
SSL Letsencrypt ssl not issued for subdomain vhost

Discussion in 'Domains, DNS, Email & SSL Certificates' started by adzkii, Apr 20, 2020.

  1. adzkii

    adzkii Member

    Code (Text):
    [Mon Apr 20 00:45:00 UTC 2020] Lets find script dir.
    [Mon Apr 20 00:45:00 UTC 2020] _SCRIPT_='/root/.acme.sh/acme.sh'
    [Mon Apr 20 00:45:00 UTC 2020] _script='/root/.acme.sh/acme.sh'
    [Mon Apr 20 00:45:00 UTC 2020] _script_home='/root/.acme.sh'
    [Mon Apr 20 00:45:00 UTC 2020] Using config home:/root/.acme.sh
    [Mon Apr 20 00:45:00 UTC 2020] LE_WORKING_DIR='/root/.acme.sh'
    [Mon Apr 20 00:45:00 UTC 2020] Running cmd: issue
    [Mon Apr 20 00:45:00 UTC 2020] _main_domain='mail.domain.com'
    [Mon Apr 20 00:45:00 UTC 2020] _alt_domains='no'
    [Mon Apr 20 00:45:00 UTC 2020] Using config home:/root/.acme.sh
    [Mon Apr 20 00:45:00 UTC 2020] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
    [Mon Apr 20 00:45:00 UTC 2020] _ACME_SERVER_HOST='acme-v02.api.letsencrypt.org'
    [Mon Apr 20 00:45:00 UTC 2020] DOMAIN_PATH='/root/.acme.sh/mail.domain.com'
    [Mon Apr 20 00:45:00 UTC 2020] '/home/nginx/domains/mail.domain.com/public' does not contain 'dns'
    [Mon Apr 20 00:45:00 UTC 2020] Using ACME_DIRECTORY: https://acme-v02.api.letsencrypt.org/directory
    [Mon Apr 20 00:45:00 UTC 2020] _init api for server: https://acme-v02.api.letsencrypt.org/directory
    [Mon Apr 20 00:45:00 UTC 2020] GET
    [Mon Apr 20 00:45:00 UTC 2020] url='https://acme-v02.api.letsencrypt.org/directory'
    [Mon Apr 20 00:45:00 UTC 2020] timeout=
    [Mon Apr 20 00:45:00 UTC 2020] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header  -g '
    [Mon Apr 20 00:45:01 UTC 2020] ret='0'
    [Mon Apr 20 00:45:01 UTC 2020] response='{
      "6hTF0nbZfHo": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
      "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
      "meta": {
        "caaIdentities": [
          "letsencrypt.org"
        ],
        "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
        "website": "https://letsencrypt.org"
      },
      "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
      "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
      "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
      "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
    }'
    [Mon Apr 20 00:45:01 UTC 2020] ACME_KEY_CHANGE='https://acme-v02.api.letsencrypt.org/acme/key-change'
    [Mon Apr 20 00:45:01 UTC 2020] ACME_NEW_AUTHZ
    [Mon Apr 20 00:45:01 UTC 2020] ACME_NEW_ORDER='https://acme-v02.api.letsencrypt.org/acme/new-order'
    [Mon Apr 20 00:45:01 UTC 2020] ACME_NEW_ACCOUNT='https://acme-v02.api.letsencrypt.org/acme/new-acct'
    [Mon Apr 20 00:45:01 UTC 2020] ACME_REVOKE_CERT='https://acme-v02.api.letsencrypt.org/acme/revoke-cert'
    [Mon Apr 20 00:45:01 UTC 2020] ACME_AGREEMENT='https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf'
    [Mon Apr 20 00:45:01 UTC 2020] ACME_NEW_NONCE='https://acme-v02.api.letsencrypt.org/acme/new-nonce'
    [Mon Apr 20 00:45:01 UTC 2020] ACME_VERSION='2'
    [Mon Apr 20 00:45:01 UTC 2020] Le_NextRenewTime
    [Mon Apr 20 00:45:01 UTC 2020] _on_before_issue
    [Mon Apr 20 00:45:01 UTC 2020] _chk_main_domain='mail.domain.com'
    [Mon Apr 20 00:45:01 UTC 2020] _chk_alt_domains
    [Mon Apr 20 00:45:01 UTC 2020] '/home/nginx/domains/mail.domain.com/public' does not contain 'no'
    [Mon Apr 20 00:45:01 UTC 2020] Le_LocalAddress
    [Mon Apr 20 00:45:01 UTC 2020] d='mail.domain.com'
    [Mon Apr 20 00:45:01 UTC 2020] Check for domain='mail.domain.com'
    [Mon Apr 20 00:45:01 UTC 2020] _currentRoot='/home/nginx/domains/mail.domain.com/public'
    [Mon Apr 20 00:45:01 UTC 2020] d
    [Mon Apr 20 00:45:01 UTC 2020] '/home/nginx/domains/mail.domain.com/public' does not contain 'apache'
    [Mon Apr 20 00:45:01 UTC 2020] _saved_account_key_hash='0qn73TTxalGaekfufPW+sj9CT4rueLUqYxvtO6/DEoc='
    [Mon Apr 20 00:45:01 UTC 2020] _saved_account_key_hash is not changed, skip register account.
    [Mon Apr 20 00:45:01 UTC 2020] Read key length:
    [Mon Apr 20 00:45:01 UTC 2020] Creating domain key
    [Mon Apr 20 00:45:01 UTC 2020] Using config home:/root/.acme.sh
    [Mon Apr 20 00:45:01 UTC 2020] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
    [Mon Apr 20 00:45:01 UTC 2020] _ACME_SERVER_HOST='acme-v02.api.letsencrypt.org'
    [Mon Apr 20 00:45:01 UTC 2020] Domain key exists, do you want to overwrite the key?
    [Mon Apr 20 00:45:01 UTC 2020] Add '--force', and try again.
    [Mon Apr 20 00:45:01 UTC 2020] Create domain key error.
    [Mon Apr 20 00:45:01 UTC 2020] pid
    [Mon Apr 20 00:45:01 UTC 2020] No need to restore nginx, skip.
    [Mon Apr 20 00:45:01 UTC 2020] _clearupdns
    [Mon Apr 20 00:45:01 UTC 2020] dns_entries
    [Mon Apr 20 00:45:01 UTC 2020] skip dns.
    [Mon Apr 20 00:45:01 UTC 2020] _on_issue_err
    [Mon Apr 20 00:45:01 UTC 2020] Please check log file for more details: /root/centminlogs/acmetool.sh-debug-log-200420-004414.log
    [Mon Apr 20 00:45:01 UTC 2020] _chk_vlist
    

    Code (Text):
    mail.domain.com is not a top level domain
    your server IPv4 IP address: 78.141.22x.xxx
    current DNS A record IPv4 address for mail.domain.com is: 78.141.22x.xxx
    Do you want to continue [y/n]: y
    


    Can't figure out why. The domain entry is correct:
    mail.domain.com A 78.141.22x.xxx
     
  2. eva2000

    eva2000 Administrator Staff Member

    Did you previously run mail.domain.com nginx vhost creation? The clue is:
    Code (Text):
    [Mon Apr 20 00:45:01 UTC 2020] Domain key exists, do you want to overwrite the key?
    [Mon Apr 20 00:45:01 UTC 2020] Add '--force', and try again.
    [Mon Apr 20 00:45:01 UTC 2020] Create domain key error.
    

    First, try running your intended SSL certificate domain through the letsdebug.net online testing tool to check for potential errors with HTTP-01 validation. If you created a Centmin Mod 123.09beta01 or higher Nginx site with Letsencrypt via centmin.sh menu option 2, 22 or the nv command line, you now also have an automatic letsdebug.net API check log saved at /root/centminlogs/letsdebug-yourdomain.com-${DT}.log, where yourdomain.com is the domain specified during nginx vhost creation and DT is the date/timestamp. Inspecting the /root/centminlogs/letsdebug-yourdomain.com-${DT}.log log will also give you clues as to why Letsencrypt SSL certificate issuance failed.

    How was the initial Letsencrypt SSL certificate obtained? Which method?
    • Was the domain nginx vhost already created prior, or was the domain nginx vhost site set up for the first time?
    • Via centmin.sh menu option 2, 22, or /usr/bin/nv?
    • If you ran centmin.sh menu option 2 or 22, which Letsencrypt option did you select from:
      Code (Text):
      -------------------------------------------------------------
      Setup full Nginx vhost + Wordpress + WP Plugins
      -------------------------------------------------------------
      
      Enter vhost domain name you want to add (without www. prefix): acme3.domain1.com
      
      Create a self-signed SSL certificate Nginx vhost? [y/n]: n
      Get Letsencrypt SSL certificate Nginx vhost? [y/n]: y
      
      You have 4 options:
      1. issue staging test cert with HTTP + HTTPS
      2. issue staging test cert with HTTPS default
      3. issue live cert with HTTP + HTTPS
      4. issue live cert with HTTPS default
      Enter option number 1-4: 1
      
    • Via addons/acmetool.sh? Which specific command? Examples:
      Code (Text):
      ./acmetool.sh issue acme.domain.com
      
      Code (Text):
      ./acmetool.sh issue acme.domain.com live
      
      Code (Text):
      ./acmetool.sh issue acme.domain.com d
      
      Code (Text):
      ./acmetool.sh issue acme.domain.com lived
      
    • What was the order of steps you did? Did you run centmin.sh menu option 2 first with Letsencrypt? Then did you run addons/acmetool.sh afterwards?

    Centmin Mod Self-Signed SSL Fallback

    If you're seeing Centmin Mod's self-signed SSL certificate instead of a Letsencrypt SSL certificate, that's the acmetool.sh and Centmin Mod fallback: if Letsencrypt verification fails to obtain a Letsencrypt SSL certificate, it falls back to the Centmin Mod self-signed SSL certificate on the HTTPS port 443 side, so as to preserve the HTTPS nginx vhost.

    Troubleshooting

    There are various steps you can take to troubleshoot failed Letsencrypt issuances, renewals, reissues etc.
    • acmetool.sh logs all command line or shell menu runs to log files at /root/centminlogs. To troubleshoot, copy the contents of the log run and post the contents of the log to pastebin.com or gist.github.com and share the link in this thread. To find the log, list the logs in ascending date order:
      Code (Text):
      ls -lahrt /root/centminlogs
    • For direct acmetool.sh runs, there should be 2nd, 3rd & 4th logs in the format /root/centminlogs/centminmod_${DT}_nginx_addvhost_nv.log, /root/centminlogs/acmetool.sh-debug-log-$DT.log and /root/centminlogs/acmesh-issue_*.log or /root/centminlogs/acmesh-reissue_*.log, which would need to be included via a separate pastebin.com or gist.github.com post.
    • Enable acmetool.sh debug mode. In the persistent config file at /etc/centminmod/custom_config.inc (create it if it doesn't exist), add and enable acmetool.sh debug mode, which gives much more verbose Letsencrypt issuance process information when you re-run acmetool.sh or the centmin.sh menu options 2, 22 or /usr/bin/nv command lines:
      Code (Text):
      ACMEDEBUG='y'
    If acme.sh auto renewals didn't happen, check the output of the following commands:
    Code (Text):
    grep acme /var/log/cron* | sed -e "s|$(hostname -s)|host|g"
    

    Code (Text):
    echo y | /usr/local/src/centminmod/addons/acmetool.sh checkdates
    

    Code (Text):
    "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh"
    

    Code (Text):
    echo | openssl s_client -connect yourdomain.com:443
    

    Without the answers to the above questions and the logs, there is nothing to help troubleshoot.

    SSLLabs Test

    Also run your HTTPS domain site through the SSLLabs tester at SSL Server Test (Powered by Qualys SSL Labs); if it says untrusted SSL cert and prompts to continue the test, continue the test.
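    The log in the opening post and the troubleshooting steps above both come down to reading the acmetool.sh / acme.sh debug output and spotting the line where issuance actually stopped. The following is an added example, not Centmin Mod's or acme.sh's own code: a small parser for the "[timestamp] message" log format and the acmetool.sh pre-flight DNS check shown in this thread. It pulls out the domain, DOMAIN_PATH and webroot, records whether the server IPv4 matched the DNS A record, and collects the error and "--force" hint lines into a verdict. The matched message strings are the ones visible in this thread; the verdict labels and the sample log are constructed for the example.

```python
"""Triage helper for acmetool.sh / acme.sh debug logs.

Added example, not Centmin Mod's or acme.sh's own code. It parses the
"[timestamp] message" lines and the acmetool.sh pre-flight DNS check shown
in the thread and reports why issuance stopped. Verdict labels and the
sample log below are constructed for this example.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

LINE_RE = re.compile(r"^\[[^\]]+\]\s?(?P<msg>.*)$")                  # "[Mon Apr 20 ...] msg"
ASSIGN_RE = re.compile(r"^(?P<key>[A-Za-z_]\w*)='(?P<val>[^']*)'$")  # _main_domain='x'
SERVER_IP_RE = re.compile(r"your server IPv4 IP address:\s*(\S+)")
DNS_IP_RE = re.compile(r"current DNS A record IPv4 address for (\S+) is:\s*(\S+)")
LOGFILE_RE = re.compile(r"Please check log file for more details:\s*(\S+)")


@dataclass
class Triage:
    domain: Optional[str] = None
    domain_path: Optional[str] = None   # acme.sh DOMAIN_PATH, where the domain key lives
    webroot: Optional[str] = None       # _currentRoot used for HTTP-01 validation
    server_ip: Optional[str] = None
    dns_ip: Optional[str] = None
    detail_log: Optional[str] = None
    errors: List[str] = field(default_factory=list)
    hints: List[str] = field(default_factory=list)

    @property
    def dns_matches_server(self) -> Optional[bool]:
        """None when the pre-flight DNS check was not in the log."""
        if self.server_ip is None or self.dns_ip is None:
            return None
        return self.server_ip == self.dns_ip

    @property
    def verdict(self) -> str:
        if "Create domain key error." in self.errors:
            return "domain-key-exists"     # an earlier run left a key in DOMAIN_PATH
        if self.dns_matches_server is False:
            return "dns-mismatch"          # HTTP-01 would be answered by another host
        if self.errors:
            return "other-error"
        return "no-error-found"


def parse_acme_log(text: str) -> Triage:
    """Walk the log once and fill a Triage record."""
    t = Triage()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        # acmetool.sh pre-flight lines carry no timestamp; use them as-is
        msg = m.group("msg").strip() if m else line
        a = ASSIGN_RE.match(msg)
        if a:
            key, val = a.group("key"), a.group("val")
            if key == "_main_domain":
                t.domain = val
            elif key == "DOMAIN_PATH":
                t.domain_path = val
            elif key == "_currentRoot":
                t.webroot = val
            continue
        if s := SERVER_IP_RE.search(msg):
            t.server_ip = s.group(1)
        elif d := DNS_IP_RE.search(msg):
            t.dns_ip = d.group(2)
        elif lf := LOGFILE_RE.search(msg):
            t.detail_log = lf.group(1)
        elif msg.rstrip(".").lower().endswith("error"):
            t.errors.append(msg)                       # e.g. "Create domain key error."
        elif "--force" in msg or "do you want to overwrite" in msg:
            t.hints.append(msg)                        # acme.sh's own next-step hints
    return t


# Constructed sample: an excerpt in the shape of the log posted in this thread.
SAMPLE_LOG = """\
mail.domain.com is not a top level domain
your server IPv4 IP address: 78.141.22x.xxx
current DNS A record IPv4 address for mail.domain.com is: 78.141.22x.xxx
Do you want to continue [y/n]: y
[Mon Apr 20 00:45:00 UTC 2020] _main_domain='mail.domain.com'
[Mon Apr 20 00:45:00 UTC 2020] DOMAIN_PATH='/root/.acme.sh/mail.domain.com'
[Mon Apr 20 00:45:01 UTC 2020] _currentRoot='/home/nginx/domains/mail.domain.com/public'
[Mon Apr 20 00:45:01 UTC 2020] Domain key exists, do you want to overwrite the key?
[Mon Apr 20 00:45:01 UTC 2020] Add '--force', and try again.
[Mon Apr 20 00:45:01 UTC 2020] Create domain key error.
[Mon Apr 20 00:45:01 UTC 2020] _on_issue_err
[Mon Apr 20 00:45:01 UTC 2020] Please check log file for more details: /root/centminlogs/acmetool.sh-debug-log-200420-004414.log
"""

if __name__ == "__main__":
    t = parse_acme_log(SAMPLE_LOG)
    print(f"{t.domain}: {t.verdict}; dns ok={t.dns_matches_server}; "
          f"errors={t.errors}; hints={t.hints}; detail log={t.detail_log}")
```

    Run against a real /root/centminlogs/acmetool.sh-debug-log-*.log the same way (read the file into parse_acme_log); a "domain-key-exists" verdict is the case in this thread, where the key directory was left behind by an earlier vhost creation or a separate mail addon issuance, while "dns-mismatch" points at the A record rather than at acme.sh.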
     
  3. eva2000

    eva2000 Administrator Staff Member

    If you're using @brijendrasial's mail addon at Install Mail Server on Centminmod, then it has its own Letsencrypt issuance routine separate from centmin.sh menu option 2, 22 or the nv command, so it may have conflicted with centmin.sh menu option 2, 22 or nv's own Letsencrypt. You'd need to sort that out in @brijendrasial's thread at Install Mail Server on Centminmod if you are creating mail.domain.com for that mail addon's purpose, and not use the centmin.sh menu option 2, 22 or nv routines for such.