
Letsencrypt Official acmetool.sh testing thread for Centmin Mod 123.09beta01

Discussion in 'Domains, DNS, Email & SSL Certificates' started by eva2000, Jul 26, 2016.

  1. ElChorizo

    Ran into a bug today. Followed the instructions for migrating a non-HTTPS host over to HTTPS with a Let's Encrypt certificate. The example config generated on this page, https://centminmod.com/vhost.php, includes the line that I had to comment out:

    include /usr/local/nginx/conf/ssl_include.conf;

    As in the example config, a lot of the SSL values are already included in the vhost config. Here is what it told me to use:

    Code:
    # Centmin Mod Getting Started Guide
    # must read http://centminmod.com/getstarted.html
    # For HTTP/2 SSL Setup
    # read http://centminmod.com/nginx_configure_https_ssl_spdy.html
    
    # redirect from www to non-www  forced SSL
    # uncomment, save file and restart Nginx to enable
    # if unsure use return 302 before using return 301
    # server {
    #   server_name xxx.com www.xxx.com;
    #    return 302 https://xxx.com$request_uri;
    # }
    
    server {
      listen 443 ssl http2;
      server_name xxx.com www.xxx.com;
    
      ssl_dhparam /usr/local/nginx/conf/ssl/xxx.com/dhparam.pem;
      ssl_certificate      /usr/local/nginx/conf/ssl/xxx.com/xxx.com-acme.cer;
      ssl_certificate_key  /usr/local/nginx/conf/ssl/xxx.com/xxx.com-acme.key;
      include /usr/local/nginx/conf/ssl_include.conf;
    
      http2_max_field_size 16k;
      http2_max_header_size 32k;
      http2_max_requests 5000;
      # dual cert supported ssl ciphers
      ssl_ciphers TLS13-AES-128-GCM-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS;
      ssl_prefer_server_ciphers   on;
      #add_header Alternate-Protocol  443:npn-spdy/3;
      #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
      #add_header X-Frame-Options SAMEORIGIN;
      #add_header X-Xss-Protection "1; mode=block" always;
      #add_header X-Content-Type-Options "nosniff" always;
      #spdy_headers_comp 5;
      ssl_buffer_size 1369;
      ssl_session_tickets on;
     
      # enable ocsp stapling
      #resolver 8.8.8.8 8.8.4.4 valid=10m;
      #resolver_timeout 10s;
      #ssl_stapling on;
      #ssl_stapling_verify on;
      #ssl_trusted_certificate /usr/local/nginx/conf/ssl/xxx.com/xxx.com-trusted.crt; 
    
    # ngx_pagespeed & ngx_pagespeed handler
    #include /usr/local/nginx/conf/pagespeed.conf;
    #include /usr/local/nginx/conf/pagespeedhandler.conf;
    #include /usr/local/nginx/conf/pagespeedstatslog.conf;
    
      # limit_conn limit_per_ip 16;
      # ssi  on;
    
      access_log /home/nginx/domains/xxx.com/log/access.log combined buffer=256k flush=5m;
      error_log /home/nginx/domains/xxx.com/log/error.log;
    
      root /home/nginx/domains/xxx.com/public;
    
    location / {
         index index.php index.html index.htm;
         try_files $uri $uri/ /index.php?$uri&$args;
    }
    
    location /admin.php {
         auth_basic "Private";
         auth_basic_user_file /usr/local/nginx/conf/htpasswd_admin_php;
            include /usr/local/nginx/conf/php.conf;
            allow 127.0.0.1;
            #allow YOURIPADDRESS;
            deny all;
    }
    
    location /install/data/ {
         internal;
    }
    
    location /install/templates/ {
         internal;
    }
    
    location /internal_data/ {
         internal;
    }
    
    location /library/ {
         internal;
    } 
    
    # xenforo 2 uncomment / remove hash from next 3 lines
    #location /src/ {
    #     internal;
    #}
    
      include /usr/local/nginx/conf/php.conf;
      include /usr/local/nginx/conf/staticfiles.conf;
      #include /usr/local/nginx/conf/drop.conf;
      #include /usr/local/nginx/conf/errorpage.conf;
      include /usr/local/nginx/conf/vts_server.conf;
    }


     
  2. eva2000

    Cheers, yes, the latest SSL vhost config differs from the vhost.php generated one and needs an update :)
     
  3. Mr. Jinx

    I am creating multiple vhosts using 'acmetool.sh issue testdomain.com lived'.
    I noticed that by default it creates a vhost config with 'reuseport':
    Code:
    server {
      listen 443 ssl http2 reuseport;
      server_name testdomain.com www.testdomain.com;
    
    But then nginx fails to start with this error:
    Code:
    Starting nginx: nginx: [emerg] duplicate listen options for 0.0.0.0:443 in /usr/local/nginx/conf/conf.d/virtual.conf:9
    
    The same happens when I create vhosts using centmin.sh > menu 2 (self-signed or Let's Encrypt).

    By removing 'reuseport' everything works fine.
    But I am a bit confused if this is supposed to work like this?
     
  4. eva2000

    No, it shouldn't. centmin.sh menu options 2, 22, nv and acmetool.sh have a check to ensure reuseport is only added once per IP:port 443 pairing, unless you have manual nginx vhosts set up with reuseport that the checks don't see.

    What's the output for the following commands?
    Code (Text):
    grep -rn listen /usr/local/nginx/conf/conf.d/*.conf | grep -v '#' | grep 443 | grep ' ssl' | grep ' http2' | grep reuseport

    and
    Code (Text):
    grep -rn listen /usr/local/nginx/conf/conf.d/*.conf | grep -v '#' | grep 443 | grep reuseport

    Both outputs should show only one reuseport instance; the 1st command is the check and the 2nd command checks for instances not picked up by my check.
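    The grep pipeline above only tells you whether any reuseport exists; the script below is an added example (not Centmin Mod's own check) that counts reuseport listen directives per address:port across a conf.d directory, so a second reuseport on the same pair (the condition nginx rejects with "duplicate listen options") is reported before a restart. The sample conf.d it builds is constructed to mirror this thread.

```shell
#!/bin/sh
# Added example, not Centmin Mod's own check: count reuseport listen
# directives per address:port across an nginx conf.d directory, so a second
# reuseport on the same pair (which nginx rejects with "duplicate listen
# options") is caught before a restart.

# Print "address:port count" for each listen address that carries reuseport.
reuseport_counts() {
  cat "$1"/*.conf 2>/dev/null | awk '
    /^[[:space:]]*#/ { next }                 # skip commented-out lines, as grep -v "#" does
    $1 == "listen" && /reuseport/ {
      addr = $2
      if (addr !~ /:/) addr = "*:" addr       # bare port means all IPv4 addresses (0.0.0.0)
      n[addr]++
    }
    END { for (a in n) print a, n[a] }'
}

# Exit 0 when every address:port has at most one reuseport, 1 otherwise.
check_reuseport() {
  reuseport_counts "$1" | awk '
    $2 > 1 { dup = 1; print "duplicate reuseport on " $1 " (" $2 " listeners)" }
    END { if (dup) exit 1 }'
}

# Constructed sample conf.d reproducing the thread: virtual.conf with reuseport
# on both the IPv4 and IPv6 listener, plus a new vhost that added reuseport again.
make_sample_confdir() {
  d=$(mktemp -d)
  cat > "$d/virtual.conf" <<'EOF'
server {
  listen 443 ssl http2 default_server backlog=4095 reuseport;
  listen [::]:443 ssl http2 default_server backlog=4095 reuseport ipv6only=on;
  server_name _;
}
EOF
  cat > "$d/testdomain.com.ssl.conf" <<'EOF'
server {
  listen 443 ssl http2 reuseport;
  # listen 443 ssl http2 reuseport;   (commented copy must not be counted)
  server_name testdomain.com www.testdomain.com;
}
EOF
  echo "$d"
}

# Usage: sh check_reuseport.sh /usr/local/nginx/conf/conf.d
if [ "$#" -gt 0 ]; then check_reuseport "$1"; fi
```

On the constructed sample the check reports `*:443` twice, which is exactly the `0.0.0.0:443` duplicate nginx complained about, while `[::]:443` with ipv6only=on counts as its own pair.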
     
  5. Mr. Jinx

    That is interesting.
    Both commands give the same result:
    Code:
    /usr/local/nginx/conf/conf.d/virtual.conf:9:  listen 443 ssl http2 default_server backlog=4095 reuseport;
    /usr/local/nginx/conf/conf.d/virtual.conf:10:  listen [::]:443 ssl http2 default_server backlog=4095 reuseport;
     
  6. eva2000

    Ah, usually by default there is 1 reuseport in virtual.conf for the IPv4 listener, so the IPv6 one you added yourself? But it shouldn't impact the reuseport check; it would have still checked and seen that reuseport is already in use, so it would not add it on new Nginx vhosts.

    Do you use a secondary IP for new Nginx vhosts?

    Try modifying the IPv6 listener as per official Centmin Mod FAQ item 34:
    Code (Text):
    listen 443 ssl http2 default_server backlog=4095 reuseport;
    listen [::]:443 ssl http2 default_server backlog=4095 reuseport ipv6only=on;
    

    or
    Code (Text):
    listen 443 ssl http2 default_server backlog=4095 reuseport;
    listen [::]:443 ssl http2 default_server backlog=4095 ipv6only=on;
    
     
  7. Mr. Jinx

    Yep, I added IPv6 myself, as well as Let's Encrypt on the hostname.
    I thought that I could use 'reuseport' for ipv4 and ipv6, because those are different IP:PORT combinations.

    Anyway, if I use your second example, the vhost creation goes well. Thanks!
     
  8. eva2000

    that's because [::]:443 means both IPv4 and IPv6 unless you add ipv6only=on :)
     
  9. Mr. Jinx

    I tried that also! So your first example also works:
    Code:
    listen 443 ssl http2 default_server backlog=4095 reuseport;
    listen [::]:443 ssl http2 default_server backlog=4095 reuseport ipv6only=on;
    
    ...but then the creation of new vhosts fails, because the script tries to add 'reuseport' for the newly created vhost.
    Probably because it detects more than one reuseport and fails that check.
     
  10. eva2000

    The check only checks to see if anything is returned; 1 or more outputs = reuseport detected, so it doesn't matter if it's only 1. So it shouldn't fail. Strange.
     
  11. ElChorizo

    Does this have a cron job to automatically request new certs at certain intervals or do we need to remind ourselves to update every 60 days?

    edit: I just read that it does.
     
    Last edited: May 24, 2021
  12. eva2000

    Centmin Mod installs the acme.sh client, which is used in the addon/acmetool.sh wrapper. When acme.sh is installed, it auto-installs a cronjob to auto-renew Letsencrypt SSL certificates :)

    The cronjob listing filtered by the acme keyword reveals the acme.sh auto renewal cronjob:
    Code (Text):
    crontab -l | grep acme
    7 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null
    
     
  13. eva2000

    In light of the Letsencrypt DST Root CA X3 certificate expiration on September 30, 2021, two updates to addons/acmetool.sh were made:
    1. acmetool.sh 1.0.76 - update addons/acmetool.sh to 1.0.76 to support configuring the preferred SSL certificate chain for Letsencrypt SSL certificates to switch from default DST Root CA X3 certificate chain to newer ISRG X1 certificate chain https://community.centminmod.com/th...workaround-on-centos-7-x-openssl-1-0-2.21965/
    2. acmetool.sh 1.0.77 - prep for addons/acmetool.sh buypass CA SSL provider support
     
  14. eva2000

  15. eva2000

    acmetool.sh 1.0.87 for 130.00beta01 updates the checkdates function with additional info to display which Letsencrypt domain validation method was used, by inspecting the Le_Webroot variable in acme.sh config files like /root/.acme.sh/yourdomain.com/yourdomain.com.conf for either the value dns_cf (Cloudflare DNS API validation) or the full path to the Nginx domain's vhost public web root, like /home/nginx/domains/yourdomain.com/public.

    see https://community.centminmod.com/th...ol-sh-checkdate-option-in-130-00beta01.23544/
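    As an added example of the Le_Webroot inspection described above (not acmetool.sh's own checkdates code), the script below reads a domain's acme.sh config and reports the validation method; it assumes the /root/.acme.sh/DOMAIN/DOMAIN.conf layout named in the thread with values stored as single-quoted assignments like Le_Webroot='dns_cf', and it generalizes from dns_cf to any dns_* acme.sh DNS API provider name.

```shell
#!/bin/sh
# Added example, not acmetool.sh's checkdates code: report which validation
# method acme.sh used for a domain by reading Le_Webroot from its config file.
# Assumes the acme.sh layout named in the thread, /root/.acme.sh/DOMAIN/DOMAIN.conf,
# storing values as single-quoted shell assignments such as Le_Webroot='dns_cf'.

# Print the Le_Webroot value with quotes stripped, or nothing when it is absent.
le_webroot() {
  sed -n "s/^Le_Webroot='\([^']*\)'.*/\1/p" "$1" | head -n 1
}

# Map the value to a readable validation method. The thread names dns_cf and a
# webroot path; this generalizes to any dns_* acme.sh DNS API provider name.
validation_method() {
  v=$(le_webroot "$1")
  case "$v" in
    "")     echo "unknown (no Le_Webroot in $1)" ;;
    dns_cf) echo "Cloudflare DNS API validation" ;;
    dns_*)  echo "DNS API validation via provider ${v#dns_}" ;;
    /*)     echo "webroot validation via $v" ;;
    *)      echo "unrecognized Le_Webroot value: $v" ;;
  esac
}

# Constructed stand-in for DOMAIN/DOMAIN.conf: make_sample_conf DOMAIN WEBROOT
make_sample_conf() {
  f=$(mktemp)
  printf "Le_Domain='%s'\nLe_Webroot='%s'\n" "$1" "$2" > "$f"
  echo "$f"
}

# Usage: sh acme_validation.sh /root/.acme.sh/*/*.conf
for conf in "$@"; do
  echo "$conf: $(validation_method "$conf")"
done
```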