
Cloudflare SSL CloudFlare Origin Certificates

Discussion in 'Domains, DNS, Email & SSL Certificates' started by BobbyWibowo, Jun 21, 2016.

  1. BobbyWibowo

    BobbyWibowo Active Member

    Has anyone tried using CloudFlare Origin CA? Read more about it here: CloudFlare Origin CA

    I've tried using it on my site:
    cloudflare_origin_certificates.png
    After creating the certificate, I could use the same certificate and private key for all my domains which were sub-domains of my root domain.
    Another benefit of using this is that you can finally choose Full (strict) encryption:
    cloudflare_origin_certificates_strict.png
    Previously, you could only choose Full encryption (not strict) if you used a locally generated certificate, but not anymore :D


    There's no change in Qualys' SSL Labs result since it's behind CloudFlare (so only CloudFlare's side is visible to the tester), but I'm sure it's more secure now :)
     
  2. eva2000

    eva2000 Administrator Staff Member

    wow looks interesting

    haven't tried it yet but will.. thanks for the heads up!
     
  3. MaximilianKohler

    MaximilianKohler Member

    Could you specify how exactly to implement that in CMM? I found these guides, but none of them point to the correct CMM folders & files, and they give conflicting specific code to add:
    For example, I think this is the right location:
    /usr/local/nginx/conf/conf.d

    Is "sub.mydomain.com.ssl.conf" the right file?

    I added these lines:
    Then ran "nginx -t && service nginx reload" and got multiple errors:
    EDIT: Oh, also, I think those files & locations would only enable it for one of my vhosts right? And ideally it should be enabled for everything?
     
    Last edited: Jun 29, 2023
  4. eva2000

    eva2000 Administrator Staff Member

    @MaximilianKohler any reason you want to use a Cloudflare Origin CA cert and not Letsencrypt SSL certs? Centmin Mod automates this, see Letsencrypt Free SSL Certificates, and if you use Cloudflare, you can also use the Cloudflare DNS API for trouble-free domain validation (Letsencrypt Free SSL Certificates). Then your origin SSL setup will work whether the Cloudflare proxy is enabled or disabled, while a Cloudflare Origin CA cert does not work without the Cloudflare proxy being enabled.
     
  5. MaximilianKohler

    MaximilianKohler Member

    I didn't really understand the differences, but I read that Letsencrypt might publish your origin IP, so a Cloudflare Origin CA cert might be more secure.

    Also, I've been having trouble getting a server up and running (not with CMM, CMM has been easy), and thus I've hit the limit for requesting Letsencrypt certs https://letsencrypt.org/docs/duplicate-certificate-limit.

    Also, I'm not sure if this is related to the Letsencrypt limit I hit but I currently have two subdomains with CMM -- the setup.domain.com and the forum.domain.com, and on my Cloudflare "SSL/TLS Overview" page if I switch it from "flexible" to "full" the setup.domain shows the forum.domain page, and if I set it to "Full (strict)" then neither will load right now, presumably due to the missing Letsencrypt cert.
    Oh wow, that seems like a major reason not to use it. I guess I'll just wait for my Letsencrypt limit to expire.
     
  6. eva2000

    eva2000 Administrator Staff Member

    Letsencrypt SSL can be installed on the Centmin Mod Nginx side, and without the Cloudflare orange cloud proxy enabled, yes, your server IP is revealed. But if you enable the Cloudflare orange cloud proxy, then any SSL cert installed on the Centmin Mod Nginx side has its server IP hidden by default, regardless of whether Cloudflare Origin CA, Letsencrypt etc. are installed on the Centmin Mod Nginx side.

    If you hit the Letsencrypt rate limit, you can switch to a different free SSL certificate provider like ZeroSSL, which Centmin Mod supports, see Letsencrypt Free SSL Certificates. Specifically: Switching from Letsencrypt to ZeroSSL SSL Certificates

     
  7. MaximilianKohler

    MaximilianKohler Member

    I think that page needs to be updated with info on how to request an SSL cert (i.e. in my case, where I created the vhost with option 2, but I need to request a new cert only now). "Centmin option 2" won't let me redo the automated process since the vhost already exists.

    I did some searching and found Issuing a Letsencrypt SSL Certificate via Command Line. But when I run:
    and
    I thought it's because I need to install the addon, but didn't see it listed here https://community.centminmod.com/threads/official-centmin-mod-addons.6/ or here https://community.centminmod.com/forums/add-ons.10.

    and What is addons/acmetool.sh ? suggests it's something that's already integrated.
     
  8. eva2000

    eva2000 Administrator Staff Member

    Yeah, a lot of the info changes over time, as expected on a forum heh.

    acmetool.sh resides in the addons directory, which resides in /usr/local/src/centminmod

    so /usr/local/src/centminmod/addons/acmetool.sh

    If the nginx vhost you created doesn't have any data, you can just delete it and recreate it.

    To properly remove an Nginx vhost, the instructions are on the official site at How to delete Nginx vhost account for existing domain/subdomain ?, and the ending output of each Nginx vhost creation also lists the commands.

    You also get a log file for each Nginx vhost created which also lists the commands, in 123.09beta01 and higher. Example for http2.domain.com: the remove log is at /root/centminlogs/centminmod_140218-021218_nginx_addvhost_nv-remove-cmds-http2.domain.com.log
    Code (Text):
    ls -lahrt /root/centminlogs/ | grep remove
    -rw-r--r--   1 root root 1.3K Feb 14 02:12 centminmod_140218-021218_nginx_addvhost_nv-remove-cmds-http2.domain.com.log

    Or manually get the SSL cert only, via method 3.

    There are generally 3 ways of setting up an HTTPS SSL certificate for Centmin Mod Nginx HTTP/2 based HTTPS:

    Method 1. The traditional way via centmin.sh menu option 2 or 22, but ensuring you set LETSENCRYPT_DETECT='y' in the persistent config file created at /etc/centminmod/custom_config.inc before you run centmin.sh menu option 2 or 22 for WordPress. You can do that using the command below. You only need to do this step once, and every subsequent run of centmin.sh menu option 2 or 22 will have Letsencrypt SSL certificate support enabled.
    Code (Text):
    # enable letsencrypt ssl certificate integration https://centminmod.com/acmetool/
    touch /etc/centminmod/custom_config.inc
    echo "LETSENCRYPT_DETECT='y'" >> /etc/centminmod/custom_config.inc

    Method 2. Using and testing Centmin Mod 123.09beta01's new addons/acmetool.sh addon, which is still in beta testing, for integrating Letsencrypt SSL certificates. It has both auto and manual methods.

    Method 3. Fully manual method for free Letsencrypt SSL certificates.
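The Method 1 step above appends `LETSENCRYPT_DETECT='y'` with `echo >>`, which adds a duplicate line every time it is re-run. As an added example (not Centmin Mod's own code), the helper below sets the key idempotently, replacing an existing assignment instead of appending; the config path defaults to the thread's /etc/centminmod/custom_config.inc and can be overridden for testing.

```shell
#!/bin/sh
# Added example, not part of Centmin Mod: idempotently set KEY='VALUE' in the
# persistent config file that centmin.sh sources before menu option 2/22.
# Values are written single-quoted, matching the LETSENCRYPT_DETECT='y' line
# in the thread. Third argument (config path) is optional.
set_cmm_option() {
    key="$1"; value="$2"; config="${3:-/etc/centminmod/custom_config.inc}"
    mkdir -p "$(dirname "$config")"
    touch "$config"
    if grep -q "^${key}=" "$config"; then
        # Replace the existing assignment in place (portable, no sed -i).
        tmp="${config}.tmp.$$"
        sed "s|^${key}=.*|${key}='${value}'|" "$config" > "$tmp" && mv "$tmp" "$config"
    else
        printf "%s='%s'\n" "$key" "$value" >> "$config"
    fi
}

# Print the current value of KEY with surrounding single quotes stripped,
# or nothing if the key is not set.
get_cmm_option() {
    key="$1"; config="${2:-/etc/centminmod/custom_config.inc}"
    [ -f "$config" ] || return 0
    sed -n "s|^${key}='\{0,1\}\([^']*\)'\{0,1\}$|\1|p" "$config" | tail -n 1
}

# Print how many times KEY is assigned; should stay at 1 however often
# set_cmm_option is run (the thread's echo >> approach grows this count).
count_cmm_option() {
    key="$1"; config="${2:-/etc/centminmod/custom_config.inc}"
    grep -c "^${key}=" "$config" 2>/dev/null || true
}
```

Running `set_cmm_option LETSENCRYPT_DETECT y` performs the thread's one-time step; re-running it later is harmless.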