Want more timely Centmin Mod News Updates?
Become a Member

Bug Set up new site with live LE SSL

Discussion in 'AlmaLinux 8 & Rocky Linux 8 Beta Testing' started by Tracy Perry, Nov 11, 2022.

  1. Tracy Perry

    Tracy Perry Active Member

    276
    115
    43
    Aug 24, 2014
    Texas
    Ratings:
    +205
    Local Time:
    11:02 PM
    1.21.6
    MariaDB 10.3.36
    1. Your web host and VPS/dedicated server plan?
    Code:
    Hetzner 4cCPU/8GB
    2. Centmin Mod installed version info via command below:

    Code:
    [root@rem.astrowhat.com conf.d]# cminfo
    Installed:
      tree-1.7.0-15.el8.x86_64                                                                                                Installed:
      smem-1.5-6.el8.noarch                                                                                                   PHP Warning:  PHP Startup: Unable to load dynamic library '/usr/local/lib/php/extensions/no-debug-non-zts-20200930/memcache.so' (tried: /usr/local/lib/php/extensions/no-debug-non-zts-20200930/memcache.so (/usr/local/lib/php/extensions/no-debug-non-zts-20200930/memcache.so: cannot open shared object file: No such file or directory), /usr/local/lib/php/extensions/no-debug-non-zts-20200930//usr/local/lib/php/extensions/no-debug-non-zts-20200930/memcache.so.so (/usr/local/lib/php/extensions/no-debug-non-zts-20200930//usr/local/lib/php/extensions/no-debug-non-zts-20200930/memcache.so.so: cannot open shared object file: No such file or directory)) in Unknown on line 0
    ------------------------------------------------------------------
     Centmin Mod Quick Info:
    ------------------------------------------------------------------
    Server Location Info
      city: null
      region: null
      country: US
      org: 213230 Hetzner Online GmbH
      timezone America/Chicago
    Processors physical = 1, cores = 4, virtual = 4, hyperthreading = no
          4  2445.406
          4  AMD EPYC Processor
          4  512 KB
     System Up Since:     2022-11-11 04:49:19
     System Uptime:     up 25 minutes
     MySQL Server Started     2022-11-11 04:49:22
     MySQL Uptime:         25 min 52 sec   
     MySQL Uptime (secs):     1552
     Server Type:         kvm
     CentOS Version:     8.7
     Centmin Mod:         130.00beta01.b244
     Nginx PageSpeed:     OFF
     Nginx Version:     1.23.2 (111122-042459-almalinux8-kvm-3bcdf53-br-6e975bc)
     PHP-FPM Version:     8.0.25
     MariaDB Version:     10.3.35
     CSF Firewall:         v14.17
     Memcached Server:     1.6.17
     NSD Version:        -
     Siege Version:     4.1.5
     Maldet Version:     not installed
     ClamAV Version:     not installed
     ElasticSearch:     not installed
    ------------------------------------------------------------------
    3. Provide CPU, memory and disk info via these 3 commands below:

    lscpu

    Code:
    [05:15][root@rem.astrowhat.com conf.d]# lscpu
    Architecture:        x86_64
    CPU op-mode(s):      32-bit, 64-bit
    Byte Order:          Little Endian
    CPU(s):              4
    On-line CPU(s) list: 0-3
    Thread(s) per core:  1
    Core(s) per socket:  4
    Socket(s):           1
    NUMA node(s):        1
    Vendor ID:           AuthenticAMD
    BIOS Vendor ID:      QEMU
    CPU family:          23
    Model:               49
    Model name:          AMD EPYC Processor
    BIOS Model name:     NotSpecified
    Stepping:            0
    CPU MHz:             2445.406
    BogoMIPS:            4890.81
    Hypervisor vendor:   KVM
    Virtualization type: full
    L1d cache:           32K
    L1i cache:           32K
    L2 cache:            512K
    L3 cache:            16384K
    NUMA node0 CPU(s):   0-3
    
    Flags:               fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx mmxext fxsr_opt pdpe1gb rdtscp lm rep_good nopl cpuid extd_apicid tsc_known_freq pni pclmulqdq ssse3 fma cx16 sse4_1 sse4_2 x2apic movbe popcnt aes xsave avx f16c rdrand hypervisor lahf_lm cmp_legacy cr8_legacy abm sse4a misalignsse 3dnowprefetch osvw topoext perfctr_core ssbd ibrs ibpb stibp vmmcall fsgsbase bmi1 avx2 smep bmi2 rdseed adx smap clflushopt clwb sha_ni xsaveopt xsavec xgetbv1 xsaves clzero xsaveerptr wbnoinvd arat umip rdpid arch_capabilities
    
    free -mlt
    Screen Shot 2022-11-11 at 5.19.33 AM.png

    df -hT
    Code:
    Filesystem                     Type      Size  Used Avail Use% Mounted on
    devtmpfs                       devtmpfs  3.7G     0  3.7G   0% /dev
    tmpfs                          tmpfs     3.7G     0  3.7G   0% /dev/shm
    tmpfs                          tmpfs     3.7G  8.6M  3.7G   1% /run
    tmpfs                          tmpfs     3.7G     0  3.7G   0% /sys/fs/cgroup
    /dev/mapper/almalinux_rem-root xfs       144G  9.9G  134G   7% /
    tmpfs                          tmpfs     3.7G  8.0K  3.7G   1% /tmp
    /dev/sda2                      xfs      1014M  282M  733M  28% /boot
    tmpfs                          tmpfs     758M     0  758M   0% /run/user/1000
    
    Having an issue when I create a new vhost, I usually choose a option 4 (Live) SSL from LetsEncrypt but every time I do, I get an error (which can be resolved, detailed below).

    Code:
    testcert value = lived
    
    /root/.acme.sh/acme.sh --issue -d tdperry.us -d www.tdperry.us --days 60 -w /home/nginx/domains/tdperry.us/public -k 2048 --useragent centminmod--acmesh-webroot --log /root/centminlogs/acmetool.sh-debug-log-111122-051259.log --log-level 2 --preferred-chain  "ISRG"
    [Fri Nov 11 05:13:02 CST 2022] Using CA: https://acme-v02.api.letsencrypt.org/directory
    [Fri Nov 11 05:13:02 CST 2022] Creating domain key
    [Fri Nov 11 05:13:02 CST 2022] The domain key is here: /root/.acme.sh/tdperry.us/tdperry.us.key
    [Fri Nov 11 05:13:02 CST 2022] Multi domain='DNS:tdperry.us,DNS:www.tdperry.us'
    [Fri Nov 11 05:13:02 CST 2022] Getting domain auth token for each domain
    [Fri Nov 11 05:13:03 CST 2022] Getting webroot for domain='tdperry.us'
    [Fri Nov 11 05:13:04 CST 2022] Getting webroot for domain='www.tdperry.us'
    [Fri Nov 11 05:13:04 CST 2022] Verifying: tdperry.us
    [Fri Nov 11 05:13:04 CST 2022] Pending, The CA is processing your order, please just wait. (1/30)
    [Fri Nov 11 05:13:06 CST 2022] tdperry.us:Verify error:5.161.56.239: Invalid response from https://astrowhat.com/.well-known/acme-challenge/5rI6ZV5_psxcFMwpLw-iKLNB2EsRSkDaHMW7Dhy2KYk: 404
    [Fri Nov 11 05:13:06 CST 2022] Please check log file for more details: /root/centminlogs/acmetool.sh-debug-log-111122-051259.log
    LECHECK = 1
    
    log files saved at /root/centminlogs
    
    -rw-r--r--  1 root root  2.3K Nov 11 05:12 centminmod_130.00beta01.b244_111122-051231_nginx_addvhost.log
    -rw-r--r--  1 root root   47K Nov 11 05:13 acmetool.sh-debug-log-111122-051259.log
    -rw-r--r--  1 root root  5.5K Nov 11 05:13 acmesh-issue_111122-051259.log
    -------------------------------------------------------------
    {
      "id": 1259532,
      "domain": "tdperry.us",
      "method": "http-01",
      "status": "Complete",
      "created_at": "2022-11-11T11:13:07.293461Z",
      "started_at": "2022-11-11T11:13:07.29926Z",
      "completed_at": "2022-11-11T11:13:09.750122Z",
      "result": {
        "problems": [
          {
            "name": "AAAANotWorking",
            "explanation": "tdperry.us has an AAAA (IPv6) record (2a01:4ff:f0:c00c::20) but a test request to this address over port 80 did not succeed. Your web server must have at least one working IPv4 or IPv6 address. You should either ensure that validation requests to this domain succeed over IPv6, or remove its AAAA record.",
    
            "detail": "Get \"https://tdperry.us/.well-known/acme-challenge/letsdebug-test\": dial tcp [2a01:4ff:f0:c00c::20]:443: connect: connection refused\n\nTrace:\n@0ms: Making a request to http://tdperry.us/.well-known/acme-challenge/letsdebug-test (using initial IP 2a01:4ff:f0:c00c::20)\n@0ms: Dialing 2a01:4ff:f0:c00c::20\n@14ms: Server response: HTTP 302 Moved Temporarily\n@14ms: Received redirect to https://tdperry.us/.well-known/acme-challenge/letsdebug-test\n@14ms: Dialing 2a01:4ff:f0:c00c::20\n@21ms: Experienced error: dial tcp [2a01:4ff:f0:c00c::20]:443: connect: connection refused",
    
            "severity": "Error"
       
    Apparently if you have IPv6 DNS entries, you have to specify that IPv6 in the vhost.... which you can't do because it hasn't been created yet.


    Another issue I've had is it times out... as it tries to redirect to the HTTPS site, which it can't since there is not a valid SSL cert. I can disable the 302 redirect and run a manual reissue and it works fine, then re-enable the redirect and from that point on it works.
     
    Last edited: Nov 11, 2022
  2. wmtech

    wmtech Active Member

    165
    44
    28
    Jul 22, 2017
    Ratings:
    +125
    Local Time:
    6:02 AM
    Yes, this is annoying at ipv6 enabled hosts.

    LE seems to prefer authorizing via ipv6 (if both are available) and a new host will be set up by CMM with ipv4 only. So the authorization fails and you have to manually add the ipv6 address to the vhost config and then request the LE certificate again.

    Would be perfect if the vhost would be set up with both ipv4 and ipv6 addresses if the hostname resolves to an A and an AAAA DNS record.

    Or at least if you could bind LE to authorize via IPv4 only. But I think this is not configurable.

    A quick solution is to set up the ipv4 address for the hostname in DNS first, then install the CMM vhost and add the ipv6 address record in DNS later. But be careful, if you do not also add the ipv6 address to the vhost config the renewal of LE cert will fail!
     
    Last edited: Nov 12, 2022
  3. eva2000

    eva2000 Administrator Staff Member

    52,186
    11,998
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,501
    Local Time:
    2:02 PM
    Nginx 1.25.x
    MariaDB 10.x
    Yeah it's due to Centmin Mod Nginx vhosts don't setup IPv6 by default.
    Yeah that's recommended way right now
    That definitely could be a way to do it - though if you do migrate to another server without IPv6, then you'd also have issues.

    Or if you're using Cloudflare, skip webroot letsencrypt validation and use Cloudflare DNS API as per Letsencrypt Free SSL Certificates
     
  4. cloud9

    cloud9 Premium Member Premium Member

    423
    117
    43
    Oct 6, 2015
    England
    Ratings:
    +216
    Local Time:
    5:02 AM
    1.25.3
    10.6.x
    What are the advantages / disadvantages of using IPv6 compared to IPv4, not from a CMM/Linux point of view but a website/internet point of view
     
  5. wmtech

    wmtech Active Member

    165
    44
    28
    Jul 22, 2017
    Ratings:
    +125
    Local Time:
    6:02 AM
    At this time you simply have to set up all servers and services with an IPv4 and an IPv6 address. If you miss the IPv6 address some people may not be able to reach your server/website. Using IPv6 will also be more and more important in the future.

    You cannot simply ignore IPv6 anymore, like many of us did until now.

    Reason: Many providers worldwide do not have any IPv4 addresses left and assign IPv6 addresses to their customers only. IPv4 and IPv6 nets are completely different networks and IPv4 <> IPv6 bridges/tunnels are not always available and not good for network speed and traffic.

    There are also many VPS providers who sell VPSs with IPv6 only. At the other VPS providers prices for IPv4 are raised and will continue to get higher in the future. Hetzner for example currently charges almost $5000 for a /24 IPv4 network setup and $500 per month!
     
  6. eva2000

    eva2000 Administrator Staff Member

    52,186
    11,998
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,501
    Local Time:
    2:02 PM
    Nginx 1.25.x
    MariaDB 10.x
    Still ignoring it myself LOL. But I do have some experimental 130.00beta01 code to add conditional Nginx vhost IPv6 listener support out of the box when the server does have a IPv6 resolvable public IP address. I'll start a new thread on the public forum soon inviting folks to test it out :)
     
  7. eva2000

    eva2000 Administrator Staff Member

    52,186
    11,998
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,501
    Local Time:
    2:02 PM
    Nginx 1.25.x
    MariaDB 10.x
  8. cloud9

    cloud9 Premium Member Premium Member

    423
    117
    43
    Oct 6, 2015
    England
    Ratings:
    +216
    Local Time:
    5:02 AM
    1.25.3
    10.6.x
    @eva2000

    Just setting up a new WP website for a mate, so doing a Hetzner VPS with AlmaLinux and CMM Beta under Cloudflare

    Whilst its a live site - doesn't matter if it goes tits up as not an important site and will have backups and can revert but so far everything (apart from IPV6 as I don't use it) works fine

    Also going to use IPV6 on this install as well

    @Tracy Perry - For Alma on Hetzner - I installed Rocky 8 and then migrated to Alma 8
     
  9. Tracy Perry

    Tracy Perry Active Member

    276
    115
    43
    Aug 24, 2014
    Texas
    Ratings:
    +205
    Local Time:
    11:02 PM
    1.21.6
    MariaDB 10.3.36
    i went a tad bit different direction. I installed CentOS v7 and then mounted an AlmaLinux image and then went through the default install process, blowing the CentOS v7 image off the VPS.
    Using the upgrade may have been "easier" but by doing it the way I did, I KNOW I got a clean install of AlmaLinux. ;)

    Did I mention that so far I'm digging the sh*t out of Hetzner?
     
  10. cloud9

    cloud9 Premium Member Premium Member

    423
    117
    43
    Oct 6, 2015
    England
    Ratings:
    +216
    Local Time:
    5:02 AM
    1.25.3
    10.6.x
    :D
     
  11. Tracy Perry

    Tracy Perry Active Member

    276
    115
    43
    Aug 24, 2014
    Texas
    Ratings:
    +205
    Local Time:
    11:02 PM
    1.21.6
    MariaDB 10.3.36
    Yep, I'm actually getting site visits from what appear to be valid visitors using IPv6, mainly from the EU area.
    Being an astronomy site, I figured it is a topic that has worldwide interest... and surprisingly quite a bit from China.

    Right now my plate is rather full... and I don't have any "spare" sites to set up on a new system... so I'll have to wait a bit before I can dip my toes into the pool. :bookworm: