VestaCP LE http and nginx as proxy content deliver

#1

My domain is: significado.xyz
My web server is: apache + nginx proxy
The operating system my web server runs on is: CentOS 7 64 bits
I can login to a root shell on my machine: Yes
I'm using a control panel to manage my site: VestaCP

Months ago I installed Vesta, then I added some sites with LE, all fine with this guide: https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-debian-9

2 days ago I bought some domains, and when I tried to add the domain with the command `letsencrypt-vesta admin significado.xyz` there was an error saying "The key authorization file from the server did not match".

After searching (and even getting limited by the errors), someone said "remove your IPv6 from DNS" (I forgot to tell, I'm using Cloudflare, but still the traffic is direct; with the past domain it worked just fine).

I checked the DNS from Vesta and Cloudflare and I don't see anything related to IPv6. I even tried to disable IPv6 via `vi /etc/sysconfig/network`. That didn't work either.

Then I realized I have Apache and nginx as proxy (I didn't configure anything, that option is in VestaCP); then I just disabled that part and it worked.

I just want to ask how to solve this without disabling nginx?

Later I just want to use nginx, but that means I will lose HTTPS, right?

Thanks in advance, I manage a VPS but there are many things I don't know :stuck_out_tongue:

BTW, I tried to renew domains with `letsencrypt-vesta -a 90 admin domain` and it says: atd is not available. Is it installed? Renewals not scheduled.

#2

Hi @raju

It's possible. But your setup isn't simple. You have to create correct redirects.

But VestaCP is an integrated solution. So it’s always the best to use that.

And your configuration doesn’t work ( https://check-your-website.server-daten.de/?q=significado.xyz ):

| Domainname | IP | Http-Status | redirect | Sec. | G | Notes |
|---|---|---|---|---|---|---|
| http://significado.xyz/ | 198.23.133.158 | 301 | https://significado.xyz/ | 1.580 | A | |
| http://www.significado.xyz/ | 198.23.133.158 | 301 | https://www.significado.xyz/ | 0.563 | A | |
| https://www.significado.xyz/ | 198.23.133.158 | 301 | https://significado.xyz/ | 3.524 | N | Certificate error: RemoteCertificateNameMismatch, RemoteCertificateChainErrors |
| https://significado.xyz/ | 198.23.133.158 | 200 | | 6.966 | N | Certificate error: RemoteCertificateNameMismatch, RemoteCertificateChainErrors |
| http://significado.xyz/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | 198.23.133.158 | 404 | | 0.284 | A | Not Found. Visible Content: Not Found The requested URL /.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de was not found on this server. |
| http://www.significado.xyz/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | 198.23.133.158 | 404 | | 0.283 | A | Not Found. Visible Content: Not Found The requested URL /.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de was not found on this server. |

There is a self-signed certificate:

E=franciscolaiho@gmail.com, CN=ra-ju.com, OU=IT, O=Ra-Ju, L=Zamora, S=Michoacán, C=MX
27.11.2018 – 27.11.2019, expires in 264 days

So both connections (non-www and www) are insecure.

#3

That error was because I had an SSL certificate from Comodo, but it's fixed now, it's using LE (I'm using letsencrypt-vesta of course). I just want to know how to validate and renew the domains without disabling nginx, if possible. I'm pretty sure I did it the first time, but now I couldn't, I don't know why.

#4

I don't know how VestaCP confirms challenges. But if you have such a complicated setup with proxies, you should create correct rules. Something is missing, so your setup doesn't work.

#5

PS: Rechecked your domain, now one thing is new ( https://check-your-website.server-daten.de/?q=significado.xyz ):

| Domainname | IP | Http-Status | redirect | Sec. | G | Notes |
|---|---|---|---|---|---|---|
| http://significado.xyz/ | 198.23.133.158 | 301 | https://significado.xyz/ | 0.914 | A | |
| http://www.significado.xyz/ | 198.23.133.158 | 301 | https://www.significado.xyz/ | 0.586 | A | |
| https://www.significado.xyz/ | 198.23.133.158 | 301 | https://significado.xyz/ | 3.480 | B | |
| https://significado.xyz/ | 198.23.133.158 | 200 | | 7.180 | B | |
| http://significado.xyz/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | 198.23.133.158 | 200 | | 0.280 | | Visible Content: check-your-website-dot-server-daten-dot-de.NrYwu0tbG-F6D-yFbUhSN27M1evCdO4noQtRNGR9ui4 |
| http://www.significado.xyz/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | 198.23.133.158 | 200 | | 0.277 | | Visible Content: check-your-website-dot-server-daten-dot-de.NrYwu0tbG-F6D-yFbUhSN27M1evCdO4noQtRNGR9ui4 |

The two URLs Let's Encrypt checks (/.well-known/acme-challenge/random-filename) don't answer with an HTTP status 404.

Instead, they send an HTTP status 200 / OK and the file name, a dot and the hash value of the public key of the account key.

If this account wants to create a new certificate, then this is a correct challenge file.

But: Which instance creates that answer? Your nginx? Your VestaCP?
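To make the rule above concrete, here is an added example (not code from this thread, from VestaCP or from letsencrypt-vesta) that computes what a correct HTTP-01 challenge body looks like for a given ACME account key and classifies whatever a challenge URL actually returns. The body must be `<token>.<thumbprint>`, where the thumbprint is the base64url SHA-256 of the account key's canonical JWK (RFC 7638, used by RFC 8555 section 8.1); a 404 or an HTML page with status 200 means another component (a proxy rule, a static error page) answered instead of the challenge file. The account key `SAMPLE_JWK`, the function names and the server responses are constructed for this example; only the token string is taken from the checks shown above.

```python
"""Check an HTTP-01 challenge response against an ACME account key (added example)."""
import base64
import hashlib
import json
import re
import urllib.error
import urllib.request
from typing import Tuple

# Constructed sample account key in JWK form. The modulus is a placeholder,
# not a real key: only the hash of the canonical JSON matters here.
SAMPLE_JWK = {
    "kty": "RSA",
    "e": "AQAB",
    "n": "placeholder-modulus-for-this-example-only",
    "alg": "RS256",  # extra members like this are ignored by the thumbprint rule
}

# A key authorization is two base64url strings joined by a single dot.
KEYAUTHZ_RE = re.compile(r"^([A-Za-z0-9_-]+)\.([A-Za-z0-9_-]+)$")


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: required members only, lexicographic order,
    no whitespace, then SHA-256 and base64url."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """The exact body the challenge file must contain for this token and key."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def classify_response(status: int, body: str, token: str, jwk: dict) -> str:
    """Say what a fetched challenge URL actually returned, from a defender's view."""
    if status == 404:
        return "not-found"        # nothing serves the path (e.g. proxy rule missing)
    if status != 200:
        return f"http-{status}"   # redirect, 403 from a proxy, backend error, ...
    m = KEYAUTHZ_RE.match(body.strip())
    if not m:
        return "malformed"        # an HTML error page with status 200, for instance
    got_token, got_thumb = m.groups()
    if got_token != token:
        return "wrong-token"      # a stale file from an earlier attempt
    if got_thumb != jwk_thumbprint(jwk):
        return "wrong-key"        # "key authorization file ... did not match"
    return "ok"


def fetch_challenge(domain: str, token: str, timeout: float = 10.0) -> Tuple[int, str]:
    """Fetch the challenge URL over plain HTTP the way the CA does
    (hypothetical helper for live use; the offline demo below does not call it)."""
    url = f"http://{domain}/.well-known/acme-challenge/{token}"
    req = urllib.request.Request(url, headers={"User-Agent": "challenge-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode("utf-8", "replace")


if __name__ == "__main__":
    token = "check-your-website-dot-server-daten-dot-de"  # token used by the checks above
    expected = key_authorization(token, SAMPLE_JWK)
    # Constructed responses mirroring the two situations seen in this thread.
    samples = [
        (404, "Not Found The requested URL was not found on this server."),
        (200, expected + "\n"),
    ]
    for status, body in samples:
        print(status, classify_response(status, body, token, SAMPLE_JWK))
```

For a live check of your own host, write a file with a made-up token under the webroot the ACME client uses, call `fetch_challenge(domain, token)` and pass the result to `classify_response`: `not-found` or `malformed` with nginx in front of Apache means the `/.well-known/acme-challenge/` location is answered by the wrong component, while `wrong-key` means the file is served but was written for a different account key.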

#6

Yes, I re-did the certificates for all my sites except two banned for limit tries (the ones I started to test the error with). Let's Encrypt started to accept the challenges when I disabled the nginx thing.

The script that creates the certs is https://github.com/interbrite/letsencrypt-vesta

I didn't touch anything, I just used the features. After I disabled the nginx proxy all worked. But my problem is I want to use it; since I use a pre-configured option I don't know how to change the rules.

I see that after disabling this option my web server still needs nginx for my sites to work (I stopped nginx to verify).

Are my certs right now? One thing I want to know is a solution to let LE accept the challenge with nginx, and the other is whether the cert already installed is OK; please tell me. I'm such a noob at this stuff, sorry :frowning:

#7

No, now your certificates are bad:

| Domainname | IP | Http-Status | redirect | Sec. | G | Notes |
|---|---|---|---|---|---|---|
| http://significado.xyz/ | 198.23.133.158 | 301 | https://significado.xyz/ | 0.917 | A | |
| http://www.significado.xyz/ | 198.23.133.158 | 301 | https://www.significado.xyz/ | 0.567 | A | |
| https://www.significado.xyz/ | 198.23.133.158 | 301 | https://significado.xyz/ | 3.490 | N | Certificate error: RemoteCertificateNameMismatch, RemoteCertificateChainErrors |
| https://significado.xyz/ | 198.23.133.158 | 200 | | 6.954 | N | Certificate error: RemoteCertificateNameMismatch, RemoteCertificateChainErrors |
| http://significado.xyz/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | 198.23.133.158 | 404 | | 0.284 | A | Not Found. Visible Content: Not Found The requested URL /.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de was not found on this server. |
| http://www.significado.xyz/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | 198.23.133.158 | 404 | | 0.280 | A | Not Found. Visible Content: Not Found The requested URL /.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de was not found on this server. |

Now you use a self-signed certificate:

E=franciscolaiho@gmail.com, CN=ra-ju.com, OU=IT, O=Ra-Ju, L=Zamora, S=Michoacán, C=MX
27.11.2018 – 27.11.2019, expires in 262 days

I have no idea how your configuration works. If you use such an integrated solution, you have only the options of that environment.

PS: The tool to check your domain is online. You can use it; that's one reason why I've created it. It's difficult to test such things with a browser, too much caching. But such a tool always starts fresh.

#8

For some reason my cert went back to the one I purchased for another domain. I saved it again from the Vesta panel, and it returns to the LE certificate:

Certificates

1. CN=significado.xyz, 08.03.2019 – 06.06.2019, expires in 88 days; significado.xyz, www.significado.xyz - 2 entries
   Signatur: SHA256 With RSA-Encryption
   Serial Number: 0378A98CD6B07BBD0491AECCA4B7C33BE839
   Thumbprint: 54A2BCE28F91142F0F1CBCA1110C78AECCD411CC
   OCSP - Url: http://ocsp.int-x3.letsencrypt.org
   OCSP - must staple: no
   Certificate Transparency: yes
2. expires in 738 days
   Signatur: SHA256 With RSA-Encryption
   Serial Number: 0A0141420000015385736A0B85ECA708
   Thumbprint: E6A3B45B062D509B3382282D196EFE97D5956CCB
   OCSP - Url: http://isrg.trustid.ocsp.identrust.com
   OCSP - must staple: no
   Certificate Transparency: no
3. expires in 935 days
   Signatur: SHA-1 with RSA Encryption
   Serial Number: 44AFB080D6A327BA893039862EF8406B
   Thumbprint: DAC9024F54D8F6DF94935FB1732638CA6AD77C13
   OCSP - Url:
   OCSP - must staple: no
   Certificate Transparency: no

I will have to reinstall from scratch.

As I said, I just used the pre-configured settings, I didn't touch anything :confused:

Well, thanks for your time.
