Letsencrypt How to add SSL to a non-SSL vhost?

Discussion in 'Install & Upgrades or Pre-Install Questions' started by Afaq, Dec 23, 2018.

  1. Afaq

    Afaq Member

    81
    3
    8
    Aug 5, 2015
    Ratings:
    +5
    Local Time:
    10:30 PM
    I am using Centminmod 123.09beta01 with CentOS 7. I have been using it for over a year now and when I set up this server I created a non-SSL host. However, now I want to add SSL to it, how do I go about that? I will be using Let's Encrypt's free SSL so please let me know if there are any specific instructions.

    Secondly, I am running Magento 1.9.3.4 on this server, so if anyone can please give the Nginx config for SSL setup, that would be great as well. Thanks.
     
  2. eva2000

    eva2000 Administrator Staff Member

    38,681
    8,540
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +13,123
    Local Time:
    3:30 AM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    For Magento see the forums at https://community.centminmod.com/forums/ecommerce-shopping-cart-usage.35/ with magento tagged at https://community.centminmod.com/forums/35/?prefix_id=62

    There's generally 3 ways of setting up an HTTPS SSL certificate for Centmin Mod Nginx HTTP/2 based HTTPS. For you, method 3 for existing non-HTTPS vhosts is the best way.

    Method 1. The traditional way via centmin.sh menu option 2, 22 and selecting yes to self-signed ssl certificates first. Then converting the self-signed ssl certificate to paid or free (Letsencrypt) web browser trusted SSL certificates outlined at How to switch self-signed SSL certificate to paid SSL certificate ? You would still need to follow the same steps outlined at Nginx SPDY SSL Configuration for obtaining and purchasing the paid SSL certificate and the most important part is the concatenation of the SSL provider provided files to create the mentioned /usr/local/nginx/conf/ssl/domaincom/ssl-unified.crt and /usr/local/nginx/conf/ssl/domaincom/ssl-trusted.crt files referenced in your Nginx SSL vhost config file.

    You may need to also decide if you want to enable HTTP to HTTPS redirect outlined at How to force redirect from HTTP:// to HTTPS:// ?

    If you didn't answer yes at time of initial nginx vhost creation to self-signed ssl certificates, you can manually set up the self-signed ssl certificate via the vhost generator by checking the self-signed ssl box and entering a domain name. This will outline instructions for manually creating and setting up the self-signed ssl certificate and nginx vhost settings. Then for web browser trusted ssl certificates you follow - How to switch self-signed SSL certificate to paid SSL certificate ?.

    Method 2. Using and testing Centmin Mod 123.09beta01's new addons/acmetool.sh addon, which is still in beta testing only, for integrating Letsencrypt SSL certificates, and has both auto and manual methods.

    Method 3. Fully manual method for free Letsencrypt SSL certificates.
    Note:
    • For the wordpress auto installer, you actually need to read method 2 to enable LETSENCRYPT_DETECT='y' then run centmin.sh menu option 22 which will detect letsencrypt support and display the additional letsencrypt prompts required to issue free letsencrypt ssl certificates for the wordpress auto installer
     
  3. Afaq

  4. eva2000

    Steps outlined at https://centminmod.com/migrating-to-https.html are just an elaborated version of the steps outlined at https://centminmod.com/vhost.php
     
  5. Afaq

    Thanks. I just want to confirm one last thing before I go ahead and do this. Since I will be doing this on a live server and won't want to have much downtime, I am being extra cautious.

    This is my current non-ssl NGINX config:
    Code:
    # Centmin Mod Getting Started Guide
    # must read http://centminmod.com/getstarted.html
    
    # redirect from non-www to www
    # uncomment, save file and restart Nginx to enable
    # if unsure use return 302 before using return 301
    #server {
    #            listen   80;
    #            server_name domain.com;
    #            return 301 $scheme://www.domain.com$request_uri;
    #       }
    
    server {
      listen 80;
      server_name .domain.com;
    
    # ngx_pagespeed & ngx_pagespeed handler
    #include /usr/local/nginx/conf/pagespeed.conf;
    #include /usr/local/nginx/conf/pagespeedhandler.conf;
    #include /usr/local/nginx/conf/pagespeedstatslog.conf;
      # limit_conn limit_per_ip 16;
      # ssi  on;
    
      access_log /home/nginx/domains/domain.com/log/access.log combined buffer=256k flush=60m;
      error_log /home/nginx/domains/domain.com/log/error.log;
    
      root /home/nginx/domains/domain.com/public;
    
      # prevent access to ./directories and files
      location ~ (?:^|/)\. {
       deny all;
      } 
    
      location / {
    
    # block common exploits, sql injections etc
    #include /usr/local/nginx/conf/block.conf;
    
      # Enables directory listings when index file not found
      #autoindex  on;
    
      # Shows file listing times as local time
      #autoindex_localtime on;
    
      # Enable for vBulletin usage WITHOUT vbSEO installed
      # More example Nginx vhost configurations at
      # http://centminmod.com/nginx_configure.html
      try_files        $uri $uri/ @handler;
      index index.html index.php;
      expires 30d;
    
      }
    
     location @handler {
     rewrite / /index.php;
     }
    
     location ~ \.php/ {
       # strip trailing path info after the script name; the dot is escaped so the
       # pattern matches a literal ".php" rather than any character followed by "php"
       rewrite ^(.*\.php)/ $1 last;
     }
    
     location ~ \.php$ {
     #if(!-e $request_filename) {
     #  rewrite / /index.php last;
     #}
    
     expires  off;
     fastcgi_pass 127.0.0.1:9000;
     #fastcgi_param HTTPS $fastcgi_https;
     fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
     fastcgi_param MAGE_RUN_CODE default;
     fastcgi_param MAGE_RUN_TYPE store;
     include fastcgi_params;
    }
    
     # include /usr/local/nginx/conf/staticfiles.conf;
     # include /usr/local/nginx/conf/php.conf;
     # include /usr/local/nginx/conf/drop.conf;
      #include /usr/local/nginx/conf/errorpage.conf;
     # include /usr/local/nginx/conf/vts_server.conf;
    }
    
    According to my understanding after reading this thread: https://community.centminmod.com/threads/configuration-centmin-mod-with-magento.2142/

    and the instructions on vHost Generator, I simply need to add this code to my server block on my current configuration:
    Code:
      ssl_dhparam /usr/local/nginx/conf/ssl/domain.com/dhparam.pem;
      ssl_certificate      /usr/local/nginx/conf/ssl/domain.com/domain.com-acme.cer;
      ssl_certificate_key  /usr/local/nginx/conf/ssl/domain.com/domain.com-acme.key;
      include /usr/local/nginx/conf/ssl_include.conf;
    
      http2_max_field_size 16k;
      http2_max_header_size 32k;
      # dual cert supported ssl ciphers
      ssl_ciphers TLS13-AES-128-GCM-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS;
      ssl_prefer_server_ciphers   on;
      #add_header Alternate-Protocol  443:npn-spdy/3;
      #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
      #add_header X-Frame-Options SAMEORIGIN;
      #add_header X-Xss-Protection "1; mode=block" always;
      #add_header X-Content-Type-Options "nosniff" always;
      #spdy_headers_comp 5;
      ssl_buffer_size 1369;
      ssl_session_tickets on;
     
      resolver 8.8.8.8 8.8.4.4 valid=10m;
      resolver_timeout 10s;
      ssl_stapling on;
      ssl_stapling_verify on;
      ssl_trusted_certificate /usr/local/nginx/conf/ssl/domain.com/domain.com-acme.cer;
    And lastly,

    Change this line from my original config:
    Code:
    listen 80;
    to
    Code:
    listen 443 ssl http2;

    Is this correct?
     
  6. eva2000

    Yes, correct, though you'd want to be doing this in the domain.com.ssl.conf vhost in the final version and not in domain.com.conf (non-HTTPS).
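Before reloading Nginx on the live server, the converted domain.com.ssl.conf vhost from the exchange above can be sanity-checked with a small pre-flight script. This is an added example, not Centmin Mod's own tooling; the directive names and file paths it looks for are the ones from the thread, and the vhost path is an assumption.

```shell
#!/bin/sh
# Pre-flight check for a converted HTTPS vhost (example code, not Centmin Mod's).
# Usage: check_ssl_vhost /usr/local/nginx/conf/conf.d/domain.com.ssl.conf
# Returns 0 when the vhost listens on 443 with ssl and every TLS file it
# references exists and is readable; prints each finding and returns 1 otherwise.
check_ssl_vhost() {
  conf="$1"
  rc=0
  if [ ! -r "$conf" ]; then
    echo "FAIL: cannot read $conf"
    return 1
  fi
  # 'listen 80;' must have become 'listen 443 ssl http2;' in the HTTPS vhost.
  # Commented-out lines never match because the line must start with 'listen'.
  if grep -Eq '^[[:space:]]*listen[[:space:]]+443[[:space:]].*ssl' "$conf"; then
    echo "ok:   listen 443 ssl present"
  else
    echo "FAIL: no 'listen 443 ssl' directive (still listening on port 80 only?)"
    rc=1
  fi
  # Every path handed to a TLS directive must exist, otherwise nginx -t fails
  # and a reload would keep serving the old configuration.
  for directive in ssl_certificate ssl_certificate_key ssl_dhparam ssl_trusted_certificate; do
    path=$(awk -v d="$directive" '$1 == d { gsub(";", "", $2); print $2; exit }' "$conf")
    if [ -z "$path" ]; then
      echo "warn: $directive not set"
      continue
    fi
    if [ -r "$path" ]; then
      echo "ok:   $directive -> $path"
    else
      echo "FAIL: $directive -> $path (missing or unreadable)"
      rc=1
    fi
  done
  # OCSP stapling verification needs a trusted chain to verify against.
  if grep -Eq '^[[:space:]]*ssl_stapling_verify[[:space:]]+on' "$conf" && \
     ! grep -Eq '^[[:space:]]*ssl_trusted_certificate[[:space:]]' "$conf"; then
    echo "FAIL: ssl_stapling_verify on without ssl_trusted_certificate"
    rc=1
  fi
  return $rc
}
```

Run it against the new vhost and follow a clean result with `nginx -t` before reloading, so Nginx's own parser has the final word.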
     
  7. Afaq

    Everything is working fine. Thanks a lot.
     
    Last edited: Dec 27, 2018
  8. eva2000

    Excellent :)
     
  9. Afaq

    One issue has arisen. My magento cronjob has stopped working.

    Code:
    0 */4 * * * /usr/bin/cminfo_updater
    MAILTO="[email protected]"
    */5 * * * * /usr/local/bin/php -f /home/nginx/domains/mydomain.com/public/cron.php
    11 */23 * * * /usr/local/src/centminmod/tools/autoprotect.sh 2>/dev/null
    21 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null
    It was working before I installed SSL. The only thing added is the last acme.sh line. The rest of it is the same as before but it's not working. If I open the cron.php URL in a browser, the cronjob works.
     
  10. eva2000

    Verify if cronjobs actually ran via the /var/log/cron log; you can grep filter the log for 'cron.php'
    Code (Text):
    grep 'cron.php' /var/log/cron | tail -10; date
    

    That will filter and list the last 10 entries with the word 'cron.php' in them, then print the current server date/time, so you can see if cronjobs have run.

    If they have run, then it could be your email client/provider logging the emailed wp-cli updates to the spam/junk box, in which case see Email - Steps to ensure your site/server email doesn't end up in spam inboxes

    Also try running crontab -e to edit the cronjob and just exit afterwards from the nano editor to re-save cronjobs
     
  11. Afaq

    I checked the logs. The cron.php is running but oddly, Magento is still showing that cron is not running. This time I also checked running cron.php in the browser and it didn't work. Magento has another bash script for cron. I ran that from SSH like this:
    Code:
    /bin/bash scheduler_cron.sh
    And it worked. Magento acknowledged that cron ran.

    But putting it in crontab like this:
    Code:
    /bin/bash /home/nginx/domains/domain.com/public/scheduler_cron.sh
    still doesn't work.
    Log shows:
    Code:
    CROND[14563]: (root) CMD (/bin/bash /home/nginx/domains/domain.com/public/scheduler_cron.sh)
     
  12. Afaq

    I just checked my emails. I am getting these emails regarding autoprotect script:
    Code:
    generated nginx include file [same]: /usr/local/nginx/conf/autoprotect/demodomain.com/autoprotect-demodomain.com.conf
    generated nginx include file [same]: /usr/local/nginx/conf/autoprotect/mydomain.com/autoprotect-mydomain.com.conf
    
    autoprotect.sh run completed skipped nginx restart...
    And apart from that I am getting these errors:
    Code:
    which: no php in (/usr/bin:/bin)
    /home/nginx/domains/mydomain.com/public/cron.sh: line 47: /home/nginx/domains/mydomain.com/public/cron.php: Permission denied
    Code:
    which: no php in (/usr/bin:/bin)
    Could not find a binary for php
    I believe the scheduler_cron.sh actually runs cron.sh which runs cron.php.
     
  13. Afaq

    OK. It's working now. There was some issue with Magento's cron.php file. Thanks a lot.
     
  14. eva2000

    Glad to hear :)
     