
Letsencrypt Official acmetool.sh testing thread for Centmin Mod 123.09beta01

Discussion in 'Domains, DNS, Email & SSL Certificates' started by eva2000, Jul 26, 2016.

  1. eva2000 (Administrator, Staff Member)
    @jscott just did a test server custom webroot run on a test domain acme3.domain.com and it worked fine; full output at "acme3.domain.com test for acmetool.sh for centminmod.com · GitHub" to keep this thread cleaner :)

    excerpt below

    command ran
    Code (Text):
    ./acmetool.sh webroot-issue acme3.domain1.com /home/nginx/domains/acme3.domain1.com/customwebroot

    output
    Code (Text):
    -------------------------------------------------------------
    vhost for acme3.domain1.com created successfully
    
    domain: http://acme3.domain1.com
    vhost conf file for acme3.domain1.com created: /usr/local/nginx/conf/conf.d/acme3.domain1.com.conf
    
    vhost ssl for acme3.domain1.com created successfully
    
    domain: https://acme3.domain1.com
    vhost ssl conf file for acme3.domain1.com created: /usr/local/nginx/conf/conf.d/acme3.domain1.com.ssl.conf
    /usr/local/nginx/conf/ssl_include.conf created
    Self-signed SSL Certificate: /usr/local/nginx/conf/ssl/acme3.domain1.com/acme3.domain1.com.crt
    SSL Private Key: /usr/local/nginx/conf/ssl/acme3.domain1.com/acme3.domain1.com.key
    SSL CSR File: /usr/local/nginx/conf/ssl/acme3.domain1.com/acme3.domain1.com.csr
    Backup SSL Private Key: /usr/local/nginx/conf/ssl/acme3.domain1.com/acme3.domain1.com-backup.key
    Backup SSL CSR File: /usr/local/nginx/conf/ssl/acme3.domain1.com/acme3.domain1.com-backup.csr
    
    upload files to /home/nginx/domains/acme3.domain1.com/public
    vhost log files directory is /home/nginx/domains/acme3.domain1.com/log
    

    Code (Text):
    -------------------------------------------------------------
    Commands to remove acme3.domain1.com
    
    pure-pw userdel ***
    rm -rf /usr/local/nginx/conf/conf.d/acme3.domain1.com.conf
    rm -rf /usr/local/nginx/conf/conf.d/acme3.domain1.com.ssl.conf
    rm -rf /usr/local/nginx/conf/ssl/acme3.domain1.com/acme3.domain1.com.crt
    rm -rf /usr/local/nginx/conf/ssl/acme3.domain1.com/acme3.domain1.com.key
    rm -rf /usr/local/nginx/conf/ssl/acme3.domain1.com/acme3.domain1.com.csr
    rm -rf /usr/local/nginx/conf/ssl/acme3.domain1.com
    rm -rf /home/nginx/domains/acme3.domain1.com
    service nginx restart
    
    -------------------------------------------------------------
    vhost for acme3.domain1.com setup successfully
    acme3.domain1.com setup info log saved at:
    /root/centminlogs/centminmod_180816-035035_nginx_addvhost_nv.log
    -------------------------------------------------------------
    
    
    adjusting /usr/local/nginx/conf/conf.d/acme3.domain1.com.ssl.conf
    change web root:
    from:
    to: /home/nginx/domains/acme3.domain1.com/customwebroot
      root /home/nginx/domains/acme3.domain1.com/customwebroot;
    
    adjusting /usr/local/nginx/conf/conf.d/acme3.domain1.com.conf
    change web root:
    from:
    to: /home/nginx/domains/acme3.domain1.com/customwebroot
      root /home/nginx/domains/acme3.domain1.com/customwebroot;
    
    grep 'root' /usr/local/nginx/conf/conf.d/acme3.domain1.com.conf
      root /home/nginx/domains/acme3.domain1.com/customwebroot;
    grep 'root' /usr/local/nginx/conf/conf.d/acme3.domain1.com.ssl.conf
      root /home/nginx/domains/acme3.domain1.com/customwebroot;
    

    Code (Text):
    -----------------------------------------------------------
    issue & install letsencrypt ssl certificate for acme3.domain1.com
    -----------------------------------------------------------
    /root/.acme.sh/acme.sh --staging --issue -d acme3.domain1.com -w /home/nginx/domains/acme3.domain1.com/customwebroot -k ec-256 --useragent centminmod-centos7-acmesh-webroot
    [Thu Aug 18 03:51:26 UTC 2016] Using stage api:https://acme-staging.api.letsencrypt.org
    [Thu Aug 18 03:51:29 UTC 2016] Registering account
    [Thu Aug 18 03:51:35 UTC 2016] Already registered
    [Thu Aug 18 03:51:35 UTC 2016] Creating domain key
    [Thu Aug 18 03:51:35 UTC 2016] Use length 256
    [Thu Aug 18 03:51:35 UTC 2016] Using ec name: prime256v1
    [Thu Aug 18 03:51:35 UTC 2016] Single domain='acme3.domain1.com'
    [Thu Aug 18 03:51:35 UTC 2016] Verify each domain
    [Thu Aug 18 03:51:35 UTC 2016] Getting webroot for domain='acme3.domain1.com'
    [Thu Aug 18 03:51:35 UTC 2016] Getting token for domain='acme3.domain1.com'
    [Thu Aug 18 03:51:41 UTC 2016] Verifying:acme3.domain1.com
    [Thu Aug 18 03:51:53 UTC 2016] Success
    [Thu Aug 18 03:51:53 UTC 2016] Verify finished, start to sign.
    [Thu Aug 18 03:52:00 UTC 2016] Cert success.
    -----BEGIN CERTIFICATE-----
    MIIEIjCCAwqgAwIBAgITAPpj24sLhHf1bFpstZ/vM3kHLTANBgkqhkiG9w0BAQsF
    ADAiMSAwHgYDVQQDDBdGYWtlIExFIEludGVybWVkaWF0ZSBYMTAeFw0xNjA4MTgw
    MjUyMDBaFw0xNjExMTYwMjUyMDBaMB8xHTAbBgNVBAMTFGFjbWUzLmNlbnRtaW5t
    b2QuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE6ohDC8gIO21qPOwEwKpp
    U19MzjaIqffw1/ssssssssssssssssssssddBgNVHSUEFjAUBggrBgEFBQcDAQYI
    KwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUOcYxRj3whiriFsDbk29O
    lGvgavQwHwYDVR0jBBgwFoAUwMwDRrlYIMxccnDz4S7LIKb1aDoweAYIKwYBBQUH
    AQEEbDBqMDMGCCsGAQUFBzABhidodHRwOi8vb2NzcC5zdGctaW50LXgxLmxldHNl
    bmNyeXB0Lm9yZy8wMwYIKwYBBQUHMAKGJ2h0dHA6Ly9jZXJ0LnN0Zy1pbnQteDEu
    bGV0c2VuY3J5cHQub3JnLzAfBgNVHREEGDAWghRhY21lMy5jZW50bWlubW9kLmNv
    bTCB/gYDVR0gBIH2MIHzMAgGBmeBDAECATCB5gYLKwYBBAGC3xMBAQEwgdYwJgYI
    KwYBBQUHAgEWGmh0dHA6Ly9jcHMubGV0c2VuY3J5cHQub3JnMIGrBggrBgEFBQcC
    AjCBngyBm1RoaXMgQ2VydGlmaWNhdGUgbWF5IG9ubHkgYmUgcmVsaWVkIHVwb24g
    YnkgUmVseWluZyBQYXJ0aWVzIGFuZCBvbmx5IGluIGFjY29yZGFuY2Ugd2l0aCB0
    aGUgQ2VydGlmaWNhdGUgUG9saWN5IGZvdW5kIGF0IGh0dHBzOi8vbGV0c2VuY3J5
    cHQub3JnL3JlcG9zaXRvcnkvMA0GCSqGSIb3DQEBCwUAA4IBAQA5FizBSptl8KBQ
    lgXuVTH20qAgue3KCNEJ8vPWAlu1/9huAVeu+FSwXo0oHlBUlYMjd3Ikvw9FLAbe
    deGYqLqa8Je3eW8LQB/CrdN8IZ/XJhuJaR9Py5PaqZgD/vDaxmHXEjrBpvtJPJCU
    Ve8dy5uPvHmLkEIKNZm/3o6ox7xtM13SvgqrlUdPnKH3vmJOf5/Azy7TDtj7rco4
    45c7XU/m6lL1cIbXZNHHgzUyT98NjIDSfkea9ol+18qB5xxO9lr3JDKgmzBHv7AX
    WwD1WN6xsiUR13yjR9Ier7gj9E9YvA6O+d709o2Nwu1Ha6euVueCVFaJ8gcR26Om
    R5Gz+EtX
    -----END CERTIFICATE-----
    [Thu Aug 18 03:52:00 UTC 2016] Your cert is in /root/.acme.sh/acme3.domain1.com_ecc/acme3.domain1.com.cer
    [Thu Aug 18 03:52:01 UTC 2016] The intermediate CA cert is in /root/.acme.sh/acme3.domain1.com_ecc/ca.cer
    [Thu Aug 18 03:52:01 UTC 2016] And the full chain certs is there: /root/.acme.sh/acme3.domain1.com_ecc/fullchain.cer
      ssl_certificate      /usr/local/nginx/conf/ssl/acme3.domain1.com/acme3.domain1.com-acme-ecc.cer;
      ssl_certificate_key  /usr/local/nginx/conf/ssl/acme3.domain1.com/acme3.domain1.com-acme-ecc.key;
      #ssl_trusted_certificate /usr/local/nginx/conf/ssl/acme3.domain1.com/acme3.domain1.com-acme-ecc.cer; 
    

    Code (Text):
    -----------------------------------------------------------
    install cert
    -----------------------------------------------------------
    /root/.acme.sh/acme.sh --installcert -d acme3.domain1.com --certpath /usr/local/nginx/conf/ssl/acme3.domain1.com/acme3.domain1.com-acme-ecc.cer --keypath /usr/local/nginx/conf/ssl/acme3.domain1.com/acme3.domain1.com-acme-ecc.key --capath /usr/local/nginx/conf/ssl/acme3.domain1.com/acme3.domain1.com-acme-ecc.cer --reloadCmd /usr/bin/ngxreload --fullchainpath /usr/local/nginx/conf/ssl/acme3.domain1.com/acme3.domain1.com-fullchain-acme-ecc.key --ecc
    [Thu Aug 18 03:52:01 UTC 2016] Installing cert to:/usr/local/nginx/conf/ssl/acme3.domain1.com/acme3.domain1.com-acme-ecc.cer
    [Thu Aug 18 03:52:01 UTC 2016] Installing CA to:/usr/local/nginx/conf/ssl/acme3.domain1.com/acme3.domain1.com-acme-ecc.cer
    [Thu Aug 18 03:52:01 UTC 2016] Installing key to:/usr/local/nginx/conf/ssl/acme3.domain1.com/acme3.domain1.com-acme-ecc.key
    [Thu Aug 18 03:52:01 UTC 2016] Installing full chain to:/usr/local/nginx/conf/ssl/acme3.domain1.com/acme3.domain1.com-fullchain-acme-ecc.key
    [Thu Aug 18 03:52:01 UTC 2016] Run Le_ReloadCmd: /usr/bin/ngxreload
    Reloading nginx configuration (via systemctl):  [  OK  ]
    [Thu Aug 18 03:52:01 UTC 2016] Reload success
    
    letsencrypt ssl certificate setup completed
    ssl certs located at: /usr/local/nginx/conf/ssl/acme3.domain1.com
    
    openssl x509 -noout -text < /usr/local/nginx/conf/ssl/acme3.domain1.com/acme3.domain1.com-acme-ecc.cer
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number:
                fa:63:db:8b:0b:84:77:f5:6c:5a:6c:b5:9f:ef:33:79:07:2d
        Signature Algorithm: sha256WithRSAEncryption
            Issuer: CN=Fake LE Intermediate X1
            Validity
                Not Before: Aug 18 02:52:00 2016 GMT
                Not After : Nov 16 02:52:00 2016 GMT
            Subject: CN=acme3.domain1.com
            Subject Public Key Info:
                Public Key Algorithm: id-ecPublicKey
                    Public-Key: (256 bit)
                    pub:
                        04:ea:88:43:0b:c8:08:3b:6d:6a:3c:ec:04:c0:aa:
                        69:53:5f:4c:ce:36:88:a9:f7:f0:d7:ff:ff:cd:3a:
                        fc:7b:1a:52:99:29:ba:95:e9:f9:c9:5d:49:9d:37:
                        88:85:12:48:15:b1:55:84:40:f3:c4:99:db:a6:ab:
                        e2:a1:60:ac:77
                    ASN1 OID: prime256v1
            X509v3 extensions:
                X509v3 Key Usage: critical
                    Digital Signature
                X509v3 Extended Key Usage:
                    TLS Web Server Authentication, TLS Web Client Authentication
                X509v3 Basic Constraints: critical
                    CA:FALSE
                X509v3 Subject Key Identifier:
                    39:C6:31:46:3D:F0:86:2A:E2:16:C0:DB:93:6F:4E:94:6B:E0:6A:F4
                X509v3 Authority Key Identifier:
                    keyid:C0:CC:03:46:B9:58:20:CC:5C:72:70:F3:E1:2E:CB:20:A6:F5:68:3A
    
                Authority Information Access:
                    OCSP - URI:http://ocsp.stg-int-x1.letsencrypt.org/
                    CA Issuers - URI:http://cert.stg-int-x1.letsencrypt.org/
    
                X509v3 Subject Alternative Name:
                    DNS:acme3.domain1.com
                X509v3 Certificate Policies:
                    Policy: 2.23.140.1.2.1
                    Policy: 1.3.6.1.4.1.44947.1.1.1
                      CPS: http://cps.letsencrypt.org
                      User Notice:
                        Explicit Text: This Certificate may only be relied upon by Relying Parties and only in accordance with the Certificate Policy found at https://letsencrypt.org/repository/
    

    checkdates
    Code (Text):
    ./acmetool.sh checkdates
    
    /usr/local/nginx/conf/ssl/acme.domain1.com/acme.domain1.com-acme.cer
    certificate expires in 16 days on 4 Sep 2016
    
    /usr/local/nginx/conf/ssl/acme3.domain1.com/acme3.domain1.com-acme-ecc.cer
    certificate expires in 89 days on 16 Nov 2016
    
    /usr/local/nginx/conf/ssl/acme2.domain1.com/acme2.domain1.com-acme.cer
    certificate expires in 14 days on 2 Sep 2016
    
    /usr/local/nginx/conf/ssl/acme1.domain1.com/acme1.domain1.com-acme-ecc.cer
    certificate expires in 84 days on 11 Nov 2016

  2. SeaTea (Premium Member)
    Do you have the following in /usr/local/nginx/conf/conf.d/yoursite.conf ?


    Code (Text):
    # Prevent access to ./directories and files
        location ~ (?:^|/)\. {
            deny all;
        }


    Comment this out, otherwise there will be a 403 error.

    I don't know if this is still the default setting in centminmod. I had this in my config files when starting to test letsencrypt some months ago and have removed it. Did not test the new acmetool.sh yet. Still using certbot renewals here.
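The 403 SeaTea describes comes from nginx's regex location for dot-paths matching `/.well-known/acme-challenge/` as well, so the HTTP-01 token is denied before it can be served. As an added example (not Centmin Mod's own vhost template; the webroot path is an assumption), here is that blanket deny beside a version that keeps it but carves out the ACME challenge directory with a `^~` prefix location, which nginx selects in preference to regex locations:

```nginx
# BEFORE: blanket deny on any dotfile or dot-directory. This also matches
# /.well-known/acme-challenge/<token>, so the validator gets a 403.
location ~ (?:^|/)\. {
    deny all;
}

# AFTER: serve the ACME challenge directory explicitly. "^~" is a prefix
# match that stops nginx from evaluating regex locations for these URIs,
# so the deny block below no longer applies here.
location ^~ /.well-known/acme-challenge/ {
    # assumed webroot; must be the same directory passed to acme.sh -w
    root /home/nginx/domains/acme3.domain1.com/customwebroot;
    default_type "text/plain";
    try_files $uri =404;
}

# Keep denying every other dotfile (.git, .env, .htaccess, ...).
location ~ (?:^|/)\. {
    deny all;
}
```

Put the carve-out in whichever vhost file answers the plain http:// request (Let's Encrypt fetches over http first and only then follows a redirect), run `nginx -t`, then reload with `/usr/bin/ngxreload` as the acmetool.sh output above does.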
  3. jscott (Member)
    AH! This was the problem.

    I just updated centmin, edited the .conf file and reran the command line option I had been using to update the cert.

    It looks like it worked, but my browser complains about unknown issuer - Fake LE Intermediate X1

    Is this normal for a staging site?

    Looks like you need to re-remove the block for . files.

    I will wipe and rebuild this system from scratch in several hours and update you on how it is working. If you want me to try anything else before then let me know.

    Thanks for all your help!!
     
  4. eva2000 (Administrator, Staff Member)
    New 123.09beta01 builds should have it commented out by default.

    If you updated centmin mod via centmin.sh menu option 23 then any new nginx vhost created has the dot file block commented out by default. This has been the case for months now.

    @jscott how old is your 123.09beta01?

    Yes, read the notes in this thread's 3rd post regarding staging vs live certificates.
     
    Last edited: Aug 19, 2016
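The "unknown issuer - Fake LE Intermediate X1" warning jscott saw is the expected result of a staging certificate: the staging CA is not in any browser trust store. The following is an added example, not part of acmetool.sh or acme.sh, that tells a staging cert from a production one from its issuer and runs the two sanity checks a practitioner wants before trusting an install: that the key nginx points at matches the cert, and that the cert is not about to expire. The cert and key paths in the commented invocation are the ones acmetool.sh printed in the first post; everything else is assumed.

```sh
#!/bin/sh
# Added example, not part of acmetool.sh or acme.sh: decide whether the
# certificate nginx is serving is a Let's Encrypt staging cert (signed by
# "Fake LE Intermediate X1", which no browser trusts, hence the "unknown
# issuer" warning) or a production one, and run two sanity checks that
# catch the usual install mistakes.

# Pure string test so the rule can be checked without a cert on disk.
# Staging intermediates carry "Fake LE" or "(STAGING)" in their names.
issuer_is_staging() {
    case "$1" in
        *"Fake LE"*|*STAGING*) return 0 ;;
        *) return 1 ;;
    esac
}

# Issuer DN of a PEM certificate, e.g. "CN = Fake LE Intermediate X1".
cert_issuer() {
    openssl x509 -noout -issuer -in "$1" 2>/dev/null | sed 's/^issuer= *//'
}

# True when the private key nginx points at really belongs to the cert
# (compares the public key extracted from each; works for RSA and ECDSA).
key_matches_cert() {  # $1 = cert.pem, $2 = key.pem
    a=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null)
    b=$(openssl pkey -pubout -in "$2" 2>/dev/null)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# True when the cert expires inside the next $2 days (openssl -checkend
# exits 0 while the cert is still good for the whole window).
expires_within_days() {  # $1 = cert.pem, $2 = days
    if openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Report on one cert/key pair. Exit 0 = production and consistent,
# 1 = staging (expected to be untrusted), 2 = unreadable or key mismatch.
check_cert() {  # $1 = cert.pem, $2 = key.pem
    issuer=$(cert_issuer "$1")
    if [ -z "$issuer" ]; then
        echo "cannot read $1"
        return 2
    fi
    if ! key_matches_cert "$1" "$2"; then
        echo "key $2 does not match $1"
        return 2
    fi
    if expires_within_days "$1" 30; then
        echo "warning: $1 expires within 30 days"
    fi
    if issuer_is_staging "$issuer"; then
        echo "STAGING cert ($issuer): browsers will warn; reissue without --staging before going live"
        return 1
    fi
    echo "production cert ($issuer), key matches"
    return 0
}

# Example invocation against the paths acmetool.sh wrote in the first post:
# check_cert /usr/local/nginx/conf/ssl/acme3.domain1.com/acme3.domain1.com-acme-ecc.cer \
#            /usr/local/nginx/conf/ssl/acme3.domain1.com/acme3.domain1.com-acme-ecc.key
```

A return code of 1 from `check_cert` is the staging case and is not an installation fault; reissue without `--staging` once validation works. A return code of 2 means nginx is pointed at mismatched files, which it will refuse to load at reload time.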
  5. jscott (Member)
    The whole server is less than 24 hours old. Centminmod was installed with the beta test one line method.

    Until this morning acmetool.sh was version 0.1. After I saw your post I removed the . block, updated centmin and verified that it was 0.2. Then I retried the submission and it worked.

    There is a lot of detail in this thread, sorry about missing the untrusted part...
    By the way, it is at the top of the 3rd post now.

    I will delete this machine and start from scratch in a few hours.
    I will probably try a "live" cert after that. I am not worried about hitting the limits, this is a test domain.

    Thanks
    -John
  6. eva2000 (Administrator, Staff Member)
    Strange then, none of the current nginx vhost generation routines' vhost templates have the .dot file block in 123.09beta01 right now. Let me know how you do :)

    Code (Text):
    Searching 597 files for "Prevent access to ./directories" (case sensitive)
    
    0 matches across 0 files
     
    Last edited: Aug 19, 2016
  7. eva2000 (Administrator, Staff Member)
  8. jscott (Member)
    AH!!! I just found the one in /usr/local/src/centminmod/inc/nginx_addvhost.inc and was getting ready to write you a note!! Glad you found two more!! err... well you know what I mean...

    I have a virgin centminmod system. I was getting ready to create a vhost.

    Should I wait till you get everything updated? Any tests you want me to run?
    I can wait a while, I will be here several more hours.

    -John
  9. eva2000 (Administrator, Staff Member)
    Just run centmin.sh menu option 23 to update the code, exit centmin.sh, and re-running centmin.sh should use the updated inc/nginx_addvhost.inc.

    no idea why those instances were missed! :LOL:
     
  10. jscott (Member)
    OK... Next problem....

    started with virgin system freshly updated...

    performed the following steps ( from my notes... )
    Code:
    
    test yii.atlone.com
        Shows 'Centmin Mod Nginx Test Page'
    
    run centmin.sh option 2 to create yii.atlone.com
    
    run ./acmetool.sh acme-menu
    select 4)Issue SSL Management
    select 6)Custom Webroot Issue SSL Cert Staging/Test HTTPS Default
    set domain to yii.atlone.com
    enter custom webroot path you want: /home/nginx/domains/yii.atlone.com/public/basic/web
    
    
    It fails with
    Code (Text):
    [Thu Aug 18 23:05:47 UTC 2016] Verify each domain
    [Thu Aug 18 23:05:47 UTC 2016] Getting webroot for domain='yii.atlone.com'
    [Thu Aug 18 23:05:47 UTC 2016] Getting token for domain='yii.atlone.com'
    [Thu Aug 18 23:05:48 UTC 2016] Verifying:yii.atlone.com
    [Thu Aug 18 23:05:55 UTC 2016] yii.atlone.com:Verify error:Invalid response from http://yii.atlone.com/.well-known/acme-challenge/byn_HTfMWy8fa3mc1nNknrPEgxEWJTj8girIXCld7JM: \
    


    Checked my webroot, no sign of a .well-known directory.

    Then ran debug enabled script
    Code (Text):
     /root/.acme.sh/acme.sh --staging --issue -d yii.atlone.com -w /home/nginx/domains/yii.atlone.com/public/basic/web -k 2048 --useragent centminmod-centos6-acmesh-webroot --debug
    
    


    and it fails with
    Code (Text):
    [Fri Aug 19 00:22:10 UTC 2016] timeout
    [Fri Aug 19 00:22:10 UTC 2016] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header '
    [Fri Aug 19 00:22:10 UTC 2016] ret='0'
    [Fri Aug 19 00:22:10 UTC 2016] yii.atlone.com:Verify error:Invalid response from http://yii.atlone.com/.well-known/acme-challenge/BnalTUIZxK4HucNYpbdTNEC34hTUGnBzf2XAKvJkUL4: \
    [Fri Aug 19 00:22:10 UTC 2016] GET
    [Fri Aug 19 00:22:10 UTC 2016] url='http://yii.atlone.com/.well-known/acme-challenge/BnalTUIZxK4HucNYpbdTNEC34hTUGnBzf2XAKvJkUL4'
    [Fri Aug 19 00:22:10 UTC 2016] timeout
    [Fri Aug 19 00:22:10 UTC 2016] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header '
    


    However this time the .well-known directory shows up in my webroot.

    I notice that the validation is trying to use http:// but it is not reachable that way and returns a 404.

    If I try with https:// I get the file.

    It looks like there may be a problem in acmetool.sh acme-menu that does not create the .well-known directory and files, and another problem that causes LE to look for the validation file using http:// instead of https://.

    I have only tried with the 'https default' menu option so far. I am getting ready to try with the other option. I will update you how it works out.

    Thanks
    -John
  11. eva2000 (Administrator, Staff Member)
    Letsencrypt always looks for http when using webroot and follows any redirect to https, so it probably could be the http to https redirect. Will have to check though; I haven't really tested custom webroot much yet.
     
  12. eva2000 (Administrator, Staff Member)
    Oh, I see a problem: if you intend to run acmetool.sh acme-menu options, you DO NOT need to set up the vhost via centmin.sh menu option 2, as acmetool.sh does it for you, so they could be conflicting.

    Tested custom webroot with acmetool.sh only and no centmin.sh menu option 2 run:
    Code (Text):
    ./acmetool.sh webroot-issue acme3.domain1.com /home/nginx/domains/acme3.domain1.com/customwebroot d

    Code (Text):
    curl -Ik http://acme3.domain1.com
    HTTP/1.1 302 Moved Temporarily
    Date: Fri, 19 Aug 2016 00:55:34 GMT
    Content-Type: text/html
    Content-Length: 154
    Connection: keep-alive
    Location: https://acme3.domain1.com/
    Server: nginx centminmod
    X-Powered-By: centminmod
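
The two posts above describe how the HTTP-01 validator behaves: it requests the token over plain http://, follows a redirect to https:// if one is returned, and expects the token body back. The script below is an added example, not part of acmetool.sh or acme.sh, that reproduces that fetch locally before a real attempt is spent: it writes a throwaway token under `<webroot>/.well-known/acme-challenge/`, fetches it with curl the way the CA would, and compares the bodies. Domain, webroot and the `acme-preflight` user agent are assumptions; the challenge path is the one from the error messages above.

```sh
#!/bin/sh
# Added example, not part of acmetool.sh or acme.sh: reproduce what the
# Let's Encrypt HTTP-01 validator does so a 403 (dotfile deny block),
# 404 (wrong webroot or vhost) or broken redirect shows up before the
# real issue attempt runs.

CHALLENGE_DIR=".well-known/acme-challenge"

# Build the on-disk path for a webroot and token.
challenge_path() {  # $1 = webroot, $2 = token
    printf '%s/%s/%s\n' "$1" "$CHALLENGE_DIR" "$2"
}

# Random token, hex only so it is safe in a URL and a filename.
new_token() {
    od -An -N24 -tx1 /dev/urandom | tr -d ' \n'
}

# Write the token file, world-readable so the nginx worker user can serve it.
# Prints the path written.
write_token() {  # $1 = webroot, $2 = token
    dir="$1/$CHALLENGE_DIR"
    mkdir -p "$dir"
    printf '%s' "$2" > "$dir/$2"
    chmod 644 "$dir/$2"
    challenge_path "$1" "$2"
}

# Fetch like the validator: plain http first, follow redirects (the CA
# follows an http->https redirect), do not insist on a valid certificate
# on the https hop since the site has none yet, fail on 4xx/5xx.
fetch_token() {  # $1 = domain, $2 = token
    curl -sSfL -k --max-redirs 5 --max-time 15 -A "acme-preflight" \
        "http://$1/$CHALLENGE_DIR/$2"
}

# True when the body served equals the token written.
bodies_match() {  # $1 = served body, $2 = expected token
    [ "$1" = "$2" ]
}

# Full check. Exit 0 means the validator would see the token.
preflight() {  # $1 = domain, $2 = webroot
    tok=$(new_token)
    path=$(write_token "$2" "$tok")
    got=$(fetch_token "$1" "$tok")
    rc=$?
    rm -f "$path"
    if [ "$rc" -ne 0 ]; then
        echo "FAIL: http://$1/$CHALLENGE_DIR/$tok not reachable (curl rc=$rc); check the vhost, the dotfile deny block and the redirect"
        return 1
    fi
    if bodies_match "$got" "$tok"; then
        echo "OK: validator would read the token via http://$1 (redirects followed)"
        return 0
    fi
    echo "FAIL: wrong body served; another vhost or webroot is answering for $1"
    return 1
}

# Example invocation on the server, after DNS for the domain points here:
# preflight acme3.domain1.com /home/nginx/domains/acme3.domain1.com/customwebroot
```

Run it as root on the server itself only after the domain resolves to that host; a pass here does not guarantee issuance (the CA validates from its own vantage points), but a failure here will fail there too, and the curl exit code plus `-S` error text names the layer that broke.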
     
  13. jscott (Member)
    Ah.. OK.

    So....

    1. centmin.sh menu option 2 does not give the option for custom webroot.
    2. acmetool.sh will create the vhost with the custom webroot.

    Is this correct?

    -John
     
  14. eva2000 (Administrator, Staff Member)
    Yup, acmetool.sh creates the nginx vhost if it doesn't exist, and yes, centmin.sh menu option 2 doesn't have support for custom webroot; only acmetool.sh does.

    Also, acmetool.sh 0.3 was just updated in 123.09beta01 to fix a typo :)
     
  15. jscott (Member)
    ok just ran
    Code (Text):
    /root/.acme.sh/acme.sh  --staging --issue -d yii3.atlone.com -w /home/nginx/domains/yii3.atlone.com/public/basic/web -k 2048 --useragent centminmod-centos6-acmesh-webroot --debug
    


    With a brand new subdomain and it failed with the https and http.

    The validation file is in the .well-known dir in my webroot

    If I load the webroot in the browser it shows the 'Centmin Mod Nginx Test Page'

    There is no .conf file in /usr/local/nginx/conf.d for yii3

    -John
  16. eva2000 (Administrator, Staff Member)
    Did you set up the main hostname properly as per Getting Started Guide step 1? The main hostname for the server must not be the same as any nginx vhost domain you intend to set up on the server, as per the Getting Started bottom of page summary.
     
  17. eva2000 (Administrator, Staff Member)
    That acme.sh run only gets the certificate via acme.sh, so no vhost is set up; only via addons/acmetool.sh do you get both the ssl cert + nginx vhost setup.
     
  18. jscott (Member)
    oh yes... I knew that... I got the two scripts confused in my mind.

    Is there a way to wipe a domain completely from LE?
    I tried revoking, but I don't think that worked....

    -John
     
  19. eva2000 (Administrator, Staff Member)
    There's no revoking; you can wipe the nginx vhost and ssl certs installed via the 1st post example, where each nginx vhost run created a set of commands to remove the files and the pure-ftpd user. It does leave the acme.sh obtained cert stored at /root/.acme.sh/yourdomainname or /root/.acme.sh/yourdomain_ecc (for ECDSA certs), a directory which can be manually removed too.

    So when I created acme3.domain1.com, the output, which is logged at /root/centminlogs too, gives me commands to remove the site vhost etc.
    Code (Text):
    pure-pw userdel vq4QKxGjf4Uy01a
    rm -rf /usr/local/nginx/conf/conf.d/acme3.domain1.com.ssl.conf
    rm -rf /usr/local/nginx/conf/ssl/acme3.domain1.com/acme3.domain1.com.crt
    rm -rf /usr/local/nginx/conf/ssl/acme3.domain1.com/acme3.domain1.com.key
    rm -rf /usr/local/nginx/conf/ssl/acme3.domain1.com/acme3.domain1.com.csr
    rm -rf /usr/local/nginx/conf/ssl/acme3.domain1.com
    rm -rf /home/nginx/domains/acme3.domain1.com
    service nginx restart

    Then, as I created an ECDSA SSL cert, the acme.sh housed cert is in directory /root/.acme.sh/acme3.domain1.com_ecc/
    Code (Text):
    ls -lah /root/.acme.sh/acme3.domain1.com_ecc/
    total 36K
    drwxr-xr-x 2 root root 4.0K Aug 19 02:21 .
    drwx------ 8 root root 4.0K Aug 19 02:21 ..
    -rw-r--r-- 1 root root 1.5K Aug 19 02:21 acme3.domain1.com.cer
    -rw-r--r-- 1 root root  921 Aug 19 02:21 acme3.domain1.com.conf
    -rw-r--r-- 1 root root  371 Aug 19 02:21 acme3.domain1.com.csr
    -rw-r--r-- 1 root root  302 Aug 19 02:21 acme3.domain1.com.key
    -rw-r--r-- 1 root root   79 Aug 19 02:21 acme3.domain1.com.ssl.conf
    -rw-r--r-- 1 root root 1.7K Aug 19 02:21 ca.cer
    -rw-r--r-- 1 root root 3.1K Aug 19 02:21 fullchain.cer

    So I can remove that directory too:
    Code (Text):
    rm -rf /root/.acme.sh/acme3.domain1.com_ecc/


    I might create a removal script for acmetool.sh as well :)
     
  20. eva2000 (Administrator, Staff Member)
    Ah, forgot I did create a log for removing the vhost in /root/centminlogs :)

    Code (Text):
    ls -lahrt /root/centminlogs/ | grep remove
    -rw-r--r--   1 root root 1.1K Aug 19 02:21 centminmod_190816-021907_nginx_addvhost_nv-remove-cmds-acme3.domain1.com.log
    

    Code (Text):
    cat /root/centminlogs/centminmod_190816-021907_nginx_addvhost_nv-remove-cmds-acme3.domain1.com.log
    -------------------------------------------------------------
    Commands to remove acme3.domain1.com
    
    pure-pw userdel vq4QKxGjf4Uy01a
    rm -rf /usr/local/nginx/conf/conf.d/acme3.domain1.com.ssl.conf
    rm -rf /usr/local/nginx/conf/ssl/acme3.domain1.com/acme3.domain1.com.crt
    rm -rf /usr/local/nginx/conf/ssl/acme3.domain1.com/acme3.domain1.com.key
    rm -rf /usr/local/nginx/conf/ssl/acme3.domain1.com/acme3.domain1.com.csr
    rm -rf /usr/local/nginx/conf/ssl/acme3.domain1.com
    rm -rf /home/nginx/domains/acme3.domain1.com
    service nginx restart
    
    -------------------------------------------------------------
    vhost for acme3.domain1.com setup successfully
    acme3.domain1.com setup info log saved at:
    /root/centminlogs/centminmod_190816-021907_nginx_addvhost_nv.log
    -------------------------------------------------------------


    Then for the original acme.sh obtained cert:
    Code (Text):
    rm -rf /root/.acme.sh/acme3.domain1.com_ecc/
     
    Last edited: Aug 19, 2016