Letsencrypt Official acmetool.sh testing thread for Centmin Mod 123.09beta01

Discussion in 'Domains, DNS, Email & SSL Certificates' started by eva2000, Jul 26, 2016.

  1. elargento

    I don't understand when I have to run this command.
    Just to make sure: first I have to install acme.sh and then issue a cert following the acme.sh instructions? So when should I run the ./acmetool.sh acmeinstall command?
    I also don't have any file at /etc/centminmod/custom_config.inc, should I create it? Once I add that line, debug mode will be enabled, but I already have option 22 in the centmin menu... so what will be the difference?
     
  2. eva2000

    yes, that command installs the underlying acme.sh client the first time

    yes, you need to create it yourself

    centmin.sh menu options 2 and 22 don't see acmetool.sh and don't prompt for letsencrypt related questions unless LETSENCRYPT_DETECT='y' is set in /etc/centminmod/custom_config.inc
     
  3. elargento

    Seems a big warning, is it still risky to install Letsencrypt this way on a live site?
     
  4. eva2000

    that relates to direct tools/acmetool.sh usage, as there are many other combinations to test, but it's ok if you follow the 1st post's 2 official guides, which have limited, known good combinations
     
  5. elargento

    I didn't do steps 1 and 2: Migrating Existing Nginx Vhost From HTTP to HTTP/2 based HTTPS With Letsencrypt SSL Certificates
    just LETSENCRYPT_DETECT='y' and ./acmetool.sh acme-menu, and I successfully installed the Letsencrypt certificate and forced a redirect because I had previously run centmin and option 2, so the vhost was already created. Why

    Do I have to set a cron job to autorenew the certificate or will acmetool do it automatically?
     
  6. eva2000

    yeah, that's a risky process as acmetool.sh is written to work on existing nginx vhosts like you tested, just some folks' existing nginx vhosts get messed up a bit in the process, hence the need for more beta testing and feedback by users on 'test servers', so until then LETSENCRYPT_DETECT='n' is the default

    the acmetool.sh acmeinstall command will take care of the acme.sh cronjob; you can see it in the cronjobs listed via the command
    Code (Text):
    crontab -l
    
     
  7. jair

    I am having some trouble renewing the SSL certificate. I managed to track it down to the fact that I changed my webroot folder. Initially it was in:

    Code:
    /home/nginx/domains/mydomain/public
    But I changed it to

    Code:
    /home/nginx/domains/mydomain/public/new
    I did the change manually in the vhost file and thought this was enough. Anyway, now my cert has expired and I am not able to renew, probably because letsencrypt can't access the initial webroot location. Here is the relevant part from the log file:

    Code:
    -----------------------------------------------------------
    reissue & install letsencrypt ssl certificate for devtest.magelanci.com
    -----------------------------------------------------------
    /root/.acme.sh/acme.sh --force --createDomainKey -d devtest.magelanci.com -k 2048 --useragent centminmod-centos7-acmesh-webroot
    [Fri Apr 21 18:17:27 UTC 2017] Creating domain key
    testcert value = lived
    /root/.acme.sh/acme.sh --force --issue -d devtest.magelanci.com -w /home/nginx/domains/devtest.magelanci.com/public -k 2048 --useragent centminmod-centos7-acmesh-webroot --log /root/centminlogs/acmetool.sh-debug-log-210417-181719.log --log-level 2
    [Fri Apr 21 18:17:28 UTC 2017] Single domain='devtest.magelanci.com'
    [Fri Apr 21 18:17:28 UTC 2017] Getting domain auth token for each domain
    [Fri Apr 21 18:17:28 UTC 2017] Getting webroot for domain='devtest.magelanci.com'
    [Fri Apr 21 18:17:28 UTC 2017] Getting new-authz for domain='devtest.magelanci.com'
    [Fri Apr 21 18:17:33 UTC 2017] The new-authz request is ok.
    [Fri Apr 21 18:17:33 UTC 2017] Verifying:devtest.magelanci.com
    [Fri Apr 21 18:17:38 UTC 2017] devtest.magelanci.com:Verify error:Invalid response from http://devtest.magelanci.com/.well-known/acme-challenge/_kcULzWLUCdHhdnVXwj6yNvh-2yGSXI3yufXU046shc:
    [Fri Apr 21 18:17:38 UTC 2017] Please check log file for more details: /root/centminlogs/acmetool.sh-debug-log-210417-181719.log
    LECHECK = 1
    
    I guess I probably deleted the .well-known folder at some point, arghhh. Is there any way I can completely remove this certificate and start from scratch without messing up my vhost conf file?
     
  8. eva2000

    yes, you broke .well-known support by changing the webroot folder location, as the underlying acme.sh client dynamically generates a hash-coded .well-known file on demand to verify your domain and places it in the webroot/.well-known/ directory, so if you change the web root directory, the /.well-known directory location changes too.

    you can manually modify the config file acme.sh uses to determine your web root; it would be /root/.acme.sh/yourdomain.com/yourdomain.com.conf, the Le_Webroot variable, where your new webroot is at /home/nginx/domains/domain.com/new
    Code (Text):
    Le_Webroot='/home/nginx/domains/domain.com/new'
    

    then manually renew by manually running the acme.sh cronjob command
    Code (Text):
    "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh"
    
     
    Last edited: Apr 22, 2017 at 5:34 AM
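The webroot drift discussed in posts 7 and 8 (the nginx root moved by hand while acme.sh keeps writing challenge files under its recorded Le_Webroot) can be caught before a renewal fails. The following is an added example, not acme.sh's or Centmin Mod's code, run against constructed sample files; it assumes a single, path-valued Le_Webroot and skips the non-path values acme.sh uses for its standalone and DNS modes.

```python
import re
from pathlib import PurePosixPath

# Constructed sample files modelled on the thread's situation (not the poster's
# real files): acme.sh still records the original webroot while the nginx vhost
# root was moved to public/new by hand.
ACME_CONF = """Le_Domain='example.test'
Le_Alt='no'
Le_Webroot='/home/nginx/domains/example.test/public'
Le_Keylength='2048'
"""
VHOST_CONF = """server {
  listen 443 ssl http2;
  server_name example.test www.example.test;
  root /home/nginx/domains/example.test/public/new/;
  location / { try_files $uri $uri/ /index.php; }
}
"""

def acme_webroot(conf_text):
    """Le_Webroot as recorded by acme.sh, or None if the variable is absent."""
    m = re.search(r"^Le_Webroot=['\"]?([^'\"\n]+)['\"]?\s*$", conf_text, re.MULTILINE)
    return m.group(1) if m else None

def nginx_roots(vhost_text):
    """Every `root` directive in the vhost text (a server block may set several)."""
    return re.findall(r"^\s*root\s+([^;]+);", vhost_text, re.MULTILINE)

def normalise(path):
    # PurePosixPath drops trailing and doubled slashes so /a/b/ compares equal to /a/b
    return str(PurePosixPath(path.strip()))

def webroot_mismatch(conf_text, vhost_text):
    """nginx roots that the recorded Le_Webroot does not match; [] means consistent.

    Values that are not absolute paths (acme.sh standalone/DNS modes such as
    'no' or 'dns_cf') are not webroots at all and are skipped.
    """
    le = acme_webroot(conf_text)
    if le is None:
        return ["Le_Webroot missing"]
    if not le.startswith("/"):
        return []
    return [r for r in nginx_roots(vhost_text) if normalise(r) != normalise(le)]
```

A non-empty result means the CA will be told to fetch the challenge from a directory nginx no longer serves, which is the "Invalid response from .../.well-known/acme-challenge/..." failure in the log above.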
  9. jair

    My Le_Webroot already points to /new. Maybe I issued the certificate after I made the change, can't remember right now.

    Code:
    [Fri Apr 21 19:54:27 UTC 2017] ===Starting cron===
    [Fri Apr 21 19:54:27 UTC 2017] Renew: 'mydomain'
    [Fri Apr 21 19:54:28 UTC 2017] Single domain='mydomain'
    [Fri Apr 21 19:54:28 UTC 2017] Getting domain auth token for each domain
    [Fri Apr 21 19:54:28 UTC 2017] Getting webroot for domain='mydomain'
    [Fri Apr 21 19:54:28 UTC 2017] Getting new-authz for domain='mydomain'
    [Fri Apr 21 19:54:32 UTC 2017] The new-authz request is ok.
    [Fri Apr 21 19:54:33 UTC 2017] Verifying:mydomain
    [Fri Apr 21 19:54:38 UTC 2017] mydomain:Verify error:Invalid response from http://mydomain/.well-known/acme-challenge/9ObV3Yi9Y21RmG0bOyCvGohTfT3rksu-t54L2SLae34:
    [Fri Apr 21 19:54:38 UTC 2017] Please check log file for more details: /root/centminlogs/acmetool.sh-debug-log-210417-182003.log
    [Fri Apr 21 19:54:40 UTC 2017] Error renew mydomain.
    [Fri Apr 21 19:54:40 UTC 2017] ===End cron===
    
    where mydomain is the domain name I am trying to issue a certificate for. Could it be related to the fact that LE looks at http?
     
  10. eva2000

  11. jair

    Here, the domain name is included, I guess there is no reason to hide it:

    Code:
    #x# HTTPS-DEFAULT
    server {
    
      server_name devtest.magelanci.com www.devtest.magelanci.com;
      return 302 https://$server_name$request_uri;
    }
    
    server {
      listen 443 ssl http2;
      server_name devtest.magelanci.com www.devtest.magelanci.com;
    
      include /usr/local/nginx/conf/ssl/devtest.magelanci.com/devtest.magelanci.com.crt.key.conf;
      include /usr/local/nginx/conf/ssl_include.conf;
    
      http2_max_field_size 16k;
      http2_max_header_size 32k;
      # mozilla recommended
      ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA256:EECDH+ECDSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+SHA384:EECDH+AES128:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!CAMELLIA;
      ssl_prefer_server_ciphers   on;
      #add_header Alternate-Protocol  443:npn-spdy/3;
    
      # before enabling HSTS line below read centminmod.com/nginx_domain_dns_setup.html#hsts
      #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
      #add_header X-Frame-Options SAMEORIGIN;
      #add_header X-Xss-Protection "1; mode=block" always;
      #add_header X-Content-Type-Options "nosniff" always;
      #spdy_headers_comp 5;
      ssl_buffer_size 1369;
      ssl_session_tickets on;
    
      # enable ocsp stapling
      resolver 8.8.8.8 8.8.4.4 valid=10m;
      resolver_timeout 10s;
      ssl_stapling on;
      ssl_stapling_verify on;
    
    # ngx_pagespeed & ngx_pagespeed handler
    #include /usr/local/nginx/conf/pagespeed.conf;
    #include /usr/local/nginx/conf/pagespeedhandler.conf;
    #include /usr/local/nginx/conf/pagespeedstatslog.conf;
    
      # limit_conn limit_per_ip 16;
      # ssi  on;
    
      access_log /home/nginx/domains/devtest.magelanci.com/log/access.log main_ext buffer=256k flush=60m;
      error_log /home/nginx/domains/devtest.magelanci.com/log/error.log;
    
      include /usr/local/nginx/conf/autoprotect/devtest.magelanci.com/autoprotect-devtest.magelanci.com.conf;
      root /home/nginx/domains/devtest.magelanci.com/public/new/;
      # uncomment cloudflare.conf include if using cloudflare for
      # server and/or vhost site
      #include /usr/local/nginx/conf/cloudflare.conf;
      include /usr/local/nginx/conf/503include-main.conf;
    
    
     # Prevent access to ./directories and files
        location ~ (?:^|/)\. {
            deny all;
        }
    
    
      location / {
      include /usr/local/nginx/conf/503include-only.conf;
    
    # block common exploits, sql injections etc
    #include /usr/local/nginx/conf/block.conf;
    
      # Enables directory listings when index file not found
      #autoindex  on;
    
      # Shows file listing times as local time
      #autoindex_localtime on;
    
      # Enable for vBulletin usage WITHOUT vbSEO installed
      # More example Nginx vhost configurations at
      # http://centminmod.com/nginx_configure.html
      try_files    $uri $uri/ /index.php;
    
      }
    
    
    # IP.Board PHP/CGI Protection
    
        # Allow Access to Interface Files
        # Add Your Specific Application to the List if you Add New Applications
    #    location ~ ^/applications/(calendar|tutorials|cms|core|forums|gallery|nexus|rules|videos|)/interface/.*\.(?:php\d*|phtml)$ {
    #        allow all;
     #       include /usr/local/nginx/conf/php.conf;
      #  }
    
        # Block Access to PHP / PHTML Files
        location ~ ^/(uploads|datastore|system|plugins)/.*\.(?:php\d*|phtml)$ {
            allow 127.0.0.1;
            deny all;
        }
    
        # Block Access to Application PHP / PHTML Files
        # Add Your Specific Application to the List if you Add New Applications
    #    location ~ ^/applications/(calendar|tutorials|cms|core|forums|gallery|nexus|rules|videos|)/.*\.(?:php\d*|phtml)$ {
     #       allow 127.0.0.1;
      #      deny all;
       # }
    
    
    
    
      include /usr/local/nginx/conf/staticfiles.conf;
      include /usr/local/nginx/conf/php.conf;
      include /usr/local/nginx/conf/drop.conf;
      #include /usr/local/nginx/conf/errorpage.conf;
      include /usr/local/nginx/conf/vts_server.conf;
    
     
  12. eva2000

    remove this part
    Code (Text):
     # Prevent access to ./directories and files
       location ~ (?:^|/)\. {
           deny all;
       }
    

    it's blocking /.well-known directory access
     
  13. jair

    Thanks, that did it! Is it relatively safe to leave this option out though? I see that I don't have other /. folders in my webroot, so I guess it is ok to leave it without this protection.
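The regex removed in post 12 denies every path component that starts with a dot, which is exactly where ACME HTTP-01 places its challenge files; the alternative to dropping the rule (the question in post 13) is a `^~` prefix location for /.well-known/acme-challenge/, which nginx selects before any regex location is consulted, so other dotfiles stay denied. The following is an added example, not from the thread or Centmin Mod, that models nginx's location selection over a constructed rule set and constructed request paths to show both the denial and the carve-out.

```python
import re

# Constructed model of the vhost's location blocks: (modifier, pattern, verdict).
# nginx remembers the longest matching prefix location; if it carries "^~" the
# regex locations are skipped, otherwise the first matching regex location wins
# and the remembered prefix is the fallback.
DOTFILE_DENY = ("~", r"(?:^|/)\.", "deny")  # location ~ (?:^|/)\. { deny all; }
PHP_DENY = ("~", r"^/(uploads|datastore|system|plugins)/.*\.(?:php\d*|phtml)$", "deny")
ROOT = ("", "/", "allow")                   # location / { try_files ...; }
# Hypothetical carve-out: location ^~ /.well-known/acme-challenge/ { allow all; }
ACME_ALLOW = ("^~", "/.well-known/acme-challenge/", "allow")

THREAD_VHOST = [DOTFILE_DENY, PHP_DENY, ROOT]              # as posted in post 11
FIXED_VHOST = [ACME_ALLOW, DOTFILE_DENY, PHP_DENY, ROOT]   # deny kept, challenge path carved out

def resolve(path, rules):
    """Verdict of the location nginx would select for `path` under `rules`."""
    prefixes = [r for r in rules if r[0] in ("", "^~") and path.startswith(r[1])]
    best = max(prefixes, key=lambda r: len(r[1]), default=None)
    if best is not None and best[0] == "^~":
        return best[2]                      # ^~ short-circuits regex matching
    for mod, pat, verdict in rules:
        if mod == "~" and re.search(pat, path):
            return verdict                  # first regex match wins
    return best[2] if best else "deny"      # fall back to the longest prefix

def verdicts(rules):
    """Verdicts for a constructed ACME challenge path and a few dotfile/PHP paths."""
    paths = ["/.well-known/acme-challenge/constructed-token",
             "/.git/config", "/uploads/shell.php", "/index.php"]
    return {p: resolve(p, rules) for p in paths}
```

Because `^~` is a prefix match, its position in the server block relative to the regex locations does not matter, unlike removing the deny rule outright.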