Discover Centmin Mod today
Register Now

Letsencrypt Official acmetool.sh testing thread for Centmin Mod 123.09beta01

Discussion in 'Domains, DNS, Email & SSL Certificates' started by eva2000, Jul 26, 2016.

  1. JarylW

    JarylW Active Member

    213
    39
    28
    Jun 19, 2014
    Singapore
    Ratings:
    +99
    Local Time:
    7:53 AM
    Strange. I fired up a new linode centos 7 specially to test this - and this is what came up.
     
    • Informative Informative x 1
  2. eva2000

    eva2000 Administrator Staff Member

    30,563
    6,851
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,268
    Local Time:
    9:53 AM
    Nginx 1.13.x
    MariaDB 5.5
  3. JarylW

    JarylW Active Member

    213
    39
    28
    Jun 19, 2014
    Singapore
    Ratings:
    +99
    Local Time:
    7:53 AM
    • Like Like x 1
  4. eva2000

    eva2000 Administrator Staff Member

    30,563
    6,851
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,268
    Local Time:
    9:53 AM
    Nginx 1.13.x
    MariaDB 5.5
    cheers thanks for bug report and testing .. more folks testing and reporting bugs = faster acmetool.sh becomes stable = faster 123.09 becomes stable :D
     
  5. apidevlab

    apidevlab Member

    88
    30
    18
    Mar 22, 2016
    /dev/null
    Ratings:
    +54
    Local Time:
    11:53 PM
    1.11.1
    5.2.14-122
    Howdy, excellent thread. I only started testing last night and used 2 methods to test.

    VPS Spec:
    • 0.5 Core
    • 512 RAM
    • 123.09beta01
    • acmetool.sh v 0.4
    • acme.sh v 2.4.1

    The 1st was (is) related to your reply quoted above but I want to clarify.

    I setup centminmod beta 09 which uses fqdn.domain.com (mainhostname) which as you state above serves via the default main hostname webroot this domain is therefore NOT a valid domain for the purposes of achmetool ?

    Code (Text):
    if [[ "$vhost_domain" = "$MAIN_HOSTNAME" ]]; then
      # check if vhost domain name is the registered main server hostname first
      # create main vhost's ssl vhost config file
      sslvhostsetup_mainhostname "$vhost_domain"
    


    Unless I specifically setup fqdn.domain.com < mainhostname

    I used the centmin menu option 2 method for acme-test-01.domain.com which generates a self signed cert ONLY (even if you request a LE option)

    Code (Text):
    /usr/local/nginx/html


    Code (Text):
    Current vhost listing at: /usr/local/nginx/conf/conf.d/
    
    Aug 17  19:31   1.1K   demodomain.com.conf
    Aug 17  19:31   1.7K   virtual.conf
    Aug 17  19:31   845    ssl.conf
    


    As I understand it, achmetool looks for (mainhostname) a valid DNS and REAL domain setup eg:

    Code (Text):
    /home/nginx/domains/fqdn.domain.com


    If this is the case would it be useful to include a small notice? To make it clear you have to have a REAL and VALID (mainhostname) domain setup otherwise achmetool (via centmin menu 2) will not run (silently fail) (I never setup a domain on the MAIN host)

    Anyway I then ran acme-menu option 2 and it worked like a charm :) very well done, it's an excellent addition to centminmod.

    Code (Text):
    -----------------------------------------------------------
    issue & install letsencrypt ssl certificate for acme-test-01.xxxxx.com
    -----------------------------------------------------------
    /root/.acme.sh/acme.sh --staging --issue -d acme-test-01.xxxxx.com -w /home/nginx/domains/acme-test-01.xxxxx.com/public -k 2048 --useragent centminmod-centos6-acmesh-webroot
    [Sat Aug 20 12:00:27 UTC 2016] Using stage api:https://acme-staging.api.letsencrypt.org
    [Sat Aug 20 12:00:27 UTC 2016] Creating account key
    [Sat Aug 20 12:00:27 UTC 2016] Use length 2048
    [Sat Aug 20 12:00:27 UTC 2016] Using RSA: 2048
    [Sat Aug 20 12:00:29 UTC 2016] Registering account
    [Sat Aug 20 12:00:32 UTC 2016] Registered
    [Sat Aug 20 12:00:32 UTC 2016] Creating domain key
    [Sat Aug 20 12:00:32 UTC 2016] Use length 2048
    [Sat Aug 20 12:00:32 UTC 2016] Using RSA: 2048
    [Sat Aug 20 12:00:32 UTC 2016] Single domain='acme-test-01.xxxxx.com'
    [Sat Aug 20 12:00:32 UTC 2016] Verify each domain
    [Sat Aug 20 12:00:32 UTC 2016] Getting webroot for domain='acme-test-01.xxxxx.com'
    [Sat Aug 20 12:00:32 UTC 2016] Getting token for domain='acme-test-01.xxxxx.com'
    [Sat Aug 20 12:00:35 UTC 2016] Verifying:acme-test-01.xxxxx.com
    [Sat Aug 20 12:00:43 UTC 2016] Success
    [Sat Aug 20 12:00:43 UTC 2016] Verify finished, start to sign.
    [Sat Aug 20 12:00:46 UTC 2016] Cert success.


    I will have lots more testing over the coming days to help get it ready for release. To that end would it be of any use to share successful logs?

    Can you confirm the email passed to LE (stage / live) is the one as set:

    Code (Text):
    /etc/centminmod/email-primary.ini
    
     
    Last edited: Aug 21, 2016
  6. JarylW

    JarylW Active Member

    213
    39
    28
    Jun 19, 2014
    Singapore
    Ratings:
    +99
    Local Time:
    7:53 AM
    Earlier what I did was reissue cert and it worked fine when calling acemetool.sh manually after I made said fix. However, from menu #22,

    Code:
    Create a self-signed SSL certificate Nginx vhost? [y/n]: n
    Get Letsencrypt SSL certificate Nginx vhost? [y/n]: y
    
    You have 4 options: 
    1. issue staging test cert with HTTP + HTTPS
    2. issue staging test cert with HTTPS default
    3. issue live cert with HTTP + HTTPS
    4. issue live cert with HTTPS default
    Enter option number 1-4: 1
    This option seemed to generate a self signed SSL and no calling of lesencrypt whatsoever..

    [Bash] -------------------------------------------------------- Enter option [ 1 - 24 - Pastebin.com
     
  7. jscott

    jscott Member

    94
    14
    8
    Aug 13, 2015
    Ratings:
    +31
    Local Time:
    6:53 PM
    Ok, I have been testing the custom webroot functions and it looks like it is working ok.

    I created a fresh test server, installed centmin and updated everything.

    pointed test domain DNS entries to the test server.

    then ran
    Code (Text):
    ./acmetool.sh webroot-issue test1.example.com /home/nginx/domains/test1.example.com/public/basic/web
    


    And everything worked fine with the expected invalid LE CERT.
    Then ran

    Code (Text):
    ./acmetool.sh webroot-issue test2.example.com /home/nginx/domains/test2.example.com/public/basic/web lived
    


    And everything worked fine with a fully valid live LE CERT!!

    The only thing that worried me was that I got a forbidden error when I first tried to go to the new sites. acmetool created the vhosts as expected and everything was right, however the webroot was empty and nginx reported an error as it could not find a index.html or index.php.

    I would suggest putting a dummy index.html file something like:

    Code (Text):
    <html>
        <head>
        </head>
        <body>
            <h1>HTTPs version of example.com</h1>
        </body>
    </html>
    
    


    in the newly created webroot.

    Looking good!!
    -John
     
  8. JarylW

    JarylW Active Member

    213
    39
    28
    Jun 19, 2014
    Singapore
    Ratings:
    +99
    Local Time:
    7:53 AM
    Why does the script replace in my .conf file
    root site.com;

    instead of
    root /home/nginx/domains/site.com/public

    For

    --------------------------------------------------------
    SSL Reissue Management
    --------------------------------------------------------
    1). Reissue SSL Cert Staging/Test
    2). Reissue SSL Cert Staging/Test HTTPS Default
    3). Reissue SSL Cert Live
    4). Reissue SSL Cert Live HTTPS Default
    5). Custom Webroot Reissue SSL Cert Staging/Test
    6). Custom Webroot Reissue SSL Cert Staging/Test HTTPS Default
    7). Custom Webroot Reissue SSL Cert Live
    8). Custom Webroot Reissue SSL Cert Live HTTPS Default
    9). S3 Reissue SSL Cert
    10). S3 Reissue SSL Cert
    11). S3 Reissue SSL Cert
    12). S3 Reissue SSL Cert
    13). Exit
    --------------------------------------------------------
    Enter option [ 1 - 13 ] 3
    --------------------------------------------------------

    and

    --------------------------------------------------------
    Enter option [ 1 - 13 ] 5
    --------------------------------------------------------
     
    Last edited: Aug 22, 2016
  9. eva2000

    eva2000 Administrator Staff Member

    30,563
    6,851
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,268
    Local Time:
    9:53 AM
    Nginx 1.13.x
    MariaDB 5.5
    you used custom web root menu so did you specify full path to a custom web root ? i.e. /home/nginx/domains/site.com/mywebroot instead of /home/nginx/domains/site.com/public ? If you want web root default /home/nginx/domains/site.com/public then don't use custom web root menu options

    looks like acme-menu mode for custom webroot isn't complete yet there is no prompt for web root in menu option 5 for reissue management !
     
    Last edited: Aug 22, 2016
  10. eva2000

    eva2000 Administrator Staff Member

    30,563
    6,851
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,268
    Local Time:
    9:53 AM
    Nginx 1.13.x
    MariaDB 5.5
    strange, centmin.sh menu option 2 and 22 only trigger addons/acmetool.sh if it detects the file at addons/acmetool.sh

    looks like you didn't answer specificy yes = y to continue using addons/acmetool.sh when prompted i see just a question mark ?
    Code (Text):
    -------------------------------------------------------------
    ok: /usr/local/src/centminmod/addons/acmetool.sh
    /usr/local/src/centminmod/addons/acmetool.sh issue domain.com
    -------------------------------------------------
    acmetool.sh is in beta testing phase
    please read & provide bug reports &
    feedback for this tool via the forums
    https://community.centminmod.com/posts/34492/
    -------------------------------------------------
    continue [y/n] ?
    aborting...

    so it aborted using addons/acmetool.sh and continued just with the normal centmin.sh menu option 22 wordpress auto install with self-signed ssl cert
     
  11. eva2000

    eva2000 Administrator Staff Member

    30,563
    6,851
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,268
    Local Time:
    9:53 AM
    Nginx 1.13.x
    MariaDB 5.5
    how long between updating DNS to point to test server ip and first test webroot-issue run ? did you check dns fully propagated worldwide at Global DNS Propagation Checker - What's My DNS? ? how long between the failed and succeed lived run ? could be DNS only updated by then ? you can check the logs for both runs at /root/centminlogs

    display logs order by ascending date so latest logs are last
    Code:
    ls -lhArt /root/centminlogs
    check the issue & install letsencrypt ssl certificate section of the log for clues as to why it failed
    Code (Text):
    -----------------------------------------------------------
    issue & install letsencrypt ssl certificate for acme3.domain1.com
    -----------------------------------------------------------
    


    i.e.
    Code (Text):
    -----------------------------------------------------------
    issue & install letsencrypt ssl certificate for acme3.domain1.com
    -----------------------------------------------------------
    /root/.acme.sh/acme.sh --staging --issue -d acme3.domain1.com -w /home/nginx/domains/acme3.domain1.com/public -k ec-256 --useragent centminmod-centos7-acmesh-webroot
    [Fri Aug 19 21:08:05 UTC 2016] Using stage api:https://acme-staging.api.letsencrypt.org
    [Fri Aug 19 21:08:08 UTC 2016] Skip register account key
    [Fri Aug 19 21:08:08 UTC 2016] Creating domain key
    [Fri Aug 19 21:08:08 UTC 2016] Use length 256
    [Fri Aug 19 21:08:08 UTC 2016] Using ec name: prime256v1
    [Fri Aug 19 21:08:08 UTC 2016] Single domain='acme3.domain1.com'
    [Fri Aug 19 21:08:08 UTC 2016] Verify each domain
    [Fri Aug 19 21:08:08 UTC 2016] Getting webroot for domain='acme3.domain1.com'
    [Fri Aug 19 21:08:08 UTC 2016] Getting token for domain='acme3.domain1.com'
    [Fri Aug 19 21:08:12 UTC 2016] acme3.domain1.com is already verified, skip.
    [Fri Aug 19 21:08:12 UTC 2016] acme3.domain1.com is already verified, skip http-01.
    [Fri Aug 19 21:08:12 UTC 2016] acme3.domain1.com is already verified, skip http-01.
    [Fri Aug 19 21:08:12 UTC 2016] Verify finished, start to sign.
    [Fri Aug 19 21:08:17 UTC 2016] Cert success.
    

    acmetool.sh 0.4 was updated for this already Letsencrypt - Official acmetool.sh testing thread for Centmin Mod 123.09beta01 | Page 3 | Centmin Mod Community
     
  12. eva2000

    eva2000 Administrator Staff Member

    30,563
    6,851
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,268
    Local Time:
    9:53 AM
    Nginx 1.13.x
    MariaDB 5.5
    You stumbled on a hidden easter egg routine hehe.. It's for ssl setup for main hostname. And routine is just like any domain for letsencrypt it requires a valid DNS setup so main hostname points to IP of server for letsencrypt to get an ssl cert. But the hidden routine isn't finished. It only sets up the self-signed ssl vhost and is not yet tied into the acmetool.sh part. The acmetool.sh has 2 parts it setups up self-signed ssl vhost if not found + starts issuance for letsencrypt ssl cert which if successfully validated will replace self-signed ssl with letsencrypt ssl cert. That's why i mentioned to @jscott that main vhostname is NOT supported for acmetool.sh letsencrypt ssl as yet.

    Excellent to hear :)
    no need really, though for your own records and testing it doesn't hurt to save them privately so you can compare to failed runs to see what was different. A list of file comparison tools at List of file comparison tools | Centmin Mod Community to compare files and their diffs
    the primary and secondary emails populated in those files come from initial centmin mod 123.09beta01 centmin.sh launched prompts and not relatd to acmetool.sh or letsencrypt. They are preparations for centmin mod future notification alert features which rely on knowing the end users email addresses. They can therefore be used for acmetool.sh or any other backup script or notification feature in future when i write such routines :)
    Code (Text):
     ./centmin.sh
    
    --------------------------------------------------------------------
    Setup Server Administration Email
    Emails will be used for future notification alert features
    --------------------------------------------------------------------
    Hit Enter To Skip...
    Will be prompted everytime run centmin.sh if both emails not entered
    --------------------------------------------------------------------
    enter primary email: email@domain1.com
    enter secondary email: email@domain2.com
    --------------------------------------------------------------------
    
    Primary: 1
    setup at /etc/centminmod/email-primary.ini
    
      email@domain1.com
    
    Secondary: 2
    setup at /etc/centminmod/email-secondary.ini
    
      email@domain2.com
    
     
    Last edited: Aug 22, 2016
    • Like Like x 1
  13. eva2000

    eva2000 Administrator Staff Member

    30,563
    6,851
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,268
    Local Time:
    9:53 AM
    Nginx 1.13.x
    MariaDB 5.5
  14. apidevlab

    apidevlab Member

    88
    30
    18
    Mar 22, 2016
    /dev/null
    Ratings:
    +54
    Local Time:
    11:53 PM
    1.11.1
    5.2.14-122
    Thankyou for the clarification. I plan on throwing a few more tests at this over the coming days as the vp server is due to expire but it's good for 2 weeks.

    I asked this because doesn't LE (live) require a valid email ? (for the account registration and agreement) I appreciate this is acme.sh code but it's worth knowing.

    I do see /root/.acme.sh/account.json does not have an email for the registration routine (regjson) (This is created via the staging server?)

    Code (Text):
    .....Q","e":"AQAB"},"contact":[],"agreement":"https://let.....


    /root/.acme.sh/acme.sh

    Code (Text):
    regjson='{"resource": "new-reg", "contact": ["mailto: '$ACCOUNT_EMAIL'"], "agreement": "'$AGREEMENT'"}'
    


    /root/.acme.sh/account.conf (commented out)

    Code (Text):
    #ACCOUNT_EMAIL=aaa@aaa.com  # the account email used to register account
    
     
  15. eva2000

    eva2000 Administrator Staff Member

    30,563
    6,851
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,268
    Local Time:
    9:53 AM
    Nginx 1.13.x
    MariaDB 5.5
    letsencrypt account email registration is totally optional and not required. If you register an email, you get email notifications from them for stuff like cert expiry. But i intend to bypass that and do notifications totally from the server itself hence why i have added pushover notification support and working on extending that to expiry notifications. I'd rather get a push notification to my mobile/tablet device than an email which may end up buried amongst others to read heh.
    it's created at acme.sh install time via acmetool.sh and specify chose not to register emails with letsencrypt as i am going push notification route
     
  16. apidevlab

    apidevlab Member

    88
    30
    18
    Mar 22, 2016
    /dev/null
    Ratings:
    +54
    Local Time:
    11:53 PM
    1.11.1
    5.2.14-122
    Thanks for the info, I wasn't 100% sure. The only other implementation of LE I have used is via Webmin/Virtualmin and that requires (their implementation) an email.
     
  17. eva2000

    eva2000 Administrator Staff Member

    30,563
    6,851
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,268
    Local Time:
    9:53 AM
    Nginx 1.13.x
    MariaDB 5.5
    decided to privatise acmetool.sh email and push notifications so only instance of where you email is saved is on your own server rather than in letsencrypt's database :)
     
    • Informative Informative x 1
  18. jscott

    jscott Member

    94
    14
    8
    Aug 13, 2015
    Ratings:
    +31
    Local Time:
    6:53 PM
    I think you may have missed something. I have two sucessfull runs. One on a test server and one on a live server.

    I was just saying that the test cert on the test server was working, but giving a untrusted cert AS EXPECTED!

    Then the lived test server was giving a live cert that was FULLY TRUSTED as expected.

    I am sorry if I did not make that clear.

    I am using domains that are already registered and just changing the IP address of the server that they point to. This normally only takes a short period of time to propagate. However, I do a quick check to make sure before testing.

    New domain names take a lot longer ( several hours usually ).

    I just check the version of acmetool.sh and it is 0.4 that is creating empty custom webroots...

    -John
     
    • Informative Informative x 1
  19. eva2000

    eva2000 Administrator Staff Member

    30,563
    6,851
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,268
    Local Time:
    9:53 AM
    Nginx 1.13.x
    MariaDB 5.5
    ah i see :) I some how read that as letsencrypt validation failing

    oh interesting acmetool.sh is updated to 0.5 so maybe try again
     
  20. eva2000

    eva2000 Administrator Staff Member

    30,563
    6,851
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,268
    Local Time:
    9:53 AM
    Nginx 1.13.x
    MariaDB 5.5
    i think i know what's going on.. it's because you ran acmetool.sh webroot-issue back to back i think, the index.html setup copies over generated files from public/* to the custom web root only if the custom webroot directory didn't exist before, so it creates the custom webroot directory and copies the public/* files. But if custom webroot directory exists nothing is copied over.

    acmetool.sh 0.6 update for more checks for this Beta Branch - acmetool 0.6 double check if custom webroot directory is empty | Centmin Mod Community
     
    Last edited: Aug 22, 2016