Learn about Centmin Mod LEMP Stack today
Become a Member

Xenforo API Doesn't work when set website dns as local (etc/hosts)

Discussion in 'Nginx, PHP-FPM & MariaDB MySQL' started by negative, Aug 5, 2020.

  1. negative

    negative Active Member

    415
    50
    28
    Apr 11, 2015
    Ratings:
    +98
    Local Time:
    11:32 PM
    1.9.10
    10.1.11
    Hello. I have interesting problem about between my etc/hosts and nginx configuration i thought.


    When i have "serverip mydomain.com" host specification in my etc/hosts, Xenforo API requests doesn't work in my hosting. (it calls the api locally without problem, but i got errors when i visit the website via browser)

    I have 3 domain in my nginx configuration and they configured as listen 80 both. But something missing for me i thought thats why xenforo api requests doesn't work in this mean. Because it asks to www.mydomain.com/xenforo/api

    If i remove the my domain from /etc/hosts, api working well but slowly because of www.mydomain.com goes lookup over cloudflare etc.

    traceroute www.mydomain.com is 0ms when my domain built in etc/hosts, else about 60ms every query thats why my local website api calls takes long time because of have latency.


    • CentOS Version: CentOS 7 64bit
    • Centmin Mod Version Installed: 123.09beta01
    • Nginx Version Installed: 1.19.1
    • PHP Version Installed: 7.3
    • MariaDB MySQL Version Installed: 10.4
    • When was last time updated Centmin Mod code base ? : daily
    • Persistent Config: N/A
     
  2. eva2000

    eva2000 Administrator Staff Member

    47,552
    10,791
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +16,776
    Local Time:
    7:32 AM
    Nginx 1.19.x
    MariaDB 5.5/10.x
    You can test in SSH via curl to check headers using the following commands:
    Code (Text):
    curl -Ik http://domain.com/xenforo/api
    

    Code (Text):
    curl -Ik http://www.domain.com/xenforo/api
    

    Code (Text):
    curl -Ik https://domain.com/xenforo/api
    

    Code (Text):
    curl -Ik https://www.domain.com/xenforo/api
    

    test once with /etc/hosts edit and once without /etc/hosts edit to see whether Cloudflare might be why it is/is not working

    for posting code or output from commands to keep the formatting, you might want to use CODE tags for code How to use forum BBCODE code tags :)
     
  3. negative

    negative Active Member

    415
    50
    28
    Apr 11, 2015
    Ratings:
    +98
    Local Time:
    11:32 PM
    1.9.10
    10.1.11
    Yes, i found the problem. Thanks
    When i use the api curl url as https prefix it doesn't work after hosts applied.

    I think it related with my configuration, i'm using ssl only between cloudflare and server, my domain at the server is not ssl, thats why i must call the api's starts with http as prefix, instead of https. Because local runs from http.

    So in this case, i must apply the SSL support on server side to this domain for better solution.
    I know the create a new nginx vhost with openssl certificate applied, but how can i turn my current vhost to SSL support for centminmod.
     
  4. eva2000

    eva2000 Administrator Staff Member

    47,552
    10,791
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +16,776
    Local Time:
    7:32 AM
    Nginx 1.19.x
    MariaDB 5.5/10.x
    If you are looking at switching your existing Centmin Mod Nginx HTTP site to HTTPS vhost site with Letsencrypt SSL certificates, check out the guide here and you may want to skip step 7 & step 8 for non-https to https redirect if you are doing that at Cloudflare level with 'Always HTTPS'
     
  5. negative

    negative Active Member

    415
    50
    28
    Apr 11, 2015
    Ratings:
    +98
    Local Time:
    11:32 PM
    1.9.10
    10.1.11
    Ok so i will apply the all steps except 7 & 8 for switch to ssl
     
  6. negative

    negative Active Member

    415
    50
    28
    Apr 11, 2015
    Ratings:
    +98
    Local Time:
    11:32 PM
    1.9.10
    10.1.11
    I'm trying to apply the steps but when i run this command, i'm getting error

    Code (Text):
    /root/.acme.sh/acme.sh --force --issue --days 60 -d domain.com -d www.domain.com -w /home/nginx/domains/domain.com/public -k 2048 --useragent centminmod-centos-acmesh-webroot --log /root/centminlogs/acmetool.sh-debug-log-domain.com.log --log-level 2
    


    Error
    Code (Text):
    [Sat Aug  8 01:02:25 +03 2020] domain.com:Verify error:Invalid response from https://www.domain.com/.well-known/acme-challenge/YYooysMyYiEFnE-e9YccchWhGd-EBhhhiUx_9W32Dxxes [2606:4700:20::681a:56b]:
    [Sat Aug  8 01:02:25 +03 2020] Please check log file for more details: /root/centminlogs/acmetool.sh-debug-log-domain.com.log


    That may related with cloudflare? because we are using cloudflare ssl certificate currently and website is https already.
     
  7. eva2000

    eva2000 Administrator Staff Member

    47,552
    10,791
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +16,776
    Local Time:
    7:32 AM
    Nginx 1.19.x
    MariaDB 5.5/10.x
    First try running your intended SSL certificate domain through the letsdebug.net online testing tool to check for potential errors with HTTP-01 validation.

    Also still helps to have output from post #2 above
     
  8. negative

    negative Active Member

    415
    50
    28
    Apr 11, 2015
    Ratings:
    +98
    Local Time:
    11:32 PM
    1.9.10
    10.1.11
    First result is ;

    WARNING
    The domain domain.com is being served through Cloudflare CDN. Any Let's Encrypt certificate installed on the origin server will only encrypt traffic between the server and Cloudflare. It is strongly recommended that the SSL option 'Full SSL (strict)' be enabled.
    End-to-end HTTPS with Cloudflare - Part 3: SSL options


    -Currently i'm using flexible mod because my origin didn't have SSL certificate so cloudflare certificate runs between cloudflare and origin server. But origin is not ssl thats why i'm trying to add self signed ssl vertificate then i will choose the FULL SSL option already

    in this mean, should i select the FULL option while in this steps for now ?
    Normally, if i select the full option, website will break.
     
  9. eva2000

    eva2000 Administrator Staff Member

    47,552
    10,791
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +16,776
    Local Time:
    7:32 AM
    Nginx 1.19.x
    MariaDB 5.5/10.x
  10. negative

    negative Active Member

    415
    50
    28
    Apr 11, 2015
    Ratings:
    +98
    Local Time:
    11:32 PM
    1.9.10
    10.1.11
    I've tried but errors are same.
    In acme logs, i see many lines but these lines related with error i thought

    Code (Text):
    [Sat Aug  8 02:18:30 +03 2020] code='400'
    [Sat Aug  8 02:18:30 +03 2020] original='{
      "type": "urn:ietf:params:acme:error:malformed",
      "detail": "Unable to update challenge :: authorization must be pending",
      "status": 400
    }'
    [Sat Aug  8 02:18:30 +03 2020] response='{
      "type": "urn:ietf:params:acme:error:malformed",
      "detail": "Unable to update challenge :: authorization must be pending",
      "status": 400
    
     
  11. eva2000

    eva2000 Administrator Staff Member

    47,552
    10,791
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +16,776
    Local Time:
    7:32 AM
    Nginx 1.19.x
    MariaDB 5.5/10.x
    with cloudflare disabled what does testing domain at Let's Debug give ?
     
  12. negative

    negative Active Member

    415
    50
    28
    Apr 11, 2015
    Ratings:
    +98
    Local Time:
    11:32 PM
    1.9.10
    10.1.11
    I've completed to switch the SSL on webserver finally.

    However, i didn't find any info about that should i remove the domain.conf in nginx conf.d folder anymore? because of ssl configuration uses the domain.ssl.conf ?
     
  13. eva2000

    eva2000 Administrator Staff Member

    47,552
    10,791
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +16,776
    Local Time:
    7:32 AM
    Nginx 1.19.x
    MariaDB 5.5/10.x
    that would be the skipped step 7 at Migrating Existing Nginx Vhost From HTTP to HTTP/2 based HTTPS With Letsencrypt SSL Certificates - choice whether to keep domain.conf non-https is up to you (it would be needed for cloudflare flexible ssl) but domain.com.ssl.conf is only needed if you choose cloudflare full ssl.
     
  14. negative

    negative Active Member

    415
    50
    28
    Apr 11, 2015
    Ratings:
    +98
    Local Time:
    11:32 PM
    1.9.10
    10.1.11
    Thank you so much for help, i understood and server running well.

    So, in this case i have no longer need the cloudflare dedicated ssl certificate, right ?
    Any known advantage of it ? So now, double encrypted datas from cloudflare + letsencrypt
     
  15. eva2000

    eva2000 Administrator Staff Member

    47,552
    10,791
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +16,776
    Local Time:
    7:32 AM
    Nginx 1.19.x
    MariaDB 5.5/10.x
    you need cloudflare ssl cert for visitors and need letsencrypt origin nginx ssl cert for cloudflare to origin nginx for cloudflare 'full' ssl mode