
Letsencrypt Official acmetool.sh testing thread for Centmin Mod 123.09beta01

Discussion in 'Domains, DNS, Email & SSL Certificates' started by eva2000, Jul 26, 2016.

  1. eva2000

    eva2000 Administrator Staff Member

    Unfortunately it's directly a Letsencrypt side issue: they don't support internationalized domains starting with xn--, see Upcoming Features - Let's Encrypt - Free SSL/TLS Certificates

    What was your domain name extension ?

    What was the exact acmetool.sh command you ran originally to get the letsencrypt ssl cert? Also, where did you get the backup from? From /usr/local/nginx/conf/acmevhostbackup? You can list the acmetool.sh backups at /usr/local/nginx/conf/acmevhostbackup in ascending date order so the most recent is at the bottom of the list
    Code (Text):
    ls -lahrt /usr/local/nginx/conf/acmevhostbackup

    When you create a new nginx vhost domain via centmin.sh menu option 2 or menu option 22 or via the /usr/bin/nv cli command line, you will create the Nginx vhost files and directories. The output shows the path where it creates the domain name's vhost conf file named newdomain.com.conf (and newdomain.com.ssl.conf if you selected yes to self signed SSL)
    • Nginx vhost conf path will be at /usr/local/nginx/conf/conf.d/newdomain.com.conf
    • Nginx HTTP/2 SSL vhost conf path will be at /usr/local/nginx/conf/conf.d/newdomain.com.ssl.conf
    • Nginx Self-Signed SSL Certificate Directory at /usr/local/nginx/conf/ssl/newdomain.com
    • Vhost public web root will be at /home/nginx/domains/newdomain.com/public
    • Vhost log directory will be at /home/nginx/domains/newdomain.com/log
    Please post the contents of /usr/local/nginx/conf/conf.d/newdomain.com.conf and if applicable /usr/local/nginx/conf/conf.d/newdomain.com.ssl.conf wrapped in CODE tags (outlined at How to use forum BBCODE code tags)

    edit: also what's output for these 2 commands - wrap output in CODE tags
    Code (Text):
    curl -Isv https://domainname.com
    curl -Isv http://domainname.com
     
    Last edited: Sep 9, 2016
  2. erfolgskompass

    erfolgskompass New Member

    .com

    I used the menu and copied this from the log file

    Code:
    /root/.acme.sh/acme.sh --issue -d domain.com -w /home/nginx/domains/domain.com/public -k 2048 --useragent centminmod-centos6-acmesh-webroot
    yes


    I have reinstalled nginx now and it has altered the config files once more. Also I rebooted the server. However here is the current config file as requested.

    File: /usr/local/nginx/conf/conf.d/newdomain.com.ssl.conf

    Code:
    # Centmin Mod Getting Started Guide
    # must read http://centminmod.com/getstarted.html
    # For SPDY SSL Setup
    # read http://centminmod.com/nginx_configure_https_ssl_spdy.html
    
    # redirect from www to non-www  forced SSL
    # uncomment, save file and restart Nginx to enable
    # if unsure use return 302 before using return 301
    # server {
    #       listen   80;
    #       server_name domain.com www.domain.com;
    #       return 302 https://$server_name$request_uri;
    # }
    
    server {
      listen 443 ssl http2;
      server_name domain.com www.domain.com;
    
      ssl_dhparam /usr/local/nginx/conf/ssl/domain.com/dhparam.pem;
      ssl_certificate      /usr/local/nginx/conf/ssl/domain.com/domain.com.crt;
      ssl_certificate_key  /usr/local/nginx/conf/ssl/domain.com/domain.com.key;
      include /usr/local/nginx/conf/ssl_include.conf;
    
      http2_max_field_size 16k;
      http2_max_header_size 32k;
      # mozilla recommended
      ssl_ciphers EECDH+CHACHA20:EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA256:EECDH+ECDSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+SHA384:EECDH+AES128:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!CAMELLIA;
      ssl_prefer_server_ciphers   on;
      #add_header Alternate-Protocol  443:npn-spdy/3;
    
      #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
      #add_header X-Frame-Options SAMEORIGIN;
      #add_header X-Xss-Protection "1; mode=block" always;
      #add_header X-Content-Type-Options "nosniff" always;
      #spdy_headers_comp 5;
      ssl_buffer_size 1369;
      ssl_session_tickets on;
    
      # enable ocsp stapling
      #resolver 8.8.8.8 8.8.4.4 valid=10m;
      #resolver_timeout 10s;
      #ssl_stapling on;
      #ssl_stapling_verify on;
      #ssl_trusted_certificate /usr/local/nginx/conf/ssl/domain.com/domain.com-trusted.crt;
    
    # ngx_pagespeed & ngx_pagespeed handler
    #include /usr/local/nginx/conf/pagespeed.conf;
    #include /usr/local/nginx/conf/pagespeedhandler.conf;
    #include /usr/local/nginx/conf/pagespeedstatslog.conf;
    
      # limit_conn limit_per_ip 16;
      # ssi  on;
    
      access_log /home/nginx/domains/domain.com/log/access.log main_ext buffer=256k flush=60m;
      error_log /home/nginx/domains/domain.com/log/error.log;
    
      include /usr/local/nginx/conf/autoprotect/domain.com/autoprotect-domain.com.conf;
      root /home/nginx/domains/domain.com/public;
      # uncomment cloudflare.conf include if using cloudflare for
      # server and/or vhost site
      #include /usr/local/nginx/conf/cloudflare.conf;
      include /usr/local/nginx/conf/503include-main.conf;
    
      # prevent access to ./directories and files
      #location ~ (?:^|/)\. {
      # deny all;
      #}
    
      location / {
      include /usr/local/nginx/conf/503include-only.conf;
    
    # block common exploits, sql injections etc
    #include /usr/local/nginx/conf/block.conf;
    
      # Enables directory listings when index file not found
      #autoindex  on;
    
      # Shows file listing times as local time
      #autoindex_localtime on;
    
      # Enable for vBulletin usage WITHOUT vbSEO installed
      # More example Nginx vhost configurations at
      # http://centminmod.com/nginx_configure.html
      #try_files    $uri $uri/ /index.php;
    
      }
    
      include /usr/local/nginx/conf/staticfiles.conf;
      include /usr/local/nginx/conf/php.conf;
      include /usr/local/nginx/conf/drop.conf;
      #include /usr/local/nginx/conf/errorpage.conf;
      include /usr/local/nginx/conf/vts_server.conf;
    }
    
    Basically after running acmetool the following was uncommented even though the file /usr/local/nginx/conf/ssl/domain.com/domain.com-trusted.crt doesn't exist:

    Code:
      resolver 8.8.8.8 8.8.4.4 valid=10m;
      resolver_timeout 10s;
      ssl_stapling on;
      ssl_stapling_verify on;
      ssl_trusted_certificate /usr/local/nginx/conf/ssl/domain.com/domain.com-trusted.crt;
    
    File: /usr/local/nginx/conf/conf.d/newdomain.com.conf

    Code:
    # Centmin Mod Getting Started Guide
    # must read http://centminmod.com/getstarted.html
    
    # redirect from non-www to www
    # uncomment, save file and restart Nginx to enable
    # if unsure use return 302 before using return 301
    #server {
    #            listen   80;
    #            server_name domain.com www.domain.com;
    #            return 301 $scheme://www.domain.com$request_uri;
    #       }
    
    server {
    
      server_name domain.com www.domain.com;
    
    # ngx_pagespeed & ngx_pagespeed handler
    #include /usr/local/nginx/conf/pagespeed.conf;
    #include /usr/local/nginx/conf/pagespeedhandler.conf;
    #include /usr/local/nginx/conf/pagespeedstatslog.conf;
    
      #add_header X-Frame-Options SAMEORIGIN;
      #add_header X-Xss-Protection "1; mode=block" always;
      #add_header X-Content-Type-Options "nosniff" always;
    
      # limit_conn limit_per_ip 16;
      # ssi  on;
    
      access_log /home/nginx/domains/domain.com/log/access.log main_ext buffer=256k flush=60m;
      error_log /home/nginx/domains/domain.com/log/error.log;
    
      include /usr/local/nginx/conf/autoprotect/domain.com/autoprotect-domain.com.conf;
      root /home/nginx/domains/domain.com/public;
      # uncomment cloudflare.conf include if using cloudflare for
      # server and/or vhost site
      #include /usr/local/nginx/conf/cloudflare.conf;
      include /usr/local/nginx/conf/503include-main.conf;
    
      # prevent access to ./directories and files
      #location ~ (?:^|/)\. {
      # deny all;
      #}
    
      location / {
      include /usr/local/nginx/conf/503include-only.conf;
    
    # block common exploits, sql injections etc
    #include /usr/local/nginx/conf/block.conf;
    
      # Enables directory listings when index file not found
      #autoindex  on;
    
      # Shows file listing times as local time
      #autoindex_localtime on;
    
      # Enable for vBulletin usage WITHOUT vbSEO installed
      # More example Nginx vhost configurations at
      # http://centminmod.com/nginx_configure.html
      #try_files    $uri $uri/ /index.php;
    
      }
    
      include /usr/local/nginx/conf/staticfiles.conf;
      include /usr/local/nginx/conf/php.conf;
      include /usr/local/nginx/conf/drop.conf;
      #include /usr/local/nginx/conf/errorpage.conf;
      include /usr/local/nginx/conf/vts_server.conf;
    }
    
    So in the case acmetool does only change the files /usr/local/nginx/conf/conf.d/newdomain.com.conf and /usr/local/nginx/conf/conf.d/newdomain.com.ssl.conf the problem should be solved after reinstalling nginx and rebooting the server, I will check it again after reconnecting to the internet.
     
  3. eva2000

    eva2000 Administrator Staff Member

    can you copy the contents of recent log file and post contents of log to pastebin.com or gist.github.com
    you shouldn't need to reinstall nginx, when you mean reinstall you mean recompile via centmin.sh menu option 4 ?
    after you run acmetool.sh is nginx running and online all the time ? you can check the config file syntax is correct via
    Code (Text):
    nginx -t
    

    sounds like a bug in the logic but will know more once i can check the log via pastebin/gist
    which menu and submenu option did you use ? if you posted the log file to pastebin/gist i can see for myself anyway
     
  4. pamamolf

    pamamolf Well-Known Member

    If i set the ssl and then want to move to another server should i copy some files (which files?) to the new server and it will work or i must do it again on the new server?

    Thanks
     
  5. eva2000

    eva2000 Administrator Staff Member

    Read updated official site's config file list https://centminmod.com/configfiles.html on dealing with Nginx & Nginx site domain vhost config files :)

    basically transfer /usr/local/nginx/conf/ssl/yourdomain.com/ contents which has Letsencrypt ssl certs and your existing nginx vhost will point to certs at /usr/local/nginx/conf/ssl/yourdomain.com/ so site transfer should work fine up until ssl cert expiry date. Then run acmetool.sh reissue or renew for domain to re-register it on new server for auto renewal.
     
    Last edited: Sep 11, 2016
  6. narji

    narji Member

    hello, it's my first time testing and adding
    Let's Encrypt for a new vps, already installed 123.09beta01 with this command "
    yum -y update; curl -O https://centminmod.com/betainstaller7.sh && chmod 0700 betainstaller7.sh && bash betainstaller7.sh

    can i choose menu 22 to setup wordpress with Letsencrypt SSL certificates ?
     
  7. eva2000

    eva2000 Administrator Staff Member

    Welcome @narji :) Yes you can - read the first 10 posts of this thread particularly:
     
  8. pamamolf

    pamamolf Well-Known Member

    If i am not wrong there is no option to get that ready to go when i create a new vhost or not from menu option 2?

    If i remember correct there was a question about self signed cert or nothing and not any option to get the Let's encrypt ssl....
     
  9. eva2000

    eva2000 Administrator Staff Member

  10. narji

    narji Member

    thank you for the fast response

    for domain.com without www is success
    then i get this message
    [Sun Sep 11 04:07:01 WIB 2016] Verifying: www.domain.com
    [Sun Sep 11 04:11:27 WIB 2016] Please refer to libcurl - Error Codes for error code: 35
    [Sun Sep 11 04:11:27 WIB 2016] Can not post to https://acme-v01.api.letsencrypt.or...ph4Fwbzv8S8xz7X7xNCgaur8ubgEfOaYF7k/260641530.
    [Sun Sep 11 04:11:27 WIB 2016] www.domain.com:Can not get challenge:
    LECHECK = 1

    what should i do now ?
     
  11. eva2000

    eva2000 Administrator Staff Member

    strange did you also add DNS A record for your www version of your domain ?

    libcurl error 35
    in /root/centminlogs you would have a log file of centmin.sh menu option 22 run you can find the file by listing directory contents in ascending date order
    Code (Text):
    ls -lahrt /root/centminlogs
    

    copy contents of the specific log file and post contents of log to pastebin.com or gist.github.com so can see what the full log says.
     
    Last edited: Sep 11, 2016
  12. eva2000

    eva2000 Administrator Staff Member

    @narji correct meant in /root/centminlogs not /etc/centminlogs heh
     
  13. narji

    narji Member

    yes i have www in dns panel or dnsmadeeasy manage
    vps rdns to "www.domain.com"

    my config
    /etc/hosts
    127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
    ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
    111.111.111.123 "www" "www...domain.com"

    and /etc/hostname
    "www...domain.com"

    currently i reinstall centos 7.1 again now
     
  14. narji

    narji Member

    replaced www with the non-www domain in /etc/hosts and /etc/hostname, now finished and letsencrypt verified successfully with no error, with wordpress install no 22 at menu centmin

    in page 1 can i get notify with pushover?
    i do not have acmetoool-config.ini in /etc/centminmod folder

    it is acmetoool-config.ini ? or acmetool-config.ini with double 'oo'?
     
  15. eva2000

    eva2000 Administrator Staff Member

  16. erfolgskompass

    erfolgskompass New Member

    Hey I was quite busy in the past days and the site is working for us... we are getting good amounts of sales in, so I think its solved.

    However here are the logs

    Here is the acmelog, I hope thats all you need

    ----------------------------------------------------- updating acme.sh client - Pastebin.com

    yes...

    yes, nginx was running

    Option 3). Issue SSL Cert Live
     
  17. eva2000

    eva2000 Administrator Staff Member

    possibly 2 separate issues from pastebin log which i can see from this part of the log

    Code (Text):
    -----------------------------------------------------------
    issue & install letsencrypt ssl certificate for domain.com
    -----------------------------------------------------------
    testcert value = live
    /root/.acme.sh/acme.sh --issue -d domain.com -w /home/nginx/domains/domain.com/public -k 2048 --useragent centminmod-centos6-acmesh-webroot
    [Wed Sep  7 14:02:08 CEST 2016] Creating account key
    [Wed Sep  7 14:02:09 CEST 2016] Registering account
    [Wed Sep  7 14:02:11 CEST 2016] Registered
    [Wed Sep  7 14:02:11 CEST 2016] Creating domain key
    [Wed Sep  7 14:02:11 CEST 2016] Single domain='domain.com'
    [Wed Sep  7 14:02:11 CEST 2016] Verify each domain
    [Wed Sep  7 14:02:11 CEST 2016] Getting webroot for domain='domain.com'
    [Wed Sep  7 14:02:11 CEST 2016] Getting token for domain='domain.com'
    [Wed Sep  7 14:02:13 CEST 2016] new-authz error: {"type":"urn:acme:error:unsupportedIdentifier","detail":"Internationalized domain names (starting with xn--) not yet supported","status": 400}
    LECHECK = 1


    1st is probably a bug, for top level domain it should auto append www version of domain.com to issue command but it's missing from this part
    Code (Text):
    /root/.acme.sh/acme.sh --issue -d domain.com -w /home/nginx/domains/domain.com/public -k 2048 --useragent centminmod-centos6-acmesh-webroot

    should have an extra -d www.domain.com appended to the command

    2nd issue is
    Code (Text):
    {"type":"urn:acme:error:unsupportedIdentifier","detail":"Internationalized domain names (starting with xn--) not yet supported","status": 400}

    so letsencrypt's server detected an unsupported domain extension which is weird if you said your domain is a .com ? really need to know the domain name to be sure.
     
  18. eva2000

    eva2000 Administrator Staff Member

    could be down to specific domain name and how i determine if a domain is top level or subdomain

    what do you get when you run these commands replacing yourdomain.com with your domain that failed to issue

    Code (Text):
    vhostname_dns=yourdomain.com
    dig soa $vhostname_dns | grep -v ^\; | grep SOA | awk '{print $1}' | sed 's/\.$//'
    

    example for centminmod.com output would be
    Code (Text):
    vhostname_dns=centminmod.com
    dig soa $vhostname_dns | grep -v ^\; | grep SOA | awk '{print $1}' | sed 's/\.$//'
    centminmod.com

    basically i use comparison match against vhostname_dns value and dig filtered soa output to see if a domain entered is subdomain or not. If vhostname_dns and SOA values match it's not a subdomain and auto appends www version to issuance run. If they do not match, it's subdomain and DO NOT append www version to command
     
  19. erfolgskompass

    erfolgskompass New Member

    Yes, it is an internationalized domain name though... xn--domain.com

    it just displays the domain name without errors, however only when using the xn--domain-xyz.com notation

    when using the international name with special characters:
    Code:
    dig: convert textname to UTF-8: failure
    
     
  20. eva2000

    eva2000 Administrator Staff Member

    ah that's the culprit then: the comparison triggers a non-match, so it thinks the domain is a subdomain and does not append www to the issuance command. Never read up on internationalized domains myself so will have to read up so I can add a check for them so it aborts with a better message as Letsencrypt doesn't support such domains :)

    cheers for the info which is helpful for troubleshooting and further improving acmetool.sh :)

    guess need to read Internationalized domain name - Wikipedia, the free encyclopedia and filter/check for xn-- prefixed domains

    For a proper match for example for xn--bcher-kva.ch, I would need to convert the idn to punycode via idn command
    Code (Text):
    vhostname_dns=xn--bcher-kva.ch
    

    without idn conversion don't get punycode version of domain
    Code (Text):
    dig soa $vhostname_dns | grep -v ^\; | grep SOA | awk '{print $1}' | sed 's/\.$//'
    bücher.ch

    with idn conversion get punycode version matching the inputted domain
    Code (Text):
    dig soa $vhostname_dns | grep -v ^\; | grep SOA | awk '{print $1}' | sed 's/\.$//' | idn
    xn--bcher-kva.ch

    but letsencrypt won't accept xn-- anyway. Not until after November 30, 2016 Upcoming Features - Let's Encrypt - Free SSL/TLS Certificates

    i'll add a check for idn domains to make sure to not accept them with a descriptive message
    Code (Text):
    if [[ "$(echo $vhostname_dns | grep '^xn--')" ]]; then echo idn; else echo 'not idn'; fi
    idn
     
    Last edited: Sep 15, 2016
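The subdomain comparison and the xn-- check discussed in the last few posts, put together as an added example that is not acmetool.sh's own code. It takes the entered vhost name and the SOA apex name as arguments so it runs offline without dig or idn; the function names are assumed, and the U-label to punycode conversion the thread mentions is left out.

```shell
#!/usr/bin/env bash
# Added example, not part of Centmin Mod or acmetool.sh. Reproduces the
# decision logic from the thread: append -d www.DOMAIN only when the entered
# name equals the SOA apex, and abort early for xn-- (punycode) labels.

# is_idn NAME: true when any label carries the xn-- punycode prefix. This is a
# slightly wider version of the thread's grep '^xn--' since it also catches a
# punycode label below a plain apex (e.g. xn--bcher-kva.example.com).
is_idn() {
  case "$1" in
    xn--*|*.xn--*) return 0 ;;
    *) return 1 ;;
  esac
}

# normalize NAME: lowercase and strip the trailing dot dig prints on the SOA
# owner name, as the thread's sed 's/\.$//' does.
normalize() {
  printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//'
}

# decide_www VHOST SOA_APEX: prints append-www (apex domain), subdomain
# (names differ) or idn-abort (punycode label present).
decide_www() {
  local vhost soa
  vhost=$(normalize "$1")
  soa=$(normalize "$2")
  if is_idn "$vhost"; then
    echo idn-abort; return 2
  fi
  if [ "$vhost" = "$soa" ]; then
    echo append-www; return 0
  fi
  echo subdomain; return 1
}

# build_issue_cmd VHOST SOA_APEX WEBROOT: the acme.sh --issue line from the
# thread's log, with -d www.VHOST added only when decide_www says append-www.
# Returns 2 and prints nothing for an IDN so the caller can stop with a message.
build_issue_cmd() {
  local vhost="$1" soa="$2" webroot="$3" extra=""
  case "$(decide_www "$vhost" "$soa")" in
    append-www) extra=" -d www.$vhost" ;;
    idn-abort)  return 2 ;;
  esac
  printf '/root/.acme.sh/acme.sh --issue -d %s%s -w %s -k 2048\n' \
    "$vhost" "$extra" "$webroot"
}

# constructed sample run (no network): apex, subdomain, then the IDN case
build_issue_cmd centminmod.com centminmod.com /home/nginx/domains/centminmod.com/public
build_issue_cmd sub.centminmod.com centminmod.com /home/nginx/domains/sub.centminmod.com/public
build_issue_cmd xn--bcher-kva.ch xn--bcher-kva.ch /home/nginx/domains/xn--bcher-kva.ch/public \
  || echo "abort: Letsencrypt does not support xn-- domains"
```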