Using acmetool.sh based Nginx HTTP/2 HTTPS with free Letsencrypt SSL

Centmin Mod 123.09beta01 and higher has a addon called acmetool.sh which adds free Letsencrypt SSL support which you can enable to create Centmin Mod Nginx HTTP/2 based HTTPS web sites. The acmetool.sh addon has many options which you can read up on here and uses the underlying third party Letsencrypt client, acme.sh for the heavy lifting on the Letsencrypt SSL certificate issuance/renewal side of things.

The below outlined demo guide, is only for one of acmetool.sh's options - that is Letsencrypt SSL certificate issuance for HTTP/2 HTTPS default Nginx vhost site called http2.centminmod.com. If you are looking at switching your existing Centmin Mod Nginx HTTP site to HTTPS vhost site with Letsencrypt SSL certificates, check out the alternate guide here.

While below information is still valid, you will find latest information for Centmin Mod's free SSL certificates support via its Letsencrypt information. If you use Cloudflare in front of your domains, pay attention to section for using the recommended Cloudflare DNS API domain validation method instead of default Letsencrypt webroot domain validation method.

Valid DNS A Record Requirement

For acmetool.sh and underlying acme.sh client, you need for the intended HTTP/2 based HTTPS web site domain to have valid working DNS A records pointing to the server's IP address (or if you're using Cloudflare, Incapsula or Sucuri reverse proxies, then should return their respective public IP address for your site). So for domain.com and www.domain.com would need DNS A record to server IP address configured with your DNS provider (even if you're using Cloudflare, Incapsula or Sucuri reverse proxies). For example domain as it's subdomain, only need DNS A record for it.

If using Cloudflare and your Centmin Mod Nginx server doesn't have IPv6 networking enabled or if you have disabled IPv6 networking, you will also need to enable Cloudflare Pseudo IPv4 compatibility option outlined here and set it to overwrite headers.

You can within SSH session use dig short command to find the DNS A record you set for intended domain name as well as double check DNS propagation worldwide via site at whatsmydns.net.

dig http2.centminmod.com +short
107.170.215.183

Issuing Letsencrypt SSL Cert + Nginx HTTP/2 HTTPS Vhost Creation

For this step, you should NOT have already created a Nginx vhost on Centmin Mod yet as acmetool.sh itself will create and configure the Nginx vhost site including auto generating the pure-ftpd virtual username and password which will be outputted at end of the command run and also saved to log files in /etc/centminlogs.

Right now acmetool.sh is in beta testing so is disabled by default. To enable it, edit or create your persistent config file at /etc/centminmod/custom_config.inc and add the below variable to enable acmetool.sh.

LETSENCRYPT_DETECT='y'

Then use acmetool.sh to install the acme.sh Letsencrypt client and the automated auto Letsencrypt SSL renewal cronjob script which will auto renew your Letsencrypt SSL certificate every 60 days.

cd /usr/local/src/centminmod/addons
./acmetool.sh acmeinstall

Now you can proceed to use acmetool.sh to create the Nginx vhost site http2.centminmod.com + issue a free Letsencrypt SSL certificate via the underlying acme.sh client.

cd /usr/local/src/centminmod/addons
./acmetool.sh issue http2.centminmod.com lived

If you need to force a reissue of Letsencrypt SSL certificate before it's expiry date, use reissue command instead.

cd /usr/local/src/centminmod/addons
./acmetool.sh reissue http2.centminmod.com lived

Below is an example of successfull Letsencrypt SSL certificate issuance and Centmin Mod Nginx HTTP/2 based HTTPS default site creation as well as saved to log files in /etc/centminlogs. You can use https://dev.ssllabs.com/ssltest/ to test the site's HTTPS setup for errors etc. Note, if you're behind Cloudflare and use HTTPS default site setup, you would want to switch from Cloudflare Flexible SSL to Full SSL or Full SSL (strict).

The http2.centminmod.com default Nginx vhost site's index.html place holder page.

Nginx HTTP/2 HTTPS Letsencrypt SSL Index

./acmetool.sh issue http2.centminmod.com lived

-----------------------------------------------------
updating acme.sh client...
-----------------------------------------------------
[Tue Jan 24 07:21:38 UTC 2017] Installing to /root/.acme.sh
[Tue Jan 24 07:21:38 UTC 2017] Installed to /root/.acme.sh/acme.sh
[Tue Jan 24 07:21:38 UTC 2017] Installing alias to '/root/.bashrc'
[Tue Jan 24 07:21:38 UTC 2017] OK, Close and reopen your terminal to start using acme.sh
[Tue Jan 24 07:21:38 UTC 2017] Installing alias to '/root/.cshrc'
[Tue Jan 24 07:21:38 UTC 2017] Installing alias to '/root/.tcshrc'
[Tue Jan 24 07:21:38 UTC 2017] Installing cron job
59 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null
[Tue Jan 24 07:21:38 UTC 2017] Good, bash is found, so change the shebang to use bash as preferred.
[Tue Jan 24 07:21:38 UTC 2017] OK
https://github.com/Neilpang/acme.sh
v2.6.6
-----------------------------------------------------
acme.sh updated
-----------------------------------------------------

http2.centminmod.com nginx vhost + pureftp virtual ftp user setup

/usr/bin/nv -d http2.centminmod.com -s ydle -u *********
---------------------------------------------------------------
Nginx Vhost Setup...
---------------------------------------------------------------

FTP password auto generated: *********

Password: 
Enter it again: 
---------------------------------------------------------------
SSL Vhost Setup...
---------------------------------------------------------------

---------------------------------------------------------------
Generating self signed SSL certificate...
CSR file can also be used to be submitted for paid SSL certificates
If using for paid SSL certificates be sure to keep both private key and CSR safe
creating CSR File: http2.centminmod.com.csr
creating private key: http2.centminmod.com.key
creating self-signed SSL certificate: http2.centminmod.com.crt
Generating a 2048 bit RSA private key
................................................+++
...+++
writing new private key to 'http2.centminmod.com.key'
-----
No value provided for Subject Attribute C, skipped
No value provided for Subject Attribute ST, skipped
No value provided for Subject Attribute L, skipped
Signature ok
subject=/O=http2.centminmod.com/OU=http2.centminmod.com/CN=http2.centminmod.com
Getting Private key

---------------------------------------------------------------
Generating backup CSR and private key for HTTP Public Key Pinning...
creating CSR File: http2.centminmod.com-backup.csr
creating private key: http2.centminmod.com-backup.key
Generating a 2048 bit RSA private key
.................+++
...........................................................................................+++
writing new private key to 'http2.centminmod.com-backup.key'
-----

---------------------------------------------------------------
Generating dhparam.pem file - can take a few minutes...
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
...++*++*
dhparam file generation time: 106.744755009

-------------------------------------------------------------
/usr/local/src/centminmod/tools/autoprotect.sh
generated nginx include file [same]: /usr/local/nginx/conf/autoprotect/http2.centminmod.com/autoprotect-http2.centminmod.com.conf

autoprotect.sh run completed skipped nginx restart...

Restarting nginx (via systemctl):  [  OK  ]
systemctl restart pure-ftpd.service

-------------------------------------------------------------
FTP hostname : 107.170.215.183
FTP port : 21
FTP mode : FTP (explicit SSL)
FTP Passive (PASV) : ensure is checked/enabled
FTP username created for http2.centminmod.com : *********
FTP password created for http2.centminmod.com : *********
-------------------------------------------------------------
vhost for http2.centminmod.com created successfully

domain: http://http2.centminmod.com
vhost conf file for http2.centminmod.com created: /usr/local/nginx/conf/conf.d/http2.centminmod.com.conf

vhost ssl for http2.centminmod.com created successfully

domain: https://http2.centminmod.com
vhost ssl conf file for http2.centminmod.com created: /usr/local/nginx/conf/conf.d/http2.centminmod.com.ssl.conf
/usr/local/nginx/conf/ssl/http2.centminmod.com/http2.centminmod.com.crt.key.conf created
/usr/local/nginx/conf/ssl_include.conf created
Self-signed SSL Certificate: /usr/local/nginx/conf/ssl/http2.centminmod.com/http2.centminmod.com.crt
SSL Private Key: /usr/local/nginx/conf/ssl/http2.centminmod.com/http2.centminmod.com.key
SSL CSR File: /usr/local/nginx/conf/ssl/http2.centminmod.com/http2.centminmod.com.csr
Backup SSL Private Key: /usr/local/nginx/conf/ssl/http2.centminmod.com/http2.centminmod.com-backup.key
Backup SSL CSR File: /usr/local/nginx/conf/ssl/http2.centminmod.com/http2.centminmod.com-backup.csr

upload files to /home/nginx/domains/http2.centminmod.com/public
vhost log files directory is /home/nginx/domains/http2.centminmod.com/log

-------------------------------------------------------------
Current vhost listing at: /usr/local/nginx/conf/conf.d/

                       
Dec 27  15:58   2.5K   virtual.conf
Jan 24  07:23   2.1K   http2.centminmod.com.conf
Jan 24  07:23   3.2K   http2.centminmod.com.ssl.conf

-------------------------------------------------------------
Current vhost ssl files listing at: /usr/local/nginx/conf/ssl/http2.centminmod.com

                       
Jan 24  07:21   1.7K   http2.centminmod.com.key
Jan 24  07:21   989    http2.centminmod.com.csr
Jan 24  07:21   1.2K   http2.centminmod.com.crt
Jan 24  07:21   1.7K   http2.centminmod.com-backup.key
Jan 24  07:21   989    http2.centminmod.com-backup.csr
Jan 24  07:21   45     hpkp-info-primary-pin.txt
Jan 24  07:21   45     hpkp-info-secondary-pin.txt
Jan 24  07:23   424    dhparam.pem
Jan 24  07:23   374    http2.centminmod.com.crt.key.conf

-------------------------------------------------------------
Commands to remove http2.centminmod.com

 pure-pw userdel *********
 rm -rf /usr/local/nginx/conf/conf.d/http2.centminmod.com.conf
 rm -rf /usr/local/nginx/conf/conf.d/http2.centminmod.com.ssl.conf
 rm -rf /usr/local/nginx/conf/ssl/http2.centminmod.com/http2.centminmod.com.crt
 rm -rf /usr/local/nginx/conf/ssl/http2.centminmod.com/http2.centminmod.com.key
 rm -rf /usr/local/nginx/conf/ssl/http2.centminmod.com/http2.centminmod.com.csr
 rm -rf /usr/local/nginx/conf/ssl/http2.centminmod.com
 rm -rf /home/nginx/domains/http2.centminmod.com
 service nginx restart

-------------------------------------------------------------
vhost for http2.centminmod.com setup successfully
http2.centminmod.com setup info log saved at: 
/root/centminlogs/centminmod_240117-072138_nginx_addvhost_nv.log
-------------------------------------------------------------


backup & remove /usr/local/nginx/conf/conf.d/http2.centminmod.com.conf

[self-signed ssl cert check] required by acmetool.sh

[self-signed ssl] /usr/local/nginx/conf/ssl/http2.centminmod.com/dhparam.pem exists
[self-signed ssl] /usr/local/nginx/conf/ssl/http2.centminmod.com/http2.centminmod.com.crt exists
[self-signed ssl] /usr/local/nginx/conf/ssl/http2.centminmod.com/http2.centminmod.com.key exists

[sslvhostsetup] create /usr/local/nginx/conf/conf.d/http2.centminmod.com.ssl.conf

[non-wp] backup & remove /usr/local/nginx/conf/conf.d/http2.centminmod.com.conf
cat /usr/local/nginx/conf/ssl/http2.centminmod.com/http2.centminmod.com.crt.key.conf
  ssl_dhparam /usr/local/nginx/conf/ssl/http2.centminmod.com/dhparam.pem;
  ssl_certificate      /usr/local/nginx/conf/ssl/http2.centminmod.com/http2.centminmod.com.crt;
  ssl_certificate_key  /usr/local/nginx/conf/ssl/http2.centminmod.com/http2.centminmod.com.key;
  #ssl_trusted_certificate /usr/local/nginx/conf/ssl/http2.centminmod.com/http2.centminmod.com-trusted.crt;
Reloading nginx configuration (via systemctl):  [  OK  ]
grep 'root' /usr/local/nginx/conf/conf.d/http2.centminmod.com.conf
  root /home/nginx/domains/http2.centminmod.com/public;
grep 'root' /usr/local/nginx/conf/conf.d/http2.centminmod.com.ssl.conf
  root /home/nginx/domains/http2.centminmod.com/public;

-----------------------------------------------------------
issue & install letsencrypt ssl certificate for http2.centminmod.com
-----------------------------------------------------------
testcert value = lived
/root/.acme.sh/acme.sh --issue --days 60 -d http2.centminmod.com -w /home/nginx/domains/http2.centminmod.com/public -k 2048 --useragent centminmod-centos7-acmesh-webroot --log /root/centminlogs/acmetool.sh-debug-log-240117-072132.log --log-level 2
[Tue Jan 24 07:23:52 UTC 2017] Single domain='http2.centminmod.com'
[Tue Jan 24 07:23:52 UTC 2017] Getting domain auth token for each domain
[Tue Jan 24 07:23:52 UTC 2017] Getting webroot for domain='http2.centminmod.com'
[Tue Jan 24 07:23:52 UTC 2017] _w='/home/nginx/domains/http2.centminmod.com/public'
[Tue Jan 24 07:23:52 UTC 2017] Getting new-authz for domain='http2.centminmod.com'
[Tue Jan 24 07:23:54 UTC 2017] The new-authz request is ok.
[Tue Jan 24 07:23:54 UTC 2017] Verifying:http2.centminmod.com
[Tue Jan 24 07:23:56 UTC 2017] Success
[Tue Jan 24 07:23:56 UTC 2017] Verify finished, start to sign.
[Tue Jan 24 07:23:57 UTC 2017] Cert success.
-----BEGIN CERTIFICATE-----
MIIFDDCCA/SgAwIBAgISA1PXrpSKk854XylKViUSb8TdMA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xNzAxMjQwNjI0MDBaFw0x
NzA0MjQwNjI0MDBaMB8xHTAbBgNVBAMTFGh0dHAyLmNlbnRtaW5tb2QuY29tMIIB
IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAy3CLTa0ITCPO0ATzSPurBxIT
77z1+UjqgcO0u+Zpwbr1fhNINcmtsfeo3UrNntD42RH8UqZEVdjMFQ0aMxb2WTlm
yLIB67G0N4X0RDl++90EcSzWZv4n60NFFybNGyNmXagtl+0ys5mlP37VhlrXd7c1
Il4mpB9PivYlQgxuAw59FjCy1mizjrJqrA4xZGtwXLoHP+VtAN5EUbc5WXcAJlHn
WcF2hYpTHFgHciyGwreXjEyC+r1r+xc67yghw3daFxdRqKpGVZ6/hf5+LgfuJBSd
X2Gk70CV7fQ6YQRfFy6hSQN+iCOUzVuxMSfRvP70+uWpU2aiIRDQKS58KvO60wID
AQABo4ICFTCCAhEwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMB
BggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBTWUhSbkoj1Xj2mXOAe
pl7b7IEqgzAfBgNVHSMEGDAWgBSoSmpjBH3duubRObemRWXv86jsoTBwBggrBgEF
BQcBAQRkMGIwLwYIKwYBBQUHMAGGI2h0dHA6Ly9vY3NwLmludC14My5sZXRzZW5j
cnlwdC5vcmcvMC8GCCsGAQUFBzAChiNodHRwOi8vY2VydC5pbnQteDMubGV0c2Vu
Y3J5cHQub3JnLzAfBgNVHREEGDAWghRodHRwMi5jZW50bWlubW9kLmNvbTCB/gYD
VR0gBIH2MIHzMAgGBmeBDAECATCB5gYLKwYBBAGC3xMBAQEwgdYwJgYIKwYBBQUH
AgEWGmh0dHA6Ly9jcHMubGV0c2VuY3J5cHQub3JnMIGrBggrBgEFBQcCAjCBngyB
m1RoaXMgQ2VydGlmaWNhdGUgbWF5IG9ubHkgYmUgcmVsaWVkIHVwb24gYnkgUmVs
eWluZyBQYXJ0aWVzIGFuZCBvbmx5IGluIGFjY29yZGFuY2Ugd2l0aCB0aGUgQ2Vy
dGlmaWNhdGUgUG9saWN5IGZvdW5kIGF0IGh0dHBzOi8vbGV0c2VuY3J5cHQub3Jn
L3JlcG9zaXRvcnkvMA0GCSqGSIb3DQEBCwUAA4IBAQBTWRwGwUjnWeaj8ifm7Apg
OZw7L2bRP8EGepjFwnxfHf38EC0GYRyYcv0taF3BuIDpn37ICbUaUkK4dvF/K4VE
pAUpdS0c0ikfAhu2rHqrhF2CR7L87EUke5Df3QFEZib5kjbXRIYBpo7C0gglGaQx
3R6vuqWjMceso9dFfixkGcrdAxeIlN5jrsHJyXpA9yZOj1Krr1lmbPD4B1947wgW
wPuLMqWm1+91zZl08LdvPFHfOsibQL+0UNX/Kh7ijVEn1Y2+kr6TyIOWXcdzUqEW
WOI8wta1FRJLvAlZQ8/X89HHIaQ9JlTZE35RCU0Uh4RX7g7pIIYcoqRUj8P9ESXI
-----END CERTIFICATE-----
[Tue Jan 24 07:23:57 UTC 2017] Your cert is in  /root/.acme.sh/http2.centminmod.com/http2.centminmod.com.cer 
[Tue Jan 24 07:23:57 UTC 2017] Your cert key is in  /root/.acme.sh/http2.centminmod.com/http2.centminmod.com.key 
[Tue Jan 24 07:23:57 UTC 2017] The intermediate CA cert is in  /root/.acme.sh/http2.centminmod.com/ca.cer 
[Tue Jan 24 07:23:57 UTC 2017] And the full chain certs is there:  /root/.acme.sh/http2.centminmod.com/fullchain.cer 

switch to HTTPS default after verification


setting HTTPS default in /usr/local/nginx/conf/conf.d/http2.centminmod.com.ssl.conf

sed -i 's|^##x# HTTPS-DEFAULT|#x# HTTPS-DEFAULT|g' /usr/local/nginx/conf/conf.d/http2.centminmod.com.ssl.conf

remove /usr/local/nginx/conf/conf.d/http2.centminmod.com.conf

LECHECK = 0
  ssl_dhparam /usr/local/nginx/conf/ssl/http2.centminmod.com/dhparam.pem;
  ssl_certificate      /usr/local/nginx/conf/ssl/http2.centminmod.com/http2.centminmod.com-acme.cer;
  ssl_certificate_key  /usr/local/nginx/conf/ssl/http2.centminmod.com/http2.centminmod.com-acme.key;
  ssl_trusted_certificate /usr/local/nginx/conf/ssl/http2.centminmod.com/http2.centminmod.com-acme.cer;

-----------------------------------------------------------
install cert
-----------------------------------------------------------
/root/.acme.sh/acme.sh --installcert -d http2.centminmod.com --certpath /usr/local/nginx/conf/ssl/http2.centminmod.com/http2.centminmod.com-acme.cer --keypath /usr/local/nginx/conf/ssl/http2.centminmod.com/http2.centminmod.com-acme.key --capath /usr/local/nginx/conf/ssl/http2.centminmod.com/http2.centminmod.com-acme.cer --reloadCmd /usr/bin/ngxreload --fullchainpath /usr/local/nginx/conf/ssl/http2.centminmod.com/http2.centminmod.com-fullchain-acme.key
[Tue Jan 24 07:23:57 UTC 2017] Installing cert to:/usr/local/nginx/conf/ssl/http2.centminmod.com/http2.centminmod.com-acme.cer
[Tue Jan 24 07:23:57 UTC 2017] Installing CA to:/usr/local/nginx/conf/ssl/http2.centminmod.com/http2.centminmod.com-acme.cer
[Tue Jan 24 07:23:57 UTC 2017] Installing key to:/usr/local/nginx/conf/ssl/http2.centminmod.com/http2.centminmod.com-acme.key
[Tue Jan 24 07:23:57 UTC 2017] Installing full chain to:/usr/local/nginx/conf/ssl/http2.centminmod.com/http2.centminmod.com-fullchain-acme.key
[Tue Jan 24 07:23:57 UTC 2017] Run Le_ReloadCmd: /usr/bin/ngxreload
Reloading nginx configuration (via systemctl):  [  OK  ]
[Tue Jan 24 07:23:58 UTC 2017] Reload success

letsencrypt ssl certificate setup completed
ssl certs located at: /usr/local/nginx/conf/ssl/http2.centminmod.com

openssl x509 -noout -text < /usr/local/nginx/conf/ssl/http2.centminmod.com/http2.centminmod.com-acme.cer
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            03:53:d7:ae:94:8a:93:ce:78:5f:29:4a:56:25:12:6f:c4:dd
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
        Validity
            Not Before: Jan 24 06:24:00 2017 GMT
            Not After : Apr 24 06:24:00 2017 GMT
        Subject: CN=http2.centminmod.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:cb:70:8b:4d:ad:08:4c:23:ce:d0:04:f3:48:fb:
                    ab:07:12:13:ef:bc:f5:f9:48:ea:81:c3:b4:bb:e6:
                    69:c1:ba:f5:7e:13:48:35:c9:ad:b1:f7:a8:dd:4a:
                    cd:9e:d0:f8:d9:11:fc:52:a6:44:55:d8:cc:15:0d:
                    1a:33:16:f6:59:39:66:c8:b2:01:eb:b1:b4:37:85:
                    f4:44:39:7e:fb:dd:04:71:2c:d6:66:fe:27:eb:43:
                    45:17:26:cd:1b:23:66:5d:a8:2d:97:ed:32:b3:99:
                    a5:3f:7e:d5:86:5a:d7:77:b7:35:22:5e:26:a4:1f:
                    4f:8a:f6:25:42:0c:6e:03:0e:7d:16:30:b2:d6:68:
                    b3:8e:b2:6a:ac:0e:31:64:6b:70:5c:ba:07:3f:e5:
                    6d:00:de:44:51:b7:39:59:77:00:26:51:e7:59:c1:
                    76:85:8a:53:1c:58:07:72:2c:86:c2:b7:97:8c:4c:
                    82:fa:bd:6b:fb:17:3a:ef:28:21:c3:77:5a:17:17:
                    51:a8:aa:46:55:9e:bf:85:fe:7e:2e:07:ee:24:14:
                    9d:5f:61:a4:ef:40:95:ed:f4:3a:61:04:5f:17:2e:
                    a1:49:03:7e:88:23:94:cd:5b:b1:31:27:d1:bc:fe:
                    f4:fa:e5:a9:53:66:a2:21:10:d0:29:2e:7c:2a:f3:
                    ba:d3
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier: 
                D6:52:14:9B:92:88:F5:5E:3D:A6:5C:E0:1E:A6:5E:DB:EC:81:2A:83
            X509v3 Authority Key Identifier: 
                keyid:A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1

            Authority Information Access: 
                OCSP - URI:http://ocsp.int-x3.letsencrypt.org/
                CA Issuers - URI:http://cert.int-x3.letsencrypt.org/

            X509v3 Subject Alternative Name: 
                DNS:http2.centminmod.com
            X509v3 Certificate Policies: 
                Policy: 2.23.140.1.2.1
                Policy: 1.3.6.1.4.1.44947.1.1.1
                  CPS: http://cps.letsencrypt.org
                  User Notice:
                    Explicit Text: This Certificate may only be relied upon by Relying Parties and only in accordance with the Certificate Policy found at https://letsencrypt.org/repository/

    Signature Algorithm: sha256WithRSAEncryption
         53:59:1c:06:c1:48:e7:59:e6:a3:f2:27:e6:ec:0a:60:39:9c:
         3b:2f:66:d1:3f:c1:06:7a:98:c5:c2:7c:5f:1d:fd:fc:10:2d:
         06:61:1c:98:72:fd:2d:68:5d:c1:b8:80:e9:9f:7e:c8:09:b5:
         1a:52:42:b8:76:f1:7f:2b:85:44:a4:05:29:75:2d:1c:d2:29:
         1f:02:1b:b6:ac:7a:ab:84:5d:82:47:b2:fc:ec:45:24:7b:90:
         df:dd:01:44:66:26:f9:92:36:d7:44:86:01:a6:8e:c2:d2:08:
         25:19:a4:31:dd:1e:af:ba:a5:a3:31:c7:ac:a3:d7:45:7e:2c:
         64:19:ca:dd:03:17:88:94:de:63:ae:c1:c9:c9:7a:40:f7:26:
         4e:8f:52:ab:af:59:66:6c:f0:f8:07:5f:78:ef:08:16:c0:fb:
         8b:32:a5:a6:d7:ef:75:cd:99:74:f0:b7:6f:3c:51:df:3a:c8:
         9b:40:bf:b4:50:d5:ff:2a:1e:e2:8d:51:27:d5:8d:be:92:be:
         93:c8:83:96:5d:c7:73:52:a1:16:58:e2:3c:c2:d6:b5:15:12:
         4b:bc:09:59:43:cf:d7:f3:d1:c7:21:a4:3d:26:54:d9:13:7e:
         51:09:4d:14:87:84:57:ee:0e:e9:20:86:1c:a2:a4:54:8f:c3:
         fd:11:25:c8

log files saved at /root/centminlogs
-rw-r--r-- 1 root root  1.2K Jan 24 07:23 centminmod_240117-072138_nginx_addvhost_nv-remove-cmds-http2.centminmod.com.log
-rw-r--r-- 1 root root   18K Jan 24 07:23 centminmod_240117-072138_nginx_addvhost_nv.log
-rw-r--r-- 1 root root   29K Jan 24 07:23 acmetool.sh-debug-log-240117-072132.log
-rw-r--r-- 1 root root   30K Jan 24 07:23 acmesh-issue_240117-072132.log

The resulting output lists the log files as well:

log files saved at /root/centminlogs
-rw-r--r-- 1 root root  1.2K Jan 24 07:23 centminmod_240117-072138_nginx_addvhost_nv-remove-cmds-http2.centminmod.com.log
-rw-r--r-- 1 root root   18K Jan 24 07:23 centminmod_240117-072138_nginx_addvhost_nv.log
-rw-r--r-- 1 root root   29K Jan 24 07:23 acmetool.sh-debug-log-240117-072132.log
-rw-r--r-- 1 root root   30K Jan 24 07:23 acmesh-issue_240117-072132.log

Part of logged output is also the Nginx vhost site details, path to web root, log file path, self-signed SSL certificate info and pure-ftpd virtual ftp username/password which is generated before Letsencrypt SSL cert.

-------------------------------------------------------------
FTP hostname : 107.170.215.183
FTP port : 21
FTP mode : FTP (explicit SSL)
FTP Passive (PASV) : ensure is checked/enabled
FTP username created for http2.centminmod.com : *********
FTP password created for http2.centminmod.com : *********
-------------------------------------------------------------
vhost for http2.centminmod.com created successfully

domain: http://http2.centminmod.com
vhost conf file for http2.centminmod.com created: /usr/local/nginx/conf/conf.d/http2.centminmod.com.conf

vhost ssl for http2.centminmod.com created successfully

domain: https://http2.centminmod.com
vhost ssl conf file for http2.centminmod.com created: /usr/local/nginx/conf/conf.d/http2.centminmod.com.ssl.conf
/usr/local/nginx/conf/ssl/http2.centminmod.com/http2.centminmod.com.crt.key.conf created
/usr/local/nginx/conf/ssl_include.conf created
Self-signed SSL Certificate: /usr/local/nginx/conf/ssl/http2.centminmod.com/http2.centminmod.com.crt
SSL Private Key: /usr/local/nginx/conf/ssl/http2.centminmod.com/http2.centminmod.com.key
SSL CSR File: /usr/local/nginx/conf/ssl/http2.centminmod.com/http2.centminmod.com.csr
Backup SSL Private Key: /usr/local/nginx/conf/ssl/http2.centminmod.com/http2.centminmod.com-backup.key
Backup SSL CSR File: /usr/local/nginx/conf/ssl/http2.centminmod.com/http2.centminmod.com-backup.csr

upload files to /home/nginx/domains/http2.centminmod.com/public
vhost log files directory is /home/nginx/domains/http2.centminmod.com/log

-------------------------------------------------------------

After Letsencrypt SSL issuance, additional Letsencrypt SSL certificate files are generated at /root/.acme.sh/http2.centminmod.com/

-----END CERTIFICATE-----
[Tue Jan 24 07:23:57 UTC 2017] Your cert is in  /root/.acme.sh/http2.centminmod.com/http2.centminmod.com.cer 
[Tue Jan 24 07:23:57 UTC 2017] Your cert key is in  /root/.acme.sh/http2.centminmod.com/http2.centminmod.com.key 
[Tue Jan 24 07:23:57 UTC 2017] The intermediate CA cert is in  /root/.acme.sh/http2.centminmod.com/ca.cer 
[Tue Jan 24 07:23:57 UTC 2017] And the full chain certs is there:  /root/.acme.sh/http2.centminmod.com/fullchain.cer

Which is that copied from /root/.acme.sh/http2.centminmod.com/ to Nginx site's directory at /usr/local/nginx/conf/ssl/http2.centminmod.com/. And your Nginx vhost /usr/local/nginx/conf/conf.d/http2.centminmod.com.ssl.conf is automatically updated for correct paths.

  ssl_dhparam /usr/local/nginx/conf/ssl/http2.centminmod.com/dhparam.pem;
  ssl_certificate      /usr/local/nginx/conf/ssl/http2.centminmod.com/http2.centminmod.com-acme.cer;
  ssl_certificate_key  /usr/local/nginx/conf/ssl/http2.centminmod.com/http2.centminmod.com-acme.key;
  ssl_trusted_certificate /usr/local/nginx/conf/ssl/http2.centminmod.com/http2.centminmod.com-acme.cer;

Example of Centmin Mod Nginx HTTP/2 HTTPS vhost auto generated contents with only a 302 temporarily redirect for HTTP to HTTPS. Once you confirm all is working you can change return 302 to permanent 301 redirect return 301:

#x# HTTPS-DEFAULT
server {
  
  server_name http2.centminmod.com www.http2.centminmod.com;
  return 302 https://$server_name$request_uri;
}

server {
  listen 443 ssl http2;
  server_name http2.centminmod.com www.http2.centminmod.com;

  include /usr/local/nginx/conf/ssl/http2.centminmod.com/http2.centminmod.com.crt.key.conf;
  include /usr/local/nginx/conf/ssl_include.conf;

  http2_max_field_size 16k;
  http2_max_header_size 32k;
  # mozilla recommended
  ssl_ciphers TLS13-AES-128-GCM-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS;
  ssl_prefer_server_ciphers   on;
  #add_header Alternate-Protocol  443:npn-spdy/3;

  # before enabling HSTS line below read centminmod.com/nginx_domain_dns_setup.html#hsts
  #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
  #add_header X-Frame-Options SAMEORIGIN;
  #add_header X-Xss-Protection "1; mode=block" always;
  #add_header X-Content-Type-Options "nosniff" always;
  #spdy_headers_comp 5;
  ssl_buffer_size 1369;
  ssl_session_tickets on;
  
  # enable ocsp stapling
  resolver 8.8.8.8 8.8.4.4 valid=10m;
  resolver_timeout 10s;
  ssl_stapling on;
  ssl_stapling_verify on;

# ngx_pagespeed & ngx_pagespeed handler
#include /usr/local/nginx/conf/pagespeed.conf;
#include /usr/local/nginx/conf/pagespeedhandler.conf;
#include /usr/local/nginx/conf/pagespeedstatslog.conf;

  # limit_conn limit_per_ip 16;
  # ssi  on;

  access_log /home/nginx/domains/http2.centminmod.com/log/access.log combined buffer=256k flush=5m;
  error_log /home/nginx/domains/http2.centminmod.com/log/error.log;

  include /usr/local/nginx/conf/autoprotect/http2.centminmod.com/autoprotect-http2.centminmod.com.conf;
  root /home/nginx/domains/http2.centminmod.com/public;
  # uncomment cloudflare.conf include if using cloudflare for
  # server and/or vhost site
  #include /usr/local/nginx/conf/cloudflare.conf;
  include /usr/local/nginx/conf/503include-main.conf;

  location / {
  include /usr/local/nginx/conf/503include-only.conf;

# block common exploits, sql injections etc
#include /usr/local/nginx/conf/block.conf;

  # Enables directory listings when index file not found
  #autoindex  on;

  # Shows file listing times as local time
  #autoindex_localtime on;

  # Enable for vBulletin usage WITHOUT vbSEO installed
  # More example Nginx vhost configurations at
  # http://centmin.com/nginx_configure.html
  #try_files    $uri $uri/ /index.php;

  }

  include /usr/local/nginx/conf/staticfiles.conf;
  include /usr/local/nginx/conf/php.conf;
  include /usr/local/nginx/conf/drop.conf;
  #include /usr/local/nginx/conf/errorpage.conf;
  include /usr/local/nginx/conf/vts_server.conf;
}

Which contains an include file which lists the actual paths to Letsencrypt SSL certificates at /usr/local/nginx/conf/ssl/http2.centminmod.com/http2.centminmod.com.crt.key.conf.

  ssl_dhparam /usr/local/nginx/conf/ssl/http2.centminmod.com/dhparam.pem;
  ssl_certificate      /usr/local/nginx/conf/ssl/http2.centminmod.com/http2.centminmod.com-acme.cer;
  ssl_certificate_key  /usr/local/nginx/conf/ssl/http2.centminmod.com/http2.centminmod.com-acme.key;
  ssl_trusted_certificate /usr/local/nginx/conf/ssl/http2.centminmod.com/http2.centminmod.com-acme.cer;