00:00:01 hostname CROND[32226]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    Dec 28 00:00:01 hostname CROND[26924]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    


    I am not using Cloudflare on any of my domains.

    Edit: There's one domain that had an invalid cert...you will probably see an error for "example3.com" in acme-tool.sh-debug-log, however this domain doesn't show in the output of checkdates because I removed /usr/local/nginx/conf/ssl/example3.com/ before running that command
     
  8. eva2000

    eva2000 Administrator Staff Member

    44,784
    10,212
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +15,828
    Local Time:
    3:04 AM
    Nginx 1.17.x
    MariaDB 5.5/10.x
    in general when https ssl cert expires, visitors get a pop-up in browser saying issue with ssl certificate and allows visitors to view the error i.e. cert expired.

    For letsencrypt ssl in context of acmetool.sh addon, cronjob runs daily and auto renews only if not within preset threshold which is during beta 21 days or stable 60 days. So if cronjob auto renews and the letsencrypt ssl cert is only 14 days old, it's within 21 days so still valid and cron skips auto renewal.

    If cronjob checks again on 22nd day of ssl cert, it seem it's 22>21 so auto renews. So it auto renews 90-21 = ~69 days before expiry. Once acmetool.sh is stable, i will change threshold from 21 to 60 days. So auto renew cronjob only renews once ssl cert is 61 days old or 90-61 = ~29-30 days before expiry.

    acmetool.sh and underlying acme.sh client should never have a situation where visitors are served expired ssl cert due to cronjob auto renewal if it is working properly. If end user deletes the acme.sh cronjob, then that would break auto renewal or of cron service is stopped or disabled, that would break auto renewal too.

    So check if cron is working too
     
  9. eva2000

    eva2000 Administrator Staff Member

    44,784
    10,212
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +15,828
    Local Time:
    3:04 AM
    Nginx 1.17.x
    MariaDB 5.5/10.x
    example3.com is the one that expired ? from the output it looks like it never was issued as letsencrypt failed to verify the domain due to improper DNS i.e. ip for example3.com not pointing to server ip

    auto renewal cronjobs won't renew a failed domain validated example3.com. You would need to try issuing example.com letsencrypt ssl cert again
     
  10. RB1

    RB1 Active Member

    285
    75
    28
    Nov 11, 2016
    California
    Ratings:
    +122
    Local Time:
    10:04 AM
    Nginx 1.18.x
    MariaDB 10.1.x
    No, you can ignore the example3.com domain...didn't mean to ever attempt SSL issue for that one.
    I'm talking about domain example2.com (SSL issued 11/27) and example.com (SSL issued 11/28).
     
  11. eva2000

    eva2000 Administrator Staff Member

    44,784
    10,212
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +15,828
    Local Time:
    3:04 AM
    Nginx 1.17.x
    MariaDB 5.5/10.x
    from checkdates output they're still valid till 25-27 Feb 2017 and not expired though checkdates_output · GitHub
    Code (Text):
    ----------------------------------------------
    nginx installed
    ----------------------------------------------
    
    /usr/local/nginx/conf/ssl/example.com/example.com-acme.cer
    SHA1 Fingerprint=F36B7C65CE7DCCFF41B6972612DD0226162254FF
    certificate expires in 60 days on 27 Feb 2017
    
    /usr/local/nginx/conf/ssl/example2.com/example2.com-acme.cer
    SHA1 Fingerprint=9C0617423202A361020162664E80209DEF0F7AB3
    certificate expires in 58 days on 25 Feb 2017
    
    ----------------------------------------------
    acme.sh obtained
    ----------------------------------------------
    
    /root/.acme.sh/example.com/example.com.cer
    SHA1 Fingerprint=F36B7C65CE7DCCFF41B6972612DD0226162254FF
    [ below certifcate transparency link is only valid ~1hr after issuance ]
    https://crt.sh/?sha1=F36B7C65CE7DCCFF41B6972612DD0226162254FF
    certificate expires in 60 days on 27 Feb 2017
    
    /root/.acme.sh/example2.com/example2.com.cer
    SHA1 Fingerprint=9C0617423202A361020162664E80209DEF0F7AB3
    [ below certifcate transparency link is only valid ~1hr after issuance ]
    https://crt.sh/?sha1=9C0617423202A361020162664E80209DEF0F7AB3
    certificate expires in 58 days on 25 Feb 2017


    Though i see what you mean i think as i set to renew every 21 days instead of 60 days but it's not renewing until later. Same happened for mysqlmymon.com and i think it's because of underlying acme.sh client

    manual run of cronjob acme.sh command output
    Code (Text):
    "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh"
    [Wed Dec 28 21:19:27 UTC 2016] Renew: 'mysqlmymon.com'
    [Wed Dec 28 21:19:27 UTC 2016] Skip, Next renewal time is: Fri Feb 10 00:00:21 UTC 2017
    [Wed Dec 28 21:19:27 UTC 2016] Add '--force' to force to renew.
    [Wed Dec 28 21:19:27 UTC 2016] Skipped mysqlmymon.com
    
     
  12. RB1

    RB1 Active Member

    285
    75
    28
    Nov 11, 2016
    California
    Ratings:
    +122
    Local Time:
    10:04 AM
    Nginx 1.18.x
    MariaDB 10.1.x
    Wait I was under the assumption that in beta, SSL certs will be renewed after they are 21 days old
     
  13. eva2000

    eva2000 Administrator Staff Member

    44,784
    10,212
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +15,828
    Local Time:
    3:04 AM
    Nginx 1.17.x
    MariaDB 5.5/10.x
    see my previous post might of just missed it
     
  14. RB1

    RB1 Active Member

    285
    75
    28
    Nov 11, 2016
    California
    Ratings:
    +122
    Local Time:
    10:04 AM
    Nginx 1.18.x
    MariaDB 10.1.x
    Ahh OK thanks! I also received the message that 2 domains were skipped (due to renew on Jan 26 and Jan 28). I may try a --force renew.

    How can I remove a domain from getting checked by the acme tool? The domain example3.com has no files in "/usr/local/nginx/conf/ssl" or in "/usr/local/nginx/conf/conf.d" but it's still attempting to renew via acme.sh

    Thanks! :)

    Edit: Force renew worked wonderfully for the other 2 domains
     
  15. eva2000

    eva2000 Administrator Staff Member

    44,784
    10,212
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +15,828
    Local Time:
    3:04 AM
    Nginx 1.17.x
    MariaDB 5.5/10.x
    delete the directory at /root/.acme.sh/example3.com
    yes that works if you want
     
  16. RB1

    RB1 Active Member

    285
    75
    28
    Nov 11, 2016
    California
    Ratings:
    +122
    Local Time:
    10:04 AM
    Nginx 1.18.x
    MariaDB 10.1.x
    Great, everything is working properly now thank you!

    I guess I should have just waited until January for the auto-renew to see if that's working...at least we know manual forced renew works :p
     
  17. eva2000

    eva2000 Administrator Staff Member

    44,784
    10,212
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +15,828
    Local Time:
    3:04 AM
    Nginx 1.17.x
    MariaDB 5.5/10.x
  18. RB1

    RB1 Active Member

    285
    75
    28
    Nov 11, 2016
    California
    Ratings:
    +122
    Local Time:
    10:04 AM
    Nginx 1.18.x
    MariaDB 10.1.x
    Ahh, cool that you figured out so quickly :)
    Do acmetool.sh updates come from Centminmod Code Base updates or from manually running acmetool (I believe it checks for an update before running that process).
     
  19. eva2000

    eva2000 Administrator Staff Member

    44,784
    10,212
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +15,828
    Local Time:
    3:04 AM
    Nginx 1.17.x
    MariaDB 5.5/10.x
    addon/acmetool.sh updates do come from centmin mod code base updates via centmin.sh menu optio 23 submenu option 2 :)
     
  20. pamamolf

    pamamolf Premium Member Premium Member

    3,831
    374
    83
    May 31, 2014
    Ratings:
    +718
    Local Time:
    8:04 PM
    Nginx-1.17.x
    MariaDB 10.3.x
    Great i wait also for this update :)