
SSL Install SSL certificate on DigitalOcean VPS

Discussion in 'Domains, DNS, Email & SSL Certificates' started by dooma, Nov 6, 2016.

  1. dooma

    dooma Member

    226
    22
    18
    Oct 15, 2016
    Cairo
    Ratings:
    +27
    Local Time:
    2:27 AM
    How to protect the install and admin folders without using a static IP?

    And what is the best method to install the SSL certificate I purchased from Namecheap?


    Thanks
     
  2. eva2000

    eva2000 Administrator Staff Member

    30,835
    6,903
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,393
    Local Time:
    10:27 AM
    Nginx 1.13.x
    MariaDB 5.5
    Instructions are located further below in the section
    Protected Xenforo Directories Nginx Rewrites for Xenforo Friendly Urls - CentminMod.com LEMP Nginx web stack for CentOS

    There are generally two ways of setting up an HTTPS SSL certificate for Centmin Mod Nginx HTTP/2 based HTTPS.

    Method 1. The traditional way via centmin.sh menu option 2 or 22, selecting yes to self-signed SSL certificates first, then converting the self-signed SSL certificate to a paid or free (Letsencrypt) web browser trusted SSL certificate as outlined at How to switch self-signed SSL certificate to paid SSL certificate ? You would still need to follow the same steps outlined at Nginx SPDY SSL Configuration for obtaining and purchasing the paid SSL certificate. The most important part is the concatenation of the files provided by the SSL provider to create the mentioned /usr/local/nginx/conf/ssl/domaincom/ssl-unified.crt and /usr/local/nginx/conf/ssl/domaincom/ssl-trusted.crt files referenced in your Nginx SSL vhost config file.

    You may need to also decide if you want to enable HTTP to HTTPS redirect outlined at How to force redirect from HTTP:// to HTTPS:// ?

    If you didn't answer yes to self-signed SSL certificates at the time of initial Nginx vhost creation, you can manually set up the self-signed SSL certificate via the vhost generator by checking the self-signed SSL box and entering a domain name. This will outline instructions for manually creating and setting up the self-signed SSL certificate and Nginx vhost settings. Then for web browser trusted SSL certificates, follow How to switch self-signed SSL certificate to paid SSL certificate ?.

    Method 2. Using and testing Centmin Mod 123.09beta01's new addons/acmetool.sh addon, which is still in beta testing only, for integrating Letsencrypt SSL certificates.
     
  3. dooma

    Hi,
    I already have my paid SSL, so there's no need to follow this and I can start with these instructions? Sorry, I'm a bit confused.
     
  4. eva2000

  5. dooma

    How can I get the CSR code to activate my SSL? Thanks
     
  6. eva2000

  7. dooma

    I activated and generated my SSL successfully. What should be the next step to activate it on my website?

    Thanks
     
  8. eva2000

  9. dooma

    Hello,
    Sorry for asking many questions.

    According to this one:

    1. How can I upload the 2 files of my SSL that I received to /usr/local/nginx/conf/ssl/domaincom/ from my local computer?

    2. Should I follow the steps at both tutorials?

    Installing SSL is very confusing!

    Thanks
     
  10. eva2000

    Either SFTP as the root user, or just use a Linux text editor and create the files by copying and pasting their contents.

    The easiest way to edit or create any files on your server is to log into your server via SSH and edit them directly using the nano or vim Linux text editors.

    I started out with the pico text editor in Pine, so I prefer using its successor, nano, which you can read up more about here and here. For the vim text editor read here and here.

    Also there are numerous online how-to guides for nano and vim you can search for via Google :)

    Nginx Vhost & NSD DNS Setup - CentminMod.com LEMP Nginx web stack for CentOS redirects you to the steps and instructions at Nginx SPDY SSL Configuration - CentminMod.com LEMP Nginx web stack for CentOS, so it's one and the same, so to speak.
     
  11. dooma

    The site went down when I tried to restart nginx!
     
  12. eva2000

    Maybe this renewal guide might give you more ideas, as it's the same method for the initial SSL setup too: SSL - Guide: Renewing & Reinstalling SSL Certificate on Centminmod with GoGetSSL | Centmin Mod Community

    As to the site being down: when you create a new Nginx vhost domain via centmin.sh menu option 2, menu option 22 or the /usr/bin/nv cli command line, it creates the Nginx vhost files and directories. It outputs the path location where it creates the domain name's vhost conf file named newdomain.com.conf (and newdomain.com.ssl.conf if you selected yes to self-signed SSL):
    • Nginx vhost conf path will be at /usr/local/nginx/conf/conf.d/newdomain.com.conf
    • Nginx HTTP/2 SSL vhost conf path will be at /usr/local/nginx/conf/conf.d/newdomain.com.ssl.conf
    • Nginx Self-Signed SSL Certificate Directory at /usr/local/nginx/conf/ssl/newdomain.com
    • Vhost public web root will be at /home/nginx/domains/newdomain.com/public
    • Vhost log directory will be at /home/nginx/domains/newdomain.com/log
    Please post the contents of /usr/local/nginx/conf/conf.d/newdomain.com.conf and, if applicable, /usr/local/nginx/conf/conf.d/newdomain.com.ssl.conf wrapped in CODE tags (outlined at How to use forum BBCODE code tags).
     
  13. dooma

    Code (Text):
     cat /usr/local/nginx/conf/conf.d/mydomain.com.conf
    # Centmin Mod Getting Started Guide
    # must read http://centminmod.com/getstarted.html
    
    # redirect from non-www to www
    # uncomment, save file and restart Nginx to enable
    # if unsure use return 302 before using return 301
    #server {
    #            listen   80;
    #            server_name mydomain.com;
    #            return 301 $scheme://www.mydomain.com$request_uri;
    #       }
    
    server {
    
      server_name mydomain.com www.mydomain.com;
    
    # ngx_pagespeed & ngx_pagespeed handler
    #include /usr/local/nginx/conf/pagespeed.conf;
    #include /usr/local/nginx/conf/pagespeedhandler.conf;
    #include /usr/local/nginx/conf/pagespeedstatslog.conf;
    
      #add_header X-Frame-Options SAMEORIGIN;
      #add_header X-Xss-Protection "1; mode=block" always;
      #add_header X-Content-Type-Options "nosniff" always;
    
      # limit_conn limit_per_ip 16;
      # ssi  on;
    
      access_log /home/nginx/domains/mydomain.com/log/access.log main_ext buffer=256k flush=60m;
      error_log /home/nginx/domains/mydomain.com/log/error.log;
    
      include /usr/local/nginx/conf/autoprotect/mydomain.com/autoprotect-mydomain.com.conf;
      root /home/nginx/domains/mydomain.com/public;
      # uncomment cloudflare.conf include if using cloudflare for
      # server and/or vhost site
      #include /usr/local/nginx/conf/cloudflare.conf;
      include /usr/local/nginx/conf/503include-main.conf;
    
      # prevent access to ./directories and files
      #location ~ (?:^|/)\. {
      # deny all;
      #}
    
      location / {
        index index.php index.html index.htm;
        try_files $uri $uri/ /index.php?$uri&$args;
      }

      location /internal_data/ {
        internal;
        allow 127.0.0.1;
        #allow my ISP ip;
        deny all;
      }

      location /library/ {
        internal;
        allow 127.0.0.1;
        #allow my ISP ip;
        deny all;
      }
    
    
    
      include /usr/local/nginx/conf/staticfiles.conf;
      include /usr/local/nginx/conf/php.conf;
      include /usr/local/nginx/conf/drop.conf;
      #include /usr/local/nginx/conf/errorpage.conf;
      include /usr/local/nginx/conf/vts_server.conf;
    }
    


    Code (Text):
    cat /usr/local/nginx/conf/conf.d/mydomain.com.ssl.conf
    # Centmin Mod Getting Started Guide
    # must read http://centminmod.com/getstarted.html
    # For SPDY SSL Setup
    # read http://centminmod.com/nginx_configure_https_ssl_spdy.html
    
    # redirect from www to non-www  forced SSL
    # uncomment, save file and restart Nginx to enable
    # if unsure use return 302 before using return 301
    # server {
    #       listen   80;
    #       server_name mydomain.com www.mydomain.com;
    #       return 302 https://$server_name$request_uri;
    # }
    
    server {
      listen 443 ssl http2;
      server_name mydomain.com www.mydomain.com;
    
      ssl_dhparam /usr/local/nginx/conf/ssl/mydomain.com/dhparam.pem;
      ssl_certificate      /usr/local/nginx/conf/ssl/mydomain.com/mydomain.com.crt;
      ssl_certificate_key  /usr/local/nginx/conf/ssl/mydomain.com/mydomain.com.key;
      include /usr/local/nginx/conf/ssl_include.conf;
    
      http2_max_field_size 16k;
      http2_max_header_size 32k;
      # mozilla recommended
      ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA256:EECDH+ECDSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+SHA384:EECDH+AES128:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!CAMELLIA;
      ssl_prefer_server_ciphers   on;
      #add_header Alternate-Protocol  443:npn-spdy/3;
    
      # before enabling HSTS line below read centminmod.com/nginx_domain_dns_setup.html#hsts
      add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
      #add_header X-Frame-Options SAMEORIGIN;
      #add_header X-Xss-Protection "1; mode=block" always;
      #add_header X-Content-Type-Options "nosniff" always;
      #spdy_headers_comp 5;
      ssl_buffer_size 1369;
      ssl_session_tickets on;
    
      # enable ocsp stapling
      resolver 8.8.8.8 8.8.4.4 valid=10m;
      resolver_timeout 10s;
      ssl_stapling on;
      ssl_stapling_verify on;
      ssl_trusted_certificate /usr/local/nginx/conf/ssl/mydomain.com/mydomain.com-trusted.crt;
    
    # ngx_pagespeed & ngx_pagespeed handler
    #include /usr/local/nginx/conf/pagespeed.conf;
    #include /usr/local/nginx/conf/pagespeedhandler.conf;
    #include /usr/local/nginx/conf/pagespeedstatslog.conf;
    
      # limit_conn limit_per_ip 16;
      # ssi  on;
    
      access_log /home/nginx/domains/mydomain.com/log/access.log main_ext buffer=256k flush=60m;
      error_log /home/nginx/domains/mydomain.com/log/error.log;
    
      include /usr/local/nginx/conf/autoprotect/mydomain.com/autoprotect-mydomain.com.conf;
      root /home/nginx/domains/mydomain.com/public;
      # uncomment cloudflare.conf include if using cloudflare for
      # server and/or vhost site
      #include /usr/local/nginx/conf/cloudflare.conf;
      include /usr/local/nginx/conf/503include-main.conf;
    
      # prevent access to ./directories and files
      #location ~ (?:^|/)\. {
      # deny all;
      #}
    
      location / {
      include /usr/local/nginx/conf/503include-only.conf;
    
    # block common exploits, sql injections etc
    #include /usr/local/nginx/conf/block.conf;
    
      # Enables directory listings when index file not found
      #autoindex  on;
    
      # Shows file listing times as local time
      #autoindex_localtime on;
    
      # Enable for vBulletin usage WITHOUT vbSEO installed
      # More example Nginx vhost configurations at
      # http://centminmod.com/nginx_configure.html
      #try_files    $uri $uri/ /index.php;
    
      }
    
      include /usr/local/nginx/conf/staticfiles.conf;
      include /usr/local/nginx/conf/php.conf;
      include /usr/local/nginx/conf/drop.conf;
      #include /usr/local/nginx/conf/errorpage.conf;
      include /usr/local/nginx/conf/vts_server.conf;
    }
    


    Thanks for support :)
     
  14. eva2000

    Looks okay, except the domain.com.ssl.conf version needs the same XenForo config as domain.com.conf for:
    Code (Text):
    location / {
      index index.php index.html index.htm;
      try_files $uri $uri/ /index.php?$uri&$args;
    }

    location /internal_data/ {
      internal;
      allow 127.0.0.1;
      #allow my ISP ip;
      deny all;
    }

    location /library/ {
      internal;
      allow 127.0.0.1;
      #allow my ISP ip;
      deny all;
    }
    

    Use the nginx config test command to see what's wrong:
    Code (Text):
    nginx -t
     
  15. dooma

    Here's the nginx -t output:

    Code (Text):
    nginx: [emerg] SSL_CTX_load_verify_locations("/usr/local/nginx/conf/ssl/mydomain.com/mydomain.com-trusted.crt") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/usr/local/nginx/conf/ssl/mydomain.com/mydomain.com-trusted.crt', 'r') error:2006D080:BIO routines:BIO_new_file:no such file error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib)
    nginx: configuration file /usr/local/nginx/conf/nginx.conf test failed
    
     
  16. eva2000

    You didn't create the file loaded in domain.com.ssl.conf for ssl_trusted_certificate at /usr/local/nginx/conf/ssl/mydomain.com/mydomain.com-trusted.crt, as per the instructions at Nginx SPDY SSL Configuration - CentminMod.com LEMP Nginx web stack for CentOS:
    Code (Text):
      # enable ocsp stapling
      resolver 8.8.8.8 8.8.4.4 valid=10m;
      resolver_timeout 10s;
      ssl_stapling on;
      ssl_stapling_verify on;
      ssl_trusted_certificate /usr/local/nginx/conf/ssl/mydomain.com/mydomain.com-trusted.crt;


    from Nginx SPDY SSL Configuration - CentminMod.com LEMP Nginx web stack for CentOS says
     
  17. dooma

    I did that and the nginx restart failed too. Please, can you look at this:
    Code (Text):
    # cd /usr/local/nginx/conf/ssl/domain.com/
    # cat domainwithoutdotcom_com.crt domain_com.ca-bundle > ssl-unified.crt
    # cat domain(withoutdotcom)_com.ca-bundle > ssl-trusted.crt
    # cd /usr/local/nginx/conf/ssl/domain.com/
    # cat domain_com.crt domain_com.ca-bundle > ssl-unified.crt
    # cat domain_com.ca-bundle > ssl-trusted.crt
    # ngxrestart
    Restarting nginx (via systemctl):  Job for nginx.service failed because the control process exited with error code. See "systemctl status nginx.service" and "journalctl -xe" for details.
                                                               [FAILED]
    # nginx -t
    nginx: [emerg] SSL_CTX_load_verify_locations("/usr/local/nginx/conf/ssl/domain.com/domain.com-trusted.crt") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/usr/local/nginx/conf/ssl/domain.com/domain.com-trusted.crt', 'r') error:2006D080:BIO routines:BIO_new_file:no such file error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib)
    nginx: configuration file /usr/local/nginx/conf/nginx.conf test failed
    # ls /usr/local/nginx/conf/ssl/domain.com
    dhparam.pem                  ssl-trusted.crt             domain_com.crt
    hpkp-info-primary-pin.txt    ssl-unified.crt             domain.com.crt
    hpkp-info-secondary-pin.txt  domain.com-backup.csr  domainname.com.csr
    Server01.csr                 domainame-backup.key  domain.com.key
    Server01.key                 mydomainname_com.ca-bundle
    


    Thanks a lot for help and sorry for disturbance :)
     
  18. eva2000

    What's the output for
    Code (Text):
    ls -lah /usr/local/nginx/conf/ssl/domain.com/domain.com-trusted.crt
     
  19. eva2000

    Actually, I see you need to change it to point to /usr/local/nginx/conf/ssl/domaincom/ssl-trusted.crt
    Code (Text):
    ssl_trusted_certificate /usr/local/nginx/conf/ssl/domaincom/ssl-trusted.crt;
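    The failure in the posts above is nginx -t refusing the config because the ssl_trusted_certificate path in the vhost points at a file that was never created. As an added example that is not part of this thread or of Centmin Mod, the POSIX shell script below reads the SSL file directives out of a vhost config and checks each referenced file before a restart is attempted; the temp directory, file names and PEM blocks it builds are constructed placeholders, not real certificates.

```shell
# Added example, not code from the thread or from Centmin Mod: pre-flight
# check that every SSL file an nginx vhost references exists and holds PEM
# data, so a missing ssl-trusted.crt is caught before ngxrestart is run.

# Print the number of PEM certificates in a file (0 if missing or empty).
count_pem_certs() {
    n=$(grep -c 'BEGIN CERTIFICATE' "$1" 2>/dev/null || true)
    echo "${n:-0}"
}

# Print the first uncommented value of directive $2 in vhost config $1.
directive_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}\([^;]*\);.*/\1/p" "$1" | head -n 1
}

# Return 0 when every SSL file the vhost points at is readable and the
# certificate files contain PEM blocks; otherwise print each problem, return 1.
check_vhost_ssl() {
    problems=0
    for d in ssl_certificate ssl_certificate_key ssl_trusted_certificate ssl_dhparam; do
        path=$(directive_value "$1" "$d")
        [ -n "$path" ] || continue          # directive not used in this vhost
        if [ ! -r "$path" ]; then           # the case nginx -t reported in the thread
            echo "$d: $path does not exist"; problems=$((problems + 1)); continue
        fi
        case $d in ssl_certificate|ssl_trusted_certificate)
            if [ "$(count_pem_certs "$path")" -eq 0 ]; then
                echo "$d: $path holds no PEM certificate"; problems=$((problems + 1))
            fi ;;
        esac
    done
    [ "$problems" -eq 0 ]
}

# Build constructed fixtures in a temp dir: dummy PEM blocks (not real
# certificates) concatenated the way the thread builds ssl-unified.crt and
# ssl-trusted.crt, plus two vhost snippets: good.ssl.conf points at
# ssl-trusted.crt, bad.ssl.conf at the never-created domain.com-trusted.crt.
make_fixtures() {
    dir=$(mktemp -d)
    pem() { printf '%s\n%s\n%s\n' '-----BEGIN CERTIFICATE-----' "$1" '-----END CERTIFICATE-----'; }
    pem leaf > "$dir/domain_com.crt"
    { pem intermediate; pem root; } > "$dir/domain_com.ca-bundle"
    cat "$dir/domain_com.crt" "$dir/domain_com.ca-bundle" > "$dir/ssl-unified.crt"
    cat "$dir/domain_com.ca-bundle" > "$dir/ssl-trusted.crt"
    : > "$dir/domain.com.key"
    for name in good bad; do
        trusted=ssl-trusted.crt; [ "$name" = bad ] && trusted=domain.com-trusted.crt
        printf '  ssl_certificate %s/ssl-unified.crt;\n  ssl_certificate_key %s/domain.com.key;\n  ssl_trusted_certificate %s/%s;\n' \
            "$dir" "$dir" "$dir" "$trusted" > "$dir/$name.ssl.conf"
    done
    echo "$dir"
}
```

    Run check_vhost_ssl against the real /usr/local/nginx/conf/conf.d/domain.com.ssl.conf before ngxrestart; it reports the same missing file nginx -t would, without touching the running server.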
     
  20. dooma

    Do you mean this:

    Code (Text):
    ls -lah /usr/local/nginx/conf/ssl/mydomain.com/ssl-trusted.crt
    -rw-r--r-- 1 root root 4.1K Nov  9 02:07 /usr/local/nginx/conf/ssl/mydomain.com/ssl-trusted.crt
    


    The contents of ssl-trusted.crt are 2 certificates (Begin..... and End....).