Let's Encrypt Free SSL Certificates

Free SSL certificates for Nginx HTTP/2 based SSL are coming to Centmin Mod LEMP web stack thanks to Let's Encrypt free and automated domain validated SSL certificate offerings. Centmin Mod also has plans for automatic deployment of commercially paid SSL certificate on Nginx. But for now Let's Encrypt free domain validated SSL certificates will be the first integration scheduled. With Let's Encrypt automation, you will no longer need to do the manual steps required to setup Nginx HTTP/2 based SSL (https) web sites outlined here and here.

Let's Encrypt SSL certificate statistics are publicly available at https://letsencrypt.org/stats/ and status page at https://letsencrypt.status.io/.

Let's Encrypt Centmin Mod Integration

Let's Encrypt client integration work into Centmin Mod's Nginx web server is still in beta testing phase on both CentOS 6.x and CentOS 7.x.

The Let's Encrypt client is written in python and has a variety of authentication plugin modes it can run to validate your intended domain and issue the free domain validated SSL certificate. These plugin modes are outlined in the official documentation and include:

  • standalone - Very stable. Uses port 80 (force by --standalone-supported-challenges http-01) or 443 (force by --standalone-supported-challenges tls-sni-01).
  • apache - Alpha. Automates Apache installation, works fairly well but on Debian-based distributions only for now.
  • webroot - Works with already running webserver, by writing necessary files to the disk (--webroot-path should be pointed to your public_html). Currently, when multiple domains are specified (-d), they must all use the same web root path you will need to now pass multiple -w webrootpaths for each domain.
  • manual - Hidden from standard UI, use with -a manual. Requires to copy and paste commands into a new terminal session. Allows to run client on machine different than target webserver, e.g. your laptop.
  • nginx - Very experimental. Not included in letsencrypt-auto.

Unfortunately, alot of Let's Encrypt client development was only on Ubuntu/Debian so support for other Linux distribution's Nginx and Apache web server implementation are not currently fully supported. However, recently a new plugin for webroot authentication plugin was created and can solve this problem by separating the steps for the automation of the web server configuration from the domain validation and issuance of the SSL certificate. Centmin Mod's integration of Let's Encrypt and auto generation of Nginx https SSL vhost using Let's Encrypt free SSL certificates will be done via the webroot authentication plugin.

What is Letsencrypt Webroot Authentication ?

Authenticator plugin that performs http-01 challenge by saving necessary .well-known uri validation resources (encoded token) to appropriate paths on the file system. It expects that there is some other HTTP server configured to serve all files under specified web root.

It was born out of the awesome work Kuba did with creating the simplefs plugin which was later renamed to webroot authentication. In laymen terms, webroot authentication is an alternate way to obtain letsencrypt SSL certificates for Linux distributions and web servers which are not natively supported by Let's Encrypt client's default automated methods and to pass the http-01 challenge by following these steps:

  1. create a HTTP base site vhost before hand using either apache or nginx - this site will have a public web root. This site domain also needs valid working DNS A record pointing to the server IP
  2. run letsencrypt webroot authentication plugin method and pass your email address AND that site's public web root path to the command you run. This will perform the domain validation step. Automatically running the http-01 challenge / well-known uri creation on the defined web root validating the domain you want the SSL certificate for. A step similar to how folks validate domains added to Google Webmaster Tools or Bing Webmaster Tools.

Letsencrypt client help info for webroot authentication method.

/root/.local/share/letsencrypt/bin/letsencrypt --help webroot
  letsencrypt [SUBCOMMAND] [options] [-d domain] [-d domain] ...

The Let's Encrypt agent can obtain and install HTTPS/TLS/SSL certificates.  By
default, it will attempt to use a webserver both for obtaining and installing
the cert. Major SUBCOMMANDS are:

  (default) run        Obtain & install a cert in your current webserver
  certonly             Obtain cert, but do not install it (aka "auth")
  install              Install a previously obtained cert in a server
  revoke               Revoke a previously obtained certificate
  rollback             Rollback server configuration changes made during install
  config_changes       Show changes made to server config during installation
  plugins              Display information about installed plugins

optional arguments:
  -h, --help            show this help message and exit
                        config file path (default: None)

  Webroot Authenticator

  -w WEBROOT_PATH, --webroot-path WEBROOT_PATH
                        public_html / webroot path. This can be specified
                        multiple times to handle different domains; each
                        domain will have the webroot path that preceded it.
                        For instance: `-w /var/www/example -d example.com -d
                        www.example.com -w /var/www/thing -d thing.net -d
                        m.thing.net` (default: None)

Letsencrypt Webroot Documentation

The official Letsencrypt Webroot documentation will have the latest information for manually running the client. However, you will generally not need to do this with Centmin Mod's Letsencrypt integration as it's automated via Nginx vhost generator routines as shown below.

Let's Encrypt Centmin Mod Integration Example

The latest example of Let's Encrypt webroot authentication plugin method for obtaining free domain validated SSL certificates is outlined on the community forums here for auto creation of the Nginx vhost for beta invited whitelisted domain le10.http2ssl.xyz.

Invoking centmin.sh menu option 2 to add new nginx vhost le10.http2ssl.xyz

Centmin Mod 1.2.3-eva2000.09 - http://centminmod.com
                   Centmin Mod Menu    
1).  Centmin Install
2).  Add Nginx vhost domain
3).  NSD setup domain name DNS
4).  Nginx Upgrade / Downgrade
5).  PHP Upgrade / Downgrade
6).  XCache Re-install
7).  APC Cache Re-install
8).  XCache Install
9).  APC Cache Install
10). Memcached Server Re-install
11). MariaDB 5.2/5.5 & 10.x Upgrade Sub-Menu
12). Zend OpCache Install/Re-install
13). Install ioping.sh vbtechsupport.com/1239/
14). SELinux disable
15). Install/Reinstall ImagicK PHP Extension
16). Change SSHD Port Number
17). Multi-thread compression: pigz,pbzip2,lbzip2...
18). Suhosin PHP Extension install
19). Install FFMPEG and FFMPEG PHP Extension
20). NSD Re-install
21). Update - Nginx + PHP-FPM + Siege
22). Add Wordpress Nginx vhost + WP Super Cache
23). Update Centmin Mod Code Base
24). Exit
Enter option [ 1 - 24 ] 2

Prompt for creation of nginx vhost le10.http2ssl.xyz. Selecting yes to self-signed SSL certificate and then Letsencrypt SSL certificate. There's checks for valid DNS for domain and if first time running also MX DNS checks for valid email address to register a Letsencrypt account (one time only task).

Enter vhost domain name to add (without www. prefix): le10.http2ssl.xyz

Create a self-signed SSL certificate Nginx vhost? [y/n]: y

To get Letsencrypt SSL certificate, you must already have updated intended
domain vhost name's DNS A record to this server's IP addresss.
If top level domain, DNS A record is needed also for www. version of domain
otherwise, Letsencrypt domain name validation will fail.

le10.http2ssl.xyz is not a top level domain
your server IP address:
current DNS A record IP address for le10.http2ssl.xyz is:

Abort this Nginx vhost domain setup to setup proper DNS A record(s) first? [y/n]: n
Obtain Letsencrypt Free SSL certificate (90 day expiry / renew every 60 days) ? [y/n]: y

Create FTP username for vhost domain (enter username): *********************
Auto generate FTP password (recommended) [y/n]: y

FTP username you entered: *********************
FTP password auto generated: *********************

Installing Letsencrypt client via git clone. Right now each run of centmin.sh menu option 2 will also update letsencrypt client to ensure during the beta and public beta that latest client code is used always.

Actual Letsencrypt webroot command is below where --user-agent centminmod-centos6-webroot is dynamically determined based on CentOS version.

/root/.local/share/letsencrypt/bin/letsencrypt -c /etc/letsencrypt/webroot.ini --user-agent centminmod-centos6-webroot --webroot-path /home/nginx/domains/le10.http2ssl.xyz/public -d le10.http2ssl.xyz certonly

There's also a cronjob file setup on successfully obtaining Letsencrypt SSL certificate only located at /usr/local/nginx/conf/ssl/le10.http2ssl.xyz/letsencrypt-le10.http2ssl.xyz-cron. Contents of /usr/local/nginx/conf/ssl/le10.http2ssl.xyz/letsencrypt-le10.http2ssl.xyz-cron

/root/.local/share/letsencrypt/bin/letsencrypt -c /etc/letsencrypt/webroot.ini --user-agent centminmod-centos6-webroot --webroot-path /home/nginx/domains/le10.http2ssl.xyz/public -d le10.http2ssl.xyz certonly

cronjob has auto email notification of failed auto renewals which are sent to your Letsencrypt account's registered email address at initial setup time and is auto setup to run every 9 days 2 months and now has been updated to check every 9 days if SSL certificate expiry date is less than 30 days. If less than 30 days, the cronjob will auto renew the Letsencrypt SSL certificate(s). There is an added random sleep interval set so if you have many nginx vhosts with Letsencrypt SSL certificates, cronjob auto renewals are not all run simultaneously

10 1 */9 * * sleep 704s ; bash /usr/local/nginx/conf/ssl/le10.http2ssl.xyz/letsencrypt-le10.http2ssl.xyz-cron > /dev/null 2>&1

Here's a illustrative example of how the auto generated cronjob file works for auto renewal of Letsencrypt SSL certificate. This example is for le11.http2ssl.xyz domain and it's auto generated cronjob file located at /usr/local/nginx/conf/ssl/le11.http2ssl.xyz/letsencrypt-le11.http2ssl.xyz-cron. This is a manual timed run of the cronjob to auto renew the SSL certificate. Take note of expirydate.sh script reported and changed expiry date for le11.http2ssl.xyz SSL certificate.

Letsencrypt SSL certificate auto renewal cronjob run

on completion of centmin.sh menu option 2 the nginx vhost files and info for your record

vhost for le10.http2ssl.xyz created successfully

domain: http://le10.http2ssl.xyz
vhost conf file for le10.http2ssl.xyz created: /usr/local/nginx/conf/conf.d/le10.http2ssl.xyz.conf

vhost ssl for le10.http2ssl.xyz created successfully

domain: https://le10.http2ssl.xyz
vhost ssl conf file for le10.http2ssl.xyz created: /usr/local/nginx/conf/conf.d/le10.http2ssl.xyz.ssl.conf
/usr/local/nginx/conf/ssl_include.conf created
Self-signed SSL Certificate: /usr/local/nginx/conf/ssl/le10.http2ssl.xyz/le10.http2ssl.xyz.crt
SSL Private Key: /usr/local/nginx/conf/ssl/le10.http2ssl.xyz/le10.http2ssl.xyz.key
SSL CSR File: /usr/local/nginx/conf/ssl/le10.http2ssl.xyz/le10.http2ssl.xyz.csr
Backup SSL Private Key: /usr/local/nginx/conf/ssl/le10.http2ssl.xyz/le10.http2ssl.xyz-backup.key
Backup SSL CSR File: /usr/local/nginx/conf/ssl/le10.http2ssl.xyz/le10.http2ssl.xyz-backup.csr

Letsencrypt SSL Certificate: /etc/letsencrypt/live/le10.http2ssl.xyz/cert.pem
Letsencrypt SSL Certificate Private Key: /etc/letsencrypt/live/le10.http2ssl.xyz/privkey.pem
Letsencrypt SSL Certificate Chain: /etc/letsencrypt/live/le10.http2ssl.xyz/chain.pem
Letsencrypt SSL Certificate Full Chain: /etc/letsencrypt/live/le10.http2ssl.xyz/fullchain.pem
Letsencrypt le10.http2ssl.xyz cronjob file: /usr/local/nginx/conf/ssl/le10.http2ssl.xyz/letsencrypt-le10.http2ssl.xyz-cron

upload files to /home/nginx/domains/le10.http2ssl.xyz/public
vhost log files directory is /home/nginx/domains/le10.http2ssl.xyz/log

Current vhost listing at: /usr/local/nginx/conf/conf.d/

Nov 5   18:02   1.1K   demodomain.com.conf
Nov 5   18:02   1.6K   ftp.ftpdomain.com.conf
Nov 5   18:02   3.9K   ftp.ftpdomain.com.ssl.conf
Nov 5   18:02   845    ssl.conf
Nov 6   00:13   1.6K   ftp2.domain.com.conf
Nov 6   00:13   3.9K   ftp2.domain.com.ssl.conf
Nov 6   07:15   1.6K   virtual.conf
Nov 15  21:55   1.7K   le10.http2ssl.xyz.conf
Nov 15  21:55   3.9K   le10.http2ssl.xyz.ssl.conf

Current vhost ssl files listing at: /usr/local/nginx/conf/ssl/le10.http2ssl.xyz

Nov 15  21:53   1.7K   le10.http2ssl.xyz.key
Nov 15  21:53   1.1K   le10.http2ssl.xyz.csr
Nov 15  21:53   1.3K   le10.http2ssl.xyz.crt
Nov 15  21:53   1.7K   le10.http2ssl.xyz-backup.key
Nov 15  21:53   1.1K   le10.http2ssl.xyz-backup.csr
Nov 15  21:54   45     hpkp-info-primary-pin.txt
Nov 15  21:54   45     hpkp-info-secondary-pin.txt
Nov 15  21:55   424    dhparam.pem
Nov 15  21:55   205    letsencrypt-le10.http2ssl.xyz-cron

Commands to remove le10.http2ssl.xyz

rm -rf /usr/local/nginx/conf/conf.d/le10.http2ssl.xyz.conf
rm -rf /usr/local/nginx/conf/conf.d/le10.http2ssl.xyz.ssl.conf
rm -rf /usr/local/nginx/conf/ssl/le10.http2ssl.xyz/le10.http2ssl.xyz.crt
rm -rf /usr/local/nginx/conf/ssl/le10.http2ssl.xyz/le10.http2ssl.xyz.key
rm -rf /usr/local/nginx/conf/ssl/le10.http2ssl.xyz/le10.http2ssl.xyz.csr
rm -rf /usr/local/nginx/conf/ssl/le10.http2ssl.xyz
rm -rf /home/nginx/domains/le10.http2ssl.xyz
service nginx restart

End result

cipherscan command line check

cipherscan le10.http2ssl.xyz:443
Target: le10.http2ssl.xyz:443

prio  ciphersuite                  protocols              pfs                 curves
1     ECDHE-RSA-CHACHA20-POLY1305  TLSv1.2                ECDH,P-256,256bits  prime256v1
2     ECDHE-RSA-AES128-GCM-SHA256  TLSv1.2                ECDH,P-256,256bits  prime256v1
3     ECDHE-RSA-AES256-GCM-SHA384  TLSv1.2                ECDH,P-256,256bits  prime256v1
4     DHE-RSA-AES128-GCM-SHA256    TLSv1.2                DH,2048bits         None
5     DHE-RSA-AES256-GCM-SHA384    TLSv1.2                DH,2048bits         None
6     ECDHE-RSA-AES128-SHA256      TLSv1.2                ECDH,P-256,256bits  prime256v1
7     ECDHE-RSA-AES128-SHA         TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits  prime256v1
8     ECDHE-RSA-AES256-SHA384      TLSv1.2                ECDH,P-256,256bits  prime256v1
9     ECDHE-RSA-AES256-SHA         TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits  prime256v1
10    DHE-RSA-AES128-SHA256        TLSv1.2                DH,2048bits         None
11    DHE-RSA-AES128-SHA           TLSv1,TLSv1.1,TLSv1.2  DH,2048bits         None
12    DHE-RSA-AES256-SHA256        TLSv1.2                DH,2048bits         None
13    DHE-RSA-AES256-SHA           TLSv1,TLSv1.1,TLSv1.2  DH,2048bits         None
14    AES128-GCM-SHA256            TLSv1.2                None                None
15    AES256-GCM-SHA384            TLSv1.2                None                None
16    AES128-SHA256                TLSv1.2                None                None
17    AES256-SHA256                TLSv1.2                None                None
18    AES128-SHA                   TLSv1,TLSv1.1,TLSv1.2  None                None
19    AES256-SHA                   TLSv1,TLSv1.1,TLSv1.2  None                None

Certificate: trusted, 2048 bits, sha256WithRSAEncryption signature
TLS ticket lifetime hint: 3600
OCSP stapling: supported
Cipher ordering: server
Curves ordering: server - fallback: no
Server supports secure renegotiation
Server supported compression methods: NONE
TLS Tolerance: yes

testssl command line check

testssl le10.http2ssl.xyz:443

    testssl       2.7dev from https://testssl.sh/dev/
    (1.421 2015/11/11 16:49:35)

      This program is free software. Distribution and 
             modification under GPLv2 permitted. 

       Please file bugs @ https://testssl.sh/bugs/


Testing protocols (via sockets except TLS 1.2 and SPDY/NPN) 

 SSLv2      not offered (OK)
 SSLv3      not offered (OK)
 TLS 1      offered
 TLS 1.1    offered
 TLS 1.2    offered (OK)
 SPDY/NPN   h2, http/1.1 (advertised)

 Testing ~standard cipher lists 

 Null Ciphers                 not offered (OK)
 Anonymous NULL Ciphers       not offered (OK)
 Anonymous DH Ciphers         not offered (OK)
 40 Bit encryption            not offered (OK)
 56 Bit encryption            not offered (OK)
 Export Ciphers (general)     not offered (OK)
 Low (<=64 Bit)               not offered (OK)
 DES Ciphers                  not offered (OK)
 Medium grade encryption      not offered (OK)
 Triple DES Ciphers           not offered (OK)
 High grade encryption        offered (OK)

 Testing (perfect) forward secrecy, (P)FS -- omitting 3DES, RC4 and Null Encryption here 


 Testing server preferences 

 Has server cipher order?     yes (OK)
 Negotiated protocol          TLSv1.2
 Negotiated cipher            ECDHE-RSA-CHACHA20-POLY1305, 256 bit ECDH
 Cipher order

 Testing server defaults (Server Hello) 

 TLS server extensions (std)  "renegotiation info" "EC point formats" "session ticket" "status request" "next protocol" 
 Session Tickets RFC 5077     3600 seconds (PFS requires session ticket keys to be rotated <= daily)
 SSL Session ID support       yes
 Server key size              2048 bit
 Signature Algorithm          SHA256 with RSA
 Fingerprint / Serial         SHA1 BC5B23248F4D6A93E95E05CD34D787F88D8DE2EA / 01F7FEE13F03E2E9B79714E1DBC6F4B56BC9
                              SHA256 9D07C63B6364BDA90923E54F76BA41C988F4BD48C84368D376468F1E9C95A7AC
 Common Name (CN)             "le10.http2ssl.xyz" (works w/o SNI)
 subjectAltName (SAN)         "le10.http2ssl.xyz" 
 Issuer                       "Let's Encrypt Authority X1" ("Let's Encrypt" from "US")
 EV cert (experimental)       no 
 Certificate Expiration       >= 60 days (2015-11-15 21:48 --> 2016-02-13 21:48 +0000)
 # of certificates provided   2
 Chain of trust (experim.)    "/usr/bin/etc/*.pem" cannot be found / not readable
 Certificate Revocation List  --
 OCSP URI                     http://ocsp.int-x1.letsencrypt.org/
 OCSP stapling                offered
 TLS timestamp                random values, no fingerprinting possible 

 Testing HTTP header response @ "/" 

 HTTP Status Code             200 OK
 HTTP clock skew              0 sec from localtime
 Strict Transport Security    --
 Public Key Pinning           --
 Server banner                nginx centminmod
 Application banner           --
 Cookie(s)                    (none issued at "/")
 Security headers             --
 Reverse Proxy banner         --

 Testing vulnerabilities 

 Heartbleed (CVE-2014-0160)                not vulnerable (OK) (no heartbeat extension)
 CCS (CVE-2014-0224)                       not vulnerable (OK)
 Secure Renegotiation (CVE-2009-3555)      not vulnerable (OK)
 Secure Client-Initiated Renegotiation     not vulnerable (OK)
 CRIME, TLS (CVE-2012-4929)                not vulnerable (OK)
 BREACH (CVE-2013-3587)                    no HTTP compression (OK)  - only supplied "/" tested
 POODLE, SSL (CVE-2014-3566)               not vulnerable (OK)
 TLS_FALLBACK_SCSV (RFC 7507), experim.    Downgrade attack prevention supported (OK)
 FREAK (CVE-2015-0204)                     not vulnerable (OK)
 LOGJAM (CVE-2015-4000), experimental      not vulnerable (OK), common primes not checked. See below for any DH ciphers + bit size
 BEAST (CVE-2011-3389)                     TLS1: AES128-SHA DHE-RSA-AES128-SHA
                                                 AES256-SHA DHE-RSA-AES256-SHA ECDHE-RSA-AES128-SHA
                                           VULNERABLE -- but also supports higher protocols (possible mitigation): TLSv1.1 TLSv1.2
 RC4 (CVE-2013-2566, CVE-2015-2808)        no RC4 ciphers detected (OK)

 Testing all 181 locally available ciphers against the server, ordered by encryption strength 

Hexcode  Cipher Suite Name (OpenSSL)    KeyExch.   Encryption Bits
 xcc13   ECDHE-RSA-CHACHA20-POLY1305    ECDH 256   ChaCha20   256                                                                                     
 xc030   ECDHE-RSA-AES256-GCM-SHA384    ECDH 256   AESGCM     256                                                                                     
 xc028   ECDHE-RSA-AES256-SHA384        ECDH 256   AES        256                                                                                     
 xc014   ECDHE-RSA-AES256-SHA           ECDH 256   AES        256                                                                                     
 x9f     DHE-RSA-AES256-GCM-SHA384      DH 2048    AESGCM     256                                                                                     
 x6b     DHE-RSA-AES256-SHA256          DH 2048    AES        256                                                                                     
 x39     DHE-RSA-AES256-SHA             DH 2048    AES        256                                                                                     
 x9d     AES256-GCM-SHA384              RSA        AESGCM     256                                                                                     
 x3d     AES256-SHA256                  RSA        AES        256                                                                                     
 x35     AES256-SHA                     RSA        AES        256                                                                                     
 xc02f   ECDHE-RSA-AES128-GCM-SHA256    ECDH 256   AESGCM     128                                                                                     
 xc027   ECDHE-RSA-AES128-SHA256        ECDH 256   AES        128                                                                                     
 xc013   ECDHE-RSA-AES128-SHA           ECDH 256   AES        128                                                                                     
 x9e     DHE-RSA-AES128-GCM-SHA256      DH 2048    AESGCM     128                                                                                     
 x67     DHE-RSA-AES128-SHA256          DH 2048    AES        128                                                                                     
 x33     DHE-RSA-AES128-SHA             DH 2048    AES        128                                                                                     
 x9c     AES128-GCM-SHA256              RSA        AESGCM     128                                                                                     
 x3c     AES128-SHA256                  RSA        AES        128                                                                                     
 x2f     AES128-SHA                     RSA        AES        128                                                                                     

Screenshots for another test Nginx vhost domain, le1.http2ssl.xyz on Centmin Mod LEMP web stack.

Letsencrypt free SSL certificate

Letsencrypt free SSL certificate

Geotrust SSL test

Only A not A+ due to disabling HSTS header by default for my test sites as I need to be able to test my sites on both http and https versions. HSTS header allows A+ rating but prevents site testing on non-https version of site.

SSLLabs SSL test