centmin.sh: Registering a new top-level domain with IPv4 "A" and IPv6 "AAAA" records, without a www record, fails.

Discussion in 'Bug Reports' started by happyhacking, Feb 14, 2023.

  1. happyhacking

    happyhacking Member

    111
    18
    18
    Apr 23, 2021
    Ratings:
    +61
    Local Time:
    9:57 AM
    1.22.0
    MariaDB 10.4.25
    • CentOS Version: CentOS 7 64bit
    • Centmin Mod Version Installed: 130.00beta01
    • Nginx Version Installed: 1.23.3
    • PHP Version Installed: 8.0.26
    • MariaDB MySQL Version Installed: 10.4.27
    After trying to register a new top-level domain with IPv4 and IPv6 records and without a www CNAME record, the script failed to get the LE certificate:

    Code (Text):
      DOMAIN.org is a top level domain
      your server IPv4 IP address: X.126.152.9
      current DNS A record IPv4 address for DOMAIN is: X.126.152.9
      current DNS AAAA record IPv6 address for DOMAIN.org is: 2605:a140:2073:8910::1
      current DNS A record IP address for www.DOMAIN.org is: 
      !! Error: missing DNS A record for www.DOMAIN.org
      
      Abort this Nginx vhost domain setup to setup proper DNS A record(s) first? [y/n]: n
      
      Do you want to continue [y/n]: y
      
      ------------------------------------------------
      You have 4 options: 
      ------------------------------------------------
      1. issue staging test cert with HTTP + HTTPS (untrusted)
      2. issue staging test cert with HTTPS default (untrusted)
      3. issue live cert with HTTP + HTTPS (trusted)
      4. issue live cert with HTTPS default (trusted)
      Enter option number 1-4: 4
      
      ---------------------------------------------------------------------------
      
      "problems": [
            {
              "name": "AAAANotWorking",
              "explanation": "DOMAIN.org has an AAAA (IPv6) record (2605:X:X:8910::1) but a test request to this address over port 80 did not succeed. Your web server must have at least one working IPv4 or IPv6 address. You should either ensure that validation requests to this domain succeed over IPv6, or remove its AAAA record.",
              "detail": "Get \"http://DOMAIN.org/.well-known/acme-challenge/letsdebug-test\": dial tcp [2605:X:X:8910::1]:80: connect: connection refused\n\nTrace:\n@0ms: Making a request to http://DOMAIN.org/.well-known/acme-challenge/letsdebug-test (using initial IP 2605:X:X:8910::1)\n@0ms: Dialing 2605:X:X:8910::1\n@27ms: Experienced error: dial tcp [2605:X:X:8910::1]:80: connect: connection refused",
              "severity": "Error"
  2. eva2000

    eva2000 Administrator Staff Member

    53,250
    12,117
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,655
    Local Time:
    12:57 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    The www domain doesn't seem to have DNS A/AAAA records though? Centmin Mod letsencrypt for an apex top-level domain will check for both non-www and www versions of the domain by default.

    When you create a new Nginx vhost domain via centmin.sh menu option 2 or menu option 22, or via the /usr/bin/nv cli command line, you will create the Nginx vhost files and directories. The output will show the path location where it creates the domain name's vhost conf file named newdomain.com.conf (and newdomain.com.ssl.conf if you selected yes to self-signed SSL):
    • Nginx vhost conf path will be at /usr/local/nginx/conf/conf.d/newdomain.com.conf
    • Nginx HTTP/2 SSL vhost conf path will be at /usr/local/nginx/conf/conf.d/newdomain.com.ssl.conf
    • Nginx Self-Signed SSL Certificate Directory at /usr/local/nginx/conf/ssl/newdomain.com
    • Vhost public web root will be at /home/nginx/domains/newdomain.com/public
    • Vhost log directory will be at /home/nginx/domains/newdomain.com/log
    Please post the contents of /usr/local/nginx/conf/conf.d/newdomain.com.conf and if applicable /usr/local/nginx/conf/conf.d/newdomain.com.ssl.conf wrapped in CODE tags (outlined at How to use forum BBCODE code tags)

    What is the output of these commands in SSH?
    Code (Text):
    curl -4I https://domain.com
    curl -4I https://www.domain.com
    curl -4I http://domain.com
    curl -4I http://www.domain.com
    curl -6I https://domain.com
    curl -6I https://www.domain.com
    curl -6I http://domain.com
    curl -6I http://www.domain.com
    

    Wrap the output in CODE tags.
     
  3. happyhacking

    The DOMAIN.ssl.conf file has the following lines with possible errors.

    Here we should have uncommented the IPv6 directive if we need to validate with LE:
    Code (Text):
       listen   80;
    #x#   listen   [::]:80;
    


    The next lines are missing the IPv6 directive (listen [::]:443 ssl http2;):
    Code (Text):
    server {
      listen 443 ssl http2;
    
      server_name DOMAIN.org www.DOMAIN.org;
    


    After fixing those lines I ran:
    Code (Text):
    /usr/local/src/centminmod/addons/acmetool.sh reissue-only DOMAIN.org live
    

    acme.sh keeps looking for the www.DOMAIN.org record, refusing to continue without it:
    Code (Text):
    www.DOMAIN.org:Verify error:DNS problem: NXDOMAIN looking up A for www.DOMAIN.org - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for www.DOMAIN.org - check that a DNS record exists for this domain
    


    On CMM 124.00stable, if the www record is not pointed in DNS it is ignored and LE just signs the certificate for the top-level domain without www, but here it appears it's not optional.
     
  4. happyhacking

    The commands with https drop with:
    Code (Text):
    curl: (60) Issuer certificate is invalid
    

    The http commands got a:
    Code (Text):
    HTTP/1.1 302 Moved Temporarily
    


    BTW: Is it possible to downgrade to CMM 124.00stable?
     
  5. happyhacking

    Against my feelings, but since I'm in a hurry, I pointed the www to the same IPv4 and IPv6 address and fixed the conf.ssl file as stated in my previous post, then I ran the reissue certificate command and everything worked as it should. But I would like a way to avoid the imperative use of "www" for top-level domains, and perhaps the vhost template should be generated properly if IPv6 is used. Thanks for your hard work eva2000.
     
  6. eva2000

    I think the problem is Centmin Mod expects both the www and non-www domain to have valid DNS A records and, if applicable, also valid DNS AAAA records. You ended up with 2 issues:
    1. If you don't have a valid DNS AAAA record (for www and non-www; in your case for www), Nginx vhost setup skips enabling the listen directive for IPv6 and leaves it commented out.
    2. If you don't have a valid DNS A record for the www domain, Letsencrypt will fail to validate the domain as it's looking for www + non-www DNS A records.
    You can confirm this with a 2nd test Nginx vhost creation which has valid DNS A and AAAA records for both non-www and www versions of the domain name.
     
  7. eva2000

    Oh, in case you didn't realise, auto Nginx IPv6 listen configuration isn't enabled by default in Centmin Mod 130.00beta01. You need to set the following variables in the persistent config file /etc/centminmod/custom_config.inc:
    Code (Text):
    VPS_IPSIX_CHECK_DISABLE='n'
    VPS_IPSIX_CHECK_DISABLE_DEBUG='y'
    

    as per https://community.centminmod.com/threads/23463/
     
  8. happyhacking

    After trying on a new domain, but now using those variables:
    Code (Text):
    VPS_IPSIX_CHECK_DISABLE='n'
    VPS_IPSIX_CHECK_DISABLE_DEBUG='y'
    


    It failed again:
    Code (Text):
    -------------------------------------------------------------
    ok: /usr/local/src/centminmod/addons/acmetool.sh
    /usr/local/src/centminmod/addons/acmetool.sh issue DOMAIN.TLD lived
    
    -----------------------------------------------------
    updating acme.sh client...
    -----------------------------------------------------
    Cloning into 'acme.sh'...
    [Wed Mar  1 19:52:31 CST 2023] Installing to /root/.acme.sh
    [Wed Mar  1 19:52:31 CST 2023] Installed to /root/.acme.sh/acme.sh
    [Wed Mar  1 19:52:31 CST 2023] Installing alias to '/root/.bashrc'
    [Wed Mar  1 19:52:31 CST 2023] OK, Close and reopen your terminal to start using acme.sh
    [Wed Mar  1 19:52:31 CST 2023] Installing alias to '/root/.cshrc'
    [Wed Mar  1 19:52:31 CST 2023] Installing alias to '/root/.tcshrc'
    [Wed Mar  1 19:52:31 CST 2023] Installing cron job
    40 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null
    [Wed Mar  1 19:52:31 CST 2023] Good, bash is found, so change the shebang to use bash as preferred.
    [Wed Mar  1 19:52:32 CST 2023] OK
    https://github.com/acmesh-official/acme.sh
    v3.0.6
    -----------------------------------------------------
    set default acme.sh CA to letsencrypt:
    acme.sh --set-default-ca --server letsencrypt
    [Wed Mar  1 19:52:32 CST 2023] Changed default CA to: https://acme-v02.api.letsencrypt.org/directory
    -----------------------------------------------------
    acme.sh updated
    -----------------------------------------------------
    backup & remove /usr/local/nginx/conf/conf.d/DOMAIN.TLD.conf
    
    [self-signed ssl cert check] required by acmetool.sh
    
    [self-signed ssl] /usr/local/nginx/conf/ssl/DOMAIN.TLD/dhparam.pem exists
    [self-signed ssl] /usr/local/nginx/conf/ssl/DOMAIN.TLD/DOMAIN.TLD.crt exists
    [self-signed ssl] /usr/local/nginx/conf/ssl/DOMAIN.TLD/DOMAIN.TLD.key exists
    
    [sslvhostsetup] create /usr/local/nginx/conf/conf.d/DOMAIN.TLD.ssl.conf
    
    
    VPS_IPSIX_CHECK_DISABLE=n
    IP_SYSTEM_VALIDATE_V4=0
    IP_SYSTEM_VALIDATE_V6=0
    DEDI_LISTEN="listen   80;"
    DEDI_LISTEN_V6="listen   [::]:80;"
    DEDI_LISTEN_HTTPS_V6="listen   [::]:443 ssl http2;"
    DEDI_LISTEN=listen   80;
    DEDI_LISTEN_V6=listen   [::]:80;
    [non-wp] backup & remove /usr/local/nginx/conf/conf.d/DOMAIN.TLD.conf
    cat /usr/local/nginx/conf/ssl/DOMAIN.TLD/DOMAIN.TLD.crt.key.conf
      ssl_dhparam /usr/local/nginx/conf/ssl/DOMAIN.TLD/dhparam.pem;
      ssl_certificate      /usr/local/nginx/conf/ssl/DOMAIN.TLD/DOMAIN.TLD.crt;
      ssl_certificate_key  /usr/local/nginx/conf/ssl/DOMAIN.TLD/DOMAIN.TLD.key;
      #ssl_trusted_certificate /usr/local/nginx/conf/ssl/DOMAIN.TLD/DOMAIN.TLD-trusted.crt;
    cp -a /usr/local/nginx/conf/conf.d/DOMAIN.TLD.ssl.conf /usr/local/nginx/conf/conf.d/DOMAIN.TLD.ssl.conf-nonwp2
    cat /usr/local/nginx/conf/conf.d/DOMAIN.TLD.ssl.conf-nonwp1 /usr/local/nginx/conf/conf.d/DOMAIN.TLD.ssl.conf-nonwp2 > /usr/local/nginx/conf/conf.d/DOMAIN.TLD.ssl.conf
    Redirecting to /bin/systemctl reload nginx.service
    
    setting HTTPS default in /usr/local/nginx/conf/conf.d/DOMAIN.TLD.ssl.conf
    
    sed -i 's|^##x# HTTPS-DEFAULT|#x# HTTPS-DEFAULT|g' "/usr/local/nginx/conf/conf.d/DOMAIN.TLD.ssl.conf"
    sed -i "s|#x# server {| server {|" "/usr/local/nginx/conf/conf.d/DOMAIN.TLD.ssl.conf"
    sed -i "s|#x#   listen   80;|   listen   80;|" "/usr/local/nginx/conf/conf.d/DOMAIN.TLD.ssl.conf"
    sed -i "s|#x#   listen   [::]:80;|   listen   [::]:80;|" "/usr/local/nginx/conf/conf.d/DOMAIN.TLD.ssl.conf"
    sed -i "s|#x#   server_name DOMAIN.TLD www.DOMAIN.TLD;|   server_name DOMAIN.TLD www.DOMAIN.TLD;|" "/usr/local/nginx/conf/conf.d/DOMAIN.TLD.ssl.conf"
    sed -i "s|#x#   return 302 https://DOMAIN.TLD$request_uri;|   return 302 https://DOMAIN.TLD$request_uri;|" "/usr/local/nginx/conf/conf.d/DOMAIN.TLD.ssl.conf"
    sed -i "s|#x#   root /home/nginx/domains/DOMAIN.TLD/public;|   root /home/nginx/domains/DOMAIN.TLD/public;|" "/usr/local/nginx/conf/conf.d/DOMAIN.TLD.ssl.conf"
    sed -i "s|#x#   include \/usr\/local\/nginx\/conf\/staticfiles.conf;|   include \/usr\/local\/nginx\/conf\/staticfiles.conf;|" "/usr/local/nginx/conf/conf.d/DOMAIN.TLD.ssl.conf"
    sed -i "s|#x# }| }|" "/usr/local/nginx/conf/conf.d/DOMAIN.TLD.ssl.conf"
    
    remove /usr/local/nginx/conf/conf.d/DOMAIN.TLD.conf
    
    grep 'root' /usr/local/nginx/conf/conf.d/DOMAIN.TLD.ssl.conf
       root /home/nginx/domains/DOMAIN.TLD/public;
      root /home/nginx/domains/DOMAIN.TLD/public;
    
    -----------------------------------------------------------
    issue & install letsencrypt ssl certificate for DOMAIN.TLD
    -----------------------------------------------------------
    testcert value = lived
    /root/.acme.sh/acme.sh --issue -d DOMAIN.TLD --days 60 -w /home/nginx/domains/DOMAIN.TLD/public -k 2048 --useragent centminmod-centos7-acmesh-webroot --log /root/centminlogs/acmetool.sh-debug-log-010323-195229.log --log-level 2 --preferred-chain  "ISRG"
    [Wed Mar  1 19:52:34 CST 2023] Using CA: https://acme-v02.api.letsencrypt.org/directory
    [Wed Mar  1 19:52:34 CST 2023] Creating domain key
    [Wed Mar  1 19:52:34 CST 2023] The domain key is here: /root/.acme.sh/DOMAIN.TLD/DOMAIN.TLD.key
    [Wed Mar  1 19:52:34 CST 2023] Single domain='DOMAIN.TLD'
    [Wed Mar  1 19:52:34 CST 2023] Getting domain auth token for each domain
    [Wed Mar  1 19:52:35 CST 2023] Getting webroot for domain='DOMAIN.TLD'
    [Wed Mar  1 19:52:35 CST 2023] Verifying: DOMAIN.TLD
    [Wed Mar  1 19:52:36 CST 2023] Pending, The CA is processing your order, please just wait. (1/30)
    [Wed Mar  1 19:52:38 CST 2023] DOMAIN.TLD:Verify error:XXX.XXX.XXX.XXX: Invalid response from https://DOMAIN.TLD/.well-known/acme-challenge/DxamfvWw3-9Qf4zTPMC6bT4g3LAFaCzgAfyNidvNYRE: 404
    [Wed Mar  1 19:52:38 CST 2023] Please check log file for more details: /root/centminlogs/acmetool.sh-debug-log-010323-195229.log
    LECHECK = 1
    
    log files saved at /root/centminlogs
    -rw-r--r-- 1 root root   35K Mar  1 19:52 acmetool.sh-debug-log-010323-195229.log
    -rw-r--r-- 1 root root  6.0K Mar  1 19:52 acmesh-issue_010323-195229.log
    
    
    -------------------------------------------------------------
    
    waiting on letsdebug.net API check completion...
    waiting on letsdebug.net API check completion...
    
    {
      "id": 1392458,
      "domain": "DOMAIN.TLD",
      "method": "http-01",
      "status": "Complete",
      "created_at": "2023-03-02T01:52:39.128734Z",
      "started_at": "2023-03-02T01:52:39.132906Z",
      "completed_at": "2023-03-02T01:52:51.073827Z",
      "result": {
        "problems": [
          {
            "name": "AAAANotWorking",
            "explanation": "DOMAIN.TLD has an AAAA (IPv6) record (XXXX:XXXX:XXXX:XXXX::1) but a test request to this address over port 80 did not succeed. Your web server must have at least one working IPv4 or IPv6 address. You should either ensure that validation requests to this domain succeed over IPv6, or remove its AAAA record.",
            "detail": "Get \"http://DOMAIN.TLD/.well-known/acme-challenge/letsdebug-test\": dial tcp [XXXX:XXXX:XXXX:XXXX::1]:80: connect: connection refused\n\nTrace:\n@0ms: Making a request to http://DOMAIN.TLD/.well-known/acme-challenge/letsdebug-test (using initial IP XXXX:XXXX:XXXX:XXXX::1)\n@0ms: Dialing XXXX:XXXX:XXXX:XXXX::1\n@27ms: Experienced error: dial tcp [XXXX:XXXX:XXXX:XXXX::1]:80: connect: connection refused",
            "severity": "Error"
          },
          {
            "name": "StatusNotOperational",
            "explanation": "The current status as reported by the Let's Encrypt status page is Degraded Performance as at 2023-03-01 19:57:06.729 +0000 UTC. Depending on the reported problem, this may affect certificate issuance. For more information, please visit the status page.",
            "detail": "https://letsencrypt.status.io/",
            "severity": "Warning"
          }
        ]
      }
    }
    


    The reason? The DOMAIN.TLD.ssl.conf doesn't have the proper IPv6 directives, so I corrected that file, adding the proper IPv6 parameters, then ran the command:

    Code (Text):
    /usr/local/src/centminmod/addons/acmetool.sh reissue-only DOMAIN.TLD live
    
    And everything works fine.
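    A pre-flight check for the defect traced in this thread, added here as an example; it is not code from the thread or from Centmin Mod. It scans a vhost conf for active IPv4 listen directives whose IPv6 twin is missing or left as a '#x#' toggle (the marker convention is taken from the sed commands in the log above), and can enable them the way happyhacking did by hand. The sample conf is constructed from the snippets in post 3.

```python
"""Check a Centmin Mod style Nginx vhost conf for IPv4 listeners lacking an IPv6 twin."""
import re

# Constructed sample modelled on the thread's DOMAIN.ssl.conf: the :80 IPv6
# listener is left as a '#x#' toggle and :443 has no IPv6 listener at all.
SAMPLE_SSL_CONF = """\
server {
   listen   80;
#x#   listen   [::]:80;
   server_name DOMAIN.org www.DOMAIN.org;
}
server {
  listen 443 ssl http2;
  server_name DOMAIN.org www.DOMAIN.org;
}
"""

# '#x#' is Centmin Mod's toggle for a templated directive that is switched off;
# a plain '#' comment line is deliberately not matched.
LISTEN_RE = re.compile(r'^(?P<off>#x#)?\s*listen\s+(?P<v6>\[::\]:)?(?P<port>\d+)(?P<rest>[^;]*);')

def scan_listeners(conf):
    """port -> {'v4': state, 'v6': state}; state is 'active', 'commented' or 'missing'."""
    ports = {}
    for line in conf.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            entry = ports.setdefault(m['port'], {'v4': 'missing', 'v6': 'missing'})
            entry['v6' if m['v6'] else 'v4'] = 'commented' if m['off'] else 'active'
    return ports

def ipv6_findings(conf, has_aaaa=True):
    """With an AAAA record published, a missing or toggled-off IPv6 listener is
    the 'connection refused' that letsdebug reported in the thread."""
    findings = []
    for port, st in sorted(scan_listeners(conf).items(), key=lambda kv: int(kv[0])):
        if st['v4'] != 'active':
            continue  # port not served over IPv4 either; out of scope here
        if has_aaaa and st['v6'] != 'active':
            findings.append(f"port {port}: IPv6 listener {st['v6']}")
    return findings

def add_ipv6_listeners(conf):
    """Enable the IPv6 twin of each active IPv4 listener: uncomment a '#x#' toggle,
    or insert the directive after the IPv4 line (what the poster did by hand)."""
    state, out = scan_listeners(conf), []
    for line in conf.splitlines():
        m = LISTEN_RE.match(line)
        if m and m['v6'] and m['off'] and state[m['port']]['v4'] == 'active':
            line = line[len('#x#'):]
        out.append(line)
        if m and not m['v6'] and not m['off'] and state[m['port']]['v6'] == 'missing':
            indent = line[:len(line) - len(line.lstrip())]
            out.append(f"{indent}listen [::]:{m['port']}{m['rest']};")
    return '\n'.join(out) + '\n'
```

    Run ipv6_findings() against /usr/local/nginx/conf/conf.d/DOMAIN.ssl.conf before issuing a certificate; with no AAAA record published pass has_aaaa=False, since a commented-out IPv6 listener is then the intended state.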
     
  9. eva2000

    Hmm, the IPv6 listener value defined by DEDI_LISTEN_HTTPS_V6="listen [::]:443 ssl http2;" should be dynamically added to your domain.com.ssl.conf Nginx vhost when the debug output looks like yours:
    Code (Text):
    VPS_IPSIX_CHECK_DISABLE=n
    IP_SYSTEM_VALIDATE_V4=0
    IP_SYSTEM_VALIDATE_V6=0
    DEDI_LISTEN="listen   80;"
    DEDI_LISTEN_V6="listen   [::]:80;"
    DEDI_LISTEN_HTTPS_V6="listen   [::]:443 ssl http2;"
    DEDI_LISTEN=listen   80;
    DEDI_LISTEN_V6=listen   [::]:80;
    

    "Doesn't have proper IPv6 directives" meaning incorrect syntax, or totally missing from the domain.com.ssl.conf Nginx vhost config file?
     
  10. happyhacking

    Those 2 lines (IPv6 directives) were totally missing from the vhost conf file.
     
  11. eva2000

    Ok, will have to do more testing on my side then, as I haven't been able to reproduce this issue on my end.