
SSL Letsencrypt Why am I getting this error?

Discussion in 'Domains, DNS, Email & SSL Certificates' started by Itworx4me, Jun 30, 2019.

  1. Itworx4me

    Itworx4me Premium Member Premium Member

    180
    18
    18
    Mar 14, 2017
    Ratings:
    +28
    Local Time:
    1:17 PM
    Nginx 1.17.X
    MariaDB 10.3.X
  2. Meirami

    Meirami Member

    130
    17
    18
    Dec 21, 2017
    Ratings:
    +44
    Local Time:
    11:17 PM
    I think the answer is in there -> /root/centminlogs/acmetool.sh-debug-log-insidetopfuel.com.log
     
  3. eva2000

    eva2000 Administrator Staff Member

    40,634
    9,023
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +13,891
    Local Time:
    6:17 AM
    Nginx 1.15.x
    MariaDB 5.5/10.x
  4. Itworx4me

  5. eva2000

  6. Itworx4me

    Here ya go @eva2000
    -rw-r--r-- 1 root root 13K Jan 31 2018 centminmod_123.09beta01.b013_300118-1 - Pastebin.com

    Code (Text):
    grep acme /var/log/cron* | sed -e "s|$(hostname -s)|host|g"
    /var/log/cron-20190609:Jun  3 00:19:01 host CROND[32555]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron-20190609:Jun  4 00:19:01 host CROND[17768]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron-20190609:Jun  5 00:19:01 host CROND[3851]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron-20190609:Jun  6 00:19:01 host CROND[22802]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron-20190609:Jun  7 00:19:01 host CROND[9348]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron-20190609:Jun  8 00:19:01 host CROND[27887]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron-20190609:Jun  9 00:19:01 host CROND[25654]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron-20190616:Jun 10 00:19:01 host CROND[12251]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron-20190616:Jun 11 00:19:01 host CROND[31045]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron-20190616:Jun 12 00:19:01 host CROND[17408]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron-20190616:Jun 13 00:19:01 host CROND[3681]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron-20190616:Jun 14 00:19:01 host CROND[22299]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron-20190616:Jun 15 00:19:01 host CROND[8423]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron-20190616:Jun 16 00:19:02 host CROND[26795]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron-20190623:Jun 17 00:19:01 host CROND[14162]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron-20190623:Jun 18 00:19:01 host CROND[16611]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron-20190623:Jun 19 00:19:01 host CROND[31374]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron-20190623:Jun 20 00:19:01 host CROND[13222]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron-20190623:Jun 21 00:19:01 host CROND[28045]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron-20190623:Jun 22 00:19:01 host CROND[9684]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron-20190623:Jun 23 00:19:01 host CROND[23624]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron-20190630:Jun 24 00:19:01 host CROND[5106]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron-20190630:Jun 25 00:19:01 host CROND[19188]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron-20190630:Jun 26 00:19:01 host CROND[518]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron-20190630:Jun 27 00:19:01 host CROND[14197]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron-20190630:Jun 28 00:19:01 host CROND[27972]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron-20190630:Jun 29 00:19:02 host CROND[9355]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    /var/log/cron-20190630:Jun 30 00:19:01 host CROND[19949]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)

    Code (Text):
    echo y | /usr/local/src/centminmod/addons/acmetool.sh checkdates
    
    -------------------------------------------------
    acmetool.sh is in beta testing phase
    please read & provide bug reports &
    feedback for this tool via the forums
    https://centminmod.com/acmetool
    -------------------------------------------------
    
    ----------------------------------------------
    nginx installed
    ----------------------------------------------
    
    /usr/local/nginx/conf/ssl/nitromater.com/nitromater.com-acme.cer
    SHA1 Fingerprint=79BC3F1268BC23798C51B17720521D7BDAD4471C
    certificate expires in 75 days on 14 Sep 2019
    
    /usr/local/nginx/conf/ssl/nostalgia1320.com/nostalgia1320.com-acme.cer
    SHA1 Fingerprint=F99CFEF865308BAADDF0ECE8317855485A20A38D
    certificate expires in 74 days on 13 Sep 2019
    
    /usr/local/nginx/conf/ssl/insidetopfuel.com/insidetopfuel.com-acme.cer
    SHA1 Fingerprint=ECBA87C673C188BB4A41EC914DC27D24CBDB966F
    certificate expires in 5 days on 6 Jul 2019
    
    ----------------------------------------------
    acme.sh obtained
    ----------------------------------------------
    
    /root/.acme.sh/nitromater.com/nitromater.com.cer
    SHA1 Fingerprint=79BC3F1268BC23798C51B17720521D7BDAD4471C
    [ below certifcate transparency link is only valid ~1hr after issuance ]
    https://crt.sh/?sha1=79BC3F1268BC23798C51B17720521D7BDAD4471C
    certificate expires in 75 days on 14 Sep 2019
    
    /root/.acme.sh/nostalgia1320.com/nostalgia1320.com.cer
    SHA1 Fingerprint=F99CFEF865308BAADDF0ECE8317855485A20A38D
    [ below certifcate transparency link is only valid ~1hr after issuance ]
    https://crt.sh/?sha1=F99CFEF865308BAADDF0ECE8317855485A20A38D
    certificate expires in 74 days on 13 Sep 2019
    
    /root/.acme.sh/insidetopfuel.com/insidetopfuel.com.cer
    SHA1 Fingerprint=ECBA87C673C188BB4A41EC914DC27D24CBDB966F
    [ below certifcate transparency link is only valid ~1hr after issuance ]
    https://crt.sh/?sha1=ECBA87C673C188BB4A41EC914DC27D24CBDB966F
    certificate expires in 5 days on 6 Jul 2019


    Code (Text):
    "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh"
    [Sun Jun 30 22:16:15 UTC 2019] ===Starting cron===
    [Sun Jun 30 22:16:15 UTC 2019] Renew: 'insidetopfuel.com'
    [Sun Jun 30 22:16:16 UTC 2019] Multi domain='DNS:insidetopfuel.com,DNS:www.insidetopfuel.com'
    [Sun Jun 30 22:16:16 UTC 2019] Getting domain auth token for each domain
    [Sun Jun 30 22:16:16 UTC 2019] Getting webroot for domain='insidetopfuel.com'
    [Sun Jun 30 22:16:16 UTC 2019] Getting new-authz for domain='insidetopfuel.com'
    [Sun Jun 30 22:16:17 UTC 2019] The new-authz request is ok.
    [Sun Jun 30 22:16:17 UTC 2019] Getting webroot for domain='www.insidetopfuel.com'
    [Sun Jun 30 22:16:17 UTC 2019] Getting new-authz for domain='www.insidetopfuel.com'
    [Sun Jun 30 22:16:18 UTC 2019] The new-authz request is ok.
    [Sun Jun 30 22:16:18 UTC 2019] Verifying:insidetopfuel.com
    [Sun Jun 30 22:16:21 UTC 2019] insidetopfuel.com:Verify error:Invalid response from https://insidetopfuel.com/.well-known/acme-challenge/Yz2kzwIQUtL6XosptW9yAsJMg2rmM5ISeA4HA9ymA30 [209.133.***.***]:
    [Sun Jun 30 22:16:21 UTC 2019] Please check log file for more details: /root/centminlogs/acmetool.sh-debug-log-insidetopfuel.com.log
    [Sun Jun 30 22:16:22 UTC 2019] Error renew insidetopfuel.com.
    [Sun Jun 30 22:16:22 UTC 2019] Renew: 'nitromater.com'
    [Sun Jun 30 22:16:22 UTC 2019] Skip, Next renewal time is: Fri Aug 16 00:19:19 UTC 2019
    [Sun Jun 30 22:16:22 UTC 2019] Add '--force' to force to renew.
    [Sun Jun 30 22:16:22 UTC 2019] Skipped nitromater.com
    [Sun Jun 30 22:16:22 UTC 2019] Renew: 'nostalgia1320.com'
    [Sun Jun 30 22:16:23 UTC 2019] Skip, Next renewal time is: Thu Aug 15 00:19:19 UTC 2019
    [Sun Jun 30 22:16:23 UTC 2019] Add '--force' to force to renew.
    [Sun Jun 30 22:16:23 UTC 2019] Skipped nostalgia1320.com
    [Sun Jun 30 22:16:23 UTC 2019] ===End cron===


    Code (Text):
     echo | openssl s_client -connect insidetopfuel.com:443
    CONNECTED(00000003)
    depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
    verify return:1
    depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
    verify return:1
    depth=0 CN = insidetopfuel.com
    verify return:1
    ---
    Certificate chain
     0 s:/CN=insidetopfuel.com
       i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
     1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
       i:/O=Digital Signature Trust Co./CN=DST Root CA X3
    ---
    Server certificate
    subject=/CN=insidetopfuel.com
    issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
    ---
    No client certificate CA names sent
    Peer signing digest: SHA256
    Server Temp Key: ECDH, P-256, 256 bits
    ---
    SSL handshake has read 3243 bytes and written 415 bytes
    ---
    New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : ECDHE-RSA-AES128-GCM-SHA256
        Session-ID: 01458B5786AD046222EA7D3F4BCD6F9C1D624F9553D572738ADC8C0D19ED0EAB
        Session-ID-ctx:
        Master-Key: 64F297581E9D97DBB7A0BF42C7D5F75AE639F74692E6422750C38861C8CE15F2B88F90A0BCFB48A09F5771BA0EC80BC0
        Key-Arg   : None
        Krb5 Principal: None
        PSK identity: None
        PSK identity hint: None
        TLS session ticket lifetime hint: 3600 (seconds)
        TLS session ticket:
    
        Start Time: 1561933050
        Timeout   : 300 (sec)
        Verify return code: 0 (ok)
    ---
    DONE
     
  7. eva2000

    When you create a new nginx vhost domain via centmin.sh menu option 2 or menu option 22 or via /usr/bin/nv cli command line, you will create the Nginx vhost files and directories. You will get an output of the path location where it will create the domain name's vhost conf file named newdomain.com.conf (and newdomain.com.ssl.conf if you selected yes to self signed SSL)
    • Nginx vhost conf path will be at /usr/local/nginx/conf/conf.d/newdomain.com.conf
    • Nginx HTTP/2 SSL vhost conf path will be at /usr/local/nginx/conf/conf.d/newdomain.com.ssl.conf
    • Nginx Self-Signed SSL Certificate Directory at /usr/local/nginx/conf/ssl/newdomain.com
    • Vhost public web root will be at /home/nginx/domains/newdomain.com/public
    • Vhost log directory will be at /home/nginx/domains/newdomain.com/log
    Please post the contents of /usr/local/nginx/conf/conf.d/newdomain.com.conf and if applicable /usr/local/nginx/conf/conf.d/newdomain.com.ssl.conf wrapped in CODE tags (outlined at How to use forum BBCODE code tags)

    what is output of these commands in ssh
    Code (Text):
    curl -I https://domain.com
    

    Code (Text):
    curl -I https://www.domain.com
    

    Code (Text):
    curl -I http://domain.com
    

    Code (Text):
    curl -I http://www.domain.com
    

    wrap output in CODE tags
     
  8. Itworx4me

    Code (Text):
    # Centmin Mod Getting Started Guide
    # must read http://centminmod.com/getstarted.html
    # For HTTP/2 SSL Setup
    # read http://centminmod.com/nginx_configure_https_ssl_spdy.html
    
    # redirect from www to non-www  forced SSL
    # uncomment, save file and restart Nginx to enable
    # if unsure use return 302 before using return 301
     server {
       server_name insidetopfuel.com www.insidetopfuel.com;
        return 302 https://insidetopfuel.com$request_uri;
     }
    
    server {
      listen 443 ssl http2;
      server_name insidetopfuel.com www.insidetopfuel.com;
    
      ssl_dhparam /usr/local/nginx/conf/ssl/insidetopfuel.com/dhparam.pem;
      ssl_certificate      /usr/local/nginx/conf/ssl/insidetopfuel.com/insidetopfuel.com-acme.cer;
      ssl_certificate_key  /usr/local/nginx/conf/ssl/insidetopfuel.com/insidetopfuel.com-acme.key;
      include /usr/local/nginx/conf/ssl_include.conf;
    
      http2_max_field_size 16k;
      http2_max_header_size 32k;
      # dual cert supported ssl ciphers
      ssl_ciphers TLS13-AES-128-GCM-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS;
      ssl_prefer_server_ciphers   on;
      #add_header Alternate-Protocol  443:npn-spdy/3;
      #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
      #add_header X-Frame-Options SAMEORIGIN;
      #add_header X-Xss-Protection "1; mode=block" always;
      #add_header X-Content-Type-Options "nosniff" always;
      #spdy_headers_comp 5;
      ssl_buffer_size 1369;
      ssl_session_tickets on;
     
      # enable ocsp stapling
      resolver 8.8.8.8 8.8.4.4 valid=10m;
      resolver_timeout 10s;
      ssl_stapling on;
      ssl_stapling_verify on;
      ssl_trusted_certificate /usr/local/nginx/conf/ssl/insidetopfuel.com/insidetopfuel.com-acme.cer;
    
    # ngx_pagespeed & ngx_pagespeed handler
    #include /usr/local/nginx/conf/pagespeed.conf;
    #include /usr/local/nginx/conf/pagespeedhandler.conf;
    #include /usr/local/nginx/conf/pagespeedstatslog.conf;
    
      # limit_conn limit_per_ip 16;
      # ssi  on;
    
      access_log /home/nginx/domains/insidetopfuel.com/log/access.log combined buffer=256k flush=5m;
      error_log /home/nginx/domains/insidetopfuel.com/log/error.log;
    
      root /home/nginx/domains/nitromater.com/public;
    
    location / {
         index index.php index.html index.htm;
         try_files $uri $uri/ /index.php?$uri&$args;
    }
    
    #location /admin.php {
        #auth_basic "Private";
        #auth_basic_user_file /usr/local/nginx/conf/htpasswd_admin_php;
            #include /usr/local/nginx/conf/php.conf;
            #allow 127.0.0.1;
            #allow 98.246.126.85;
            #deny all;
    #}
    
    location /install/data/ {
         internal;
    }
    
    location /install/templates/ {
         internal;
    }
    
    location /internal_data/ {
         internal;
    }
     
    # xenforo 2 uncomment / remove hash from next 3 lines
    location /src/ {
         internal;
    }
    
      include /usr/local/nginx/conf/staticfiles.conf;
      include /usr/local/nginx/conf/php.conf;
      #include /usr/local/nginx/conf/drop.conf;
      #include /usr/local/nginx/conf/errorpage.conf;
      include /usr/local/nginx/conf/vts_server.conf;
    }


    Code (Text):
    curl -I https://insidetopfuel.com
    HTTP/1.1 200 OK
    Date: Sun, 30 Jun 2019 22:57:26 GMT
    Content-Type: text/html; charset=utf-8
    Content-Length: 68340
    Connection: keep-alive
    Vary: Accept-Encoding
    X-Frame-Options: SAMEORIGIN
    X-Content-Type-Options: nosniff
    Last-Modified: Sun, 30 Jun 2019 22:57:26 GMT
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: private, no-cache, max-age=0
    Set-Cookie: xf_csrf=nPf7eX8XR2stVXJs; path=/; secure
    Server: nginx centminmod
    X-Powered-By: centminmod


    Code (Text):
    curl -I https://insidetopfuel.com
    HTTP/1.1 200 OK
    Date: Sun, 30 Jun 2019 22:57:26 GMT
    Content-Type: text/html; charset=utf-8
    Content-Length: 68340
    Connection: keep-alive
    Vary: Accept-Encoding
    X-Frame-Options: SAMEORIGIN
    X-Content-Type-Options: nosniff
    Last-Modified: Sun, 30 Jun 2019 22:57:26 GMT
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: private, no-cache, max-age=0
    Set-Cookie: xf_csrf=nPf7eX8XR2stVXJs; path=/; secure
    Server: nginx centminmod
    X-Powered-By: centminmod
    
    curl -I https://www.insidetopfuel.com
    HTTP/1.1 200 OK
    Date: Sun, 30 Jun 2019 22:59:05 GMT
    Content-Type: text/html; charset=utf-8
    Content-Length: 68356
    Connection: keep-alive
    Vary: Accept-Encoding
    X-Frame-Options: SAMEORIGIN
    X-Content-Type-Options: nosniff
    Last-Modified: Sun, 30 Jun 2019 22:59:05 GMT
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: private, no-cache, max-age=0
    Set-Cookie: xf_csrf=5fL-9smyRRGKn60D; path=/; secure
    Server: nginx centminmod
    X-Powered-By: centminmod


    Code (Text):
     curl -I http://insidetopfuel.com
    HTTP/1.1 302 Moved Temporarily
    Date: Sun, 30 Jun 2019 22:59:45 GMT
    Content-Type: text/html
    Content-Length: 138
    Connection: keep-alive
    Location: https://insidetopfuel.com/
    Server: nginx centminmod
    X-Powered-By: centminmod


    Code (Text):
     curl -I http://www.insidetopfuel.com
    HTTP/1.1 302 Moved Temporarily
    Date: Sun, 30 Jun 2019 23:00:29 GMT
    Content-Type: text/html
    Content-Length: 138
    Connection: keep-alive
    Location: https://insidetopfuel.com/
    Server: nginx centminmod
    X-Powered-By: centminmod
     
  9. eva2000

    strange not seeing anything in nginx vhost that would cause letsencrypt domain validation to fail

    make sure your include /usr/local/nginx/conf/staticfiles.conf file has the relevant line to allow letsencrypt domain validation at top of the file
    Code (Text):
        # prepare for letsencrypt 
        # https://community.centminmod.com/posts/17774/
        location ~ /.well-known { location ~ /.well-known/acme-challenge/(.*) { more_set_headers    "Content-Type: text/plain"; } }
    

    also output for
    Code (Text):
    nginx -V

    to make sure headers-more nginx module is enabled (should be by default)
     
  10. Itworx4me

    Code (Text):
    cat /usr/local/nginx/conf/staticfiles.conf
        # prepare for letsencrypt
        # https://community.centminmod.com/posts/17774/
        location ~ /.well-known { location ~ /.well-known/acme-challenge/(.*) { more_set_headers    "Content-Type: text/plain"; } }
    
        location ~* \.(3gp|gif|jpg|jpeg|png|ico|wmv|avi|asf|asx|mpg|mpeg|mp4|pls|mp3|mid|wav|swf|flv|exe|zip|tar|rar|gz|tgz|bz2|uha|7z|doc|docx|xls|xlsx|pdf|iso)$ {
            gzip_static off;
      #add_header Pragma public;
      #add_header X-Frame-Options SAMEORIGIN;
      #add_header X-Xss-Protection "1; mode=block" always;
      #add_header X-Content-Type-Options "nosniff" always;
      add_header Access-Control-Allow-Origin *;
      add_header Cache-Control "public, must-revalidate, proxy-revalidate, immutable, stale-while-revalidate=86400, stale-if-error=604800";
            access_log off;
            expires 30d;
            break;
            }
    
        location ~* \.(js)$ {
      #add_header Pragma public;
      #add_header X-Frame-Options SAMEORIGIN;
      #add_header X-Xss-Protection "1; mode=block" always;
      #add_header X-Content-Type-Options "nosniff" always;
      add_header Access-Control-Allow-Origin *;
      add_header Cache-Control "public, must-revalidate, proxy-revalidate, immutable, stale-while-revalidate=86400, stale-if-error=604800";
            access_log off;
            expires 30d;
            break;
            }
    
        location ~* \.(css)$ {
      #add_header Pragma public;
      #add_header X-Frame-Options SAMEORIGIN;
      #add_header X-Xss-Protection "1; mode=block" always;
      #add_header X-Content-Type-Options "nosniff" always;
      add_header Access-Control-Allow-Origin *;
      add_header Cache-Control "public, must-revalidate, proxy-revalidate, immutable, stale-while-revalidate=86400, stale-if-error=604800";
            access_log off;
            expires 30d;
            break;
            }
    
      #  location ~* \.(html|htm|txt)$ {
      #add_header Pragma public;
      #add_header X-Frame-Options SAMEORIGIN;
      #add_header X-Xss-Protection "1; mode=block" always;
      #add_header X-Content-Type-Options "nosniff" always;
            #add_header Cache-Control "public, must-revalidate, proxy-revalidate";
            #access_log off;
            #expires 1d;
            #break;
      #      }
    
        location ~* \.(eot|svg|ttf|woff|woff2)$ {
      #add_header Pragma public;
      #add_header X-Frame-Options SAMEORIGIN;
      #add_header X-Xss-Protection "1; mode=block" always;
      #add_header X-Content-Type-Options "nosniff" always;
      add_header Access-Control-Allow-Origin *;
      add_header Cache-Control "public, must-revalidate, proxy-revalidate";
            access_log off;
            expires 30d;
            break;
            }

    Code (Text):
    nginx -V
    nginx version: nginx/1.17.1 (290619-155544-centos7)
    built by gcc 8.2.1 20180905 (Red Hat 8.2.1-3) (GCC)
    built with OpenSSL 1.1.1c  28 May 2019
    TLS SNI support enabled
    configure arguments: --with-ld-opt='-Wl,-E -L/usr/local/zlib-cf/lib -L/usr/local/lib -ljemalloc -Wl,-z,relro -Wl,-rpath,/usr/local/zlib-cf/lib:/usr/local/lib' --with-cc-opt='-I/usr/local/zlib-cf/include -I/usr/local/include -m64 -march=native -DTCP_FASTOPEN=23 -g -O3 -fstack-protector-strong -flto --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wimplicit-fallthrough=0 -fcode-hoisting -Wp,-D_FORTIFY_SOURCE=2 -gsplit-dwarf' --sbin-path=/usr/local/sbin/nginx --conf-path=/usr/local/nginx/conf/nginx.conf --build=290619-155544-centos7 --with-compat --with-http_stub_status_module --with-http_secure_link_module --with-libatomic --with-http_gzip_static_module --add-dynamic-module=../ngx_http_geoip2_module --add-dynamic-module=../incubator-pagespeed-ngx-1.13.35.2-stable --with-http_sub_module --with-http_addition_module --with-http_image_filter_module=dynamic --with-http_geoip_module --with-stream_geoip_module --with-stream_realip_module --with-stream_ssl_preread_module --with-threads --with-stream --with-stream_ssl_module --with-http_realip_module --add-dynamic-module=../ngx-fancyindex-0.4.2 --add-module=../ngx_cache_purge-2.5 --add-dynamic-module=../ngx_devel_kit-0.3.0 --add-dynamic-module=../set-misc-nginx-module-0.32 --add-dynamic-module=../echo-nginx-module-0.61 --add-module=../redis2-nginx-module-0.15 --add-module=../ngx_http_redis-0.3.7 --add-module=../memc-nginx-module-0.18 --add-module=../srcache-nginx-module-0.31 --add-dynamic-module=../headers-more-nginx-module-0.33 --with-pcre-jit --with-zlib=../zlib-cloudflare-1.3.0 --with-http_ssl_module --with-http_v2_module --with-openssl=../openssl-1.1.1c
     
  11. eva2000

    looks good there but might have found the problem, your web root is pointing to another domain path
    Code (Text):
      access_log /home/nginx/domains/insidetopfuel.com/log/access.log combined buffer=256k flush=5m;
      error_log /home/nginx/domains/insidetopfuel.com/log/error.log;
    
      root /home/nginx/domains/nitromater.com/public;
    

    different domain at
    Code (Text):
      root /home/nginx/domains/nitromater.com/public;

    but it shouldn't make a difference as the domain would link to whatever web root you set, so insidetopfuel.com/.well-known would look to the /home/nginx/domains/nitromater.com/public/.well-known path
     
  12. Itworx4me

    Well this might have something to do with it: Domains - Parking Domains with SSL
     
  13. eva2000

    indeed though it shouldn't matter as the domain is linked to that as the defined web root path so should work

    you can do a manual dummy test to see if you can access it by creating
    Code (Text):
    /home/nginx/domains/nitromater.com/public/.well-known/acme-challenge/Yz2kzwIQUtL6XosptW9yAsJMg2rmM5ISeA4HA9ymA30
    

    create using these commands
    Code (Text):
    mkdir -p /home/nginx/domains/nitromater.com/public/.well-known/acme-challenge/
    touch /home/nginx/domains/nitromater.com/public/.well-known/acme-challenge/Yz2kzwIQUtL6XosptW9yAsJMg2rmM5ISeA4HA9ymA30
    ngxrestart
    

    then do curl header check to see if you can access it
    Code (Text):
    curl -I https://insidetopfuel.com/.well-known/acme-challenge/Yz2kzwIQUtL6XosptW9yAsJMg2rmM5ISeA4HA9ymA30
    

    Code (Text):
    curl -4I https://insidetopfuel.com/.well-known/acme-challenge/Yz2kzwIQUtL6XosptW9yAsJMg2rmM5ISeA4HA9ymA30
    

    Code (Text):
    curl -6I https://insidetopfuel.com/.well-known/acme-challenge/Yz2kzwIQUtL6XosptW9yAsJMg2rmM5ISeA4HA9ymA30
    

    then remove the created directories/files
    Code (Text):
    cd /home/nginx/domains/nitromater.com/public/.well-known
    rm -rf /home/nginx/domains/nitromater.com/public/.well-known/acme-challenge/
    
     
  15. Itworx4me

    Code (Text):
     curl -I https://insidetopfuel.com/.well-known/acme-challenge/Yz2kzwIQUtL6XosptW9yAsJMg2rmM5ISeA4HA9ymA30
    HTTP/1.1 200 OK
    Date: Thu, 04 Jul 2019 17:54:31 GMT
    Content-Type: text/plain; charset=utf-8
    Content-Length: 0
    Last-Modified: Thu, 04 Jul 2019 17:54:12 GMT
    Connection: keep-alive
    ETag: "5d1e3d44-0"
    Server: nginx centminmod
    X-Powered-By: centminmod
    Accept-Ranges: bytes

    Code (Text):
     curl -4I https://insidetopfuel.com/.well-known/acme-challenge/Yz2kzwIQUtL6XosptW9yAsJMg2rmM5ISeA4HA9ymA30
    HTTP/1.1 200 OK
    Date: Thu, 04 Jul 2019 17:55:30 GMT
    Content-Type: text/plain; charset=utf-8
    Content-Length: 0
    Last-Modified: Thu, 04 Jul 2019 17:54:12 GMT
    Connection: keep-alive
    ETag: "5d1e3d44-0"
    Server: nginx centminmod
    X-Powered-By: centminmod
    Accept-Ranges: bytes

    Code (Text):
    curl -6I https://insidetopfuel.com/.well-known/acme-challenge/Yz2kzwIQUtL6XosptW9yAsJMg2rmM5ISeA4HA9ymA30
    curl: (6) Could not resolve host: insidetopfuel.com; No address associated with hostname
     
  16. eva2000

    looks good as long as you don't have IPv6 DNS AAAA record set, letsencrypt should check your IPv4 DNS A record

    and the curl dummy check confirms web root modified does link to your domain

    but i see access to
    Code (Text):
    https://insidetopfuel.com/.well-known/

    gives 403 permission denied while i'd expect 404 not found when access is not part of centmin mod's addon/acmetool.sh and acme.sh letsencrypt ssl certificate issuance

    so something in your setup is specifically restricting access
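
The manual test from this thread (write a file under the vhost's web root, fetch it with curl over IPv4 and IPv6, clean up) as one script. This is an added example, not part of any post and not Centmin Mod or acme.sh code; the function names, probe file name and diagnosis wording are assumptions, and it reads the web root from the vhost's `root` directive so a vhost whose root belongs to another domain is probed in the right directory.

```bash
#!/bin/sh
# Added example (not Centmin Mod or acme.sh code): self-check of the HTTP-01
# challenge path, following the manual test in this thread. Function names,
# the probe file name and the diagnosis wording are assumptions.

# Print the path of the first active `root` directive in an nginx vhost file.
# Commented-out directives are skipped: their first field starts with "#".
vhost_root() {
  awk '$1 == "root" { sub(/;$/, "", $2); print $2; exit }' "$1"
}

# Write a probe file whose content equals its name under
# <root>/.well-known/acme-challenge/ and print that name.
place_probe() (
  dir="$1/.well-known/acme-challenge"
  token="selfcheck-$(date +%Y%m%d%H%M%S)-$$"
  mkdir -p "$dir" || exit 1
  printf '%s' "$token" > "$dir/$token" || exit 1
  printf '%s\n' "$token"
)

# Remove only the probe file; the directory stays, so a challenge file that
# acme.sh is serving at the same moment is not deleted.
remove_probe() {
  rm -f "$1/.well-known/acme-challenge/$2"
}

# One-line diagnosis "<keyword>: <explanation>" for a probe result.
#   $1 HTTP status (000 = no response)   $2 body received
#   $3 expected body                     $4 address family (4 or 6)
diagnose() {
  case "$1" in
    200)
      if [ "$2" = "$3" ]; then
        echo "ok: the vhost root serves .well-known/acme-challenge/"
      else
        echo "mismatch: 200 without the probe content, a rewrite or other vhost answered"
      fi ;;
    403) echo "forbidden: a deny rule or file permission blocks the challenge path" ;;
    404) echo "not-found: the probe is not under the root this vhost serves" ;;
    000)
      if [ "$4" = 6 ]; then
        echo "no-response: expected without an AAAA record, a failure if one is published"
      else
        echo "no-response: DNS, firewall or listener problem on IPv4"
      fi ;;
    *) echo "unexpected: HTTP $1" ;;
  esac
}

# Fetch the probe over IPv4 or IPv6 and print the diagnosis. -L follows
# redirects, since the vhost in this thread answers http:// with a 302.
probe() (
  family=$1 url=$2 expected=$3
  bodyfile=$(mktemp) || exit 1
  status=$(curl "-$family" -sL --max-time 10 -o "$bodyfile" \
    -w '%{http_code}' "$url" 2>/dev/null) || true
  body=$(cat "$bodyfile"); rm -f "$bodyfile"
  diagnose "${status:-000}" "$body" "$expected" "$family"
)

# Probe a live vhost: selfcheck <domain> <vhost.conf>
selfcheck() (
  root=$(vhost_root "$2")
  [ -n "$root" ] || { echo "no active root directive in $2" >&2; exit 1; }
  token=$(place_probe "$root") || exit 1
  for family in 4 6; do
    echo "IPv$family $(probe "$family" "http://$1/.well-known/acme-challenge/$token" "$token")"
  done
  remove_probe "$root" "$token"
)

# Offline demo on a constructed vhost (not the poster's file): server_name and
# root belong to different domains, as in this thread.
demo() (
  tmp=$(mktemp -d) || exit 1
  root="$tmp/domains/parked-target.test/public"
  mkdir -p "$root"
  printf 'server {\n  server_name parked.test;\n  # root /old/path;\n  root %s;\n}\n' \
    "$root" > "$tmp/parked.test.ssl.conf"
  found=$(vhost_root "$tmp/parked.test.ssl.conf")
  token=$(place_probe "$found")
  rel=${found#"$tmp"}
  echo "probe written under: $rel"
  diagnose 200 "$token" "$token" 4
  diagnose 403 "" "$token" 4
  remove_probe "$found" "$token"
  rm -rf "$tmp"
)

# No arguments: offline demo. Two arguments: live check, for example
#   sh selfcheck.sh newdomain.com /usr/local/nginx/conf/conf.d/newdomain.com.ssl.conf
case "$#" in
  2) selfcheck "$1" "$2" ;;
  0) demo ;;
  *) echo "usage: $0 <domain> <vhost.conf>" >&2 ;;
esac
```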