Welcome to Centmin Mod Community
Become a Member

Letsencrypt Centmin Mod Letsencrypt Branch testing discussions

Discussion in 'Domains, DNS, Email & SSL Certificates' started by eva2000, Jan 17, 2016.

Thread Status:
Not open for further replies.
  1. pamamolf

    pamamolf Premium Member Premium Member

    3,456
    331
    83
    May 31, 2014
    Ratings:
    +635
    Local Time:
    3:58 PM
    Nginx-1.17.x
    MariaDB 10.3.x
    https it will be a must and is better i we have it in Centminmod and not as addon like replacing the self signed with this one or as an extra menu option if it is possible :)
     
  2. Shaiffulnizam Mohamad

    Shaiffulnizam Mohamad New Member

    29
    8
    3
    Jun 6, 2014
    Ratings:
    +9
    Local Time:
    8:58 PM
    1.7.0
    5.5
    yep, thats true, but probably eva is quite busy. don't want to pressure him tho. hehehe
     
  3. eva2000

    eva2000 Administrator Staff Member

    41,388
    9,297
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +14,262
    Local Time:
    10:58 PM
    Nginx 1.17.x
    MariaDB 5.5/10.x
    the letsencrypt branch 123.09beta01le4 has an accompanying addon in development but like the letsencrypt integration it's only in that branch as work in progress developments. But haven't had time to work on this right now
     
  4. eva2000

    eva2000 Administrator Staff Member

    41,388
    9,297
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +14,262
    Local Time:
    10:58 PM
    Nginx 1.17.x
    MariaDB 5.5/10.x
    • Winner Winner x 1
  5. pamamolf

    pamamolf Premium Member Premium Member

    3,456
    331
    83
    May 31, 2014
    Ratings:
    +635
    Local Time:
    3:58 PM
    Nginx-1.17.x
    MariaDB 10.3.x
    The name acme is a bit confusing of what is for :)
     
  6. Revenge

    Revenge Active Member

    442
    92
    28
    Feb 21, 2016
    Portugal
    Ratings:
    +333
    Local Time:
    1:58 PM
    1.9.x
    10.1.x
    certbot 0.7.0 was released.
    Anyone knows what is the Must Staple extension for OCSP?
     
    • Informative Informative x 1
  7. SeaTea

    SeaTea Member

    49
    13
    8
    Feb 20, 2015
    the Netherlands
    Ratings:
    +28
    Local Time:
    2:58 PM
    Nginx:1.11
    MariaDB-10
    Is acmetool.sh already included in the latest 123.09beta01 ?
    I have updated centminmod this morning (from a 123.09beta01 of last week), but I cannot find this script in the addons directory (or anywhere on my server)
     
  8. eva2000

    eva2000 Administrator Staff Member

    41,388
    9,297
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +14,262
    Local Time:
    10:58 PM
    Nginx 1.17.x
    MariaDB 5.5/10.x
    still doing internal testing right now so not added to 123.09beta01 yet :)
     
  9. jscott

    jscott Member

    104
    14
    18
    Aug 13, 2015
    Ratings:
    +33
    Local Time:
    8:58 AM
    I am using a framework that uses a modified web root.

    In my config file /usr/local/nginx/conf/conf.d/app.example.com.conf

    I change the root to /home/nginx/domains/app.example.com/public/basic/web

    In your description of how the LetsEncrypt client works, you say you are looking at /home/nginx/domains/app.example.com/public as the root.
    Is this the case? or are you looking in the config file and pulling the actual root from there?

    I know using a modified root is probably not the norm, but I expect I am not the only one doing it....

    I am excited to try this out!!!

    -John
     
  10. apidevlab

    apidevlab Member

    91
    33
    18
    Mar 22, 2016
    /dev/null
    Ratings:
    +58
    Local Time:
    1:58 PM
    1.11.1
    5.2.14-122
    A thing of beauty kudos to you :)
     
  11. eva2000

    eva2000 Administrator Staff Member

    41,388
    9,297
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +14,262
    Local Time:
    10:58 PM
    Nginx 1.17.x
    MariaDB 5.5/10.x
    Right now acemetool.sh assumes the default /public as web root as no way to anticipate all different custom web root combination available and its usually done at initial site vhost creation which means you won't have problems as domain validation by letsencrypt would've issued a ssl certificate already so subsequent web root change would be fine up until first renewal which would fail as the webroot acme.sh is looking for changed

    Guess I need to figure out a way to pass a custom webroot to acemetool.sh
     
    Last edited: Jun 3, 2016
  12. tjk

    tjk Member

    76
    16
    8
    Jun 27, 2015
    Ratings:
    +27
    Local Time:
    8:58 AM
    Hey @eva2000, how's the re-write comming? This ready to be used in a prod setup yet do you think?
     
  13. eva2000

    eva2000 Administrator Staff Member

    41,388
    9,297
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +14,262
    Local Time:
    10:58 PM
    Nginx 1.17.x
    MariaDB 5.5/10.x
    still developing so not ready yet for acmetool.sh :)
     
    • Like Like x 1
  14. Brian King

    Brian King New Member

    5
    1
    3
    Jun 7, 2016
    Chicago, IL
    Ratings:
    +1
    Local Time:
    7:58 AM
    @eva2000 -- Can you please provide me some guidance on how to use Acme.sh or even a service such as SSL For Free (also using LE/Certbot) with Centminmod while you work on acmetool.sh?

    Thanks! Really appreciate all that you and everyone working on the project do.
     
  15. eva2000

    eva2000 Administrator Staff Member

    41,388
    9,297
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +14,262
    Local Time:
    10:58 PM
    Nginx 1.17.x
    MariaDB 5.5/10.x
    You'd be on your own for that right now. But you'd have to read their documentation and use the webroot authentication method they outline and pass your Centmin Mod Nginx webroot to the command to issue certs which would be /home/nginx/domains/yourdomain.com/public (webroot path) and then script your own cronjob renewal. Acme.sh already installs a cron job for auto renewals so probably a better one to use than Certbot out of the box.

    here's the basic commands, rest is up to you

    edit vhostname=yourdomain.com and ensure DNS A record IP for yourdomain.com already works and points to same server as one you are running acme.sh too from and that nginx vhost is already added for yourdomain.com via centmin.sh menu option 2 or 22 and that you answered yes to self-signed ssl at vhost creation time

    install acme.sh
    Code (Text):
    mkdir -p /root/tools
    cd /root/tools
    git clone https://github.com/Neilpang/acme.sh.git
    cd ./acme.sh
    ./acme.sh --install --days 60
    . "/root/.acme.sh/acme.sh.env"
    

    issue yourdomain.com cert with test staging cert, for live remove --staging flag - vhostname=yourdomain.com
    Code (Text):
    vhostname=yourdomain.com
    LECLIENT_LEKEYLENGTH=2048
    acme.sh --staging --issue -d "${vhostname}" -w /home/nginx/domains/"${vhostname}"/public -k "$LECLIENT_LEKEYLENGTH"
    acme.sh --installcert -d $vhostname --certpath "/usr/local/nginx/conf/ssl/${vhostname}/${vhostname}-acme.cer" --keypath "/usr/local/nginx/conf/ssl/${vhostname}/${vhostname}-acme.key" --capath "/usr/local/nginx/conf/ssl/${vhostname}/${vhostname}-acme.cer" --reloadCmd /usr/bin/ngxreload --fullchainpath "/usr/local/nginx/conf/ssl/${vhostname}/${vhostname}-fullchain-acme}.key"
    

    update yourdomain.com.ssl.conf with letsencrypt ssl certs
    Code (Text):
    sed -i "s|\/usr\/local\/nginx\/conf\/ssl\/${vhostname}\/${vhostname}.crt|\/usr\/local\/nginx\/conf\/ssl\/${vhostname}\/${vhostname}-acme.cer|" "/usr/local/nginx/conf/conf.d/${vhostname}.ssl.conf"
    sed -i "s|\/usr\/local\/nginx\/conf\/ssl\/${vhostname}\/${vhostname}.key|\/usr\/local\/nginx\/conf\/ssl\/${vhostname}\/${vhostname}-acme.key|" "/usr/local/nginx/conf/conf.d/${vhostname}.ssl.conf"
    sed -i "s|\/usr\/local\/nginx\/conf\/ssl\/${vhostname}\/${vhostname}-trusted.crt|\/usr\/local\/nginx\/conf\/ssl\/${vhostname}\/${vhostname}-acme.cer|" "/usr/local/nginx/conf/conf.d/${vhostname}.ssl.conf"
    

    if only using live ssl certs run and enable ocsp stapling, if using test ssl certs --staging, do not run these commands
    Code (Text):
    sed -i "s|#resolver |resolver |" "/usr/local/nginx/conf/conf.d/${vhostname}.ssl.conf"
    sed -i "s|#resolver_timeout|resolver_timeout|" "/usr/local/nginx/conf/conf.d/${vhostname}.ssl.conf"
    sed -i "s|#ssl_stapling on|ssl_stapling on|" "/usr/local/nginx/conf/conf.d/${vhostname}.ssl.conf"
    sed -i "s|#ssl_stapling_verify|ssl_stapling_verify|" "/usr/local/nginx/conf/conf.d/${vhostname}.ssl.conf"
    sed -i "s|#ssl_trusted_certificate|ssl_trusted_certificate|" "/usr/local/nginx/conf/conf.d/${vhostname}.ssl.conf"
    


    disclaimer, no support or troubleshooting provided by me for this manual method/steps outlined above as acme.sh code may change or break during development by Neil Pang which I have no control over
     
    • Informative Informative x 2
    • Like Like x 1
  16. Brian King

    Brian King New Member

    5
    1
    3
    Jun 7, 2016
    Chicago, IL
    Ratings:
    +1
    Local Time:
    7:58 AM
    @eva2000

    Thank you so much. Can you please clarify where I'm supposed to enter

    Code:
    vhostname=yourdomain.com
    LECLIENT_LEKEYLENGTH=2048
    to identify which domain/vhost the acme.sh script should be executed for?

    This is part of your overall 2nd code block as seen below:

    Code:
    vhostname=yourdomain.com
    LECLIENT_LEKEYLENGTH=2048
    acme.sh --staging --issue -d "${vhostname}" -w /home/nginx/domains/"${vhostname}"/public -k "$LECLIENT_LEKEYLENGTH"
    acme.sh --installcert -d $vhostname --certpath "/usr/local/nginx/conf/ssl/${vhostname}/${vhostname}-acme.cer" --keypath "/usr/local/nginx/conf/ssl/${vhostname}/${vhostname}-acme.key" --capath "/usr/local/nginx/conf/ssl/${vhostname}/${vhostname}-acme.cer" --reloadCmd /usr/bin/ngxreload --fullchainpath "/usr/local/nginx/conf/ssl/${vhostname}/${vhostname}-fullchain-acme}.key"
    
     
  17. eva2000

    eva2000 Administrator Staff Member

    41,388
    9,297
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +14,262
    Local Time:
    10:58 PM
    Nginx 1.17.x
    MariaDB 5.5/10.x
    Code (Text):
    vhostname=yourdomain.com
    LECLIENT_LEKEYLENGTH=2048

    just change yourdomain.com to your domain name you want to create for the nginx vhost + the ssl certificate for

    leave the other variable as 2048 assigned
     
    • Informative Informative x 1
  18. Brian King

    Brian King New Member

    5
    1
    3
    Jun 7, 2016
    Chicago, IL
    Ratings:
    +1
    Local Time:
    7:58 AM
    @eva2000 I understand that, I just don't understand where you're saying I need to set this. Thanks...
     
  19. eva2000

    eva2000 Administrator Staff Member

    41,388
    9,297
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +14,262
    Local Time:
    10:58 PM
    Nginx 1.17.x
    MariaDB 5.5/10.x
    when you type it in SSH window, you are creating and setting the variable

    try it typing commands in your SSH window/SSH client - you set VARX and VARY variables and echo'd their output of what value you set
    Code (Text):
    VARX=1
    echo $VARX
    VARY=2
    echo $VARY
    

    same with
    Code (Text):
    vhostname=yourdomain.com
    LECLIENT_LEKEYLENGTH=2048

    so subsequent commands that come after these variables looks for these variables $vhostname and $LECLIENT_LEKEYLENGTH
     
  20. Kyvaith

    Kyvaith New Member

    10
    1
    3
    Jun 14, 2016
    Ratings:
    +2
    Local Time:
    2:58 PM
    eva, sorry for asking about this, but is there any ETA for public beta od centmin mod with Let's encrypt integration? I've tested 'alpha' branch, and LS works well for creating new vhost, but not for WordPress option. Also, you should allow to put user own information needed for generating certificate (like company name). This should be stored somewhere in need for auto regenerate certs after 60 days. The last thing is, when valid certificate has been generated, NGINX should redirect all traffic from HTTP to HTTPS.
     
Thread Status:
Not open for further replies.