acmetool.sh 1.0.14 fix for certonly-issue DNS mode renew routine

addons/acmetool.sh DNS mode issuance for Let's Encrypt SSL certificates needed a minor fix for when you are issuing staging test SSL certs, as it requires passing the --staging flag to the --renew command in the underlying acme.sh tool which acmetool.sh uses.

123.09beta01 branch
Branch: https://github.com/centminmod/centminmod/tree/123.09beta01
Commit History: https://github.com/centminmod/centminmod/commits/123.09beta01
Test run of DNS mode via certonly-issue for acmedns1.domain.com and acmedns2.domain.com, where I ran DNS mode issuance of a staging test Let's Encrypt SSL certificate for just acmedns1.domain.com first, added the appropriate DNS TXT verification record and issued the staging test Let's Encrypt SSL certificate:

Code (Text):
cd /usr/local/src/centminmod
addons/acmetool.sh certonly-issue acmedns1.domain.com

then re-ran it to add acmedns2.domain.com to the same acmedns1.domain.com certificate for a SAN multi-domain staging test Let's Encrypt SSL certificate:

Code (Text):
cd /usr/local/src/centminmod
addons/acmetool.sh certonly-issue acmedns1.domain.com,acmedns2.domain.com

Output for the re-run:

Code (Text):
addons/acmetool.sh certonly-issue acmedns1.domain.com,acmedns2.domain.com
-----------------------------------------------------
updating acme.sh client...
-----------------------------------------------------
[Wed Oct 26 03:22:51 UTC 2016] Installing to /root/.acme.sh
[Wed Oct 26 03:22:51 UTC 2016] Installed to /root/.acme.sh/acme.sh
[Wed Oct 26 03:22:52 UTC 2016] Installing alias to '/root/.bashrc'
[Wed Oct 26 03:22:52 UTC 2016] OK, Close and reopen your terminal to start using acme.sh
[Wed Oct 26 03:22:52 UTC 2016] Installing alias to '/root/.cshrc'
[Wed Oct 26 03:22:52 UTC 2016] Installing alias to '/root/.tcshrc'
[Wed Oct 26 03:22:52 UTC 2016] Installing cron job
0 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null
[Wed Oct 26 03:22:52 UTC 2016] Good, bash is found, so change the shebang to use bash as prefered.
[Wed Oct 26 03:22:52 UTC 2016] OK
https://github.com/Neilpang/acme.sh
v2.6.2
-----------------------------------------------------
acme.sh updated
-----------------------------------------------------
acmedns1.domain.com,acmedns2.domain.com

Code (Text):
-----------------------------------------------------------
[DNS mode] issue & install letsencrypt ssl certificate for acmedns1.domain.com
-----------------------------------------------------------
testcert value =
/root/.acme.sh/acme.sh --staging --issue --force --dns -d acmedns1.domain.com -d acmedns2.domain.com -k 2048 --useragent centminmod-centos7-acmesh-dns --log /root/centminlogs/acmetool.sh-debug-log-261016-032248.log --log-level 2
[Wed Oct 26 03:22:53 UTC 2016] Using stage api:https://acme-staging.api.letsencrypt.org
[Wed Oct 26 03:22:57 UTC 2016] Registering account
[Wed Oct 26 03:23:05 UTC 2016] Already registered
[Wed Oct 26 03:23:12 UTC 2016] Update success.
[Wed Oct 26 03:23:12 UTC 2016] Multi domain='DNS:acmedns2.domain.com'
[Wed Oct 26 03:23:12 UTC 2016] Verify each domain
[Wed Oct 26 03:23:12 UTC 2016] Getting webroot for domain='acmedns1.domain.com'
[Wed Oct 26 03:23:12 UTC 2016] _w='dns'
[Wed Oct 26 03:23:12 UTC 2016] Getting new-authz for domain='acmedns1.domain.com'
[Wed Oct 26 03:23:21 UTC 2016] acmedns1.domain.com is already verified, skip.
[Wed Oct 26 03:23:21 UTC 2016] Getting webroot for domain='acmedns2.domain.com'
[Wed Oct 26 03:23:21 UTC 2016] _w='dns'
[Wed Oct 26 03:23:21 UTC 2016] Getting new-authz for domain='acmedns2.domain.com'
[Wed Oct 26 03:23:29 UTC 2016] acmedns1.domain.com is already verified, skip dns-01.
[Wed Oct 26 03:23:29 UTC 2016] Add the following TXT record:
[Wed Oct 26 03:23:29 UTC 2016] Domain: '_acme-challenge.acmedns2.domain.com'
[Wed Oct 26 03:23:29 UTC 2016] TXT value: 'CzmNS456s8mQu9cnWnOcRL4TEnChJl9ssyBRipmZubY'
[Wed Oct 26 03:23:29 UTC 2016] Please be aware that you prepend _acme-challenge. before your domain
[Wed Oct 26 03:23:29 UTC 2016] so the resulting subdomain will be: _acme-challenge.acmedns2.domain.com
[Wed Oct 26 03:23:29 UTC 2016] Please add the TXT records to the domains, and retry again.
[Wed Oct 26 03:23:29 UTC 2016] Dns not added, skip.
[Wed Oct 26 03:23:29 UTC 2016] Please check log file for more details: /root/centminlogs/acmetool.sh-debug-log-261016-032248.log

Code (Text):
---------------------------------
DNS mode requires manual steps below
---------------------------------
Add the following TXT record:
Domain: '_acme-challenge.acmedns2.domain.com'
TXT value: 'CzmNS456s8mQu9cnWnOcRL4TEnChJl9ssyBRipmZubY'
Please be aware that you prepend _acme-challenge. before your domain
Dns not added, skip.
Please check log file for more details: /root/centminlogs/acmetool.sh-debug-log-261016-032248.log

Once DNS updated for acmedns1.domain.com, run SSH command:
---------------------------------
/root/.acme.sh/acme.sh --force --renew --staging -d acmedns1.domain.com -d acmedns2.domain.com
---------------------------------
SSL certs will be located : /root/.acme.sh/acmedns1.domain.com

If want to install cert into Nginx vhost, run SSH command:
---------------------------------
/root/.acme.sh/acme.sh --installcert -d acmedns1.domain.com -d acmedns2.domain.com --certpath /usr/local/nginx/conf/ssl/acmedns1.domain.com/acmedns1.domain.com-acme.cer --keypath /usr/local/nginx/conf/ssl/acmedns1.domain.com/acmedns1.domain.com-acme.key --capath /usr/local/nginx/conf/ssl/acmedns1.domain.com/acmedns1.domain.com-acme.cer --reloadCmd /usr/bin/ngxreload --fullchainpath /usr/local/nginx/conf/ssl/acmedns1.domain.com/acmedns1.domain.com-fullchain-acme.key
---------------------------------
SSL certs will be installed at : /usr/local/nginx/conf/ssl/acmedns1.domain.com/

Notice that acmedns1.domain.com was already verified by the previous DNS verification and that authorization is still valid for 90 days, so its challenge can be skipped:

Code (Text):
[Wed Oct 26 03:23:21 UTC 2016] acmedns1.domain.com is already verified, skip.

So only acmedns2.domain.com needed a TXT DNS verification record added. Once it is added and the TXT record has propagated, do the 2nd step of issuing the SSL cert as instructed in the text above. Note that the renew command carries the --staging flag; without it, acme.sh would be renewing against a different API environment than the one the staging issuance was started against:

Code (Text):
Once DNS updated for acmedns1.domain.com, run SSH command:
---------------------------------
/root/.acme.sh/acme.sh --force --renew --staging -d acmedns1.domain.com -d acmedns2.domain.com

and output:

Code (Text):
/root/.acme.sh/acme.sh --force --renew --staging -d acmedns1.domain.com -d acmedns2.domain.com
[Wed Oct 26 03:24:31 UTC 2016] Using stage api:https://acme-staging.api.letsencrypt.org
[Wed Oct 26 03:24:31 UTC 2016] Renew: 'acmedns1.domain.com'
[Wed Oct 26 03:24:36 UTC 2016] Registering account
[Wed Oct 26 03:24:42 UTC 2016] Already registered
[Wed Oct 26 03:24:50 UTC 2016] Update success.
[Wed Oct 26 03:24:50 UTC 2016] Multi domain='DNS:acmedns2.domain.com'
[Wed Oct 26 03:24:50 UTC 2016] Verify each domain
[Wed Oct 26 03:24:50 UTC 2016] acmedns1.domain.com is already verified, skip dns-01.
[Wed Oct 26 03:24:50 UTC 2016] Verifying:acmedns2.domain.com
[Wed Oct 26 03:25:03 UTC 2016] Success
[Wed Oct 26 03:25:03 UTC 2016] Dns not added, skip.
[Wed Oct 26 03:25:03 UTC 2016] Verify finished, start to sign.
[Wed Oct 26 03:25:13 UTC 2016] Cert success.

Code (Text):
-----BEGIN CERTIFICATE-----
MIIFEjCCA/qgAwIBAgITAPr/ma3iGnBEZcJ5Ue7MwtZOzjANBgkqhkiG9w0BAQsF
ADAiMSAwHgYDVQQDDBdGYWtlIExFIEludGVybWVkaWF0ZSBYMTAeFw0xNjEwMjYw
MjI1MDBaFw0xNzAxMjQwMjI1MDBaMCQxIjAgBgNVBAMTGWFjbWV0b29sZG5zMS5o
dHRwMnNzbC54eXowggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDBeE81
7SgQPmcZN1NZ5Tuv6RHPWn/ezS3+rKiuYh8bcCxkGYpkjQFCLI367VBuNHaQHdiW
sBV4vAO6pXV/XqraFbyRU/UswjG0uB6NyDkliEXBabcyKJXAkPLz+j2AT9ldWoh9
SrM6DV0GwG0YvkZbulVocVdHeQom2yI89bs2xzMNQwKDrUpXv0l7L+EEBWfLmDu+
SHQ0lOq+wqOEIwD4GPj1H94l9d4LxjnfoeVg7Y3UhTMVAcC5doSapIO/wghG5jfK
EmW2zvtr4VSxJ21sKh6VsKBwyZ1imzih90sBbesrwqPeVBEPvRxO/3K9Fet9sW3B
A4laxCenxq/g4PgRAgMBAAGjggI9MIICOTAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0l
BBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYE
FLXscKI40fsxyoljkahs7hanxklHHkhsknaxujakshaAFMDMA0a5WCDMXHJw8+Eu
yyCm9Wg6MHgGCCsGAQUFBwEBBGwwajAzBggrBgEFBQcwAYYnaHR0cDovL29jc3Au
c3RnLWludC14MS5sZXRzZW5jcnlwdC5vcmcvMDMGCCsGAQUFBzAChidodHRwOi8v
KwYBBQUHAgEWGmh0dHA6Ly9jcHMubGV0c2VuY3J5cHQub3JnMIGrBggrBgEFBQcC
AjCBngyBm1RoaXMgQ2VydGlmaWNhdGUgbWF5IG9ubHkgYmUgcmVsaWVkIHVwb24g
YnkgUmVseWluZyBQYXJ0aWVzIGFuZCBvbmx5IGluIGFjY29yZGFuY2Ugd2l0aCB0
aGUgQ2VydGlmaWNhdGUgUG9saWN5IGZvdW5kIGF0IGh0dHBzOi8vbGV0c2VuY3J5
cHQub3JnL3JlcG9zaXRvcnkvMA0GCSqGSIb3DQEBCwUAA4IBAQBlHXsgil0JbbVy
IxdeFErYOn9RXjqB7BymXXmrIY/0Np6C7G6VRp9mSqxgfaUJKS30Wmb45LDOIIQ2
4BNOBQ5MS8OE56p85f0SOCFhE9/KKALOk5je3UPdkFvcsFJCXQ1DMbsKhxmFjYOT
2acjmmIG5DsgV6DawkuY8Ilbrlc4mDwdeMLsUlHolcljzysgaAy6B36blL6WwaDA
i042AHTR4dMj9wnsH+si8VQpSfDiB6heHGuCsXq8jy9DQaVE8h6HQ/4InKtIbI1P
+ZQ8zy9i
-----END CERTIFICATE-----
[Wed Oct 26 03:25:13 UTC 2016] Your cert is in /root/.acme.sh/acmedns1.domain.com/acmedns1.domain.com.cer
[Wed Oct 26 03:25:13 UTC 2016] Your cert key is in /root/.acme.sh/acmedns1.domain.com/acmedns1.domain.com.key
[Wed Oct 26 03:25:15 UTC 2016] The intermediate CA cert is in /root/.acme.sh/acmedns1.domain.com/ca.cer
[Wed Oct 26 03:25:15 UTC 2016] And the full chain certs is there: /root/.acme.sh/acmedns1.domain.com/fullchain.cer

So the SSL cert is available at /root/.acme.sh/acmedns1.domain.com/acmedns1.domain.com.cer, the SSL cert private key at /root/.acme.sh/acmedns1.domain.com/acmedns1.domain.com.key, and the fullchain.cer for nginx at /root/.acme.sh/acmedns1.domain.com/fullchain.cer. The issuer in that certificate is the Let's Encrypt staging CA (Fake LE Intermediate X1), so browsers will not trust it; that is expected for a staging test cert.
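The manual step between the two runs above is "add the TXT record, wait for it to propagate, then run the --renew command". The following script is an added example for this post (it is not part of acmetool.sh or acme.sh) that automates the waiting: it looks up the zone's authoritative nameservers by walking up the labels of the domain, queries each of them directly for _acme-challenge.<domain> (so a stale recursive resolver cache cannot give a false positive), and exits 0 only when every authoritative server returns the exact token acme.sh printed. It assumes dig is installed (bind-utils on CentOS) and that the zone's NS records are publicly resolvable; the script name and the retry defaults are made up for the example.

```bash
#!/usr/bin/env bash
# Added example for this post (not part of acmetool.sh or acme.sh).
# Confirms the _acme-challenge TXT record that acme.sh asked for is served by
# every authoritative nameserver of the zone before the follow-up
# "acme.sh --force --renew --staging ..." step is run. Querying the
# authoritative servers directly (@ns) sidesteps stale recursive-resolver caches.
# Assumptions: dig is installed (bind-utils on CentOS); the zone's NS records
# are public.

# Collapse one line of `dig +short TXT` output to the bare token: dig quotes the
# string and may split a long one into "abc" "def"; acme.sh prints it unquoted.
normalize_txt() {
  printf '%s' "$1" | sed -e 's/" "//g' -e 's/^"//' -e 's/"$//'
}

# Read TXT lines on stdin; succeed if one of them equals the expected token $1.
txt_contains() {
  expected="$1"
  while IFS= read -r line; do
    if [ -n "$line" ] && [ "$(normalize_txt "$line")" = "$expected" ]; then
      return 0
    fi
  done
  return 1
}

# Print the authoritative nameservers for the zone containing name $1, by
# walking up the labels until an NS RRset is found (handles delegated
# sub-zones and multi-label public suffixes without guessing the apex).
zone_nameservers() {
  name="$1"
  while [ -n "$name" ]; do
    ns=$(dig +short NS "$name." 2>/dev/null | sed 's/\.$//')
    if [ -n "$ns" ]; then
      printf '%s\n' "$ns"
      return 0
    fi
    case "$name" in
      *.*) name="${name#*.}" ;;
      *)   break ;;
    esac
  done
  return 1
}

# Succeed only when every authoritative server for $1 returns TXT token $2
# at _acme-challenge.$1; report per-server results on stderr.
challenge_visible_everywhere() {
  fqdn="_acme-challenge.$1"
  token="$2"
  servers=$(zone_nameservers "$1") || { echo "no NS found for $1" >&2; return 1; }
  ok=0
  for ns in $servers; do
    if dig +short TXT "$fqdn." "@$ns" 2>/dev/null | txt_contains "$token"; then
      echo "OK      $ns serves $fqdn" >&2
    else
      echo "MISSING $ns does not serve $fqdn (token absent or stale)" >&2
      ok=1
    fi
  done
  return $ok
}

# Usage: acme-dns-wait.sh <domain> <txt-token> [attempts] [sleep-seconds]
# Exits 0 once the record is visible on all authoritative servers, so it can
# be chained in front of the renew step printed by acmetool.sh:
#   ./acme-dns-wait.sh acmedns2.domain.com CzmNS456s8mQu9cnWnOcRL4TEnChJl9ssyBRipmZubY && \
#   /root/.acme.sh/acme.sh --force --renew --staging -d acmedns1.domain.com -d acmedns2.domain.com
main() {
  set -eu
  command -v dig >/dev/null 2>&1 || { echo "dig not found (yum install bind-utils)" >&2; exit 2; }
  domain="$1"; token="$2"; attempts="${3:-30}"; pause="${4:-10}"
  i=1
  while [ "$i" -le "$attempts" ]; do
    if challenge_visible_everywhere "$domain" "$token"; then
      echo "TXT record propagated to all authoritative servers; safe to run acme.sh --renew" >&2
      exit 0
    fi
    echo "attempt $i/$attempts: not yet propagated, sleeping ${pause}s" >&2
    i=$((i + 1))
    sleep "$pause"
  done
  echo "gave up after $attempts attempts" >&2
  exit 1
}

[ $# -eq 0 ] || main "$@"
```

Checking the authoritative servers rather than your local resolver matters because the Let's Encrypt validation servers resolve the name themselves; a TXT record that has reached one of your secondaries but not the other can still fail the dns-01 challenge, and a leftover token from an earlier run is reported as MISSING rather than accepted.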
Notice in the initial certonly-issue run the instructions for installing the issued SSL cert into an Nginx vhost:

Code (Text):
If want to install cert into Nginx vhost, run SSH command:
---------------------------------
/root/.acme.sh/acme.sh --installcert -d acmedns1.domain.com -d acmedns2.domain.com --certpath /usr/local/nginx/conf/ssl/acmedns1.domain.com/acmedns1.domain.com-acme.cer --keypath /usr/local/nginx/conf/ssl/acmedns1.domain.com/acmedns1.domain.com-acme.key --capath /usr/local/nginx/conf/ssl/acmedns1.domain.com/acmedns1.domain.com-acme.cer --reloadCmd /usr/bin/ngxreload --fullchainpath /usr/local/nginx/conf/ssl/acmedns1.domain.com/acmedns1.domain.com-fullchain-acme.key
---------------------------------
SSL certs will be installed at : /usr/local/nginx/conf/ssl/acmedns1.domain.com/

The nginx vhost for acmedns1.domain.com has to exist before you can run that --installcert command. You can use centmin.sh menu option 2 or the /usr/bin/nv command line to create acmedns1.domain.com first, as outlined at Nginx Vhost & NSD DNS Setup (CentminMod.com LEMP Nginx web stack for CentOS). Using the nv command is easy: in SSH type the following, with the -s y flag for a self-signed SSL cert and https vhost generation:

Code (Text):
nv -d acmedns1.domain.com -s y -u YOURDESIRED_FTPUSERNAME

or use centmin.sh menu option 2, making sure to answer yes to the self-signed SSL cert question, as that auto-generates the https nginx vhost config file too:

Code (Text):
--------------------------------------------------------
     Centmin Mod Menu 123.09beta01 centminmod.com
--------------------------------------------------------
1).  Centmin Install
2).  Add Nginx vhost domain
3).  NSD setup domain name DNS
4).  Nginx Upgrade / Downgrade
5).  PHP Upgrade / Downgrade
6).  XCache Re-install
7).  APC Cache Re-install
8).  XCache Install
9).  APC Cache Install
10). Memcached Server Re-install
11). MariaDB 5.2/5.5 & 10.x Upgrade Sub-Menu
12). Zend OpCache Install/Re-install
13). Install/Reinstall Redis PHP Extension
14). SELinux disable
15). Install/Reinstall ImagicK PHP Extension
16). Change SSHD Port Number
17). Multi-thread compression: pigz,pbzip2,lbzip2...
18). Suhosin PHP Extension install
19). Install FFMPEG and FFMPEG PHP Extension
20). NSD Install/Re-Install
21). Update - Nginx + PHP-FPM + Siege
22). Add Wordpress Nginx vhost + Cache Plugin
23). Update Centmin Mod Code Base
24). Exit
--------------------------------------------------------
Enter option [ 1 - 24 ]

Once the nginx vhost is created, you can run the instructed command to install the DNS mode obtained Let's Encrypt SSL certificate:

Code (Text):
/root/.acme.sh/acme.sh --installcert -d acmedns1.domain.com -d acmedns2.domain.com --certpath /usr/local/nginx/conf/ssl/acmedns1.domain.com/acmedns1.domain.com-acme.cer --keypath /usr/local/nginx/conf/ssl/acmedns1.domain.com/acmedns1.domain.com-acme.key --capath /usr/local/nginx/conf/ssl/acmedns1.domain.com/acmedns1.domain.com-acme.cer --reloadCmd /usr/bin/ngxreload --fullchainpath /usr/local/nginx/conf/ssl/acmedns1.domain.com/acmedns1.domain.com-fullchain-acme.key

This installs the Let's Encrypt SSL certificate files to the /usr/local/nginx/conf/ssl/acmedns1.domain.com/ directory. You then need to edit your acmedns1.domain.com.ssl.conf vhost, changing these lines, which point at the default generated self-signed SSL cert:

Code (Text):
ssl_certificate      /usr/local/nginx/conf/ssl/acmedns1.domain.com/acmedns1.domain.com.crt;
ssl_certificate_key  /usr/local/nginx/conf/ssl/acmedns1.domain.com/acmedns1.domain.com.key;

# enable ocsp stapling
#resolver 8.8.8.8 8.8.4.4 valid=10m;
#resolver_timeout 10s;
#ssl_stapling on;
#ssl_stapling_verify on;
#ssl_trusted_certificate /usr/local/nginx/conf/ssl/acmedns1.domain.com/acmedns1.domain.com-trusted.crt;

to:

Code (Text):
ssl_certificate      /usr/local/nginx/conf/ssl/acmedns1.domain.com/acmedns1.domain.com-acme.cer;
ssl_certificate_key  /usr/local/nginx/conf/ssl/acmedns1.domain.com/acmedns1.domain.com-acme.key;

# enable ocsp stapling
#resolver 8.8.8.8 8.8.4.4 valid=10m;
#resolver_timeout 10s;
#ssl_stapling on;
#ssl_stapling_verify on;
#ssl_trusted_certificate /usr/local/nginx/conf/ssl/acmedns1.domain.com/acmedns1.domain.com-acme.cer;

then restart nginx. You can uncomment the last 5 lines if using a live Let's Encrypt SSL certificate, but leave them commented out if using staging test Let's Encrypt SSL certs, as OCSP stapling isn't supported for the staging test certs:

Code (Text):
resolver 8.8.8.8 8.8.4.4 valid=10m;
resolver_timeout 10s;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /usr/local/nginx/conf/ssl/acmedns1.domain.com/acmedns1.domain.com-acme.cer;
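Before pointing the vhost at the new -acme.cer and -acme.key files and reloading, it is worth verifying what --installcert actually wrote. The script below is an added example for this post (not part of acmetool.sh, acme.sh or Centmin Mod) that checks three things a reload will not tell you in advance: that the certificate's public key matches the private key (a mismatch makes nginx refuse to load the config, taking every vhost in that process down), that the SAN list covers every hostname the vhost serves, and whether the issuer is the Let's Encrypt staging CA, in which case the certificate is fine for testing but browsers will reject it and the OCSP stapling lines must stay commented out. It assumes openssl on PATH, a Centmin Mod nginx binary at /usr/local/nginx/sbin/nginx and the /usr/bin/ngxreload helper from the --installcert command; the staging issuer is recognised by the strings "Fake LE" (as in the 2016 certificate shown above) or "(STAGING)" (the current staging CA names). The script name is made up for the example.

```bash
#!/usr/bin/env bash
# Added example for this post (not part of acmetool.sh, acme.sh or Centmin Mod).
# Sanity-checks the files `acme.sh --installcert` wrote into
# /usr/local/nginx/conf/ssl/<domain>/ before the vhost is switched to them.
# Assumptions: openssl on PATH; nginx at /usr/local/nginx/sbin/nginx and the
# ngxreload helper (both from the Centmin Mod layout in this post); staging
# issuers contain "Fake LE" (2016) or "(STAGING)" (current).

# Succeed if the public key embedded in cert $1 equals the public key derived
# from private key $2. Comparing SubjectPublicKeyInfo PEMs works for RSA and EC.
cert_matches_key() {
  c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# Print the DNS names from the cert's subjectAltName extension, one per line.
cert_sans() {
  openssl x509 -in "$1" -noout -text 2>/dev/null | awk '
    /Subject Alternative Name/ {
      getline
      gsub(/[ \t]/, "")
      n = split($0, a, ",")
      for (i = 1; i <= n; i++) if (a[i] ~ /^DNS:/) print substr(a[i], 5)
    }'
}

# Succeed only if cert $1 lists every hostname given after it as a DNS SAN.
cert_covers() {
  cert="$1"; shift
  sans=$(cert_sans "$cert")
  for host in "$@"; do
    printf '%s\n' "$sans" | grep -qxF "$host" || return 1
  done
  return 0
}

# Succeed if cert $1 was issued by the Let's Encrypt staging environment.
is_staging_cert() {
  openssl x509 -in "$1" -noout -issuer 2>/dev/null | grep -qiE 'Fake LE|\(STAGING\)'
}

# Usage: check-installed-cert.sh <cert> <key> <hostname>...
#   check-installed-cert.sh \
#     /usr/local/nginx/conf/ssl/acmedns1.domain.com/acmedns1.domain.com-acme.cer \
#     /usr/local/nginx/conf/ssl/acmedns1.domain.com/acmedns1.domain.com-acme.key \
#     acmedns1.domain.com acmedns2.domain.com
main() {
  set -u
  cert="$1"; key="$2"; shift 2
  status=0
  if cert_matches_key "$cert" "$key"; then
    echo "OK   certificate and private key match"
  else
    echo "FAIL certificate/key mismatch: nginx will refuse to load this pair"; status=1
  fi
  if cert_covers "$cert" "$@"; then
    echo "OK   SANs cover: $*"
  else
    echo "FAIL SAN list is only: $(cert_sans "$cert" | tr '\n' ' ')"; status=1
  fi
  if is_staging_cert "$cert"; then
    echo "WARN staging (test) issuer: browsers will not trust it; keep the ssl_stapling lines commented out"
  fi
  openssl x509 -in "$cert" -noout -subject -issuer -dates
  # Reload only when the checks pass, and only after nginx -t has validated
  # the edited vhost, so a bad config never reaches the running workers.
  if [ "$status" -eq 0 ] && [ -x /usr/local/nginx/sbin/nginx ] && command -v ngxreload >/dev/null 2>&1; then
    /usr/local/nginx/sbin/nginx -t && ngxreload
  fi
  exit "$status"
}

[ $# -eq 0 ] || main "$@"
```

Run it after editing the ssl.conf vhost and before reloading; a FAIL on the key check usually means the vhost still points at the old .key while ssl_certificate was switched to the -acme.cer, and the staging WARN is the cue to leave the resolver/ssl_stapling block commented until a live certificate is installed.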