Bug: Set up new site with live LE SSL

Discussion in 'AlmaLinux 8 & Rocky Linux 8 Beta Testing' started by Tracy Perry, Nov 11, 2022.

  1. Tracy Perry (Active Member)

    1. Your web host and VPS/dedicated server plan?
    Code:
    Hetzner 4cCPU/8GB
    2. Centmin Mod installed version info via command below:

    Code:
    [root@rem.astrowhat.com conf.d]# cminfo
    Installed:
      tree-1.7.0-15.el8.x86_64
    Installed:
      smem-1.5-6.el8.noarch
    PHP Warning:  PHP Startup: Unable to load dynamic library '/usr/local/lib/php/extensions/no-debug-non-zts-20200930/memcache.so' (tried: /usr/local/lib/php/extensions/no-debug-non-zts-20200930/memcache.so (/usr/local/lib/php/extensions/no-debug-non-zts-20200930/memcache.so: cannot open shared object file: No such file or directory), /usr/local/lib/php/extensions/no-debug-non-zts-20200930//usr/local/lib/php/extensions/no-debug-non-zts-20200930/memcache.so.so (/usr/local/lib/php/extensions/no-debug-non-zts-20200930//usr/local/lib/php/extensions/no-debug-non-zts-20200930/memcache.so.so: cannot open shared object file: No such file or directory)) in Unknown on line 0
    ------------------------------------------------------------------
     Centmin Mod Quick Info:
    ------------------------------------------------------------------
    Server Location Info
      city: null
      region: null
      country: US
      org: 213230 Hetzner Online GmbH
      timezone America/Chicago
    Processors physical = 1, cores = 4, virtual = 4, hyperthreading = no
          4  2445.406
          4  AMD EPYC Processor
          4  512 KB
     System Up Since:     2022-11-11 04:49:19
     System Uptime:     up 25 minutes
     MySQL Server Started     2022-11-11 04:49:22
     MySQL Uptime:         25 min 52 sec   
     MySQL Uptime (secs):     1552
     Server Type:         kvm
     CentOS Version:     8.7
     Centmin Mod:         130.00beta01.b244
     Nginx PageSpeed:     OFF
     Nginx Version:     1.23.2 (111122-042459-almalinux8-kvm-3bcdf53-br-6e975bc)
     PHP-FPM Version:     8.0.25
     MariaDB Version:     10.3.35
     CSF Firewall:         v14.17
     Memcached Server:     1.6.17
     NSD Version:        -
     Siege Version:     4.1.5
     Maldet Version:     not installed
     ClamAV Version:     not installed
     ElasticSearch:     not installed
    ------------------------------------------------------------------
    3. Provide CPU, memory and disk info via these 3 commands below:

    lscpu

    Code:
    [05:15][root@rem.astrowhat.com conf.d]# lscpu
    Architecture:        x86_64
    CPU op-mode(s):      32-bit, 64-bit
    Byte Order:          Little Endian
    CPU(s):              4
    On-line CPU(s) list: 0-3
    Thread(s) per core:  1
    Core(s) per socket:  4
    Socket(s):           1
    NUMA node(s):        1
    Vendor ID:           AuthenticAMD
    BIOS Vendor ID:      QEMU
    CPU family:          23
    Model:               49
    Model name:          AMD EPYC Processor
    BIOS Model name:     NotSpecified
    Stepping:            0
    CPU MHz:             2445.406
    BogoMIPS:            4890.81
    Hypervisor vendor:   KVM
    Virtualization type: full
    L1d cache:           32K
    L1i cache:           32K
    L2 cache:            512K
    L3 cache:            16384K
    NUMA node0 CPU(s):   0-3
    
    Flags:               fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx mmxext fxsr_opt pdpe1gb rdtscp lm rep_good nopl cpuid extd_apicid tsc_known_freq pni pclmulqdq ssse3 fma cx16 sse4_1 sse4_2 x2apic movbe popcnt aes xsave avx f16c rdrand hypervisor lahf_lm cmp_legacy cr8_legacy abm sse4a misalignsse 3dnowprefetch osvw topoext perfctr_core ssbd ibrs ibpb stibp vmmcall fsgsbase bmi1 avx2 smep bmi2 rdseed adx smap clflushopt clwb sha_ni xsaveopt xsavec xgetbv1 xsaves clzero xsaveerptr wbnoinvd arat umip rdpid arch_capabilities
    
    free -mlt
    [screenshot: output of free -mlt, not captured as text]

    df -hT
    Code:
    Filesystem                     Type      Size  Used Avail Use% Mounted on
    devtmpfs                       devtmpfs  3.7G     0  3.7G   0% /dev
    tmpfs                          tmpfs     3.7G     0  3.7G   0% /dev/shm
    tmpfs                          tmpfs     3.7G  8.6M  3.7G   1% /run
    tmpfs                          tmpfs     3.7G     0  3.7G   0% /sys/fs/cgroup
    /dev/mapper/almalinux_rem-root xfs       144G  9.9G  134G   7% /
    tmpfs                          tmpfs     3.7G  8.0K  3.7G   1% /tmp
    /dev/sda2                      xfs      1014M  282M  733M  28% /boot
    tmpfs                          tmpfs     758M     0  758M   0% /run/user/1000
    
    Having an issue when I create a new vhost: I usually choose option 4 (Live) SSL from LetsEncrypt, but every time I do, I get an error (which can be resolved, detailed below).


    Code:
    testcert value = lived
    
    /root/.acme.sh/acme.sh --issue -d tdperry.us -d www.tdperry.us --days 60 -w /home/nginx/domains/tdperry.us/public -k 2048 --useragent centminmod--acmesh-webroot --log /root/centminlogs/acmetool.sh-debug-log-111122-051259.log --log-level 2 --preferred-chain  "ISRG"
    [Fri Nov 11 05:13:02 CST 2022] Using CA: https://acme-v02.api.letsencrypt.org/directory
    [Fri Nov 11 05:13:02 CST 2022] Creating domain key
    [Fri Nov 11 05:13:02 CST 2022] The domain key is here: /root/.acme.sh/tdperry.us/tdperry.us.key
    [Fri Nov 11 05:13:02 CST 2022] Multi domain='DNS:tdperry.us,DNS:www.tdperry.us'
    [Fri Nov 11 05:13:02 CST 2022] Getting domain auth token for each domain
    [Fri Nov 11 05:13:03 CST 2022] Getting webroot for domain='tdperry.us'
    [Fri Nov 11 05:13:04 CST 2022] Getting webroot for domain='www.tdperry.us'
    [Fri Nov 11 05:13:04 CST 2022] Verifying: tdperry.us
    [Fri Nov 11 05:13:04 CST 2022] Pending, The CA is processing your order, please just wait. (1/30)
    [Fri Nov 11 05:13:06 CST 2022] tdperry.us:Verify error:5.161.56.239: Invalid response from https://astrowhat.com/.well-known/acme-challenge/5rI6ZV5_psxcFMwpLw-iKLNB2EsRSkDaHMW7Dhy2KYk: 404
    [Fri Nov 11 05:13:06 CST 2022] Please check log file for more details: /root/centminlogs/acmetool.sh-debug-log-111122-051259.log
    LECHECK = 1
    
    log files saved at /root/centminlogs
    
    -rw-r--r--  1 root root  2.3K Nov 11 05:12 centminmod_130.00beta01.b244_111122-051231_nginx_addvhost.log
    -rw-r--r--  1 root root   47K Nov 11 05:13 acmetool.sh-debug-log-111122-051259.log
    -rw-r--r--  1 root root  5.5K Nov 11 05:13 acmesh-issue_111122-051259.log
    -------------------------------------------------------------
    {
      "id": 1259532,
      "domain": "tdperry.us",
      "method": "http-01",
      "status": "Complete",
      "created_at": "2022-11-11T11:13:07.293461Z",
      "started_at": "2022-11-11T11:13:07.29926Z",
      "completed_at": "2022-11-11T11:13:09.750122Z",
      "result": {
        "problems": [
          {
            "name": "AAAANotWorking",
            "explanation": "tdperry.us has an AAAA (IPv6) record (2a01:4ff:f0:c00c::20) but a test request to this address over port 80 did not succeed. Your web server must have at least one working IPv4 or IPv6 address. You should either ensure that validation requests to this domain succeed over IPv6, or remove its AAAA record.",
    
            "detail": "Get \"https://tdperry.us/.well-known/acme-challenge/letsdebug-test\": dial tcp [2a01:4ff:f0:c00c::20]:443: connect: connection refused\n\nTrace:\n@0ms: Making a request to http://tdperry.us/.well-known/acme-challenge/letsdebug-test (using initial IP 2a01:4ff:f0:c00c::20)\n@0ms: Dialing 2a01:4ff:f0:c00c::20\n@14ms: Server response: HTTP 302 Moved Temporarily\n@14ms: Received redirect to https://tdperry.us/.well-known/acme-challenge/letsdebug-test\n@14ms: Dialing 2a01:4ff:f0:c00c::20\n@21ms: Experienced error: dial tcp [2a01:4ff:f0:c00c::20]:443: connect: connection refused",
    
            "severity": "Error"
       
    Apparently if you have IPv6 DNS entries, you have to specify that IPv6 in the vhost.... which you can't do because it hasn't been created yet.

    Another issue I've had is it times out... as it tries to redirect to the HTTPS site, which it can't since there is not a valid SSL cert. I can disable the 302 redirect and run a manual reissue and it works fine, then re-enable the redirect and from that point on it works.
     
    Last edited: Nov 11, 2022
  2. wmtech (Active Member)

    Yes, this is annoying on IPv6-enabled hosts.

    LE seems to prefer authorizing via IPv6 (if both are available), and a new host will be set up by CMM with IPv4 only. So the authorization fails and you have to manually add the IPv6 address to the vhost config and then request the LE certificate again.

    Would be perfect if the vhost would be set up with both IPv4 and IPv6 addresses if the hostname resolves to an A and an AAAA DNS record.

    Or at least if you could bind LE to authorize via IPv4 only. But I think this is not configurable.

    A quick solution is to set up the IPv4 address for the hostname in DNS first, then install the CMM vhost and add the IPv6 address record in DNS later. But be careful: if you do not also add the IPv6 address to the vhost config, renewal of the LE cert will fail!
     
    Last edited: Nov 12, 2022
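A pre-flight check that covers both failure modes described in this thread (the IPv6-only validation wmtech explains above, and the 302-to-HTTPS problem Tracy Perry hit in post 1), as an added example that is not Centmin Mod's or acme.sh's own code. The two vhost snippets are constructed for the example; the vhost file path under /usr/local/nginx/conf/conf.d/ and the use of `dig` for the AAAA lookup are assumptions.

```bash
#!/usr/bin/env bash
# Pre-flight check before "acme.sh --issue ... -w <webroot>" on an Nginx host.
# Added example for this thread; it is not Centmin Mod or acme.sh code.
# Two things it checks in a vhost config:
#   1. if the domain has an AAAA record, the vhost must also listen on IPv6
#      (Let's Encrypt validates over IPv6 when an AAAA record exists; an
#      IPv4-only vhost means that request lands on another server block)
#   2. /.well-known/acme-challenge/ must be served over plain HTTP, not
#      302-redirected to HTTPS, because no certificate exists yet on issuance
# Assumptions (not from the thread): vhost files live under
# /usr/local/nginx/conf/conf.d/<domain>.conf and `dig` is installed.

# Constructed sample: IPv4-only vhost that redirects everything to HTTPS.
SAMPLE_VHOST_IPV4_ONLY='server {
  listen 80;
  server_name tdperry.us www.tdperry.us;
  return 302 https://$server_name$request_uri;
}'

# Constructed sample: same vhost with an IPv6 listener and the challenge
# path exempted from the redirect.
SAMPLE_VHOST_FIXED='server {
  listen 80;
  listen [::]:80;
  server_name tdperry.us www.tdperry.us;
  location ^~ /.well-known/acme-challenge/ {
    root /home/nginx/domains/tdperry.us/public;
    default_type text/plain;
  }
  location / {
    return 302 https://$server_name$request_uri;
  }
}'

# vhost_has_ipv6_listener CONFIG_TEXT -> 0 if a "listen [::]:80" or
# "listen [::]:443 ..." directive is present
vhost_has_ipv6_listener() {
  printf '%s\n' "$1" | grep -Eq '^[[:space:]]*listen[[:space:]]+\[::\]:(80|443)([^0-9]|$)'
}

# challenge_served_over_http CONFIG_TEXT -> 0 if a location block for the
# HTTP-01 challenge path exists, so it is not caught by the HTTPS redirect
challenge_served_over_http() {
  printf '%s\n' "$1" | grep -Eq '^[[:space:]]*location[[:space:]]+(\^~[[:space:]]+)?/\.well-known/acme-challenge/'
}

# issuance_risk AAAA_RECORDS CONFIG_TEXT -> prints each problem found;
# returns 1 if issuance is likely to fail, 0 if the vhost looks ready
issuance_risk() {
  local aaaa="$1" conf="$2" rc=0
  if [ -n "$aaaa" ] && ! vhost_has_ipv6_listener "$conf"; then
    echo "RISK: AAAA record ($aaaa) but no 'listen [::]:80' in vhost; LE validates over IPv6 and reaches the wrong server block"
    rc=1
  fi
  if ! challenge_served_over_http "$conf"; then
    echo "RISK: /.well-known/acme-challenge/ is not exempt from the HTTPS redirect; HTTP-01 fails until a cert exists"
    rc=1
  fi
  [ "$rc" -eq 0 ] && echo "OK: listeners match DNS and the challenge path is served over HTTP"
  return "$rc"
}

# Real usage: ./le-preflight.sh tdperry.us  (reads DNS and the live vhost file)
if [ -n "${1:-}" ]; then
  domain="$1"
  conf_file="/usr/local/nginx/conf/conf.d/${domain}.conf"   # assumed layout
  aaaa="$(dig +short AAAA "$domain" | tr '\n' ' ')"
  issuance_risk "$aaaa" "$(cat "$conf_file")"
fi
```

Run it against the domain before the first `acme.sh --issue`, and again after any DNS change: an AAAA record added later without a matching `listen [::]:80;` is exactly the renewal failure wmtech warns about, and the check catches it before the cron renewal does.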
  3. eva2000 (Administrator, Staff Member)

    Yeah, it's because Centmin Mod Nginx vhosts don't set up IPv6 by default.
    Yeah, that's the recommended way right now.
    That definitely could be a way to do it, though if you do migrate to another server without IPv6, then you'd also have issues.

    Or if you're using Cloudflare, skip webroot Letsencrypt validation and use the Cloudflare DNS API as per Letsencrypt Free SSL Certificates.
     
  4. cloud9 (Premium Member)

    What are the advantages/disadvantages of using IPv6 compared to IPv4, not from a CMM/Linux point of view but from a website/internet point of view?
     
  5. wmtech (Active Member)

    At this time you simply have to set up all servers and services with an IPv4 and an IPv6 address. If you miss the IPv6 address some people may not be able to reach your server/website. Using IPv6 will also be more and more important in the future.

    You cannot simply ignore IPv6 anymore, like many of us did until now.

    Reason: Many providers worldwide do not have any IPv4 addresses left and assign IPv6 addresses to their customers only. IPv4 and IPv6 nets are completely different networks and IPv4 <> IPv6 bridges/tunnels are not always available and not good for network speed and traffic.

    There are also many VPS providers who sell VPSs with IPv6 only. At other VPS providers, prices for IPv4 have been raised and will continue to get higher in the future. Hetzner, for example, currently charges almost $5000 for a /24 IPv4 network setup and $500 per month!
     
  6. eva2000 (Administrator, Staff Member)

    Still ignoring it myself LOL. But I do have some experimental 130.00beta01 code to add conditional Nginx vhost IPv6 listener support out of the box when the server does have an IPv6-resolvable public IP address. I'll start a new thread on the public forum soon inviting folks to test it out :)
     
  7. eva2000 (Administrator, Staff Member)

  8. cloud9 (Premium Member)

    @eva2000

    Just setting up a new WP website for a mate, so doing a Hetzner VPS with AlmaLinux and CMM Beta under Cloudflare.

    Whilst it's a live site, it doesn't matter if it goes tits up, as it's not an important site and will have backups and can revert, but so far everything (apart from IPv6, as I don't use it) works fine.

    Also going to use IPv6 on this install as well.

    @Tracy Perry - For Alma on Hetzner - I installed Rocky 8 and then migrated to Alma 8
     
  9. Tracy Perry (Active Member)

    I went a tad bit different direction. I installed CentOS v7, then mounted an AlmaLinux image and went through the default install process, blowing the CentOS v7 image off the VPS.
    Using the upgrade may have been "easier", but by doing it the way I did, I KNOW I got a clean install of AlmaLinux. ;)

    Did I mention that so far I'm digging the sh*t out of Hetzner?
     
  10. cloud9 (Premium Member)

    :D
     
  11. Tracy Perry (Active Member)

    Yep, I'm actually getting site visits from what appear to be valid visitors using IPv6, mainly from the EU area.
    Being an astronomy site, I figured it is a topic that has worldwide interest... and surprisingly quite a bit from China.

    Right now my plate is rather full... and I don't have any "spare" sites to set up on a new system... so I'll have to wait a bit before I can dip my toes into the pool. :bookworm: