SSL cert does not work after renewal via acme.sh. Old one is used in GUI

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: vadim.com.ru

I ran this command: acme.sh --renew -d vadim.com.ru

It produced this output: Renew: 'vadim.com.ru'
[Fri Dec 16 22:21:23 MSK 2022] Renew to Le_API=https://acme-v02.api.letsencrypt.org/directory
[Fri Dec 16 22:21:23 MSK 2022] Skip, Next renewal time is: 2023-02-05T09:01:52Z
[Fri Dec 16 22:21:23 MSK 2022] Add '--force' to force to renew.

My web server is (include version): nginx-1.18.0

The operating system my web server runs on is (include version): TrueNAS-SCALE-22.02.4

My hosting provider, if applicable, is: self

I can login to a root shell on my machine (yes or no, or I don't know): yes

So HTTPS connections fail and the old cert is being used.

Please show:
acme.sh --list
nginx -T | grep -i ssl


Main_Domain KeyLength SAN_Domains CA Created Renew
vadim.com.ru "2048" no LetsEncrypt.org 2022-12-08T09:01:52Z 2023-02-05T09:01:52Z

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Use a capital "T" in:
nginx -T | grep -i ssl


same output

that's very strange...

try just:
nginx -T

That is the latest [valid] cert.
crt.sh | vadim.com.ru
The previous one is now expired :frowning:


nginx.txt (9.9 KB)

Right - it is expired but the system is still using it and that's what the error is about - expired ssl. The question is how to make the system use the new one? Is there an option in acme.sh maybe to force it somehow or delete the expired one?

Well, it doesn't seem to have anything to do with nginx.
That only shows:

        server_name  localhost;
        listen       0.0.0.0:81;
        listen       [::]:81;

One unrelated HTTP server block that is listening on port 81.

Try:
ps -ef | grep -Ei 'nginx|http|apache'
netstat -pant | grep -E '\:8|\:4'
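A way to check which certificate the listener on 443 actually presents, whether it matches the file acme.sh renewed, and which process owns that socket. This is an added example, not a script from the thread; it assumes openssl and ss (or netstat) are installed and that the cert lives in acme.sh's default RSA path under ~/.acme.sh/<domain>/.

```shell
#!/bin/sh
# Added diagnostic (not from the thread): compare the certificate a TLS
# listener presents with the one acme.sh renewed on disk, and show which
# process owns the listening socket. The acme.sh path in main() is its
# default layout for an RSA cert and is an assumption about this host.

# Normalise a fingerprint so "SHA256 Fingerprint=ab:cd" and "AB:CD" compare equal.
norm_fp() {
    printf '%s' "$1" | sed 's/^.*=//; s/://g' | tr 'a-f' 'A-F'
}

# SHA-256 fingerprint of the leaf cert presented by host:port (sends SNI).
served_fp() {
    printf '' | openssl s_client -servername "$1" -connect "$1:$2" 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256
}

# SHA-256 fingerprint of the first cert in a PEM file.
file_fp() {
    openssl x509 -noout -fingerprint -sha256 -in "$1"
}

# Return 0 when two fingerprints (in any formatting) refer to the same cert.
fp_match() {
    [ "$(norm_fp "$1")" = "$(norm_fp "$2")" ]
}

# Owner of the listener on a port: ss first, netstat -pant (as used above) as fallback.
listener_pid() {
    { ss -ltnp 2>/dev/null || netstat -pant 2>/dev/null; } | grep -E ":$1 " | head -n 1
}

main() {
    host=$1; port=${2:-443}
    cert=${3:-"$HOME/.acme.sh/$host/fullchain.cer"}   # acme.sh default RSA path (assumed)
    live=$(served_fp "$host" "$port") || { echo "TLS handshake to $host:$port failed"; return 2; }
    disk=$(file_fp "$cert") || { echo "cannot read $cert"; return 2; }
    echo "served:  $live"; echo "on disk: $disk"
    if fp_match "$live" "$disk"; then
        echo "OK: the listener presents the renewed certificate"
    else
        echo "MISMATCH: another process is serving a stale cert. Listener on :$port:"
        listener_pid "$port"
        return 1
    fi
}

# Runs only when given a hostname, so the file can also be sourced for its functions.
if [ $# -ge 1 ]; then main "$@"; fi
```

Run it as `sh check-cert.sh vadim.com.ru` on the TrueNAS host; a MISMATCH plus a PID pointing at traefik or apache2 tells you which service still holds the old cert.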


Output.txt (13.2 KB)
I am about to step out for an hour or so

Very interesting output

Traefik running:

apps 21212 21162 0 08:25 ? 00:00:05 traefik traefik --global.checknewversion --entryPoints.main.address=:9000/tcp --entryPoints.metrics.address=:9180/tcp --entryPoints.web.address=:80/tcp --entryPoints.websecure.address=:443/tcp --api.dashboard=true --ping=true --metrics.prometheus=true --metrics.prometheus.entrypoint=metrics --providers.kubernetescrd --providers.kubernetesingress --providers.kubernetesingress.ingressendpoint.publishedservice=ix-traefik/traefik-tcp --entrypoints.web.http.redirections.entryPoint.to=:443 --entrypoints.web.http.redirections.entryPoint.scheme=https --entrypoints.websecure.http.tls=true --log.format=common --metrics.prometheus --ping --serverstransport.insecureskipverify=true --providers.kubernetesingress.allowexternalnameservices=true

One Apache running on port 8080:

root 5000 1 0 08:23 ? 00:00:00 /usr/sbin/apache2 -k start
tcp6 0 0 :::8080 :::* LISTEN 5000/apache2 

Three nginx running:

root      19808 19762 0 08:25 ? 00:00:00 nginx: master process nginx -g daemon off;
www-data  37559 37521 0 08:30 ? 00:00:00 nginx: master process nginx -g daemon off;
root     124876     1 0 09:16 ? 00:00:00 nginx: master process /usr/sbin/nginx -g daemon on; master_process on;
tcp  0 0 0.0.0.0:81 0.0.0.0:* LISTEN 124876/nginx: maste 
tcp6 0 0      :::81      :::* LISTEN 124876/nginx: maste 

And something else... trying to start nextcloud:

www-data  36429 36405 0 08:29 ? 00:00:00 /bin/sh -c /bin/bash <<'EOF' set -m echo "Waiting for notify_push file to be available..." until [ -f /var/www/html/custom_apps/notify_push/bin/x86_64/notify_push ] do sleep 10 echo "Notify_push app not found... waiting..." done echo "Waiting for Nextcloud to start..." until $(curl --output /dev/null --silent --head --fail -H "Host: test.fakedomain.dns" http://127.0.0.1:8080/status.php); do echo "Nextcloud not responding... waiting..." sleep 10 done until $(curl --silent --fail -H "Host: test.fakedomain.dns" http://127.0.0.1:8080/status.php | jq --raw-output '.installed' | grep "true"); do echo "Nextcloud not installed... waiting..." sleep 10 done echo "Nextcloud instance with Notify_push found... Launching High Performance Backend..." /var/www/html/custom_apps/notify_push/bin/x86_64/notify_push /var/www/html/config/config.php & echo "Configuring CLI url..." php /var/www/html/occ config:system:set overwrite.cli.url --value='https://vadim.com.ru/' echo "Executing standard nextcloud version migration scripts to ensure they are actually ran..." php /var/www/html/occ db:add-missing-indices echo "Imaginary High Performance Previews enabled, enabling it on Nextcloud..." 
php /var/www/html/occ config:system:set preview_imaginary_url --value='http://127.0.0.1:9090' php /var/www/html/occ config:system:set preview_max_x --value='2048' php /var/www/html/occ config:system:set preview_max_y --value='2048' php /var/www/html/occ config:system:set preview_max_memory --value='512' php /var/www/html/occ config:system:set preview_max_filesize_image --value='150' # Remove all preview providers and re-add only selected php /var/www/html/occ config:system:delete enabledPreviewProviders # Add imaginary always # Initialize counter php /var/www/html/occ config:system:set enabledPreviewProviders 0 --value='OC\Preview\Imaginary' php /var/www/html/occ config:system:set enabledPreviewProviders 1 --value='OC\Preview\PNG' php /var/www/html/occ config:system:set enabledPreviewProviders 2 --value='OC\Preview\JPEG' php /var/www/html/occ config:system:set enabledPreviewProviders 3 --value='OC\Preview\GIF' php /var/www/html/occ config:system:set enabledPreviewProviders 4 --value='OC\Preview\BMP' php /var/www/html/occ config:system:set enabledPreviewProviders 5 --value='OC\Preview\XBitmap' php /var/www/html/occ config:system:set enabledPreviewProviders 6 --value='OC\Preview\MP3' php /var/www/html/occ config:system:set enabledPreviewProviders 7 --value='OC\Preview\MarkDown' php /var/www/html/occ config:system:set enabledPreviewProviders 8 --value='OC\Preview\OpenDocument' php /var/www/html/occ config:system:set enabledPreviewProviders 9 --value='OC\Preview\TXT' php /var/www/html/occ config:system:set enabledPreviewProviders 10 --value='OC\Preview\Krita' # Set default phone region php /var/www/html/occ config:system:set default_phone_region --value='US' echo "Configuring High Performance Backend for url: https://vadim.com.ru" php /var/www/html/occ config:app:set notify_push base_endpoint --value='https://vadim.com.ru/push' fg EOF 

I don't use TrueNAS so I can't say if that is normal and expected OR not.

Seeing Traefik, I would think that is the first place to start troubleshooting/investigating.
But, also seeing Apache, I would really think that is a very good place to start troubleshooting/investigating.


I never had Apache installed though, which tells me I was possibly hacked?

Something installed it.
Let's see what it is doing, with:
apachectl -t -D DUMP_VHOSTS


*:8080 localhost (/etc/apache2/Includes/webdav.conf:2)

Yeah, I activated WebDAV, I remember that - actually Nextcloud has it by default I guess.

Well..
It's NOT nginx
It's NOT Apache
hmm...
That leaves: Traefik

Did you install acme.sh?


yes I did

What is using it?
How did you get it to use it?


I had it initially installed on the system when I renewed it the first time on my fresh install of TrueNAS SCALE, migrating from TrueNAS Core. Shortly after that I had my system hard drive go bad, so I reinstalled it from my backup config. By the time I needed to renew there was no acme in the system - gone. So I installed it again and renewed the cert. That's the story. As far as "How did you get it to use it?" - I have no clue.

You continue to use the word "system".
But I'm unsure of exactly what "system" means.

I understand it is a TrueNAS device.
But there are many possible pieces of software that can run on it [and use a cert].
