
vhost installation SSL fix, Cloudflare strict mode

Discussion in 'Install & Upgrades or Pre-Install Questions' started by adamus007p, Jul 3, 2025.

  1. adamus007p

    adamus007p Member

    Please fill in any relevant information that applies to you:
    • CentOS Version: AlmaLinux 9.6
    • Centmin Mod Version Installed: 132.00stable
    • php 8.3

    @eva2000 I have installed a few WordPress blog vhosts (option 22),
    but the domain was pointed to the other IP, so I believe that the SSL was not generated.
    SSL/Authenticated Origin Pulls

    Is it possible, and how would I do it, to change the IP to the current VPS and re-create all SSLs?


    My options during installation were:

    Code (Text):
    set ssl_self_signed "y"
    set ssl_letsencrypt "y"
    set ssl_option "4"
    set install_theme "n"
    set install_classic "y"
    set install_autoptimize "y"
    set install_lazyload "y"
    set custom_admin_display "y"
    set admin_display_name "admin3211"
    set install_subdir_blog "n"
    set disable_auto_wp "n"
    set disable_wp_login "n"
    set admin_email "admin@domain.com"
    set cache_option "1"
    set generate_ftp_pass "y"
    


    Now I get an error when I want to use SSL strict mode. How do I re-create the SSL or fix it?




    Should I do only this, or something else too?

    Code (Text):
    cd /usr/local/src/centminmod/addons
    ./acmetool.sh issue domain.com live


    or
    Code (Text):
    /root/.acme.sh/acme.sh --cron --home /root/.acme.sh --force
    
     
    Last edited: Jul 4, 2025
  2. eva2000

    eva2000 Administrator Staff Member

    Did you set up Centmin Mod Letsencrypt to use the Cloudflare DNS API domain validation method for issuing Letsencrypt SSL certificates on your Centmin Mod Nginx origin server side? Or regular Letsencrypt with LETSENCRYPT_DETECT='y' (see Letsencrypt Free SSL Certificates Integration For Centmin Mod LEMP Stack)?

    To see your Letsencrypt SSL certificate status for issuances and the local server install, you can run the addons/acmetool.sh checkdates command:
    Code (Text):
    /usr/local/src/centminmod/addons/acmetool.sh checkdates
    

    It will provide you with 2 sections:
    1. nginx installed - Letsencrypt SSL certificates that were issued and installed into a Centmin Mod Nginx vhost
    2. acme.sh obtained - certificates that Letsencrypt has issued to you, which may or may not be installed.
    If you have the same domain SSL certificate listed in both sections, it means that SSL certificate is installed and working on your server.

    Do you see the SSL certificate for your intended domain in both sections?
     
  3. adamus007p

    adamus007p Member

    Yes, I do. This is my persistent file:

    Code (Text):
    CF_DNSAPI_GLOBAL='y'
    CF_Token="token"
    CF_Account_ID="account"
    NGINX_SSLCACHE_ALLOWOVERRIDE='y'
    NGINX_STAPLE_CACHE_OVERRIDE='y'
    NGINX_STAPLE_CACHE_TTL='86400'
    SET_DEFAULT_MYSQLCHARSET='utf8mb4'
    AUTOHARDTUNE_NGINXBACKLOG='y'
    ZSTD_LOGROTATE_NGINX='y'
    ZSTD_LOGROTATE_PHPFPM='y'
    LETSENCRYPT_DETECT='y'
    DUALCERTS='y'
    SELFSIGNEDSSL_ECDSA='y'
    NGINX_LIBBROTLI='y'
    NGXDYNAMIC_BROTLI='y'
    PHP_PGO_ALWAYS='y'
    PHP_PGO='y'
    PHP_BROTLI='y'
    PHP_LZFOUR='y'
    PHP_LZF='y'
    PHP_ZSTD='y'
    MARCH_TARGETNATIVE='n'
    AUDITD_ENABLE='y'
    PHPINTL='y'
    PHPFINFO='y'
    LIBRESSL_SWITCH='n'
    DMOTD_PHPCHECK='y'
    WPCLI_CE_QUERYSTRING_INCLUDED='y'
    NGINX_ZERODT='y'
    VHOSTCTRL_CLOUDFLAREINC='y'
    PUREFTPD_DISABLED='y'
    EMAIL='mail@domain.com'
    SET_DEFAULT_MYSQLCHARSET='utf8mb4'
    SELFSIGNEDSSL_ECDSA='y'
    PHPFINFO='y'
    PHP_OVERWRITECONF='n'
    PYTHON_INSTALL_ALTERNATIVES='y'
    



    OK, I ran:
    Code (Text):
    /usr/local/src/centminmod/addons/acmetool.sh checkdates
    

    and on one server I see:

    Code (Text):
    ----------------------------------------------
    nginx installed
    ----------------------------------------------
    
    /usr/local/nginx/conf/ssl/domain1.com/domain1.com-acme.cer
    SHA1 Fingerprint=22Axxxxxxxxxxxxxxxxxx3F8F18F357B
    certificate expires in 78 days on 20 Sep 2025
    
    /usr/local/nginx/conf/ssl/domain1.com/domain1.com-acme-ecc.cer
    SHA1 Fingerprint=6xxxxxxxxxxx335B169E34
    certificate expires in 78 days on 20 Sep 2025
    
    /usr/local/nginx/conf/ssl/domain2.com/domain2.com-acme-ecc.cer
    SHA1 Fingerprint=F0xxxxxxxxxxxxxxxC22B490C
    certificate expires in 78 days on 20 Sep 2025
    
    /usr/local/nginx/conf/ssl/domain2.com/domain2.com-acme.cer
    
    and
    ----------------------------------------------
    acme.sh obtained
    ----------------------------------------------
    
    /root/.acme.sh/domain1.com/domain1.com.cer
    SHA1 Fingerprint=463F2xxxxxxxxxxxxxxxxxxxxxxx64AA
    [ below certifcate transparency link is only valid ~1hr after issuance ]
    https://crt.sh/?sha1=463F2946xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx64AA
    certificate expires in 69 days on 11 Sep 2025
    Letsencrypt validation method: Le_Webroot='dns_cf'
    
    /root/.acme.sh/domain2.com_ecc/domain2.com.cer
    SHA1 Fingerprint=ExxxxxxxxxxxxxxxxxxxxxxxxxxxxC40D9
    [ below certifcate transparency link is only valid ~1hr after issuance ]
    https://crt.sh/?sha1=E3xxxxxxxxxxxxxxxxxxxxxxxxxxxx0D9
    certificate expires in 69 days on 11 Sep 2025
    Letsencrypt validation method: Le_Webroot='dns_cf'
    
    
    


    in VPS2:
    Code (Text):
    /usr/local/src/centminmod/addons/acmetool.sh checkdates
    ----------------------------------------------
    nginx installed
    ----------------------------------------------
    
    ----------------------------------------------
    acme.sh obtained
    ----------------------------------------------
    
    



    I use a working API, I have checked it, but it is not working. I have no idea how...

    Should it be:
    Code (Text):
    cd /usr/local/src/centminmod/addons
    ./acmetool.sh issue domain1.com lived
    
    cd /usr/local/src/centminmod/addons
    ./acmetool.sh issue domain2.com lived
    
    

    and so on?

    @eva2000 what can I do with the 2nd VPS?
     
    Last edited: Jul 4, 2025
  4. eva2000

    eva2000 Administrator Staff Member

    So the 2nd VPS is the one with the problem?

    First try running your intended SSL certificate domain through the letsdebug.net online testing tool to check for potential errors with HTTP-01 validation. If you created a Centmin Mod 123.09beta01 or higher Nginx site with Letsencrypt via centmin.sh menu option 2, 22 or the nv command line, you also have an automatic letsdebug.net API check log saved at /root/centminlogs/letsdebug-yourdomain.com-${DT}.log, where yourdomain.com is the domain specified during nginx vhost creation and DT is the date/timestamp. Inspecting the /root/centminlogs/letsdebug-yourdomain.com-${DT}.log log will also give you clues as to why letsencrypt SSL certificate issuance failed.

    How was the initial letsencrypt SSL certificate obtained? Which method?
    • Was the domain nginx vhost already created prior, or was it a new domain nginx vhost site set up for the first time?
    • Via centmin.sh menu option 2, 22, /usr/bin/nv ?
    • If you ran centmin.sh menu option 2 or 22, which letsencrypt option did you select from
      Code (Text):
      -------------------------------------------------------------
      Setup full Nginx vhost + Wordpress + WP Plugins
      -------------------------------------------------------------
      
      Enter vhost domain name you want to add (without www. prefix): acme3.domain1.com
      
      Create a self-signed SSL certificate Nginx vhost? [y/n]: n
      Get Letsencrypt SSL certificate Nginx vhost? [y/n]: y
      
      You have 4 options:
      1. issue staging test cert with HTTP + HTTPS
      2. issue staging test cert with HTTPS default
      3. issue live cert with HTTP + HTTPS
      4. issue live cert with HTTPS default
      Enter option number 1-4: 1
      
    • Via addons/acmetool.sh? Which specific command? Examples:
      Code (Text):
      ./acmetool.sh issue acme.domain.com
      
      Code (Text):
      ./acmetool.sh issue acme.domain.com live
      
      Code (Text):
      ./acmetool.sh issue acme.domain.com d
      
      Code (Text):
      ./acmetool.sh issue acme.domain.com lived
      
    • What was the order of steps you did? Did you run centmin.sh menu option 2 first with letsencrypt? Then did you run addons/acmetool.sh afterwards?

    Centmin Mod Self-Signed SSL Fallback

    If you're seeing Centmin Mod's self-signed SSL certificate instead of a letsencrypt SSL certificate, then that's acmetool.sh and centminmod's fallback: if letsencrypt verification fails to obtain a letsencrypt SSL cert, it falls back to the Centmin Mod self-signed SSL certificate on the https port 443 side so as to preserve the https nginx vhost.

    Troubleshooting

    There are various steps you can take to troubleshoot failed letsencrypt issuances, renewals, reissues etc.
    • acmetool.sh logs all command line or shell menu runs to log files at /root/centminlogs. To troubleshoot, copy the contents of the log run, post them to pastebin.com or gist.github.com and share the link in this thread. To find the log, list the logs in ascending date order:
      Code (Text):
      ls -lahrt /root/centminlogs
      
    • You can also do a quick grep filter on all previous and current acmetool.sh runs of the underlying acme.sh client for errors listed in errordetails field of each log using the command below:
      Code (Text):
      find /root/centminlogs/ -type f -name 'acme*.log' -printf '%TY-%Tm-%Td %TH:%TM:%TS %p\n' | sort | awk '{print $3}' | xargs -d '\n' grep -i 'errordetail'
      
    • For direct acmetool.sh runs, there should be a 2nd & 3rd & 4th log in format /root/centminlogs/centminmod_${DT}_nginx_addvhost_nv.log and /root/centminlogs/acmetool.sh-debug-log-$DT.log and /root/centminlogs/acmesh-issue_*.log or /root/centminlogs/acmesh-reissue_*.log which would need to be included via separate pastebin.com or gist.github.com post.
    • Enable acmetool.sh debug mode. In the persistent config file at /etc/centminmod/custom_config.inc (create it if it doesn't exist), add the setting below to enable acmetool.sh debug mode, which gives much more verbose letsencrypt issuance process information when you re-run acmetool.sh or centmin.sh menu options 2, 22 or the /usr/bin/nv command lines.
      Code (Text):
      ACMEDEBUG='y'
    If acme.sh auto renewals didn't happen, check the output of the following commands:
    Code (Text):
    grep acme /var/log/cron* | sed -e "s|$(hostname -s)|host|g"
    

    Code (Text):
    echo y | /usr/local/src/centminmod/addons/acmetool.sh checkdates
    

    Code (Text):
    "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh"
    

    Code (Text):
    echo | openssl s_client -connect yourdomain.com:443
    

    Without the answers to above questions and logs, there is nothing to help troubleshoot.

    SSLLabs Test

    Also run your HTTPS domain site through the SSLLabs tester at SSL Server Test (Powered by Qualys SSL Labs); if it says untrusted SSL cert and prompts to continue the test, continue the test.

    Cloudflare

    If you use Cloudflare, instead of the default Letsencrypt web root validation you can use Cloudflare's DNS API for Letsencrypt DNS validation for your domain. See the outline at the bottom of the page at Letsencrypt Free SSL Certificates.
     
  5. adamus007p

    adamus007p Member

    I installed a fresh Centmin Mod and used option 22 to install the same vhost as on the old VPS, but the IP was pointing to the old VPS.

    My install process was the following:

    Code (Text):
    set ssl_self_signed "y"
    set ssl_letsencrypt "y"
    set ssl_option "4" >> 4. issue live cert with HTTPS default
    set install_theme "n"
    set install_classic "y"
    set install_autoptimize "y"
    set install_lazyload "y"
    set custom_admin_display "y"
    set admin_display_name "admin3211"
    set install_subdir_blog "n"
    set disable_auto_wp "n"
    set disable_wp_login "n"
    set admin_email "admin@domain.com"
    set cache_option "1"
    set generate_ftp_pass "y"
    



    I ran this command:
    Code (Text):
    ./acmetool.sh issue domain2.com lived
    
    and I see the certs are recreated.

    Is it a proper way/method?

    Now I see:
    Code (Text):
    echo y | /usr/local/src/centminmod/addons/acmetool.sh checkdates
    
    and then:

    Code (Text):
    nginx installed
    ----------------------------------------------
    
    /usr/local/nginx/conf/ssl/domain1.com/domain1.com-acme.cer
    SHA1 Fingerprint=7C9xxxxxxxxxxxxxxxxxxxxB3D7
    certificate expires in 88 days on 1 Oct 2025
    
    ----------------------------------------------
    acme.sh obtained
    ----------------------------------------------
    
    /root/.acme.sh/domain1.com/domain1.com.cer
    SHA1 Fingerprint=7xxxxxxxxxxxxxxxxxxE19EB3D7
    [ below certifcate transparency link is only valid ~1hr after issuance ]
    https://crt.sh/?sha1=7xxxxxxxxxxxxxxxxxxxx1DE19EB3D7
    certificate expires in 88 days on 1 Oct 2025
    Letsencrypt validation method: Le_Webroot='dns_cf'
    
     
  6. eva2000

    eva2000 Administrator Staff Member

    If that works, then yes :)