Reinstall Wildcard after error in settings and removal of keys and files


#1

Dear, good afternoon!

I got a configuration wrong on my CentOS 7 / Nginx server and, to try to fix it, I removed all issued (and valid) certificates and cleaned up all the files. But now, after trying to reinstall, I get the warning about issued certificate limits.
Is there any way I can reinstall the same certificates that already existed, or, after removing the keys, is it already too late, so that I will have to wait for the term to be able to reinstall?
Thanks for any help. And if you have any link to guidelines, thank you too.

Thankful.

Luiz De Paula
Brazil

PS: I’m sorry for the translation via Google Translate! ;O/

My domain is:
maridoperfeito.com.br

I ran this command:
sudo certbot certonly --server https://acme-v02.api.letsencrypt.org/directory --manual --preferred-challenges dns -d *.maridoperfeito.com.br

It produced this output:
Waiting for verification…
Cleaning up challenges
An unexpected error occurred:
There were too many requests of a given type :: Error finalizing order :: too many certificates already issued for exact set of domains: *.maridoperfeito.com.br: see https://letsencrypt.org/docs/rate-limits/
Please see the logfiles in /var/log/letsencrypt for more details.

My web server is (include version):
CentOS 7 with Nginx version 1.14.0

The operating system my web server runs on is (include version):
CentOS 7

My hosting provider, if applicable, is:
Cloud Google Computer

I can login to a root shell on my machine (yes or no, or I don’t know):
Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
No


#2

Hi @maridoperfeito,

If you have removed the private keys and you don’t have a backup, there is no way to recover them.

As you have reached the 5 duplicate certificates per 7 days limit, you could get a new cert right now if you add one domain to your cert.

sudo certbot certonly --server https://acme-v02.api.letsencrypt.org/directory --manual --preferred-challenges dns -d '*.maridoperfeito.com.br' -d maridoperfeito.com.br

So you would get a certificate covering *.maridoperfeito.com.br and the base domain maridoperfeito.com.br.

Keep in mind that you will need to create 2 TXT records for _acme-challenge.maridoperfeito.com.br at the same time to validate the domains.

Good luck,
sahsanu
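
As an added example (not part of the thread, and not certbot or Let's Encrypt code), the following models how the duplicate-certificate limit that produced the error in #1 is counted, using a constructed issuance history for the hostname from the thread, and shows why adding the base domain as suggested above sidesteps it:

```python
"""Model of the Let's Encrypt duplicate-certificate limit hit in this thread:
5 certificates per 7 days for the exact same set of hostnames. Added example,
not certbot or Let's Encrypt code; the issuance records below are constructed."""
from datetime import datetime, timedelta

DUPLICATE_LIMIT = 5          # certificates per window for one exact name set
WINDOW = timedelta(days=7)   # sliding window


def name_set(domains):
    """The limit keys on the exact set of names: order and case do not matter."""
    return frozenset(d.strip().lower().rstrip(".") for d in domains)


def duplicates_in_window(issued, domains, now):
    """Count certificates for exactly this name set issued within the window.
    `issued` holds (issue_time, [names]) records as the CA sees them: deleting
    the local keys and files does not remove them, which is why the counter
    in the thread did not reset."""
    wanted = name_set(domains)
    return sum(1 for when, names in issued
               if name_set(names) == wanted and now - when < WINDOW)


def can_issue(issued, domains, now):
    return duplicates_in_window(issued, domains, now) < DUPLICATE_LIMIT


def next_slot(issued, domains, now):
    """Earliest time this exact set can be issued again: when the oldest
    record that still counts towards the limit ages out of the window."""
    wanted = name_set(domains)
    in_window = sorted(when for when, names in issued
                       if name_set(names) == wanted and now - when < WINDOW)
    if len(in_window) < DUPLICATE_LIMIT:
        return now
    return in_window[len(in_window) - DUPLICATE_LIMIT] + WINDOW


# Constructed history: six wildcard-only certificates, one older than 7 days.
NOW = datetime(2018, 6, 20, 15, 0)
WILDCARD = ["*.maridoperfeito.com.br"]
ISSUED = [(NOW - timedelta(days=8), WILDCARD)]
ISSUED += [(NOW - timedelta(hours=h), WILDCARD) for h in (40, 30, 20, 10, 1)]

if __name__ == "__main__":
    print("wildcard only:", duplicates_in_window(ISSUED, WILDCARD, NOW), "in window,",
          "can issue:", can_issue(ISSUED, WILDCARD, NOW), "next slot:", next_slot(ISSUED, WILDCARD, NOW))
    # sahsanu's workaround: adding the base domain makes it a different exact set.
    print("wildcard + base, can issue:", can_issue(ISSUED, WILDCARD + ["maridoperfeito.com.br"], NOW))
```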


#3

Many thanks for the support, sahsanu

I’ll try this alternative.

And grateful for taking the time to help others like me.

Long life!

Hugs!


#4

I returned!

The installation of the certificates was successful, but I have no nginx configuration that will make my sites work again.
Does anyone use the combination CentOS 7 + Nginx + WordPress Multisite + Let's Encrypt Wildcard, in dynamic mode so you do not have to tinker with files when creating subdomains?

My Website: maridoperfeito.com.br

/etc/nginx/nginx.conf settings

error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;


events {
    worker_connections  1024;
}


http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    keepalive_timeout  65;

    gzip  on;

    include /etc/nginx/conf.d/*.conf;

    server {
        listen 80;
        server_name maridoperfeito.com.br;
        return 301 https://$server_name$request_uri;
    }

    server {
        listen     443 ssl;
        server_name  maridoperfeito.com.br;

        ssl_certificate /etc/letsencrypt/live/maridoperfeito.com.br/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/maridoperfeito.com.br/privkey.pem;
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout  10m;
        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;
        ssl_dhparam /etc/ssl/certs/dhparam.pem;

        location / {
            proxy_set_header Host    $host;
            proxy_set_header X-Real-IP  $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_pass http://localhost:8080;
        }

    }
}

#5

Hi @maridoperfeito,

In your server blocks, both (for port 80 and port 443) change this:

server_name maridoperfeito.com.br;

to this:

server_name .maridoperfeito.com.br;

Adding a dot in front of your domain name will tell nginx that the server name is maridoperfeito.com.br or *.maridoperfeito.com.br. Remember to restart your nginx.

Regarding WordPress MultiSite I don’t use it so I’ve no idea whether you need to change the conf or whether it will work out of the box.

Cheers,
sahsanu


#6

hello sahsanu

I was able to put the site online again and reconfigure the certificates. The only thing I haven't got right yet is the redirect to https. For example, if you enter only test.maridoperfeito.com.br, it returns a 404 error, but if you type https://test.maridoperfeito.com.br, the site loads normally.

I’ll leave my new config files for friends to take a look at and tell me where I’m still going wrong.

Thank you all!

File maridoperfeito.conf

server {
    server_name maridoperfeito.com.br www.maridoperfeito.com.br *.maridoperfeito.com.br;
    client_max_body_size 64m;
    access_log /usr/share/nginx/html/maridoperfeito.com.br/logs/access.log;
    error_log /usr/share/nginx/html/maridoperfeito.com.br/logs/error.log;

    location / {
        root /usr/share/nginx/html/maridoperfeito.com.br;
        index index.php index.html index.htm;

        if (-f $request_filename) {
            expires 30d;
            break;
        }

        if (!-e $request_filename) {
            rewrite ^(.+)$ /index.php?q=$1 last;
        }
    }

    location ~ .php$ {
        fastcgi_pass   localhost:9000;  # port where FastCGI processes were spawned
        fastcgi_index  index.php;
        fastcgi_param  SCRIPT_FILENAME   /usr/share/nginx/html/maridoperfeito.com.br$fastcgi_script_name;  # same $
        fastcgi_param PATH_INFO               $fastcgi_script_name;
        include /etc/nginx/fastcgi_params;
    }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/maridoperfeito.com.br-0001/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/maridoperfeito.com.br-0001/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}
server {
    if ($host = maridoperfeito.com.br) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    if ($host = www.maridoperfeito.com.br) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    if ($host = *.maridoperfeito.com.br) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    server_name .maridoperfeito.com.br;
    return 404; # managed by Certbot
}

=================================
File nginx.conf

user  nginx;
worker_processes  4;

error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;

events {
    worker_connections  1024;
}

http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    keepalive_timeout  65;

    gzip  on;

    include /etc/nginx/conf.d/*.conf;

}

#7

Hi @maridoperfeito,

That should be:

if ($host ~ .*.maridoperfeito.com.br) {
    return 301 https://$host$request_uri;
} # managed by Certbot

The problem is that you are using the nginx plugin to modify your conf and I don’t know what the effects of modifying these statements would be, but indeed, all this block:

server {
    if ($host = maridoperfeito.com.br) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    if ($host = www.maridoperfeito.com.br) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    if ($host = *.maridoperfeito.com.br) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    server_name .maridoperfeito.com.br;
    return 404; # managed by Certbot
}

Should be just like this:

server {
    listen 80;
    server_name .maridoperfeito.com.br;
    return 301 https://$host$request_uri;
}

I’ve never used certbot with the nginx installer so I don’t know what will happen the next time you try to renew your cert; I don’t know whether certbot will add the redirections again or simply ignore it. Maybe @schoen or @joohoi could give you better advice.

Cheers,
sahsanu
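
As an added example (not part of the thread, and not nginx or certbot code), the following check finds the pattern that caused the 404 in #6: an nginx `if ($host = ...)` is an exact string comparison, so wildcard syntax on its right-hand side never matches a real Host header. The anchored regex it proposes as a replacement is mine, not the one in the reply, and the config it scans is a constructed copy of the block posted in #6.

```python
"""Check an nginx config for the $host bug in this thread: `if ($host = ...)` is
an exact string comparison, so server_name-style wildcard syntax such as
*.maridoperfeito.com.br never matches a real Host header and the request falls
through to `return 404`. Added example, not nginx or certbot code."""
import re

# `if ($host = value)` or `if ($host != value)`: plain string comparison in nginx.
IF_HOST_EQ = re.compile(r'^\s*if\s*\(\s*\$host\s*!?=\s*([^\s)]+)\s*\)')


def suggested_regex(base_domain):
    """PCRE for use after `~`: the base domain itself or any subdomain, nothing else."""
    return r"^(.+\.)?%s$" % re.escape(base_domain)


def host_matches(base_domain, host):
    """What nginx would decide for `if ($host ~ <suggested_regex>)` on this Host."""
    return re.search(suggested_regex(base_domain), host) is not None


def check_host_redirects(config_text):
    """Return (line_no, offending_value, replacement_line) for every `if` that
    compares $host with `=` against a value written in wildcard syntax."""
    findings = []
    for no, line in enumerate(config_text.splitlines(), 1):
        m = IF_HOST_EQ.match(line)
        if m and m.group(1).startswith(("*.", ".")):
            base = m.group(1).lstrip("*.")
            findings.append((no, m.group(1), "if ($host ~ %s) {" % suggested_regex(base)))
    return findings


# Port-80 server block as posted in #6 (constructed copy, trimmed to the relevant lines).
POSTED_BLOCK = """server {
    if ($host = maridoperfeito.com.br) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    if ($host = *.maridoperfeito.com.br) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    listen 80;
    server_name .maridoperfeito.com.br;
    return 404; # managed by Certbot
}"""

if __name__ == "__main__":
    for no, value, fix in check_host_redirects(POSTED_BLOCK):
        print("line %d: '%s' can never equal a Host header; use: %s" % (no, value, fix))
    for host in ("maridoperfeito.com.br", "test.maridoperfeito.com.br",
                 "evil-maridoperfeito.com.br", "maridoperfeito.com.br.example"):
        print(host, "->", host_matches("maridoperfeito.com.br", host))
```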


#8

Great sahsanu!

Thanks so much for the help you gave me, and I hope it helps other people too.
The tips worked perfectly, both main domain and sub domains, loading with https!

Many, many thanks!
Big and strong hug!


#9

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.