
Beta Branch acmetool.sh fix dual cert mode ssl_trusted_certificate concat

Discussion in 'Centmin Mod Github Commits' started by eva2000, Apr 24, 2018.

  1. eva2000 (Administrator, Staff Member)
    acmetool.sh fix dual cert mode ssl_trusted_certificate concat

    When testing dual RSA 2048-bit + ECDSA 256-bit SSL certificate Let's Encrypt mode, with LETSENCRYPT_DETECT='y' + DUALCERTS='y' set in the persistent config file /etc/centminmod/custom_config.inc, the concatenated ssl_trusted_certificate file for live Let's Encrypt SSL certificates is missing, causing the ECDSA 256-bit SSL certificate not to register and nginx to fail its startup config test. This update fixes the missing concatenated ssl_trusted_certificate file by concatenating both the RSA 2048-bit and ECDSA 256-bit ssl_trusted_certificate files.

    123.09beta01 branch
  2. eva2000 (Administrator, Staff Member)
    For dual RSA + ECDSA SSL certificate mode support, see SSL - Nginx 1.11.0 introduces dual ECDSA + RSA SSL certificate support!

    With Centmin Mod 123.09beta01, when you have set LETSENCRYPT_DETECT='y' + DUALCERTS='y' in the persistent config file /etc/centminmod/custom_config.inc, you can use centmin.sh menu option 2, 22 or the nv command method to auto-generate an Nginx HTTP/2 HTTPS vhost with dual RSA + ECDSA Let's Encrypt SSL certificates, which defaults to HTTPS with an HTTP to HTTPS redirect.

    nv command usage
    Code (Text):
    nv
    
    Usage: /bin/nv [-d yourdomain.com] [-s y|n|yd|le|led|lelive|lelived] [-u ftpusername]
    
      -d  yourdomain.com or subdomain.yourdomain.com
      -s  ssl self-signed create = y or n or https only vhost = yd
      -s  le - letsencrypt test cert or led test cert with https default
      -s  lelive - letsencrypt live cert or lelived live cert with https default
      -u  your FTP username
    
      example:
    
      /bin/nv -d yourdomain.com -s y -u ftpusername
      /bin/nv -d yourdomain.com -s n -u ftpusername
      /bin/nv -d yourdomain.com -s yd -u ftpusername
      /bin/nv -d yourdomain.com -s le -u ftpusername
      /bin/nv -d yourdomain.com -s led -u ftpusername
      /bin/nv -d yourdomain.com -s lelive -u ftpusername
      /bin/nv -d yourdomain.com -s lelived -u ftpusername
    

    Run the nv command with the lelived flag (live Let's Encrypt SSL certificates, defaulting to an HTTPS-only site) to generate the domain.com HTTP/2 HTTPS nginx vhost site, with a random pure-ftpd virtual FTP username generated via pwgen:
    Code (Text):
    nv -d domain.com -s lelived -u "$(pwgen -1cnys 31)"
    

    Contents of the Centmin Mod HTTP/2 HTTPS Nginx vhost utilising both RSA 2048-bit + ECDSA 256-bit Let's Encrypt SSL certificates, at /usr/local/nginx/conf/conf.d/domain.com.ssl.conf:
    Code (Text):
    #x# HTTPS-DEFAULT
     server {
     
       server_name domain.com www.domain.com;
       return 302 https://domain.com$request_uri;
       include /usr/local/nginx/conf/staticfiles.conf;
     }
    
    #       listen   80;
    #       server_name domain.com www.domain.com;
    #       return 302 https://$server_name$request_uri;
    
    server {
      listen 443 ssl http2;
      server_name domain.com www.domain.com;
    
      include /usr/local/nginx/conf/ssl/domain.com/domain.com.crt.key.conf;
      include /usr/local/nginx/conf/ssl_include.conf;
    
      # cloudflare authenticated origin pull cert community.centminmod.com/threads/13847/
      #ssl_client_certificate /usr/local/nginx/conf/ssl/cloudflare/domain.com/origin.crt;
      #ssl_verify_client on;
      http2_max_field_size 16k;
      http2_max_header_size 32k;
      # mozilla recommended
      ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS;
      ssl_prefer_server_ciphers   on;
      #add_header Alternate-Protocol  443:npn-spdy/3;
    
      # before enabling HSTS line below read centminmod.com/nginx_domain_dns_setup.html#hsts
      #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
      #add_header X-Frame-Options SAMEORIGIN;
      #add_header X-Xss-Protection "1; mode=block" always;
      #add_header X-Content-Type-Options "nosniff" always;
      #add_header Referrer-Policy "strict-origin-when-cross-origin";
      #spdy_headers_comp 5;
      ssl_buffer_size 1369;
      ssl_session_tickets on;
     
      # enable ocsp stapling
      resolver 8.8.8.8 8.8.4.4 valid=10m;
      resolver_timeout 10s;
      ssl_stapling on;
      ssl_stapling_verify on;
    
    # ngx_pagespeed & ngx_pagespeed handler
    #include /usr/local/nginx/conf/pagespeed.conf;
    #include /usr/local/nginx/conf/pagespeedhandler.conf;
    #include /usr/local/nginx/conf/pagespeedstatslog.conf;
    
      # limit_conn limit_per_ip 16;
      # ssi  on;
    
      access_log /home/nginx/domains/domain.com/log/access.log combined buffer=256k flush=5m;
      error_log /home/nginx/domains/domain.com/log/error.log;
    
      include /usr/local/nginx/conf/autoprotect/domain.com/autoprotect-domain.com.conf;
      root /home/nginx/domains/domain.com/public;
      # uncomment cloudflare.conf include if using cloudflare for
      # server and/or vhost site
      #include /usr/local/nginx/conf/cloudflare.conf;
      include /usr/local/nginx/conf/503include-main.conf;
    
      location / {
      include /usr/local/nginx/conf/503include-only.conf;
    
    # block common exploits, sql injections etc
    #include /usr/local/nginx/conf/block.conf;
    
      # Enables directory listings when index file not found
      #autoindex  on;
    
      # Shows file listing times as local time
      #autoindex_localtime on;
    
      # Wordpress Permalinks example
      #try_files $uri $uri/ /index.php?q=$uri&$args;
    
      }
    
      include /usr/local/nginx/conf/pre-staticfiles-local-domain.com.conf;
      include /usr/local/nginx/conf/pre-staticfiles-global.conf;
      include /usr/local/nginx/conf/staticfiles.conf;
      include /usr/local/nginx/conf/php.conf;
     
      include /usr/local/nginx/conf/drop.conf;
      #include /usr/local/nginx/conf/errorpage.conf;
      include /usr/local/nginx/conf/vts_server.conf;
    }
    

    Contents of the include file /usr/local/nginx/conf/ssl/domain.com/domain.com.crt.key.conf, containing both RSA 2048-bit + ECDSA 256-bit Let's Encrypt SSL certificates for dual SSL certificate mode:
    Code (Text):
      ssl_dhparam /usr/local/nginx/conf/ssl/domain.com/dhparam.pem;
      ssl_certificate      /usr/local/nginx/conf/ssl/domain.com/domain.com-acme.cer;
      ssl_certificate_key  /usr/local/nginx/conf/ssl/domain.com/domain.com-acme.key;
    
      ssl_certificate      /usr/local/nginx/conf/ssl/domain.com/domain.com-acme-ecc.cer;
      ssl_certificate_key  /usr/local/nginx/conf/ssl/domain.com/domain.com-acme-ecc.key;
     
      #ssl_trusted_certificate /usr/local/nginx/conf/ssl/domain.com/domain.com-acme.cer;
      #ssl_trusted_certificate /usr/local/nginx/conf/ssl/domain.com/domain.com-acme-ecc.cer;
      ssl_trusted_certificate /usr/local/nginx/conf/ssl/domain.com/domain.com-dualcert-rsa-ecc.cer;
    


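The two posts above describe the same mechanism from two sides: the fix in the first post concatenates the RSA and ECDSA chain files, and the crt.key.conf include in the second post points the single ssl_trusted_certificate directive at the result (nginx accepts a second ssl_certificate/ssl_certificate_key pair for dual-cert mode, but ssl_trusted_certificate, which ssl_stapling_verify uses to validate OCSP responses, is one file). The following is an added example, not code from Centmin Mod's acmetool.sh: it builds that concatenated file, refuses to write it when either chain is missing (the condition that left the ECDSA certificate unregistered), and checks the result holds every certificate from both chains before you would run nginx -t. Directory, file names and the PEM bodies are constructed stand-ins; the real files live under /usr/local/nginx/conf/ssl/domain.com/ as shown in the thread.

```shell
#!/bin/sh
# Added example (not Centmin Mod's acmetool.sh): build and sanity-check the
# single ssl_trusted_certificate file nginx needs in dual RSA + ECDSA mode.
# All paths and certificate bodies are constructed for the demo.

# Number of PEM certificate blocks in a file; 0 if the file is missing.
count_certs() {
  [ -f "$1" ] || { echo 0; return 0; }
  grep -c '^-----BEGIN CERTIFICATE-----$' "$1" || true
}

# make_dualcert RSA_CHAIN ECC_CHAIN OUT: write OUT = RSA_CHAIN + ECC_CHAIN.
# Returns 1 and writes nothing if either input is missing or holds no
# certificate, so a half-built dual chain never reaches nginx.
make_dualcert() {
  rsa="$1"; ecc="$2"; out="$3"
  if [ "$(count_certs "$rsa")" -eq 0 ]; then
    echo "make_dualcert: no certificate in RSA chain $rsa" >&2; return 1
  fi
  if [ "$(count_certs "$ecc")" -eq 0 ]; then
    echo "make_dualcert: no certificate in ECC chain $ecc" >&2; return 1
  fi
  # Write via a temp file and rename, so OUT is either complete or absent.
  tmp="$out.tmp.$$"
  {
    cat "$rsa"
    [ -z "$(tail -c 1 "$rsa")" ] || echo   # newline between chains if missing
    cat "$ecc"
    [ -z "$(tail -c 1 "$ecc")" ] || echo
  } > "$tmp" && chmod 0644 "$tmp" && mv "$tmp" "$out"
}

# dualcert_ok OUT RSA_CHAIN ECC_CHAIN: true only if OUT contains every
# certificate from both chains. Run this before `nginx -t`.
dualcert_ok() {
  expected=$(( $(count_certs "$2") + $(count_certs "$3") ))
  [ "$expected" -gt 0 ] && [ "$(count_certs "$1")" -eq "$expected" ]
}

# Directive line to place in <domain>.crt.key.conf for the concatenated file.
trusted_directive() {
  printf 'ssl_trusted_certificate %s;\n' "$1"
}

# Constructed stand-in for an ACME chain file: N placeholder PEM blocks.
# These are not real certificates (openssl would reject the bodies); they
# only exercise the concatenation and counting logic.
write_fake_chain() {
  file="$1"; n="$2"; i=1
  : > "$file"
  while [ "$i" -le "$n" ]; do
    {
      echo '-----BEGIN CERTIFICATE-----'
      echo "CONSTRUCTED-PLACEHOLDER-$(basename "$file")-$i"
      echo '-----END CERTIFICATE-----'
    } >> "$file"
    i=$((i + 1))
  done
}

# Stand-alone demo in a scratch directory mirroring the thread's file names.
demo_dir=$(mktemp -d)
rsa_chain="$demo_dir/domain.com-acme.cer"          # RSA leaf + intermediate
ecc_chain="$demo_dir/domain.com-acme-ecc.cer"      # ECDSA leaf + intermediate
dual="$demo_dir/domain.com-dualcert-rsa-ecc.cer"
write_fake_chain "$rsa_chain" 2
write_fake_chain "$ecc_chain" 2
make_dualcert "$rsa_chain" "$ecc_chain" "$dual"
dualcert_ok "$dual" "$rsa_chain" "$ecc_chain" \
  && echo "dual chain OK: $(count_certs "$dual") certificates in $dual"
trusted_directive "$dual"
rm -rf "$demo_dir"
```

The check in dualcert_ok is deliberately a count rather than a full openssl verify: it catches the exact failure in the first post (one chain absent, so the file is never produced or is half the expected size) without needing the CA bundle on the box. If the count is right but OCSP stapling still does not work for the ECDSA certificate, the next thing to look at is that domain.com-acme-ecc.cer really contains its intermediate, since ssl_stapling_verify checks the staple against the chain in ssl_trusted_certificate.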