Letsencrypt Official acmetool.sh testing thread for Centmin Mod 123.09beta01

Strange. I fired up a new linode centos 7 specially to test this - and this is what came up.

---

 

Yea I already did that in my install. Fast work frm you as usual

 

Howdy, excellent thread. I only started testing last night and used 2 methods to test.

VPS Spec:

• 0.5 Core
• 512 RAM
• 123.09beta01
• acmetool.sh v 0.4
• acme.sh v 2.4.1

The 1st was (is) related to your reply quoted above but I want to clarify.

I setup centminmod beta 09 which uses fqdn.domain.com (mainhostname) which as you state above serves via the default main hostname webroot this domain is therefore NOT a valid domain for the purposes of achmetool ?

Code (Text):

if [[ "$vhost_domain" = "$MAIN_HOSTNAME" ]]; then
  # check if vhost domain name is the registered main server hostname first
  # create main vhost's ssl vhost config file
  sslvhostsetup_mainhostname "$vhost_domain"

Unless I specifically setup fqdn.domain.com < mainhostname

I used the centmin menu option 2 method for acme-test-01.domain.com which generates a self signed cert ONLY (even if you request a LE option)

Code (Text):

/usr/local/nginx/html

Code (Text):

Current vhost listing at: /usr/local/nginx/conf/conf.d/

Aug 17  19:31   1.1K   demodomain.com.conf
Aug 17  19:31   1.7K   virtual.conf
Aug 17  19:31   845    ssl.conf

As I understand it, achmetool looks for (mainhostname) a valid DNS and REAL domain setup eg:

Code (Text):

/home/nginx/domains/fqdn.domain.com

If this is the case would it be useful to include a small notice? To make it clear you have to have a REAL and VALID (mainhostname) domain setup otherwise achmetool (via centmin menu 2) will not run (silently fail) (I never setup a domain on the MAIN host)

Anyway I then ran acme-menu option 2 and it worked like a charm very well done, it's an excellent addition to centminmod.

Code (Text):

-----------------------------------------------------------
issue & install letsencrypt ssl certificate for acme-test-01.xxxxx.com
-----------------------------------------------------------
/root/.acme.sh/acme.sh --staging --issue -d acme-test-01.xxxxx.com -w /home/nginx/domains/acme-test-01.xxxxx.com/public -k 2048 --useragent centminmod-centos6-acmesh-webroot
[Sat Aug 20 12:00:27 UTC 2016] Using stage api:https://acme-staging.api.letsencrypt.org
[Sat Aug 20 12:00:27 UTC 2016] Creating account key
[Sat Aug 20 12:00:27 UTC 2016] Use length 2048
[Sat Aug 20 12:00:27 UTC 2016] Using RSA: 2048
[Sat Aug 20 12:00:29 UTC 2016] Registering account
[Sat Aug 20 12:00:32 UTC 2016] Registered
[Sat Aug 20 12:00:32 UTC 2016] Creating domain key
[Sat Aug 20 12:00:32 UTC 2016] Use length 2048
[Sat Aug 20 12:00:32 UTC 2016] Using RSA: 2048
[Sat Aug 20 12:00:32 UTC 2016] Single domain='acme-test-01.xxxxx.com'
[Sat Aug 20 12:00:32 UTC 2016] Verify each domain
[Sat Aug 20 12:00:32 UTC 2016] Getting webroot for domain='acme-test-01.xxxxx.com'
[Sat Aug 20 12:00:32 UTC 2016] Getting token for domain='acme-test-01.xxxxx.com'
[Sat Aug 20 12:00:35 UTC 2016] Verifying:acme-test-01.xxxxx.com
[Sat Aug 20 12:00:43 UTC 2016] Success
[Sat Aug 20 12:00:43 UTC 2016] Verify finished, start to sign.
[Sat Aug 20 12:00:46 UTC 2016] Cert success.

I will have lots more testing over the coming days to help get it ready for release. To that end would it be of any use to share successful logs?

Can you confirm the email passed to LE (stage / live) is the one as set:

Code (Text):

/etc/centminmod/email-primary.ini

 

Earlier what I did was reissue cert and it worked fine when calling acemetool.sh manually after I made said fix. However, from menu #22,

Code:

Create a self-signed SSL certificate Nginx vhost? [y/n]: n
Get Letsencrypt SSL certificate Nginx vhost? [y/n]: y

You have 4 options: 
1. issue staging test cert with HTTP + HTTPS
2. issue staging test cert with HTTPS default
3. issue live cert with HTTP + HTTPS
4. issue live cert with HTTPS default
Enter option number 1-4: 1

This option seemed to generate a self signed SSL and no calling of lesencrypt whatsoever..

[Bash] -------------------------------------------------------- Enter option [ 1 - 24 - Pastebin.com

 

Ok, I have been testing the custom webroot functions and it looks like it is working ok.

I created a fresh test server, installed centmin and updated everything.

pointed test domain DNS entries to the test server.

then ran

Code (Text):

./acmetool.sh webroot-issue test1.example.com /home/nginx/domains/test1.example.com/public/basic/web

And everything worked fine with the expected invalid LE CERT.
Then ran

Code (Text):

./acmetool.sh webroot-issue test2.example.com /home/nginx/domains/test2.example.com/public/basic/web lived

And everything worked fine with a fully valid live LE CERT!!

The only thing that worried me was that I got a forbidden error when I first tried to go to the new sites. acmetool created the vhosts as expected and everything was right, however the webroot was empty and nginx reported an error as it could not find a index.html or index.php.

I would suggest putting a dummy index.html file something like:

Code (Text):

<html>
    <head>
    </head>
    <body>
        <h1>HTTPs version of example.com</h1>
    </body>
</html>

in the newly created webroot.

Looking good!!
-John

 

Why does the script replace in my .conf file
root site.com;

instead of
root /home/nginx/domains/site.com/public

For

--------------------------------------------------------
SSL Reissue Management
--------------------------------------------------------
1). Reissue SSL Cert Staging/Test
2). Reissue SSL Cert Staging/Test HTTPS Default
3). Reissue SSL Cert Live
4). Reissue SSL Cert Live HTTPS Default
5). Custom Webroot Reissue SSL Cert Staging/Test
6). Custom Webroot Reissue SSL Cert Staging/Test HTTPS Default
7). Custom Webroot Reissue SSL Cert Live
8). Custom Webroot Reissue SSL Cert Live HTTPS Default
9). S3 Reissue SSL Cert
10). S3 Reissue SSL Cert
11). S3 Reissue SSL Cert
12). S3 Reissue SSL Cert
13). Exit
--------------------------------------------------------
Enter option [ 1 - 13 ] 3
--------------------------------------------------------

and

--------------------------------------------------------
Enter option [ 1 - 13 ] 5
--------------------------------------------------------

 

Thankyou for the clarification. I plan on throwing a few more tests at this over the coming days as the vp server is due to expire but it's good for 2 weeks.

I asked this because doesn't LE (live) require a valid email ? (for the account registration and agreement) I appreciate this is acme.sh code but it's worth knowing.

I do see /root/.acme.sh/account.json does not have an email for the registration routine (regjson) (This is created via the staging server?)

Code (Text):

.....Q","e":"AQAB"},"contact":[],"agreement":"https://let.....

/root/.acme.sh/acme.sh

Code (Text):

regjson='{"resource": "new-reg", "contact": ["mailto: '$ACCOUNT_EMAIL'"], "agreement": "'$AGREEMENT'"}'

/root/.acme.sh/account.conf (commented out)

Code (Text):

#ACCOUNT_EMAIL=aaa@aaa.com  # the account email used to register account

 

Thanks for the info, I wasn't 100% sure. The only other implementation of LE I have used is via Webmin/Virtualmin and that requires (their implementation) an email.

 

I think you may have missed something. I have two sucessfull runs. One on a test server and one on a live server.

I was just saying that the test cert on the test server was working, but giving a untrusted cert AS EXPECTED!

Then the lived test server was giving a live cert that was FULLY TRUSTED as expected.

I am sorry if I did not make that clear.

I am using domains that are already registered and just changing the IP address of the server that they point to. This normally only takes a short period of time to propagate. However, I do a quick check to make sure before testing.

New domain names take a lot longer ( several hours usually ).

I just check the version of acmetool.sh and it is 0.4 that is creating empty custom webroots...

-John