Letsencrypt Centmin Mod Letsencrypt Branch testing discussions

the letsencrypt branch 123.09beta01le4 has an accompanying addon in development but like the letsencrypt integration it's only in that branch as work in progress developments. But haven't had time to work on this right now

 

Update: May 28th, 2016: Existing 123.09beta01le* branch work is being scrapped as I am rewriting the Letsencrypt integration from scratch with a new addon called acmetool.sh. Details at Letsencrypt - Welcome to acmetool.sh - new letsencrypt addon for Centmin Mod LEMP stacks | Centmin Mod Community

 

still doing internal testing right now so not added to 123.09beta01 yet

 

Right now acemetool.sh assumes the default /public as web root as no way to anticipate all different custom web root combination available and its usually done at initial site vhost creation which means you won't have problems as domain validation by letsencrypt would've issued a ssl certificate already so subsequent web root change would be fine up until first renewal which would fail as the webroot acme.sh is looking for changed

Guess I need to figure out a way to pass a custom webroot to acemetool.sh

 

still developing so not ready yet for acmetool.sh

 

You'd be on your own for that right now. But you'd have to read their documentation and use the webroot authentication method they outline and pass your Centmin Mod Nginx webroot to the command to issue certs which would be /home/nginx/domains/yourdomain.com/public (webroot path) and then script your own cronjob renewal. Acme.sh already installs a cron job for auto renewals so probably a better one to use than Certbot out of the box.

here's the basic commands, rest is up to you

edit vhostname=yourdomain.com and ensure DNS A record IP for yourdomain.com already works and points to same server as one you are running acme.sh too from and that nginx vhost is already added for yourdomain.com via centmin.sh menu option 2 or 22 and that you answered yes to self-signed ssl at vhost creation time

install acme.sh

Code (Text):

mkdir -p /root/tools
cd /root/tools
git clone https://github.com/Neilpang/acme.sh.git
cd ./acme.sh
./acme.sh --install --days 60
. "/root/.acme.sh/acme.sh.env"

issue yourdomain.com cert with test staging cert, for live remove --staging flag - vhostname=yourdomain.com

Code (Text):

vhostname=yourdomain.com
LECLIENT_LEKEYLENGTH=2048
acme.sh --staging --issue -d "${vhostname}" -w /home/nginx/domains/"${vhostname}"/public -k "$LECLIENT_LEKEYLENGTH"
acme.sh --installcert -d $vhostname --certpath "/usr/local/nginx/conf/ssl/${vhostname}/${vhostname}-acme.cer" --keypath "/usr/local/nginx/conf/ssl/${vhostname}/${vhostname}-acme.key" --capath "/usr/local/nginx/conf/ssl/${vhostname}/${vhostname}-acme.cer" --reloadCmd /usr/bin/ngxreload --fullchainpath "/usr/local/nginx/conf/ssl/${vhostname}/${vhostname}-fullchain-acme}.key"

update yourdomain.com.ssl.conf with letsencrypt ssl certs

Code (Text):

sed -i "s|\/usr\/local\/nginx\/conf\/ssl\/${vhostname}\/${vhostname}.crt|\/usr\/local\/nginx\/conf\/ssl\/${vhostname}\/${vhostname}-acme.cer|" "/usr/local/nginx/conf/conf.d/${vhostname}.ssl.conf"
sed -i "s|\/usr\/local\/nginx\/conf\/ssl\/${vhostname}\/${vhostname}.key|\/usr\/local\/nginx\/conf\/ssl\/${vhostname}\/${vhostname}-acme.key|" "/usr/local/nginx/conf/conf.d/${vhostname}.ssl.conf"
sed -i "s|\/usr\/local\/nginx\/conf\/ssl\/${vhostname}\/${vhostname}-trusted.crt|\/usr\/local\/nginx\/conf\/ssl\/${vhostname}\/${vhostname}-acme.cer|" "/usr/local/nginx/conf/conf.d/${vhostname}.ssl.conf"

if only using live ssl certs run and enable ocsp stapling, if using test ssl certs --staging, do not run these commands

Code (Text):

sed -i "s|#resolver |resolver |" "/usr/local/nginx/conf/conf.d/${vhostname}.ssl.conf"
sed -i "s|#resolver_timeout|resolver_timeout|" "/usr/local/nginx/conf/conf.d/${vhostname}.ssl.conf"
sed -i "s|#ssl_stapling on|ssl_stapling on|" "/usr/local/nginx/conf/conf.d/${vhostname}.ssl.conf"
sed -i "s|#ssl_stapling_verify|ssl_stapling_verify|" "/usr/local/nginx/conf/conf.d/${vhostname}.ssl.conf"
sed -i "s|#ssl_trusted_certificate|ssl_trusted_certificate|" "/usr/local/nginx/conf/conf.d/${vhostname}.ssl.conf"

disclaimer, no support or troubleshooting provided by me for this manual method/steps outlined above as acme.sh code may change or break during development by Neil Pang which I have no control over

 

Code (Text):

vhostname=yourdomain.com
LECLIENT_LEKEYLENGTH=2048

just change yourdomain.com to your domain name you want to create for the nginx vhost + the ssl certificate for

leave the other variable as 2048 assigned

 

when you type it in SSH window, you are creating and setting the variable

try it typing commands in your SSH window/SSH client - you set VARX and VARY variables and echo'd their output of what value you set

Code (Text):

VARX=1
echo $VARX
VARY=2
echo $VARY

same with

Code (Text):

vhostname=yourdomain.com
LECLIENT_LEKEYLENGTH=2048

so subsequent commands that come after these variables looks for these variables $vhostname and $LECLIENT_LEKEYLENGTH