SSL Letsencrypt How can I enable/install dual certs on existing domain?

Discussion in 'Domains, DNS, Email & SSL Certificates' started by pamamolf, May 18, 2019 at 1:40 PM.

  1. pamamolf

    pamamolf Premium Member
    Hello

    1) How can I enable/install dual certs on an existing domain with a self-signed certificate?

    2) How can I enable/install dual certs on an existing domain with a Let's Encrypt certificate?

    Thank you
     
  2. eva2000

    eva2000 Administrator Staff Member
    Same method for either of the 2 situations you mentioned if using Centmin Mod 123.09beta01 or newer version. If you want to use dual RSA 2048bit + ECDSA 256bit SSL certificates, ensure your persistent config file /etc/centminmod/custom_config.inc has these 2 set
    Code (Text):
    LETSENCRYPT_DETECT='y'
    DUALCERTS='y'
    

    Then, provided your domain is already using a Centmin Mod generated Nginx HTTPS/SSL vhost and you have the nginx vhost in the format /usr/local/nginx/conf/conf.d/domain.com.ssl.conf, you should be able to use the acmetool.sh reissue-only option to reissue Letsencrypt SSL certs in both RSA 2048bit + ECDSA 256bit SSL certificate types.
    Then test the domain using the SSLlabs tester to verify that you have both RSA 2048bit + ECDSA 256bit Letsencrypt SSL certificates: SSL Server Test (Powered by Qualys SSL Labs)
     
  3. pamamolf

    Is any cipher order needed, or anything to adjust? I don't know how it will know that I am using two certificates and use the faster one on supported browsers.
     
  4. eva2000

    123.09beta01's nginx vhost HTTPS routine these days puts all ssl certs into an include file for your nginx vhost, so when you switch to dual certs, it's only changing contents of that include file without touching your nginx vhost. There's nothing to adjust - but test with ssllabs to ensure it's working.
     
  5. pamamolf

    No errors but it didn't work :(

    I first did a test for the forums here and I was able to see the two certificates at Qualys, and then I added here:

    And then I ran without any errors:

    After that I did a check at Qualys and I got only one certificate :(

    Certificate #1: RSA 2048 bits (SHA256withRSA)

    Any ideas?

    Thank you
     
  6. pamamolf

    I just did an nprestart and now it works :)

    Is the automated Nginx reload not enough for this?
     
    Last edited: May 20, 2019 at 9:20 AM
  7. eva2000

    Depends if your domain had any PHP caching in play; then the php-fpm restart might be needed.
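
Added example (not part of the thread and not Centmin Mod's own code): a local alternative to the SSL Labs check that confirms the two settings from post 2, counts the certificates configured on disk, and probes which certificate type the running server presents. Function names are hypothetical; it assumes custom_config.inc holds shell-style KEY='value' lines where the last assignment wins, and the nginx include file path is passed as an argument because the thread does not name it.

```shell
#!/usr/bin/env bash
# Added example; function names are hypothetical.

# Print the value of the last active (uncommented) assignment of key $2 in
# file $1. Assumes shell-style KEY='value' lines where the last one wins.
last_setting() {
  sed -n "s/^[[:space:]]*$2=['\"]\{0,1\}\([^'\"#[:space:]]*\).*/\1/p" "$1" | tail -n 1
}

# Return 0 only if both settings named in the thread are 'y' in config $1.
dualcerts_config_ok() {
  [ -r "$1" ] || return 2
  for key in LETSENCRYPT_DETECT DUALCERTS; do
    [ "$(last_setting "$1" "$key")" = "y" ] || return 1
  done
}

# Count active ssl_certificate directives (ssl_certificate_key and commented
# lines excluded) in nginx file $1. A dual-cert setup has two.
count_ssl_certificates() {
  grep -Ec '^[[:space:]]*ssl_certificate[[:space:]]+' "$1" || true
}

# Print the leaf certificate's key algorithm when the client offers only one
# TLS 1.2 authentication type. $1 = hostname, $2 = RSA or ECDSA.
# Empty output means the handshake failed, e.g. no certificate of that type.
served_key_type() {
  openssl s_client -connect "$1:443" -servername "$1" -tls1_2 \
    -cipher "ECDHE-$2-AES128-GCM-SHA256" </dev/null 2>/dev/null |
    openssl x509 -noout -text 2>/dev/null |
    sed -n 's/^[[:space:]]*Public Key Algorithm:[[:space:]]*//p'
}

# Report both probes for host $1, e.g. "RSA: rsaEncryption".
probe_dual_certs() {
  for auth in RSA ECDSA; do
    echo "$auth: $(served_key_type "$1" "$auth")"
  done
}
```

Run `dualcerts_config_ok /etc/centminmod/custom_config.inc` before reissuing and `probe_dual_certs domain.com` afterwards; a working dual-cert vhost reports rsaEncryption for RSA and id-ecPublicKey for ECDSA. If the include file on disk lists two certificates but the ECDSA probe prints nothing, the running Nginx is still serving the old configuration, which is the state post 6 cleared with nprestart.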
     