SSL About paid ssl installation and self-signed

Discussion in 'Nginx, PHP-FPM & MariaDB MySQL' started by Nelson, Sep 7, 2015.

  1. Nelson

    Nelson New Member

    Hi there.
    I'm testing an SSL certificate from Comodo (90-day trial = mydomain_com.crt, mydomain_com.ca-bundle).
    I installed centmin 1.2.3-eva2000.08; afterwards, in the console menu, I ran number 22 and for self-signed set (YES).

    To install the SSL certificate I followed these steps:
    I go to the path:
    /usr/local/nginx/conf/ssl/mydomain.com
    and remove these files (the self-signed SSL files):
    Example:
    mydomain.com.crt
    mydomain.com.key

    I copy the files from Comodo to the same path as the self-signed SSL files, with the same names:
    /usr/local/nginx/conf/ssl/mydomain.com
    mydomain.com.crt
    mydomain.com.key

    The SSL certificate is successfully installed, and the domain works very well with https (I can see the Comodo SSL signature).

    But I have one problem: via Qualys SSL Labs
    I get this warning:
    See online:
    goo.gl/GomVwT
    Another error in gtmetrix.com
    Note: Please do not mention the domain here.

    What would be the cause of this error?

    Thanks for your help





     
  2. eva2000

    eva2000 Administrator Staff Member

    If you want to switch out the self-signed SSL certificate that was auto-generated via centmin.sh menu option 2 or /usr/bin/nv cmd line nginx vhost for a paid SSL certificate, you would still need to follow the same steps outlined at Nginx SPDY SSL Configuration - CentminMod.com LEMP Nginx web stack for CentOS for obtaining and purchasing the paid SSL certificate and concatenating the SSL provider-provided files and your private key properly to create the mentioned /usr/local/nginx/conf/ssl/domaincom/ssl-unified.crt and /usr/local/nginx/conf/ssl/domaincom/ssl-trusted.crt. Just the paths to those files will specifically be /usr/local/nginx/conf/ssl/newdomain.com/ssl-unified.crt and /usr/local/nginx/conf/ssl/newdomain.com/ssl-trusted.crt.

    The only difference with the already auto-generated self-signed SSL nginx vhost structure is the actual SPDY SSL vhost itself, as it's auto-generated at /usr/local/nginx/conf/conf.d/newdomain.com.ssl.conf, and you do not need to manually create the directory at /usr/local/nginx/conf/ssl/newdomain.com or manually create the self-signed SSL certificate files.

    So the nginx vhost /usr/local/nginx/conf/conf.d/newdomain.com.ssl.conf file's path for self-signed SSL would change, and the relevant settings for paid SSL certificates would be enabled by uncommenting (removing the hash)

    from

    Code:
     
    ssl_certificate      /usr/local/nginx/conf/ssl/newdomain.com/newdomain.com.crt;
    ssl_certificate_key  /usr/local/nginx/conf/ssl/newdomain.com/ssl.key;
    
    # enable ocsp stapling
    #resolver 8.8.8.8 8.8.4.4 valid=10m;
    #resolver_timeout 10s;
    #ssl_stapling on;
    #ssl_stapling_verify on;
    #ssl_trusted_certificate /usr/local/nginx/conf/ssl/newdomain.com/newdomain.com-trusted.crt;
    
    to

    Code:
      ssl_certificate      /usr/local/nginx/conf/ssl/newdomain.com/ssl-unified.crt;
      ssl_certificate_key  /usr/local/nginx/conf/ssl/newdomain.com/newdomain.com.key;
    
      # enable ocsp stapling
      resolver 8.8.8.8 8.8.4.4 valid=10m;
      resolver_timeout 10s;
      ssl_stapling on;
      ssl_stapling_verify on;
      ssl_trusted_certificate /usr/local/nginx/conf/ssl/newdomain.com/ssl-trusted.crt;

    where ssl-unified.crt and ssl-trusted.crt are files created via the concatenating instructions. Then it's just a matter of restarting the Nginx server.

    Examples of SSL certificate concatenating are at SSL - Compiled list of SSL certificate file name bundles | Centmin Mod Community. If you're using a paid SSL certificate, you might want to post in that thread to contribute the file names your SSL provider emailed you so I can build a database of known paid SSL certificate types and their provided file names.
     
    Last edited: Sep 7, 2015
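
One way to build and check the ssl-unified.crt and ssl-trusted.crt files the reply above refers to, as an added example that is not part of the thread or Centmin Mod's own instructions. It assumes ssl-unified.crt is the domain certificate followed by the provider's CA bundle and ssl-trusted.crt is the CA bundle alone; the `build_ssl_files` helper and its argument order are hypothetical.

```shell
#!/usr/bin/env bash
# Added example (not from the thread). Assumed layout: ssl-unified.crt is the
# domain certificate followed by the CA bundle; ssl-trusted.crt is the bundle.

# build_ssl_files <domain cert> <CA bundle> <private key> <output dir>
# (hypothetical helper; name and argument order are illustrative)
build_ssl_files() {
  local cert="$1" bundle="$2" key="$3" out="$4"
  local cert_pub key_pub

  # Extract the public key from both files; an unreadable input is an error,
  # not an empty string that would compare equal to another empty string.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) ||
    { echo "cannot read certificate: $cert" >&2; return 2; }
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) ||
    { echo "cannot read private key: $key" >&2; return 2; }

  # nginx refuses to start when ssl_certificate_key does not belong to the
  # first certificate in ssl_certificate, so check before writing any files.
  [ "$cert_pub" = "$key_pub" ] ||
    { echo "private key does not match certificate" >&2; return 3; }

  # The domain certificate must chain to the bundle. -partial_chain accepts a
  # bundle that holds only intermediates and no root.
  openssl verify -partial_chain -CAfile "$bundle" "$cert" >/dev/null 2>&1 ||
    { echo "certificate does not chain to $bundle" >&2; return 4; }

  # awk 1 re-emits every line with a trailing newline, so a certificate file
  # without a final newline cannot fuse its END line with the next BEGIN line.
  awk 1 "$cert" "$bundle" > "$out/ssl-unified.crt"
  awk 1 "$bundle" > "$out/ssl-trusted.crt"
}
```

Run it with the provider's certificate, the provider's CA bundle and the private key that produced the CSR, then point `ssl_certificate` and `ssl_trusted_certificate` at the two output files.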
  3. Nelson

    Nelson New Member

    Thanks for all the explanation; later I will do this process.

    Have a good day
     