SSL Letsencrypt ssl site renewal failed

Discussion in 'Domains, DNS, Email & SSL Certificates' started by gamal, Jul 8, 2019.

  1. gamal

    gamal Member

    I have changed to the www version as I need it to always redirect to https://www.3alamtaney.com

    Code (Text):
    wp option get siteurl --allow-root
    
    PHP Warning:  PHP Startup: Unable to load dynamic library 'imagick.so' (tried: /usr/local/lib/php/extensions/no-debug-non-zts-20180731/imagick.so (/usr/local/lib/php/extensions/no-debug-non-zts-20180731/imagick.so: cannot open shared object file: No such file or directory), /usr/local/lib/php/extensions/no-debug-non-zts-20180731/imagick.so.so (/usr/local/lib/php/extensions/no-debug-non-zts-20180731/imagick.so.so: cannot open shared object file: No such file or directory)) in Unknown on line 0
    خطأ Table 'wp25809db_15501.3t_nxs_log' doesn't exist في قاعدة بيانات ووردبريس  للاستعلام SHOW FULL COLUMNS FROM `3t_nxs_log` القادم من include('phar:///usr/bin/wp/php/boot-phar.php'), include('phar:///usr/bin/wp/vendor/wp-cli/wp-cli/php/wp-cli.php'), WP_CLI\bootstrap, WP_CLI\Bootstrap\LaunchRunner->process, WP_CLI\Runner->start, WP_CLI\Runner->load_wordpress, require('wp-settings.php'), do_action('init'), WP_Hook->do_action, WP_Hook->apply_filters, nxs_initSNAP, nxs_SNAP->__construct, nxs_SNAP->getAPOptions, nxs_wpAPIEngine->check, nxs_wpAPIEngine->getRemOpt, nxs_LogIt, nxsLogIt
    Error: الموقع يواجه صعوبات تقنية.
    
    


    Code (Text):
    wp option get home --allow-root
    PHP Warning:  PHP Startup: Unable to load dynamic library 'imagick.so' (tried: /usr/local/lib/php/extensions/no-debug-non-zts-20180731/imagick.so (/usr/local/lib/php/extensions/no-debug-non-zts-20180731/imagick.so: cannot open shared object file: No such file or directory), /usr/local/lib/php/extensions/no-debug-non-zts-20180731/imagick.so.so (/usr/local/lib/php/extensions/no-debug-non-zts-20180731/imagick.so.so: cannot open shared object file: No such file or directory)) in Unknown on line 0
    Error: الموقع يواجه صعوبات تقنية.
    
    


    Code (Text):
    curl -I https://3alamtaney.com
    HTTP/2 521
    date: Sat, 13 Jul 2019 15:34:11 GMT
    content-type: text/html; charset=UTF-8
    set-cookie: __cfduid=d5d545aa611ad9b8295c7e660915158311563032051; expires=Sun, 12-Jul-20 15:34:11 GMT; path=/; domain=.3alamtaney.com; HttpOnly
    expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
    set-cookie: cf_use_ob=0; path=/; expires=Sat, 13-Jul-19 15:34:41 GMT
    expires: Thu, 01 Jan 1970 00:00:01 GMT
    cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
    pragma: no-cache
    server: cloudflare
    cf-ray: 4f5c51d38c64a95e-SIN
    
    



    Code (Text):
     curl -I https://www.3alamtaney.com
    HTTP/2 521
    date: Sat, 13 Jul 2019 15:35:39 GMT
    content-type: text/html; charset=UTF-8
    set-cookie: __cfduid=d1883690a096a8d322bdbc1718b9b092a1563032139; expires=Sun, 12-Jul-20 15:35:39 GMT; path=/; domain=.3alamtaney.com; HttpOnly
    cf-cache-status: EXPIRED
    expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
    set-cookie: cf_ob_info=521:4f5c53f61eb5c377:SIN; path=/; expires=Sat, 13-Jul-19 15:36:09 GMT
    set-cookie: cf_use_ob=443; path=/; expires=Sat, 13-Jul-19 15:36:09 GMT
    expires: Thu, 01 Jan 1970 00:00:01 GMT
    cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
    pragma: no-cache
    server: cloudflare
    cf-ray: 4f5c53f61eb5c377-SIN
    
    

    Code (Text):
     curl -I http://3alamtaney.com
    HTTP/1.1 521 Origin Down
    Date: Sat, 13 Jul 2019 15:36:20 GMT
    Content-Type: text/html; charset=UTF-8
    Connection: keep-alive
    Set-Cookie: __cfduid=de6609c3b1850a19d096799546aed2c451563032180; expires=Sun, 12-Jul-20 15:36:20 GMT; path=/; domain=.3alamtaney.com; HttpOnly
    Set-Cookie: cf_use_ob=0; path=/; expires=Sat, 13-Jul-19 15:36:50 GMT
    Expires: Thu, 01 Jan 1970 00:00:01 GMT
    Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
    Pragma: no-cache
    Server: cloudflare
    CF-RAY: 4f5c54f6598da964-SIN
    
    

    Code (Text):
    curl -I http://www.3alamtaney.com
    HTTP/1.1 521 Origin Down
    Date: Sat, 13 Jul 2019 15:37:20 GMT
    Content-Type: text/html; charset=UTF-8
    Connection: keep-alive
    Set-Cookie: __cfduid=da963ed324f829aafbaa21f3d2e6c4b851563032239; expires=Sun, 12-Jul-20 15:37:19 GMT; path=/; domain=.3alamtaney.com; HttpOnly
    Set-Cookie: cf_use_ob=0; path=/; expires=Sat, 13-Jul-19 15:37:50 GMT
    Expires: Thu, 01 Jan 1970 00:00:01 GMT
    Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
    Pragma: no-cache
    Server: cloudflare
    CF-RAY: 4f5c566bcc4ac3a4-SIN
    
    
     
  2. eva2000

    eva2000 Administrator Staff Member

    for imagick php extension error, run centmin.sh menu option 15 to re-add imagick php extension

    As to the curl, all seem to be 521, so your Centmin Mod Nginx origin is down or inaccessible (Cloudflare Support), so essentially that is the problem: Cloudflare can't connect with your origin.

    Test the curl commands, but against your origin server IP, bypassing Cloudflare as instructed at: How do I check my server's response directly without Cloudflare?

    Define your real server IP in the ip variable (no need to post it on the forums); just in SSH do:

    for www https port 443
    Code (Text):
    ip=your_server_real_ip
    curl -I --silent --verbose https://www.3alamtaney.com --resolve www.3alamtaney.com:443:${ip} --insecure
    

    for non-www https port 443
    Code (Text):
    ip=your_server_real_ip
    curl -I --silent --verbose https://3alamtaney.com --resolve 3alamtaney.com:443:${ip} --insecure
    

    for www non-https port 80
    Code (Text):
    ip=your_server_real_ip
    curl -I --silent --verbose http://www.3alamtaney.com --resolve www.3alamtaney.com:80:${ip} --insecure
    

    for non-www non-https port 80
    Code (Text):
    ip=your_server_real_ip
    curl -I --silent --verbose http://3alamtaney.com --resolve 3alamtaney.com:80:${ip} --insecure
    

    these bypass Cloudflare to test your origin Centmin Mod Nginx server itself.
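    A small helper, added here as an example and not part of the original post, that derives the curl --resolve entry from the URL itself (so host and port always match the request, which is what makes the bypass actually take effect) and runs the four origin checks above; the IP 203.0.113.10 in the comments is a constructed placeholder.

```shell
#!/bin/sh
# Added example (not from the forum post): derive the curl --resolve entry from the
# URL being requested so host and port always match. curl only applies a --resolve
# rule whose host:port equals the request's, so a placeholder such as example.com:443
# never fires and the request quietly goes back through Cloudflare's DNS.

# resolve_arg URL IP -> prints "host:port:IP" for use with curl --resolve
resolve_arg() {
    url=$1; ip=$2
    case "$url" in
        https://*) port=443; rest=${url#https://} ;;
        http://*)  port=80;  rest=${url#http://} ;;
        *) echo "resolve_arg: unsupported URL scheme: $url" >&2; return 1 ;;
    esac
    hostport=${rest%%/*}                                   # strip any path
    case "$hostport" in
        *:*) host=${hostport%%:*}; port=${hostport##*:} ;;   # explicit port wins
        *)   host=$hostport ;;
    esac
    printf '%s:%s:%s\n' "$host" "$port" "$ip"
}

# origin_status URL IP -> prints the HTTP status code the origin returns, bypassing
# Cloudflare. --insecure is needed because the origin may present a self-signed or
# Cloudflare Origin CA certificate; --max-time stops a dead origin from hanging.
# A result of 000 means curl could not connect at all.
origin_status() {
    r=$(resolve_arg "$1" "$2") || return 1
    curl -I --silent --insecure --max-time 10 --resolve "$r" \
         -o /dev/null -w '%{http_code}' "$1"
}

# origin_checks DOMAIN IP -> runs the four variants from the post (www/non-www, 443/80)
# Example: origin_checks 3alamtaney.com 203.0.113.10   (203.0.113.10 is a constructed IP)
origin_checks() {
    d=$1; ip=$2
    for u in "https://www.$d" "https://$d" "http://www.$d" "http://$d"; do
        printf '%-32s %s\n' "$u" "$(origin_status "$u" "$ip")"
    done
}
```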
     
  3. gamal

    gamal Member

    OK, before I do the test I need to say I can't connect through PuTTY anymore, so I ran the DO console and ran nginx -t

    [screenshot attachment: AwesomeScreenshot-Desktop-screenshot-2019-07-13-19-07-68.png]
    Of course I can't run the tests now because I can't copy-paste the results through the DO console
     
  4. eva2000

    eva2000 Administrator Staff Member

    Check if your IP has been blocked in CSF Firewall (CSF Firewall - CentminMod.com LEMP Nginx web stack for CentOS):
    Code (Text):
    csf -g YOUR_ISP_IP

    As per SSL - Cloudflare - Improving Cloudflare Connections To Origin Server - Use ECDSA SSL Certs, that should get your https Nginx sites up at least.

    The other option is bypassing acmetool.sh/acme.sh's web root domain validation and using acmetool.sh's Cloudflare API for DNS mode: Cloudflare API Support in DNS Mode

    Add to the persistent acmetool config file at /etc/centminmod/acmetool-config.ini or the /etc/centminmod/custom_config.inc global persistent config file (create the file if it doesn't exist) and set the Cloudflare API key and email before running acmetool.sh, where CF_EMAIL is the email used for your Cloudflare account:
    Code (Text):
    ###############################################################
    # Cloudflare DNS API for DNS Mode
    # https://github.com/Neilpang/acme.sh/tree/master/dnsapi
    # login to your Cloudflare account to get your API Key in
    # My Settings section of your account
    # to ensure these settings persist DO NOT change them in this
    # script but set these variables in persistent config file at
    # /etc/centminmod/acmetool-config.ini
    # set to CF_DNSAPI='y' and fill in CF_KEY and CF_EMAIL settings
    CF_DNSAPI='y'
    CF_KEY=''
    CF_EMAIL=''
    ###############################################################


    Run /usr/local/src/centminmod/addons/acmetool.sh certonly-issue in CF DNS API mode, which validates your domain over the Cloudflare DNS API instead of the web root /.well-known method:
    Code (Text):
    cd /usr/local/src/centminmod/addons/
    ./acmetool.sh certonly-issue 3alamtaney.com live
    

    Then run the acme.sh installcert command to populate /usr/local/nginx/conf/ssl/3alamtaney.com/ with the letsencrypt issued SSL certs from certonly-issue mode:
    Code (Text):
    /root/.acme.sh/acme.sh --installcert -d 3alamtaney.com --certpath /usr/local/nginx/conf/ssl/3alamtaney.com/3alamtaney.com-acme.cer --keypath /usr/local/nginx/conf/ssl/3alamtaney.com/3alamtaney.com-acme.key --capath /usr/local/nginx/conf/ssl/3alamtaney.com/3alamtaney.com-acme.cer --reloadCmd /usr/bin/ngxreload --fullchainpath /usr/local/nginx/conf/ssl/3alamtaney.com/3alamtaney.com-fullchain-acme.key
    

    Then restarting nginx will resolve the missing SSL certs:
    Code (Text):
    ngxrestart
     
  5. gamal

    gamal Member

    WooooW. This was a long journey, it worked at last, thanks to you.
    The level of support you are providing is really extraordinary; some paid services don't provide the same support as you do.

    So, to make sure I'm not running into this every time it renews certificates, should I set up a cron or is it installed automatically with the commands you provided before??
     
  6. eva2000

    eva2000 Administrator Staff Member

    You're welcome :)

    Yes, the acme.sh cronjob that is running will auto-renew the SSL certificate obtained via acmetool.sh certonly-issue via the Cloudflare DNS API, as long as you have the CF DNS API settings intact:
    Code (Text):
    ###############################################################
    # Cloudflare DNS API for DNS Mode
    # https://github.com/Neilpang/acme.sh/tree/master/dnsapi
    # login to your Cloudflare account to get your API Key in
    # My Settings section of your account
    # to ensure these settings persist DO NOT change them in this
    # script but set these variables in persistent config file at
    # /etc/centminmod/acmetool-config.ini
    # set to CF_DNSAPI='y' and fill in CF_KEY and CF_EMAIL settings
    CF_DNSAPI='y'
    CF_KEY=''
    CF_EMAIL=''
    ###############################################################
    

    If however you want to remove the CF DNS API method and go back to webroot /.well-known validation, you can use acmetool.sh's reissue-only option for existing nginx HTTPS SSL vhosts with domain.com.ssl.conf vhost config files that exist. This only does a reissue of the letsencrypt SSL cert without touching the nginx vhost. Ideal for use when you tried creating a Nginx HTTPS SSL default vhost site but letsencrypt SSL issuance failed the first time. When it fails, Centmin Mod usually falls back to a self-signed SSL cert as a placeholder for the domain.com.ssl.conf vhost config. When you run:
    Code (Text):
    cd /usr/local/src/centminmod/addons
    ./acmetool.sh reissue-only domain.com live

    So for you it would be:
    Code (Text):
    cd /usr/local/src/centminmod/addons
    ./acmetool.sh reissue-only 3alamtaney.com live
    

    It will only try reissuing the letsencrypt SSL certificate for the domain (domain.com) as a live production SSL certificate, without touching any of the existing nginx vhost config at domain.com.ssl.conf.

    Then when that renews properly, you can remove CF_DNSAPI/CF_KEY related settings.
     
  7. gamal

    gamal Member

    It doesn't really matter for me as long as the website is working and performing well, or does one method have better options than another???
     
  8. eva2000

    eva2000 Administrator Staff Member

    Both methods work well; it's just that I am usually not comfortable recommending that folks leave their Cloudflare Global API Token Key on the server: in case of a compromise of the server, they will have access to all sites on a person's Cloudflare account! Especially folks new to server administration/management who may expose access to their server via various means, i.e. not using a VPN 24/7 and using unprotected public wifi and having their server root password captured, providing root server access to folks you may not 100% trust, using weak root user passwords, etc.

    Cloudflare does have, in beta testing, role/permission-specific API tokens you can generate with restricted permissions, similar to Amazon AWS IAM credential features. But that isn't publicly available yet. The feature is awesome, so I can't wait for the public release so I can integrate the Cloudflare API more into the Centmin Mod LEMP stack with restricted-permission API keys etc.