Renouvellement de certificat

sebv · December 17, 2018, 6:05pm

When I test i have this error cloud.hugoclo411.xyz hugoclo411.xyz MISMATCH

sebv · December 17, 2018, 6:07pm

nginx -t
nginx: [warn] "ssl_stapling" ignored, issuer certificate not found for certificate "/etc/nginx/ssl/server.crt"
nginx: [warn] conflicting server name "_" on 0.0.0.0:443, ignored
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

rg305 · December 17, 2018, 6:09pm

both are minor problems

This is good news!!!
Try restarting nginx and renewing.

sebv · December 17, 2018, 6:10pm

It's :
acme.sh --issue -d chat.hugoclo411.xyz --pre-hook "systemctl stop nginx" --standalone --post-hook "systemctl start nginx" --ecc --keylength ec-384

rg305 · December 17, 2018, 6:14pm

acme.sh --list

sebv · December 17, 2018, 6:16pm

acme.sh --issue --force -d chat.hugoclo411.xyz --pre-hook “systemctl stop nginx” --standalone --post-hook “systemctl start nginx” --ecc --keylength ec-384
[Mon Dec 17 19:15:40 CET 2018] Run pre hook:‘systemctl stop nginx’
[Mon Dec 17 19:15:40 CET 2018] Standalone mode.
[Mon Dec 17 19:15:40 CET 2018] Single domain=‘chat.hugoclo411.xyz’
[Mon Dec 17 19:15:40 CET 2018] Getting domain auth token for each domain
[Mon Dec 17 19:15:40 CET 2018] Getting webroot for domain=‘chat.hugoclo411.xyz’
[Mon Dec 17 19:15:40 CET 2018] Getting new-authz for domain=‘chat.hugoclo411.xyz’
[Mon Dec 17 19:15:41 CET 2018] The new-authz request is ok.
[Mon Dec 17 19:15:41 CET 2018] chat.hugoclo411.xyz is already verified, skip http-01.
[Mon Dec 17 19:15:41 CET 2018] Verify finished, start to sign.
[Mon Dec 17 19:15:44 CET 2018] Cert success.
-----BEGIN CERTIFICATE-----
MIIErzCCA5egAwIBAgISA4eZk1KK3woILLrltXN2e449MA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xODEyMTcxNzE1NDNaFw0x
OTAzMTcxNzE1NDNaMB4xHDAaBgNVBAMTE2NoYXQuaHVnb2NsbzQxMS54eXowdjAQ
BgcqhkjOPQIBBgUrgQQAIgNiAARxVMvPj91DaVlI5NuZUIlkLdTFVK/E9+cZByK4
5qcnccJYetAucSFB3p3MNmW3DTp/sJdO+09LgRBk73FKDmJndqNOKKmAtAnhkvXs
4Lm/0AzTxA12Wgr7GsIg31hMzAmjggJnMIICYzAOBgNVHQ8BAf8EBAMCB4AwHQYD
VR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwHQYDVR0O
BBYEFHw6UO0XxyZ3YeFosFDWIP443TaQMB8GA1UdIwQYMBaAFKhKamMEfd265tE5
t6ZFZe/zqOyhMG8GCCsGAQUFBwEBBGMwYTAuBggrBgEFBQcwAYYiaHR0cDovL29j
c3AuaW50LXgzLmxldHNlbmNyeXB0Lm9yZzAvBggrBgEFBQcwAoYjaHR0cDovL2Nl
cnQuaW50LXgzLmxldHNlbmNyeXB0Lm9yZy8wHgYDVR0RBBcwFYITY2hhdC5odWdv
Y2xvNDExLnh5ejBMBgNVHSAERTBDMAgGBmeBDAECATA3BgsrBgEEAYLfEwEBATAo
MCYGCCsGAQUFBwIBFhpodHRwOi8vY3BzLmxldHNlbmNyeXB0Lm9yZzCCAQMGCisG
AQQB1nkCBAIEgfQEgfEA7wB1AHR+2oMxrTMQkSGcziVPQnDCv/1eQiAIxjc1eeYQ
e8xWAAABZ71hgWMAAAQDAEYwRAIgEfYf+0FRyQ5JkeNHpEMNwi6JNPdaxgTb7yc7
J3izGi4CIFKzzT4S2VSKwCH9qsnpEQyu6fPmMVRMl2oLzorIWJLxAHYAKTxRllTI
OWW6qlD8WAfUt2+/WHopctykwwz05UVH9HgAAAFnvWGBXQAABAMARzBFAiB0GaLn
gNUnDdwL0HtUkzgt9tu9CjF3ihusKF/acwUSjQIhANgW+VwXR/gZnO2jab3LtNfT
WhodPCl1b8uIVz0mOCAcMA0GCSqGSIb3DQEBCwUAA4IBAQA0NTpkKntArz267kjk
ZpCvWMnVh1uhONoIbBJmwT+rX7CSlQF0gVExdJ/qnC40TwzkZIrWYfhYGU5LIXBK
lEmlce1Tv1XtWp3mMrQvKB36jJWlcietlJFpRjZK/ZHAU9Nh2dw6/CGUwNd5IjeI
MhyLVRSgvx+bKyp+mBmt52tr23fhI+c3rKKaflWjvxrjdB2sakUQPOIvkBVmDX/S
0ItAVXmInrGY7YWE2LshjWmElH+G+8yjcOsckdMR2FUqx4ZasntsRZq82eDG1klB
ag0I42xIFrJnmDfh8OXBfgwciiju7hUQ9g3THGi8yk1fnIuE1VK2vF9gLq/Xsfia
MfZS
-----END CERTIFICATE-----
[Mon Dec 17 19:15:44 CET 2018] Your cert is in /root/.acme.sh/chat.hugoclo411.xyz_ecc/chat.hugoclo411.xyz.cer
[Mon Dec 17 19:15:44 CET 2018] Your cert key is in /root/.acme.sh/chat.hugoclo411.xyz_ecc/chat.hugoclo411.xyz.key
[Mon Dec 17 19:15:44 CET 2018] The intermediate CA cert is in /root/.acme.sh/chat.hugoclo411.xyz_ecc/ca.cer
[Mon Dec 17 19:15:44 CET 2018] And the full chain certs is there: /root/.acme.sh/chat.hugoclo411.xyz_ecc/fullchain.cer
[Mon Dec 17 19:15:44 CET 2018] Run post hook:‘systemctl start nginx’
root@dedi-par-61445op-netcom:/home/hugoclo# acme.sh --install-cert -d chat.hugoclo411.xyz --ecc --cert-file /etc/nginx/acme.sh/chat.hugoclo411.xyz/cert.pem --key-file /etc/nginx/acme.sh/chat.hugoclo411.xyz/key.pem --fullchain-file /etc/nginx/acme.sh/chat.hugoclo411.xyz/fullchain.pem --reloadcmd “systemctl reload nginx.service”
[Mon Dec 17 19:16:06 CET 2018] Installing cert to:/etc/nginx/acme.sh/chat.hugoclo411.xyz/cert.pem
[Mon Dec 17 19:16:06 CET 2018] Installing key to:/etc/nginx/acme.sh/chat.hugoclo411.xyz/key.pem
[Mon Dec 17 19:16:06 CET 2018] Installing full chain to:/etc/nginx/acme.sh/chat.hugoclo411.xyz/fullchain.pem
[Mon Dec 17 19:16:06 CET 2018] Run reload cmd: systemctl reload nginx.service
[Mon Dec 17 19:16:06 CET 2018] Reload success

sebv · December 17, 2018, 6:18pm

acme.sh --list
Main_Domain KeyLength SAN_Domains Created Renew
chat.hugoclo411.xyz "ec-384" no Mon Dec 17 18:15:44 UTC 2018 Fri Feb 15 18:15:44 UTC 2019
cloud.hugoclo411.xyz "ec-384" no Wed Dec 5 18:13:13 UTC 2018 Sun Feb 3 18:13:13 UTC 2019
pyload.hugoclo411.xyz "ec-384" no Thu Nov 1 08:53:29 UTC 2018 Mon Dec 31 08:53:29 UTC 2018

rg305 · December 17, 2018, 6:21pm

OK you can now use that cert (in the right place - configuration file: /etc/nginx/sites-enabled/nextcloud.conf)
change:
ssl_certificate /etc/letsencrypt/live/chat.hugoclo411.xyz/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/chat.hugoclo411.xyz/privkey.pem; # managed by Certbot
to:
ssl_certificate /root/.acme.sh/chat.hugoclo411.xyz_ecc/fullchain.cer;
ssl_certificate_key /root/.acme.sh/chat.hugoclo411.xyz_ecc/chat.hugoclo411.xyz.key;

Or you could try issuing it with certbot-auto:
./certbot-auto --nginx -d cloud.hugoclo411.xyz

and as always, restart nginx.

sebv · December 17, 2018, 6:24pm

sure : chat. or cloud.?

rg305 · December 17, 2018, 6:27pm

Sorry got chat and cloud confused…
Use cloud in nextcloud.conf file

sebv · December 17, 2018, 6:29pm

./certbot-auto --nginx -d cloud.hugoclo411.xyz
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for cloud.hugoclo411.xyz
Cleaning up challenges
nginx: [warn] "ssl_stapling" ignored, issuer certificate not found for certificate "/etc/nginx/ssl/server.crt"
nginx: [warn] conflicting server name "_" on 0.0.0.0:443, ignored
nginx: [error] invalid PID number "" in "/var/run/nginx.pid"
An unexpected error occurred:
UnicodeDecodeError: 'ascii' codec can't decode byte 0xc3 in position 59: ordinal not in range(128)
Please see the logfiles in /var/log/letsencrypt for more details.

rg305 · December 17, 2018, 6:30pm

OMG!!!
Just stick with ACME.SH

sebv · December 17, 2018, 6:33pm

I don't understand "Just stick with ACME.SH"

rg305 · December 17, 2018, 6:34pm

Just use the acme.sh method.

rg305 · December 17, 2018, 6:36pm

Just stick with ACME.SH
Here “stick with” means “stay with” / “be with”

sebv · December 17, 2018, 6:39pm

/home/hugoclo# acme.sh --issue --force -d cloud.hugoclo411.xyz --pre-hook "systemctl stop nginx" --standalone --post-hook "systemctl start nginx" --ecc --keylength ec-384
[Mon Dec 17 19:36:18 CET 2018] Run pre hook:'systemctl stop nginx'
[Mon Dec 17 19:36:18 CET 2018] Standalone mode.
[Mon Dec 17 19:36:18 CET 2018] Single domain='cloud.hugoclo411.xyz'
[Mon Dec 17 19:36:18 CET 2018] Getting domain auth token for each domain
[Mon Dec 17 19:36:18 CET 2018] Getting webroot for domain='cloud.hugoclo411.xyz'
[Mon Dec 17 19:36:18 CET 2018] Getting new-authz for domain='cloud.hugoclo411.xyz'
[Mon Dec 17 19:36:20 CET 2018] The new-authz request is ok.
[Mon Dec 17 19:36:20 CET 2018] cloud.hugoclo411.xyz is already verified, skip http-01.
[Mon Dec 17 19:36:20 CET 2018] Verify finished, start to sign.
[Mon Dec 17 19:36:23 CET 2018] Cert success.
-----BEGIN CERTIFICATE-----
MIIEtDCCA5ygAwIBAgISA8FIkt+uuSPysz3ZQvYbVt74MA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xODEyMTcxNzM2MjFaFw0x
OTAzMTcxNzM2MjFaMB8xHTAbBgNVBAMTFGNsb3VkLmh1Z29jbG80MTEueHl6MHYw
EAYHKoZIzj0CAQYFK4EEACIDYgAEMD0R6F6faurlx4mKo0Gi5IIjlalpMhItTTxx
m+21kgLRqPLFcniY41hfst+DyaciUM8fvbwgsA2RuFuXYKKUy/Fr/112njjWRsND
3ljdkVl77l5JwCEGqQ3C7pnb+5D0o4ICazCCAmcwDgYDVR0PAQH/BAQDAgeAMB0G
A1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1Ud
DgQWBBS+X5yoYMvwa71KCCRaAZYk04De5TAfBgNVHSMEGDAWgBSoSmpjBH3duubR
ObemRWXv86jsoTBvBggrBgEFBQcBAQRjMGEwLgYIKwYBBQUHMAGGImh0dHA6Ly9v
Y3NwLmludC14My5sZXRzZW5jcnlwdC5vcmcwLwYIKwYBBQUHMAKGI2h0dHA6Ly9j
ZXJ0LmludC14My5sZXRzZW5jcnlwdC5vcmcvMB8GA1UdEQQYMBaCFGNsb3VkLmh1
Z29jbG80MTEueHl6MEwGA1UdIARFMEMwCAYGZ4EMAQIBMDcGCysGAQQBgt8TAQEB
MCgwJgYIKwYBBQUHAgEWGmh0dHA6Ly9jcHMubGV0c2VuY3J5cHQub3JnMIIBBgYK
KwYBBAHWeQIEAgSB9wSB9ADyAHcAdH7agzGtMxCRIZzOJU9CcMK//V5CIAjGNzV5
5hB7zFYAAAFnvXRpqAAABAMASDBGAiEA/v5Neeqv2g5cAaPrxZExsedWGSZCRAb8
3JTt/pU6Y5UCIQDlZ6fX5BYoH4dMiQ57X92iAx7P0LXnbvjzGix/fgM43wB3ACk8
UZZUyDlluqpQ/FgH1Ldvv1h6KXLcpMMM9OVFR/R4AAABZ710Z58AAAQDAEgwRgIh
AJKKzQW8pgs6A66HpQftfsKVv4Rf+uzwKsR+3fYsZ9xrAiEAnSYu0vuoJr3/tdss
UR6BYmGhUlbM89foOzd0fh5OVb4wDQYJKoZIhvcNAQELBQADggEBAEgevcncl7fD
ITA1FFUolKB2M+J5viXXBROsx7LEacSlsFCWHqTf8ehHZ81negj0m85avqKtT3T5
pcOZqkX76FpM2QKv7ld5pdDBqAsXhe5aJK2WBMSs3NNtnAMgoHjrM3MUuQsfUH1j
mMET/CDppOBFUk8/QoBdbrEwlksdF3ytN8DSlA+d30uRR6j7ym7C2cRcKB2l9gf7
zV/3UrR6z263Oypt2ZUmQS6AboDNkfwxCkiIABR4zr55hQfkDE0GfQOUxRrvV3fo
LtVSr3NmDfRZ8T7m/gRhExMxVFZVRqGMbhClLB+Xl2hXBNR1ueo6nkxu1/AkUBLs
SFjBZ/5LkpE=
-----END CERTIFICATE-----
[Mon Dec 17 19:36:23 CET 2018] Your cert is in /root/.acme.sh/cloud.hugoclo411.xyz_ecc/cloud.hugoclo411.xyz.cer
[Mon Dec 17 19:36:23 CET 2018] Your cert key is in /root/.acme.sh/cloud.hugoclo411.xyz_ecc/cloud.hugoclo411.xyz.key
[Mon Dec 17 19:36:23 CET 2018] The intermediate CA cert is in /root/.acme.sh/cloud.hugoclo411.xyz_ecc/ca.cer
[Mon Dec 17 19:36:23 CET 2018] And the full chain certs is there: /root/.acme.sh/cloud.hugoclo411.xyz_ecc/fullchain.cer
[Mon Dec 17 19:36:23 CET 2018] Run post hook:'systemctl start nginx'
root@dedi-par-61445op-netcom:/home/hugoclo# systemctl start nginx
root@dedi-par-61445op-netcom:/home/hugoclo# acme.sh --install-cert -d cloud.hugoclo411.xyz --ecc \

--cert-file /etc/nginx/acme.sh/cloud.hugoclo411.xyz/cert.pem
--key-file /etc/nginx/acme.sh/cloud.hugoclo411.xyz/key.pem
--fullchain-file /etc/nginx/acme.sh/cloud.hugoclo411.xyz/fullchain.pem
--reloadcmd "systemctl reload nginx.service"
[Mon Dec 17 19:37:40 CET 2018] Installing cert to:/etc/nginx/acme.sh/cloud.hugoclo411.xyz/cert.pem
/root/.acme.sh/acme.sh: line 4679: /etc/nginx/acme.sh/cloud.hugoclo411.xyz/cert.pem: No such file or directory

rg305 · December 17, 2018, 6:43pm

We are good to here:

We must have missed the "_ecc" in the file name!

rg305 · December 17, 2018, 6:44pm

Should be:
ssl_certificate /root/.acme.sh/cloud.hugoclo411.xyz_ecc/fullchain.cer;
ssl_certificate_key /root/.acme.sh/cloud.hugoclo411.xyz_ecc/cloud.hugoclo411.xyz.key;

rg305 · December 17, 2018, 6:46pm

Where did those files comes from?
/etc/nginx/acme.sh/cloud...???

rg305 · December 17, 2018, 6:49pm

I don't think you need to call acme.sh to install the cert.
We did that manually already.