Letsencrypt Official acmetool.sh testing thread for Centmin Mod 123.09beta01

eva2000 · Aug 18, 2016

@jscott just did a test server customweb root run on a test domain acme3.domain.com and worked fine full output at acme3.domain.com test for acmetool.sh for centminmod.com · GitHub to keep this thread cleaner

excerpt below

command ran

Code (Text):

./acmetool.sh webroot-issue acme3.domain1.com /home/nginx/domains/acme3.domain1.com/customwebroot

output

Code (Text):

-------------------------------------------------------------
vhost for acme3.domain1.com created successfully

domain: http://acme3.domain1.com
vhost conf file for acme3.domain1.com created: /usr/local/nginx/conf/conf.d/acme3.domain1.com.conf

vhost ssl for acme3.domain1.com created successfully

domain: https://acme3.domain1.com
vhost ssl conf file for acme3.domain1.com created: /usr/local/nginx/conf/conf.d/acme3.domain1.com.ssl.conf
/usr/local/nginx/conf/ssl_include.conf created
Self-signed SSL Certificate: /usr/local/nginx/conf/ssl/acme3.domain1.com/acme3.domain1.com.crt
SSL Private Key: /usr/local/nginx/conf/ssl/acme3.domain1.com/acme3.domain1.com.key
SSL CSR File: /usr/local/nginx/conf/ssl/acme3.domain1.com/acme3.domain1.com.csr
Backup SSL Private Key: /usr/local/nginx/conf/ssl/acme3.domain1.com/acme3.domain1.com-backup.key
Backup SSL CSR File: /usr/local/nginx/conf/ssl/acme3.domain1.com/acme3.domain1.com-backup.csr

upload files to /home/nginx/domains/acme3.domain1.com/public
vhost log files directory is /home/nginx/domains/acme3.domain1.com/log

Code (Text):

-------------------------------------------------------------
Commands to remove acme3.domain1.com

pure-pw userdel ***
rm -rf /usr/local/nginx/conf/conf.d/acme3.domain1.com.conf
rm -rf /usr/local/nginx/conf/conf.d/acme3.domain1.com.ssl.conf
rm -rf /usr/local/nginx/conf/ssl/acme3.domain1.com/acme3.domain1.com.crt
rm -rf /usr/local/nginx/conf/ssl/acme3.domain1.com/acme3.domain1.com.key
rm -rf /usr/local/nginx/conf/ssl/acme3.domain1.com/acme3.domain1.com.csr
rm -rf /usr/local/nginx/conf/ssl/acme3.domain1.com
rm -rf /home/nginx/domains/acme3.domain1.com
service nginx restart

-------------------------------------------------------------
vhost for acme3.domain1.com setup successfully
acme3.domain1.com setup info log saved at:
/root/centminlogs/centminmod_180816-035035_nginx_addvhost_nv.log
-------------------------------------------------------------


adjusting /usr/local/nginx/conf/conf.d/acme3.domain1.com.ssl.conf
change web root:
from:
to: /home/nginx/domains/acme3.domain1.com/customwebroot
  root /home/nginx/domains/acme3.domain1.com/customwebroot;

adjusting /usr/local/nginx/conf/conf.d/acme3.domain1.com.conf
change web root:
from:
to: /home/nginx/domains/acme3.domain1.com/customwebroot
  root /home/nginx/domains/acme3.domain1.com/customwebroot;

grep 'root' /usr/local/nginx/conf/conf.d/acme3.domain1.com.conf
  root /home/nginx/domains/acme3.domain1.com/customwebroot;
grep 'root' /usr/local/nginx/conf/conf.d/acme3.domain1.com.ssl.conf
  root /home/nginx/domains/acme3.domain1.com/customwebroot;

Code (Text):

-----------------------------------------------------------
issue & install letsencrypt ssl certificate for acme3.domain1.com
-----------------------------------------------------------
/root/.acme.sh/acme.sh --staging --issue -d acme3.domain1.com -w /home/nginx/domains/acme3.domain1.com/customwebroot -k ec-256 --useragent centminmod-centos7-acmesh-webroot
[Thu Aug 18 03:51:26 UTC 2016] Using stage api:https://acme-staging.api.letsencrypt.org
[Thu Aug 18 03:51:29 UTC 2016] Registering account
[Thu Aug 18 03:51:35 UTC 2016] Already registered
[Thu Aug 18 03:51:35 UTC 2016] Creating domain key
[Thu Aug 18 03:51:35 UTC 2016] Use length 256
[Thu Aug 18 03:51:35 UTC 2016] Using ec name: prime256v1
[Thu Aug 18 03:51:35 UTC 2016] Single domain='acme3.domain1.com'
[Thu Aug 18 03:51:35 UTC 2016] Verify each domain
[Thu Aug 18 03:51:35 UTC 2016] Getting webroot for domain='acme3.domain1.com'
[Thu Aug 18 03:51:35 UTC 2016] Getting token for domain='acme3.domain1.com'
[Thu Aug 18 03:51:41 UTC 2016] Verifying:acme3.domain1.com
[Thu Aug 18 03:51:53 UTC 2016] Success
[Thu Aug 18 03:51:53 UTC 2016] Verify finished, start to sign.
[Thu Aug 18 03:52:00 UTC 2016] Cert success.
-----BEGIN CERTIFICATE-----
MIIEIjCCAwqgAwIBAgITAPpj24sLhHf1bFpstZ/vM3kHLTANBgkqhkiG9w0BAQsF
ADAiMSAwHgYDVQQDDBdGYWtlIExFIEludGVybWVkaWF0ZSBYMTAeFw0xNjA4MTgw
MjUyMDBaFw0xNjExMTYwMjUyMDBaMB8xHTAbBgNVBAMTFGFjbWUzLmNlbnRtaW5t
b2QuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE6ohDC8gIO21qPOwEwKpp
U19MzjaIqffw1/ssssssssssssssssssssddBgNVHSUEFjAUBggrBgEFBQcDAQYI
KwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUOcYxRj3whiriFsDbk29O
lGvgavQwHwYDVR0jBBgwFoAUwMwDRrlYIMxccnDz4S7LIKb1aDoweAYIKwYBBQUH
AQEEbDBqMDMGCCsGAQUFBzABhidodHRwOi8vb2NzcC5zdGctaW50LXgxLmxldHNl
bmNyeXB0Lm9yZy8wMwYIKwYBBQUHMAKGJ2h0dHA6Ly9jZXJ0LnN0Zy1pbnQteDEu
bGV0c2VuY3J5cHQub3JnLzAfBgNVHREEGDAWghRhY21lMy5jZW50bWlubW9kLmNv
bTCB/gYDVR0gBIH2MIHzMAgGBmeBDAECATCB5gYLKwYBBAGC3xMBAQEwgdYwJgYI
KwYBBQUHAgEWGmh0dHA6Ly9jcHMubGV0c2VuY3J5cHQub3JnMIGrBggrBgEFBQcC
AjCBngyBm1RoaXMgQ2VydGlmaWNhdGUgbWF5IG9ubHkgYmUgcmVsaWVkIHVwb24g
YnkgUmVseWluZyBQYXJ0aWVzIGFuZCBvbmx5IGluIGFjY29yZGFuY2Ugd2l0aCB0
aGUgQ2VydGlmaWNhdGUgUG9saWN5IGZvdW5kIGF0IGh0dHBzOi8vbGV0c2VuY3J5
cHQub3JnL3JlcG9zaXRvcnkvMA0GCSqGSIb3DQEBCwUAA4IBAQA5FizBSptl8KBQ
lgXuVTH20qAgue3KCNEJ8vPWAlu1/9huAVeu+FSwXo0oHlBUlYMjd3Ikvw9FLAbe
deGYqLqa8Je3eW8LQB/CrdN8IZ/XJhuJaR9Py5PaqZgD/vDaxmHXEjrBpvtJPJCU
Ve8dy5uPvHmLkEIKNZm/3o6ox7xtM13SvgqrlUdPnKH3vmJOf5/Azy7TDtj7rco4
45c7XU/m6lL1cIbXZNHHgzUyT98NjIDSfkea9ol+18qB5xxO9lr3JDKgmzBHv7AX
WwD1WN6xsiUR13yjR9Ier7gj9E9YvA6O+d709o2Nwu1Ha6euVueCVFaJ8gcR26Om
R5Gz+EtX
-----END CERTIFICATE-----
[Thu Aug 18 03:52:00 UTC 2016] Your cert is in /root/.acme.sh/acme3.domain1.com_ecc/acme3.domain1.com.cer
[Thu Aug 18 03:52:01 UTC 2016] The intermediate CA cert is in /root/.acme.sh/acme3.domain1.com_ecc/ca.cer
[Thu Aug 18 03:52:01 UTC 2016] And the full chain certs is there: /root/.acme.sh/acme3.domain1.com_ecc/fullchain.cer
  ssl_certificate      /usr/local/nginx/conf/ssl/acme3.domain1.com/acme3.domain1.com-acme-ecc.cer;
  ssl_certificate_key  /usr/local/nginx/conf/ssl/acme3.domain1.com/acme3.domain1.com-acme-ecc.key;
  #ssl_trusted_certificate /usr/local/nginx/conf/ssl/acme3.domain1.com/acme3.domain1.com-acme-ecc.cer;

Code (Text):

-----------------------------------------------------------
install cert
-----------------------------------------------------------
/root/.acme.sh/acme.sh --installcert -d acme3.domain1.com --certpath /usr/local/nginx/conf/ssl/acme3.domain1.com/acme3.domain1.com-acme-ecc.cer --keypath /usr/local/nginx/conf/ssl/acme3.domain1.com/acme3.domain1.com-acme-ecc.key --capath /usr/local/nginx/conf/ssl/acme3.domain1.com/acme3.domain1.com-acme-ecc.cer --reloadCmd /usr/bin/ngxreload --fullchainpath /usr/local/nginx/conf/ssl/acme3.domain1.com/acme3.domain1.com-fullchain-acme-ecc.key --ecc
[Thu Aug 18 03:52:01 UTC 2016] Installing cert to:/usr/local/nginx/conf/ssl/acme3.domain1.com/acme3.domain1.com-acme-ecc.cer
[Thu Aug 18 03:52:01 UTC 2016] Installing CA to:/usr/local/nginx/conf/ssl/acme3.domain1.com/acme3.domain1.com-acme-ecc.cer
[Thu Aug 18 03:52:01 UTC 2016] Installing key to:/usr/local/nginx/conf/ssl/acme3.domain1.com/acme3.domain1.com-acme-ecc.key
[Thu Aug 18 03:52:01 UTC 2016] Installing full chain to:/usr/local/nginx/conf/ssl/acme3.domain1.com/acme3.domain1.com-fullchain-acme-ecc.key
[Thu Aug 18 03:52:01 UTC 2016] Run Le_ReloadCmd: /usr/bin/ngxreload
Reloading nginx configuration (via systemctl):  [  OK  ]
[Thu Aug 18 03:52:01 UTC 2016] Reload success

letsencrypt ssl certificate setup completed
ssl certs located at: /usr/local/nginx/conf/ssl/acme3.domain1.com

openssl x509 -noout -text < /usr/local/nginx/conf/ssl/acme3.domain1.com/acme3.domain1.com-acme-ecc.cer
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            fa:63:db:8b:0b:84:77:f5:6c:5a:6c:b5:9f:ef:33:79:07:2d
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=Fake LE Intermediate X1
        Validity
            Not Before: Aug 18 02:52:00 2016 GMT
            Not After : Nov 16 02:52:00 2016 GMT
        Subject: CN=acme3.domain1.com
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:ea:88:43:0b:c8:08:3b:6d:6a:3c:ec:04:c0:aa:
                    69:53:5f:4c:ce:36:88:a9:f7:f0:d7:ff:ff:cd:3a:
                    fc:7b:1a:52:99:29:ba:95:e9:f9:c9:5d:49:9d:37:
                    88:85:12:48:15:b1:55:84:40:f3:c4:99:db:a6:ab:
                    e2:a1:60:ac:77
                ASN1 OID: prime256v1
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                39:C6:31:46:3D:F0:86:2A:E2:16:C0:DB:93:6F:4E:94:6B:E0:6A:F4
            X509v3 Authority Key Identifier:
                keyid:C0:CC:03:46:B9:58:20:CC:5C:72:70:F3:E1:2E:CB:20:A6:F5:68:3A

            Authority Information Access:
                OCSP - URI:http://ocsp.stg-int-x1.letsencrypt.org/
                CA Issuers - URI:http://cert.stg-int-x1.letsencrypt.org/

            X509v3 Subject Alternative Name:
                DNS:acme3.domain1.com
            X509v3 Certificate Policies:
                Policy: 2.23.140.1.2.1
                Policy: 1.3.6.1.4.1.44947.1.1.1
                  CPS: http://cps.letsencrypt.org
                  User Notice:
                    Explicit Text: This Certificate may only be relied upon by Relying Parties and only in accordance with the Certificate Policy found at https://letsencrypt.org/repository/

checkdates

Code (Text):

./acmetool.sh checkdates

/usr/local/nginx/conf/ssl/acme.domain1.com/acme.domain1.com-acme.cer
certificate expires in 16 days on 4 Sep 2016

/usr/local/nginx/conf/ssl/acme3.domain1.com/acme3.domain1.com-acme-ecc.cer
certificate expires in 89 days on 16 Nov 2016

/usr/local/nginx/conf/ssl/acme2.domain1.com/acme2.domain1.com-acme.cer
certificate expires in 14 days on 2 Sep 2016

/usr/local/nginx/conf/ssl/acme1.domain1.com/acme1.domain1.com-acme-ecc.cer
certificate expires in 84 days on 11 Nov 2016

SeaTea · Aug 18, 2016

jscott said: ↑

I thought that the validation file was not in my root but it was hidden by starting with a dot. I though ls -l would show those, but it does not. so the file is there.

So this 403 error is the only problem at the moment. I did not change any configuration files.
Click to expand...

Do you have the following in /usr/local/nginx/conf/conf.d/yoursite.conf ?
Code (Text):
# Prevent access to ./directories and files
    location ~ (?:^|/)\. {
        deny all;
    }
comment this out, otherwise there will be a 403-error.

I don't know if this is still default-setting in centminmod. I had this in my config files when starting to test letsencrypt some months ago and have removed it. Did not test the new acmetool.sh yet. Still using certbot renewals here.

jscott · Aug 18, 2016

AH! This was the problem.

I just updated centmin, edited the .conf file and reran the command line option I had been using to update the cert.

It looks like it worked, but my browser complains about unknown issuer - Fake LE Intermediate X1

Is this normal for a staging site?

Looks like you need to re-remove the block for . files.

I will wipe and rebuild this system from scratch and in several hours and update you on how it is working. If you want me to try anything else before then let me know.

Thanks for all your help!!

eva2000 · Aug 19, 2016

SeaTea said: ↑

I don't know if this is still default-setting in centminmod.
Click to expand...

New 123.09beta01 builds should have it commented out by default

If you updated centmin mod via centmin.sh menu option 23 then any new nginx vhost created has the dot file block commented out by default. This has been the case for months now

@jscott how old is your 123.09beta01?

jscott said: ↑

It looks like it worked, but my browser complains about unknown issuer - Fake LE Intermediate X1
Click to expand...

Yes read the notes in this thread's 3rd post regarding staging vs live certificates

jscott · Aug 19, 2016

The whole server is less then 24 hours old. Centminmod was installed with the beta test one line method.

until this morning ACMETOOL was version 0.1. After I saw your post I removed the . block, updated CENTMIN and verified that it was 0.2. Then I retried the submission and it worked.

There is a lot of detail in this thread, sorry about missing the untrusted part...
By the way, it is at the top of the 3rd post now.

I will delete this machine and start from scratch in a few hours.
I will probably try a "live" cert after that. I am not worried about hitting the limits, this is a test domain.

Thanks
-John

eva2000 · Aug 19, 2016

jscott said: ↑

The whole server is less then 24 hours old. Centminmod was installed with the beta test one line method.
Click to expand...

strange then none of the current nginx vhost generation routines' vhost templates have the .dot file in 123.09beta01 right now. Let me know how you do
Code (Text):
Searching 597 files for "Prevent access to ./directories" (case sensitive)

0 matches across 0 files

eva2000 · Aug 19, 2016

@jscott updated 123.09beta01 with a fix seems i missed 3 instances at Beta Branch - update disable dot files block | Centmin Mod Community

jscott · Aug 19, 2016

AH!!! I just found the one in /usr/local/src/centminmod/inc/nginx_addvhost.inc and was getting ready to write you a note!! Glad you found two more!! err... well you know what I mean...

I have a virgin centminmod system. I was getting ready to create a vhost.

Should I wait till you get everything updated? Any tests you want me to run?
I can wait a while, I will be here several more hours.

-John

eva2000 · Aug 19, 2016

jscott said: ↑

AH!!! I just found the one in /usr/local/src/centminmod/inc/nginx_addvhost.inc and was getting ready to write you a note!! Glad you found two more!! err... well you know what I mean...

I have a virgin centminmod system. I was getting ready to create a vhost.

Should I wait till you get everything updated? Any tests you want me to run?
I can wait a while, I will be here several more hours.

-John
Click to expand...

just run centmin.sh menu option 23 to update code, exit centmin.sh and re-running centmin.sh should use updated inc/nginx_addvhost.inc

no idea why those instances were missed!

jscott · Aug 19, 2016

OK... Next problem....

started with virgin system freshly updated...

performed the following steps ( from my notes... )
Code:
test yii.atlone.com
    Shows 'Centmin Mod Nginx Test Page'

run centmin.sh option 2 to create yii.atlone.com

run ./acmetool.sh acme-menu
select 4)Issue SSL Management
select 6)Custom Webroot Issue SSL Cert Staging/Test HTTPS Default
set domain to yii.atlone.com
enter custom webroot path you want: /home/nginx/domains/yii.atlone.com/public/basic/web
It fails with
Code (Text):
[Thu Aug 18 23:05:47 UTC 2016] Verify each domain
[Thu Aug 18 23:05:47 UTC 2016] Getting webroot for domain='yii.atlone.com'
[Thu Aug 18 23:05:47 UTC 2016] Getting token for domain='yii.atlone.com'
[Thu Aug 18 23:05:48 UTC 2016] Verifying:yii.atlone.com
[Thu Aug 18 23:05:55 UTC 2016] yii.atlone.com:Verify error:Invalid response from http://yii.atlone.com/.well-known/acme-challenge/byn_HTfMWy8fa3mc1nNknrPEgxEWJTj8girIXCld7JM: \
Checked my web root, no sign off .well-known directory.

Then ran debug enabled script
Code (Text):
 /root/.acme.sh/acme.sh --staging --issue -d yii.atlone.com -w /home/nginx/domains/yii.atlone.com/public/basic/web -k 2048 --useragent centminmod-centos6-acmesh-webroot --debug
and it fails with
Code (Text):
[Fri Aug 19 00:22:10 UTC 2016] timeout
[Fri Aug 19 00:22:10 UTC 2016] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header '
[Fri Aug 19 00:22:10 UTC 2016] ret='0'
[Fri Aug 19 00:22:10 UTC 2016] yii.atlone.com:Verify error:Invalid response from http://yii.atlone.com/.well-known/acme-challenge/BnalTUIZxK4HucNYpbdTNEC34hTUGnBzf2XAKvJkUL4: \
[Fri Aug 19 00:22:10 UTC 2016] GET
[Fri Aug 19 00:22:10 UTC 2016] url='http://yii.atlone.com/.well-known/acme-challenge/BnalTUIZxK4HucNYpbdTNEC34hTUGnBzf2XAKvJkUL4'
[Fri Aug 19 00:22:10 UTC 2016] timeout
[Fri Aug 19 00:22:10 UTC 2016] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header '
However this time the .well-know directory shows up in my webroot.

I notice that the validation is trying to use http:// but it is not reachable that way and returns a 404.

If I try with https:// I get the file.

It looks like there may be a problem in acmetool.sh acme-menu that does not create the .well-known directory and files, and another problem that causes LE to look for the validation file using http:// instead of https://.

I have only tried with the 'https default' menu option so far. I am getting ready to try with the other option. I will update you how it works out.

Thanks
-John

eva2000 · Aug 19, 2016

jscott said: ↑

It looks like there may be a problem in acmetool.sh acme-menu that does not create the .well-known directory and files, and another problem that causes LE to look for the validation file using http:// instead of https://.
Click to expand...

letsencrypt always looks for http when using webroot and follows any redirect to https, so probably could be the http to https redirect. Will have to check though i haven't really tested custom web root much yet.

eva2000 · Aug 19, 2016

jscott said: ↑

run centmin.sh option 2 to create yii.atlone.com run ./acmetool.sh acme-menu select 4)Issue SSL Management select 6)Custom Webroot Issue SSL Cert Staging/Test HTTPS Default set domain to yii.atlone.com enter custom webroot path you want: /home/nginx/domains/yii.atlone.com/public/basic/web
Click to expand...

oh i see a problem, if you intend to run acmetool.sh acme-menu options, you DO NOT need to setup vhost via centmin.sh menu option 2 as acmetool.sh does it for you so could be conflicting

tested custom webroot with acmetool.sh only and no centmin.sh menu option 2 run
Code (Text):
./acmetool.sh webroot-issue acme3.domain1.com /home/nginx/domains/acme3.domain1.com/customwebroot d
Code (Text):
curl -Ik http://acme3.domain1.com
HTTP/1.1 302 Moved Temporarily
Date: Fri, 19 Aug 2016 00:55:34 GMT
Content-Type: text/html
Content-Length: 154
Connection: keep-alive
Location: https://acme3.domain1.com/
Server: nginx centminmod
X-Powered-By: centminmod

jscott · Aug 19, 2016

Ah.. OK.

So....

1. centmin.sh menu option 2 does not give the option for custom webroot.
2. acmetool.sh will create the vhost with the custom webroot.

Is this correct?

-John

eva2000 · Aug 19, 2016

yup acmetool.sh creates nginx vhost if it doesn't exist and yes centmin.sh menu option 2 doesn't have support for custom webroot, only acmetool.sh does

also just updated acmetool.sh 0.3 was updated in 123.09beta01 fix a typo

jscott · Aug 19, 2016

ok just ran
Code (Text):
/root/.acme.sh/acme.sh  --staging --issue -d yii3.atlone.com -w /home/nginx/domains/yii3.atlone.com/public/basic/web -k 2048 --useragent centminmod-centos6-acmesh-webroot --debug
With a brand new subdomain and it failed with the https and http.

The validation file is in the .well-known dir in my webroot

If I load the webroot in the browser it shows the 'Centmin Mod Nginx Test Page'

There is no .conf file in /usr/local/nginx/conf.d for yii3

-John

eva2000 · Aug 19, 2016

jscott said: ↑
ok just ran
Code (Text):
/root/.acme.sh/acme.sh  --staging --issue -d yii3.atlone.com -w /home/nginx/domains/yii3.atlone.com/public/basic/web -k 2048 --useragent centminmod-centos6-acmesh-webroot --debug
With a brand new subdomain and it failed with the https and http.

The validation file is in the .well-known dir in my webroot

If I load the webroot in the browser it shows the 'Centmin Mod Nginx Test Page'

There is no .conf file in /usr/local/nginx/conf.d for yii3

-John
Click to expand...
did you setup main hostname properly as per Getting Started Guide step 1 ? Main hostname for server most not be same as any nginx vhost domain you intend to setup on the server as per Getting Started bottom of page summary.

Summary
End result is that visiting:

hostname.newdomain.com should have a valid working DNS entry (either an A record pointing to server's IP address or CNAME entry) and should go to default Nginx setup page which is controlled via Nginx vhost configuration file at /usr/local/nginx/conf/conf.d/virtual.conf with document root at /usr/local/nginx/html

newdomain.com should also have a valid DNS entry preferably A record pointing to server IP address and go to your site's pages controlled via Nginx vhost configuration file at /usr/local/nginx/conf/conf.d/newdomain.com.conf with document root at/home/nginx/domains/newdomain.com/public

Click to expand...

eva2000 · Aug 19, 2016

jscott said: ↑
k just ran
Code (Text):
/root/.acme.sh/acme.sh  --staging --issue -d yii3.atlone.com -w /home/nginx/domains/yii3.atlone.com/public/basic/web -k 2048 --useragent centminmod-centos6-acmesh-webroot --debug
Click to expand...
that acme.sh run only gets the certificate via acme.sh so not vhost is setup, only via addons/acmetool.sh do you get both ssl cert + nginx vhost setup

jscott · Aug 19, 2016

oh yes... I knew that... I got the two scripts confused in my mind.

Is there a way to wipe a domain completely from LE?
I tried revoking, but I don't think that worked....

-John

eva2000 · Aug 19, 2016

there's no revoking, you can wipe the nginx vhost and ssl certs installed via the 1st post example where each nginx vhost run created as a set of commands to remove files and pure-ftpd user. It does leave acme.sh obtained cert stored at /root/.acme.sh/yourdomainname or /root/.achem.sh/yourdomain_ecc for ECDSA certs directory which can be manually removed too

so when i created acme3.domain1.com, the output which is logged at /root/centminlogs too gives me commands to remove the site vhost etc
Code (Text):
pure-pw userdel vq4QKxGjf4Uy01a
rm -rf /usr/local/nginx/conf/conf.d/acme3.domain1.com.ssl.conf
rm -rf /usr/local/nginx/conf/ssl/acme3.domain1.com/acme3.domain1.com.crt
rm -rf /usr/local/nginx/conf/ssl/acme3.domain1.com/acme3.domain1.com.key
rm -rf /usr/local/nginx/conf/ssl/acme3.domain1.com/acme3.domain1.com.csr
rm -rf /usr/local/nginx/conf/ssl/acme3.domain1.com
rm -rf /home/nginx/domains/acme3.domain1.com
service nginx restart
then as i created ECDSA SSL cert, acme.sh housed cert is in directory /root/.acme.sh/acme3.domain1.com_ecc/
Code (Text):
ls -lah /root/.acme.sh/acme3.domain1.com_ecc/
total 36K
drwxr-xr-x 2 root root 4.0K Aug 19 02:21 .
drwx------ 8 root root 4.0K Aug 19 02:21 ..
-rw-r--r-- 1 root root 1.5K Aug 19 02:21 acme3.domain1.com.cer
-rw-r--r-- 1 root root  921 Aug 19 02:21 acme3.domain1.com.conf
-rw-r--r-- 1 root root  371 Aug 19 02:21 acme3.domain1.com.csr
-rw-r--r-- 1 root root  302 Aug 19 02:21 acme3.domain1.com.key
-rw-r--r-- 1 root root   79 Aug 19 02:21 acme3.domain1.com.ssl.conf
-rw-r--r-- 1 root root 1.7K Aug 19 02:21 ca.cer
-rw-r--r-- 1 root root 3.1K Aug 19 02:21 fullchain.cer
so I can remove that directory too
Code (Text):
rm -rf /root/.acme.sh/acme3.domain1.com_ecc/
I might create and removal script for acmetool.sh as well

eva2000 · Aug 19, 2016

Ah forgot i did create a log for removing vhost in /root/centminlogs

Code (Text):

ls -lahrt /root/centminlogs/ | grep remove
-rw-r--r--   1 root root 1.1K Aug 19 02:21 centminmod_190816-021907_nginx_addvhost_nv-remove-cmds-acme3.domain1.com.log

Code (Text):

cat /root/centminlogs/centminmod_190816-021907_nginx_addvhost_nv-remove-cmds-acme3.domain1.com.log
-------------------------------------------------------------
Commands to remove acme3.domain1.com

pure-pw userdel vq4QKxGjf4Uy01a
rm -rf /usr/local/nginx/conf/conf.d/acme3.domain1.com.ssl.conf
rm -rf /usr/local/nginx/conf/ssl/acme3.domain1.com/acme3.domain1.com.crt
rm -rf /usr/local/nginx/conf/ssl/acme3.domain1.com/acme3.domain1.com.key
rm -rf /usr/local/nginx/conf/ssl/acme3.domain1.com/acme3.domain1.com.csr
rm -rf /usr/local/nginx/conf/ssl/acme3.domain1.com
rm -rf /home/nginx/domains/acme3.domain1.com
service nginx restart

-------------------------------------------------------------
vhost for acme3.domain1.com setup successfully
acme3.domain1.com setup info log saved at:
/root/centminlogs/centminmod_190816-021907_nginx_addvhost_nv.log
-------------------------------------------------------------

Then for original acme.sh obtained cert

Code (Text):

rm -rf /root/.acme.sh/acme3.domain1.com_ecc/

Log in / Register

Forums

Welcome to Centmin Mod Community

Letsencrypt Official acmetool.sh testing thread for Centmin Mod 123.09beta01

eva2000 Administrator Staff Member

SeaTea Member

jscott Member

eva2000 Administrator Staff Member

jscott Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

jscott Member

eva2000 Administrator Staff Member

jscott Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

jscott Member

eva2000 Administrator Staff Member

jscott Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

jscott Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

.

Log in / Register

Useful Searches

Welcome to Centmin Mod Community

Letsencrypt Official acmetool.sh testing thread for Centmin Mod 123.09beta01

eva2000 Administrator Staff Member

SeaTea Member

jscott Member

eva2000 Administrator Staff Member

jscott Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

jscott Member

eva2000 Administrator Staff Member

jscott Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

jscott Member

eva2000 Administrator Staff Member

jscott Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

jscott Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

.