SSL Letsencrypt Unable to create new letsencrypt certificate

Discussion in 'Domains, DNS, Email & SSL Certificates' started by Fernando, Jun 12, 2020.

  1. Fernando

    Fernando Member

    Please fill in any relevant information that applies to you:
    • CentOS Version: CentOS 7 64bit ?
    • Centmin Mod Version Installed: 123.09beta01
    • Nginx Version Installed: 1.19.0
    • PHP Version Installed: 7.4
    • MariaDB MySQL Version Installed: N/A
    • When was last time updated Centmin Mod code base ? : Today (6/11/2020)
    • Persistent Config: Do you have any persistent config file options set in /etc/centminmod/custom_config.inc ? You can check via this command:
      Code (Text):
      NGINX_SSLCACHE_ALLOWOVERRIDE='y'
      AUTOHARDTUNE_NGINXBACKLOG='y'
      ZSTD_LOGROTATE_NGINX='y'
      ZSTD_LOGROTATE_PHPFPM='y'
      NGINX_LIBBROTLI='y'
      NGXDYNAMIC_BROTLI='y'
      PHP_PGO='y'
      PHP_BROTLI='y'
      PHP_LZFOUR='y'
      PHP_LZF='y'
      PHP_ZSTD='y'
      LETSENCRYPT_DETECT='y'
      DUALCERTS='y'
      NGINX_IOURING_PATCH_BETA='y'
      MARCH_TARGETNATIVE='n'
      WP_FASTCGI_CACHE='y'
      ACMEDEBUG='y'
      
      

    I'm moving one domain from Server A to Server B. I noticed that on Server A the domain was supposed to be renewed on 6/10/2020 but it didn't work; I didn't troubleshoot as I was going to migrate to Server B today.

    a) I updated the DNS records to the new server
    b) Let's Debug shows himaxcr.com all green
    c) I was trying to create a new WordPress host on Server B using option 22, then letsencrypt option #4 (live https)

    I got the following while getting the certificate:

    Code (Text):
    [Thu Jun 11 14:59:42 UTC 2020] responseHeaders='HTTP/1.1 200 OK
    Server: nginx
    Date: Thu, 11 Jun 2020 14:59:42 GMT
    Content-Type: application/json
    Content-Length: 995
    Connection: keep-alive
    Boulder-Requester: 88493011
    Cache-Control: public, max-age=0, no-cache
    Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
    Link: <https://acme-v02.api.letsencrypt.org/acme/authz-v3/5163549046>;rel="up"
    Location: https://acme-v02.api.letsencrypt.org/acme/chall-v3/5163549046/bg2Diw
    Replay-Nonce: 0002mH7NkB_1BatC6IcRgeMfk6pT9SmOhuO8WWZVw43gzrg
    X-Frame-Options: DENY
    Strict-Transport-Security: max-age=604800
    '
    [Thu Jun 11 14:59:42 UTC 2020] code='200'
    [Thu Jun 11 14:59:42 UTC 2020] original='{
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:unauthorized",
        "detail": "Invalid response from http://himaxcr.com/.well-known/acme-challenge/ht2OfXfJ4tap3vpbp0gxB1brScIkUmE_U67LClw6O2w [8.6.193.73]: \"\u003chtml\u003e\\r\\n\u003chead\u003e\u003ctitle\u003e404 Not Found\u003c/title\u003e\u003c/head\u003e\\r\\n\u003cbody\u003e\\r\\n\u003ccenter\u003e\u003ch1\u003e404 Not Found\u003c/h1\u003e\u003c/center\u003e\\r\\n\u003chr\u003e\u003ccenter\u003enginx\u003c/center\u003e\\r\\n\"",
        "status": 403
      },
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/5163549046/bg2Diw",
      "token": "ht2OfXfJ4tap3vpbp0gxB1brScIkUmE_U67LClw6O2w",
      "validationRecord": [
        {
          "url": "http://himaxcr.com/.well-known/acme-challenge/ht2OfXfJ4tap3vpbp0gxB1brScIkUmE_U67LClw6O2w",
          "hostname": "himaxcr.com",
          "port": "80",
          "addressesResolved": [
            "8.6.193.73"
          ],
          "addressUsed": "8.6.193.73"
        }
      ]
    }'
    


    Then:

    Code (Text):
    [Thu Jun 11 14:59:42 UTC 2020] responseHeaders='HTTP/1.1 400 Bad Request
    Server: nginx
    Date: Thu, 11 Jun 2020 14:59:42 GMT
    Content-Type: application/problem+json
    Content-Length: 144
    Connection: keep-alive
    Boulder-Requester: 88493011
    Cache-Control: public, max-age=0, no-cache
    Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
    Replay-Nonce: 0002oc5U44T3-IHkZOyhvZ8ezjz6XA3BWfdWHa_0i4Z1vG4
    '
    [Thu Jun 11 14:59:42 UTC 2020] code='400'
    [Thu Jun 11 14:59:42 UTC 2020] original='{
      "type": "urn:ietf:params:acme:error:malformed",
      "detail": "Unable to update challenge :: authorization must be pending",
      "status": 400
    }'
    [Thu Jun 11 14:59:42 UTC 2020] response='{
      "type": "urn:ietf:params:acme:error:malformed",
      "detail": "Unable to update challenge :: authorization must be pending",
      "status": 400
    }'
    


    Full log is here: letsencrypterror - Pastebin.com

    Please let me know if you have any idea what's wrong.

    Thank you,
    Best Regards
     
  2. Fernando

    Fernando Member

    Hi,

    I found the problem; it seems WP_FASTCGI_CACHE='y' was causing it.

    I ran
    Code:
    curl -vL http://himaxcr.com/.well-known/acme-challenge/ht2OfXfJ4tap3vpbp0gxB1brScIkUmE_U67LClw6O2w
    and I got a 404, the same as the letsencrypt log shows. Then I checked the nginx service status and noticed the following:

    Code:
    Jun 11 15:51:08 webapps01 systemd[1]: Starting SYSV: Nginx is an HTTP(S) server, HTTP(S) reverse proxy and IMAP/POP3 proxy server...
    Jun 11 15:51:08 webapps01 nginx[43645]: Starting nginx: nginx: [emerg] "try_files" directive is duplicate in /usr/local/nginx/conf/conf.d/him...l.conf:90
    I looked at the /usr/local/nginx/conf/conf.d/himaxcr.com.ssl.conf created and noticed this:

    Code:
      # Wordpress fastcgi_cache
      try_files $uri $uri/ /index.php?$args;

      # Wordpress Permalinks
      #try_files $uri $uri/ /index.php?q=$uri&$args;

      # Nginx level redis Wordpress
      # https://community.centminmod.com/posts/18828/
      try_files $uri $uri/ /index.php?$args;

    }
    As seen above, try_files is duplicated with Redis (I'm using option 22 with the Redis option).
    I removed /usr/local/nginx/conf/conf.d/himaxcr.com.ssl.conf
    Then removed WP_FASTCGI_CACHE='y'

    Now everything worked as expected.
    Thanks :)
     
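A pre-check for the failure described in this thread, added here as an example and not code from the thread or from Centmin Mod: it scans a vhost file for a directive repeated inside one brace level, which is exactly what made nginx refuse to start and left the ACME challenge path answering 404. It assumes POSIX awk and a constructed sample config; it is a quick scan only, nginx -t remains the authoritative test.

```shell
#!/bin/sh
# Added example, not from the thread or from Centmin Mod. nginx refused to
# start because "try_files" appeared twice in one block, so the new vhost never
# served /.well-known/acme-challenge/ and Let's Encrypt got the stock 404.
# Assumes POSIX awk; a pre-check only, nginx -t stays the authority.

# find_duplicate_directive <config-file> <directive>
# prints one line per repeat and returns 1; returns 0 when none is found
find_duplicate_directive() {
    awk -v want="$2" '
        { line = $0; sub(/#.*/, "", line) }             # ignore comments
        line ~ ("^[ \t]*" want "[ \t]") {               # directive opens the line
            if (seen[depth] != "") {
                printf "%s duplicate at line %d (first seen at line %d)\n", want, NR, seen[depth]
                dup = 1
            } else {
                seen[depth] = NR
            }
        }
        { depth += gsub(/[{]/, "{", line)               # nested block opens
          n = gsub(/[}]/, "}", line)                    # block closes: forget
          while (n-- > 0) { delete seen[depth]; depth-- }   # its directives
        }
        END { exit (dup ? 1 : 0) }
    ' "$1"
}

# Constructed sample mirroring the vhost fragment quoted above; the second location block has its own try_files and must not be flagged.
SAMPLE_CONF="${TMPDIR:-/tmp}/himaxcr-sample.conf"
cat > "$SAMPLE_CONF" <<'EOF'
server {
  location / {
    # Wordpress fastcgi_cache
    try_files $uri $uri/ /index.php?$args;

    # Wordpress Permalinks
    #try_files $uri $uri/ /index.php?q=$uri&$args;

    # Nginx level redis Wordpress
    try_files $uri $uri/ /index.php?$args;
  }
  location ~ \.php$ {
    try_files $uri =404;
  }
}
EOF

find_duplicate_directive "$SAMPLE_CONF" try_files ||
    echo "fix the vhost before requesting the certificate"
```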
  3. eva2000

    eva2000 Administrator Staff Member

    Nice detective work