
SSL Guide: Renewing & Reinstalling SSL Certificate on Centminmod with GoGetSSL

Discussion in 'Domains, DNS, Email & SSL Certificates' started by deltahf, Jan 3, 2016.

  1. deltahf

    deltahf Active Member

    After moving my site to SSL almost a year ago, it was time to renew my certificate. I didn't realize that "renewing" your certificate actually just involved purchasing an entirely new certificate (I naively thought it was like a domain name), which requires you to re-install it on your server.

    All of the guides I found explained how to install a brand new certificate from scratch, but none touched on how to overwrite an old certificate. I now realize how simple this is (and I'm sure some of you experts are LOL'ing at me right now), but I thought it might be useful to put together a quick guide to help anyone else who might be confused by this.

    This guide assumes you are using a paid SSL certificate and followed the official Centminmod Nginx SPDY SSL setup guide. I use a GeoTrust QuickSSL Premium certificate purchased from GoGetSSL.

    Step 1

    After you follow the renewal process with your SSL provider and have your new certificate, download the new .crt file. With GoGetSSL, you do this via the "Download SSL" button on your Certificate Details page (make sure you are downloading the new certificate and not the old one by checking the expiration date). It will have a name similar to www_yourdomain_com.crt.

    Step 2

    Go to your SSL certificate directory (if you followed the Centminmod SSL setup guide, it will be located in /usr/local/nginx/conf/ssl/yourdomain). I would recommend making a copy of your old .crt file, just in case, and give it a different name. Now upload your new .crt file to this directory and make sure it overwrites the old one.

    Step 3

    Now we just need to get the new certificate into the ssl-unified.crt file. We can do this by simply concatenating the new certificate with the SSL provider's intermediate and root certificates. In my case, with GoGetSSL, they provide what is called a "ca-bundle" file that has all that stuff in it, so to create the new ssl-unified.crt file, just do the following:
    Code:
    $ cat www_domain_com.crt www_domain.com.ca-bundle > ssl-unified.crt
    Note that I did not have to download a new ca-bundle file, I just used the old one that I had left there when I first set up SSL on my server.

    Step 4

    Restart nginx with service nginx restart and make sure your site is still working. You should check the certificate in your browser to make sure it has the new expiration date; you can also use this SSL installation checker from GoGetSSL or this one from GeoTrust (I actually like GeoTrust's better) to verify the new date is shown there as well.

    As you can see, it's really simple. Hope this helps someone.
     
    • Winner x 2
    • Like x 1
    • Informative x 1
    • Useful x 1
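An added example, not part of the original post: pre-flight checks for Steps 2 and 3 of the guide above, confirming that the downloaded certificate belongs to the server's private key and is not the old, nearly expired one before `ssl-unified.crt` is rebuilt. The function names, the 7-day threshold and the private key argument are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not part of the original post. File names are placeholders.

# PEM public key embedded in a certificate file (first certificate only).
cert_pubkey() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

# PEM public key derived from the private key nginx is configured to use.
key_pubkey() { openssl pkey -in "$1" -pubout 2>/dev/null; }

# Succeeds only when the certificate was issued for this private key.
cert_matches_key() {
  c=$(cert_pubkey "$1") && k=$(key_pubkey "$2") && [ -n "$c" ] && [ "$c" = "$k" ]
}

# Succeeds when the certificate is still valid $2 seconds from now.
cert_valid_for() { openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1; }

# Build ssl-unified.crt from leaf + ca-bundle, refusing obviously wrong input.
# usage: stage_unified <leaf.crt> <ca-bundle> <private.key> <ssl-unified.crt>
stage_unified() {
  leaf=$1 bundle=$2 key=$3 out=$4
  cert_matches_key "$leaf" "$key" || {
    echo "refusing: $leaf was not issued for $key" >&2; return 1; }
  # 604800 s = 7 days: catches re-downloading the old, nearly expired certificate.
  cert_valid_for "$leaf" 604800 || {
    echo "refusing: $leaf expires within 7 days" >&2; return 1; }
  if [ -f "$out" ]; then cp -p "$out" "$out.bak"; fi   # keep the old chain
  tmp="$out.tmp.$$"
  # The echo guards against a leaf file with no trailing newline, which would
  # otherwise fuse the END and BEGIN markers of two certificates on one line.
  { cat "$leaf"; echo; cat "$bundle"; } > "$tmp" && mv "$tmp" "$out"
}

if [ "$#" -eq 4 ]; then stage_unified "$@"; fi
```

Running `nginx -t` after staging and before `service nginx restart` confirms that nginx can load the new chain together with the key.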
  2. eva2000

    eva2000 Administrator Staff Member

    Yup it's that simple ! Thanks for the write up @deltahf (y)
     
    • Like x 1
  3. ModeltogTossen

    ModeltogTossen I wish I could??

    Love your input for all of us.. I have to say - let them LOL as much as they wish.. We have all been there more or less.. In my country we have an expression (freely translated) - You have to crawl before you can walk - and with that - thanks for your guide.
     
    • Like x 1
  4. dorobo

    dorobo Active Member

    Since Namecheap has a Black Friday special where they're selling PositiveSSL for 0.88 per year, I thought I would extend the renewal date of my SSL certificate.

    Apparently, that's not how it works :D

    You cannot extend the validity of the certificate. Am I right, or is there still hope? LOL.
     
  5. eva2000

    eva2000 Administrator Staff Member

    Depends on the SSL provider you got the original existing SSL cert from, and when you renew, you still need to generate or provide a CSR file for the new SSL cert. With Centmin Mod Premium User Membership provided paid SSL certificates, I can extend the validity of my SSL cert so remaining time to expiry + new expiry. I did that for the sslspdy.com GGSSL (Comodo) wildcard SSL cert I use. But it's still a new SSL cert you need to install; just the expiry date is lengthened.

    So with my Centmin Mod Premium User Membership provided SSL certs, if you bought one with 1yr expiry and you have 3 months left, if you renew for another 1yr, the new SSL cert will have expiry = 3 months + 1yr = 15 months.
     
    • Informative x 1
  6. dorobo

    dorobo Active Member

    The first ssl is from gogetssl (GGSSL Domain SSL). I guess I would try and contact them if it's possible.
     
  7. eva2000

    eva2000 Administrator Staff Member

    yeah you should be able to extend it if you renew via GGSSL too
     
  8. dorobo

    dorobo Active Member

    gogetssl's response

     
  9. eva2000

    eva2000 Administrator Staff Member

    split any ssl ? yeah within 90 days of expiry so that remaining gets added to new ssl renewal expiry length
     
  10. dorobo

    dorobo Active Member

    buying ssl certificates from 2 different providers I guess.
     
  11. eva2000

    eva2000 Administrator Staff Member

    Oh in that case yeah won't work for extending existing ssl cert if it was from different provider :)
     
  12. dorobo

    dorobo Active Member

    dang I thought it was like domains :D
     
    • Funny x 1
  13. dorobo

    dorobo Active Member

    but yeah I tried the OPs tutorial and it worked.

    I was just wondering why only the new crt is needed and we can still use the old ca bundle. Does that mean that all ca-bundles of the same domain are the same?
     
  14. eva2000

    eva2000 Administrator Staff Member

    heh that's why I like getting my paid ssl certs via my ssl reseller accounts I can extend on renewal my GGSSL Wildcard SSL certs if they're within 90 days of expiry. Hence, why I order paid ssl certs via Centmin Mod Premium User Membership :)

    The CA bundle is the CA root and intermediate, and they're all the same for all domains issued by the same provider if they're the same type, i.e. RSA 2048bit or ECC 256bit ECDSA CA bundles would be most common.
     
    • Informative x 1
  15. dorobo

    dorobo Active Member

    Ah! I think the cheapest gogetssl is just a white label of Comodo's positive ssl so yes they're basically the same I think. So that's why it still worked even if it's from different providers?
     
  16. eva2000

    eva2000 Administrator Staff Member

    Yeah, SSL provider should be SSL issuer, so Comodo is SSL issuer and GGSSL is SSL provider. As long as SSL issuer is the same.
     
    • Informative x 1
  17. deltahf

    deltahf Active Member

    Almost time to renew my single-domain SSL certificate and I'm thinking of saving some money, replacing my GeoTrust cert ($38/year) with a GoGetSSL cert ($3.22/year). :ROFLMAO:

    I will be sticking with GoGetSSL as the provider of course. Are there any special steps I need to take or be aware of when replacing the certificate? Can I follow my own guide above or will I need to follow the complete installation process for the new cert?
     
    • Like x 1
  18. eva2000

    eva2000 Administrator Staff Member

    Your guide should be sufficient for renewal too :)
     
    • Informative x 1
  19. deltahf

    deltahf Active Member

    OK, new certificate installed! After I realized that GoGetSSL's certificates are really just re-branded Comodo certificates (here is why I don't like Comodo), I decided to go with RapidSSL instead (which is GeoTrust's cheap SSL brand). It's not quite as cheap as GoGetSSL's rebranded certs but still a massive savings at just $7.38 per year for three years.

    There were a few problems switching from GeoTrust's QuickSSL Premium to RapidSSL Standard, though. I followed my own guide above and the new certificate worked, but when verifying things with the SSL installation checker from GoGetSSL or this one from GeoTrust, it was reporting problems with the intermediate certificate. When restarting nginx, I was also shown the following warning:

    Code (Text):
    Starting nginx: nginx: [warn] "ssl_stapling" ignored, issuer certificate not found
    


    To fix this I had to download the new ca-bundle which would work with RapidSSL from the new certificate's detail page in my GoGetSSL account. Then I ran the following again to combine the domain's new CRT file with the new ca-bundle and then create an updated ssl-trusted.crt file:

    Code (Text):
    cat www_mydomain_com.crt www_mydomain_com.ca-bundle > ssl-unified.crt;
    cat www_mydomain_com.ca-bundle > ssl-trusted.crt;
    


    After fixing that, there were no more nginx restart warnings and the SSL installation checkers gave me a passing grade.

    However, the GoGetSSL checker said I was vulnerable to Heartbleed, and the GeoTrust checker said I was vulnerable to BEAST (though I think that's expected if I want to maintain support for older browsers, right?). GeoTrust also had the following complaint:
    How does it know this and what file do I need to remove?
     
    • Informative x 1
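An added example, not part of the original post: the nginx warning quoted above appears when the issuer of the site certificate is not among the CA certificates nginx was given, which is what happens when a ca-bundle from a different product is reused. This check compares the leaf's issuer name hash with the subject name hash of every certificate in the bundle; the function names are assumptions, and a name match does not verify the signature.

```shell
#!/bin/sh
# Added example, not part of the original post. File names are placeholders.

# Print the subject-name hash of every certificate in a PEM bundle, one per line.
bundle_subject_hashes() {
  pem=""
  while IFS= read -r line || [ -n "$line" ]; do
    pem="$pem$line
"
    case "$line" in
      *"END CERTIFICATE"*)
        # One complete PEM block collected: hash its subject, then start over.
        printf '%s' "$pem" | openssl x509 -noout -subject_hash 2>/dev/null
        pem="" ;;
    esac
  done < "$1"
}

# Succeeds only if some certificate in the bundle carries the subject name
# that the leaf certificate names as its issuer.
# usage: bundle_has_issuer <leaf.crt> <ca-bundle>
bundle_has_issuer() {
  want=$(openssl x509 -in "$1" -noout -issuer_hash 2>/dev/null) || return 2
  [ -n "$want" ] || return 2
  bundle_subject_hashes "$2" | grep -qx "$want"
}

if [ "$#" -eq 2 ]; then
  if bundle_has_issuer "$1" "$2"; then
    echo "ok: $2 contains the issuer of $1"
  else
    echo "mismatch: download the ca-bundle that belongs to $1" >&2
    exit 1
  fi
fi
```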
  20. eva2000

    eva2000 Administrator Staff Member

    Nice info. Though GoGetSSL for me is still best priced ssl cert heh

    not all ssl checkers are created equal. You should probably only trust dev version of ssllabs tester at SSL Server Test (Powered by Qualys SSL Labs)
     
    • Informative x 1