
Wordpress Install with letsEncrypt Alma 8.7

Discussion in 'AlmaLinux 8 & Rocky Linux 8 Beta Testing' started by cloud9, Dec 8, 2022.

  1. cloud9

    cloud9 Premium Member Premium Member

    435
    118
    43
    Oct 6, 2015
    England
    Ratings:
    +218
    Local Time:
    12:13 PM
    1.25.3
    10.6.x
    The following test environment information, relevant to your EL8 server installation, is needed. Please provide the info in BBCODE CODE/CODEB tags for better formatting.

    1. Hetzner CX21

    cminfo versions

    1st:
    130.00beta01.b246 #Thu Nov 17 21:43:33 UTC 2022
    ..
    last 10:
    130.00beta01.b251 #Mon Dec 5 16:19:16 UTC 2022
    130.00beta01.b251 #Wed Dec 7 12:16:30 UTC 2022
    130.00beta01.b251 #Wed Dec 7 12:18:26 UTC 2022
    130.00beta01.b251 #Wed Dec 7 12:22:27 UTC 2022
    130.00beta01.b251 #Wed Dec 7 12:34:16 UTC 2022
    130.00beta01.b251 #Wed Dec 7 12:35:45 UTC 2022
    130.00beta01.b251 #Wed Dec 7 12:47:13 UTC 2022
    130.00beta01.b251 #Wed Dec 7 13:22:08 UTC 2022
    130.00beta01.b251 #Wed Dec 7 13:27:57 UTC 2022
    130.00beta01.b251 #Wed Dec 7 17:49:20 UTC 2022


    lscpu
    Architecture: x86_64
    CPU op-mode(s): 32-bit, 64-bit
    Byte Order: Little Endian
    CPU(s): 2
    On-line CPU(s) list: 0,1
    Thread(s) per core: 1
    Core(s) per socket: 2
    Socket(s): 1
    NUMA node(s): 1
    Vendor ID: GenuineIntel
    BIOS Vendor ID: QEMU
    CPU family: 6
    Model: 85
    Model name: Intel Xeon Processor (Skylake, IBRS)
    BIOS Model name: Not Specified
    Stepping: 4
    CPU MHz: 2099.998
    BogoMIPS: 4199.99
    Hypervisor vendor: KVM
    Virtualization type: full
    L1d cache: 32K
    L1i cache: 32K
    L2 cache: 4096K
    L3 cache: 16384K
    NUMA node0 CPU(s): 0,1
    Flags: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx pdpe1gb rdtscp lm constant_tsc rep_good nopl xtopology cpuid tsc_known_freq pni pclmulqdq ssse3 fma cx16 pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand hypervisor lahf_lm abm 3dnowprefetch cpuid_fault invpcid_single pti ssbd ibrs ibpb fsgsbase bmi1 hle avx2 smep bmi2 erms invpcid rtm avx512f avx512dq rdseed adx smap clwb avx512cd avx512bw avx512vl xsaveopt xsavec xgetbv1 arat pku ospke md_clear

    free -mlt

    total used free shared buff/cache available
    Mem: 3635 585 1752 8 1298 2799
    Low: 3635 1883 1752
    High: 0 0 0
    Swap: 1023 0 1023
    Total: 4659 585 2776


    df -hT
    Filesystem Type Size Used Avail Use% Mounted on
    devtmpfs devtmpfs 1.8G 0 1.8G 0% /dev
    tmpfs tmpfs 1.8G 0 1.8G 0% /dev/shm
    tmpfs tmpfs 1.8G 8.6M 1.8G 1% /run
    tmpfs tmpfs 1.8G 0 1.8G 0% /sys/fs/cgroup
    /dev/sda1 ext4 38G 9.2G 27G 26% /
    /dev/loop0 ext4 3.9G 112K 3.7G 1% /tmp
    /dev/sda14 vfat 64M 5.8M 59M 10% /boot/efi
    tmpfs tmpfs 364M 0 364M 0% /run/user/0


    All set up and installed WP with option 22.

    Looks like Letsencrypt failed, as I have no https; also, not ever having done a WP option 22 install, the following:

    mydomain.co.uk goes to a CMM install page.
    Nothing else works, i.e. https or www or wp-login.

    Code:
    -----------------------------------------------------------
    
    issue & install letsencrypt ssl certificate for mydomain.co.uk
    -----------------------------------------------------------
    testcert value = wplived
    wp routine detected use reissue instead via --force
    /root/.acme.sh/acme.sh --force --issue -d mydomain.co.uk -d www.mydomain.co.uk --days 60 -w /home/nginx/domains/mydomain.co.uk/public -k 2048 --useragent centminmod--acmesh-webroot --log /root/centminlogs/acmetool.sh-debug-log-071222-175410.log --log-level 2 --preferred-chain  "ISRG"
    [Wed Dec  7 17:54:17 UTC 2022] Using CA: https://acme-v02.api.letsencrypt.org/directory
    [Wed Dec  7 17:54:17 UTC 2022] Create account key ok.
    [Wed Dec  7 17:54:17 UTC 2022] Registering account: https://acme-v02.api.letsencrypt.org/directory
    [Wed Dec  7 17:54:19 UTC 2022] Registered
    [Wed Dec  7 17:54:19 UTC 2022] ACCOUNT_THUMBPRINT='OR2eW1oFzjwgp-P2pS8y5zJAVKbPK0EDEvcGO6jMyHE'
    [Wed Dec  7 17:54:19 UTC 2022] Creating domain key
    [Wed Dec  7 17:54:19 UTC 2022] The domain key is here: /root/.acme.sh/mydomain.co.uk/mydomain.co.uk.key
    [Wed Dec  7 17:54:19 UTC 2022] Multi domain='DNS:mydomain.co.uk,DNS:www.mydomain.co.uk'
    [Wed Dec  7 17:54:19 UTC 2022] Getting domain auth token for each domain
    [Wed Dec  7 17:54:21 UTC 2022] Getting webroot for domain='mydomain.co.uk'
    [Wed Dec  7 17:54:22 UTC 2022] Getting webroot for domain='www.mydomain.co.uk'
    [Wed Dec  7 17:54:22 UTC 2022] Verifying: mydomain.co.uk
    [Wed Dec  7 17:54:23 UTC 2022] Pending, The CA is processing your order, please just wait. (1/30)
    [Wed Dec  7 17:54:25 UTC 2022] mydomain.co.uk:Verify error:157.90.160.221: Fetching http://mydomain.co.uk/.well-known/acme-challenge/pNS_4lWXLc3hQ6yVDfx5etFxDNVwulIC9xcdkyHeHjQ: Connection refused
    [Wed Dec  7 17:54:26 UTC 2022] Please check log file for more details: /root/centminlogs/acmetool.sh-debug-log-071222-175410.log
    LECHECK = 1

    config file

    Code:
    #### Installed by Centminmod##############
    CENTOS_ALPHATEST='y'
    NGINX_VERSION='1.23.2'
    NGINX_ONETWOTHREE_COMPAT='y'
    DEVTOOLSETTEN='n'
    DEVTOOLSETELEVEN='y'
    SELFSIGNEDSSL_ECDSA='y'
    PHPFINFO='y'
    
    MARCH_TARGETNATIVE='n'
    ##########################################
    
    #####################################################
    # CSF FIREWALL
    # PORTFLOOD Configuration
    # https://community.centminmod.com/threads/14708/
    # Setting CSFPORTFLOOD_OVERRIDE='y' allows you to
    # override default CSF Firewall PORTFLOOD values set
    # by Centmin Mod initial install. If end user made
    # custom changes to PORTFLOOD values, the override
    # will not work. Override only works if end user has
    # not made custom changes to PORTFLOOD values to ensure
    # end users customisations do not get overwritten
    CSFPORTFLOOD_OVERRIDE='y'
    # max hit count value allowed is 20
    PORTFLOOD_COUNT=20
    # lowering interval in seconds allows for more
    # port flood hits against default TCP port 21
    PORTFLOOD_INTERVAL=300
    #####################################################
    
    # enable letsencrypt ssl certificate + dual RSA+ECDSA ssl certs https://centminmod.com/acmetool/
    # https://community.centminmod.com/threads/official-acmetool-sh-testing-thread-for-centmin-mod-123-09beta01.8290/
    LETSENCRYPT_DETECT='y'
    DUALCERTS='y'
    
    # Add custom curl to update curl to 8.x latest
    # https://community.centminmod.com/threads/update-addons-customcurl-sh-custom_curlrpm-y-routine-in-123-09beta01.17503/
    CUSTOM_CURLRPM=y
    
    # Force SSL to only using TLSv1.2 or TLSv1.2 + TLSv1.3 (when using OpenSSL 1.1.1 or BoringsSSL)
    #https://community.centminmod.com/threads/add-ssl_protocol_modern-variable-in-123-09beta01.19715/#post-83781
    SSL_PROTOCOL_MODERN='y'
    
    # Enable Rclone and Dropbox to enable sharing Logs
    #https://community.centminmod.com/threads/centmin-mod-nginx-1-21-5-pcre2-beta-testing.22326/#post-91386
    #RCLONE_ENABLE='y'
    #DROPBOX_SEND='y'
    
    #replace older PCRE2 8.x library with 10.x library
    #https://community.centminmod.com/threads/centmin-mod-nginx-1-21-5-pcre2-beta-testing.22326/#post-91354
    NGINX_PCRE_TWO='y'
    
    # dynamically tune nginx ssl_session_cache in /usr/local/nginx/conf/ssl_include.conf based on system detected memory
    # https://community.centminmod.com/posts/76615/
    NGINX_SSLCACHE_ALLOWOVERRIDE='y'
    
    # override Nginx default OCSP response cache refresh time 1h (3600 seconds) to 24hrs (86400 seconds)
    # https://community.centminmod.com/threads/19515/
    #NGINX_STAPLE_CACHE_OVERRIDE='y'
    #NGINX_STAPLE_CACHE_TTL='86400'
    
    # SET_DEFAULT_MYSQLCHARSET='utf8mb4' to override MariaDB MySQL
    # default characterset and collation from default utf8 to utf8mb4
    # https://community.centminmod.com/threads/17949/
    # SET_DEFAULT_MYSQLCHARSET='utf8mb4'
    
    # enable nginx backlog override https://community.centminmod.com/threads/17620/
    #AUTOHARDTUNE_NGINXBACKLOG='y'
    
    # enable zstd compressed logrotation for nginx & php-fpm https://community.centminmod.com/threads/16374/
    ZSTD_LOGROTATE_NGINX='y'
    ZSTD_LOGROTATE_PHPFPM='y'
    
    # enable ECC 256bit ECDSA self-signed SSL certificate generation https://community.centminmod.com/posts/82177/
    #SELFSIGNEDSSL_ECDSA='y'
    
    # COMMENTED OUT DEFAULT - enable nginx zero downtime on the fly nginx binary upgrades https://community.centminmod.com/threads/8000/
    # NGINX_ZERODT='y'
    
    # COMMENTED OUT - REQUIRES CENTOS KERNEL 5.1 or ABOVE - CHECK VERSION FIRST WITH uname -r
    # CARE WHEN UPGRADING KERNEL - BEST NOT TO DO ON A LIVE SERVER
    # SEE https://community.centminmod.com/threads/add-nginx_iouring_patch-variable-support-in-123-09beta01.18075/#post-76552
    #NGINX_IOURING_PATCH='y'
    
    # enable brotli compression https://community.centminmod.com/threads/10688/
    NGXDYNAMIC_BROTLI='y'
    NGINX_LIBBROTLI='y'
    NGINX_BROTLIDEP_UPDATE='y'
    
    # enable IPv6 Detection for the server https://community.centminmod.com/threads/invitation-to-test-native-nginx-ipv6-vhost-config-support-in-130-00beta01.23463/#post-95207
    VPS_IPSIX_CHECK_DISABLE='n'
    VPS_IPSIX_CHECK_DISABLE_DEBUG='y'
    
    #enable MariaDB 10.4,5 & 6
    ENABLE_MARIADBTENFOURUPGRADE='y'
    ENABLE_MARIADBTENFIVEUPGRADE='y'
    ENABLE_MARIADBTENSIXUPGRADE='y'
    
    # boost PHP 7 performance by enabling Profile Guided Optimisation flag
    # https://centminmod.com/perf/
    # will dramatically increase PHP-FPM compile/install times but result in
    # 5-20% faster PHP 7+ performance. PHP_PGO='y' only works with servers with
    # 2+ or more cpu threads. However, you can force PHP PGO optimisations with
    # 1 cpu thread servers via PHP_PGO_ALWAYS='y'
    #PHP_PGO_ALWAYS='y'
    #PHP_PGO='y'
    
    # php compression extensions https://community.centminmod.com/posts/70777/
    #PHP_BROTLI='y'
    #PHP_LZFOUR='y'
    #PHP_LZF='y'
    #PHP_ZSTD='y'
    
    # php file info
    #PHPFINFO='y'
    
    # enable centmin.sh menu option 22 WordPress Cache Enabler Query String inclusions
    # https://community.centminmod.com/posts/85927/
    # WPCLI_CE_QUERYSTRING_INCLUDED='y'
    
    # Set PHP version
    # PHP versions - https://www.php.net/downloads.php
    # https://community.centminmod.com/threads/php-8-0-0-ga-stable-release.20739/#post-87309
    #PHP_VERSION='8.1.7'
    
    # PHP version checks
    # https://community.centminmod.com/threads/add-optional-php-version-check-in-123-09beta01.19334/
    DMOTD_PHPCHECK='y'
    
    # Enable VHost Stats
    # see https://community.centminmod.com/threads/add-ngxdynamic_vhoststats-option-support-for-nginx-module-vts-module.12913/#post-54842
    #NGINX_VHOSTSTATS=y
    
    #Enable Max Mind GeoIP
    #see https://community.centminmod.com/threads/how-to-enable-geoip-2-lite-nginx-module-support.17165/
    MM_LICENSE_KEY='licensekeyhere'
    NGINX_GEOIPTWOLITE='y'
    NGXDYNAMIC_GEOIPTWOLITE='y'
    
    #Cloudflare SSL Options
    #https://centminmod.com/letsencrypt-freessl.html#dns
    #CF_DNSAPI_GLOBAL='y'
    #CF_Token="xxxxxxxxxxx"
    #CF_Account_ID="xxxxxxxxxxx"
     
  2. cloud9

  3. cloud9

    Ok, looks like it's the IPv6.

    Reading Tracy Perry's post here, #12.

    The Hetzner server needs IPv6 set up manually according to the docs.

    nano /etc/sysconfig/network-scripts/ifcfg-eth0

    Code:
    # Created by cloud-init on instance boot automatically, do not edit.
    #
    BOOTPROTO=dhcp
    DEFROUTE=yes
    DEVICE=eth0
    DNS1=2a01:4ff:ff00::add:1
    DNS2=2a01:4ff:ff00::add:2
    HWADDR=96:00:01:ad:03:35
    IPV6ADDR=2aXX:4fX:1cXX:a4XX::1/64
    IPV6INIT=yes
    IPV6_AUTOCONF=no
    IPV6_DEFAULTGW=fe80::1
    IPV6_FORCE_ACCEPT_RA=no
    ONBOOT=yes
    TYPE=Ethernet
    USERCTL=no
    So it looks like, as Tracy said, a /64 range.

    But knowing naff all about IPv6, what do I set that to?
     
  4. cloud9

    Sorted IPv6, but disabled it and still no joy.

    However, one issue I have just noticed: Nginx isn't happy.

    Code:
    nginx -t
    nginx: [emerg] dlopen() "/usr/local/nginx/modules/ngx_http_geoip2_module.so" failed (/usr/local/nginx/modules/ngx_http_geoip2_module.so: cannot open shared object file: No such file or directory) in /usr/local/nginx/conf/dynamic-modules.conf:12
    nginx: configuration file /usr/local/nginx/conf/nginx.conf test failed
    If I comment out the GeoIP in the custom config and recompile nginx, it still fails.

    Code:
    cd /usr/local/nginx/modules/
    ls -lah
    total 9.1M
    drwxr-xr-x.  2 root root 4.0K Dec  5 16:14 .
    drwxr-xr-x. 11 root root 4.0K Dec  4 19:55 ..
    -rwxr-xr-x   1 root root 107K Dec  4 19:55 ndk_http_module.so
    -rwxr-xr-x   1 root root 7.4M Dec  4 19:55 ngx_http_brotli_filter_module.so
    -rwxr-xr-x   1 root root  77K Dec  4 19:55 ngx_http_brotli_static_module.so
    -rwxr-xr-x   1 root root 525K Dec  4 19:55 ngx_http_echo_module.so
    -rwxr-xr-x   1 root root 124K Dec  4 19:55 ngx_http_fancyindex_module.so
    -rwxr-xr-x   1 root root 233K Dec  4 19:55 ngx_http_headers_more_filter_module.so
    -rwxr-xr-x   1 root root 128K Dec  4 19:55 ngx_http_image_filter_module.so
    -rwxr-xr-x   1 root root 577K Dec  4 19:55 ngx_http_set_misc_module.so
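The dlopen() error in the post above is nginx refusing to start because dynamic-modules.conf still references a module that is not in /usr/local/nginx/modules (the listing has no ngx_http_geoip2_module.so). As an added example, not Centmin Mod's own code, this POSIX sh script checks every load_module path in such a conf before `nginx -t` is run, so the missing file is named directly instead of surfacing as a config test failure. It assumes standard nginx `load_module "path";` syntax and that a relative path resolves against the nginx prefix /usr/local/nginx; the fixture directory and conf it builds for the demo are constructed.

```sh
#!/bin/sh
# Added example, not Centmin Mod's own code: before `nginx -t`, list every
# dynamic module that dynamic-modules.conf references but that is missing on
# disk. nginx resolves a relative load_module path against its --prefix
# (assumed /usr/local/nginx here, as in the thread).

NGINX_PREFIX="${NGINX_PREFIX:-/usr/local/nginx}"

# Print the path from every uncommented `load_module "path";` or
# `load_module path;` line in the given conf file.
module_paths() {
  sed -n 's/^[[:space:]]*load_module[[:space:]]\{1,\}"\{0,1\}\([^";]*\)"\{0,1\}[[:space:]]*;.*/\1/p' "$1"
}

# Print the absolute path of each referenced module that does not exist.
list_missing_modules() {
  module_paths "$1" | while IFS= read -r so; do
    case "$so" in
      /*) full="$so" ;;
      *)  full="$NGINX_PREFIX/$so" ;;
    esac
    [ -e "$full" ] || printf '%s\n' "$full"
  done
}

# Return 1 and report on stderr if any module is missing, else return 0.
check_dynamic_modules() {
  missing=$(list_missing_modules "$1")
  if [ -n "$missing" ]; then
    printf 'missing dynamic module(s) referenced by %s:\n%s\n' "$1" "$missing" >&2
    return 1
  fi
  return 0
}

# Constructed fixture: a module directory like the thread's `ls -lah` (no
# geoip2 .so present) and a conf that still loads the geoip2 module.
# Prints the fixture directory so the caller can clean it up.
make_fixture() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/modules"
  for m in ndk_http_module ngx_http_brotli_filter_module ngx_http_brotli_static_module \
           ngx_http_echo_module ngx_http_headers_more_filter_module; do
    : > "$tmp/modules/$m.so"
  done
  cat > "$tmp/dynamic-modules.conf" <<EOF
# constructed conf in nginx load_module syntax
load_module "$tmp/modules/ndk_http_module.so";
load_module "$tmp/modules/ngx_http_brotli_filter_module.so";
load_module "$tmp/modules/ngx_http_geoip2_module.so";
#load_module "$tmp/modules/ngx_http_not_built.so";
EOF
  printf '%s\n' "$tmp"
}

# Demo: with the fixture the check fails on the geoip2 module, the same file
# nginx could not dlopen() in the thread.
fx=$(make_fixture)
if ! check_dynamic_modules "$fx/dynamic-modules.conf"; then
  echo "fix or comment out the missing load_module lines before running nginx -t"
fi
rm -rf "$fx"
```

On a live server, run `check_dynamic_modules /usr/local/nginx/conf/dynamic-modules.conf`; a non-zero exit with the missing paths tells you which load_module lines to comment out, or which module still has to be rebuilt (centmin.sh menu option 4), before the config test will pass.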
     
  5. wmtech

    wmtech Active Member

    175
    44
    28
    Jul 22, 2017
    Ratings:
    +132
    Local Time:
    1:13 PM
    All you would have to do is to delete the AAAA DNS record of your mydomain.co.uk host entry before trying to get an LE certificate.

    You can recreate the AAAA record after successful issue of the cert and also adapt the vhost conf with the IPv6 address.

    Also: your server uses just a single IPv6 address out of the /64. If you need more IPv6 addresses, you can manually add them (out of your /64 network).
     
  6. eva2000

    eva2000 Administrator Staff Member

    55,223
    12,253
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,831
    Local Time:
    9:13 PM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    What @wmtech stated.

    Noticed you had Cloudflare DNS API Letsencrypt disabled (Letsencrypt Free SSL Certificates). Is that because the domain isn't behind Cloudflare? As using the Cloudflare DNS API for Letsencrypt is the easiest way to get around this IPv6 issue when your server isn't properly configured for IPv6 out of the box, i.e. Hetzner.
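Putting the log excerpt from post 1 together with wmtech's AAAA advice and the IPv6 point above, here is an added example (not the thread's own code, and not part of acmetool.sh or acme.sh) that triages the "Verify error" lines of an acme.sh issue log: it pulls out the domain, the address the CA tried, whether that address is IPv4 or IPv6, and a likely cause. It assumes the line shape shown in post 1 (`DOMAIN:Verify error:IP: Fetching URL: REASON`); the sample log, the addresses 192.0.2.10 and 2001:db8::1 and the hint categories are constructed for the example.

```sh
#!/bin/sh
# Added example, not from the thread or from acmetool.sh/acme.sh: triage the
# "Verify error" lines of an acme.sh --issue log so the failing address, its
# IP family and a likely cause are visible at a glance.

# "6" if the address is IPv6 (contains a colon), otherwise "4".
ip_family() {
  case "$1" in
    *:*) echo 6 ;;
    *)   echo 4 ;;
  esac
}

# Map the trailing error text of a Verify error line to a triage hint.
# The categories are generic HTTP-01 failure modes, not acme.sh's own wording.
classify_reason() {
  case "$1" in
    *"Connection refused"*)
      echo "nothing is listening on port 80 at that address: run 'nginx -t' and confirm nginx is actually running" ;;
    *"Timeout"*|*"timed out"*)
      echo "no reply at all: check the firewall (CSF) permits TCP/80 and that the address is routed to this server" ;;
    *"404"*|*"Invalid response"*)
      echo "a web server answered without the token: check the -w webroot matches the vhost root" ;;
    *)
      echo "unclassified: read the full acme.sh debug log" ;;
  esac
}

# Read an acme.sh log on stdin; print "domain|ip|family|hint" per Verify error.
# Expected line shape (from the thread):
#   [date] DOMAIN:Verify error:IP: Fetching URL: REASON
triage_acme_log() {
  grep 'Verify error:' | while IFS= read -r line; do
    rest=${line#*] }                    # drop "[timestamp] "
    domain=${rest%%:Verify error:*}
    rest=${rest#*:Verify error:}
    ip=${rest%%: Fetching*}
    reason=${rest##*: }
    fam=$(ip_family "$ip")
    hint=$(classify_reason "$reason")
    if [ "$fam" = 6 ]; then
      # The CA reached the AAAA record: IPv6 must serve the challenge too,
      # or the AAAA record has to go until the certificate is issued.
      hint="$hint; the CA used the AAAA record, so IPv6 must serve the challenge or the AAAA record must be removed until issuance succeeds"
    fi
    printf '%s|%s|%s|%s\n' "$domain" "$ip" "$fam" "$hint"
  done
}

# Constructed sample log: the second line mirrors the thread's failure, the
# third is a made-up IPv6 failure (2001:db8::/32 is a documentation prefix).
SAMPLE_LOG='[Wed Dec  7 17:54:17 UTC 2022] Verifying: mydomain.co.uk
[Wed Dec  7 17:54:25 UTC 2022] mydomain.co.uk:Verify error:192.0.2.10: Fetching http://mydomain.co.uk/.well-known/acme-challenge/TOKEN1: Connection refused
[Wed Dec  7 17:54:26 UTC 2022] www.mydomain.co.uk:Verify error:2001:db8::1: Fetching http://www.mydomain.co.uk/.well-known/acme-challenge/TOKEN2: Timeout
[Wed Dec  7 17:54:26 UTC 2022] Please check log file for more details'

# Run the triage over the constructed sample.
triage_sample() {
  printf '%s\n' "$SAMPLE_LOG" | triage_acme_log
}

triage_sample
```

On a real server, feed it the file named in the "Please check log file" line, e.g. `triage_acme_log < /root/centminlogs/acmetool.sh-debug-log-071222-175410.log`. In this thread the refused connection was at an IPv4 address, which fits nginx not running at all (the dlopen() failure in post 4) rather than a bad AAAA record; an IPv6 address in that position is what the AAAA advice above is for.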
     
  7. cloud9

    It's not behind Cloudflare.

    Done that; still not issuing a Let's Encrypt cert. However, it may be something to do with Nginx not running due to the GeoIP issue.

    See above: Nginx won't run as it's got a GeoIP issue (post 4 above).
     
  8. eva2000

    Try running cmupdate and then centmin.sh menu option 4 to recompile Nginx.
     
  9. cloud9

    Have you fixed something? Just did that and now all working; could swear blind I did that late last night and still had the nginx error for geoip...

    Thanks
     
  10. cloud9

    Yes, thanks @eva2000 and @wmtech.

    Site all installed and running with Letsencrypt; just got to re-enable IPv6 now and add it to DNS.
     
  11. eva2000

    A few updates did happen (https://community.centminmod.com/forums/centmin-mod-github-commits.41/) but not directly related to the GeoIP 2 Lite nginx module.

    Usually, if you want to dig into nginx compile errors, you can dig into the nginx upgrade logs, which are automatically saved on each centmin.sh menu option 4 run: https://community.centminmod.com/threads/how-to-troubleshoot-nginx-installs-upgrades.17778/