Want to subscribe to topics you're interested in?
Become a Member

vhost SSL problem

Discussion in 'Install & Upgrades or Pre-Install Questions' started by aidzo, Nov 15, 2018.

  1. aidzo

    aidzo New Member

    Nov 14, 2018
    Local Time:
    12:38 AM
    When setting up a second website with option 2 in centmin.sh with cloudflare dns ssl doesn't seem to work not sure how to fix it tried everything.
    • CentOS Version: Centos 7 64 BITS
    • Centmin Mod Version Installed: 123.09beta01
    • Nginx Version Installed: 1.15.6
    • PHP Version Installed: 7.2.12
    • When was last time updated Centmin Mod code base ? : today

  2. eva2000

    eva2000 Administrator Staff Member

    May 24, 2014
    Brisbane, Australia
    Local Time:
    9:38 AM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    How was the initial letsencrypt ssl certificate obtained ? Which method ?
    • Was the domain nginx vhost alreadying created prior or new domain nginx vhost site setup for first time ?
    • Via centmin.sh menu option 2, 22, /usr/bin/nv ?
    • If you ran centmin.sh menu option 2 or 22, which letsencrypt option did you select from
      Code (Text):
      Setup full Nginx vhost + Wordpress + WP Plugins
      Enter vhost domain name you want to add (without www. prefix): acme3.domain1.com
      Create a self-signed SSL certificate Nginx vhost? [y/n]: n
      Get Letsencrypt SSL certificate Nginx vhost? [y/n]: y
      You have 4 options:
      1. issue staging test cert with HTTP + HTTPS
      2. issue staging test cert with HTTPS default
      3. issue live cert with HTTP + HTTPS
      4. issue live cert with HTTPS default
      Enter option number 1-4: 1

    Centmin Mod Self-Signed SSL Fallback

    If you're seeing a Centmin Mod's self-signed ssl certificate instead of letsencrypt ssl certificate, then that's acmetool.sh and centminmod's fallback if letsencrypt verification fails to obtain letsencrypt ssl cert, it falls back to centmin mod self-signed ssl certificate on https port 443 side so to preserve the https nginx vhost


    There are various steps you can do to troubleshoot failed letsencrypt issuances, renews, reissues etc.
    • acmetool.sh logs all command line or shell menu runs to log files at /root/centminlogs. To troubleshoot, copy the contents of the log run and post contents of log to pastebin.com or gist.github.com and share link in this thread. To find the log list the logs in ascending date order
      Code (Text):
      ls -lahrt /root/centminlogs
    • For direct acmetool.sh runs, there should be a 2nd & 3rd & 4th log in format /root/centminlogs/centminmod_${DT}_nginx_addvhost_nv.log and /root/centminlogs/acmetool.sh-debug-log-$DT.log and /root/centminlogs/acmesh-issue_*.log or /root/centminlogs/acmesh-reissue_*.log which would need to be included via separate pastebin.com or gist.github.com post.
    • Enable acmetool.sh debug mode. In persistent config file at /etc/centminmod/custom_config.inc (create it if doesn't exist) add and enable acmetool.sh debug mode which gives much more verbose letsencrypt issuance process information when you re-run acmetool.sh or centmin.sh menu options 2, 22 or /usr/bin/nv command lines.
      Code (Text):
    If acme.sh auto renewals didn't happen, check output for the following commands
    Code (Text):
    grep acme /var/log/cron* | sed -e "s|$(hostname -s)|host|g"

    Code (Text):
    echo y | /usr/local/src/centminmod/addons/acmetool.sh checkdates

    Code (Text):
    "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh"

    Code (Text):
    echo | openssl s_client -connect yourdomain.com:443

    Without the answers to above questions and logs, there is nothing to help troubleshoot.

    SSLLabs Test

    Also run your HTTPS domain site through SSLLabs tester at SSL Server Test (Powered by Qualys SSL Labs) if it says untrusted SSL cert and prompts to continue the test, continue the test.