Let's Encrypt Free SSL Certificates

Free SSL certificates for Nginx HTTP/2 based SSL available on Centmin Mod LEMP web stack thanks to Let's Encrypt. If your Centmin Mod Nginx domain is behind Cloudflare orange cloud enabled proxy and you have Cloudflare Full or Full Strict SSL mode enabled, it's recommended you use Cloudflare DNS API domain validation method for issuing Letsencrypt SSL certificates on your Centmin Mod Nginx origin server side.

  1. Letsencrypt Centmin Mod Integration
  2. Letsencrypt Requirements
  3. Enable Letsencrypt Support
  4. Enable Dual RSA 2048bit + ECC 256bit ECDSA Letsencrypt SSL Certificate Support
  5. Switching from Letsencrypt to ZeroSSL SSL Certificates
  6. Letsencrypt Domain DNS Validation



Letsencrypt Centmin Mod Integration

Letsencrypt client integration work into Centmin Mod's Nginx web server started in Centmin Mod 123.09beta01 version and is now available in both Centmin Mod 124.00stable and 130.00beta01 versions. For details of the integration using Centmin Mod's addons/acmetool.sh addon script and underlying acme.sh client, check out official community forum thread available at Centmin Mod Letsencrypt Branch discussions.

Centmin Mod's addons/acmetool.sh addon script and underlying acme.sh client also support other Certificate Authority (CA) providers besides Letsencrypt. As such Centmin Mod also natively supports using SSL certificates provided by both ZeroSSL CA and Google Public CA. Read further below for details.


Letsencrypt Requirements

Domain DNS Requirements

To be able to use Letsencrypt SSL certificate support in Centmin Mod Nginx, ensure you update your domain name's DNS A records for apex domain.com, www.domain.com and/or any subdomain.domain.com to point to Centmin Mod server's IP address. This is required as Letsencrypt needs to validate your domain name to see if resolves and contacts your Centmin Mod Nginx server's domain vhost site. By default, Letsencrypt domain validation is done via web root authentication method where the client automatically generates a challenge file at https://yourdomain.com/.well-known/acme-challenge/*.

Centmin Mod's addons/acmetool.sh addon script and underlying acme.sh client also supports DNS domain validation where the client automatically generates a DNS TXT record via your domain's DNS provider's API and Letsencrypt then reads that generated DNS TXT record to validate your domain for SSL certificate issuance. Read further below for Letsencrypt DNS API validation details.


Enable Letsencrypt Support

Configuring Persistent Configuration File

To enable native Letsencrypt SSL certificate support for Centmin Mod Nginx, you need to set in persistent config file /etc/centminmod/custom_config.inc (create the file if it does not already exist), the following variable LETSENCRYPT_DETECT='y'. This will allow Centmin Mod Nginx's vhost creation routines to use addons/acmetool.sh addon script to obtain free Letsencrypt SSL certificates for the desired Nginx vhost domain name. If this variable isn't set, Nginx vhost generation can optionally default to creating self-signed SSL certificates in it's place which are not web browser trusted SSL certificates so will report as invalid SSL certificates. But this allows you to do developer testing for a HTTPS SSL certificate enabled site without having to issue an actual web browser trusted SSL certificate. Useful if you don't need for web browser trusted SSL certificate during testing which will show up in publicly searchable SSL certificate transparency logs.

LETSENCRYPT_DETECT='y'

With persistent config file /etc/centminmod/custom_config.inc variable set, RSA 2048bit SSL certificates are obtained by default. Centmin Mod Nginx uses OpenSSL 1.1.1 crypto library by default which supports dual RSA 2048bit + ECC 256bit ECDSA SSL certificates if you also set DUALCERTS='y' in persistent config file. You essentially are issued two SSL certificates, one for RSA 2048bit and one for ECC 256bit. This will allow Centmin Mod's addons/acmetool.sh addon script to obtain both RSA 2048bit and ECC 256bit ECDSA SSL certificates and configure Centmin Mod Nginx's vhost configuration to use both SSL certificates. If a web browser supports better performing ECC 256bit ECDSA SSL certificates, Centmin Mod Nginx will server that type of SSL certificate. However, if web browser doesn't support this type, it will automatically fallback and serve the default RSA 2048bit SSL certificates.

LETSENCRYPT_DETECT='y'
DUALCERTS='y'


Switching from Letsencrypt to ZeroSSL SSL Certificates

ZeroSSL Background Information

Originally, switching to ZeroSSL certificates was a workaround for Letsencrypt DST Root CA X3 root certificate expiration on September 30, 2021 as a way of regaining older device compatibility with your Centmin Mod Nginx HTTPS web sites which used Letsencrypt SSL certificates. However, you can choose to use free ZeroSSL SSL certificates instead of free Letsencrypt SSL certificates for everyday use. Or switch between the two CA providers if you wish.

ZeroSSL website lists a side by side comparison with Letsencrypt. The main differences is that ZeroSSL has no rate limits for SSL certificate issuance and has a GUI based management console for issued SSL certificates.

ZeroSSL will in theory allow somewhat older devices to still work with ZeroSSL SSL certificates as they have three CA root certificates that are likely to be in devices’ trust stores – the first two listed are in most modern browsers /devices while the third is the key for older device compatibility – the cross-signed AAA Certificate Services root certificate to support older devices:

  1. USERTrust RSA Certification Authority & USERTrust ECC Certification Authority root
  2. COMODO RSA Certification Authority & COMODO ECC Certification Authority root
  3. AAA Certificate Services root (cross-signed to support older devices)

How to switch from Letsencrypt to ZeroSSL SSL Certificates

ZeroSSL optionally requires you to register an account with at ZeroSSL.com first to obtain the EAB credentials via https://app.zerossl.com/developer that you need to register so that acme.sh client and thus acmetool.sh addon for Centmin Mod’s automated Nginx HTTPS site creation to issue free ZeroSSL SSL certificates instead of Letsencrypt SSL certificates. Or you can just pass your email address on command line to register with ZeroSSL and automatically obtain and register your EAB credentials which end up being saved to the configuration file at /root/.acme.sh/ca/acme.zerossl.com/ca.conf or in newer acme.sh clients at /root/.acme.sh/ca/acme.zerossl.com/v2/DV90/ca.conf.

ls -lah /root/.acme.sh/ca/
total 0
drwxr-xr-x 4 root root  66 Sep 26 00:39 .
drwx------ 9 root root 233 Sep 30 23:43 ..
drwxr-xr-x 3 root root  23 Sep 26 00:06 acme-v02.api.letsencrypt.org
drwxr-xr-x 3 root root  16 Sep 26 00:39 acme.zerossl.com

Steps to switch Centmin Mod 123.09beta01 from using free Letsencrypt SSL certificates to using free ZeroSSL SSL certificates:

Step 1. Register an account at ZeroSSL.com and go to https://app.zerossl.com/developer to obtain the EAB credentials. This signup is actually optional as you can instead just provide your email address on the command line then you can actually skip Step 2:

acme.sh --register-account -m [email protected] --server zerossl

Step 2. SSH login to your Centmin Mod server and register your EAB credentials with acme.sh client via the command line:

acme.sh --register-account --server zerossl --eab-kid xxxxxxxxxxxx --eab-hmac-key xxxxxxxxx

Without the EAB credentials, you may get a message like:

no eab credentials found for zerossl, let’s get one

Step 3. Configure Centmin Mod acmetool.sh addon to use ZeroSSL instead of Letsencrypt as default CA SSL certificate provider via the persistent configuration file /etc/centminmod/custom_config.inc variable you add:

ACME_DEFAULT_CA='zerossl'

If you want to switch back from ZeroSSL to Letsencrypt defaults you can remove that variable from the persistent configuration file /etc/centminmod/custom_config.inc or you can specifically set it to the already default value

ACME_DEFAULT_CA='letsencrypt'

The acmetool.sh addon will pickup whichever setting value you have for the variable set in the persistent configuration file /etc/centminmod/custom_config.inc which will override the default settings.

Step 4. Reissuing existing Nginx site’s SSL certificates using ZeroSSL instead of Letsencrypt as CA provider.

Once you have switched to ZeroSSL defaults from above step 1-3, you will need to reissue your SSL certificates for existing Centmin Mod Nginx sites on your server. You do this via acmetool.sh addon wrapper script’s reissue-only option specifying your existing already created Centmin Mod Nginx site’s domain name (without the www) or subdomain name. Replace yourdomain.com with your Centmin Mod Nginx site’s domain name or subdomain name. The reissue-only option will only touch your existing Centmin Mod Nginx site’s SSL certificate configuration leaving the rest of your Nginx HTTPS vhost configuration intact.

/usr/local/src/centminmod/addons/acmetool.sh reissue-only yourdomain.com live

You can then run acmetool.sh checkdates option to list all SSL certificates issued and configured at Nginx level for the current Centmin Mod server. Example below:

/usr/local/src/centminmod/addons/acmetool.sh checkdates

output

/usr/local/src/centminmod/addons/acmetool.sh checkdates
----------------------------------------------
nginx installed
----------------------------------------------

/usr/local/nginx/conf/ssl/zerossl.domain.com/zerossl.domain.com-acme.cer
SHA1 Fingerprint=06FE84519E09ACB75BBE11EDF26F7D41D0Bxxxxx
certificate expires in 83 days on 25 Dec 2021

/usr/local/nginx/conf/ssl/letsencrypt.domain.com/letsencrypt.domain.com-acme.cer
SHA1 Fingerprint=423A55D99E8BEEBBC4C42C82E2C8683684Cxxxxx
certificate expires in 87 days on 29 Dec 2021

----------------------------------------------
acme.sh obtained
----------------------------------------------

/root/.acme.sh/zerossl.domain.com/zerossl.domain.com.cer
SHA1 Fingerprint=06FE84519E09ACB75BBE11EDF26F7D41D0Bxxxxx
[ below certifcate transparency link is only valid ~1hr after issuance ]
https://crt.sh/?sha1=06FE84519E09ACB75BBE11EDF26F7D41D0Bxxxxx
certificate expires in 83 days on 25 Dec 2021

/root/.acme.sh/letsencrypt.domain.com/letsencrypt.domain.com.cer
SHA1 Fingerprint=423A55D99E8BEEBBC4C42C82E2C8683684Cxxxxx
[ below certifcate transparency link is only valid ~1hr after issuance ]
https://crt.sh/?sha1=423A55D99E8BEEBBC4C42C82E2C8683684Cxxxxx
certificate expires in 87 days on 29 Dec 2021


Letsencrypt Domain DNS Validation

Cloudflare DNS API Validation

Centmin Mod's addons/acmetool.sh addon script and underlying acme.sh client also supports DNS domain validation where the client automatically generates a DNS TXT record via your domain's DNS provider's API and Letsencrypt then reads that generated DNS TXT record to validate your domain for SSL certificate issuance. Currently, only Cloudflare DNS API support is added to addons/acmetool.sh addon script. Other DNS providers will be added in future. You can see an example of using Cloudflare DNS API for Letsencrypt Domain DNS validation on Centmin Mod blog post here and also details on official Centmin Mod community forums.

Instead of default webroot URL authentication, addons/acmetool.sh now supports full Cloudflare DNS API domain validation for Letsencrypt SSL certificate issuance that can be optionally enabled via variables when Cloudflare API Token is set in persistent config file at /etc/centminmod/custom_config.inc. Add these three variables to their persistent config file - create the file if it doesn't already exist. This method is recommended if your Centmin Mod Nginx domain is behind Cloudflare orange cloud enabled proxy and you have Cloudflare Full or Full Strict SSL mode enabled.

CF_DNSAPI_GLOBAL='y'
CF_Token="YOUR_CF_TOKEN"
CF_Account_ID="YOUR_CF_ACCOUNT_ID"

Cloudflare API Tokens, requires you to create your Cloudflare Token API with permissions for read access to Zone.Zone, and edit/write access to Zone.DNS, across all Zones at https://dash.cloudflare.com/profile/api-tokens and to grab your Cloudflare Account ID from any of your Cloudflare domain's main dashboard's right side column listing.

Only one Cloudflare Account is supported, so intended domains need to be within same Cloudflare Account unless you have Cloudflare Account with invited administrator access to other Cloudflare Accounts and you can generate the CF API Token to include access to the other Cloudflare Accounts.