Using acmetool.sh based Nginx HTTP/2 HTTPS with free Letsencrypt SSL
Centmin Mod 123.09beta01 and higher has a addon called acmetool.sh which adds free Letsencrypt SSL support which you can enable to create Centmin Mod Nginx HTTP/2 based HTTPS web sites. The acmetool.sh addon has many options which you can read up on here and uses the underlying third party Letsencrypt client, acme.sh for the heavy lifting on the Letsencrypt SSL certificate issuance/renewal side of things.
The below outlined demo guide, is only for one of acmetool.sh's options - that is Letsencrypt SSL certificate issuance for HTTP/2 HTTPS default Nginx vhost site called http2.centminmod.com
. If you are looking at switching your existing Centmin Mod Nginx HTTP site to HTTPS vhost site with Letsencrypt SSL certificates, check out the alternate guide here.
While below information is still valid, you will find latest information for Centmin Mod's free SSL certificates support via its Letsencrypt information. If you use Cloudflare in front of your domains, pay attention to section for using the recommended Cloudflare DNS API domain validation method instead of default Letsencrypt webroot domain validation method.
Valid DNS A Record Requirement
For acmetool.sh and underlying acme.sh client, you need for the intended HTTP/2 based HTTPS web site domain to have valid working DNS A records pointing to the server's IP address (or if you're using Cloudflare, Incapsula or Sucuri reverse proxies, then should return their respective public IP address for your site). So for domain.com and www.domain.com would need DNS A record to server IP address configured with your DNS provider (even if you're using Cloudflare, Incapsula or Sucuri reverse proxies). For example domain as it's subdomain, only need DNS A record for it.
If using Cloudflare and your Centmin Mod Nginx server doesn't have IPv6 networking enabled or if you have disabled IPv6 networking, you will also need to enable Cloudflare Pseudo IPv4 compatibility option outlined here and set it to overwrite headers.
You can within SSH session use dig short command to find the DNS A record you set for intended domain name as well as double check DNS propagation worldwide via site at whatsmydns.net.
dig http2.centminmod.com +short 107.170.215.183
Issuing Letsencrypt SSL Cert + Nginx HTTP/2 HTTPS Vhost Creation
For this step, you should NOT have already created a Nginx vhost on Centmin Mod yet as acmetool.sh
itself will create and configure the Nginx vhost site including auto generating the pure-ftpd virtual username and password which will be outputted at end of the command run and also saved to log files in /etc/centminlogs
.
Right now acmetool.sh
is in beta testing so is disabled by default. To enable it, edit or create your persistent config file at /etc/centminmod/custom_config.inc
and add the below variable to enable acmetool.sh.
LETSENCRYPT_DETECT='y'
Then use acmetool.sh
to install the acme.sh Letsencrypt client and the automated auto Letsencrypt SSL renewal cronjob script which will auto renew your Letsencrypt SSL certificate every 60 days.
cd /usr/local/src/centminmod/addons ./acmetool.sh acmeinstall
Now you can proceed to use acmetool.sh
to create the Nginx vhost site http2.centminmod.com
+ issue a free Letsencrypt SSL certificate via the underlying acme.sh client.
cd /usr/local/src/centminmod/addons ./acmetool.sh issue http2.centminmod.com lived
If you need to force a reissue of Letsencrypt SSL certificate before it's expiry date, use reissue
command instead.
cd /usr/local/src/centminmod/addons ./acmetool.sh reissue http2.centminmod.com lived
Below is an example of successfull Letsencrypt SSL certificate issuance and Centmin Mod Nginx HTTP/2 based HTTPS default site creation as well as saved to log files in /etc/centminlogs
. You can use https://dev.ssllabs.com/ssltest/ to test the site's HTTPS setup for errors etc. Note, if you're behind Cloudflare and use HTTPS default site setup, you would want to switch from Cloudflare Flexible SSL to Full SSL or Full SSL (strict).
The http2.centminmod.com
default Nginx vhost site's index.html place holder page.
./acmetool.sh issue http2.centminmod.com lived ----------------------------------------------------- updating acme.sh client... ----------------------------------------------------- [Tue Jan 24 07:21:38 UTC 2017] Installing to /root/.acme.sh [Tue Jan 24 07:21:38 UTC 2017] Installed to /root/.acme.sh/acme.sh [Tue Jan 24 07:21:38 UTC 2017] Installing alias to '/root/.bashrc' [Tue Jan 24 07:21:38 UTC 2017] OK, Close and reopen your terminal to start using acme.sh [Tue Jan 24 07:21:38 UTC 2017] Installing alias to '/root/.cshrc' [Tue Jan 24 07:21:38 UTC 2017] Installing alias to '/root/.tcshrc' [Tue Jan 24 07:21:38 UTC 2017] Installing cron job 59 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null [Tue Jan 24 07:21:38 UTC 2017] Good, bash is found, so change the shebang to use bash as preferred. [Tue Jan 24 07:21:38 UTC 2017] OK https://github.com/Neilpang/acme.sh v2.6.6 ----------------------------------------------------- acme.sh updated ----------------------------------------------------- http2.centminmod.com nginx vhost + pureftp virtual ftp user setup /usr/bin/nv -d http2.centminmod.com -s ydle -u ********* --------------------------------------------------------------- Nginx Vhost Setup... --------------------------------------------------------------- FTP password auto generated: ********* Password: Enter it again: --------------------------------------------------------------- SSL Vhost Setup... --------------------------------------------------------------- --------------------------------------------------------------- Generating self signed SSL certificate... CSR file can also be used to be submitted for paid SSL certificates If using for paid SSL certificates be sure to keep both private key and CSR safe creating CSR File: http2.centminmod.com.csr creating private key: http2.centminmod.com.key creating self-signed SSL certificate: http2.centminmod.com.crt Generating a 2048 bit RSA private key ................................................+++ ...+++ writing new private key to 'http2.centminmod.com.key' ----- No value provided for Subject Attribute C, skipped No value provided for Subject Attribute ST, skipped No value provided for Subject Attribute L, skipped Signature ok subject=/O=http2.centminmod.com/OU=http2.centminmod.com/CN=http2.centminmod.com Getting Private key --------------------------------------------------------------- Generating backup CSR and private key for HTTP Public Key Pinning... creating CSR File: http2.centminmod.com-backup.csr creating private key: http2.centminmod.com-backup.key Generating a 2048 bit RSA private key .................+++ ...........................................................................................+++ writing new private key to 'http2.centminmod.com-backup.key' ----- --------------------------------------------------------------- Generating dhparam.pem file - can take a few minutes... Generating DH parameters, 2048 bit long safe prime, generator 2 This is going to take a long time ...++*++* dhparam file generation time: 106.744755009 ------------------------------------------------------------- /usr/local/src/centminmod/tools/autoprotect.sh generated nginx include file [same]: /usr/local/nginx/conf/autoprotect/http2.centminmod.com/autoprotect-http2.centminmod.com.conf autoprotect.sh run completed skipped nginx restart... Restarting nginx (via systemctl): [ OK ] systemctl restart pure-ftpd.service ------------------------------------------------------------- FTP hostname : 107.170.215.183 FTP port : 21 FTP mode : FTP (explicit SSL) FTP Passive (PASV) : ensure is checked/enabled FTP username created for http2.centminmod.com : ********* FTP password created for http2.centminmod.com : ********* ------------------------------------------------------------- vhost for http2.centminmod.com created successfully domain: http://http2.centminmod.com vhost conf file for http2.centminmod.com created: /usr/local/nginx/conf/conf.d/http2.centminmod.com.conf vhost ssl for http2.centminmod.com created successfully domain: https://http2.centminmod.com vhost ssl conf file for http2.centminmod.com created: /usr/local/nginx/conf/conf.d/http2.centminmod.com.ssl.conf /usr/local/nginx/conf/ssl/http2.centminmod.com/http2.centminmod.com.crt.key.conf created /usr/local/nginx/conf/ssl_include.conf created Self-signed SSL Certificate: /usr/local/nginx/conf/ssl/http2.centminmod.com/http2.centminmod.com.crt SSL Private Key: /usr/local/nginx/conf/ssl/http2.centminmod.com/http2.centminmod.com.key SSL CSR File: /usr/local/nginx/conf/ssl/http2.centminmod.com/http2.centminmod.com.csr Backup SSL Private Key: /usr/local/nginx/conf/ssl/http2.centminmod.com/http2.centminmod.com-backup.key Backup SSL CSR File: /usr/local/nginx/conf/ssl/http2.centminmod.com/http2.centminmod.com-backup.csr upload files to /home/nginx/domains/http2.centminmod.com/public vhost log files directory is /home/nginx/domains/http2.centminmod.com/log ------------------------------------------------------------- Current vhost listing at: /usr/local/nginx/conf/conf.d/ Dec 27 15:58 2.5K virtual.conf Jan 24 07:23 2.1K http2.centminmod.com.conf Jan 24 07:23 3.2K http2.centminmod.com.ssl.conf ------------------------------------------------------------- Current vhost ssl files listing at: /usr/local/nginx/conf/ssl/http2.centminmod.com Jan 24 07:21 1.7K http2.centminmod.com.key Jan 24 07:21 989 http2.centminmod.com.csr Jan 24 07:21 1.2K http2.centminmod.com.crt Jan 24 07:21 1.7K http2.centminmod.com-backup.key Jan 24 07:21 989 http2.centminmod.com-backup.csr Jan 24 07:21 45 hpkp-info-primary-pin.txt Jan 24 07:21 45 hpkp-info-secondary-pin.txt Jan 24 07:23 424 dhparam.pem Jan 24 07:23 374 http2.centminmod.com.crt.key.conf ------------------------------------------------------------- Commands to remove http2.centminmod.com pure-pw userdel ********* rm -rf /usr/local/nginx/conf/conf.d/http2.centminmod.com.conf rm -rf /usr/local/nginx/conf/conf.d/http2.centminmod.com.ssl.conf rm -rf /usr/local/nginx/conf/ssl/http2.centminmod.com/http2.centminmod.com.crt rm -rf /usr/local/nginx/conf/ssl/http2.centminmod.com/http2.centminmod.com.key rm -rf /usr/local/nginx/conf/ssl/http2.centminmod.com/http2.centminmod.com.csr rm -rf /usr/local/nginx/conf/ssl/http2.centminmod.com rm -rf /home/nginx/domains/http2.centminmod.com service nginx restart ------------------------------------------------------------- vhost for http2.centminmod.com setup successfully http2.centminmod.com setup info log saved at: /root/centminlogs/centminmod_240117-072138_nginx_addvhost_nv.log ------------------------------------------------------------- backup & remove /usr/local/nginx/conf/conf.d/http2.centminmod.com.conf [self-signed ssl cert check] required by acmetool.sh [self-signed ssl] /usr/local/nginx/conf/ssl/http2.centminmod.com/dhparam.pem exists [self-signed ssl] /usr/local/nginx/conf/ssl/http2.centminmod.com/http2.centminmod.com.crt exists [self-signed ssl] /usr/local/nginx/conf/ssl/http2.centminmod.com/http2.centminmod.com.key exists [sslvhostsetup] create /usr/local/nginx/conf/conf.d/http2.centminmod.com.ssl.conf [non-wp] backup & remove /usr/local/nginx/conf/conf.d/http2.centminmod.com.conf cat /usr/local/nginx/conf/ssl/http2.centminmod.com/http2.centminmod.com.crt.key.conf ssl_dhparam /usr/local/nginx/conf/ssl/http2.centminmod.com/dhparam.pem; ssl_certificate /usr/local/nginx/conf/ssl/http2.centminmod.com/http2.centminmod.com.crt; ssl_certificate_key /usr/local/nginx/conf/ssl/http2.centminmod.com/http2.centminmod.com.key; #ssl_trusted_certificate /usr/local/nginx/conf/ssl/http2.centminmod.com/http2.centminmod.com-trusted.crt; Reloading nginx configuration (via systemctl): [ OK ] grep 'root' /usr/local/nginx/conf/conf.d/http2.centminmod.com.conf root /home/nginx/domains/http2.centminmod.com/public; grep 'root' /usr/local/nginx/conf/conf.d/http2.centminmod.com.ssl.conf root /home/nginx/domains/http2.centminmod.com/public; ----------------------------------------------------------- issue & install letsencrypt ssl certificate for http2.centminmod.com ----------------------------------------------------------- testcert value = lived /root/.acme.sh/acme.sh --issue --days 60 -d http2.centminmod.com -w /home/nginx/domains/http2.centminmod.com/public -k 2048 --useragent centminmod-centos7-acmesh-webroot --log /root/centminlogs/acmetool.sh-debug-log-240117-072132.log --log-level 2 [Tue Jan 24 07:23:52 UTC 2017] Single domain='http2.centminmod.com' [Tue Jan 24 07:23:52 UTC 2017] Getting domain auth token for each domain [Tue Jan 24 07:23:52 UTC 2017] Getting webroot for domain='http2.centminmod.com' [Tue Jan 24 07:23:52 UTC 2017] _w='/home/nginx/domains/http2.centminmod.com/public' [Tue Jan 24 07:23:52 UTC 2017] Getting new-authz for domain='http2.centminmod.com' [Tue Jan 24 07:23:54 UTC 2017] The new-authz request is ok. [Tue Jan 24 07:23:54 UTC 2017] Verifying:http2.centminmod.com [Tue Jan 24 07:23:56 UTC 2017] Success [Tue Jan 24 07:23:56 UTC 2017] Verify finished, start to sign. [Tue Jan 24 07:23:57 UTC 2017] Cert success. -----BEGIN CERTIFICATE----- MIIFDDCCA/SgAwIBAgISA1PXrpSKk854XylKViUSb8TdMA0GCSqGSIb3DQEBCwUA MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xNzAxMjQwNjI0MDBaFw0x NzA0MjQwNjI0MDBaMB8xHTAbBgNVBAMTFGh0dHAyLmNlbnRtaW5tb2QuY29tMIIB IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAy3CLTa0ITCPO0ATzSPurBxIT 77z1+UjqgcO0u+Zpwbr1fhNINcmtsfeo3UrNntD42RH8UqZEVdjMFQ0aMxb2WTlm yLIB67G0N4X0RDl++90EcSzWZv4n60NFFybNGyNmXagtl+0ys5mlP37VhlrXd7c1 Il4mpB9PivYlQgxuAw59FjCy1mizjrJqrA4xZGtwXLoHP+VtAN5EUbc5WXcAJlHn WcF2hYpTHFgHciyGwreXjEyC+r1r+xc67yghw3daFxdRqKpGVZ6/hf5+LgfuJBSd X2Gk70CV7fQ6YQRfFy6hSQN+iCOUzVuxMSfRvP70+uWpU2aiIRDQKS58KvO60wID AQABo4ICFTCCAhEwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMB BggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBTWUhSbkoj1Xj2mXOAe pl7b7IEqgzAfBgNVHSMEGDAWgBSoSmpjBH3duubRObemRWXv86jsoTBwBggrBgEF BQcBAQRkMGIwLwYIKwYBBQUHMAGGI2h0dHA6Ly9vY3NwLmludC14My5sZXRzZW5j cnlwdC5vcmcvMC8GCCsGAQUFBzAChiNodHRwOi8vY2VydC5pbnQteDMubGV0c2Vu Y3J5cHQub3JnLzAfBgNVHREEGDAWghRodHRwMi5jZW50bWlubW9kLmNvbTCB/gYD VR0gBIH2MIHzMAgGBmeBDAECATCB5gYLKwYBBAGC3xMBAQEwgdYwJgYIKwYBBQUH AgEWGmh0dHA6Ly9jcHMubGV0c2VuY3J5cHQub3JnMIGrBggrBgEFBQcCAjCBngyB m1RoaXMgQ2VydGlmaWNhdGUgbWF5IG9ubHkgYmUgcmVsaWVkIHVwb24gYnkgUmVs eWluZyBQYXJ0aWVzIGFuZCBvbmx5IGluIGFjY29yZGFuY2Ugd2l0aCB0aGUgQ2Vy dGlmaWNhdGUgUG9saWN5IGZvdW5kIGF0IGh0dHBzOi8vbGV0c2VuY3J5cHQub3Jn L3JlcG9zaXRvcnkvMA0GCSqGSIb3DQEBCwUAA4IBAQBTWRwGwUjnWeaj8ifm7Apg OZw7L2bRP8EGepjFwnxfHf38EC0GYRyYcv0taF3BuIDpn37ICbUaUkK4dvF/K4VE pAUpdS0c0ikfAhu2rHqrhF2CR7L87EUke5Df3QFEZib5kjbXRIYBpo7C0gglGaQx 3R6vuqWjMceso9dFfixkGcrdAxeIlN5jrsHJyXpA9yZOj1Krr1lmbPD4B1947wgW wPuLMqWm1+91zZl08LdvPFHfOsibQL+0UNX/Kh7ijVEn1Y2+kr6TyIOWXcdzUqEW WOI8wta1FRJLvAlZQ8/X89HHIaQ9JlTZE35RCU0Uh4RX7g7pIIYcoqRUj8P9ESXI -----END CERTIFICATE----- [Tue Jan 24 07:23:57 UTC 2017] Your cert is in /root/.acme.sh/http2.centminmod.com/http2.centminmod.com.cer [Tue Jan 24 07:23:57 UTC 2017] Your cert key is in /root/.acme.sh/http2.centminmod.com/http2.centminmod.com.key [Tue Jan 24 07:23:57 UTC 2017] The intermediate CA cert is in /root/.acme.sh/http2.centminmod.com/ca.cer [Tue Jan 24 07:23:57 UTC 2017] And the full chain certs is there: /root/.acme.sh/http2.centminmod.com/fullchain.cer switch to HTTPS default after verification setting HTTPS default in /usr/local/nginx/conf/conf.d/http2.centminmod.com.ssl.conf sed -i 's|^##x# HTTPS-DEFAULT|#x# HTTPS-DEFAULT|g' /usr/local/nginx/conf/conf.d/http2.centminmod.com.ssl.conf remove /usr/local/nginx/conf/conf.d/http2.centminmod.com.conf LECHECK = 0 ssl_dhparam /usr/local/nginx/conf/ssl/http2.centminmod.com/dhparam.pem; ssl_certificate /usr/local/nginx/conf/ssl/http2.centminmod.com/http2.centminmod.com-acme.cer; ssl_certificate_key /usr/local/nginx/conf/ssl/http2.centminmod.com/http2.centminmod.com-acme.key; ssl_trusted_certificate /usr/local/nginx/conf/ssl/http2.centminmod.com/http2.centminmod.com-acme.cer; ----------------------------------------------------------- install cert ----------------------------------------------------------- /root/.acme.sh/acme.sh --installcert -d http2.centminmod.com --certpath /usr/local/nginx/conf/ssl/http2.centminmod.com/http2.centminmod.com-acme.cer --keypath /usr/local/nginx/conf/ssl/http2.centminmod.com/http2.centminmod.com-acme.key --capath /usr/local/nginx/conf/ssl/http2.centminmod.com/http2.centminmod.com-acme.cer --reloadCmd /usr/bin/ngxreload --fullchainpath /usr/local/nginx/conf/ssl/http2.centminmod.com/http2.centminmod.com-fullchain-acme.key [Tue Jan 24 07:23:57 UTC 2017] Installing cert to:/usr/local/nginx/conf/ssl/http2.centminmod.com/http2.centminmod.com-acme.cer [Tue Jan 24 07:23:57 UTC 2017] Installing CA to:/usr/local/nginx/conf/ssl/http2.centminmod.com/http2.centminmod.com-acme.cer [Tue Jan 24 07:23:57 UTC 2017] Installing key to:/usr/local/nginx/conf/ssl/http2.centminmod.com/http2.centminmod.com-acme.key [Tue Jan 24 07:23:57 UTC 2017] Installing full chain to:/usr/local/nginx/conf/ssl/http2.centminmod.com/http2.centminmod.com-fullchain-acme.key [Tue Jan 24 07:23:57 UTC 2017] Run Le_ReloadCmd: /usr/bin/ngxreload Reloading nginx configuration (via systemctl): [ OK ] [Tue Jan 24 07:23:58 UTC 2017] Reload success letsencrypt ssl certificate setup completed ssl certs located at: /usr/local/nginx/conf/ssl/http2.centminmod.com openssl x509 -noout -text < /usr/local/nginx/conf/ssl/http2.centminmod.com/http2.centminmod.com-acme.cer Certificate: Data: Version: 3 (0x2) Serial Number: 03:53:d7:ae:94:8a:93:ce:78:5f:29:4a:56:25:12:6f:c4:dd Signature Algorithm: sha256WithRSAEncryption Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3 Validity Not Before: Jan 24 06:24:00 2017 GMT Not After : Apr 24 06:24:00 2017 GMT Subject: CN=http2.centminmod.com Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:cb:70:8b:4d:ad:08:4c:23:ce:d0:04:f3:48:fb: ab:07:12:13:ef:bc:f5:f9:48:ea:81:c3:b4:bb:e6: 69:c1:ba:f5:7e:13:48:35:c9:ad:b1:f7:a8:dd:4a: cd:9e:d0:f8:d9:11:fc:52:a6:44:55:d8:cc:15:0d: 1a:33:16:f6:59:39:66:c8:b2:01:eb:b1:b4:37:85: f4:44:39:7e:fb:dd:04:71:2c:d6:66:fe:27:eb:43: 45:17:26:cd:1b:23:66:5d:a8:2d:97:ed:32:b3:99: a5:3f:7e:d5:86:5a:d7:77:b7:35:22:5e:26:a4:1f: 4f:8a:f6:25:42:0c:6e:03:0e:7d:16:30:b2:d6:68: b3:8e:b2:6a:ac:0e:31:64:6b:70:5c:ba:07:3f:e5: 6d:00:de:44:51:b7:39:59:77:00:26:51:e7:59:c1: 76:85:8a:53:1c:58:07:72:2c:86:c2:b7:97:8c:4c: 82:fa:bd:6b:fb:17:3a:ef:28:21:c3:77:5a:17:17: 51:a8:aa:46:55:9e:bf:85:fe:7e:2e:07:ee:24:14: 9d:5f:61:a4:ef:40:95:ed:f4:3a:61:04:5f:17:2e: a1:49:03:7e:88:23:94:cd:5b:b1:31:27:d1:bc:fe: f4:fa:e5:a9:53:66:a2:21:10:d0:29:2e:7c:2a:f3: ba:d3 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Key Usage: critical Digital Signature, Key Encipherment X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication X509v3 Basic Constraints: critical CA:FALSE X509v3 Subject Key Identifier: D6:52:14:9B:92:88:F5:5E:3D:A6:5C:E0:1E:A6:5E:DB:EC:81:2A:83 X509v3 Authority Key Identifier: keyid:A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1 Authority Information Access: OCSP - URI:http://ocsp.int-x3.letsencrypt.org/ CA Issuers - URI:http://cert.int-x3.letsencrypt.org/ X509v3 Subject Alternative Name: DNS:http2.centminmod.com X509v3 Certificate Policies: Policy: 2.23.140.1.2.1 Policy: 1.3.6.1.4.1.44947.1.1.1 CPS: http://cps.letsencrypt.org User Notice: Explicit Text: This Certificate may only be relied upon by Relying Parties and only in accordance with the Certificate Policy found at https://letsencrypt.org/repository/ Signature Algorithm: sha256WithRSAEncryption 53:59:1c:06:c1:48:e7:59:e6:a3:f2:27:e6:ec:0a:60:39:9c: 3b:2f:66:d1:3f:c1:06:7a:98:c5:c2:7c:5f:1d:fd:fc:10:2d: 06:61:1c:98:72:fd:2d:68:5d:c1:b8:80:e9:9f:7e:c8:09:b5: 1a:52:42:b8:76:f1:7f:2b:85:44:a4:05:29:75:2d:1c:d2:29: 1f:02:1b:b6:ac:7a:ab:84:5d:82:47:b2:fc:ec:45:24:7b:90: df:dd:01:44:66:26:f9:92:36:d7:44:86:01:a6:8e:c2:d2:08: 25:19:a4:31:dd:1e:af:ba:a5:a3:31:c7:ac:a3:d7:45:7e:2c: 64:19:ca:dd:03:17:88:94:de:63:ae:c1:c9:c9:7a:40:f7:26: 4e:8f:52:ab:af:59:66:6c:f0:f8:07:5f:78:ef:08:16:c0:fb: 8b:32:a5:a6:d7:ef:75:cd:99:74:f0:b7:6f:3c:51:df:3a:c8: 9b:40:bf:b4:50:d5:ff:2a:1e:e2:8d:51:27:d5:8d:be:92:be: 93:c8:83:96:5d:c7:73:52:a1:16:58:e2:3c:c2:d6:b5:15:12: 4b:bc:09:59:43:cf:d7:f3:d1:c7:21:a4:3d:26:54:d9:13:7e: 51:09:4d:14:87:84:57:ee:0e:e9:20:86:1c:a2:a4:54:8f:c3: fd:11:25:c8 log files saved at /root/centminlogs -rw-r--r-- 1 root root 1.2K Jan 24 07:23 centminmod_240117-072138_nginx_addvhost_nv-remove-cmds-http2.centminmod.com.log -rw-r--r-- 1 root root 18K Jan 24 07:23 centminmod_240117-072138_nginx_addvhost_nv.log -rw-r--r-- 1 root root 29K Jan 24 07:23 acmetool.sh-debug-log-240117-072132.log -rw-r--r-- 1 root root 30K Jan 24 07:23 acmesh-issue_240117-072132.log
The resulting output lists the log files as well:
log files saved at /root/centminlogs -rw-r--r-- 1 root root 1.2K Jan 24 07:23 centminmod_240117-072138_nginx_addvhost_nv-remove-cmds-http2.centminmod.com.log -rw-r--r-- 1 root root 18K Jan 24 07:23 centminmod_240117-072138_nginx_addvhost_nv.log -rw-r--r-- 1 root root 29K Jan 24 07:23 acmetool.sh-debug-log-240117-072132.log -rw-r--r-- 1 root root 30K Jan 24 07:23 acmesh-issue_240117-072132.log
Part of logged output is also the Nginx vhost site details, path to web root, log file path, self-signed SSL certificate info and pure-ftpd virtual ftp username/password which is generated before Letsencrypt SSL cert.
------------------------------------------------------------- FTP hostname : 107.170.215.183 FTP port : 21 FTP mode : FTP (explicit SSL) FTP Passive (PASV) : ensure is checked/enabled FTP username created for http2.centminmod.com : ********* FTP password created for http2.centminmod.com : ********* ------------------------------------------------------------- vhost for http2.centminmod.com created successfully domain: http://http2.centminmod.com vhost conf file for http2.centminmod.com created: /usr/local/nginx/conf/conf.d/http2.centminmod.com.conf vhost ssl for http2.centminmod.com created successfully domain: https://http2.centminmod.com vhost ssl conf file for http2.centminmod.com created: /usr/local/nginx/conf/conf.d/http2.centminmod.com.ssl.conf /usr/local/nginx/conf/ssl/http2.centminmod.com/http2.centminmod.com.crt.key.conf created /usr/local/nginx/conf/ssl_include.conf created Self-signed SSL Certificate: /usr/local/nginx/conf/ssl/http2.centminmod.com/http2.centminmod.com.crt SSL Private Key: /usr/local/nginx/conf/ssl/http2.centminmod.com/http2.centminmod.com.key SSL CSR File: /usr/local/nginx/conf/ssl/http2.centminmod.com/http2.centminmod.com.csr Backup SSL Private Key: /usr/local/nginx/conf/ssl/http2.centminmod.com/http2.centminmod.com-backup.key Backup SSL CSR File: /usr/local/nginx/conf/ssl/http2.centminmod.com/http2.centminmod.com-backup.csr upload files to /home/nginx/domains/http2.centminmod.com/public vhost log files directory is /home/nginx/domains/http2.centminmod.com/log -------------------------------------------------------------
After Letsencrypt SSL issuance, additional Letsencrypt SSL certificate files are generated at /root/.acme.sh/http2.centminmod.com/
-----END CERTIFICATE----- [Tue Jan 24 07:23:57 UTC 2017] Your cert is in /root/.acme.sh/http2.centminmod.com/http2.centminmod.com.cer [Tue Jan 24 07:23:57 UTC 2017] Your cert key is in /root/.acme.sh/http2.centminmod.com/http2.centminmod.com.key [Tue Jan 24 07:23:57 UTC 2017] The intermediate CA cert is in /root/.acme.sh/http2.centminmod.com/ca.cer [Tue Jan 24 07:23:57 UTC 2017] And the full chain certs is there: /root/.acme.sh/http2.centminmod.com/fullchain.cer
Which is that copied from /root/.acme.sh/http2.centminmod.com/
to Nginx site's directory at /usr/local/nginx/conf/ssl/http2.centminmod.com/
. And your Nginx vhost /usr/local/nginx/conf/conf.d/http2.centminmod.com.ssl.conf
is automatically updated for correct paths.
ssl_dhparam /usr/local/nginx/conf/ssl/http2.centminmod.com/dhparam.pem; ssl_certificate /usr/local/nginx/conf/ssl/http2.centminmod.com/http2.centminmod.com-acme.cer; ssl_certificate_key /usr/local/nginx/conf/ssl/http2.centminmod.com/http2.centminmod.com-acme.key; ssl_trusted_certificate /usr/local/nginx/conf/ssl/http2.centminmod.com/http2.centminmod.com-acme.cer;
Example of Centmin Mod Nginx HTTP/2 HTTPS vhost auto generated contents with only a 302 temporarily redirect for HTTP to HTTPS. Once you confirm all is working you can change return 302
to permanent 301 redirect return 301
:
#x# HTTPS-DEFAULT server { server_name http2.centminmod.com www.http2.centminmod.com; return 302 https://$server_name$request_uri; } server { listen 443 ssl http2; server_name http2.centminmod.com www.http2.centminmod.com; include /usr/local/nginx/conf/ssl/http2.centminmod.com/http2.centminmod.com.crt.key.conf; include /usr/local/nginx/conf/ssl_include.conf; http2_max_field_size 16k; http2_max_header_size 32k; # mozilla recommended ssl_ciphers TLS13-AES-128-GCM-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS; ssl_prefer_server_ciphers on; #add_header Alternate-Protocol 443:npn-spdy/3; # before enabling HSTS line below read centminmod.com/nginx_domain_dns_setup.html#hsts #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;"; #add_header X-Frame-Options SAMEORIGIN; #add_header X-Xss-Protection "1; mode=block" always; #add_header X-Content-Type-Options "nosniff" always; #spdy_headers_comp 5; ssl_buffer_size 1369; ssl_session_tickets on; # enable ocsp stapling resolver 8.8.8.8 8.8.4.4 valid=10m; resolver_timeout 10s; ssl_stapling on; ssl_stapling_verify on; # ngx_pagespeed & ngx_pagespeed handler #include /usr/local/nginx/conf/pagespeed.conf; #include /usr/local/nginx/conf/pagespeedhandler.conf; #include /usr/local/nginx/conf/pagespeedstatslog.conf; # limit_conn limit_per_ip 16; # ssi on; access_log /home/nginx/domains/http2.centminmod.com/log/access.log combined buffer=256k flush=5m; error_log /home/nginx/domains/http2.centminmod.com/log/error.log; include /usr/local/nginx/conf/autoprotect/http2.centminmod.com/autoprotect-http2.centminmod.com.conf; root /home/nginx/domains/http2.centminmod.com/public; # uncomment cloudflare.conf include if using cloudflare for # server and/or vhost site #include /usr/local/nginx/conf/cloudflare.conf; include /usr/local/nginx/conf/503include-main.conf; location / { include /usr/local/nginx/conf/503include-only.conf; # block common exploits, sql injections etc #include /usr/local/nginx/conf/block.conf; # Enables directory listings when index file not found #autoindex on; # Shows file listing times as local time #autoindex_localtime on; # Enable for vBulletin usage WITHOUT vbSEO installed # More example Nginx vhost configurations at # http://centmin.com/nginx_configure.html #try_files $uri $uri/ /index.php; } include /usr/local/nginx/conf/staticfiles.conf; include /usr/local/nginx/conf/php.conf; include /usr/local/nginx/conf/drop.conf; #include /usr/local/nginx/conf/errorpage.conf; include /usr/local/nginx/conf/vts_server.conf; }
Which contains an include file which lists the actual paths to Letsencrypt SSL certificates at /usr/local/nginx/conf/ssl/http2.centminmod.com/http2.centminmod.com.crt.key.conf
.
ssl_dhparam /usr/local/nginx/conf/ssl/http2.centminmod.com/dhparam.pem; ssl_certificate /usr/local/nginx/conf/ssl/http2.centminmod.com/http2.centminmod.com-acme.cer; ssl_certificate_key /usr/local/nginx/conf/ssl/http2.centminmod.com/http2.centminmod.com-acme.key; ssl_trusted_certificate /usr/local/nginx/conf/ssl/http2.centminmod.com/http2.centminmod.com-acme.cer;