Join the community today
Register Now

Letsencrypt certbot letsencrypt ssl certificate install

Discussion in 'Domains, DNS, Email & SSL Certificates' started by Derek, Oct 25, 2016.

  1. Derek

    Derek New Member

    28
    9
    3
    Aug 5, 2016
    Ratings:
    +16
    Local Time:
    12:20 PM
    I have a production web server running on my own hardware. When I created it I did not create self-signed SSL certs. Every document I've read on this site pertaining to SSL wants to start by running option 2 to create a new vhost, and then choose to have it create self-signed certs. It is not at all clear if doing so on a running install will overwrite my site, just my site configuration, or simply perform steps not previously chosen.

    I've gotten certbot to issue me the cert.pem, chain.pem, fullchain.pem, and privkey.pem files. Now I'm just trying to figure out where to put them and how to change nginx config files so it knows how to find them and how to handle SSL connections, and I haven't found any documentation that starts where I am and goes to that end point.

    Where should I look next?
     
  2. eva2000

    eva2000 Administrator Staff Member

    30,164
    6,784
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,135
    Local Time:
    2:20 AM
    Nginx 1.13.x
    MariaDB 5.5
    If you already have your paid ssl cert files or web browser trusted ssl certificates, you don't need to generate the self-signed ssl certificates. The only reason to do centmin.sh menu option 2 run with self-signed ssl cert = yes is so it creates the HTTPS nginx vhost domain.com.ssl.conf config file too for easier switch from self-signed to paid/web browser trusted ssl certificate outlined at Nginx Vhost & NSD DNS Setup.

    For for manual setup of SSL certificate, you can follow all steps outlined at Nginx SPDY SSL Configuration which are still valid (exception is you do not need to create the ssl settings themselves as 123.08 stable and higher auto generate those when you answer yes to self-signed ssl creation during centmin.sh menu option 2 otherwise you need to manually create the ssl vhost too) and references HTTP/2 changes needed. You just need to do the unified file and file concatenation of your SSL providers provided files if you said yes to self-signed ssl cert creation. If you answered no, you need to manually setup the HTTPS vhost configuration.

    Not applicable to you, but if you want to generate the self-signed ssl cert though, you can regenerate a new self-signed ssl cert and vhost first including the csr file and private key pair. The instructions for such can also be found in vhost generator at http://centminmod.com/vhost.php just enter domain name and select self-signed ssl yes and you should see initial openssl command instructions for recreating them

    example for domain.com
    then switch from self signed SSL to paid SSL see sections at Nginx Vhost & NSD DNS Setup (including setting for http to https redirect)
     
    Last edited: Oct 25, 2016
  3. SeaTea

    SeaTea Premium Member Premium Member

    49
    13
    8
    Feb 20, 2015
    the Netherlands
    Ratings:
    +28
    Local Time:
    6:20 PM
    Nginx:1.11
    MariaDB-10
    I am using certbot too. It is very easy to adapt a default self-signed ssl-setup:
    - Leave the .pem files where certbot puts them, as they will update automatically there.
    - Open your site ssl config file, usually at /usr/local/nginx/conf/conf.d/domain.com.ssl.conf
    - Change the following 2 lines with the pem-files location:
    Code (Text):
    #  ssl_certificate      /usr/local/nginx/conf/ssl/domain.com/domain.com.crt;
    ssl_certificate      /etc/letsencrypt/live/domain.com/fullchain.pem;
    #  ssl_certificate_key  /usr/local/nginx/conf/ssl/domain.com/domain.com.key;
    ssl_certificate_key  /etc/letsencrypt/live/domain.com/privkey.pem;
    


    and restart nginx. That's all.

    Then put the following script in 'cron.daily' directory (I named it 'letsencrypt'):
    Code (Text):
    #!/bin/sh
    certbot renew --post-hook "service nginx restart" --quiet
    exit 0
    


    Now every night cron starts certbot and if the certificate is valid less than the default renew days it will issue a new version. Nginx will automatically restart after that.
     
    • Informative Informative x 1
  4. eva2000

    eva2000 Administrator Staff Member

    30,164
    6,784
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,135
    Local Time:
    2:20 AM
    Nginx 1.13.x
    MariaDB 5.5
    @SeaTea thanks for sharing :) I believe @Derek doesn't have the self-signed ssl vhost setup as he answered no so has a few more manual steps to do to get to that point.
     
  5. Derek

    Derek New Member

    28
    9
    3
    Aug 5, 2016
    Ratings:
    +16
    Local Time:
    12:20 PM
    That's awesome, SeaTea. Thanks. I'm starting to go crosseyed so think I'll attack this first thing in the morning.

    Wouldn't it make more sense to do a nginx reload than a restart?
     
    • Agree Agree x 1
  6. Derek

    Derek New Member

    28
    9
    3
    Aug 5, 2016
    Ratings:
    +16
    Local Time:
    12:20 PM
    OK, got it working. Now to do things like make the CDN links point to https://versions of themselves.

    For folks doing this in the future:
    • I created a new vhost that I'm not going to use, copied the newdomain.com.ssl.conf to the correct name for my site and edited it to change every instance of newdomain.com in it to my domain.
    • I created the dhparam file as per the instructions given here.
    • I edited the links to keys in my new .ssl.conf file to point to the new dhparam file and the keys created by Certbot as listed in the above post.
    • I created the cron.daily task to update the files automagically.
    • I ran nginx -t to test the config file, and it passed. I assumed this was because I was supposed to include the .ssl.conf file from the main conf file for my domain, but I didn't see anything like that in the files I created for the new vhost.
    • I crossed my fingers, reloaded the nginx configuration, made sure my host was up, then changed to the https:// version and saw the same thing.
    Awesome.

    And now when I test it I get this:

    upload_2016-10-25_16-7-43.png

    Not too shabby! Thanks for all the help, folks. I was really struggling to wrap my head around all this and it wasn't that bad at all. :D
     
    • Informative Informative x 1
  7. eva2000

    eva2000 Administrator Staff Member

    30,164
    6,784
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,135
    Local Time:
    2:20 AM
    Nginx 1.13.x
    MariaDB 5.5
    yeah that's easiest way and why it pays to have a test vps for testing as you could do this on test vps

    i.e. setup virtualbox on local pc/laptop with centos guest server and install centmin mod CentOS 7.x - CentOS 7.0 Install on VirtualBOX Guest Server | Centmin Mod Community

    this is how centmin mod is tested

    1. local virtualbox centos 6 and 7 test servers saved snapshot of virgin os
    2. then install centmin mod for various tests
    3. then can revert to virgin centos os snapshot if i need to do other tests
    4. save snapshots for various test cases etc
    5. when ready test on real test vps
    6. then test of live vps

    You can also regenerate the vhost from the instructions at http://centminmod.com/vhost.php just enter domain name and select self-signed ssl yes and you should see initial openssl command instructions for recreating them
     
    • Informative Informative x 1
  8. Derek

    Derek New Member

    28
    9
    3
    Aug 5, 2016
    Ratings:
    +16
    Local Time:
    12:20 PM
    Well, I thought this was fixed anyway. My cert isn't renewing, and when I run the cron script manually I receive this:

    Has anyone else experienced this whose memory of setting up letsencrypt is fresher than mine? ;)
     
    Last edited: Jan 7, 2017
  9. Derek

    Derek New Member

    28
    9
    3
    Aug 5, 2016
    Ratings:
    +16
    Local Time:
    12:20 PM
    I deleted the details. Running certbot from the command line failed too, but the webroot command worked fine. I guess I'll just run the command manually for now...

    Edited to add:

    If someone else runs into this, the command that worked from the command line with nginx running is this (replace <mydomain> with your details):

    certbot certonly --webroot -w /home/nginx/domains/<mydomain>/public/ -d www.<mydomain> -d <mydomain>
     
    Last edited: Jan 7, 2017
  10. eva2000

    eva2000 Administrator Staff Member

    30,164
    6,784
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,135
    Local Time:
    2:20 AM
    Nginx 1.13.x
    MariaDB 5.5
    you should be using certbot with webroot authentication as any other standard method requires freeing port 80 or 443 which are both used by nginx webserver so there's a conflict

    probably need to ask on certbot forums as I haven't touched the official letsencrypt certbot client in ages as i am using 3rd party acme.sh client via for addons/acmetool.sh

     
    • Like Like x 1
  11. Derek

    Derek New Member

    28
    9
    3
    Aug 5, 2016
    Ratings:
    +16
    Local Time:
    12:20 PM
    Thanks, Eva. We cross-posted. I'm wondering if using the webroot command as I did in the post above yours in the cron script would solve the problem, and still restart the server automagically.
     
  12. eva2000

    eva2000 Administrator Staff Member

    30,164
    6,784
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,135
    Local Time:
    2:20 AM
    Nginx 1.13.x
    MariaDB 5.5
    webroot authentictaion is the way :D yeah it should fix it :)
     
  13. eva2000

    eva2000 Administrator Staff Member

    30,164
    6,784
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,135
    Local Time:
    2:20 AM
    Nginx 1.13.x
    MariaDB 5.5