Beta Branch acmetool.sh 1.0.17 manual steps mode added

eva2000 · Nov 8, 2016

acmetool.sh 1.0.17 manual steps mode added

Literally a manual steps guide where nothing is automated. So the 3 step guide outlines what you need to do manually command line and nginx vhost setup wise to obtain letsencrypt ssl certificate, copy/set it ssl files at /usr/local/nginx/conf/ssl/yourdomain.com and creating nginx ssl vhost yourdomain.com.ssl.conf and replacing the ssl_certificate, ssl_certificate_key and ssl_trusted_certificate paths with the letsencrypt ssl cert file paths.
Code (Text):
./acmetool.sh manual
Continue reading...

123.09beta01 branch

Branch: https://github.com/centminmod/centminmod/tree/123.09beta01

Commit History: https://github.com/centminmod/centminmod/commits/123.09beta01

eva2000 · Nov 8, 2016

example manual steps run

Code (Text):

./acmetool.sh manual                         

---------------------------------------------------------------------------
acmetool.sh manual mode
---------------------------------------------------------------------------
interactive mode to obtain & install letsencrypt ssl certs
you will need to manually install the ssl certs to your nginx
site ssl vhost yourself as this manual mode only obtains ssl cert
and places them in /usr/local/nginx/conf/ssl/yourdomain.com
directory which you reference in your nginx vhost as outlined
at centminmod.com/nginx_configure_https_ssl_spdy.html
---------------------------------------------------------------------------
the nginx vhost site needs to exist with valid DNS A records
pointing to this server's IP address before continuing...
---------------------------------------------------------------------------

continue ? [y/n]: y

Code (Text):

---------------------------------------------------------------------------
step 1: domain verification
---------------------------------------------------------------------------
type the following manually to get a letsencrypt ssl certificate
replacing -d domain.com -d www.domain.com with yourdomain.com name
at end of output you will be notified if you successfully verified
your domain name and obtained a letsencrypt ssl certificate to
proceed to step 2 which is copying over the ssl certs to nginx
custom directory at /usr/local/nginx/conf/ssl/yourdomain.com
---------------------------------------------------------------------------
2 commands over 2 lines:

addons/acmetool.sh acmeupdate
/root/.acme.sh/acme.sh --force --issue -d domain.com -d www.domain.com -w /home/nginx/domains/domain.com/public -k 2048 --useragent centminmod-centos7-acmesh-webroot --log /root/centminlogs/acmetool.sh-debug-log-081116-031501.log --log-level 2

Code (Text):

---------------------------------------------------------------------------
step 2: copying ssl cert to /usr/local/nginx/conf/ssl/yourdomain.com
---------------------------------------------------------------------------
replacing -d domain.com -d www.domain.com with yourdomain.com name
& replacing all instances of domain.com with yourdomain.com name
a log is created for troubleshooting at:
/root/centminlogs/acmetool.sh-debug-log-081116-031501.log
---------------------------------------------------------------------------
1 command over 1 long line:

/root/.acme.sh/acme.sh --installcert -d domain.com -d www.domain.com --certpath /usr/local/nginx/conf/ssl/domain.com/domain.com-acme.cer --keypath /usr/local/nginx/conf/ssl/domain.com/domain.com-acme.key --capath /usr/local/nginx/conf/ssl/domain.com/domain.com-acme.cer --reloadCmd /usr/bin/ngxreload --fullchainpath /usr/local/nginx/conf/ssl/domain.com/domain.com-fullchain-acme.key
---------------------------------------------------------------------------

Code (Text):

---------------------------------------------------------------------------
step 3: manually install the ssl certs to your nginx vhost
---------------------------------------------------------------------------
treat ssl cert like any other and install the ssl cert files
as outlined at centminmod.com/nginx_configure_https_ssl_spdy.html
with path to ssl cert files at /usr/local/nginx/conf/ssl/yourdomain.com
note for ssl_trusted_certificate path is same as ssl_certificate for
letsencrypt ssl so no concatenation of files is needed
---------------------------------------------------------------------------
replacing all instances of domain.com with yourdomain.com name
your nginx ssl vhost would have the following lines as well as
other ssl settings outlined at centminmod.com/nginx_configure_https_ssl_spdy.html
---------------------------------------------------------------------------
if you do not currently have your domain.com.ssl.conf file, you can use
vhost generator at centminmod.com/vhost.php enter domain name and select
self-signed ssl yes and you should see initial openssl command instructions
for recreating the self-signed ssl cert and the domain.com.ssl.conf vhost file
/usr/local/nginx/conf/conf.d/domain.com.ssl.conf then replace paths for
ssl_certificate, ssl_certificate_key and ssl_trusted_certificate with below
---------------------------------------------------------------------------

ssl_certificate      /usr/local/nginx/conf/ssl/domain.com/domain.com-acme.cer;
ssl_certificate_key  /usr/local/nginx/conf/ssl/domain.com/domain.com-acme.key;
ssl_trusted_certificate /usr/local/nginx/conf/ssl/domain.com/domain.com-acme.cer;

eva2000 · Nov 8, 2016

Example of manual step method for setting up letsencrypt ssl certificate on a existing domain.com which doesn't have a nginx ssl vhost yet. You only have to do this once afterwards the underlying acme.sh client used by acmetool.sh will auto renew your SSL certificate

Prep steps

Setup domain.com and www version of domain or subdomain's DNS A record so that it points to server's IP address. Use whatsmydns.net to check the A record has globally populated first.
Create the nginx vhost if it doesn't exist already with or without self-signed ssl certificate. This below example is without self-signed ssl certificate and the generated nginx ssl vhost domain.com.ssl.conf file. You create the nginx vhost via one of methods outlined for centmin.sh menu option 2, 22 or /usr/bin/nv command. This will give you the info for the non-https nginx vhost file and public web root and log directory i.e.
Code (Text):
```
vhost for domain.com created successfully

domain: http://domain.com
vhost conf file for domain.com created: /usr/local/nginx/conf/conf.d/domain.com.conf

upload files to /home/nginx/domains/domain.com/public
vhost log files directory is /home/nginx/domains/domain.com/log
```

acmetool.sh manual mode steps

run addons/acmetool.sh manual mode
Code (Text):
```
./acmetool.sh manual
```
and follow the outlined 3 steps and the commands you need to run

Code (Text):

---------------------------------------------------------------------------
step 1: domain verification
---------------------------------------------------------------------------
type the following manually to get a letsencrypt ssl certificate
replacing -d domain.com -d www.domain.com with yourdomain.com name
at end of output you will be notified if you successfully verified
your domain name and obtained a letsencrypt ssl certificate to
proceed to step 2 which is copying over the ssl certs to nginx
custom directory at /usr/local/nginx/conf/ssl/yourdomain.com
---------------------------------------------------------------------------
2 commands over 2 lines:

addons/acmetool.sh acmeupdate
/root/.acme.sh/acme.sh --force --issue -d domain.com -d www.domain.com -w /home/nginx/domains/domain.com/public -k 2048 --useragent centminmod-centos7-acmesh-webroot --log /root/centminlogs/acmetool.sh-debug-log-081116-031501.log --log-level 2

so for step 1, run 2 commands

Code (Text):

./acmetool.sh acmeupdate

Code (Text):

/root/.acme.sh/acme.sh --force --issue -d domain.com -d www.domain.com -w /home/nginx/domains/domain.com/public -k 2048 --useragent centminmod-centos7-acmesh-webroot --log /root/centminlogs/acmetool.sh-debug-log-081116-031501.log --log-level 2

at end of successful run you would of verified domain.com and got output like below. Step 2 is copying those ssl cert files to /usr/local/nginx/conf/ssl/yourdomain.com

Code (Text):

[Tue Nov  8 03:45:59 UTC 2016] Your cert is in  /root/.acme.sh/domain.com/domain.com.cer
[Tue Nov  8 03:45:59 UTC 2016] Your cert key is in  /root/.acme.sh/domain.com/domain.com.key
[Tue Nov  8 03:46:00 UTC 2016] The intermediate CA cert is in  /root/.acme.sh/domain.com/ca.cer
[Tue Nov  8 03:46:00 UTC 2016] And the full chain certs is there:  /root/.acme.sh/domain.com/fullchain.cer

Code (Text):

---------------------------------------------------------------------------
step 2: copying ssl cert to /usr/local/nginx/conf/ssl/yourdomain.com
---------------------------------------------------------------------------
replacing -d domain.com -d www.domain.com with yourdomain.com name
& replacing all instances of domain.com with yourdomain.com name
a log is created for troubleshooting at:
/root/centminlogs/acmetool.sh-debug-log-081116-031501.log
if you do not currently have your domain.com.ssl.conf file, you can use
vhost generator at centminmod.com/vhost.php enter domain name and select
self-signed ssl yes and you should see initial openssl command instructions
for recreating the self-signed ssl cert and the domain.com.ssl.conf vhost file
/usr/local/nginx/conf/conf.d/domain.com.ssl.conf which also creates the required
directory for /usr/local/nginx/conf/ssl/yourdomain.com
---------------------------------------------------------------------------
1 command over 1 long line:

/root/.acme.sh/acme.sh --installcert -d domain.com -d www.domain.com --certpath /usr/local/nginx/conf/ssl/domain.com/domain.com-acme.cer --keypath /usr/local/nginx/conf/ssl/domain.com/domain.com-acme.key --capath /usr/local/nginx/conf/ssl/domain.com/domain.com-acme.cer --reloadCmd /usr/bin/ngxreload --fullchainpath /usr/local/nginx/conf/ssl/domain.com/domain.com-fullchain-acme.key
---------------------------------------------------------------------------

step 2, run 1 long single line command

Code (Text):

/root/.acme.sh/acme.sh --installcert -d domain.com -d www.domain.com --certpath /usr/local/nginx/conf/ssl/domain.com/domain.com-acme.cer --keypath /usr/local/nginx/conf/ssl/domain.com/domain.com-acme.key --capath /usr/local/nginx/conf/ssl/domain.com/domain.com-acme.cer --reloadCmd /usr/bin/ngxreload --fullchainpath /usr/local/nginx/conf/ssl/domain.com/domain.com-fullchain-acme.key

output

Code (Text):

/root/.acme.sh/acme.sh --installcert -d domain.com -d www.domain.com --certpath /usr/local/nginx/conf/ssl/domain.com/domain.com-acme.cer --keypath /usr/local/nginx/conf/ssl/domain.com/domain.com-acme.key --capath /usr/local/nginx/conf/ssl/domain.com/domain.com-acme.cer --reloadCmd /usr/bin/ngxreload --fullchainpath /usr/local/nginx/conf/ssl/domain.com/domain.com-fullchain-acme.key
[Tue Nov  8 03:57:33 UTC 2016] Installing cert to:/usr/local/nginx/conf/ssl/domain.com/domain.com-acme.cer
[Tue Nov  8 03:57:33 UTC 2016] Installing CA to:/usr/local/nginx/conf/ssl/domain.com/domain.com-acme.cer
[Tue Nov  8 03:57:33 UTC 2016] Installing key to:/usr/local/nginx/conf/ssl/domain.com/domain.com-acme.key
[Tue Nov  8 03:57:33 UTC 2016] Installing full chain to:/usr/local/nginx/conf/ssl/domain.com/domain.com-fullchain-acme.key
[Tue Nov  8 03:57:33 UTC 2016] Run Le_ReloadCmd: /usr/bin/ngxreload
Reloading nginx configuration (via systemctl):             [  OK  ]
[Tue Nov  8 03:57:34 UTC 2016] Reload success

Code (Text):

---------------------------------------------------------------------------
step 3: manually install the ssl certs to your nginx vhost
---------------------------------------------------------------------------
treat ssl cert like any other and install the ssl cert files
as outlined at centminmod.com/nginx_configure_https_ssl_spdy.html
with path to ssl cert files at /usr/local/nginx/conf/ssl/yourdomain.com
note for ssl_trusted_certificate path is same as ssl_certificate for
letsencrypt ssl so no concatenation of files is needed
---------------------------------------------------------------------------
replacing all instances of domain.com with yourdomain.com name
your nginx ssl vhost would have the following lines as well as
other ssl settings outlined at centminmod.com/nginx_configure_https_ssl_spdy.html
---------------------------------------------------------------------------
if you do not currently have your domain.com.ssl.conf file, you can use
vhost generator at centminmod.com/vhost.php enter domain name and select
self-signed ssl yes and you should see initial openssl command instructions
for recreating the self-signed ssl cert and the domain.com.ssl.conf vhost file
/usr/local/nginx/conf/conf.d/domain.com.ssl.conf then replace paths for
ssl_certificate, ssl_certificate_key and ssl_trusted_certificate with below
---------------------------------------------------------------------------

ssl_certificate      /usr/local/nginx/conf/ssl/domain.com/domain.com-acme.cer;
ssl_certificate_key  /usr/local/nginx/conf/ssl/domain.com/domain.com-acme.key;
ssl_trusted_certificate /usr/local/nginx/conf/ssl/domain.com/domain.com-acme.cer;

Using vhost generator in step 2 at centminmod.com/vhost.php for self-signed ssl, i manually created the self-signed ssl cert files and /usr/local/nginx/conf/conf.d/domain.com.ssl.conf as follows

Code (Text):

# Centmin Mod Getting Started Guide
# must read http://centminmod.com/getstarted.html
# For SPDY or HTTP/2 SSL Setup
# read http://centminmod.com/nginx_configure_https_ssl_spdy.html

# redirect from www to non-www  forced SSL
# uncomment, save file and restart Nginx to enable
# if unsure use return 302 before using return 301
# server {
#   server_name domain.com www.domain.com;
#    return 302 https://domain.com$request_uri;
# }

server {
  listen 443 ssl http2;
  server_name domain.com www.domain.com;

  ssl_dhparam /usr/local/nginx/conf/ssl/domain.com/dhparam.pem;
  ssl_certificate      /usr/local/nginx/conf/ssl/domain.com/domain.com.crt;
  ssl_certificate_key  /usr/local/nginx/conf/ssl/domain.com/domain.com.key;
  include /usr/local/nginx/conf/ssl_include.conf;

  http2_max_field_size 16k;
  http2_max_header_size 32k;
  # dual cert supported ssl ciphers
  ssl_ciphers     EECDH+CHACHA20-draft:EECDH+CHACHA20:EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA256:EECDH+ECDSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+SHA384:EECDH+AES128:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!CAMELLIA;
  ssl_prefer_server_ciphers   on;
  #add_header Alternate-Protocol  443:npn-spdy/3;
  #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
  #add_header X-Frame-Options SAMEORIGIN;
  #add_header X-Xss-Protection "1; mode=block" always;
  #add_header X-Content-Type-Options "nosniff" always;
  #spdy_headers_comp 5;
  ssl_buffer_size 1369;
  ssl_session_tickets on;
 
  # enable ocsp stapling
  #resolver 8.8.8.8 8.8.4.4 valid=10m;
  #resolver_timeout 10s;
  #ssl_stapling on;
  #ssl_stapling_verify on;
  #ssl_trusted_certificate /usr/local/nginx/conf/ssl/domain.com/domain.com-trusted.crt;

# ngx_pagespeed & ngx_pagespeed handler
#include /usr/local/nginx/conf/pagespeed.conf;
#include /usr/local/nginx/conf/pagespeedhandler.conf;
#include /usr/local/nginx/conf/pagespeedstatslog.conf;

  # limit_conn limit_per_ip 16;
  # ssi  on;

  access_log /home/nginx/domains/domain.com/log/access.log combined buffer=256k flush=60m;
  error_log /home/nginx/domains/domain.com/log/error.log;

  root /home/nginx/domains/domain.com/public;

  location / {

# block common exploits, sql injections etc
#include /usr/local/nginx/conf/block.conf;

  # Enables directory listings when index file not found
  #autoindex  on;

  # Shows file listing times as local time
  #autoindex_localtime on;

  # Enable for vBulletin usage WITHOUT vbSEO installed
  # More example Nginx vhost configurations at
  # http://centminmod.com/nginx_configure.html
  #try_files    $uri $uri/ /index.php;

  }

  include /usr/local/nginx/conf/staticfiles.conf;
  include /usr/local/nginx/conf/php.conf;
  include /usr/local/nginx/conf/drop.conf;
  #include /usr/local/nginx/conf/errorpage.conf;
  include /usr/local/nginx/conf/vts_server.conf;
}

then i replace the self-signed ssl paths with letsencrypt ones obtained from step 2 in manual mode

Code (Text):

ssl_certificate      /usr/local/nginx/conf/ssl/domain.com/domain.com.crt;
ssl_certificate_key  /usr/local/nginx/conf/ssl/domain.com/domain.com.key;
ssl_trusted_certificate /usr/local/nginx/conf/ssl/domain.com/domain.com-trusted.crt;

with

Code (Text):

ssl_certificate      /usr/local/nginx/conf/ssl/domain.com/domain.com-acme.cer;
ssl_certificate_key  /usr/local/nginx/conf/ssl/domain.com/domain.com-acme.key;
ssl_trusted_certificate /usr/local/nginx/conf/ssl/domain.com/domain.com-acme.cer;

You'd also want to uncomment OCSP stapling support in /usr/local/nginx/conf/conf.d/domain.com.ssl.conf

Code (Text):

  # enable ocsp stapling
  resolver 8.8.8.8 8.8.4.4 valid=10m;
  resolver_timeout 10s;
  ssl_stapling on;
  ssl_stapling_verify on;
  ssl_trusted_certificate /usr/local/nginx/conf/ssl/domain.com/domain.com-acme.cer;

then restart nginx server

These manual steps are basically what addons/acmetool.sh automated methods do behind the scenes just with more error checks etc for all combinations. The manual steps are just for live letsencrypt ssl certificates.

You only have to do this once afterwards the underlying acme.sh client used by acmetool.sh will auto renew your SSL certificate

Log in / Register

Forums

Welcome to Centmin Mod Community

Beta Branch acmetool.sh 1.0.17 manual steps mode added

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

.

Log in / Register

Useful Searches

Welcome to Centmin Mod Community

Beta Branch acmetool.sh 1.0.17 manual steps mode added

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

.