
Letsencrypt Cloudflare Replacing with New CF Token

Discussion in 'Domains, DNS, Email & SSL Certificates' started by quicksalad, Sep 22, 2023.

  1. quicksalad

    quicksalad Member

    228
    13
    18
    May 31, 2015
    Ratings:
    +20
    Local Time:
    4:48 AM
    I created a new CF token as I don't know why my previous CF token was not there anymore (https://dash.cloudflare.com/profile/api-tokens).

    I did replace the previous token with the newly created one.
    Code:
    CF_DNSAPI_GLOBAL='y'
    CF_Token="NEWLY_CREATED_CF_TOKENCASFDEDSFSDFWEFWW34238458SDFH853F"
    CF_Account_ID="YOUR_CF_ACCOUNT_ID"
    Do I need to run something after replacing the new CF token?


    checkdates below

    Code:
    nginx installed
    ----------------------------------------------
    
    /usr/local/nginx/conf/ssl/mydomain.com/mydomain.com-acme.cer
    SHA1 Fingerprint=RANDOMCHAR1
    certificate expires in X days on X Oct 2023
    
    /usr/local/nginx/conf/ssl/mydomain.com/mydomain.com-acme-ecc.cer
    SHA1 Fingerprint=RANDOMCHAR2
    certificate expires in X days on X Oct 2023
    
    ----------------------------------------------
    acme.sh obtained
    ----------------------------------------------
    
    /root/.acme.sh/mydomain.com/mydomain.com.cer
    SHA1 Fingerprint=RANDOMCHAR1
    [ below certifcate transparency link is only valid ~1hr after issuance ]
    https://crt.sh/?sha1=RANDOMCHAR1
    certificate expires in X days on X Oct 2023
    Letsencrypt validation method: Le_Webroot='/home/nginx/domains/mydomain.com/public'
    
    /root/.acme.sh/mydomain.com_ecc/mydomain.com.cer
    SHA1 Fingerprint=RANDOMCHAR2
    [ below certifcate transparency link is only valid ~1hr after issuance ]
    https://crt.sh/?sha1=RANDOMCHAR2
    certificate expires in X days on X Oct 2023
    Letsencrypt validation method: Le_Webroot='/home/nginx/domains/mydomain.com/public'
    I cannot see
    Code:
    Le_Webroot='dns_cf'
     
  2. quicksalad

    I have this error when using letsdebug
    Code:
    IssueFromLetsEncrypt
    ERROR
    A test authorization for www.mydomain.com to the Let's Encrypt staging service has revealed issues that may prevent any certificate for this domain being issued.
    104.X.X.X: Fetching https://www.mydomain.com/.well-known/acme-challenge/bsdf45-4gsdfgd6h56t53453DWGmd_WA: Timeout during connect (likely firewall problem)
     
  3. eva2000

    eva2000 Administrator Staff Member

    54,519
    12,211
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,780
    Local Time:
    9:18 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    Try the acmetool.sh reissue-only option for existing nginx HTTPS SSL vhosts whose domain.com.ssl.conf vhost config files already exist. This only does a reissue of the letsencrypt SSL cert without touching the nginx vhost. Ideal for use when you tried creating a Nginx HTTPS SSL default vhost site but letsencrypt SSL issuance failed the first time, or for this situation. When you run:
    Code (Text):
    cd /usr/local/src/centminmod/addons
    ./acmetool.sh reissue-only domain.com live
    

    It will only try reissuing the letsencrypt SSL certificate for the domain domain.com as a live production SSL certificate, without touching any of the existing nginx vhost at domain.com.ssl.conf.
     
  4. quicksalad

    @eva2000 Thank you!
    Here's the checkdates
    Code:
    ----------------------------------------------
    nginx installed
    ----------------------------------------------
    
    /usr/local/nginx/conf/ssl/mydomain.com/mydomain.com-acme.cer
    SHA1 Fingerprint=RANDCHAR
    certificate expires in x days on x Dec 2023
    
    /usr/local/nginx/conf/ssl/mydomain.com/mydomain.com-acme-ecc.cer
    SHA1 Fingerprint=RANDCHAR
    certificate expires in x days on x Dec 2023
    
    ----------------------------------------------
    acme.sh obtained
    ----------------------------------------------
    
    /root/.acme.sh/mydomain.com/mydomain.com.cer
    SHA1 Fingerprint=RANDCHAR
    [ below certifcate transparency link is only valid ~1hr after issuance ]
    https://crt.sh/?sha1=RANDCHAR
    certificate expires in x days on x Dec 2023
    Letsencrypt validation method: Le_Webroot='dns_cf,/home/nginx/domains/mydomain.com/public'
    
    /root/.acme.sh/mydomain.com_ecc/mydomain.com.cer
    SHA1 Fingerprint=RANDCHAR
    [ below certifcate transparency link is only valid ~1hr after issuance ]
    https://crt.sh/?sha1=RANDCHAR
    certificate expires in x days on x Dec 2023
    Letsencrypt validation method: Le_Webroot='dns_cf,/home/nginx/domains/mydomain.com/public'
    I did restart nginx and got an alert
    Code:
    "ssl_trusted_certificate" directive is duplicate in /usr/local/nginx/conf/ssl/mydomain.com/mydomain.com.crt.key.conf:9
    I also tried accessing the links; I get Certificate not found
    Code:
    https://crt.sh/?sha1=RANDCHAR
     
  5. eva2000

    what does contents of /usr/local/nginx/conf/ssl/mydomain.com/mydomain.com.crt.key.conf look like?
    Code (Text):
    cat /usr/local/nginx/conf/ssl/mydomain.com/mydomain.com.crt.key.conf


    there's a note there in checkdates output ;)
     
  6. quicksalad

    Thanks @eva2000
    Maybe my English and reading are not good; I misunderstood the note. :)
    here's the content
    Code:
      ssl_dhparam /usr/local/nginx/conf/ssl/mydomain.com/dhparam.pem;
      ssl_certificate      /usr/local/nginx/conf/ssl/mydomain.com/mydomain.com-acme.cer;
      ssl_certificate_key  /usr/local/nginx/conf/ssl/mydomain.com/mydomain.com-acme.key;
    
      ssl_certificate      /usr/local/nginx/conf/ssl/mydomain.com/mydomain.com-acme-ecc.cer;
      ssl_certificate_key  /usr/local/nginx/conf/ssl/mydomain.com/mydomain.com-acme-ecc.key;
    
      #ssl_trusted_certificate /usr/local/nginx/conf/ssl/mydomain.com/mydomain.com-acme.cer;
      #ssl_trusted_certificate /usr/local/nginx/conf/ssl/mydomain.com/mydomain.com-acme-ecc.cer;
      ssl_trusted_certificate /usr/local/nginx/conf/ssl/mydomain.com/mydomain.com-dualcert-rsa-ecc.cer;
     
  7. eva2000

    There's only one instance of ssl_trusted_certificate in the file. So the duplicate must be an instance in your actual nginx vhost file /usr/local/nginx/conf/conf.d/domain.com.ssl.conf that you can comment out now
     
  8. quicksalad

    @eva2000
    I only have these lines
    Code:
    server {
      listen 443 ssl http2;
      server_name www.mydomain.com;
    
      include /usr/local/nginx/conf/ssl/mydomain.com/mydomain.com.crt.key.conf;
      include /usr/local/nginx/conf/ssl_include.conf;
    
      # cloudflare authenticated origin pull cert community.centminmod.com/threads/13847/
       ssl_client_certificate /usr/local/nginx/conf/ssl/cloudflare/mydomain.com/origin.crt;
       ssl_verify_client on;
    ----rest conf---
    
     
  9. eva2000

    you sure? try grep search for term 'ssl_trusted_certificate' minus hash commented out instances
    Code (Text):
    grep -rin 'ssl_trusted_certificate' /usr/local/nginx/conf/conf.d | grep -v '#'
    

    this will list all domains' nginx vhosts, so check for your specific domain
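One way to run the check described above over a vhost and the files it includes. This is an added example, not Centmin Mod's or acmetool.sh's code. It goes beyond the single grep in two ways: it follows the vhost's absolute `include` lines (so a directive living in the `.crt.key.conf` include is counted together with one in the vhost), and it strips only trailing `#` comments instead of dropping every line that contains a `#`. The function names, the sample config it builds and the paths under the temporary directory are all constructed for the example.

```shell
#!/bin/sh
# Added example, not Centmin Mod's acmetool.sh code: find *active* (uncommented)
# ssl_trusted_certificate directives in an nginx vhost, following the absolute
# `include` paths Centmin Mod vhosts use, so the duplicate left behind by a
# reissue (one in the .crt.key.conf include, one in the vhost) is found before
# `nginx -t` or a reload reports it.

# active_directives FILE DIRECTIVE
# Prints "file:line:directive ..." for each active instance in FILE and in the
# files FILE includes. Trailing "# ..." comments are stripped before matching,
# so a line such as "ssl_trusted_certificate x.cer; # note" still counts.
active_directives() {
  file=$1
  directive=$2
  [ -f "$file" ] || return 0
  grep -n "$directive" "$file" \
    | sed 's/#.*$//' \
    | grep -E "^[0-9]+:[[:space:]]*$directive[[:space:]]" \
    | sed "s|^|$file:|"
  # recurse into literal include paths (wildcard includes are not expanded here)
  grep -E '^[[:space:]]*include[[:space:]]' "$file" \
    | sed 's/#.*$//' \
    | awk '{ print $2 }' \
    | tr -d ';' \
    | while read -r inc; do
        active_directives "$inc" "$directive"
      done
}

# count_active FILE DIRECTIVE -> number of active instances (vhost + includes)
count_active() {
  active_directives "$1" "$2" | wc -l | tr -d ' '
}

# check_vhost FILE -> exit 0 if at most one active ssl_trusted_certificate is
# in effect for the vhost, 1 if there is a duplicate; usable as a gate that
# runs before the reload command of a reissue routine.
check_vhost() {
  n=$(count_active "$1" ssl_trusted_certificate)
  [ "$n" -le 1 ]
}

# make_demo DIR: constructed sample config mirroring the thread (not a real
# server's files): the crt.key.conf include holds the dual-cert instance, and
# the vhost holds a second one that a faulty reissue left uncommented.
make_demo() {
  dir=$1
  mkdir -p "$dir/ssl"
  cat > "$dir/ssl/domain.com.crt.key.conf" <<EOF
  ssl_certificate      $dir/ssl/domain.com-acme.cer;
  ssl_certificate_key  $dir/ssl/domain.com-acme.key;
  #ssl_trusted_certificate $dir/ssl/domain.com-acme.cer;
  ssl_trusted_certificate $dir/ssl/domain.com-dualcert-rsa-ecc.cer;
EOF
  cat > "$dir/domain.com.ssl.conf" <<EOF
server {
  listen 443 ssl http2;
  include $dir/ssl/domain.com.crt.key.conf;
  ssl_trusted_certificate $dir/ssl/domain.com-acme.cer; # uncommented by reissue
  # ssl_trusted_certificate $dir/ssl/domain.com-acme-ecc.cer;
}
EOF
}

# Demo on the constructed files
demo=$(mktemp -d)
make_demo "$demo"
active_directives "$demo/domain.com.ssl.conf" ssl_trusted_certificate
echo "active ssl_trusted_certificate instances: $(count_active "$demo/domain.com.ssl.conf" ssl_trusted_certificate)"
check_vhost "$demo/domain.com.ssl.conf" && echo "vhost OK" || echo "duplicate ssl_trusted_certificate: fix before reload"
rm -rf "$demo"
```

On a real Centmin Mod box you would call `check_vhost /usr/local/nginx/conf/conf.d/domain.com.ssl.conf`; because nginx rejects a duplicate `ssl_trusted_certificate` at config load, running this (or `nginx -t`) before the reload step is what keeps a reissue from taking the running server down.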
     
  10. quicksalad

    Hi @eva2000
    Here's my mydomain.com.ssl.conf
    Code:
    # must read https://centminmod.com/getstarted.html
    # read https://centminmod.com/nginx_configure_https_ssl_spdy.html
    
    #x# HTTPS-DEFAULT
    # server { 
    #   server_name myadomain.com www.myadomain.com;
    #   return 302 https://www.myadomain.com$request_uri;
    #   root /home/nginx/domains/myadomain.com/public;
    #   include /usr/local/nginx/conf/staticfiles.conf;
    # }
    #server {
    #  listen 443 ssl http2;
    #  server_name myadomain.com;
    #  return 302 https://www.myadomain.com$request_uri;
    #  include /usr/local/nginx/conf/ssl/myadomain.com/myadomain.com.crt.key.conf;
    #  include /usr/local/nginx/conf/ssl_include.conf;
    #}
    server {
      listen 443 ssl http2;
      server_name www.myadomain.com;
    
      include /usr/local/nginx/conf/ssl/myadomain.com/myadomain.com.crt.key.conf;
      include /usr/local/nginx/conf/ssl_include.conf;
    
      # cloudflare authenticated origin pull cert community.centminmod.com/threads/13847/
       ssl_client_certificate /usr/local/nginx/conf/ssl/cloudflare/myadomain.com/origin.crt;
       ssl_verify_client on;
     
     
     
      # mozilla recommended
      ssl_ciphers ERANDCHARDS;
      ssl_prefer_server_ciphers   on;
      #add_header Alternate-Protocol  443:npn-spdy/3;
    
      # before enabling HSTS line below read centminmod.com/nginx_domain_dns_setup.html#hsts
      #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
      #add_header X-Frame-Options SAMEORIGIN;
      add_header X-Xss-Protection "1; mode=block" always;
      add_header X-Content-Type-Options "nosniff" always;
      #add_header Referrer-Policy "strict-origin-when-cross-origin";
      #add_header Permissions-Policy "accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=()";
      #spdy_headers_comp 5;
      ssl_buffer_size 1369;
      ssl_session_tickets on;
     
      # enable ocsp stapling
      resolver 8.8.8.8 8.8.4.4 1.1.1.1 1.0.0.1 valid=10m;
      resolver_timeout 10s;
      ssl_stapling on;
      ssl_stapling_verify on;
    
    # ngx_pagespeed & ngx_pagespeed handler
    #include /usr/local/nginx/conf/pagespeed.conf;
    #include /usr/local/nginx/conf/pagespeedhandler.conf;
    #include /usr/local/nginx/conf/pagespeedstatslog.conf;
    
      # limit_conn limit_per_ip 16;
      # ssi  on;
    
      access_log /home/nginx/domains/myadomain.com/log/access.log combined buffer=256k flush=5m;
      error_log /home/nginx/domains/myadomain.com/log/error.log;
    
      include /usr/local/nginx/conf/autoprotect/myadomain.com/autoprotect-myadomain.com.conf;
      root /home/nginx/domains/myadomain.com/public;
      # uncomment cloudflare.conf include if using cloudflare for
      # server and/or vhost site
      include /usr/local/nginx/conf/cloudflare.conf;
      include /usr/local/nginx/conf/503include-main.conf;
    
      include /usr/local/nginx/conf/wpincludes/myadomain.com/wpcacheenabler_myadomain.com.conf;
      #include /usr/local/nginx/conf/wpincludes/myadomain.com/wpsupercache_myadomain.com.conf;
      # https://community.centminmod.com/posts/18828/
      #include /usr/local/nginx/conf/wpincludes/myadomain.com/rediscache_myadomain.com.conf;
    
      location /go/ {
      rewrite ^/go/(.*)$ /go/index.php?s=$1 last;
      }
      location /continue/ {
      rewrite ^/continue/(.*)$ /continue/index.php?s=$1 last;
      }
    
      location / {
      include /usr/local/nginx/conf/503include-only.conf;
     
    
      # Enables directory listings when index file not found
      #autoindex  on;
    
      # for wordpress super cache plugin
      #try_files /wp-content/cache/supercache/$http_host/$cache_uri/index.html $uri $uri/ /index.php?q=$uri&$args;
    
      # for wp cache enabler plugin
      try_files $cache_enabler_uri_webp $cache_enabler_uri $uri $uri/ $custom_subdir/index.php?$args; 
    
      # Wordpress Permalinks
      #try_files $uri $uri/ /index.php?q=$uri&$args;
    
      # Nginx level redis Wordpress
      # https://community.centminmod.com/posts/18828/
      #try_files $uri $uri/ /index.php?$args;
    
      }
    
    location ~* /(wp-login\.php) {
        limit_req zone=xwplogin burst=1 nodelay;
        #limit_conn xwpconlimit 30;
        auth_basic "Private";
        auth_basic_user_file /home/nginx/domains/myadomain.com/htpasswd_wplogin;   
        include /usr/local/nginx/conf/php-wpsc.conf;
        
        # https://community.centminmod.com/posts/18828/
        #include /usr/local/nginx/conf/php-rediscache.conf;
    }
    
    location ~* /(xmlrpc\.php) {
        limit_req zone=xwprpc burst=45 nodelay;
        #limit_conn xwpconlimit 30;
        include /usr/local/nginx/conf/php-wpsc.conf;
        # https://jetpack.com/support/hosting-faq/
        include /usr/local/nginx/conf/jetpack_whitelist_ip.conf;
        
        # https://community.centminmod.com/posts/18828/
        #include /usr/local/nginx/conf/php-rediscache.conf;
    }
    
    location ~* /wp-admin/(load-scripts\.php) {
        limit_req zone=xwprpc burst=5 nodelay;
        #limit_conn xwpconlimit 30;
        include /usr/local/nginx/conf/php-wpsc.conf;
        
        # https://community.centminmod.com/posts/18828/
        #include /usr/local/nginx/conf/php-rediscache.conf;
    }
    
    location ~* /wp-admin/(load-styles\.php) {
        limit_req zone=xwprpc burst=5 nodelay;
        #limit_conn xwpconlimit 30;
        include /usr/local/nginx/conf/php-wpsc.conf;
        
        # https://community.centminmod.com/posts/18828/
        #include /usr/local/nginx/conf/php-rediscache.conf;
    }
    
      include /usr/local/nginx/conf/wpincludes/myadomain.com/wpsecure_myadomain.com.conf;
      include /usr/local/nginx/conf/php-wpsc.conf;
     
      # https://community.centminmod.com/posts/18828/
      #include /usr/local/nginx/conf/php-rediscache.conf;
      include /usr/local/nginx/conf/pre-staticfiles-local-myadomain.com.conf;
      include /usr/local/nginx/conf/pre-staticfiles-global.conf;
      include /usr/local/nginx/conf/staticfiles.conf;
      include /usr/local/nginx/conf/drop.conf;
      #include /usr/local/nginx/conf/errorpage.conf;
      include /usr/local/nginx/conf/vts_server.conf;
    }
    
    The command returns nothing; see my conf path files in the attached image Conf.png
     
  11. eva2000

    strange indeed, what's output for nginx config check
    Code (Text):
    nginx -t
     
  12. quicksalad

    Here's the response
    Code:
    nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
    nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
    here is my acme reissue-only log
    Code:
    -----END CERTIFICATE-----
    [Fri Sep 22 19:14:36 UTC 2023] Your cert is in: /root/.acme.sh/mydomain.com_ecc/mydomain.com.cer
    [Fri Sep 22 19:14:36 UTC 2023] Your cert key is in: /root/.acme.sh/mydomain.com_ecc/mydomain.com.key
    [Fri Sep 22 19:14:36 UTC 2023] The intermediate CA cert is in: /root/.acme.sh/mydomain.com_ecc/ca.cer
    [Fri Sep 22 19:14:36 UTC 2023] And the full chain certs is there: /root/.acme.sh/mydomain.com_ecc/fullchain.cer
    
    success: 2nd SSL cert issued for dual ssl cert config
    
    LECHECK = 0
      ssl_dhparam /usr/local/nginx/conf/ssl/mydomain.com/dhparam.pem;
      ssl_certificate      /usr/local/nginx/conf/ssl/mydomain.com/mydomain.com-acme.cer;
      ssl_certificate_key  /usr/local/nginx/conf/ssl/mydomain.com/mydomain.com-acme.key;
      ssl_certificate      /usr/local/nginx/conf/ssl/mydomain.com/mydomain.com-acme-ecc.cer;
      ssl_certificate_key  /usr/local/nginx/conf/ssl/mydomain.com/mydomain.com-acme-ecc.key;
      ssl_trusted_certificate /usr/local/nginx/conf/ssl/mydomain.com/mydomain.com-acme.cer;
      ssl_trusted_certificate /usr/local/nginx/conf/ssl/mydomain.com/mydomain.com-acme-ecc.cer;
      ssl_trusted_certificate /usr/local/nginx/conf/ssl/mydomain.com/mydomain.com-dualcert-rsa-ecc.cer;
    
    -----------------------------------------------------------
    install cert
    -----------------------------------------------------------
    /root/.acme.sh/acme.sh --installcert -d mydomain.com -d www.mydomain.com --certpath /usr/local/nginx/conf/ssl/mydomain.com/mydomain.com-acme.cer --keypath /usr/local/nginx/conf/ssl/mydomain.com/mydomain.com-acme.key --capath /usr/local/nginx/conf/ssl/mydomain.com/mydomain.com-acme.cer --reloadCmd /usr/bin/ngxreload --fullchainpath /usr/local/nginx/conf/ssl/mydomain.com/mydomain.com-fullchain-acme.key
    [Fri Sep 22 19:14:37 UTC 2023] Installing cert to: /usr/local/nginx/conf/ssl/mydomain.com/mydomain.com-acme.cer
    [Fri Sep 22 19:14:37 UTC 2023] Installing CA to: /usr/local/nginx/conf/ssl/mydomain.com/mydomain.com-acme.cer
    [Fri Sep 22 19:14:37 UTC 2023] Installing key to: /usr/local/nginx/conf/ssl/mydomain.com/mydomain.com-acme.key
    [Fri Sep 22 19:14:37 UTC 2023] Installing full chain to: /usr/local/nginx/conf/ssl/mydomain.com/mydomain.com-fullchain-acme.key
    [Fri Sep 22 19:14:37 UTC 2023] Run reload cmd: /usr/bin/ngxreload
    Reloading nginx configuration (via systemctl):  Job for nginx.service failed because the control process exited with error code. See "systemctl status nginx.service" and "journalctl -xe" for details.
    [FAILED]
    [Fri Sep 22 19:14:37 UTC 2023] Reload error for :
    
    install 2nd SSL cert issued for dual ssl cert config
    
    /root/.acme.sh/acme.sh --installcert -d mydomain.com -d www.mydomain.com --certpath /usr/local/nginx/conf/ssl/mydomain.com/mydomain.com-acme-ecc.cer --keypath /usr/local/nginx/conf/ssl/mydomain.com/mydomain.com-acme-ecc.key --capath /usr/local/nginx/conf/ssl/mydomain.com/mydomain.com-acme-ecc.cer --reloadCmd /usr/bin/ngxreload --fullchainpath /usr/local/nginx/conf/ssl/mydomain.com/mydomain.com-fullchain-acme-ecc.key --ecc
    [Fri Sep 22 19:14:37 UTC 2023] Installing cert to: /usr/local/nginx/conf/ssl/mydomain.com/mydomain.com-acme-ecc.cer
    [Fri Sep 22 19:14:37 UTC 2023] Installing CA to: /usr/local/nginx/conf/ssl/mydomain.com/mydomain.com-acme-ecc.cer
    [Fri Sep 22 19:14:37 UTC 2023] Installing key to: /usr/local/nginx/conf/ssl/mydomain.com/mydomain.com-acme-ecc.key
    [Fri Sep 22 19:14:37 UTC 2023] Installing full chain to: /usr/local/nginx/conf/ssl/mydomain.com/mydomain.com-fullchain-acme-ecc.key
    [Fri Sep 22 19:14:37 UTC 2023] Run reload cmd: /usr/bin/ngxreload
    Reloading nginx configuration (via systemctl):  Job for nginx.service failed because the control process exited with error code. See "systemctl status nginx.service" and "journalctl -xe" for details.
    [FAILED]
    [Fri Sep 22 19:14:37 UTC 2023] Reload error for :
    
    setup ssl_trusted_certificate dual cert version:
    /usr/local/nginx/conf/ssl/mydomain.com/mydomain.com-dualcert-rsa-ecc.cer
    
    letsencrypt ssl certificate setup completed
    ssl certs located at: /usr/local/nginx/conf/ssl/mydomain.com
    
    openssl x509 -noout -text < /usr/local/nginx/conf/ssl/mydomain.com/mydomain.com-acme.cer
    Certificate:
    
    Thanks
     
  13. eva2000

    Nginx config test looks OK. So restarting Nginx should be fine?

    Looks like the error was only due temporarily to the reissue, where temporarily there would have been a duplicate instance. Will need to add an additional nginx restart to the reissue routine
     
  14. eva2000

    Ok I see the problem now, it's a bug in the acmetool.sh reissue-only option if DUALCERTS='y' is set, as it mistakenly uncomments the first commented ssl_trusted_certificate instance in existing Nginx vhosts that use DUALCERTS='y', so there's now a duplicate active ssl_trusted_certificate instance. About to update Centmin Mod addons/acmetool.sh with the fix for the reissue-only option when DUALCERTS='y' is set
     
  15. quicksalad

    thanks always @eva2000
    I checked my nginx log and I'm seeing this
    Code:
    2023/09/24 16:43:58 [error] 26718#26718: connect() to [2611:14XX:5d::11122:3x41]:80 failed (101: Network is unreachable) while requesting certificate status, responder: r3.o.lencr.org, peer: [2611:14XX:5d::11122:3x41]:80, certificate: "/usr/local/nginx/conf/ssl/mydomain.com/mydomain.com-acme.cer"
    also letsdebug is still prompting this error
    Code:
    IssueFromLetsEncrypt
    ERROR
    A test authorization for mydomain.com to the Let's Encrypt staging service has revealed issues that may prevent any certificate for this domain being issued.
    172.66.273.57: Fetching https://www.mydomain.com/.well-known/acme-challenge/vgCDcw51tpyTluXgqVrev-T8n_lrnItSdpKyFU3ElRSQ: Timeout during connect (likely firewall problem)
    and the crt sha is still showing Certificate not found when accessing the URL
    Code:
    https://crt.sh/?sha1=RANDCHARS
     
  16. eva2000

    Not enough info there for context for the error
    you can ignore the letsdebug reported test issue as it uses default webroot authentication to validate the domain, but you switched to using Cloudflare DNS API validation via
    Code (Text):
    CF_DNSAPI_GLOBAL='y'
    CF_Token="NEWLY_CREATED_CF_TOKENCASFDEDSFSDFWEFWW34238458SDFH853F"
    CF_Account_ID="YOUR_CF_ACCOUNT_ID"
    

    so that message doesn't apply to your usage case anymore
    how long has it been? give it 24-48hrs and see, or search the crt.sh web site for your domain and see if the SSL cert entry exists
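The OCSP stapling error quicksalad posted a few replies up is the kind of entry that never reaches a browser (nginx simply serves the handshake without a staple), so the error_log is the only place it shows. The following is an added example, not code from the thread or from Centmin Mod: it parses such lines out of an nginx error log and reports the responder, the peer address, whether that peer was IPv6 and the errno text, which is exactly the context needed to decide whether the failure is a firewall issue or an unusable AAAA answer. The function names and the sample log lines (documentation addresses, example.com) are constructed.

```shell
#!/bin/sh
# Added example (not from the thread or Centmin Mod): parse nginx error_log
# lines for OCSP stapling fetch failures and report, per failure, the responder
# nginx tried to reach, the peer address, its address family and the errno text.

# ocsp_failures LOGFILE -> tab-separated: responder, peer, ipv4|ipv6, error
ocsp_failures() {
  awk '/while requesting certificate status/ {
    r = "?"; p = "?"; e = "?"
    # "responder: host," / "peer: addr," / "failed (errno: text)" fragments
    if (match($0, /responder: [^,]+/)) r = substr($0, RSTART + 11, RLENGTH - 11)
    if (match($0, /peer: [^,]+/))      p = substr($0, RSTART + 6,  RLENGTH - 6)
    if (match($0, /failed \([^)]*\)/)) e = substr($0, RSTART + 8,  RLENGTH - 9)
    # nginx writes IPv6 peers in brackets: [addr]:port
    fam = (p ~ /^\[/) ? "ipv6" : "ipv4"
    print r "\t" p "\t" fam "\t" e
  }' "$1"
}

# ipv6_failure_count LOGFILE -> how many failures were IPv6 connects. When every
# failure is IPv6 on a host without IPv6 routing, the resolver is handing nginx
# AAAA records it cannot use.
ipv6_failure_count() {
  ocsp_failures "$1" | awk 'BEGIN { FS = "\t" } $3 == "ipv6" { n++ } END { print n + 0 }'
}

# make_sample_log FILE: constructed log lines in the thread's format
# (documentation addresses, example.com), not real server output.
make_sample_log() {
  cat > "$1" <<'EOF'
2023/09/24 16:43:58 [error] 26718#26718: connect() to [2001:db8::11]:80 failed (101: Network is unreachable) while requesting certificate status, responder: r3.o.lencr.org, peer: [2001:db8::11]:80, certificate: "/usr/local/nginx/conf/ssl/example.com/example.com-acme.cer"
2023/09/24 16:44:02 [error] 26718#26718: connect() to 192.0.2.10:80 failed (110: Connection timed out) while requesting certificate status, responder: r3.o.lencr.org, peer: 192.0.2.10:80, certificate: "/usr/local/nginx/conf/ssl/example.com/example.com-acme-ecc.cer"
2023/09/24 16:44:05 [notice] 26718#26718: signal process started
EOF
}

# Demo on the constructed log
log=$(mktemp)
make_sample_log "$log"
ocsp_failures "$log"
echo "ipv6 failures: $(ipv6_failure_count "$log")"
rm -f "$log"
```

Run it as `ocsp_failures /usr/local/nginx/logs/error.log` (or the per-vhost error.log the vhost above points at). A "Network is unreachable" errno on a bracketed IPv6 peer, as in the thread, means the resolver returned an AAAA record for the responder on a host with no IPv6 route; nginx's `resolver` directive accepts `ipv6=off` for that case, while a "Connection timed out" on an IPv4 peer points at outbound port 80 being blocked, which is the firewall check to do first.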
     
  17. quicksalad

    @eva2000 Thanks for the confirmation, I can now stop overthinking about that error
    almost 48 hrs I think

    Here's the crt search on both the non-www and www version
    domain1.png domain2.png
    Thanks
     
  18. eva2000

  19. quicksalad

    thanks @eva2000
    Why is it that I have 2 Let's Encrypt (Issuer) certs that end in Oct, and another 2 that will end in Dec? (The 2nd maybe from the reissue?)
     
  20. eva2000

    Check your Cloudflare front end SSL cert; it could be issued by Letsencrypt too, as it and Cloudflare backup SSL certs can be issued by either Google Trust Services, Let's Encrypt, or Sectigo (Backup certificates · Cloudflare SSL/TLS docs).

    Certificate Transparency logs record all SSL certificate issuances for your domain.