
Letsencrypt Centmin Mod Letsencrypt Branch testing discussions

Discussion in 'Domains, DNS, Email & SSL Certificates' started by eva2000, Jan 17, 2016.

Thread Status:
Not open for further replies.
  1. eva2000

    eva2000 Administrator Staff Member

    53,208
    12,113
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,649
    Local Time:
    7:18 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    Update: May 28th, 2016: Existing 123.09beta01le* branch work is being scrapped as I am rewriting the Letsencrypt integration from scratch with a new addon called acmetool.sh. Details at Letsencrypt - Welcome to acmetool.sh - new letsencrypt addon for Centmin Mod LEMP stacks | Centmin Mod Community

    Letsencrypt integration into Centmin Mod is running on a separate experimental github branch, 123.09beta01le*, and the latest current branch is 123.09beta01le4. As of Jan 31, 2016, additional 3rd party letsencrypt client support for the shell based le client was added: Letsencrypt - Centmin Mod Letsencrypt Branch testing discussions | Centmin Mod Community


    You should test on a test server with a test site for now and not for production usage, as Letsencrypt has been in public beta since Dec 3, 2015, their client is still in beta and undergoing development, and they have rate limiting in place so you can't obtain too many Letsencrypt SSL certificates at one time. See rate limit details and other notes here.

    123.09beta01le4 created

    Examples

    Last edited: May 28, 2016
  2. eva2000


    Notes & Tips

    /usr/bin/nv command line

    With the 123.09beta01le3 letsencrypt integration branch, centmin.sh menu option 2 or 22, or the /usr/bin/nv command line tool, can be used to generate an Nginx vhost and obtain and set up an Nginx HTTP/2 based site with a Letsencrypt SSL certificate.

    command options for /usr/bin/nv
    Code:
    nv
    
    Usage: /usr/bin/nv [-d yourdomain.com] [-s y|n|le] [-u ftpusername]
    
      -d  yourdomain.com or subdomain.yourdomain.com
      -s  ssl self-signed create = y or n or le (for letsencrypt ssl certs)
      -u  your FTP username
    
      example:
    
      /usr/bin/nv -d yourdomain.com -s y -u ftpusername
      /usr/bin/nv -d yourdomain.com -s le -u ftpusername
    
    So you can easily generate, via the command line, a new Nginx HTTP/2 site with a letsencrypt SSL certificate using the below command:
    Code:
    nv -d le15.http2ssl.xyz -s le -u USERNAME
    Output after completion will display the relevant paths to the nginx vhost and ssl vhost conf files, and the paths to both the auto generated self-signed SSL certificate and the Letsencrypt SSL certificate.

    For the Nginx HTTPS SSL vhost:
    Code:
    vhost ssl for le15.http2ssl.xyz created successfully
    
    domain: https://le15.http2ssl.xyz
    vhost ssl conf file for le15.http2ssl.xyz created: /usr/local/nginx/conf/conf.d/le15.http2ssl.xyz.ssl.conf
    /usr/local/nginx/conf/ssl_include.conf created
    Self-signed SSL Certificate: /usr/local/nginx/conf/ssl/le15.http2ssl.xyz/le15.http2ssl.xyz.crt
    SSL Private Key: /usr/local/nginx/conf/ssl/le15.http2ssl.xyz/le15.http2ssl.xyz.key
    SSL CSR File: /usr/local/nginx/conf/ssl/le15.http2ssl.xyz/le15.http2ssl.xyz.csr
    Backup SSL Private Key: /usr/local/nginx/conf/ssl/le15.http2ssl.xyz/le15.http2ssl.xyz-backup.key
    Backup SSL CSR File: /usr/local/nginx/conf/ssl/le15.http2ssl.xyz/le15.http2ssl.xyz-backup.csr
    
    Letsencrypt SSL Certificate: /etc/letsencrypt/live/le15.http2ssl.xyz/cert.pem
    Letsencrypt SSL Certificate Private Key: /etc/letsencrypt/live/le15.http2ssl.xyz/privkey.pem
    Letsencrypt SSL Certificate Chain: /etc/letsencrypt/live/le15.http2ssl.xyz/chain.pem
    Letsencrypt SSL Certificate Full Chain: /etc/letsencrypt/live/le15.http2ssl.xyz/fullchain.pem
    Letsencrypt le15.http2ssl.xyz cronjob file: /usr/local/nginx/conf/ssl/le15.http2ssl.xyz/letsencrypt-le15.http2ssl.xyz-cron
    
    upload files to /home/nginx/domains/le15.http2ssl.xyz/public
    vhost log files directory is /home/nginx/domains/le15.http2ssl.xyz/log
    auto generated Nginx HTTP/2 based SSL vhost file /usr/local/nginx/conf/conf.d/le15.http2ssl.xyz.ssl.conf contents:
    Code:
    # Centmin Mod Getting Started Guide
    # must read http://centminmod.com/getstarted.html
    # For SPDY SSL Setup
    # read http://centminmod.com/nginx_configure_https_ssl_spdy.html
    
    # redirect from www to non-www  forced SSL
    # uncomment, save file and restart Nginx to enable
    # if unsure use return 302 before using return 301
    # server {
    #   server_name le15.http2ssl.xyz www.le15.http2ssl.xyz;
    #    return 302 https://$server_name$request_uri;
    # }
    
    server {
      listen 443 ssl http2;
      server_name le15.http2ssl.xyz www.le15.http2ssl.xyz;
    
      ssl_dhparam /usr/local/nginx/conf/ssl/le15.http2ssl.xyz/dhparam.pem;
      ssl_certificate      /etc/letsencrypt/live/le15.http2ssl.xyz/fullchain.pem;
      ssl_certificate_key  /etc/letsencrypt/live/le15.http2ssl.xyz/privkey.pem;
      include /usr/local/nginx/conf/ssl_include.conf;
    
      # mozilla recommended
      ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!CAMELLIA:!DES-CBC3-SHA;
      ssl_prefer_server_ciphers   on;
      #add_header Alternate-Protocol  443:npn-spdy/3;
      # HTTP Public Key Pinning Header uncomment only one that applies include or exclude domains.
      # You'd want to include subdomains if you're using SSL wildcard certificates
      # include subdomain
      #add_header Public-Key-Pins 'pin-sha256="Zy7RMNpe1/u3Mq3prXMvzAWoCY80n2vJ5UmoQycXEO4="; pin-sha256="upuKQf9P0W834U0QQkPXpgHo//Bgqsta4qB05V+IPhY="; max-age=86400; includeSubDomains';
      # exclude subdomains
      #add_header Public-Key-Pins 'pin-sha256="Zy7RMNpe1/u3Mq3prXMvzAWoCY80n2vJ5UmoQycXEO4="; pin-sha256="upuKQf9P0W834U0QQkPXpgHo//Bgqsta4qB05V+IPhY="; max-age=86400';
      #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
      #add_header  X-Content-Type-Options "nosniff";
      #add_header X-Frame-Options DENY;
      #spdy_headers_comp 5;
      ssl_buffer_size 1400;
      ssl_session_tickets on;
    
      # enable ocsp stapling
      resolver 8.8.8.8 8.8.4.4 valid=10m;
      resolver_timeout 10s;
      ssl_stapling on;
      ssl_stapling_verify on;
      ssl_trusted_certificate /etc/letsencrypt/live/le15.http2ssl.xyz/fullchain.pem;
    
    # ngx_pagespeed & ngx_pagespeed handler
    #include /usr/local/nginx/conf/pagespeed.conf;
    #include /usr/local/nginx/conf/pagespeedhandler.conf;
    #include /usr/local/nginx/conf/pagespeedstatslog.conf;
    
      # limit_conn limit_per_ip 16;
      # ssi  on;
    
      access_log /home/nginx/domains/le15.http2ssl.xyz/log/access.log combined buffer=256k flush=60m;
      error_log /home/nginx/domains/le15.http2ssl.xyz/log/error.log;
    
      root /home/nginx/domains/le15.http2ssl.xyz/public;
    
      location / {
    
    # block common exploits, sql injections etc
    #include /usr/local/nginx/conf/block.conf;
    
      # Enables directory listings when index file not found
      #autoindex  on;
    
      # Shows file listing times as local time
      #autoindex_localtime on;
    
      # Enable for vBulletin usage WITHOUT vbSEO installed
      # More example Nginx vhost configurations at
      # http://centminmod.com/nginx_configure.html
      #try_files    $uri $uri/ /index.php;
    
      }
    
      include /usr/local/nginx/conf/staticfiles.conf;
      include /usr/local/nginx/conf/php.conf;
      include /usr/local/nginx/conf/drop.conf;
      #include /usr/local/nginx/conf/errorpage.conf;
      include /usr/local/nginx/conf/vts_server.conf;
    }
    Pay attention to the paths to the Letsencrypt SSL certificates in the Nginx HTTP/2 based SSL config file:
    Code:
      ssl_dhparam /usr/local/nginx/conf/ssl/le15.http2ssl.xyz/dhparam.pem;
      ssl_certificate      /etc/letsencrypt/live/le15.http2ssl.xyz/fullchain.pem;
      ssl_certificate_key  /etc/letsencrypt/live/le15.http2ssl.xyz/privkey.pem;
    
      ssl_trusted_certificate /etc/letsencrypt/live/le15.http2ssl.xyz/fullchain.pem;
    
    • /usr/local/nginx/conf/ssl/le15.http2ssl.xyz/dhparam.pem was generated when auto generating the self-signed SSL certificate section of the routine.
    • /etc/letsencrypt/live/le15.http2ssl.xyz/fullchain.pem - the concatenated Letsencrypt SSL certificate in Letsencrypt's own directory /etc/letsencrypt/live/le15.http2ssl.xyz/
    • /etc/letsencrypt/live/le15.http2ssl.xyz/privkey.pem - the Letsencrypt SSL certificate's private key in Letsencrypt's own directory /etc/letsencrypt/live/le15.http2ssl.xyz/
    Auto Renewal of Letsencrypt SSL certificate

    Letsencrypt SSL certificates have a 90 day expiry, so you ideally want to renew them around the 60 day mark to be safe. Using the Centmin Mod 123.09beta01le3 branch to generate your Nginx HTTP/2 SSL vhost site with a Letsencrypt SSL certificate will also set up an automated cronjob to auto renew your certificate when the expiry date falls between 7 and 30 days remaining.

    So for le15.http2ssl.xyz a cronjob was set up with the file at /usr/local/nginx/conf/ssl/le15.http2ssl.xyz/letsencrypt-le15.http2ssl.xyz-cron

    listing cronjobs
    Code:
    crontab -l
    10 1 */9 * * sleep 882s ; /bin/bash /usr/local/nginx/conf/ssl/le15.http2ssl.xyz/letsencrypt-le15.http2ssl.xyz-cron > /dev/null 2>&1
    Contents of cronjob file /usr/local/nginx/conf/ssl/le15.http2ssl.xyz/letsencrypt-le15.http2ssl.xyz-cron
    Code:
    EMAIL=$(awk '/email/ {print $3}' /etc/letsencrypt/webroot.ini)
    ERRORLOG=$(tail /var/log/letsencrypt/letsencrypt.log)
    CERT="/etc/letsencrypt/live/le15.http2ssl.xyz/cert.pem"
    
    if [[ -f $CERT ]]; then
      expiry=$(openssl x509 -enddate -noout -in $CERT | cut -d'=' -f2 | awk '{print $2   $1   $4}')
      epochExpirydate=$(date -d${expiry} +%s)
      epochToday=$(date +%s)
      secondsToExpire=$(echo ${epochExpirydate} - ${epochToday} | bc)
      daysToExpire=$(echo ${secondsToExpire} / 60 / 60 / 24 | bc)
      if [ $daysToExpire -lt '30' ]; then
        /root/.local/share/letsencrypt/bin/letsencrypt -c /etc/letsencrypt/webroot.ini --user-agent centminmod-centos6-webroot --webroot-path /home/nginx/domains/le15.http2ssl.xyz/public -d le15.http2ssl.xyz certonly
        if [ $? -ne 0 ]; then
            sleep 1; echo -e "The Lets Encrypt SSL Certificate for le15.http2ssl.xyz has not been renewed! \n \n" $ERRORLOG | dos2unix | mail -s "Lets Encrypt Cert Alert" $EMAIL
          else
            /usr/bin/ngxreload
        fi
      fi
    fi
    exit 0
    Taking Letsencrypt SSL certificate elsewhere

    As you can see, the Letsencrypt SSL certificate is contained in /etc/letsencrypt/live/le15.http2ssl.xyz/ via symlinked files. So technically, if you want to migrate and test this SSL certificate on another server, all you would need to do is download a copy of the contents and files located in /etc/letsencrypt/live/le15.http2ssl.xyz/. Make sure you do not remove or alter the files in /etc/letsencrypt/live/le15.http2ssl.xyz/, as that can break Letsencrypt clients' operations, I suspect.
    Code:
    ls -lAh /etc/letsencrypt/live/le15.http2ssl.xyz/
    total 0
    lrwxrwxrwx 1 root root 41 Jan 16 15:52 cert.pem -> ../../archive/le15.http2ssl.xyz/cert1.pem
    lrwxrwxrwx 1 root root 42 Jan 16 15:52 chain.pem -> ../../archive/le15.http2ssl.xyz/chain1.pem
    lrwxrwxrwx 1 root root 46 Jan 16 15:52 fullchain.pem -> ../../archive/le15.http2ssl.xyz/fullchain1.pem
    lrwxrwxrwx 1 root root 44 Jan 16 15:52 privkey.pem -> ../../archive/le15.http2ssl.xyz/privkey1.pem
    An easy way to copy and zip up the files to /home/nginx/domains/le15.http2ssl.xyz/backup/letsencrypt-certs.zip would be via these commands.
    Code:
    cd /etc/letsencrypt/live/le15.http2ssl.xyz/
    zip -r /home/nginx/domains/le15.http2ssl.xyz/backup/letsencrypt-certs.zip *
    Code:
    ls -lAh /home/nginx/domains/le15.http2ssl.xyz/backup/
    total 12K
    -rw-r--r-- 1 root nginx 8.3K Jan 16 16:35 letsencrypt-certs.zip
    Note the Letsencrypt SSL certificate generated has a 90 day expiry, so if you're testing on other servers, you'd need to renew and copy over the Letsencrypt SSL certificate before the 90 day expiry and pay attention to the DNS requirements for Letsencrypt SSL auto renewal.
     
    Last edited: Jan 17, 2016
  3. eva2000

    reserved for centmin.sh menu 2
     
  4. eva2000

    reserved for centmin.sh menu 22
     
  5. ModeltogTossen

    ModeltogTossen I wish I could??

    313
    97
    28
    Dec 20, 2015
    Denmark
    Ratings:
    +143
    Local Time:
    11:18 PM
    1.9.12
    10.0.23
    So in theory I could make one box with LE3, generate a lot of dummy domains only to get those letsencrypt certificates, and then copy off those respective certs to another server hosting the right domain with content?

    One question remains. If I copy off to another server, then my DNS is also changed - what happens when the LE3 has to renew those certs?

    Does the update of the cert still require the DNS A record to point to the LE3 server, or only when you create the cert for the domain the first time?
     
  6. eva2000

    yeah technically speaking
    ah indeed that is one of the dilemmas. Yes, to auto renew the Letsencrypt certificate on the 123.09beta01le3 based LEMP stack server, you need the domain's DNS pointing at that server's IP address. There's work on the Letsencrypt staging server for DNS type validation instead of the file based validation in my webroot authentication integration. So eventually you should be able to have a DNS record set up to validate the domain so you can use the Letsencrypt SSL certificate on any server. So looking forward to that.
    Yes, for webroot authentication the domain DNS has to point to the 123.09beta01le3 based server for renewals to validate the domain.
    So the suggestion I have right now is just for test site usage and not production :) So if you need to do some testing on a test site for less than 90 days :)
     
  7. eva2000

  8. eva2000

    Found a bug in 123.09beta01le3: in the auto generated cronjob file the CERT variable improperly escaped the ${vhostname} variable

    incorrect
    Code:
    CERT="/etc/letsencrypt/live/${vhostname}/cert.pem"
    correct should be the name of the vhost domain that is being renewed, i.e. le15.http2ssl.xyz
    Code:
    CERT="/etc/letsencrypt/live/le15.http2ssl.xyz/cert.pem"
    If you have already set up some vhosts, check and manually correct the cronjob's CERT variable to the right vhost domain name.

    corrected in this commit fix letsencrypt auto cron renewal variables · centminmod/centminmod@160e6c6 · GitHub
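As an added example (not Centmin Mod's own code and not part of this post), the script below ties together the renewal logic from the Notes & Tips post above and the CERT variable bug here: it reads the CERT path out of a cron file and rejects one that still holds an unexpanded ${vhostname}, and it computes days-to-expiry from an `openssl x509 -enddate` line with the same 30-day threshold the cron job uses. It assumes GNU date (date -d) and a POSIX shell; check_cronfile and the sample cron file contents are hypothetical.

```shell
#!/bin/bash
# Added example, not Centmin Mod's own code. Assumes GNU date (date -d).

# Print the CERT= path from a renewal cron file. Exit status 1 means the path
# still holds an unexpanded ${...} variable (the 123.09beta01le3 bug), 2 means
# no CERT= line was found at all.
cert_path_from_cronfile() {
  cronfile="$1"
  cert=$(sed -n 's/^CERT="\(.*\)"$/\1/p' "$cronfile" | head -n 1)
  [ -n "$cert" ] || return 2
  case "$cert" in
    *'${'*) return 1 ;;
  esac
  printf '%s\n' "$cert"
}

# Whole days from NOW_EPOCH until the notAfter time in an
# "openssl x509 -enddate -noout" line such as
# "notAfter=Apr 15 15:52:00 2016 GMT". GNU date parses that string as is,
# so the awk field reordering done in the cron file is not needed.
days_to_expire() {
  enddate_line="$1"
  now_epoch="$2"
  expiry_epoch=$(date -u -d "${enddate_line#notAfter=}" +%s) || return 2
  echo $(( (expiry_epoch - now_epoch) / 86400 ))
}

# Same decision the cron file makes: renew once fewer than 30 days remain.
needs_renewal() {
  days=$(days_to_expire "$1" "$2") || return 2
  [ "$days" -lt 30 ]
}

# Run both checks against a real cron file and the certificate it names.
# Usage: check_cronfile /usr/local/nginx/conf/ssl/DOMAIN/letsencrypt-DOMAIN-cron
check_cronfile() {
  cronfile="$1"
  if ! cert=$(cert_path_from_cronfile "$cronfile"); then
    echo "$cronfile: CERT path missing or not expanded, correct it by hand"
    return 1
  fi
  if [ ! -f "$cert" ]; then
    echo "$cronfile: $cert does not exist"
    return 1
  fi
  enddate=$(openssl x509 -enddate -noout -in "$cert")
  now=$(date +%s)
  days=$(days_to_expire "$enddate" "$now")
  if needs_renewal "$enddate" "$now"; then
    echo "$cert expires in $days days: renewal due"
  else
    echo "$cert expires in $days days: ok"
  fi
}
```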
     
  9. ModeltogTossen

    @eva2000 you wrote..

    Today at work I found a powershell library ebekker/ACMESharp - C# - GitHub on the List of Client Implementations - Documentation - Let's Encrypt Community Support .. What caught my eye was this on the quick start found here Quick Start · ebekker/ACMESharp Wiki · GitHub :

    So letsencrypt gurus - does that mean that the dns challenge is here, or has it been here always?
     
  10. eva2000

  11. ModeltogTossen

    If it is not publicly available, how can he then refer to the possibility? I don't see anywhere in the code that he is pointing over to the staging server. Okay then - I'll wait - but I just got excited ..
     
  12. eva2000

    There's a command line flag to switch to the staging API for tests.
    There's actually more than one command flag, including --test-cert
    Code:
    --test-cert, --staging
                            Use the staging server to obtain test (invalid) certs;
                            equivalent to --server https://acme-
                            staging.api.letsencrypt.org/directory (default: False)
    Centmin Mod's integration in 123.09beta01le3 uses a webroot.ini config file at /etc/letsencrypt/webroot.ini
    Code:
    # Always use the staging/testing server
    #server = https://acme-staging.api.letsencrypt.org/directory
    
    # for beta invitees
    server = https://acme-v01.api.letsencrypt.org/directory
    The staging server is commented out and it uses the live/beta invitees API.
     
  13. ModeltogTossen

    I think I understand now - the reference to DNS-1 is the staging server ..

     
  14. eva2000

  15. ModeltogTossen

    You don't know that :p But it's good to read that the Letsencrypt folks are up to speed on getting the tools 'complete' ..
     
  16. eva2000


    123.09beta01le4 created

    Last edited: Jan 21, 2016
  17. ModeltogTossen

    Very good - thank you @eva2000 - will make the switch when I'm home from work..
     
  18. eva2000

    Seems like a new bug turned up in the latest letsencrypt client install routine on CentOS 6.x: the installer can't find the path to virtualenv
    Code:
    Creating virtual environment...
    ./letsencrypt-auto: line 167: virtualenv: command not found
    setup general /etc/letsencrypt/webroot.ini letsencrypt config file
    touch: cannot touch `/etc/letsencrypt/webroot.ini': No such file or directory
    addons/letsencrypt.sh: line 163: /etc/letsencrypt/webroot.ini: No such file or directory
    grep: /etc/letsencrypt/webroot.ini: No such file or directory
    line 167 or thereabouts
    Code:
      DeterminePythonVersion
      echo "Creating virtual environment..."
      if [ "$VERBOSE" = 1 ] ; then
        virtualenv --no-site-packages --python $LE_PYTHON $VENV_PATH
      else
        virtualenv --no-site-packages --python $LE_PYTHON $VENV_PATH > /dev/null
      fi
    committed fix to 123.09beta01le4 branch fix letsencrypt client install · centminmod/centminmod@16f4959 · GitHub
     
    Last edited: Jan 28, 2016
  19. eva2000

    Just added 3rd party shell based simple le https://github.com/Neilpang/le client support to the experimental Centmin Mod 123.09beta01le4 branch. It defaults to the STAGING ACME API server for test SSL certs for now, which are not trusted by web browsers.

    Initial Commits
    The simple shell based le client https://github.com/Neilpang/le is installed at /usr/local/bin/le and controlled via 2 variables which can be set via the persistent config file /etc/centminmod/custom_config.inc:

    Code:
    LECLIENT_OFFICIAL='n'
    LECLIENT_LE='y'
    
    This switches from the default official letsencrypt client to the 3rd party shell based simple le client outlined at Neilpang/le: Simplest shell script for LetsEncrypt free Certificate client. Both are mutually exclusive, so SSL certificates obtained via the official letsencrypt client are saved to one directory and SSL certs obtained via the 3rd party shell based simple le client are saved elsewhere, in /root/.le/${vhostname}/. An nginx vhost created with the official letsencrypt client won't work with a 3rd party simple shell based le client created nginx vhost and vice versa.

    Example output for centmin.sh menu option 2 for the sub.domain.com nginx vhost

    Code:
    Enter vhost domain name to add (without www. prefix): sub.domain.com
    
    Create a self-signed SSL certificate Nginx vhost? [y/n]: y
    
    To get Letsencrypt SSL certificate, you must already have updated intended
    domain vhost name's DNS A record to this server's IP addresss.
    If top level domain, DNS A record is needed also for www. version of domain
    otherwise, Letsencrypt domain name validation will fail.
    
    
    sub.domain.com is not a top level domain
    your server IP address: SERVERIPADDR
    current DNS A record IP address for sub.domain.com is: SERVERIPADDR
    
    Abort this Nginx vhost domain setup to setup proper DNS A record(s) first? [y/n]: n
    Obtain Letsencrypt Free SSL certificate (90 day expiry / renew every 80 days) ? [y/n]: y
    
    Code:
    installing or updating simple shell based le client
    
    Initialized empty Git repository in /root/tools/le/.git/
    Installing to /root/.le
    Installing cron job
    0 0 * * *  WORKING_DIR="/root/.le" "/root/.le"/le.sh cron > /dev/null
    OK
    /usr/local/bin/le
    https://github.com/Neilpang/le
    v1.1.2
    Usage: le.sh  [command] ...[args]....
    Avalible commands:
    
    install:
      Install le.sh to your system.
    issue:
      Issue a cert.
    installcert:
      Install the issued cert to apache/nginx or any other server.
    renew:
      Renew a cert.
    renewAll:
      Renew all the certs.
    uninstall:
      Uninstall le.sh, and uninstall the cron job.
    version:
      Show version info.
    installcronjob:
      Install the cron job to renew certs, you don't need to call this. The 'install' command can automatically install the cron job.
    uninstallcronjob:
      Uninstall the cron job. The 'uninstall' command can do this automatically.
    createAccountKey:
      Create an account private key, professional use.
    createDomainKey:
      Create an domain private key, professional use.
    createCSR:
      Create CSR , professional use.
    
    ----------------------------------------------------
    simple shell based le client is installed at:
    /usr/local/bin/le.sh
    Symlinked to:
    /usr/local/bin/le
    ----------------------------------------------------
    
    Code:
    obtaining Letsencrypt SSL certificate via simple shell le webroot authentication...
    
    STAGE=1 FORCE=1 /usr/local/bin/le issue /home/nginx/domains/sub.domain.com/public sub.domain.com no 2048
    Using stage api:https://acme-staging.api.letsencrypt.org
    Creating account key
    Account key exists, skip
    Creating domain key
    Generating RSA private key, 2048 bit long modulus
    .................................................................+++
    .......................................................+++
    e is 65537 (0x10001)
    Creating csr
    Single domain=sub.domain.com
    Registering account
    Already registered
    Verify each domain
    Geting token for domain=sub.domain.com
    Verifying:sub.domain.com
    Success
    Verify finished, start to sign.
    Cert success.
    -----BEGIN CERTIFICATE-----
    MpKYiYGCUqw3EA==
    -----END CERTIFICATE-----
    Your cert is in /root/.le/sub.domain.com/sub.domain.com.cer
    The intermediate CA cert is in /root/.le/sub.domain.com/ca.cer
    
    Code:
    total 28K
    drwxr-xr-x 2 root root 4.0K Jan 31 08:11 .
    drwxr-xr-x 5 root root 4.0K Jan 31 08:11 ..
    -rw-r--r-- 1 root root 1.1K Jan 31 08:11 ca.cer
    -rw-r--r-- 1 root root 1.8K Jan 31 08:11 sub.domain.com.cer
    -rw-r--r-- 1 root root  538 Jan 31 08:11 sub.domain.com.conf
    -rw-r--r-- 1 root root  903 Jan 31 08:11 sub.domain.com.csr
    -rw-r--r-- 1 root root 1.7K Jan 31 08:11 sub.domain.com.key
    
    -rw-r--r-- 1 root root 2.9K Jan 31 08:11 /root/.le/sub.domain.com/sub.domain.com-unified.crt
    
    Code:
    -------------------------------------------------------------
    vhost for sub.domain.com created successfully
    
    domain: http://sub.domain.com
    vhost conf file for sub.domain.com created: /usr/local/nginx/conf/conf.d/sub.domain.com.conf
    
    vhost ssl for sub.domain.com created successfully
    
    domain: https://sub.domain.com
    vhost ssl conf file for sub.domain.com created: /usr/local/nginx/conf/conf.d/sub.domain.com.ssl.conf
    /usr/local/nginx/conf/ssl_include.conf created
    Self-signed SSL Certificate: /usr/local/nginx/conf/ssl/sub.domain.com/sub.domain.com.crt
    SSL Private Key: /usr/local/nginx/conf/ssl/sub.domain.com/sub.domain.com.key
    SSL CSR File: /usr/local/nginx/conf/ssl/sub.domain.com/sub.domain.com.csr
    Backup SSL Private Key: /usr/local/nginx/conf/ssl/sub.domain.com/sub.domain.com-backup.key
    Backup SSL CSR File: /usr/local/nginx/conf/ssl/sub.domain.com/sub.domain.com-backup.csr
    
    Letsencrypt SSL Certificate: /root/.le/sub.domain.com/sub.domain.com.cer
    Letsencrypt SSL Certificate Private Key: /root/.le/sub.domain.com/sub.domain.com.key
    Letsencrypt SSL Certificate CSR: /root/.le/sub.domain.com/sub.domain.com.csr
    Letsencrypt SSL Certificate Full Chain: /root/.le/sub.domain.com/sub.domain.com-unified.pem
    Letsencrypt SSL simple shell le config: /root/.le/sub.domain.com/sub.domain.com.conf
    
    upload files to /home/nginx/domains/sub.domain.com/public
    vhost log files directory is /home/nginx/domains/sub.domain.com/log
    -------------------------------------------------------------
    
    Edit: revised a few things in the integration code with Jan 31-Feb 1, 2016 commits Commits · centminmod/centminmod · GitHub :)
     
    Last edited: Feb 1, 2016
  20. ModeltogTossen

    Thank you @eva2000 - but where do you personally stand between those two options? Do you still prefer the official client, or are you perhaps starting to like the others and using them?
     