SECOND_IP - SSL Becomes Invalid For Primary Domain?

Discussion in 'Install & Upgrades or Pre-Install Questions' started by JamesJamz, Dec 19, 2020.

  1. JamesJamz

    JamesJamz New Member

    Please fill in any relevant information that applies to you:
    • CentOS Version: CentOS 7 64bit ?
    • Centmin Mod Version Installed: 123.09beta01
    • Nginx Version Installed: i.e. 1.15.3
    • PHP Version Installed: 7.4
    • MariaDB MySQL Version Installed: 10.2.xx
    • When was last time updated Centmin Mod code base ? : Today
    • Persistent Config: Do you have any persistent config file options set in /etc/centminmod/custom_config.inc ? You can check via this command:
      Code (Text):
      PHPFINFO='y'
      LETSENCRYPT_DETECT=y
      SECOND_IP=IP_ADDRESS
      

      Post output in CODE tags.

    So, not sure what's gone wrong here. I followed the guide here for adding a second IP address I have on the server (already set up and running):
    Sysadmin - Give a domain a different IP?

    But then went to issue a LetsEncrypt cert to the new domain I'm putting on the secondary IP address, and it seems to have knocked all my SSL certs off for all the domains I have on the primary IP address.

    I tried re-issuing them, and they're still not coming back on. No errors in the output of the primary domain SSL, but for the secondary IP address domain I'm trying to set up I get

    Code (Text):
    Verify error:Invalid response from http://DOMAINNAME/.well-known/acme-challenge/qY1X-kJoE4mZh_fZq2wWIjstPsTJwXX0RSlZI6w49j4 [IP_ADDRESS]
    


    When I then remove the new domain name (that is on the secondary IP address) from within /usr/local/nginx/conf/conf.d/domainname.ssl.conf - restart nginx, everything works again.

    Code (Text):
    
    #x# HTTPS-DEFAULT
     server {
       listen   IP_ADDRESS:80;
       server_name DOMAIN www.DOMAIN;
    #x#   return 302 https://DOMAIN$request_uri;
       include /usr/local/nginx/conf/staticfiles.conf;
     }
    
    #       listen   IP_ADDRESS:80;
    
    server {
      listen IP_ADDRESS:443 ssl http2;
      server_name DOMAIN www.DOMAIN;
    
      include /usr/local/nginx/conf/ssl/DOMAIN/DOMAIN.crt.key.conf;
      include /usr/local/nginx/conf/ssl_include.conf;
    
      # cloudflare authenticated origin pull cert community.centminmod.com/threads/13847/
      #ssl_client_certificate /usr/local/nginx/conf/ssl/cloudflare/DOMAIN/origin.crt;
      #ssl_verify_client on;
      http2_max_field_size 16k;
      http2_max_header_size 32k;
      http2_max_requests 50000;
      # mozilla recommended
      ssl_ciphers TLS13-AES-128-GCM-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS;
      ssl_prefer_server_ciphers   on;
      #add_header Alternate-Protocol  443:npn-spdy/3;
    
      # before enabling HSTS line below read centminmod.com/nginx_domain_dns_setup.html#hsts
      #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
      #add_header X-Frame-Options SAMEORIGIN;
      add_header X-Xss-Protection "1; mode=block" always;
      add_header X-Content-Type-Options "nosniff" always;
      #add_header Referrer-Policy "strict-origin-when-cross-origin";
      #add_header Permissions-Policy "accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=()";
      #spdy_headers_comp 5;
      ssl_buffer_size 1369;
      ssl_session_tickets on;
     
      # enable ocsp stapling
      #resolver 8.8.8.8 8.8.4.4 1.1.1.1 1.0.0.1 valid=10m;
      #resolver_timeout 10s;
      #ssl_stapling on;
      #ssl_stapling_verify on;
    
    # ngx_pagespeed & ngx_pagespeed handler
    #include /usr/local/nginx/conf/pagespeed.conf;
    #include /usr/local/nginx/conf/pagespeedhandler.conf;
    #include /usr/local/nginx/conf/pagespeedstatslog.conf;
    
      # limit_conn limit_per_ip 16;
      # ssi  on;
    
      access_log /home/nginx/domains/DOMAIN/log/access.log combined buffer=256k flush=5m;
      error_log /home/nginx/domains/DOMAIN/log/error.log;
    
      include /usr/local/nginx/conf/autoprotect/DOMAIN/autoprotect-DOMAIN.conf;
      root /home/nginx/domains/DOMAIN/public;
      # uncomment cloudflare.conf include if using cloudflare for
      # server and/or vhost site
      #include /usr/local/nginx/conf/cloudflare.conf;
      include /usr/local/nginx/conf/503include-main.conf;
    
      location / {
      include /usr/local/nginx/conf/503include-only.conf;
    
    # block common exploits, sql injections etc
    #include /usr/local/nginx/conf/block.conf;
    
      # Enables directory listings when index file not found
      #autoindex  on;
    
      # Shows file listing times as local time
      #autoindex_localtime on;
    
      # Wordpress Permalinks example
      #try_files $uri $uri/ /index.php?q=$uri&$args;
    
      }
    
      include /usr/local/nginx/conf/php.conf;
     
      include /usr/local/nginx/conf/pre-staticfiles-local-DOMAIN.conf;
      include /usr/local/nginx/conf/pre-staticfiles-global.conf;
      include /usr/local/nginx/conf/staticfiles.conf;
      include /usr/local/nginx/conf/drop.conf;
      #include /usr/local/nginx/conf/errorpage.conf;
      include /usr/local/nginx/conf/vts_server.conf;
    }
    
    


    I'm a little confused to say the least. Do I need to add the primary IP address to the .conf files of the other domain names?
     
    Last edited: Dec 19, 2020
  2. Jimmy

    Jimmy Well-Known Member

    Code:
    #ssl_client_certificate /usr/local/nginx/conf/ssl/cloudflare/DOMAIN/origin.crt;
    Maybe? Not sure if that's needed or not with your config.
     
  3. JamesJamz

    JamesJamz New Member

    I'm not using Cloudflare. SSL was supposed to be issued by LetsEncrypt. I checked the config files from my working domains on the primary IP address side by side with the new domain I tried to add on the secondary IP address, and they are all configured the same, except that the listen directives in the new domain.conf file had the IP addresses in place.
     
  4. Jimmy

    Jimmy Well-Known Member

    Did you try going into the ssl menu and re-issuing the cert? Otherwise, I'm not sure, @eva2000 might have a suggestion.

    Code:
    addons/acmetool.sh acme-menu
    I think I had that happen to me w/ cloudflare. I removed the whole domain and just did the whole process over again and it worked. Not sure about your situation since it's two IPs. I've used multiple IPs in the past without an issue.
     
  5. JamesJamz

    JamesJamz New Member

    Hey Jimmy,

    Yes, I did try that. It said it re-issued all the SSL certs for all the other domains, although when visiting them it stated they didn't have a valid SSL certificate, so I removed the new domain I added, restarted NGINX, and they worked again.

    I tried putting the new domain conf file back, reset NGINX again, and the SSL became invalid for all other domains on the server. Again removed the new domain conf file, reset NGINX and the SSL became active again for all the other domains on the primary IP address.

    I've tried all sorts these last couple of hours, I did find another post with a similar issue, but looks like the poster didn't create a new thread about it.

    Puzzling to say the least.
     
  6. Jimmy

    Jimmy Well-Known Member

    Post the errors you're getting, that's the only way anyone can tell what is happening or give you a solution.

    It is weird what is happening. If there is an issue, @eva2000 would need to see the errors.
     
  7. eva2000

    eva2000 Administrator Staff Member

    How did you issue the Letsencrypt SSL cert for the new domain with the secondary IP address?

    How did you try re-issuing them? Exact steps/commands you did.

    Do you mean nginx refuses to restart the service when the new domain name is in place, and when you remove it nginx restarts? Or does nginx restart, but the domain just doesn't work/is inaccessible?

    When you put the new domain nginx vhost config file back and restart nginx, what is the output of this command?
    Code (Text):
    nginx -t

    For posting code or output from commands, to keep the formatting you might want to use CODE tags: How to use forum BBCODE code tags :)

    Did you check that you properly added the 2nd IP domain to the CentOS 7 system network itself, as outlined in the 2nd post at Sysadmin - Give a domain a different IP?

    You can verify and test that the 2nd IP is working, to make sure you can ping it from within your server and from another server:
    Code (Text):
    ping -c4 your_2nd_ip_address
    

    And check the output of ifconfig to see if your 2nd IP is listed like your primary IP:
    Code (Text):
    ifconfig | grep -C2 'your_2nd_ip_address'
    

    This command should return an entry of at least 3-4 lines, including the 2nd IP address.

    You can do the same two ping and ifconfig checks with the primary IP to get an idea of what the output should look like.
     
  8. eva2000

    eva2000 Administrator Staff Member

    I just updated 123.09beta01 with a bug fix for addons/acmetool.sh for when SECOND_IP is used, at Beta Branch - update addons/acmetool.sh 1.0.68, so you can run cmupdate to update your local code first. Though the fix is for symptoms that don't exactly match the experience you described.

    What I found bug-wise was that when the optional non-default SECOND_IP is set and you choose letsencrypt option 4 with HTTPS default (so non-HTTPS is redirected to HTTPS via a 302 redirect), then letsencrypt will fail to validate this domain using SECOND_IP, as the non-HTTPS server{} context in the domain.com.ssl.conf nginx vhost is missing the root directive for /home/nginx/domains/domain.com/public, and without that entry it instead defaults to the primary IP's root directive, which is at /usr/local/nginx/html. So when letsencrypt goes to validate the domain at domain.com/.well-known/acme-challenge/Wtvgu8j*** it fails, as nginx is telling it to look at /usr/local/nginx/html/.well-known/acme-challenge/Wtvgu8j*** instead of the correct location at /home/nginx/domains/domain.com/public/.well-known/acme-challenge/Wtvgu8j***. This is only a problem when SECOND_IP (Beta Branch - update nginx vhost generator routines support second IP) is set, it seems.

    But the problem I see presents itself as only the SECOND_IP domain's validation failing for letsencrypt; other domains on the primary IP with letsencrypt are fine and unaffected.

    For that new domain, if the site has no data, I would try removing the new domain and, after running cmupdate, try again to create the new domain from scratch.

    To properly remove an Nginx vhost, the instructions are on the official site at How to delete Nginx vhost account for existing domain/subdomain ?, and each Nginx vhost creation's ending output also lists the commands.

    You also get a log file for each Nginx vhost created, which also lists the commands, in 123.09beta01 and higher. Example for the http2.domain.com remove log at /root/centminlogs/centminmod_140218-021218_nginx_addvhost_nv-remove-cmds-http2.domain.com.log:
    Code (Text):
    ls -lahrt /root/centminlogs/ | grep remove
    -rw-r--r--   1 root root 1.3K Feb 14 02:12 centminmod_140218-021218_nginx_addvhost_nv-remove-cmds-http2.domain.com.log
    


    Or, if you can't remove the new domain, you can modify its nginx vhost at /usr/local/nginx/conf/conf.d/domainname.ssl.conf and add the root directive to the non-HTTPS server{} context for the 302 redirect,

    so change from
    Code (Text):
    #x# HTTPS-DEFAULT
     server {
       listen   IP_ADDRESS:80;
       server_name DOMAIN www.DOMAIN;
    #x#   return 302 https://DOMAIN$request_uri;
       root /home/nginx/domains/DOMAIN/public;
       include /usr/local/nginx/conf/staticfiles.conf;
     }
    

    to
    Code (Text):
    #x# HTTPS-DEFAULT
     server {
       listen   IP_ADDRESS:80;
       server_name DOMAIN www.DOMAIN;
       return 302 https://DOMAIN$request_uri;
       root /home/nginx/domains/DOMAIN/public;
       include /usr/local/nginx/conf/staticfiles.conf;
     }
    
     
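    The condition eva2000 describes above can be checked before re-issuing a cert. The following is an added example, not Centmin Mod's own code: a POSIX shell check that lists every top-level server{} block in a vhost file with its listen address and root directive, flags port-80 blocks with no root, and shows where nginx would then look for the ACME challenge file. The sample vhost is constructed for the example; the fallback root /usr/local/nginx/html and the domain paths are taken from the thread.

```shell
# Added example, not Centmin Mod code. Finds the condition eva2000 describes: a
# server{} context listening on port 80 with no root directive, so nginx falls
# back to its default root and looks for the ACME challenge file in the wrong place.
DEFAULT_ROOT="/usr/local/nginx/html"   # nginx fallback root under Centmin Mod's prefix (from the thread)

# Constructed sample vhost in the thread's layout: port-80 block without root,
# port-443 block with root. Written to a temp file so the check runs offline.
make_sample_vhost() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
 server {
   listen   IP_ADDRESS:80;
   server_name DOMAIN www.DOMAIN;
#x#   return 302 https://DOMAIN$request_uri;
 }
server {
  listen IP_ADDRESS:443 ssl http2;
  root /home/nginx/domains/DOMAIN/public;
  location / { try_files $uri $uri/ =404; }
}
EOF
  echo "$f"
}

# Print one line per top-level server{} block: "<listen> <root or MISSING>".
# Comments are stripped; braces are counted so nested location{} blocks do not end the server block early.
vhost_roots() {
  awk '
    { sub(/#.*/, "") }
    /^[[:space:]]*server[[:space:]]*[{]/ { inblk = 1; depth = 0; listen = ""; root = "" }
    inblk {
      depth += gsub(/[{]/, "{") - gsub(/[}]/, "}")
      if ($1 == "listen") { listen = $2; sub(/;$/, "", listen) }
      if ($1 == "root")   { root = $2;   sub(/;$/, "", root) }
      if (depth <= 0 && $0 ~ /[}]/) { printf "%s %s\n", listen, (root == "" ? "MISSING" : root); inblk = 0 }
    }' "$1"
}

# Where nginx would look for /.well-known/acme-challenge/<token>; MISSING means the fallback root applies.
acme_path() {
  r="$1"; if [ "$r" = "MISSING" ]; then r="$DEFAULT_ROOT"; fi
  printf '%s/.well-known/acme-challenge/%s\n' "$r" "$2"
}

# Exit 1 and name the offending listen directive when a port-80 block has no root.
check_port80_root() {
  vhost_roots "$1" | awk '$1 ~ /:80$|^80$/ && $2 == "MISSING" { print "port-80 server{} without root:", $1; bad = 1 }
                          END { exit bad }'
}
```

    Run `check_port80_root /usr/local/nginx/conf/conf.d/domainname.ssl.conf` against a real vhost; a non-zero exit means the port-80 context would serve the challenge from the fallback root rather than the domain's public directory.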
  9. eva2000

    eva2000 Administrator Staff Member

    Oh, wait another 20 minutes from this post. Just found another bug that needs fixing :)
     
  10. eva2000

    eva2000 Administrator Staff Member
