Letsencrypt certbot letsencrypt ssl certificate install

Derek · Oct 25, 2016

I have a production web server running on my own hardware. When I created it I did not create self-signed SSL certs. Every document I've read on this site pertaining to SSL wants to start by running option 2 to create a new vhost, and then choose to have it create self-signed certs. It is not at all clear if doing so on a running install will overwrite my site, just my site configuration, or simply perform steps not previously chosen.

I've gotten certbot to issue me the cert.pem, chain.pem, fullchain.pem, and privkey.pem files. Now I'm just trying to figure out where to put them and how to change nginx config files so it knows how to find them and how to handle SSL connections, and I haven't found any documentation that starts where I am and goes to that end point.

Where should I look next?

eva2000 · Oct 25, 2016

If you already have your paid ssl cert files or web browser trusted ssl certificates, you don't need to generate the self-signed ssl certificates. The only reason to do centmin.sh menu option 2 run with self-signed ssl cert = yes is so it creates the HTTPS nginx vhost domain.com.ssl.conf config file too for easier switch from self-signed to paid/web browser trusted ssl certificate outlined at Nginx Vhost & NSD DNS Setup.

For for manual setup of SSL certificate, you can follow all steps outlined at Nginx SPDY SSL Configuration which are still valid (exception is you do not need to create the ssl settings themselves as 123.08 stable and higher auto generate those when you answer yes to self-signed ssl creation during centmin.sh menu option 2 otherwise you need to manually create the ssl vhost too) and references HTTP/2 changes needed. You just need to do the unified file and file concatenation of your SSL providers provided files if you said yes to self-signed ssl cert creation. If you answered no, you need to manually setup the HTTPS vhost configuration.

Not applicable to you, but if you want to generate the self-signed ssl cert though, you can regenerate a new self-signed ssl cert and vhost first including the csr file and private key pair. The instructions for such can also be found in vhost generator at http://centminmod.com/vhost.php just enter domain name and select self-signed ssl yes and you should see initial openssl command instructions for recreating them

example for domain.com
Centmin Mod Nginx vhost generated for domain.com

Actual dhparam.pem, domain.com.crt, domain.com.key, domain.com-trusted.crt files are NOT generated. Only centmin.sh menu option 2can auto generate those files or by manual SPDY or HTTP/2 SSL setup outlined here.

However, if you are comfortable with SSH command line you can generate the files using the following commands in SSH as root user:
Code:
mkdir -p /usr/local/nginx/conf/ssl/domain.com
cd /usr/local/nginx/conf/ssl/domain.com
openssl req -new -newkey rsa:2048 -sha256 -nodes -out domain.com.csr -keyout domain.com.key -subj "/C=US/ST=California/L=Los Angeles/O=domain.com/OU=domain.com/CN=domain.com"
openssl x509 -req -days 36500 -sha256 -in domain.com.csr -signkey domain.com.key -out domain.com.crt
openssl dhparam -out dhparam.pem 2048
Click to expand...
then switch from self signed SSL to paid SSL see sections at Nginx Vhost & NSD DNS Setup (including setting for http to https redirect)

SeaTea · Oct 25, 2016

Derek said: ↑

I've gotten certbot to issue me the cert.pem, chain.pem, fullchain.pem, and privkey.pem files. Now I'm just trying to figure out where to put them and how to change nginx config files so it knows how to find them and how to handle SSL connections, and I haven't found any documentation that starts where I am and goes to that end point.
Click to expand...

I am using certbot too. It is very easy to adapt a default self-signed ssl-setup:
- Leave the .pem files where certbot puts them, as they will update automatically there.
- Open your site ssl config file, usually at /usr/local/nginx/conf/conf.d/domain.com.ssl.conf
- Change the following 2 lines with the pem-files location:
Code (Text):
#  ssl_certificate      /usr/local/nginx/conf/ssl/domain.com/domain.com.crt;
ssl_certificate      /etc/letsencrypt/live/domain.com/fullchain.pem;
#  ssl_certificate_key  /usr/local/nginx/conf/ssl/domain.com/domain.com.key;
ssl_certificate_key  /etc/letsencrypt/live/domain.com/privkey.pem;
and restart nginx. That's all.

Then put the following script in 'cron.daily' directory (I named it 'letsencrypt'):
Code (Text):
#!/bin/sh
certbot renew --post-hook "service nginx restart" --quiet
exit 0
Now every night cron starts certbot and if the certificate is valid less than the default renew days it will issue a new version. Nginx will automatically restart after that.

eva2000 · Oct 25, 2016

@SeaTea thanks for sharing I believe @Derek doesn't have the self-signed ssl vhost setup as he answered no so has a few more manual steps to do to get to that point.

Derek · Oct 25, 2016

That's awesome, SeaTea. Thanks. I'm starting to go crosseyed so think I'll attack this first thing in the morning.

Wouldn't it make more sense to do a nginx reload than a restart?

Derek · Oct 26, 2016

OK, got it working. Now to do things like make the CDN links point to https://versions of themselves.

For folks doing this in the future:

I created a new vhost that I'm not going to use, copied the newdomain.com.ssl.conf to the correct name for my site and edited it to change every instance of newdomain.com in it to my domain.

I created the dhparam file as per the instructions given here.

I edited the links to keys in my new .ssl.conf file to point to the new dhparam file and the keys created by Certbot as listed in the above post.

I created the cron.daily task to update the files automagically.

I ran nginx -t to test the config file, and it passed. I assumed this was because I was supposed to include the .ssl.conf file from the main conf file for my domain, but I didn't see anything like that in the files I created for the new vhost.

I crossed my fingers, reloaded the nginx configuration, made sure my host was up, then changed to the https:// version and saw the same thing.

Awesome.

And now when I test it I get this:

Not too shabby! Thanks for all the help, folks. I was really struggling to wrap my head around all this and it wasn't that bad at all.

eva2000 · Oct 26, 2016

Derek said: ↑

I created a new vhost that I'm not going to use, copied the newdomain.com.ssl.conf to the correct name for my site and edited it to change every instance of newdomain.com in it to my domain.
Click to expand...

yeah that's easiest way and why it pays to have a test vps for testing as you could do this on test vps

i.e. setup virtualbox on local pc/laptop with centos guest server and install centmin mod CentOS 7.x - CentOS 7.0 Install on VirtualBOX Guest Server | Centmin Mod Community

this is how centmin mod is tested

1. local virtualbox centos 6 and 7 test servers saved snapshot of virgin os
2. then install centmin mod for various tests
3. then can revert to virgin centos os snapshot if i need to do other tests
4. save snapshots for various test cases etc
5. when ready test on real test vps
6. then test of live vps

You can also regenerate the vhost from the instructions at http://centminmod.com/vhost.php just enter domain name and select self-signed ssl yes and you should see initial openssl command instructions for recreating them

Derek · Jan 7, 2017

Well, I thought this was fixed anyway. My cert isn't renewing, and when I run the cron script manually I receive this:

/etc/cron.daily/letsencrypt
Attempting to renew cert from /etc/letsencrypt/renewal/<mydomain>.conf produced an unexpected error: At least one of the required ports is already taken..
Skipping.

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/<mydomain>/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)
Click to expand...

Has anyone else experienced this whose memory of setting up letsencrypt is fresher than mine?

Derek · Jan 7, 2017

I deleted the details. Running certbot from the command line failed too, but the webroot command worked fine. I guess I'll just run the command manually for now...

Edited to add:

If someone else runs into this, the command that worked from the command line with nginx running is this (replace <mydomain> with your details):

certbot certonly --webroot -w /home/nginx/domains/<mydomain>/public/ -d www.<mydomain> -d <mydomain>

eva2000 · Jan 7, 2017

you should be using certbot with webroot authentication as any other standard method requires freeing port 80 or 443 which are both used by nginx webserver so there's a conflict

probably need to ask on certbot forums as I haven't touched the official letsencrypt certbot client in ages as i am using 3rd party acme.sh client via for addons/acmetool.sh

Let's Encrypt Community Support

Issues · certbot/certbot · GitHub

Derek · Jan 7, 2017

Thanks, Eva. We cross-posted. I'm wondering if using the webroot command as I did in the post above yours in the cron script would solve the problem, and still restart the server automagically.

eva2000 · Jan 7, 2017

webroot authentictaion is the way yeah it should fix it

eva2000 · Jan 7, 2017

or switch to acme.sh client

My official nginx vhost generator on my web site at centminmod.com/vhost.php now has instructions for manual use of addons/acmetool.sh and acme.sh for letsencrypt ssl certificates for folks who need more control and want to manually edit their nginx vhosts (one time only for ssl setup) Official Nginx Vhost Generator Add Letsencrypt SSL Support

Log in / Register

Forums

Welcome to Centmin Mod Community

Letsencrypt certbot letsencrypt ssl certificate install

Derek Member

eva2000 Administrator Staff Member

SeaTea Member

eva2000 Administrator Staff Member

Derek Member

Derek Member

eva2000 Administrator Staff Member

Derek Member

Derek Member

eva2000 Administrator Staff Member

Derek Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

.

Log in / Register

Useful Searches

Welcome to Centmin Mod Community

Letsencrypt certbot letsencrypt ssl certificate install

Derek Member

eva2000 Administrator Staff Member

SeaTea Member

eva2000 Administrator Staff Member

Derek Member

Derek Member

eva2000 Administrator Staff Member

Derek Member

Derek Member

eva2000 Administrator Staff Member

Derek Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

.