
Letsencrypt Official acmetool.sh testing thread for Centmin Mod 123.09beta01

Discussion in 'Domains, DNS, Email & SSL Certificates' started by eva2000, Jul 26, 2016.

  1. jscott

    jscott Member

    104
    14
    18
    Aug 13, 2015
    Ratings:
    +33
    Local Time:
    10:39 PM
    Problem with custom webroot

    It looks like there is a problem creating vhosts with custom web roots.

    Code:
    
    mkdir -p /home/nginx/domains/it.test.com/public/basic/web
    \cp -Raf /home/nginx/domains/it.test.com/public/* /home/nginx/domains/it.test.com/public/basic/web
    cp: cannot copy a directory, `/home/nginx/domains/it.test.com/public/basic', into itself, `/home/nginx/domains/it.test.com/public/basic/web/basic'
    
    This is the tree that it created. However, the root seems to be set correctly, as the cert was issued and the nginx default new page comes up when I visit it.


    Code:
    /home/nginx/domains/it.test.com/public/basic/web/basic/web
    -John
     
  2. eva2000

    eva2000 Administrator Staff Member

    55,223
    12,253
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,831
    Local Time:
    12:39 PM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    That's okay as the cp copy command can't copy a directory into itself. That's one scenario I hadn't thought of for custom webroot though, where it's within /public, as usually you would set it outside /public but within /home/nginx/domains/it.test.com/ as the ideal location i.e. /home/nginx/domains/it.test.com/basic/web
     
  3. jscott

    I take this back. I deleted the directories to make sure I could duplicate the error. Now my certs are gone, but acme.sh thinks everything is OK. I am getting the dreaded..

    Code:
    
    Your connection is not private
    
    Attackers might be trying to steal your information from imaginethatfun.registrationworx.com (for example, passwords, messages, or credit cards).
    
     
    NET::ERR_CERT_AUTHORITY_INVALID
    
    
    What do I need to do to get things put back together?

    Thanks
    -John
     
  4. jscott

    But it is still somehow creating a somewhat messed up directory path. It is duplicating the basic/web part. Sorry, I should have been more clear....

    It is creating..
    /home/nginx/domains/it.test.com/public/basic/web/basic/web

    but it should only be creating...
    /home/nginx/domains/it.test.com/public/basic/web

    -John
     
  5. eva2000

    Oh, that is because copying /public/* will copy /public/basic/web too; that is why, so it's normal for the custom webroot you specified. The nginx vhost web root is set as /home/nginx/domains/it.test.com/public/basic/web though, right?
     
  6. eva2000

    if it's a new site, just use the removal commands from the removal log listed in /root/centminlogs/
    list logs in ascending date order
    Code (Text):
    ls -lahrt /root/centminlogs/


    after removal, just try re-creating nginx vhost site again
     
  7. jscott

    OK, I have done this twice and it gives me the same problem each time.

    My site is coming up with the self-signed cert... :(

    Code:
    
    -----------------------------------------------------------
    issue & install letsencrypt ssl certificate for it.test.com
    -----------------------------------------------------------
    testcert value = lived
    /root/.acme.sh/acme.sh --issue -d it.test.com -w /home/nginx/domains/it.test.com/public/basic/web -k 2048 --useragent centminmod-centos6-acmesh-webroot --log /root/centminlogs/acmetool.sh-debug-log-230117-165702.log --log-level 2
    [Mon Jan 23 16:58:20 EST 2017] Domains not changed.
    [Mon Jan 23 16:58:20 EST 2017] Skip, Next renewal time is: Fri Mar 24 21:52:42 UTC 2017
    [Mon Jan 23 16:58:20 EST 2017] Add '--force' to force to renew.
    LECHECK = 2
    
    issue skipped as ssl cert still valid
    
    The log file says...
    Code:
    [Mon Jan 23 16:58:20 EST 2017] Lets find script dir.
    [Mon Jan 23 16:58:20 EST 2017] _SCRIPT_='/root/.acme.sh/acme.sh'
    [Mon Jan 23 16:58:20 EST 2017] _script='/root/.acme.sh/acme.sh'
    [Mon Jan 23 16:58:20 EST 2017] _script_home='/root/.acme.sh'
    [Mon Jan 23 16:58:20 EST 2017] Using config home:/root/.acme.sh
    [Mon Jan 23 16:58:20 EST 2017] 49:LOG_LEVEL='2'
    [Mon Jan 23 16:58:20 EST 2017] 16:USER_AGENT='centminmod-centos6-acmesh-webroot'
    [Mon Jan 23 16:58:20 EST 2017] LE_WORKING_DIR='/root/.acme.sh'
    [Mon Jan 23 16:58:20 EST 2017] Using api:
    [Mon Jan 23 16:58:20 EST 2017] Using config home:/root/.acme.sh
    [Mon Jan 23 16:58:20 EST 2017] DOMAIN_PATH='/root/.acme.sh/it.test.com'
    [Mon Jan 23 16:58:20 EST 2017] Le_NextRenewTime='1490305962'
    [Mon Jan 23 16:58:20 EST 2017] _saved_domain='it.test.com'
    [Mon Jan 23 16:58:20 EST 2017] _saved_alt='no'
    [Mon Jan 23 16:58:20 EST 2017] Domains not changed.
    [Mon Jan 23 16:58:20 EST 2017] Skip, Next renewal time is: Fri Mar 24 21:52:42 UTC 2017
    [Mon Jan 23 16:58:20 EST 2017] Add '--force' to force to renew.
    [
    
     
    Last edited: Jan 24, 2017
  8. eva2000

    Your nginx vhost contents for /usr/local/nginx/conf/conf.d/it.test.com.conf and /usr/local/nginx/conf/conf.d/it.test.com.ssl.conf? And for
    /usr/local/nginx/conf/staticfiles.conf?
    letsencrypt is also skipping renewal as you have a valid ssl cert, so instead of install use the reissue command

    one of these
    Code (Text):
    ./acmetool.sh webroot-reissue domainname /path/to/custom/webroot
    ./acmetool.sh webroot-reissue domainname /path/to/custom/webroot d
    ./acmetool.sh webroot-reissue domainname /path/to/custom/webroot live
    ./acmetool.sh webroot-reissue domainname /path/to/custom/webroot lived

    what is the exact command you are using?
     
  9. jscott


    Reissue did not work. Same thing....
    I am using ./acmetool.sh webroot-reissue it.test.com /home/nginx/domains/it.test.com/public/basic/web lived

    Staticfiles.conf
    Code:
    cat staticfiles.conf
        location ~* \.(3gp|gif|jpg|jpeg|png|ico|wmv|avi|asf|asx|mpg|mpeg|mp4|pls|mp3|mid|wav|swf|flv|exe|zip|tar|rar|gz|tgz|bz2|uha|7z|doc|docx|xls|xlsx|pdf|iso)$ {
            gzip_static off;
            #add_header Pragma public;
            add_header Cache-Control "public, must-revalidate, proxy-revalidate";
            access_log off;
            expires 30d;
            break;
            }
    
        location ~* \.(js)$ {
            #add_header Pragma public;
            add_header Cache-Control "public, must-revalidate, proxy-revalidate";
            access_log off;
            expires 30d;
            break;
            }
    
        location ~* \.(css)$ {
            #add_header Pragma public;
            add_header Cache-Control "public, must-revalidate, proxy-revalidate";
            access_log off;
            expires 30d;
            break;
            }
    
        location ~* \.(html|htm|txt)$ {
            #add_header Pragma public;
            add_header Cache-Control "public, must-revalidate, proxy-revalidate";
            access_log off;
            expires 1d;
            break;
            }
    
        location ~* \.(eot|svg|ttf|woff|woff2)$ {
            #add_header Pragma public;
            add_header Cache-Control "public, must-revalidate, proxy-revalidate";
            access_log off;
            expires 30d;
            break;
            }
        # prepare for letsencrypt
        # https://community.centminmod.com/posts/17774/
        location ~ ^/.well-known {
            location ~ ^/.well-known/acme-challenge/(.*) {
                    default_type text/plain;
                    charset off;
            }
        }
    
    
    Code:
    
    cat it.test.com.ssl.conf
    
    #x# HTTPS-DEFAULT
    server {
    
      server_name it.test.com www.it.test.com;
      return 302 https://$server_name$request_uri;
    }
    
    server {
      listen 443 ssl http2;
      server_name it.test.com www.it.test.com;
    
      include /usr/local/nginx/conf/ssl/it.test.com/it.test.com.crt.key.conf;
      include /usr/local/nginx/conf/ssl_include.conf;
    
      http2_max_field_size 16k;
      http2_max_header_size 32k;
      # mozilla recommended
      ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA256:EECDH+ECDSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+SHA384:EECDH+AES128:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!CAMELLIA;
      ssl_prefer_server_ciphers   on;
      #add_header Alternate-Protocol  443:npn-spdy/3;
    
      # before enabling HSTS line below read centminmod.com/nginx_domain_dns_setup.html#hsts
      #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
      #add_header X-Frame-Options SAMEORIGIN;
      #add_header X-Xss-Protection "1; mode=block" always;
      #add_header X-Content-Type-Options "nosniff" always;
      #spdy_headers_comp 5;
      ssl_buffer_size 1369;
      ssl_session_tickets on;
    
      # enable ocsp stapling
      resolver 8.8.8.8 8.8.4.4 valid=10m;
      resolver_timeout 10s;
      ssl_stapling on;
      ssl_stapling_verify on;
    
    # ngx_pagespeed & ngx_pagespeed handler
    #include /usr/local/nginx/conf/pagespeed.conf;
    #include /usr/local/nginx/conf/pagespeedhandler.conf;
    #include /usr/local/nginx/conf/pagespeedstatslog.conf;
    
      # limit_conn limit_per_ip 16;
      # ssi  on;
    
      access_log /home/nginx/domains/it.test.com/log/access.log combined buffer=256k flush=60m;
      error_log /home/nginx/domains/it.registratesttionworx.com/log/error.log;
    
      include /usr/local/nginx/conf/autoprotect/it.test.com/autoprotect-it.test.com.conf;
      root /home/nginx/domains/it.test.com/public/basic/web;
      # uncomment cloudflare.conf include if using cloudflare for
      # server and/or vhost site
      #include /usr/local/nginx/conf/cloudflare.conf;
      include /usr/local/nginx/conf/503include-main.conf;
    
      location / {
      include /usr/local/nginx/conf/503include-only.conf;
    
    # block common exploits, sql injections etc
    #include /usr/local/nginx/conf/block.conf;
    
      # Enables directory listings when index file not found
      #autoindex  on;
    
      # Shows file listing times as local time
      #autoindex_localtime on;
    
      # Enable for vBulletin usage WITHOUT vbSEO installed
      # More example Nginx vhost configurations at
      # http://centminmod.com/nginx_configure.html
      #try_files    $uri $uri/ /index.php;
    
      }
    
      include /usr/local/nginx/conf/staticfiles.conf;
      include /usr/local/nginx/conf/php.conf;
      include /usr/local/nginx/conf/drop.conf;
      #include /usr/local/nginx/conf/errorpage.conf;
      include /usr/local/nginx/conf/vts_server.conf;
    }
    
    
    
     
  10. jscott

    OK, I did a nprestart and it looks like everything is loading correctly....

    Could this be a caching problem somewhere?

    It is late here, so I will try again in about 10 hours from scratch to see if I can be sure what is going on.

    Thanks for your help on this!
    -John
     
  11. eva2000

    could be, or that it didn't restart... your staticfiles.conf doesn't look right either: centminmod/staticfiles.conf at 123.09beta01 · centminmod/centminmod · GitHub

    There are further steps you can do to troubleshoot failed letsencrypt issuances, renews, reissues etc.
    • acmetool.sh logs all command line or shell menu runs to log files at /root/centminlogs. To troubleshoot, copy the contents of the log run and post contents of log to pastebin.com or gist.github.com and share link in this thread. To find the log, list the logs in ascending date order.
      Code (Text):
      ls -lahrt /root/centminlogs
    • For direct acmetool.sh runs, there should be a 2nd & 3rd & 4th log in format /root/centminlogs/centminmod_${DT}_nginx_addvhost_nv.log and /root/centminlogs/acmetool.sh-debug-log-$DT.log and /root/centminlogs/acmesh-issue_*.log or /root/centminlogs/acmesh-reissue_*.log which would need to be included via separate pastebin.com or gist.github.com post.
    • Enable acmetool.sh debug mode. In persistent config file at /etc/centminmod/custom_config.inc (create it if doesn't exist) add and enable acmetool.sh debug mode which gives much more verbose letsencrypt issuance process information when you re-run acmetool.sh or centmin.sh menu options 2, 22 or /usr/bin/nv command lines.
      Code (Text):
      ACMEDEBUG='y'
     
  13. jscott

    Well, I did a wipe and restart this morning, and it looks like everything worked ok. It still generated the extra directories in the web root, but the root in the .conf file is correct, so I am not going to worry about that. And the https site came right up without me needing to do anything special.

    It looks like my staticfiles.conf is the file from .08. I updated from .08 to .09 and had to add the .well-known rule for letsencrypt to be able to validate. Maybe centmin.sh option 23 update to different branch did not update this file??

    I will have to revisit this later. I need to get my test site up for a meeting tomorrow.

    Thanks for your help.
    -John
     
  14. eva2000

    Good to know.. any reason you use /home/nginx/domains/it.test.com/public/basic/web as opposed to /home/nginx/domains/it.test.com/basic/web ?

    centmin.sh doesn't really touch staticfiles.conf on updates as folks may have custom edited theirs, so I don't want to mess it up. But I guess for the 123.08stable to 123.09beta01 update I should check at least :)
     
  15. Saumya Majumder

    Saumya Majumder Member

    60
    3
    8
    Mar 16, 2016
    Ratings:
    +12
    Local Time:
    8:09 AM
    1.9.12
    10.0.24
    Hey, is there any update on when this letsencrypt ssl is going to come out of beta? I wanna desperately use it on my live server as I cannot buy a multidomain ssl. I hope you understand. So, how much more time does it need before I can actually use it on my live server?
     
  17. jscott

    That's just the way the project was set up initially... Might look into changing it someday, but too much development going on now to worry about it.

    Now I know what is going on, and that it just causes some insignificant errors, I will make a note of it, and ignore.

    -John
     
  18. jscott

    I just had a Letsencrypt renew fail. It shows up as a .well-known response error.

    I might be doing some stuff that is breaking it.

    After I create my vhost and the LE config gets done, everything is working fine.

    Then when I go to install my app, I do a
    Code:
    rm -rf /home/nginx/domains/www.example.com/*
    
    This will wipe the .well-known stuff.

    Is the challenge stuff recreated just before the renew, or do I need to take care to save this when I wipe that directory?

    I think I could also do a
    Code:
    ./acmetool.sh webroot-reissue www.example.com /home/nginx/domains/www.example.com/public/basic/web lived
    
    to set the .well-known back up...

    -John
     
    Last edited: Feb 9, 2017
  19. eva2000

    it's created again on renew so shouldn't be an issue

    also double check if the problem wasn't at letsencrypt's end; look at their service status history https://letsencrypt.status.io/pages/history/55957a99e800baa4470002da

    i.e.
    this wipes the public directory, so are you recreating it as public/basic/web? Ensure you have the right file and directory user/group permissions for the nginx user. If you aren't recreating public/basic/web then yes, LE renew will fail as the nginx vhost has its directory root set to /home/nginx/domains/www.example.com/public/basic/web
     
  20. jscott

    I am recreating the directory structure the same.

    I have changed the permissions to 777 and run the renew again. I get...
    Code:
    [Wed Feb  8 21:00:40 EST 2017] error='"error":{"type":"urn:acme:error:unauthorized","detail":"Invalid response from http://www.example.com/.well-known/acme-challenge/3YNuS9GdQmyDURwxrgX73_vItJ2gKZSgaGXrX7misuo: '
    [Wed Feb  8 21:00:40 EST 2017] errordetail='Invalid response from http://www.example.com/.well-known/acme-challenge/3YNuS9GdQmyDURwxrgX73_vItJ2gKZSgaGXrX7misuo: '
    [Wed Feb  8 21:00:40 EST 2017] www.example.com:Verify error:Invalid response from http://www.example.com/.well-known/acme-challenge/3YNuS9GdQmyDURwxrgX73_vItJ2gKZSgaGXrX7misuo: 
    
    AH! Just looked at my nginx .conf file for that domain. Looks like I had a rogue
    Code:
      location ~* /\. {
          deny all;
      }
    
    
    In there before loading staticfiles.conf. It looks like it might have been blocking .well-known as the renew worked after that and a nprestart.

    Thanks.
    -John
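Why the rogue rule in the post above blocked the renewal, as an added example that is not from the thread or from Centmin Mod's own configs: nginx selects the first matching regex location in file order, so a dotfile deny declared before the .well-known location wins, while a ^~ prefix location for the challenge path is chosen before any regex location is consulted and so cannot be shadowed by include order. The server_name and webroot are the ones from the post; the rest of the server block is assumed.

```nginx
# Added example, not from the thread or from Centmin Mod.
#
# Weak form (what the post describes): two regex locations, and nginx takes
# the first regex that matches in configuration order. With the deny rule
# declared before staticfiles.conf is included, a request for
# /.well-known/acme-challenge/<token> matches /\. first and gets 403, so the
# ACME server reports "Invalid response from http://.../.well-known/acme-challenge/...".
#
#   location ~* /\. {
#       deny all;
#   }
#   location ~ ^/.well-known/acme-challenge/(.*) {
#       default_type text/plain;
#   }
#
# Hardened form below: a ^~ prefix location is selected before any regex
# location is checked, so the challenge path is served wherever the dotfile
# deny rule sits, and every other dotfile or dotdirectory stays denied.

server {
    listen 80;
    server_name www.example.com;                    # placeholder name from the post
    root /home/nginx/domains/www.example.com/public/basic/web;   # custom webroot from the post

    # ACME HTTP-01 challenge files written by acme.sh into
    # <webroot>/.well-known/acme-challenge/. ^~ stops the regex search,
    # so the deny rule below never sees these requests.
    location ^~ /.well-known/acme-challenge/ {
        default_type text/plain;
        try_files $uri =404;
    }

    # Deny everything else that begins with a dot (.git, .env, .htaccess, ...).
    # Ordering relative to the block above no longer matters.
    location ~* /\. {
        deny all;
        access_log off;
        log_not_found off;
    }

    location / {
        try_files $uri $uri/ =404;
    }
}
```

After a reload, a 404 (not a 403) for a made-up token under /.well-known/acme-challenge/ shows the exemption is in effect, since the path reaches try_files instead of the deny rule.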