Beta Branch update acmetool.sh 1.0.76

Discussion in 'Centmin Mod Github Commits' started by eva2000, Oct 1, 2021.

  1. eva2000

    eva2000 Administrator Staff Member

    48,899
    11,189
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +17,423
    Local Time:
    10:25 AM
    Nginx 1.21.x
    MariaDB 10.x
    update acmetool.sh 1.0.76


    - this update is really only for folks who created Centmin Mod Nginx HTTPS sites with Letsencrypt front facing SSL certificates and need older CentOS 6 OpenSSL/wget/curl clients to be able to connect to those Centmin Mod Nginx HTTPS sites. If you don't have such a use, there is no need to do a reissue for the updated preferred chain below
    - update addons/acmetool.sh to 1.0.76 to support configuring the preferred SSL certificate chain for Letsencrypt SSL certificates to switch from the default DST Root CA X3 certificate chain to the newer ISRG X1 certificate chain https://community.centminmod.com/th...workaround-on-centos-7-x-openssl-1-0-2.21965/. If you switch, you will break older clients' ability to connect to your web server i.e. https://letsencrypt.org/docs/certificate-compatibility/ however it will help some clients on server side connect to your server i.e. CentOS 6 OpenSSL 1.0.1, wget, curl. Most modern web browsers will work with either the previous default or the new ISRG chain, as modern web browsers can find an alternative path/SSL chain to verify your Centmin Mod Nginx site's SSL chain
    - if you want your existing Centmin Mod Nginx site's Letsencrypt SSL certificates to serve the new ISRG X1 certificate chain, run cmupdate to update local server code for addons/acmetool.sh and then manually run acmetool.sh with the reissue-only flag for the domain you want to update. Example below for domain.com
    Code (Text):
    cmupdate
    /usr/local/src/centminmod/addons/acmetool.sh reissue-only yourdomain.com live

    - if you want to revert to previous default DST Root CA X3 chain, set in persistent config file /etc/centminmod/custom_config.inc as per https://github.com/acmesh-official/acme.sh/wiki/Preferred-Chain the following
    Code (Text):
    ACME_PREFERRED_CHAIN=' --preferred-chain  "DST Root CA X3"'

    Then reissue for your domain
    Code (Text):
    /usr/local/src/centminmod/addons/acmetool.sh reissue-only yourdomain.com live


    123.09beta01 branch
     
  2. upgrade81

    upgrade81 Premium Member Premium Member

    281
    17
    18
    Sep 5, 2016
    CH
    Ratings:
    +29
    Local Time:
    2:25 AM
    1.17
    10.3
    Hi, I have performed all the procedure to delete the old expired certificate, and recreate the new one.

    When I reissue a domain, only the ECDSA certificate is created, the Dual-Cert is no longer created. This happens on multiple VPS.

    Is it normal?

    -in some domains dedicated to forums, however, this is the situation.

    firefox_sByVUVR42j.jpg
     
    Last edited: Oct 10, 2021
  3. eva2000

    can you outline exactly the steps made and commands you ran?

    for dual certs, did your persistent config file /etc/centminmod/custom_config.inc have
    Code (Text):
    LETSENCRYPT_DETECT='y'
    DUALCERTS='y'
    

    what's output for this command
    Code (Text):
    egrep -i 'LETSENCRYPT_DETECT|DUALCERTS' /etc/centminmod/custom_config.inc
    

    for posting code or output from commands to keep the formatting, you might want to use CODE tags for code How to use forum BBCODE code tags :)

    You're not meant to delete the old certificates, running addons/acmetool.sh reissue-only should take care of it all including dual certs replacement. When you ran the acmetool.sh reissue-only command, each time there would be a full log saved at /root/centminlogs/acmesh-reissue-only_XXX.log, where XXX is a date time stamp

    This command will list all acmesh-*.log files by ascending date order
    Code (Text):
    find /root/centminlogs/ -type f -name "acmesh-*.log" -print0 | xargs -0 ls -lrt

    example
    Code (Text):
    find /root/centminlogs/ -type f -name "acmesh-*.log" -print0 | xargs -0 ls -lrt
    -rw-r--r-- 1 root root  1759 Jun 18 01:20 /root/centminlogs/acmesh-update_180621-012050.log
    -rw-r--r-- 1 root root  1838 Jun 18 01:22 /root/centminlogs/acmesh-update_180621-012233.log
    -rw-r--r-- 1 root root  6536 Sep 26 00:06 /root/centminlogs/acmesh-issue_260921-000550.log
    -rw-r--r-- 1 root root 17234 Sep 26 00:09 /root/centminlogs/acmesh-issue_260921-000935.log
    -rw-r--r-- 1 root root 16810 Sep 26 00:51 /root/centminlogs/acmesh-issue_260921-005143.log
    -rw-r--r-- 1 root root 18415 Sep 26 00:58 /root/centminlogs/acmesh-issue_260921-005741.log
    -rw-r--r-- 1 root root 23332 Sep 26 01:13 /root/centminlogs/acmesh-issue_260921-011241.log
    -rw-r--r-- 1 root root 21963 Sep 26 01:41 /root/centminlogs/acmesh-issue_260921-014115.log
    -rw-r--r-- 1 root root 17118 Sep 30 23:04 /root/centminlogs/acmesh-issue_300921-230415.log
    -rw-rw-r-- 1 root root 14801 Sep 30 23:10 /root/centminlogs/acmesh-reissue-only_300921-230937.log
    -rw-r--r-- 1 root root  6188 Sep 30 23:39 /root/centminlogs/acmesh-issue_300921-233932.log
    -rw-r--r-- 1 root root 18862 Sep 30 23:41 /root/centminlogs/acmesh-issue_300921-234052.log
    -rw-r--r-- 1 root root 18843 Sep 30 23:44 /root/centminlogs/acmesh-issue_300921-234343.log
    -rw-r--r-- 1 root root 18092 Oct  3 05:17 /root/centminlogs/acmesh-issue_031021-051718.log
    -rw-r--r-- 1 root root 18075 Oct  3 05:26 /root/centminlogs/acmesh-issue_031021-052547.log
    


    How exactly did you delete the old certs? exact commands you ran?

    also check physically if SSL certs at /usr/local/nginx/conf/ssl/yourdomain.com were created
    Code (Text):
    ls -lah /usr/local/nginx/conf/ssl/yourdomain.com


    example when DUALCERTS='y' is set
    Code (Text):
    ls -lah /usr/local/nginx/conf/ssl/yourdomain.com
    total 80K
    drwxr-xr-x 2 root root 4.0K Oct 10 21:19 .
    drwxr-xr-x 7 root root  150 Oct  3 05:25 ..
    -rw-r--r-- 1 root root  389 Oct 10 21:19 acme-vhost-config.txt
    -rw-r--r-- 1 root root  424 Jun 15  2020 dhparam.pem
    -rw-r--r-- 1 root root 5.5K Oct 10 21:19 yourdomain.com-acme.cer
    -rw-r--r-- 1 root root 5.3K Oct 10 21:19 yourdomain.com-acme-ecc.cer
    -rw-r--r-- 1 root root  227 Oct 10 21:19 yourdomain.com-acme-ecc.key
    -rw-r--r-- 1 root root 1.7K Oct 10 21:19 yourdomain.com-acme.key
    -rw-r--r-- 1 root root 1.7K Sep 30 23:43 yourdomain.com.crt
    -rw-r--r-- 1 root root  835 Oct 10 21:19 yourdomain.com.crt.key.conf
    -rw-r--r-- 1 root root 1.2K Sep 30 23:43 yourdomain.com.csr
    -rw-r--r-- 1 root root  11K Oct 10 21:19 yourdomain.com-dualcert-rsa-ecc.cer
    -rw-r--r-- 1 root root 5.3K Oct 10 21:19 yourdomain.com-fullchain-acme-ecc.key
    -rw-r--r-- 1 root root 5.5K Oct 10 21:19 yourdomain.com-fullchain-acme.key
    -rw-r--r-- 1 root root 1.7K Sep 30 23:43 yourdomain.com.key
    

    If you egrep filter on acmesh-*.log for installcert keyword, you should have 2 acme.sh --installcert commands for RSA + ECDSA SSL cert installation
    Code (Text):
    grep -i 'installcert' /root/centminlogs/acmesh-reissue-only_101021-211915.log

    output
    Code (Text):
    grep -i 'installcert' /root/centminlogs/acmesh-reissue-only_101021-211915.log
    
    /root/.acme.sh/acme.sh --installcert -d yourdomain.com --certpath /usr/local/nginx/conf/ssl/yourdomain.com/yourdomain.com-acme.cer --keypath /usr/local/nginx/conf/ssl/yourdomain.com/yourdomain.com-acme.key --capath /usr/local/nginx/conf/ssl/yourdomain.com/yourdomain.com-acme.cer --reloadCmd /usr/bin/ngxreload --fullchainpath /usr/local/nginx/conf/ssl/yourdomain.com/yourdomain.com-fullchain-acme.key
    
    /root/.acme.sh/acme.sh --installcert -d yourdomain.com --certpath /usr/local/nginx/conf/ssl/yourdomain.com/yourdomain.com-acme-ecc.cer --keypath /usr/local/nginx/conf/ssl/yourdomain.com/yourdomain.com-acme-ecc.key --capath /usr/local/nginx/conf/ssl/yourdomain.com/yourdomain.com-acme-ecc.cer --reloadCmd /usr/bin/ngxreload --fullchainpath /usr/local/nginx/conf/ssl/yourdomain.com/yourdomain.com-fullchain-acme-ecc.key --ecc
    
     
    Last edited: Oct 11, 2021
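The three checks requested in the post above (DUALCERTS in custom_config.inc, the files in the domain's ssl directory, and the number of --installcert lines in the reissue log) can be combined into one script. This is an added example, not part of the thread or of acmetool.sh; the function names, the example.test domain and the sample files are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example, not part of acmetool.sh. File names follow the listings in this thread:
#   <domain>-acme.cer / <domain>-acme.key           RSA pair
#   <domain>-acme-ecc.cer / <domain>-acme-ecc.key   ECDSA pair

# config_value FILE KEY: last uncommented KEY='value' assignment in a shell-style config.
config_value() {
  sed -n "s/^[[:space:]]*$2=['\"]\{0,1\}\([^'\"#[:space:]]*\).*/\1/p" "$1" | tail -n 1
}

# cert_layout DIR DOMAIN: prints dual, ecc-only, rsa-only or none.
cert_layout() {
  local dir="$1" domain="$2" rsa=n ecc=n
  if [ -s "$dir/${domain}-acme.cer" ] && [ -s "$dir/${domain}-acme.key" ]; then rsa=y; fi
  if [ -s "$dir/${domain}-acme-ecc.cer" ] && [ -s "$dir/${domain}-acme-ecc.key" ]; then ecc=y; fi
  case "$rsa$ecc" in
    yy) echo dual ;;
    ny) echo ecc-only ;;
    yn) echo rsa-only ;;
    *)  echo none ;;
  esac
}

# installcert_summary LOG: counts acme.sh --installcert lines, split on the --ecc flag.
installcert_summary() {
  local log="$1" rsa=0 ecc=0 line
  while IFS= read -r line; do
    case "$line" in
      *acme.sh*--installcert*" --ecc"*) ecc=$((ecc + 1)) ;;
      *acme.sh*--installcert*)          rsa=$((rsa + 1)) ;;
    esac
  done < "$log"
  echo "rsa=$rsa ecc=$ecc"
}

# diagnose CONFIG SSL_DIR DOMAIN LOG: flags the case where dual certs are
# configured but only one certificate type was installed.
diagnose() {
  local want layout installs
  want=$(config_value "$1" DUALCERTS)
  layout=$(cert_layout "$2" "$3")
  installs=$(installcert_summary "$4")
  if [ "$want" = y ] && [ "$layout" != dual ]; then
    echo "MISMATCH DUALCERTS=y layout=$layout $installs"
  else
    echo "OK DUALCERTS=${want:-unset} layout=$layout $installs"
  fi
}

# Constructed sample: DUALCERTS='y' in the config, but only ECDSA files and one
# --ecc install line, i.e. the ECC-only situation reported in this thread.
make_sample() {
  local root="$1" d=example.test
  mkdir -p "$root/ssl/$d"
  printf "LETSENCRYPT_DETECT='y'\nDUALCERTS='y'  #dual cert RSA + ECDSA\n" > "$root/custom_config.inc"
  echo placeholder > "$root/ssl/$d/$d-acme-ecc.cer"
  echo placeholder > "$root/ssl/$d/$d-acme-ecc.key"
  echo "/root/.acme.sh/acme.sh --installcert -d $d --certpath /x/$d-acme-ecc.cer --ecc" > "$root/reissue.log"
}

# Demo run against the constructed sample.
demo_dir=$(mktemp -d)
make_sample "$demo_dir"
diagnose "$demo_dir/custom_config.inc" "$demo_dir/ssl/example.test" example.test "$demo_dir/reissue.log"
rm -rf "$demo_dir"
```

On a real server the arguments would be /etc/centminmod/custom_config.inc, /usr/local/nginx/conf/ssl/yourdomain.com, the domain name and the newest acmesh-reissue-only_*.log under /root/centminlogs.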
  5. upgrade81

    Sorry for the inconvenience, by certificate I mean the DST Root.

    After noting that Ssllabs was reporting me expired, I followed your post.
    Dualcert = y is always present on my VPS

    however, only the ECC is present

    I have also used:

    Code:
    acme.sh --upgrade
    acme.sh --set-default-chain --preferred-chain "ISRG" --server letsencrypt
    acme.sh --renewAll --force

    here is the log:
    Code:
    grep -i 'installcert' /root/centminlogs/acmesh-reissue-only_101021-035509.log
    /root/.acme.sh/acme.sh --installcert -d xxxxauto.it -d www.xxxxauto.it --certpath /usr/local/nginx/conf/ssl/xxxauto.it/xxxxauto.it-acme-ecc.cer --keypath /usr/local/nginx/conf/ssl/xxxauto.it/xxxxauto.it-acme-ecc.key --capath /usr/local/nginx/conf/ssl/xxxxauto.it/xxxxauto.it-acme-ecc.cer --reloadCmd /usr/bin/ngxreload --fullchainpath /usr/local/nginx/conf/ssl/xxxxauto.it/xxxxauto.it-fullchain-acme-ecc.key --ecc

    SecureCRT_rBbNqwV6qa.jpg

    this is another domain i did yesterday on another VM.

    Code:
    /usr/local/src/centminmod/addons/acmetool.sh reissue-only pensioniefisco.it live
    
    ------------------------------------------------------------------------------
    Version Check:
    ------------------------------------------------------------------------------
    !!!  there maybe a newer version of /usr/local/src/centminmod/addons/acmetool.sh available  !!!
    https://community.centminmod.com/posts/34492/
    update using centmin.sh menu option 23 submenu option 2
    
    or via command: cmupdate
    
    Always ensure Current Version is higher or equal to Latest Version
    ------------------------------------------------------------------------------
    Current acmetool.sh Version: 1.0.75
    Latest acmetool.sh Version: 1.0.77
    ------------------------------------------------------------------------------
    
    
    -----------------------------------------------------
    updating acme.sh client...
    -----------------------------------------------------
    Cloning into 'acme.sh'...
    [Sun Oct 10 03:09:39 CEST 2021] Installing to /root/.acme.sh
    [Sun Oct 10 03:09:39 CEST 2021] Installed to /root/.acme.sh/acme.sh
    [Sun Oct 10 03:09:39 CEST 2021] Installing alias to '/root/.bashrc'
    [Sun Oct 10 03:09:39 CEST 2021] OK, Close and reopen your terminal to start using acme.sh
    [Sun Oct 10 03:09:39 CEST 2021] Installing alias to '/root/.cshrc'
    [Sun Oct 10 03:09:39 CEST 2021] Installing alias to '/root/.tcshrc'
    [Sun Oct 10 03:09:39 CEST 2021] Installing cron job
    37 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null
    [Sun Oct 10 03:09:39 CEST 2021] Good, bash is found, so change the shebang to use bash as preferred.
    [Sun Oct 10 03:09:40 CEST 2021] OK
    https://github.com/acmesh-official/acme.sh
    v3.0.1
    -----------------------------------------------------
    set default acme.sh CA to letsencrypt:
    acme.sh --set-default-ca --server letsencrypt
    [Sun Oct 10 03:09:40 CEST 2021] Changed default CA to: https://acme-v02.api.letsencrypt.org/directory
    -----------------------------------------------------
    acme.sh updated
    -----------------------------------------------------
    grep 'root' /usr/local/nginx/conf/conf.d/pensioniefisco.it.ssl.conf
       root /home/nginx/domains/pensioniefisco.it/public;
      root /home/nginx/domains/pensioniefisco.it/public;
    
    -----------------------------------------------------------
    reissue & install letsencrypt ssl certificate for pensioniefisco.it
    -----------------------------------------------------------
    /root/.acme.sh/acme.sh --force --createDomainKey -d pensioniefisco.it -d www.pensioniefisco.it -k ec-256 --useragent centminmod-centos7-acmesh-webroot
    [Sun Oct 10 03:09:40 CEST 2021] Creating domain key
    [Sun Oct 10 03:09:40 CEST 2021] The domain key is here: /root/.acme.sh/pensioniefisco.it_ecc/pensioniefisco.it.key
    testcert value = live
    /root/.acme.sh/acme.sh --force --issue -d pensioniefisco.it -d www.pensioniefisco.it --days 60 -w /home/nginx/domains/pensioniefisco.it/public -k ec-256 --useragent centminmod-centos7-acmesh-webroot --log /root/centminlogs/acmetool.sh-debug-log-101021-030936.log --log-level 2
    [Sun Oct 10 03:09:41 CEST 2021] Using CA: https://acme-v02.api.letsencrypt.org/directory
    [Sun Oct 10 03:09:41 CEST 2021] Multi domain='DNS:pensioniefisco.it,DNS:www.pensioniefisco.it'
    [Sun Oct 10 03:09:41 CEST 2021] Getting domain auth token for each domain
    [Sun Oct 10 03:09:44 CEST 2021] Getting webroot for domain='pensioniefisco.it'
    [Sun Oct 10 03:09:44 CEST 2021] Getting webroot for domain='www.pensioniefisco.it'
    [Sun Oct 10 03:09:44 CEST 2021] pensioniefisco.it is already verified, skip http-01.
    [Sun Oct 10 03:09:44 CEST 2021] www.pensioniefisco.it is already verified, skip http-01.
    [Sun Oct 10 03:09:44 CEST 2021] Verify finished, start to sign.
    [Sun Oct 10 03:09:44 CEST 2021] Lets finalize the order.
    [Sun Oct 10 03:09:44 CEST 2021] Le_OrderFinalize='https://acme-v02.api.letsencrypt.org/acme/finalize/113794049/30747847410'
    [Sun Oct 10 03:09:46 CEST 2021] Downloading cert.
    [Sun Oct 10 03:09:46 CEST 2021] Le_LinkCert='https://acme-v02.api.letsencrypt.org/acme/cert/0362de93de8ad2869f0c847255e854d3f676'
    [Sun Oct 10 03:09:46 CEST 2021] Try rel: https://acme-v02.api.letsencrypt.org/acme/cert/0362de93de8ad2869f0c847255e854d3f676/1
    [Sun Oct 10 03:09:47 CEST 2021] Matched issuer in: https://acme-v02.api.letsencrypt.org/acme/cert/0362de93de8ad2869f0c847255e854d3f676/1
    [Sun Oct 10 03:09:47 CEST 2021] Cert success.
    -----BEGIN CERTIFICATE-----
    
    -----END CERTIFICATE-----
    [Sun Oct 10 03:09:47 CEST 2021] Your cert is in: /root/.acme.sh/pensioniefisco.it_ecc/pensioniefisco.it.cer
    [Sun Oct 10 03:09:47 CEST 2021] Your cert key is in: /root/.acme.sh/pensioniefisco.it_ecc/pensioniefisco.it.key
    [Sun Oct 10 03:09:47 CEST 2021] The intermediate CA cert is in: /root/.acme.sh/pensioniefisco.it_ecc/ca.cer
    [Sun Oct 10 03:09:47 CEST 2021] And the full chain certs is there: /root/.acme.sh/pensioniefisco.it_ecc/fullchain.cer
    LECHECK = 0
      ssl_dhparam /usr/local/nginx/conf/ssl/pensioniefisco.it/dhparam.pem;
      ssl_certificate      /usr/local/nginx/conf/ssl/pensioniefisco.it/pensioniefisco.it-acme-ecc.cer;
      ssl_certificate_key  /usr/local/nginx/conf/ssl/pensioniefisco.it/pensioniefisco.it-acme-ecc.key;
      ssl_trusted_certificate /usr/local/nginx/conf/ssl/pensioniefisco.it/pensioniefisco.it-acme-ecc.cer; 
    
    -----------------------------------------------------------
    install cert
    -----------------------------------------------------------
    /root/.acme.sh/acme.sh --installcert -d pensioniefisco.it -d www.pensioniefisco.it --certpath /usr/local/nginx/conf/ssl/pensioniefisco.it/pensioniefisco.it-acme-ecc.cer --keypath /usr/local/nginx/conf/ssl/pensioniefisco.it/pensioniefisco.it-acme-ecc.key --capath /usr/local/nginx/conf/ssl/pensioniefisco.it/pensioniefisco.it-acme-ecc.cer --reloadCmd /usr/bin/ngxreload --fullchainpath /usr/local/nginx/conf/ssl/pensioniefisco.it/pensioniefisco.it-fullchain-acme-ecc.key --ecc
    [Sun Oct 10 03:09:47 CEST 2021] Installing cert to: /usr/local/nginx/conf/ssl/pensioniefisco.it/pensioniefisco.it-acme-ecc.cer
    [Sun Oct 10 03:09:47 CEST 2021] Installing CA to: /usr/local/nginx/conf/ssl/pensioniefisco.it/pensioniefisco.it-acme-ecc.cer
    [Sun Oct 10 03:09:47 CEST 2021] Installing key to: /usr/local/nginx/conf/ssl/pensioniefisco.it/pensioniefisco.it-acme-ecc.key
    [Sun Oct 10 03:09:47 CEST 2021] Installing full chain to: /usr/local/nginx/conf/ssl/pensioniefisco.it/pensioniefisco.it-fullchain-acme-ecc.key
    [Sun Oct 10 03:09:47 CEST 2021] Run reload cmd: /usr/bin/ngxreload
    Reloading nginx configuration (via systemctl):  [  OK  ]
    [Sun Oct 10 03:09:47 CEST 2021] Reload success
    
    letsencrypt ssl certificate setup completed
    ssl certs located at: /usr/local/nginx/conf/ssl/pensioniefisco.it
    
    openssl x509 -noout -text < /usr/local/nginx/conf/ssl/pensioniefisco.it/pensioniefisco.it-acme-ecc.cer
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number:
                03:62:de:93:de:8a:d2:86:9f:0c:84:72:55:e8:54:d3:f6:76
        Signature Algorithm: sha256WithRSAEncryption
            Issuer: C=US, O=Let's Encrypt, CN=R3
            Validity
                Not Before: Oct 10 00:09:45 2021 GMT
                Not After : Jan  8 00:09:44 2022 GMT
            Subject: CN=pensioniefisco.it
            Subject Public Key Info:
                Public Key Algorithm: id-ecPublicKey
                    Public-Key: (256 bit)
                    pub:
                        04:62:fa:09:6e:c1:1f:59:e4:fe:79:43:a7:6c:ca:
                        4d:ec:b5:ff:d7:ae:fe:56:6f:87:0e:22:bb:73:42:
                        ae:98:e3:f4:a9:79:44:9c:34:b5:2c:fd:c8:6c:cb:
                        ac:1d:91:49:c0:81:e8:5e:2b:54:ca:c9:56:bc:46:
                        06:77:7c:22:04
                    ASN1 OID: prime256v1
                    NIST CURVE: P-256
            X509v3 extensions:
                X509v3 Key Usage: critical
                    Digital Signature
                X509v3 Extended Key Usage:
                    TLS Web Server Authentication, TLS Web Client Authentication
                X509v3 Basic Constraints: critical
                    CA:FALSE
                X509v3 Subject Key Identifier:
                    85:53:61:EC:A3:1E:9C:94:F6:5A:DE:66:FC:51:08:06:E9:17:4B:93
                X509v3 Authority Key Identifier:
                    keyid:14:2E:B3:17:B7:58:56:CB:AE:50:09:40:E6:1F:AF:9D:8B:14:C2:C6
    
                Authority Information Access:
                    OCSP - URI:http://r3.o.lencr.org
                    CA Issuers - URI:http://r3.i.lencr.org/
    
                X509v3 Subject Alternative Name:
                    DNS:pensioniefisco.it, DNS:www.pensioniefisco.it
                X509v3 Certificate Policies:
                    Policy: 2.23.140.1.2.1
                    Policy: 1.3.6.1.4.1.44947.1.1.1
                      CPS: http://cps.letsencrypt.org
    
    
    log files saved at /root/centminlogs
    -rw-r--r-- 1 root root  61K Oct 10 03:09 acmetool.sh-debug-log-101021-030936.log
    -rw-r--r-- 1 root root  12K Oct 10 03:09 acmesh-reissue-only_101021-030936.log
     
    Last edited: Oct 11, 2021
  6. eva2000

    Code (Text):
    Always ensure Current Version is higher or equal to Latest Version
    ------------------------------------------------------------------------------
    Current acmetool.sh Version: 1.0.75
    Latest acmetool.sh Version: 1.0.77
    -----------------------------------

    You're using outdated acmetool.sh as you haven't updated Centmin Mod via cmupdate command yet. Though last 2 updates for acmetool.sh have nothing to do with dual certs routines
     
    Last edited: Oct 11, 2021
  7. upgrade81

    Hi, I just updated (again) but it just keeps recreating the ECC cert
    is there a command to force the creation of both in addition to "reissue-only" Live?
     
  8. eva2000

    from above,
    what's output for this command

    Code (Text):
    egrep -i 'LETSENCRYPT_DETECT|DUALCERTS' /etc/centminmod/custom_config.inc

    and

    also check physically if SSL certs at /usr/local/nginx/conf/ssl/yourdomain.com were created

    Code (Text):
    ls -lah /usr/local/nginx/conf/ssl/yourdomain.com
     
  9. upgrade81

    here it is...

    Code:
    egrep -i 'LETSENCRYPT_DETECT|DUALCERTS' /etc/centminmod/custom_config.inc
    LETSENCRYPT_DETECT='y'
    DUALCERTS='y'  #dual cert RSA + ECDSA

    Code:
    ls -lah /usr/local/nginx/conf/ssl/pensioniefisco.it/
    total 52K
    drwxr-xr-x 2 root root 4.0K Oct 11 15:02 .
    drwxr-xr-x 5 root root 4.0K May 18 00:04 ..
    -rw-r--r-- 1 root root  373 Oct 11 15:02 acme-vhost-config.txt
    -rw-r--r-- 1 root root  424 Feb 24  2021 dhparam.pem
    -rw-r--r-- 1 root root 5.3K Oct 11 15:03 pensioniefisco.it-acme-ecc.cer
    -rw-r--r-- 1 root root  227 Oct 11 15:03 pensioniefisco.it-acme-ecc.key
    -rw-r--r-- 1 root root 1.7K Feb 24  2021 pensioniefisco.it.crt
    -rw-r--r-- 1 root root  373 Oct 11 15:02 pensioniefisco.it.crt.key.conf
    -rw-r--r-- 1 root root 1.2K Feb 24  2021 pensioniefisco.it.csr
    -rw-r--r-- 1 root root 5.3K Oct 11 15:03 pensioniefisco.it-fullchain-acme-ecc.key
    -rw-r--r-- 1 root root 1.7K Feb 24  2021 pensioniefisco.it.key
     
  10. eva2000

    strange indeed that it is ECC SSL cert only, but there is no routine or option in acmetool.sh that would make that possible without trying RSA SSL cert first

    try something to rule out other variables, backup /etc/centminmod/custom_config.inc and then empty it out with just these 2 values
    Code (Text):
    LETSENCRYPT_DETECT='y'
    DUALCERTS='y'

    and do a
    Code (Text):
    cmupdate
    /usr/local/src/centminmod/addons/acmetool.sh reissue-only yourdomain.com live