
Letsencrypt Parked subdomain SSL certificate renewal failed

Discussion in 'Domains, DNS, Email & SSL Certificates' started by Benjamin74, Feb 2, 2020.

  1. Benjamin74

    Benjamin74 Premium Member Premium Member

    58
    5
    8
    May 2, 2016
    Ratings:
    +12
    Local Time:
    5:21 AM
    Hello!

    I'm stuck and hope someone will be inspired or have an idea of what's going on. I'm using CMM beta Centmin Mod .09 beta.

    Current setup is the following :

    1) domain.com uses Cloudflare as DNS provider only (no caching, no SSL configured, just DNS)

    2) www.domain.com and domain.com have an A record pointing to server ALPHA's IP and using a Let's Encrypt SSL certificate installed with CMM option 22 (Wordpress with SSL "live" certificate option 4)

    Steps 1 and 2 work as expected, thanks to @eva2000 awesome work ;-)

    3) newsletter.domain.com and www.newsletter.domain.com A records are created on Cloudflare to point to server BETA's IP. That's because server BETA hosts mymailingsoftware.com (the domain and software handling newsletter sending), installed as a PHP application using CMM option 2 and a live Let's Encrypt SSL certificate.

    4) on server BETA, I've created newsletter.domain.com subdomain VHOST with CMM option 2, with "live" Let's Encrypt SSL certificate, using method 2 as seen in the thread: subdomain and ssl, i.e. editing the VHOST file newsletter.domain.com.ssl.conf to have the root pointing to: root /home/nginx/domains/mymailingsoftware.com/public

    After all this, everything works flawlessly... except that the SSL certificate of newsletter.domain.com will fail on renewal.

    Running:

    Code:
    "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh"
    Will give back:

    Code:
    [Sun Feb  2 11:49:01 UTC 2020] Renew: 'newsletter.domain.com'
    [Sun Feb  2 11:49:02 UTC 2020] Single domain='newsletter.domain.com'
    [Sun Feb  2 11:49:02 UTC 2020] Getting domain auth token for each domain
    [Sun Feb  2 11:49:06 UTC 2020] Getting webroot for domain='newsletter.domain.com'
    [Sun Feb  2 11:49:06 UTC 2020] Verifying: newsletter.domain.com
    [Sun Feb  2 11:49:10 UTC 2020] newsletter.domain.com:Verify error:Invalid response from https://newsletter.domain.com/.well-known/acme-challenge/r0IPL9dVi-FoLZ3ljaWSFVt572Gx5JJ5C5rGR-5nQRk [111.222.222.222]:
    [Sun Feb  2 11:49:10 UTC 2020] Please check log file for more details: /root/centminlogs/acmetool.sh-debug-log-061019-163709.log
    [Sun Feb  2 11:49:11 UTC 2020] Error renew newsletter.domain.com.
    I really don't know what's happening, I probably have forgotten a step somewhere.

    Does anyone have an idea of the problem?

    Thanks a lot,

    Benjamin
     
    Last edited: Feb 2, 2020
  2. eva2000

    eva2000 Administrator Staff Member

    45,432
    10,308
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +15,987
    Local Time:
    1:21 PM
    Nginx 1.19.x
    MariaDB 5.5/10.x
    When you create a new nginx vhost domain for mymailingsoftware.com via centmin.sh menu option 2 or menu option 22 or via the /usr/bin/nv CLI command line, it will create the Nginx vhost files and directories and output the path location where it creates the domain name's vhost conf file named newdomain.com.conf (and newdomain.com.ssl.conf if you selected yes to self-signed SSL):
    • Nginx vhost conf path will be at /usr/local/nginx/conf/conf.d/newdomain.com.conf
    • Nginx HTTP/2 SSL vhost conf path will be at /usr/local/nginx/conf/conf.d/newdomain.com.ssl.conf
    • Nginx Self-Signed SSL Certificate Directory at /usr/local/nginx/conf/ssl/newdomain.com
    • Vhost public web root will be at /home/nginx/domains/newdomain.com/public
    • Vhost log directory will be at /home/nginx/domains/newdomain.com/log
    Please post the contents of /usr/local/nginx/conf/conf.d/newdomain.com.conf and if applicable /usr/local/nginx/conf/conf.d/newdomain.com.ssl.conf wrapped in CODE tags (outlined at How to use forum BBCODE code tags)

    What is the output of these commands in SSH, where domain.com = mymailingsoftware.com?
    Code (Text):
    curl -I https://domain.com
    

    Code (Text):
    curl -I https://www.domain.com
    

    Code (Text):
    curl -I http://domain.com
    

    Code (Text):
    curl -I http://www.domain.com
    

    wrap output in CODE tags
     
  3. Benjamin74

    OK so for mymailingsoftware.com (which has the SSL certificate working), I have:

    Code:
    #x# HTTPS-DEFAULT
     server {
    
       server_name mymailingsoftware.com www.mymailingsoftware.com;
       return 302 https://mymailingsoftware.com$request_uri;
       include /usr/local/nginx/conf/staticfiles.conf;
     }
    
    
    server {
      listen 443 ssl http2;
      server_name mymailingsoftware.com www.mymailingsoftware.com;
    
      include /usr/local/nginx/conf/ssl/mymailingsoftware.com/mymailingsoftware.com.crt.key.conf;
      include /usr/local/nginx/conf/ssl_include.conf;
    
      # cloudflare authenticated origin pull cert community.centminmod.com/threads/13847/
      #ssl_client_certificate /usr/local/nginx/conf/ssl/cloudflare/mymailingsoftware.com/origin.crt;
      #ssl_verify_client on;
      http2_max_field_size 16k;
      http2_max_header_size 32k;
      # mozilla recommended
      ssl_ciphers TLS13-AES-128-GCM-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-C$
      ssl_prefer_server_ciphers   on;
      #add_header Alternate-Protocol  443:npn-spdy/3;
    
      # before enabling HSTS line below read centminmod.com/nginx_domain_dns_setup.html#hsts
      #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
      #add_header X-Frame-Options SAMEORIGIN;
      add_header X-Xss-Protection "1; mode=block" always;
      add_header X-Content-Type-Options "nosniff" always;
      #add_header Referrer-Policy "strict-origin-when-cross-origin";
      #spdy_headers_comp 5;
      ssl_buffer_size 1369;
      ssl_session_tickets on;
    
      # enable ocsp stapling
      resolver 8.8.8.8 8.8.4.4 1.1.1.1 1.0.0.1 valid=10m;
      resolver_timeout 10s;
      ssl_stapling on;
      ssl_stapling_verify on;
    
    # ngx_pagespeed & ngx_pagespeed handler
    #include /usr/local/nginx/conf/pagespeed.conf;
    #include /usr/local/nginx/conf/pagespeedhandler.conf;
    #include /usr/local/nginx/conf/pagespeedstatslog.conf;
    
      # limit_conn limit_per_ip 16;
      # ssi  on;
    
      access_log /home/nginx/domains/mymailingsoftware.com/log/access.log combined buffer=256k flush=5m;
      error_log /home/nginx/domains/mymailingsoftware.com/log/error.log;
    
      include /usr/local/nginx/conf/autoprotect/mymailingsoftware.com/autoprotect-mymailingsoftware.com.conf;
      root /home/nginx/domains/mymailingsoftware.com/public;
      # uncomment cloudflare.conf include if using cloudflare for
      # server and/or vhost site
      #include /usr/local/nginx/conf/cloudflare.conf;
      include /usr/local/nginx/conf/503include-main.conf;
    
      location / {
      include /usr/local/nginx/conf/503include-only.conf;
    
    # block common exploits, sql injections etc
    #include /usr/local/nginx/conf/block.conf;
    
      # Enables directory listings when index file not found
      #autoindex  on;
    
      # Shows file listing times as local time
      #autoindex_localtime on;
    
      # Wordpress Permalinks example
      #try_files $uri $uri/ /index.php?q=$uri&$args;
    
      }
      include /usr/local/nginx/conf/pre-staticfiles-local-mymailingsoftware.com.conf;
      include /usr/local/nginx/conf/pre-staticfiles-global.conf;
      include /usr/local/nginx/conf/staticfiles.conf;
      include /usr/local/nginx/conf/php.conf;
    
      include /usr/local/nginx/conf/drop.conf;
      #include /usr/local/nginx/conf/errorpage.conf;
      include /usr/local/nginx/conf/vts_server.conf;
    }
    Then for:

    curl -I https://domain.com
    Code:
    HTTP/1.1 200 OK
    Date: Sun, 02 Feb 2020 13:05:29 GMT
    Content-Type: text/html; charset=UTF-8
    Connection: keep-alive
    Vary: Accept-Encoding
    Set-Cookie: mwsid=dd2h63665fu7cgrc91k2flau0m; path=/; HttpOnly
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    X-XSS-Protection: 1; mode=block
    Set-Cookie: csrf_token=de0cc64fcbdba42e49f64a06a96998fd5f8f45dfs%3A88%3A%22X0s5clNkMXBDWWFIR01JTXBSX0djWnBHVkkySXVsQmy8Un7urRbxbJXaB2YTJd1Qj161V65W5ckDCtMy1BFLZQ%3D%3D%22%3B; path=/; HttpOnly
    Server: nginx centminmod
    X-Powered-By: centminmod
    X-Xss-Protection: 1; mode=block
    X-Content-Type-Options: nosniff
    

    curl -I https://www.domain.com
    Code:
    HTTP/1.1 200 OK
    Date: Sun, 02 Feb 2020 13:07:44 GMT
    Content-Type: text/html; charset=UTF-8
    Connection: keep-alive
    Vary: Accept-Encoding
    Set-Cookie: mwsid=cif0rd9qadqq8ueijt911fd3en; path=/; HttpOnly
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    X-XSS-Protection: 1; mode=block
    Set-Cookie: csrf_token=d3860b7788d9886b10bace6ac25cf5fd10c91590s%3A88%3A%22RzdMcWpQWmNVc3E4TV9zaThZelpBT0txcDRZNX5XRTa4-nZZRPRXd5F19lrFcFK3KN902b40vFv4Lqv5X-nn1g%3D%3D%22%3B; path=/; HttpOnly
    Server: nginx centminmod
    X-Powered-By: centminmod
    X-Xss-Protection: 1; mode=block
    X-Content-Type-Options: nosniff
    

    curl -I http://domain.com
    Code:
    HTTP/1.1 302 Moved Temporarily
    Date: Sun, 02 Feb 2020 13:08:17 GMT
    Content-Type: text/html
    Content-Length: 138
    Connection: keep-alive
    Location: https://mymailingsoftware.com/
    Server: nginx centminmod
    X-Powered-By: centminmod
    
    curl -I http://www.domain.com
    Code:
    HTTP/1.1 302 Moved Temporarily
    Date: Sun, 02 Feb 2020 13:08:34 GMT
    Content-Type: text/html
    Content-Length: 138
    Connection: keep-alive
    Location: https://mymailingsoftware.com/
    Server: nginx centminmod
    X-Powered-By: centminmod
    

    Now for newsletter.domain.com (whose Let's Encrypt certificate is NOT getting renewed as expected) I have:

    Code:
    #x# HTTPS-DEFAULT
     server {
    
       server_name newsletter.domain.com www.newsletter.domain.com;
       return 302 https://newsletter.domain.com$request_uri;
       include /usr/local/nginx/conf/staticfiles.conf;
     }
    
    
    server {
      listen 443 ssl http2;
      server_name newsletter.domain.com www.newsletter.domain.com;
    
      include /usr/local/nginx/conf/ssl/newsletter.domain.com/newsletter.domain.com.crt.key.conf;
      include /usr/local/nginx/conf/ssl_include.conf;
    
      # cloudflare authenticated origin pull cert community.centminmod.com/threads/13847/
      #ssl_client_certificate /usr/local/nginx/conf/ssl/cloudflare/newsletter.domain.com/origin.crt;
      #ssl_verify_client on;
      http2_max_field_size 16k;
      http2_max_header_size 32k;
      # mozilla recommended
      ssl_ciphers TLS13-AES-128-GCM-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-C$
      ssl_prefer_server_ciphers   on;
      #add_header Alternate-Protocol  443:npn-spdy/3;
    
      # before enabling HSTS line below read centminmod.com/nginx_domain_dns_setup.html#hsts
      #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
      #add_header X-Frame-Options SAMEORIGIN;
      add_header X-Xss-Protection "1; mode=block" always;
      add_header X-Content-Type-Options "nosniff" always;
      #add_header Referrer-Policy "strict-origin-when-cross-origin";
      #spdy_headers_comp 5;
      ssl_buffer_size 1369;
      ssl_session_tickets on;
    
      # enable ocsp stapling
      resolver 8.8.8.8 8.8.4.4 1.1.1.1 1.0.0.1 valid=10m;
      resolver_timeout 10s;
      ssl_stapling on;
      ssl_stapling_verify on;
    
    # ngx_pagespeed & ngx_pagespeed handler
    #include /usr/local/nginx/conf/pagespeed.conf;
    #include /usr/local/nginx/conf/pagespeedhandler.conf;
    #include /usr/local/nginx/conf/pagespeedstatslog.conf;
    
      # limit_conn limit_per_ip 16;
      # ssi  on;
    
      access_log /home/nginx/domains/newsletter.domain.com/log/access.log combined buffer=256k flush=5m;
      error_log /home/nginx/domains/newsletter.domain.com/log/error.log;
    
      include /usr/local/nginx/conf/autoprotect/newsletter.domain.com/autoprotect-newsletter.domain.com.conf;
      root /home/nginx/domains/mymailingsoftware.com/public;
    
      # uncomment cloudflare.conf include if using cloudflare for
      # server and/or vhost site
      #include /usr/local/nginx/conf/cloudflare.conf;
      include /usr/local/nginx/conf/503include-main.conf;
    
      location / {
      include /usr/local/nginx/conf/503include-only.conf;
    
    # block common exploits, sql injections etc
    #include /usr/local/nginx/conf/block.conf;
    
      # Enables directory listings when index file not found
      #autoindex  on;
    
      # Shows file listing times as local time
      #autoindex_localtime on;
    
      # Wordpress Permalinks example
      #try_files $uri $uri/ /index.php?q=$uri&$args;
    
      }
    
      include /usr/local/nginx/conf/pre-staticfiles-local-newsletter.domain.com.conf;
      include /usr/local/nginx/conf/pre-staticfiles-global.conf;
      include /usr/local/nginx/conf/staticfiles.conf;
      include /usr/local/nginx/conf/php.conf;
    
    
      include /usr/local/nginx/conf/drop.conf;
      #include /usr/local/nginx/conf/errorpage.conf;
      include /usr/local/nginx/conf/vts_server.conf;
    }
    => so the "root" is pointing to mymailingsoftware.com public folder.

    And for:

    curl -I https://newsletter.domain.com
    Code:
    curl: (60) Peer's Certificate has expired.
    More details here: http://curl.haxx.se/docs/sslcerts.html
    
    curl performs SSL certificate verification by default, using a "bundle"
     of Certificate Authority (CA) public keys (CA certs). If the default
     bundle file isn't adequate, you can specify an alternate file
     using the --cacert option.
    If this HTTPS server uses a certificate signed by a CA represented in
     the bundle, the certificate verification probably failed due to a
     problem with the certificate (it might be expired, or the name might
     not match the domain name in the URL).
    If you'd like to turn off curl's verification of the certificate, use
     the -k (or --insecure) option.
    
    curl -I https://www.newsletter.domain.com
    Code:
    curl: (60) Peer's Certificate has expired.
    More details here: http://curl.haxx.se/docs/sslcerts.html
    
    curl performs SSL certificate verification by default, using a "bundle"
     of Certificate Authority (CA) public keys (CA certs). If the default
     bundle file isn't adequate, you can specify an alternate file
     using the --cacert option.
    If this HTTPS server uses a certificate signed by a CA represented in
     the bundle, the certificate verification probably failed due to a
     problem with the certificate (it might be expired, or the name might
     not match the domain name in the URL).
    If you'd like to turn off curl's verification of the certificate, use
     the -k (or --insecure) option.
    
    curl -I http://newsletter.domain.com
    Code:
    HTTP/1.1 302 Moved Temporarily
    Date: Sun, 02 Feb 2020 13:16:19 GMT
    Content-Type: text/html
    Content-Length: 138
    Connection: keep-alive
    Location: https://newsletter.domain.com/
    Server: nginx centminmod
    X-Powered-By: centminmod
    
    curl -I http://www.newsletter.domain.com
    Code:
    HTTP/1.1 302 Moved Temporarily
    Date: Sun, 02 Feb 2020 13:16:19 GMT
    Content-Type: text/html
    Content-Length: 138
    Connection: keep-alive
    Location: https://newsletter.domain.com/
    Server: nginx centminmod
    X-Powered-By: centminmod
    
    I'm wondering if I shouldn't have used SAN SSL certificates, since I have multiple newsletter.domain.com, newsletter.domain-b.com, newsletter.domain-c.com pointing to mymailingsoftware.com public folder... but I thought it would work with let's encrypt and modifying the root folder of the newsletter.domain.com Vhosts...

    Any idea?

    Thanks
     
    Last edited: Feb 2, 2020
  4. eva2000

    What are the contents of /usr/local/nginx/conf/staticfiles.conf? Post the contents in CODE tags
    Code (Text):
    cat /usr/local/nginx/conf/staticfiles.conf
    
     
  5. eva2000

  6. eva2000

    For newsletter.domain.com, what you can do is sort of partial manual steps from Migrating Existing Nginx Vhost From HTTP to HTTP/2 based HTTPS With Letsencrypt SSL Certificates in that you temporarily disable your /usr/local/nginx/conf/conf.d/domain.com.ssl.conf nginx vhost and recreate the non-https nginx vhost /usr/local/nginx/conf/conf.d/domain.com.conf using the official Nginx vhost generator at Generate Centmin Mod Nginx Vhost - CentminMod.com LEMP Nginx web stack for CentOS (which is step 1 of guide at Migrating Existing Nginx Vhost From HTTP to HTTP/2 based HTTPS With Letsencrypt SSL Certificates).

    Then follow manual steps 2, 3, 4, 5 and 6 of guide at Migrating Existing Nginx Vhost From HTTP to HTTP/2 based HTTPS With Letsencrypt SSL Certificates where step 6 you can re-enable your https /usr/local/nginx/conf/conf.d/domain.com.ssl.conf nginx vhost and disable your non-https nginx vhost /usr/local/nginx/conf/conf.d/domain.com.conf again.

    Then you can test your domain at Let's Debug to ensure future renewals work.
     
  7. Benjamin74

    It's:

    Code:
    # prepare for letsencrypt
        # https://community.centminmod.com/posts/17774/
        location ~ /.well-known { location ~ /.well-known/acme-challenge/(.*) { more_set_headers    "Content-Type: text/plain"; } }
    
        location ~* \.(gif|jpg|jpeg|png|ico)$ {
          gzip_static off;
          #add_header Pragma public;
          #add_header X-Frame-Options SAMEORIGIN;
          #add_header X-Xss-Protection "1; mode=block" always;
          #add_header X-Content-Type-Options "nosniff" always;
          add_header Access-Control-Allow-Origin *;
          add_header Cache-Control "public, must-revalidate, proxy-revalidate, immutable, stale-while-revalidate=86400, stale-if-error=604800";
          access_log off;
          expires 30d;
          break;
        }
    
        location ~* \.(3gp|wmv|avi|asf|asx|mpg|mpeg|mp4|pls|mp3|mid|wav|swf|flv|exe|zip|tar|rar|gz|tgz|bz2|uha|7z|doc|docx|xls|xlsx|pdf|iso)$ {
          gzip_static off;
          sendfile off;
          sendfile_max_chunk 1m;
          #add_header Pragma public;
          #add_header X-Frame-Options SAMEORIGIN;
          #add_header X-Xss-Protection "1; mode=block" always;
          #add_header X-Content-Type-Options "nosniff" always;
          add_header Access-Control-Allow-Origin *;
          add_header Cache-Control "public, must-revalidate, proxy-revalidate, immutable, stale-while-revalidate=86400, stale-if-error=604800";
          access_log off;
          expires 30d;
          break;
        }
    
        location ~* \.(js)$ {
      #add_header Pragma public;
      #add_header X-Frame-Options SAMEORIGIN;
      #add_header X-Xss-Protection "1; mode=block" always;
      #add_header X-Content-Type-Options "nosniff" always;
      #add_header Referrer-Policy "strict-origin-when-cross-origin";
      add_header Access-Control-Allow-Origin *;
      add_header Cache-Control "public, must-revalidate, proxy-revalidate, immutable, stale-while-revalidate=86400, stale-if-error=604800";
        access_log off;
        expires 30d;
        break;
            }
    
        location ~* \.(css)$ {
      #add_header Pragma public;
      #add_header X-Frame-Options SAMEORIGIN;
      #add_header X-Xss-Protection "1; mode=block" always;
      #add_header X-Content-Type-Options "nosniff" always;
      #add_header Referrer-Policy "strict-origin-when-cross-origin";
      add_header Access-Control-Allow-Origin *;
      add_header Cache-Control "public, must-revalidate, proxy-revalidate, immutable, stale-while-revalidate=86400, stale-if-error=604800";
        access_log off;
        expires 30d;
        break;
            }
    
      #  location ~* \.(html|htm|txt)$ {
      #add_header Pragma public;
      #add_header X-Frame-Options SAMEORIGIN;
      #add_header X-Xss-Protection "1; mode=block" always;
      #add_header X-Content-Type-Options "nosniff" always;
      #add_header Referrer-Policy "strict-origin-when-cross-origin";
        #add_header Cache-Control "public, must-revalidate, proxy-revalidate";
        #access_log off;
        #expires 1d;
        #break;
      #      }
    
        location ~* \.(eot|svg|ttf|woff|woff2)$ {
      #add_header Pragma public;
      #add_header X-Frame-Options SAMEORIGIN;
      #add_header X-Xss-Protection "1; mode=block" always;
      #add_header X-Content-Type-Options "nosniff" always;
      #add_header Referrer-Policy "strict-origin-when-cross-origin";
      add_header Access-Control-Allow-Origin *;
      add_header Cache-Control "public, must-revalidate, proxy-revalidate";
        access_log off;
        expires 365d;
        break;
            }
    I think the problem might be that the newsletter.domain.com SSL certificate renewal expects a file (generated by acmetool?) to be found in "newsletter.domain.com/public/.well-known/acme-challenge/" but due to the editing of the root folder, it's now sent to mymailingsoftware.com/public/.well-known/acme-challenge/ which doesn't contain the file expected by the SSL renewal "checkup"...

    But no clue how to fix this if that's the problem.
     
  8. eva2000

    No, newsletter.domain.com will use whatever root is set as web root and it should work. If you can, provide info from letsdebug.net.
     
  9. Benjamin74

    Let's Debug says it's "All OK!" but running an SSL certificate checker like SSL Server Test (Powered by Qualys SSL Labs) says the SSL certificate is expired.

    I'll look deeper at your suggestion from #6, I didn't see it yesterday.
     
  10. eva2000

  11. Benjamin74

    Humm, this looks pretty tedious (because I have a dozen newsletter.domain-A.com, newsletter.domain-B.com, newsletter.domain-C.com, vhosts to configure...).

    And apparently renewal is "only" failing because it cannot reach the:

    Code:
    newsletter.domain-A.com:Verify error:Invalid response from https://newsletter.domain-A.com/.well-known/acme-challenge/gloXmVJRgKx7_z6KJQi-L2r1JJM6TyvYMoaGQ6gKjGw
    So "in theory" it's just a problem of allowing the renewal routine to find this "gloXmVJRgKx7_z6KJQi-L2r1JJM6TyvYMoaGQ6gKjGw" file, isn't it?
     
  12. eva2000

    Your problem is you have HTTPS default on the domain and the SSL cert has expired, so Let's Encrypt can't reach its /.well-known. So the temp instructions I outlined allow you to re-enable non-HTTPS and disable the non-HTTPS to HTTPS redirect so Let's Encrypt can validate against non-HTTPS /.well-known first.
     
  13. eva2000

    Or you can manually set up a multi-domain SAN Let's Encrypt SSL cert to be used by all your domains.

    So if you want, say, all 5 domains/subdomains on the same Let's Encrypt SSL certificate pointing to the same single script/site vhost at /home/nginx/domains/domain.com/public web root:
    • domain.com
    • www.domain.com
    • sub1.domain.com
    • sub2.domain.com
    • sub3.domain.com
    If you have not yet created any of the 5 domains/nginx vhosts, you can use addons/acmetool.sh directly via SANS Multi-Domain SSL Certificates method.

    But if you already created domain.com (example below newdomain.com), then you would have to manually do it using existing vhost guide just with minor change to step 4 instead. So for step 4 of the existing vhost guide, instead of these 2 commands
    Code (Text):
    /root/.acme.sh/acme.sh --force --issue --days 60 -d newdomain.com -d www.newdomain.com -w /home/nginx/domains/newdomain.com/public -k 2048 --useragent centminmod-centos-acmesh-webroot --log /root/centminlogs/acmetool.sh-debug-log-newdomain.com.log --log-level 2
    /root/.acme.sh/acme.sh --installcert -d newdomain.com -d www.newdomain.com --certpath /usr/local/nginx/conf/ssl/newdomain.com/newdomain.com-acme.cer --keypath /usr/local/nginx/conf/ssl/newdomain.com/newdomain.com-acme.key --capath /usr/local/nginx/conf/ssl/newdomain.com/newdomain.com-acme.cer --reloadCmd /usr/bin/ngxreload --fullchainpath /usr/local/nginx/conf/ssl/newdomain.com/newdomain.com-fullchain-acme.key
    

    where you have
    Code (Text):
    -d newdomain.com -d www.newdomain.com
    

    it would be changed to
    Code (Text):
    /root/.acme.sh/acme.sh --force --issue --days 60 -d newdomain.com -d www.newdomain.com -d sub1.newdomain.com -d sub2.newdomain.com -d sub3.newdomain.com -w /home/nginx/domains/newdomain.com/public -k 2048 --useragent centminmod-centos-acmesh-webroot --log /root/centminlogs/acmetool.sh-debug-log-newdomain.com.log --log-level 2
    /root/.acme.sh/acme.sh --installcert -d newdomain.com -d www.newdomain.com -d sub1.newdomain.com -d sub2.newdomain.com -d sub3.newdomain.com --certpath /usr/local/nginx/conf/ssl/newdomain.com/newdomain.com-acme.cer --keypath /usr/local/nginx/conf/ssl/newdomain.com/newdomain.com-acme.key --capath /usr/local/nginx/conf/ssl/newdomain.com/newdomain.com-acme.cer --reloadCmd /usr/bin/ngxreload --fullchainpath /usr/local/nginx/conf/ssl/newdomain.com/newdomain.com-fullchain-acme.key
    

    so pass all domains you want on your Let's Encrypt SSL certificate
    Code (Text):
    -d newdomain.com -d www.newdomain.com -d sub1.newdomain.com -d sub2.newdomain.com -d sub3.newdomain.com
    

    Note all domains have to have DNS with A records pointing to server IP first and nginx vhost server_name directive has to list them all first too i.e.
    Code (Text):
    server {
      listen 443 ssl http2;
      server_name newdomain.com www.newdomain.com sub1.newdomain.com sub2.newdomain.com sub3.newdomain.com;
    

    Note all domain/subdomains listed in the server_name directive would need to be exclusively used in the same single nginx vhost site and not have been created anywhere else on the server, i.e. additional/separate centmin.sh menu option 2/22/nv cmd created nginx vhosts should NOT have the same domain/subdomain names.

    If you have existing /usr/local/nginx/conf/conf.d/newdomain.com.ssl.conf and/or /usr/local/nginx/conf/conf.d/newdomain.com.conf nginx vhosts, back those up as the contents may be changed by the letsencrypt ssl cert process done during setup.
     
  14. Benjamin74

    Hello all,

    I haven't been able to fix this in an @eva2000 recommended way ;-) but found a solution I wanted to share.

    The problem with SAN certificates is that my list of subdomain.domain.com will keep on increasing, so I'm not sure it could work.

    My workaround is the following:

    1) Edit the vhosts of newsletter.domain.com, newsletter.domain2.com, newsletter.domain3.com to have the root pointing where it is supposed to point (i.e. root /home/nginx/domains/newsletter.domain.com/public, root /home/nginx/domains/newsletter.domain2.com/public and root /home/nginx/domains/newsletter.domain3.com/public)

    2) Use acmetool to reissue the certificate... the .well-known file will be reached as expected by Let's Encrypt

    3) Switch back the vhosts of newsletter.domain.com, newsletter.domain2.com, newsletter.domain3.com to have the root pointing to the mailing app domain (i.e. all pointing to root /home/nginx/domains/mymailingsoftware.com/public)

    To do that I use the following script "bja_1_point_back_to_subdomain.sh" for 1):

    Code:
    #!/bin/bash
    # Subdomain vhosts whose root should temporarily point back at their own webroot
    declare -a DomainStringArray=("newsletter.domain.com" "newsletter.domain2.com" "newsletter.domain3.com")
    # The mailing app domain these vhosts normally serve from
    maindomain="mysuperemailingappdomain.com"
    # Iterate over the domains
    for domain in "${DomainStringArray[@]}"; do
        # Point BACK to the subdomain's own webroot so the ACME challenge file is found on re-issue
        sed -i -e "s~root /home/nginx/domains/$maindomain/public;~root /home/nginx/domains/$domain/public;~g" "/usr/local/nginx/conf/conf.d/$domain.ssl.conf"
    done
    service nginx restart
    For 2) I simply cd /usr/local/src/centminmod/addons && ls and then run all the reissue commands one by one:

    ./acmetool.sh reissue newsletter.domain.com lived
    ./acmetool.sh reissue newsletter.domain2.com lived
    ./acmetool.sh reissue newsletter.domain3.com lived

    Then for 3) I use this script bja_3_point_to_mailapp_after_reissuing_ssl.sh

    Code:
    #!/bin/bash
    # Subdomain vhosts to point at the mailing app again once their certificate is re-issued
    declare -a DomainStringArray=("newsletter.domain.com" "newsletter.domain2.com" "newsletter.domain3.com")
    # The mailing app domain these vhosts normally serve from
    maindomain="mysuperemailingappdomain.com"
    # Iterate over the domains
    for domain in "${DomainStringArray[@]}"; do
        # Point to MAINDOMAIN after the certificate has been re-issued
        sed -i -e "s~root /home/nginx/domains/$domain/public;~root /home/nginx/domains/$maindomain/public;~g" "/usr/local/nginx/conf/conf.d/$domain.ssl.conf"
    done
    service nginx restart
    Hope it helps if someone gets stuck like I was ;-)
     
    Last edited: Aug 26, 2020
  15. eva2000

    Interesting approach thanks for sharing
     
  16. Benjamin74

    No problem, happy to share!

    I'm a total vhost noob but I guess one other solution would be to have an nginx rule that would let "just" the access to the .well-known directory go to the subdomain and the rest of the root pointing to the mailingappdomain.

    Just a question @eva2000 : is it possible to "script" this part that I do manually:

    ./acmetool.sh reissue newsletter.domain.com lived
    ./acmetool.sh reissue newsletter.domain2.com lived
    ./acmetool.sh reissue newsletter.domain3.com lived

    There is a prompt each time (Can't remember the wording but as far as I remember it's maybe "acme is in beta, are you sure you want to continue?"), that's why I'm doing it manually, but maybe there is a command line option to run these commands and "confirm" automatically the prompt?

    Apparently from the acmetool documentation it should/could be one of these flags:

    Code:
    --batch
    Do not attempt interaction; useful for cron jobs. (acmetool can still obtain responses from a response file, if one was provided.)
    --stdio
    Don't attempt to use console dialogs; fall back to stdio prompts
    Any idea of what the flag should be? I suspect it's --batch

    Thanks a lot,
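The "let just /.well-known go to the subdomain" idea above can be done with a dedicated prefix location in each subdomain's HTTPS vhost, so the root directive never has to be swapped around a renewal. The script below is an added example written for this thread, not Benjamin74's script and not part of Centmin Mod. It assumes the Centmin Mod paths shown earlier in the thread; the snippet file name acme-challenge-<domain>.conf and the function names are chosen here. Only the HTTPS server block needs the location: the HTTP vhost above redirects everything to HTTPS with a server-level return 302, and Let's Encrypt's validator follows that redirect without checking the target's certificate.

```bash
#!/bin/bash
# Added example for this thread, not Benjamin74's script or part of Centmin Mod.
# Gives each subdomain vhost a dedicated location for the ACME HTTP-01 path,
# served from the subdomain's own webroot (where acme.sh writes the token),
# while "/" keeps serving the mailing app. Assumptions: Centmin Mod paths as
# shown in the thread; snippet files named acme-challenge-<domain>.conf under
# /usr/local/nginx/conf (a name chosen here); nginx on PATH for "nginx -t".
set -eu

NGX_CONF="${NGX_CONF:-/usr/local/nginx/conf}"
CONF_DIR="${CONF_DIR:-$NGX_CONF/conf.d}"

# Emit the location block for one domain. "^~" is a prefix match that wins over
# the regex "location ~ /.well-known" in staticfiles.conf, and the root inside
# it overrides whatever root the server block sets.
acme_challenge_snippet() {
  cat <<EOF
# ACME HTTP-01 challenge path for $1, served from its own webroot
location ^~ /.well-known/acme-challenge/ {
    root /home/nginx/domains/$1/public;
    default_type text/plain;
    try_files \$uri =404;
}
EOF
}

# Write the snippet and add an include for it right after the vhost's root
# directive (server level in the vhosts above), only once. Prints the path.
install_acme_override() {
  local domain="$1" conf="$2" snippet="$NGX_CONF/acme-challenge-$1.conf"
  acme_challenge_snippet "$domain" > "$snippet"
  if ! grep -qF -- "include $snippet;" "$conf"; then
    sed -i "/^[[:space:]]*root[[:space:]].*;/a include $snippet;" "$conf"
  fi
  echo "$snippet"
}

# True when the vhost already includes a challenge override snippet.
has_acme_override() {
  grep -q '^[[:space:]]*include .*acme-challenge-.*\.conf;' "$1"
}

# Usage: ./acme-challenge-override.sh newsletter.domain.com newsletter.domain2.com
if [ "$#" -gt 0 ]; then
  for d in "$@"; do
    install_acme_override "$d" "$CONF_DIR/$d.ssl.conf"
  done
  nginx -t && /usr/bin/ngxreload   # reload only if the config validates
fi
```

After running it once per subdomain, a plain ./acmetool.sh reissue newsletter.domain.com lived finds the token under /home/nginx/domains/newsletter.domain.com/public even though everything else is served from the mailing app's webroot; the include line is added only once, so the script is safe to re-run when new subdomains are added.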
     
  17. Benjamin74

    Nevermind I found the solution to script the step 2 (renewal of newsletter.domain.com, newsletter.domain2.com, newsletter.domain3.com):


    Code:
    #!/bin/bash
    # Go to the acmetool folder (stop if it is missing)
    cd /usr/local/src/centminmod/addons || exit 1
    # Subdomains whose certificate should be re-issued
    declare -a DomainStringArray=("newsletter.domain.com" "newsletter.domain2.com" "newsletter.domain3.com")
    # Iterate over the domains
    for domain in "${DomainStringArray[@]}"; do
        # "yes" answers the beta continue prompt so the reissue runs unattended
        yes | ./acmetool.sh reissue "$domain" lived
    done
    service nginx restart
    So now it can all be done with these 3 scripts (and I guess I can probably group them all into one single script)
     
  18. eva2000

    For unattended runs, just echo the 'y' answer
    Code (Text):
    echo y | ./acmetool.sh reissue newsletter.domain.com lived
    

    Or to completely turn off the beta continue prompt, just disable it via NOTICE='n' in the persistent config file /etc/centminmod/custom_config.inc. Actually, can't do that, as it's hardcoded in acmetool.sh itself.
     
    Last edited: Aug 26, 2020
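Pulling the three scripts from posts #14 and #17 and the echo y answer from #18 into one script, as an added example for this thread (not Benjamin74's or Centmin Mod's code). It assumes the paths shown on this page (conf.d vhosts, acmetool.sh under addons, /usr/bin/ngxreload as the reload command) and, for an extra check, that acme.sh records the webroot it was issued with as Le_Webroot='...' in /root/.acme.sh/<domain>/<domain>.conf (an assumption about acme.sh's own files; ECC certificates use <domain>_ecc instead). The function names are chosen here. The check is there because that recorded webroot, not nginx's current root directive, is where acme.sh writes the challenge token, which is why pointing root back at the subdomain makes the reissue succeed.

```bash
#!/bin/bash
# Added example for this thread, not Benjamin74's or Centmin Mod's script.
# Assumptions (paths taken from the thread unless marked):
#   vhosts:      /usr/local/nginx/conf/conf.d/<domain>.ssl.conf with one
#                "root /home/nginx/domains/<x>/public;" line
#   acmetool.sh: /usr/local/src/centminmod/addons
#   reload:      /usr/bin/ngxreload
#   acme.sh:     records the webroot it was issued with as Le_Webroot='...'
#                in /root/.acme.sh/<domain>/<domain>.conf (assumption about
#                acme.sh's own files; ECC certs use <domain>_ecc instead)
set -eu

CONF_DIR="${CONF_DIR:-/usr/local/nginx/conf/conf.d}"
ACME_HOME="${ACME_HOME:-/root/.acme.sh}"
ADDONS_DIR="${ADDONS_DIR:-/usr/local/src/centminmod/addons}"
APP_DOMAIN="${APP_DOMAIN:-mymailingsoftware.com}"   # shared mailing-app webroot

# Print the path set by the vhost's (uncommented) root directive.
vhost_root() {
  sed -n 's/^[[:space:]]*root[[:space:]][[:space:]]*\([^;]*\);.*/\1/p' "$1" | head -n1
}

# Rewrite "root /home/nginx/domains/<from>/public;" to point at <to>.
# Keeps a .bak copy (nginx only includes conf.d/*.conf, so it is ignored) and
# returns 1 without touching the file when the expected root is not there.
set_vhost_root() {
  local conf="$1" from="$2" to="$3"
  local old="/home/nginx/domains/$from/public" new="/home/nginx/domains/$to/public"
  [ "$(vhost_root "$conf")" = "$old" ] || return 1
  cp -p "$conf" "$conf.bak"
  sed -i "s~^\([[:space:]]*root[[:space:]][[:space:]]*\)$old;~\1$new;~" "$conf"
  [ "$(vhost_root "$conf")" = "$new" ]
}

# Webroot acme.sh recorded at issue time: the HTTP-01 token is written under
# this directory, so nginx must serve /.well-known/acme-challenge/ from it.
acme_recorded_webroot() {
  sed -n "s/^Le_Webroot='\(.*\)'\$/\1/p" "$ACME_HOME/$1/$1.conf" 2>/dev/null | head -n1
}

# True when the vhost root and acme.sh's recorded webroot agree.
webroot_matches() {
  local want
  want="$(acme_recorded_webroot "$1")"
  [ -n "$want" ] && [ "$want" = "$(vhost_root "$2")" ]
}

# Unattended reissue: pipe the "y" answer to the beta prompt (eva2000's tip).
reissue() {
  ( cd "$ADDONS_DIR" && echo y | ./acmetool.sh reissue "$1" lived )
}

# One full cycle for a subdomain: point root back, reissue, point root forward.
cycle_domain() {
  local domain="$1" conf="$CONF_DIR/$1.ssl.conf"
  set_vhost_root "$conf" "$APP_DOMAIN" "$domain" || {
    echo "skip $domain: root in $conf is not $APP_DOMAIN's webroot" >&2; return 1; }
  webroot_matches "$domain" "$conf" ||
    echo "warning: $domain: acme.sh webroot differs from vhost root" >&2
  /usr/bin/ngxreload
  reissue "$domain"
  set_vhost_root "$conf" "$domain" "$APP_DOMAIN"
  /usr/bin/ngxreload
}

# Usage: APP_DOMAIN=mymailingsoftware.com ./acme-rootswap.sh newsletter.domain.com newsletter.domain2.com
if [ "$#" -gt 0 ]; then
  for d in "$@"; do cycle_domain "$d"; done
fi
```

The root swap refuses to run when the vhost is not currently on the mailing app's webroot, so a half-finished earlier run cannot be flipped the wrong way, and the .bak copy gives the backup eva2000 recommended before letting the certificate tooling touch a vhost.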