Problem issuing LE cert to subdomain

Discussion in 'Bug Reports' started by fly, Sep 28, 2019.

  1. fly

    fly Member

    Please fill in any relevant information that applies to you:
    • CentOS Version: CentOS 7
    • Centmin Mod Version Installed: 123.09beta01
    • Nginx Version Installed: 1.17.3
    • PHP Version Installed: 7.3.9
    • MariaDB MySQL Version Installed: 10.3.18
    • When was last time updated Centmin Mod code base ? : Today
    • Persistent Config:
      Code:
      LETSENCRYPT_DETECT='y'
      
    Getting an odd error with Let's Encrypt when attempting to do Option 2. When attempting to request a cert, I get the following error:

    Code:
    sub.domain.com is not a top level domain
    your server IPv4 IP address: 1.2.3.4
    current DNS A rv4ecord IP address for sub.domain.com is: 1.2.3.4
    
    !! Error: DNS A record IP doesn't match any found on this server
    
    Abort this Nginx vhost domain setup to setup updated DNS A record(s) first? [y/n]: 
    
    So the IPs obviously match. The server is running on AWS, so it's essentially NAT'd. Not sure if that has something to do with it?

     
  2. eva2000

    eva2000 Administrator Staff Member

    What's the output for these commands, replacing yourdomain.com with the actual domain name you entered at the centmin.sh menu option 2 prompt?
    Code (Text):
    vhostname_dns=yourdomain.com
    VHOST_ACHECK=$(dig -t A +short @8.8.8.8 $vhostname_dns)
    echo $VHOST_ACHECK
    

    and, within the same SSH session as the above commands, run this command and post any output, if any:
    Code (Text):
    ifconfig | grep 'inet' | grep $VHOST_ACHECK
    

    Most likely it's because Centmin Mod hasn't been tested on NAT'd servers where there is no public IPv4 IP address. You'd need to assign a public IPv4 IP address to the server, as that is what the above error is checking for in order for Letsencrypt domain validation to work, since it needs to check that the domain is pointing to the server's IPv4 IP address.

    You can bypass centmin.sh menu option 2's DNS check if you use the nv command line method of creating an Nginx vhost, outlined at Nginx Vhost & NSD DNS Setup - CentminMod.com LEMP Nginx web stack for CentOS, but there's no guarantee for Letsencrypt domain validation, as Letsencrypt via webroot authentication in the nv command is the same as centmin.sh menu option 2 or 22: the Letsencrypt side needs to check that the domain is pointing to the server's IPv4 IP address.

    The only other way is via Letsencrypt DNS based validation, which is a manual process supported in addons/acmetool.sh's underlying acme.sh client. Centmin Mod only supports the Cloudflare DNS API for validation, outlined at Cloudflare API Support in DNS Mode. However, the acme.sh client installed by addons/acmetool.sh supports many other DNS clients you can use manually yourself: Neilpang/acme.sh

    The easiest way, though, is having a public IPv4 IP address on the server.
     
  3. eva2000

    eva2000 Administrator Staff Member

    Actually, rethinking what I said: as it's webroot authentication, the nv cmd method might work behind NAT without a public IPv4 IP, as all Letsencrypt is validating is the /.well-known validation for the domain you want SSL for. So if your domain.com/.well-known validation works, it shouldn't matter if you're using NAT without a public IPv4 IP address. No guarantees, but you can try.

    What were you using before for Centmin Mod Letsencrypt SSL based HTTPS on your AWS servers? Surely this isn't the first time this issue has come up?
     
  4. eva2000

    eva2000 Administrator Staff Member

    @fly also, do you get your domain's DNS A record IP address when you run this command in SSH on your NAT based AWS server?
    Code (Text):
    curl -4sL https://ipinfo.io/

    and
    Code (Text):
    curl http://169.254.169.254/latest/meta-data/public-ipv4

    and does this command return the local private IP?
    Code (Text):
    curl http://169.254.169.254/latest/meta-data/local-ipv4

    Also, on your AWS NAT enabled server, do these 2 files exist?
    Code (Text):
    ls -lah /etc/sysctl.d/10-nat-settings.conf
    ls -lah /usr/sbin/configure-pat.sh
    
     
  5. fly

    fly Member

    Thanks for the replies!

    In the past, I've used the acmetool to request SSL certs for various domains on Amazon Linux without issue. And of note, it seems to work fine on Centmin Mod if it's a root domain. The only issue is with subdomains.

    The commands you listed above work as expected, except the check for the last two files: those don't exist.
     
  6. eva2000

    eva2000 Administrator Staff Member

    'Only issue' you mean with this message in the 1st post? That I added a while back to 123.09beta01:
    Code (Text):
    sub.domain.com is not a top level domain
    your server IPv4 IP address: 1.2.3.4
    current DNS A rv4ecord IP address for sub.domain.com is: 1.2.3.4
    
    !! Error: DNS A record IP doesn't match any found on this server
    
    Abort this Nginx vhost domain setup to setup updated DNS A record(s) first? [y/n]:
    

    Looking at 123.09beta01's inc/nginx_addvhost.inc include file's commit history and blame mode, it appears I added this check into centmin.sh menu option 2 way back 3 years ago, though it was revised ~6 months ago in commit update inc/nginx_addvhost.inc check_dns function in 123.09beta01 · centminmod/centminmod@0d00a15

    Seems to be related to the ifconfig grep check; for a NAT system with a reported public IP, I guess the check fails:
    Code (Text):
    ifconfig | grep 'inet' | grep thedomain-lookedup-public-ip

    The assumption I made in the routine's checks is that the public IPv4 IP of the server would be found in the ifconfig grep filter on keyword 'inet'. Obviously, for a NAT based AWS server, ifconfig won't show the public IPv4 IP looked up.

    I could revise it to detect if the server is hosted on AWS and use a different check from the ifconfig grep, i.e. use the metadata available for an AWS server instance:
    Code (Text):
    curl http://169.254.169.254/latest/meta-data/public-ipv4
    

    though a better way to detect a NAT system and an alternative generic method to ifconfig would be better for non-AWS NAT based systems.
     
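An added example, not Centmin Mod's own inc/nginx_addvhost.inc code: a NAT-aware version of the DNS A record check discussed above. The three inputs (DNS A record IP, locally bound IPv4 addresses, externally observed public IP) are passed in explicitly so the decision logic runs offline; the helper names and the 172.31.x private address are assumptions, and 1.2.3.4 is the placeholder from the posts.

```shell
#!/bin/sh
# Added example, not Centmin Mod's own code. NAT-aware DNS A record check.
#   $1  DNS A record IP of the vhost domain (live: dig -t A +short @8.8.8.8 "$domain")
#   $2  space-separated IPv4 addresses bound to local interfaces (live: local_ipv4s)
#   $3  public IPv4 IP seen from outside, may be empty
#       (live: curl -4sL https://ipinfo.io/ip, or on AWS
#        curl http://169.254.169.254/latest/meta-data/public-ipv4)
# Prints direct | nat | mismatch | nodns; exit status 0 for direct/nat, 1 otherwise.
check_dns_match() {
  dns_ip="$1"; local_ips="$2"; public_ip="$3"
  if [ -z "$dns_ip" ]; then
    echo "nodns"; return 1           # domain has no A record yet
  fi
  # Case 1: the original ifconfig-style check, IP is bound to a local interface.
  for ip in $local_ips; do
    if [ "$ip" = "$dns_ip" ]; then
      echo "direct"; return 0
    fi
  done
  # Case 2: NAT host, the A record matches the externally observed public IP
  # even though no local interface carries it.
  if [ -n "$public_ip" ] && [ "$public_ip" = "$dns_ip" ]; then
    echo "nat"; return 0
  fi
  echo "mismatch"; return 1          # DNS really does point elsewhere
}

# Live helper (assumed name): all non-loopback IPv4 addresses on local interfaces.
# Not called in the offline demo below.
local_ipv4s() {
  ip -4 -o addr show 2>/dev/null | awk '{print $4}' | sed 's#/.*##' | grep -v '^127\.'
}

# Constructed sample values mirroring the thread.
demo_direct=$(check_dns_match 1.2.3.4 "127.0.0.1 1.2.3.4")
demo_nat=$(check_dns_match 1.2.3.4 "127.0.0.1 172.31.5.10" 1.2.3.4)
demo_mismatch=$(check_dns_match 1.2.3.4 "127.0.0.1 172.31.5.10" 5.6.7.8)
echo "direct-host: $demo_direct, aws-nat-host: $demo_nat, wrong-dns: $demo_mismatch"
```

On a live host you would call `check_dns_match "$(dig -t A +short @8.8.8.8 "$domain")" "$(local_ipv4s)" "$(curl -4sL https://ipinfo.io/ip)"` and only prompt to abort on `mismatch` or `nodns`.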
  7. fly

    fly Member

    You are correct. ifconfig only has the local address, and nothing of the public address.
     
  8. eva2000

    eva2000 Administrator Staff Member

    Oh, and if it isn't obvious, the message you see is informational: it prompts whether you want to abort. If you answer no (n), then it will continue to create the Centmin Mod Nginx vhost and attempt Letsencrypt validation/issuance, which should work as your domain resolves to the server.
    Code (Text):
    sub.domain.com is not a top level domain
    your server IPv4 IP address: 1.2.3.4
    current DNS A rv4ecord IP address for sub.domain.com is: 1.2.3.4
    
    !! Error: DNS A record IP doesn't match any found on this server
    
    Abort this Nginx vhost domain setup to setup updated DNS A record(s) first? [y/n]:
    

    I could add a check to that message for NAT systems and note something like "detected NAT system, so you can be pretty sure it's fine to continue without aborting".
     
  9. fly

    fly Member

    OMG I'm so dumb. I didn't know it was informational!

    *smacks head*
     
  10. eva2000

    eva2000 Administrator Staff Member

    yeah
    Code (Text):
    Abort this Nginx vhost domain setup to setup updated DNS A record(s) first? [y/n]:
    

    :D