Beta Branch acmetool.sh 1.0.17 manual steps mode added

Discussion in 'Centmin Mod Github Commits' started by eva2000, Nov 8, 2016.

  1. eva2000

    eva2000 Administrator Staff Member

    acmetool.sh 1.0.17 manual steps mode added

    Literally a manual steps guide where nothing is automated. So the 3-step guide outlines what you need to do manually, command line and nginx vhost setup wise, to obtain a letsencrypt ssl certificate, copy/set its ssl files at /usr/local/nginx/conf/ssl/yourdomain.com, create the nginx ssl vhost yourdomain.com.ssl.conf, and replace the ssl_certificate, ssl_certificate_key and ssl_trusted_certificate paths with the letsencrypt ssl cert file paths.

    Code (Text):
    ./acmetool.sh manual
    



    123.09beta01 branch
     
  2. eva2000

    example manual steps run
    Code (Text):
    ./acmetool.sh manual                         
    
    ---------------------------------------------------------------------------
    acmetool.sh manual mode
    ---------------------------------------------------------------------------
    interactive mode to obtain & install letsencrypt ssl certs
    you will need to manually install the ssl certs to your nginx
    site ssl vhost yourself as this manual mode only obtains ssl cert
    and places them in /usr/local/nginx/conf/ssl/yourdomain.com
    directory which you reference in your nginx vhost as outlined
    at centminmod.com/nginx_configure_https_ssl_spdy.html
    ---------------------------------------------------------------------------
    the nginx vhost site needs to exist with valid DNS A records
    pointing to this server's IP address before continuing...
    ---------------------------------------------------------------------------
    
    continue ? [y/n]: y
    

    Code (Text):
    ---------------------------------------------------------------------------
    step 1: domain verification
    ---------------------------------------------------------------------------
    type the following manually to get a letsencrypt ssl certificate
    replacing -d domain.com -d www.domain.com with yourdomain.com name
    at end of output you will be notified if you successfully verified
    your domain name and obtained a letsencrypt ssl certificate to
    proceed to step 2 which is copying over the ssl certs to nginx
    custom directory at /usr/local/nginx/conf/ssl/yourdomain.com
    ---------------------------------------------------------------------------
    2 commands over 2 lines:
    
    addons/acmetool.sh acmeupdate
    /root/.acme.sh/acme.sh --force --issue -d domain.com -d www.domain.com -w /home/nginx/domains/domain.com/public -k 2048 --useragent centminmod-centos7-acmesh-webroot --log /root/centminlogs/acmetool.sh-debug-log-081116-031501.log --log-level 2
    

    Code (Text):
    ---------------------------------------------------------------------------
    step 2: copying ssl cert to /usr/local/nginx/conf/ssl/yourdomain.com
    ---------------------------------------------------------------------------
    replacing -d domain.com -d www.domain.com with yourdomain.com name
    & replacing all instances of domain.com with yourdomain.com name
    a log is created for troubleshooting at:
    /root/centminlogs/acmetool.sh-debug-log-081116-031501.log
    ---------------------------------------------------------------------------
    1 command over 1 long line:
    
    /root/.acme.sh/acme.sh --installcert -d domain.com -d www.domain.com --certpath /usr/local/nginx/conf/ssl/domain.com/domain.com-acme.cer --keypath /usr/local/nginx/conf/ssl/domain.com/domain.com-acme.key --capath /usr/local/nginx/conf/ssl/domain.com/domain.com-acme.cer --reloadCmd /usr/bin/ngxreload --fullchainpath /usr/local/nginx/conf/ssl/domain.com/domain.com-fullchain-acme.key
    ---------------------------------------------------------------------------
    

    Code (Text):
    ---------------------------------------------------------------------------
    step 3: manually install the ssl certs to your nginx vhost
    ---------------------------------------------------------------------------
    treat ssl cert like any other and install the ssl cert files
    as outlined at centminmod.com/nginx_configure_https_ssl_spdy.html
    with path to ssl cert files at /usr/local/nginx/conf/ssl/yourdomain.com
    note for ssl_trusted_certificate path is same as ssl_certificate for
    letsencrypt ssl so no concatenation of files is needed
    ---------------------------------------------------------------------------
    replacing all instances of domain.com with yourdomain.com name
    your nginx ssl vhost would have the following lines as well as
    other ssl settings outlined at centminmod.com/nginx_configure_https_ssl_spdy.html
    ---------------------------------------------------------------------------
    if you do not currently have your domain.com.ssl.conf file, you can use
    vhost generator at centminmod.com/vhost.php enter domain name and select
    self-signed ssl yes and you should see initial openssl command instructions
    for recreating the self-signed ssl cert and the domain.com.ssl.conf vhost file
    /usr/local/nginx/conf/conf.d/domain.com.ssl.conf then replace paths for
    ssl_certificate, ssl_certificate_key and ssl_trusted_certificate with below
    ---------------------------------------------------------------------------
    
    ssl_certificate      /usr/local/nginx/conf/ssl/domain.com/domain.com-acme.cer;
    ssl_certificate_key  /usr/local/nginx/conf/ssl/domain.com/domain.com-acme.key;
    ssl_trusted_certificate /usr/local/nginx/conf/ssl/domain.com/domain.com-acme.cer;
    
     
  3. eva2000

    Example of the manual step method for setting up a letsencrypt ssl certificate on an existing domain.com which doesn't have an nginx ssl vhost yet. You only have to do this once; afterwards the underlying acme.sh client used by acmetool.sh will auto renew your SSL certificate :)

    Prep steps
    1. Set up the DNS A record for domain.com and the www version of the domain (or subdomain) so that it points to the server's IP address. Use whatsmydns.net to check the A record has globally propagated first.
    2. Create the nginx vhost, if it doesn't exist already, with or without a self-signed ssl certificate. The example below is without a self-signed ssl certificate and the generated nginx ssl vhost domain.com.ssl.conf file. You create the nginx vhost via one of the methods outlined for centmin.sh menu option 2, 22 or the /usr/bin/nv command. This will give you the info for the non-https nginx vhost file and the public web root and log directory, i.e.
      Code (Text):
      vhost for domain.com created successfully
      
      domain: http://domain.com
      vhost conf file for domain.com created: /usr/local/nginx/conf/conf.d/domain.com.conf
      
      upload files to /home/nginx/domains/domain.com/public
      vhost log files directory is /home/nginx/domains/domain.com/log
      
    acmetool.sh manual mode steps
    1. run addons/acmetool.sh manual mode
      Code (Text):
      ./acmetool.sh manual
      and follow the outlined 3 steps and the commands you need to run
    Code (Text):
    ---------------------------------------------------------------------------
    step 1: domain verification
    ---------------------------------------------------------------------------
    type the following manually to get a letsencrypt ssl certificate
    replacing -d domain.com -d www.domain.com with yourdomain.com name
    at end of output you will be notified if you successfully verified
    your domain name and obtained a letsencrypt ssl certificate to
    proceed to step 2 which is copying over the ssl certs to nginx
    custom directory at /usr/local/nginx/conf/ssl/yourdomain.com
    ---------------------------------------------------------------------------
    2 commands over 2 lines:
    
    addons/acmetool.sh acmeupdate
    /root/.acme.sh/acme.sh --force --issue -d domain.com -d www.domain.com -w /home/nginx/domains/domain.com/public -k 2048 --useragent centminmod-centos7-acmesh-webroot --log /root/centminlogs/acmetool.sh-debug-log-081116-031501.log --log-level 2
    

    So for step 1, run 2 commands:
    Code (Text):
    ./acmetool.sh acmeupdate
    

    Code (Text):
    /root/.acme.sh/acme.sh --force --issue -d domain.com -d www.domain.com -w /home/nginx/domains/domain.com/public -k 2048 --useragent centminmod-centos7-acmesh-webroot --log /root/centminlogs/acmetool.sh-debug-log-081116-031501.log --log-level 2
    

    At the end of a successful run you would have verified domain.com and got output like below. Step 2 is copying those ssl cert files to /usr/local/nginx/conf/ssl/yourdomain.com
    Code (Text):
    [Tue Nov  8 03:45:59 UTC 2016] Your cert is in  /root/.acme.sh/domain.com/domain.com.cer
    [Tue Nov  8 03:45:59 UTC 2016] Your cert key is in  /root/.acme.sh/domain.com/domain.com.key
    [Tue Nov  8 03:46:00 UTC 2016] The intermediate CA cert is in  /root/.acme.sh/domain.com/ca.cer
    [Tue Nov  8 03:46:00 UTC 2016] And the full chain certs is there:  /root/.acme.sh/domain.com/fullchain.cer
    

    Code (Text):
    ---------------------------------------------------------------------------
    step 2: copying ssl cert to /usr/local/nginx/conf/ssl/yourdomain.com
    ---------------------------------------------------------------------------
    replacing -d domain.com -d www.domain.com with yourdomain.com name
    & replacing all instances of domain.com with yourdomain.com name
    a log is created for troubleshooting at:
    /root/centminlogs/acmetool.sh-debug-log-081116-031501.log
    if you do not currently have your domain.com.ssl.conf file, you can use
    vhost generator at centminmod.com/vhost.php enter domain name and select
    self-signed ssl yes and you should see initial openssl command instructions
    for recreating the self-signed ssl cert and the domain.com.ssl.conf vhost file
    /usr/local/nginx/conf/conf.d/domain.com.ssl.conf which also creates the required
    directory for /usr/local/nginx/conf/ssl/yourdomain.com
    ---------------------------------------------------------------------------
    1 command over 1 long line:
    
    /root/.acme.sh/acme.sh --installcert -d domain.com -d www.domain.com --certpath /usr/local/nginx/conf/ssl/domain.com/domain.com-acme.cer --keypath /usr/local/nginx/conf/ssl/domain.com/domain.com-acme.key --capath /usr/local/nginx/conf/ssl/domain.com/domain.com-acme.cer --reloadCmd /usr/bin/ngxreload --fullchainpath /usr/local/nginx/conf/ssl/domain.com/domain.com-fullchain-acme.key
    ---------------------------------------------------------------------------
    

    Step 2: run 1 long single-line command
    Code (Text):
    /root/.acme.sh/acme.sh --installcert -d domain.com -d www.domain.com --certpath /usr/local/nginx/conf/ssl/domain.com/domain.com-acme.cer --keypath /usr/local/nginx/conf/ssl/domain.com/domain.com-acme.key --capath /usr/local/nginx/conf/ssl/domain.com/domain.com-acme.cer --reloadCmd /usr/bin/ngxreload --fullchainpath /usr/local/nginx/conf/ssl/domain.com/domain.com-fullchain-acme.key
    

    output
    Code (Text):
    /root/.acme.sh/acme.sh --installcert -d domain.com -d www.domain.com --certpath /usr/local/nginx/conf/ssl/domain.com/domain.com-acme.cer --keypath /usr/local/nginx/conf/ssl/domain.com/domain.com-acme.key --capath /usr/local/nginx/conf/ssl/domain.com/domain.com-acme.cer --reloadCmd /usr/bin/ngxreload --fullchainpath /usr/local/nginx/conf/ssl/domain.com/domain.com-fullchain-acme.key
    [Tue Nov  8 03:57:33 UTC 2016] Installing cert to:/usr/local/nginx/conf/ssl/domain.com/domain.com-acme.cer
    [Tue Nov  8 03:57:33 UTC 2016] Installing CA to:/usr/local/nginx/conf/ssl/domain.com/domain.com-acme.cer
    [Tue Nov  8 03:57:33 UTC 2016] Installing key to:/usr/local/nginx/conf/ssl/domain.com/domain.com-acme.key
    [Tue Nov  8 03:57:33 UTC 2016] Installing full chain to:/usr/local/nginx/conf/ssl/domain.com/domain.com-fullchain-acme.key
    [Tue Nov  8 03:57:33 UTC 2016] Run Le_ReloadCmd: /usr/bin/ngxreload
    Reloading nginx configuration (via systemctl):             [  OK  ]
    [Tue Nov  8 03:57:34 UTC 2016] Reload success
    


    Code (Text):
    ---------------------------------------------------------------------------
    step 3: manually install the ssl certs to your nginx vhost
    ---------------------------------------------------------------------------
    treat ssl cert like any other and install the ssl cert files
    as outlined at centminmod.com/nginx_configure_https_ssl_spdy.html
    with path to ssl cert files at /usr/local/nginx/conf/ssl/yourdomain.com
    note for ssl_trusted_certificate path is same as ssl_certificate for
    letsencrypt ssl so no concatenation of files is needed
    ---------------------------------------------------------------------------
    replacing all instances of domain.com with yourdomain.com name
    your nginx ssl vhost would have the following lines as well as
    other ssl settings outlined at centminmod.com/nginx_configure_https_ssl_spdy.html
    ---------------------------------------------------------------------------
    if you do not currently have your domain.com.ssl.conf file, you can use
    vhost generator at centminmod.com/vhost.php enter domain name and select
    self-signed ssl yes and you should see initial openssl command instructions
    for recreating the self-signed ssl cert and the domain.com.ssl.conf vhost file
    /usr/local/nginx/conf/conf.d/domain.com.ssl.conf then replace paths for
    ssl_certificate, ssl_certificate_key and ssl_trusted_certificate with below
    ---------------------------------------------------------------------------
    
    ssl_certificate      /usr/local/nginx/conf/ssl/domain.com/domain.com-acme.cer;
    ssl_certificate_key  /usr/local/nginx/conf/ssl/domain.com/domain.com-acme.key;
    ssl_trusted_certificate /usr/local/nginx/conf/ssl/domain.com/domain.com-acme.cer;
    

    Using the vhost generator in step 2 at centminmod.com/vhost.php for self-signed ssl, I manually created the self-signed ssl cert files and /usr/local/nginx/conf/conf.d/domain.com.ssl.conf as follows
    Code (Text):
    # Centmin Mod Getting Started Guide
    # must read http://centminmod.com/getstarted.html
    # For SPDY or HTTP/2 SSL Setup
    # read http://centminmod.com/nginx_configure_https_ssl_spdy.html
    
    # redirect from www to non-www  forced SSL
    # uncomment, save file and restart Nginx to enable
    # if unsure use return 302 before using return 301
    # server {
    #   server_name domain.com www.domain.com;
    #    return 302 https://domain.com$request_uri;
    # }
    
    server {
      listen 443 ssl http2;
      server_name domain.com www.domain.com;
    
      ssl_dhparam /usr/local/nginx/conf/ssl/domain.com/dhparam.pem;
      ssl_certificate      /usr/local/nginx/conf/ssl/domain.com/domain.com.crt;
      ssl_certificate_key  /usr/local/nginx/conf/ssl/domain.com/domain.com.key;
      include /usr/local/nginx/conf/ssl_include.conf;
    
      http2_max_field_size 16k;
      http2_max_header_size 32k;
      # dual cert supported ssl ciphers
      ssl_ciphers     EECDH+CHACHA20-draft:EECDH+CHACHA20:EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA256:EECDH+ECDSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+SHA384:EECDH+AES128:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!CAMELLIA;
      ssl_prefer_server_ciphers   on;
      #add_header Alternate-Protocol  443:npn-spdy/3;
      #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
      #add_header X-Frame-Options SAMEORIGIN;
      #add_header X-Xss-Protection "1; mode=block" always;
      #add_header X-Content-Type-Options "nosniff" always;
      #spdy_headers_comp 5;
      ssl_buffer_size 1369;
      ssl_session_tickets on;
     
      # enable ocsp stapling
      #resolver 8.8.8.8 8.8.4.4 valid=10m;
      #resolver_timeout 10s;
      #ssl_stapling on;
      #ssl_stapling_verify on;
      #ssl_trusted_certificate /usr/local/nginx/conf/ssl/domain.com/domain.com-trusted.crt;
    
    # ngx_pagespeed & ngx_pagespeed handler
    #include /usr/local/nginx/conf/pagespeed.conf;
    #include /usr/local/nginx/conf/pagespeedhandler.conf;
    #include /usr/local/nginx/conf/pagespeedstatslog.conf;
    
      # limit_conn limit_per_ip 16;
      # ssi  on;
    
      access_log /home/nginx/domains/domain.com/log/access.log combined buffer=256k flush=60m;
      error_log /home/nginx/domains/domain.com/log/error.log;
    
      root /home/nginx/domains/domain.com/public;
    
      location / {
    
    # block common exploits, sql injections etc
    #include /usr/local/nginx/conf/block.conf;
    
      # Enables directory listings when index file not found
      #autoindex  on;
    
      # Shows file listing times as local time
      #autoindex_localtime on;
    
      # Enable for vBulletin usage WITHOUT vbSEO installed
      # More example Nginx vhost configurations at
      # http://centminmod.com/nginx_configure.html
      #try_files    $uri $uri/ /index.php;
    
      }
    
      include /usr/local/nginx/conf/staticfiles.conf;
      include /usr/local/nginx/conf/php.conf;
      include /usr/local/nginx/conf/drop.conf;
      #include /usr/local/nginx/conf/errorpage.conf;
      include /usr/local/nginx/conf/vts_server.conf;
    }
    

    Then I replace the self-signed ssl paths with the letsencrypt ones obtained from step 2 in manual mode
    Code (Text):
    ssl_certificate      /usr/local/nginx/conf/ssl/domain.com/domain.com.crt;
    ssl_certificate_key  /usr/local/nginx/conf/ssl/domain.com/domain.com.key;
    ssl_trusted_certificate /usr/local/nginx/conf/ssl/domain.com/domain.com-trusted.crt;
    

    with
    Code (Text):
    ssl_certificate      /usr/local/nginx/conf/ssl/domain.com/domain.com-acme.cer;
    ssl_certificate_key  /usr/local/nginx/conf/ssl/domain.com/domain.com-acme.key;
    ssl_trusted_certificate /usr/local/nginx/conf/ssl/domain.com/domain.com-acme.cer;
    

    You'd also want to uncomment OCSP stapling support in /usr/local/nginx/conf/conf.d/domain.com.ssl.conf
    Code (Text):
      # enable ocsp stapling
      resolver 8.8.8.8 8.8.4.4 valid=10m;
      resolver_timeout 10s;
      ssl_stapling on;
      ssl_stapling_verify on;
      ssl_trusted_certificate /usr/local/nginx/conf/ssl/domain.com/domain.com-acme.cer;
    

    Then restart the nginx server.

    These manual steps are basically what the addons/acmetool.sh automated methods do behind the scenes, just with more error checks etc. for all combinations. The manual steps are just for live letsencrypt ssl certificates.

    You only have to do this once; afterwards the underlying acme.sh client used by acmetool.sh will auto renew your SSL certificate :)
     
    Last edited: Nov 16, 2016
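Added example, not acmetool.sh's own code and not from the thread: a POSIX sh pre-reload check for the three ssl_* paths in a domain.com.ssl.conf vhost, the step 3 edit described above. It expects, as the thread's "no concatenation needed" note implies, that the file named in ssl_trusted_certificate holds the leaf plus the intermediate CA, checks that the private key is not group/world readable, and builds its own placeholder PEM files in a temp dir so it runs without a real certificate; the function names and sample layout are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of acmetool.sh: pre-reload sanity check of the
# ssl_* paths in a Centmin Mod style nginx ssl vhost (conf.d/domain.com.ssl.conf).

# Print the value of the first uncommented occurrence of an nginx directive.
# A space is required after the name so ssl_certificate does not match
# ssl_certificate_key.
vhost_directive_path() {
  sed -n "s/^[[:space:]]*$2[[:space:]][[:space:]]*\([^;]*\);.*/\1/p" "$1" | head -n 1
}

# Return 0 when the vhost's cert, key and trusted-chain files look usable,
# 1 otherwise; each problem found is reported on stderr.
check_vhost_ssl() {
  conf=$1; rc=0
  cert=$(vhost_directive_path "$conf" ssl_certificate)
  key=$(vhost_directive_path "$conf" ssl_certificate_key)
  chain=$(vhost_directive_path "$conf" ssl_trusted_certificate)
  for f in "$cert" "$key" "$chain"; do
    if [ -z "$f" ] || [ ! -s "$f" ]; then
      echo "missing or empty file: ${f:-<directive not set>}" >&2; rc=1
    fi
  done
  [ "$rc" -eq 0 ] || return 1
  grep -q 'BEGIN CERTIFICATE' "$cert" \
    || { echo "no PEM certificate in $cert" >&2; rc=1; }
  grep -q 'PRIVATE KEY' "$key" \
    || { echo "no PEM private key in $key" >&2; rc=1; }
  # the key must not be readable by group/other (ls -l mode columns 5-10)
  case $(ls -l "$key" | cut -c5-10) in
    ------) ;;
    *) echo "key $key is readable by group or others" >&2; rc=1 ;;
  esac
  # OCSP stapling verification needs the intermediate CA in this file,
  # so expect the leaf plus at least one CA certificate block
  [ "$(grep -c 'BEGIN CERTIFICATE' "$chain")" -ge 2 ] \
    || { echo "$chain holds fewer than 2 certificates" >&2; rc=1; }
  return "$rc"
}

# Constructed sample: placeholder PEM files and a vhost in a temp dir.
# $1 = good (leaf + CA in the .cer) or leafonly. Prints the vhost path.
make_sample_vhost() {
  dir=$(mktemp -d); ssl="$dir/ssl/domain.com"; mkdir -p "$ssl"
  printf '%s\n' '-----BEGIN CERTIFICATE-----' LEAF '-----END CERTIFICATE-----' \
    > "$ssl/domain.com-acme.cer"
  [ "$1" = leafonly ] || printf '%s\n' '-----BEGIN CERTIFICATE-----' CA \
    '-----END CERTIFICATE-----' >> "$ssl/domain.com-acme.cer"
  printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' KEY '-----END RSA PRIVATE KEY-----' \
    > "$ssl/domain.com-acme.key"
  chmod 600 "$ssl/domain.com-acme.key"
  cat > "$dir/domain.com.ssl.conf" <<EOF
server {
  listen 443 ssl http2;
  server_name domain.com www.domain.com;
  ssl_certificate      $ssl/domain.com-acme.cer;
  ssl_certificate_key  $ssl/domain.com-acme.key;
  ssl_trusted_certificate $ssl/domain.com-acme.cer;
}
EOF
  echo "$dir/domain.com.ssl.conf"
}
```

Run `check_vhost_ssl /usr/local/nginx/conf/conf.d/domain.com.ssl.conf` after the step 3 edit and before reloading nginx; a non-zero exit means one of the three paths is wrong.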