I did this before on a test domain, but now trying on a production box/domain and it's not working.

Code:
[14:59][root@XXXXXXXXXXXXX.linode.com thetruckstop.us]# /root/.acme.sh/acme.sh --force --issue --days 60 -d thetruckstop.us -d www.thetruckstop.us -w /home/nginx/domains/thetruckstop.us/public -k 2048 --useragent centminmod-centos-acmesh-webroot --log /root/centminlogs/acmetool.sh-debug-log-thetruckstop.us.log --log-level 2
[Thu Sep 6 15:57:43 CDT 2018] Multi domain='DNS:thetruckstop.us,DNS:www.thetruckstop.us'
[Thu Sep 6 15:57:43 CDT 2018] Getting domain auth token for each domain
[Thu Sep 6 15:57:43 CDT 2018] Getting webroot for domain='thetruckstop.us'
[Thu Sep 6 15:57:43 CDT 2018] Getting new-authz for domain='thetruckstop.us'
[Thu Sep 6 15:57:44 CDT 2018] The new-authz request is ok.
[Thu Sep 6 15:57:44 CDT 2018] Getting webroot for domain='www.thetruckstop.us'
[Thu Sep 6 15:57:44 CDT 2018] Getting new-authz for domain='www.thetruckstop.us'
[Thu Sep 6 15:57:44 CDT 2018] The new-authz request is ok.
[Thu Sep 6 15:57:44 CDT 2018] Verifying:thetruckstop.us
[Thu Sep 6 15:57:47 CDT 2018] thetruckstop.us:Verify error:Invalid response from http://thetruckstop.us/.well-known/acme-challenge/JWtBhoIpchOhQULGNzcW1eJvsii549awa6XUJlh5U10:
[Thu Sep 6 15:57:47 CDT 2018] Please check log file for more details: /root/centminlogs/acmetool.sh-debug-log-thetruckstop.us.log

Here is the log file output: [Thu Sep 6 15:57:42 CDT 2018] Lets find script dir. [Thu Sep 6 15:57:42 CDT 2 - Pastebin.com

Following this guide: Migrating Existing Nginx Vhost From HTTP to HTTP/2 based HTTPS With Letsencrypt SSL Certificates

Any help or ideas/pointers would be appreciated!
letsencrypt server domain validation via webroot authentication is hitting a 403 permission denied error from your log output when accessing /.well-known/acme-challenge/*

Code (Text):
[Thu Sep 6 15:57:47 CDT 2018] response='{"type":"http-01","status":"invalid","error":{"type":"urn:acme:error:unauthorized","detail":"Invalid response from http://thetruckstop.us/.well-known/acme-challenge/JWtBhoIpchOhQULGNzcW1eJvsii549awa6XUJlh5U10: \"\u003chtml\u003e\r\n\u003chead\u003e\u003ctitle\u003e403 Forbidden\u003c/title\u003e\u003c/head\u003e\r\n\u003cbody

When you create a new nginx vhost domain via centmin.sh menu option 2 or menu option 22 or via the /usr/bin/nv cli command line, you will create the Nginx vhost files and directories. You will get the output path location where it will create the domain name's vhost conf file named newdomain.com.conf (and newdomain.com.ssl.conf if you selected yes to self signed SSL):

Nginx vhost conf path will be at /usr/local/nginx/conf/conf.d/newdomain.com.conf
Nginx HTTP/2 SSL vhost conf path will be at /usr/local/nginx/conf/conf.d/newdomain.com.ssl.conf
Nginx Self-Signed SSL Certificate Directory at /usr/local/nginx/conf/ssl/newdomain.com
Vhost public web root will be at /home/nginx/domains/newdomain.com/public
Vhost log directory will be at /home/nginx/domains/newdomain.com/log

Please post the contents of /usr/local/nginx/conf/conf.d/newdomain.com.conf and if applicable /usr/local/nginx/conf/conf.d/newdomain.com.ssl.conf wrapped in CODE tags (outlined at How to use forum BBCODE code tags).

What is the output of these commands in ssh?

Code (Text):
curl -I https://domain.com

Code (Text):
curl -I https://www.domain.com

Code (Text):
curl -I http://domain.com

Code (Text):
curl -I http://www.domain.com

Wrap output in CODE tags.
Code:
# Centmin Mod Getting Started Guide
# must read http://centminmod.com/getstarted.html
# redirect from non-www to www
# uncomment, save file and restart Nginx to enable
# if unsure use return 302 before using return 301
server {
    listen 80;
    server_name thetruckstop.us;
    return 301 $scheme://www.thetruckstop.us$request_uri;
}

server {
    server_name thetruckstop.us www.thetruckstop.us;
    access_log /home/nginx/domains/thetruckstop.us/log/access.log combined buffer=256k flush=60m;
    error_log /home/nginx/domains/thetruckstop.us/log/error.log;
    root /home/nginx/domains/thetruckstop.us/public;

    location / {
        rewrite ^/(.*) http://www.$server_name/forum/ permanent;
    }

    # prevent access to ./directories and files
    location ~ (?:^|/)\. {
        deny all;
    }

    location /forum/ {
        index index.php index.html index.htm;
        try_files $uri $uri/ /forum/index.php?$uri&$args;
    }

    location /forum/internal_data/ {
        internal;
        allow 127.0.0.1;
        deny all;
    }

    location /forum/library/ {
        internal;
        allow 127.0.0.1;
        deny all;
    }

    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }

    include /usr/local/nginx/conf/staticfiles.conf;
    include /usr/local/nginx/conf/php.conf;
    include /usr/local/nginx/conf/drop.conf;
    #include /usr/local/nginx/conf/errorpage.conf;
    include /usr/local/nginx/conf/vts_server.conf;
}

Code:
[15:57][root@XXXXXXX.linode.com thetruckstop.us]# curl -I https://thetruckstop.us
curl: (7) Failed connect to thetruckstop.us:443; Connection refused
[16:39][root@XXXXXXX.linode.com thetruckstop.us]# curl -I https://www.thetruckstop.us
curl: (7) Failed connect to www.thetruckstop.us:443; Connection refused

Code:
[16:39][root@XXXXXXX.linode.com thetruckstop.us]# curl -I http://thetruckstop.us
HTTP/1.1 301 Moved Permanently
Date: Thu, 06 Sep 2018 21:40:24 GMT
Content-Type: text/html
Content-Length: 178
Connection: keep-alive
Location: http://www.thetruckstop.us/
Server: nginx centminmod
X-Powered-By: centminmod

[16:40][root@XXXXXXX.linode.com thetruckstop.us]# curl -I http://www.thetruckstop.us
HTTP/1.1 301 Moved Permanently
Date: Thu, 06 Sep 2018 21:40:41 GMT
Content-Type: text/html
Content-Length: 178
Connection: keep-alive
Location: http://www.thetruckstop.us/forum/
Server: nginx centminmod
X-Powered-By: centminmod
remove this rule

Code (Text):
# prevent access to ./directories and files
location ~ (?:^|/)\. {
    deny all;
}

as it prevents .well-known url access

not sure if this one will cause issues too so try one or both rules removed

Code (Text):
location / {
    rewrite ^/(.*) http://www.$server_name/forum/ permanent;
}

or place before the rewrite rule

Code (Text):
# prepare for letsencrypt
# https://community.centminmod.com/posts/17774/
location ~ /.well-known {
    location ~ /.well-known/acme-challenge/(.*) {
        more_set_headers "Content-Type: text/plain";
    }
}

it's already contained in your vhost's /usr/local/nginx/conf/staticfiles.conf include file but that is further down the order of things
That worked, but I guess I've done something wrong.

Code:
[17:17][root@XXXXXX.members.linode.com thetruckstop.us]# nginx -t
nginx: [emerg] access_log "/home/nginx/domains/thetruckstop.us/log/access.log" already defined with conflicting parameters in /usr/local/nginx/conf/conf.d/thetruckstop.us.ssl.conf:52
nginx: configuration file /usr/local/nginx/conf/nginx.conf test failed
[17:17][root@XXXXXXXX.linode.com thetruckstop.us]#

Config File: thetruckstop.us.ssl.conf - Pastebin.com
When I rename my file to .OLD and rerun the test, Nginx restarts fine. The file contents are pasted above. So, it doesn't like something in my new ssl.conf file.
access_log directive flush times differ: the old vhost had 60m while the new ssl vhost has a flush time of 5m. Choose one value for all nginx vhosts. 123.09beta01 defaults to a 5m flush these days. Though if you have HTTPS, you will eventually be disabling the non-HTTPS version.
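As an added example (not code from this thread or from Centmin Mod's own vhost templates), here is a trimmed HTTP/HTTPS vhost pair for the domain in this thread that applies both fixes discussed above: the dotfile deny rule is kept, but the ACME challenge location takes precedence through the ^~ prefix modifier instead of relying on file order, and both server blocks use identical access_log parameters so the shared log path no longer conflicts. The ssl_certificate paths are placeholders, and the forum/PHP locations and Centmin Mod include files are omitted.

```nginx
# Added example, not Centmin Mod's own vhost template.
server {
    listen 80;
    server_name thetruckstop.us www.thetruckstop.us;
    root /home/nginx/domains/thetruckstop.us/public;

    # Both server blocks write to this path, so buffer= and flush= must match
    # exactly; differing values make "nginx -t" fail with
    # "already defined with conflicting parameters".
    access_log /home/nginx/domains/thetruckstop.us/log/access.log combined buffer=256k flush=5m;
    error_log  /home/nginx/domains/thetruckstop.us/log/error.log;

    # "^~" on the longest matching prefix makes nginx skip every regex location,
    # so the dotfile deny below never sees /.well-known/acme-challenge/<token>,
    # regardless of where in the file this block sits. acme.sh writes the token
    # file under $root/.well-known/acme-challenge/ (the -w webroot).
    location ^~ /.well-known/acme-challenge/ {
        default_type text/plain;
        try_files $uri =404;
    }

    # Every other dot path (.git, .env, .htaccess, ...) stays denied.
    location ~ (?:^|/)\. {
        deny all;
    }

    # Same redirect as the original vhost; challenge requests never reach it.
    location / {
        return 301 http://www.thetruckstop.us/forum/;
    }
}

server {
    listen 443 ssl http2;
    server_name thetruckstop.us www.thetruckstop.us;
    root /home/nginx/domains/thetruckstop.us/public;

    # Placeholder paths: point these at the files acme.sh installed.
    ssl_certificate     /path/to/thetruckstop.us/fullchain.pem;
    ssl_certificate_key /path/to/thetruckstop.us/privkey.pem;

    # Identical to the port-80 block (same buffer=256k flush=5m).
    access_log /home/nginx/domains/thetruckstop.us/log/access.log combined buffer=256k flush=5m;
    error_log  /home/nginx/domains/thetruckstop.us/log/error.log;

    location ^~ /.well-known/acme-challenge/ { default_type text/plain; try_files $uri =404; }
    location ~ (?:^|/)\. { deny all; }
}
```

Run nginx -t after editing, then confirm with curl -I http://thetruckstop.us/.well-known/acme-challenge/test that the path returns 404 (file absent) rather than 403 before re-running acme.sh.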
Yep, that was it. Everything seems to be working fine now. I will now start to redirect everyone to HTTPS.