
[SSL] How to install an SSL certificate on Centminmod?

Discussion in 'Domains, DNS, Email & SSL Certificates' started by pamamolf, Oct 12, 2014.

  1. pamamolf (Premium Member)
    Hi,

    I want to ask, please, if we have a topic here with a tutorial on how to install an SSL certificate on Centminmod?

    Also, if I want to use the certificate at www.mydomain.com and not at mydomain.com, should I get a wildcard certificate?

    Any free one to test on my VPS?

    Why don't you have the green bar for SSL here on the forum?


    Thanks :)
     
    Last edited: Oct 12, 2014
  2. rdan (Well-Known Member)
  3. eva2000 (Administrator, Staff Member, Brisbane, Australia)
  4. Josephm (Active Member)
    Another question about SSL, by the way: I'd like to set up my own self-signed SSL certificate for my IP address, not a domain. How can I do it?
     
  5. eva2000 (Administrator, Staff Member)
    3rd post, 1st link. It is the same, as an SSL certificate is tied to a domain/subdomain, not an IP.
     
  6. Josephm (Active Member)
  7. eva2000 (Administrator, Staff Member)
    Just set up domain DNS pointing to the IP, and then the IP can use HTTPS. As it's self-signed, it will have an untrusted warning either way.
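    As an added example (not from this thread or from Centmin Mod), here is the lab-only self-signed certificate Josephm asks about, generated with openssl and checked the way you would check any certificate before pointing nginx at it. A browser visiting https://1.2.3.4 matches the address against an iPAddress entry in the certificate's subjectAltName, not against the CN, so the IP goes into the SAN; eva2000's point still stands that no public CA issues for a private IP and the result is untrusted until the browser is told to trust it. The IP is the one from the virtual.conf sample later in this thread; the output directory and the file names ip.key / ip.crt are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or from Centmin Mod: self-signed cert for a
# raw IP (lab use), plus the two checks that catch most install mistakes:
# the IP really is in the SAN, and the private key really matches the cert.
# Assumptions: 192.168.150.129 is the IP from the thread's virtual.conf sample;
# the output directory and the names ip.key / ip.crt are made up.

# make_ip_cert <ip> <outdir> : writes <outdir>/ip.key and <outdir>/ip.crt
make_ip_cert() {
    ip="$1"
    outdir="$2"
    mkdir -p "$outdir"
    chmod 700 "$outdir"
    # minimal openssl config; prompt=no takes the subject from [dn] as written,
    # and x509_extensions adds the SAN plus the key-usage bits a leaf cert needs
    cat > "$outdir/openssl.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_req
prompt = no
[dn]
CN = $ip
[v3_req]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = IP:$ip
EOF
    openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days 365 \
        -config "$outdir/openssl.cnf" \
        -keyout "$outdir/ip.key" -out "$outdir/ip.crt" 2>/dev/null
    chmod 600 "$outdir/ip.key"   # nginx reads the key as root; nobody else needs it
}

# cert_has_ip_san <crt> <ip> : exit 0 if the certificate lists <ip> as an IP SAN
cert_has_ip_san() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -qE "IP Address:$2(,|\$)"
}

# cert_matches_key <crt> <key> : exit 0 if the key's public half is the one in the cert
cert_matches_key() {
    certpub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    keypub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$certpub" ] && [ "$certpub" = "$keypub" ]
}
```

    Point the default_server vhost's ssl_certificate and ssl_certificate_key at ip.crt and ip.key. cert_matches_key is worth running on every certificate you install, self-signed or not: a key/cert mismatch is the most common reason nginx refuses to start after adding a vhost.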
     
  8. Josephm (Active Member)
    Just noticed that the Nginx HTTPS / SSL Google SPDY configuration has a minor typo in
    "ssl_certificate /usr/local/nginx/conf/ssl/domain.com/yourdomain_com.crt". I think there is no dot here in your previous instruction.
     
  9. Josephm (Active Member)
    Did my test on localhost, it worked well ;). Checked SPDY 3.1 with the SPDY indicator extension for Chrome.
     
    Last edited: Oct 13, 2014
  10. eva2000 (Administrator, Staff Member)
  11. Josephm (Active Member)
    By the way, I had this message from the nginx config rewrite:
    [1013/061346:INFO:google_message_handler.cc(35)] No threading detected. Own threads: 1 Rewrite, 1 Expensive Rewrite.

    Not sure what it is from? My config file is:
    Code:
    server {
      server_name test1.com www.test1.com;
      return 301 https://$server_name$request_uri;
    }

    server {
      listen  443 ssl spdy;

      access_log off;
      error_log off;

      index index.php index.html index.htm;
      server_name test1.com www.test1.com;
      ssl_certificate  /usr/local/nginx/conf/ssl/test1com/test1_com.crt;
      ssl_certificate_key  /usr/local/nginx/conf/ssl/test1com/bangkey.key;
      ssl_session_cache  shared:SSL:10m;
      ssl_session_timeout  10m;

      # SSLv3 removed: it is exposed to POODLE and no current client needs it
      ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
      # mozilla recommended; RC4 suites removed from the list and excluded with !RC4
      ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!RC4:!MD5:!PSK:!kEDH:!EDH:!CAMELLIA;

      ssl_prefer_server_ciphers  on;
      add_header Alternate-Protocol  443:npn-spdy/3;
      add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
      #add_header  X-Content-Type-Options "nosniff";
      #add_header X-Frame-Options DENY;
      spdy_headers_comp 5;
      ssl_buffer_size 1400;
      ssl_session_tickets on;

      # enable ocsp stapling
      #resolver 8.8.8.8 8.8.4.4 valid=10m;
      #resolver_timeout 10s;
      #ssl_stapling on;
      #ssl_stapling_verify on;
      #ssl_trusted_certificate /usr/local/nginx/conf/ssl/test1com/domain.com-trusted.crt;

      # ngx_pagespeed & ngx_pagespeed handler
      include /usr/local/nginx/conf/pagespeed.conf;
      include /usr/local/nginx/conf/pagespeedhandler.conf;
      include /usr/local/nginx/conf/pagespeedstatslog.conf;
      include /usr/local/nginx/conf/wordpress/general.conf;

      # limit_conn limit_per_ip 16;
      # ssi  on;

      root /home/nginx/domains/test1.com/public;

      # location takes a URI prefix, not a filesystem path; the document root is set by root above
      location / {

        # block common exploits, sql injections etc
        #include /usr/local/nginx/conf/block.conf;

        # Enables directory listings when index file not found
        #autoindex  on;

        # Shows file listing times as local time
        #autoindex_localtime on;

        # Enable for vBulletin usage WITHOUT vbSEO installed
        #try_files  $uri $uri/ /index.php;

      }

      include /usr/local/nginx/conf/staticfiles.conf;
      include /usr/local/nginx/conf/php.conf;
      include /usr/local/nginx/conf/drop.conf;
      #include /usr/local/nginx/conf/errorpage.conf;
    }

     
  12. eva2000 (Administrator, Staff Member)
  13. pamamolf (Premium Member)
    But is it normal to display this even if ngx_pagespeed is disabled?
     
  14. eva2000 (Administrator, Staff Member)
    Yes, as long as ngx_pagespeed is integrated into nginx, that info message notice will show up even if it is disabled.
     
  15. Josephm (Active Member)
    FYI, if you would like to redirect 404 errors to a custom page, we have to add "error_page 404 = /404.html;" under the
    https SSL SPDY vhost. For example, my code:
    Code:
    server {
      server_name test1.com www.test1.com;
      return 301 https://$server_name$request_uri;
    
    }
    
    # https SSL SPDY vhost
    server {
      listen 443 ssl spdy;
      server_name test1.com;
      access_log off;
      error_log off;
      index index.php index.html index.htm;
      error_page  404 = /404.html;
    
      ssl_certificate  /usr/local/nginx/conf/ssl/test1com/test1_com.crt;
      ssl_certificate_key  /usr/local/nginx/conf/ssl/test1com/bangkey.key;
      ssl_session_cache  shared:SSL:10m;
      ssl_session_timeout  10m;
    .............................
    
    Hi @eva2000, I wonder why you did not create the nginx .conf template with error_page included (commented out with #) in the vhost. However, you created these .html files in the directory?
     
  16. eva2000 (Administrator, Staff Member)
    left that to end user to do :)
     
  17. Josephm (Active Member)
    Hi @eva2000, I had another question. I built 2 vhosts, test1.com and test2.com, with different SSL certificates. Both sites are running SSL fine.
    However, these sites run under one IP address. When I tried to enter https://1.2.3.4, for example, the browser always uses the SSL certificate of test1.com, not test2.com.
    How can I define a default SSL certificate for when a user enters the IP address with https?
    Thank you very much ;)
     
  18. rdan (Well-Known Member)
    Modify virtual.conf
     
  19. Josephm (Active Member)
    Thanks @RoldanLT, I tried and it worked, my virtual.conf sample:
    Code:
    server {
    #  listen  80;
      listen  80 default_server backlog=2048;
      server_name 192.168.150.129;
      return 301 https://$server_name$request_uri;
      root  html;
    }
    
    server {
      listen 443 default_server ssl spdy;
      server_name 192.168.150.129;
    
      ssl_certificate  /usr/local/nginx/conf/ssl/test3com/test3_com.crt;
      ssl_certificate_key  /usr/local/nginx/conf/ssl/test3com/test3_com.key;
      ssl_session_cache  shared:SSL:10m;
      ssl_session_timeout  10m;
    
      ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
      # mozilla recommended
      ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!CAMELLIA;
    
      ssl_prefer_server_ciphers  on;
      add_header Alternate-Protocol  443:npn-spdy/3;
      add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
      #add_header  X-Content-Type-Options "nosniff";
      #add_header X-Frame-Options DENY;
      spdy_headers_comp 5;
      ssl_buffer_size 1400;
      ssl_session_tickets on;
    
      # enable ocsp stapling
      #resolver 8.8.8.8 8.8.4.4 valid=10m;
      #resolver_timeout 10s;
      #ssl_stapling on;
      #ssl_trusted_certificate /usr/local/nginx/conf/ssl/test3.com/test3.com-trusted.crt;
      access_log  /var/log/nginx/localhost.access.log  main buffer=32k;
      error_log  /var/log/nginx/localhost.error.log  error;
    
    # ngx_pagespeed & ngx_pagespeed handler
    #include /usr/local/nginx/conf/pagespeed.conf;
    #include /usr/local/nginx/conf/pagespeedhandler.conf;
    #include /usr/local/nginx/conf/pagespeedstatslog.conf;
    
    # limit_conn limit_per_ip 16;
    # ssi  on;
    
      location / {
    
    # block common exploits, sql injections etc
    #include /usr/local/nginx/conf/block.conf;
    
    #  Enables directory listings when index file not found
    #  autoindex  on;
    
    #  Shows file listing times as local time
    #  autoindex_localtime on;
    
    #  Enable for vBulletin usage WITHOUT vbSEO installed
    #  try_files  $uri $uri/ /index.php;
    
      }
    
      # example nginx-http-concat
      # /csstest/??one.css,two.css
      #location /csstest {
      #concat on;
      #concat_max_files 20;
      #}
    
    include /usr/local/nginx/conf/staticfiles.conf;
    include /usr/local/nginx/conf/php.conf;
    #include /usr/local/nginx/conf/phpstatus.conf;
    include /usr/local/nginx/conf/drop.conf;
    #include /usr/local/nginx/conf/errorpage.conf;
    
      }
    
     
  20. rdan (Well-Known Member)
    I think you must put your host name also.