SSL Install SSL certificate on DigitalOcean VPS

dooma · Nov 6, 2016

How to protect the install and admin folder without using static IP ?

and What is the best method to install my SSL I purchased from namecheap ?

Thanks

eva2000 · Nov 6, 2016

instructions are located further below in section
Protected Xenforo Directories Nginx Rewrites for Xenforo Friendly Urls - CentminMod.com LEMP Nginx web stack for CentOS

There's generally 2 ways of setting up HTTPS SSL certificate for Centmin Mod Nginx HTTP/2 based HTTPS

Method 1. The traditional way via centmin.sh menu option 2, 22 and selecting yes to self-signed ssl certificates first. Then converting the self-signed ssl certificate to paid or free (Letsencrypt) web browser trusted SSL certificates outlined at How to switch self-signed SSL certificate to paid SSL certificate ? You would still need to follow the same steps outlined at Nginx SPDY SSL Configuration for obtaining and purchasing the paid SSL certificate and most important part is the concatenation of the SSL provider provided filesto create the mentioned /usr/local/nginx/conf/ssl/domaincom/ssl-unified.crt and /usr/local/nginx/conf/ssl/domaincom/ssl-trusted.crtfiles referenced in your Nginx SSL vhost config file.

You may need to also decide if you want to enable HTTP to HTTPS redirect outlined at How to force redirect from HTTP:// to HTTPS:// ?

If you didn't answer yes at time of initial nginx vhost creation to self-signed ssl certificates, you can manually setup the self-signed ssl certificate via the vhost generator by checking self-signed ssl box and enter a domain name. This will outline instructions for manually creating and setting up self-signed ssl certificate and nginx vhost settings. Then for web browser trusted ssl certificates you switch follow - How to switch self-signed SSL certificate to paid SSL certificate ?.

Method 2. Using and testing Centmin Mod 123.09beta01's new addons/acmetool.sh addon which is still in beta testing only for integrating Letsencrypt SSL certificates.

dooma · Nov 7, 2016

Hi,
I already have my paid ssl so no need for following this and start with this instructions ? sorry I'm a bit confused.

eva2000 · Nov 7, 2016

dooma said: ↑

Hi,
I already have my paid ssl so no need for following this and start with this instructions ? sorry I'm a bit confused.
Click to expand...

yes this Nginx Vhost & NSD DNS Setup - CentminMod.com LEMP Nginx web stack for CentOS if you have self-signed ssl cert and nginx domain.com.ssl.conf already from when you answered yes to self-signed when initially creating nginx vhost.

dooma · Nov 7, 2016

how can I get the CSR code to active my SSL ? Thanks

eva2000 · Nov 7, 2016

dooma said: ↑

how can I get the CSR code to active my SSL ? Thanks
Click to expand...

see https://centminmod.com/nginx_configure_https_ssl_spdy.html#opensslcsr for CSR file - if you already got ssl certificate, then you would of already generated a CSR file anyway

dooma · Nov 7, 2016

I activated and generated my SSL successfully what should be the next step to activate it at my website ?

Thanks

eva2000 · Nov 7, 2016

All steps are outlined from Setting Up Nginx SSL at Nginx SPDY SSL Configuration and Nginx Vhost & NSD DNS Setup

dooma · Nov 8, 2016

Hello,
Sorry for asking many questions.

According to this one :

1- How can I upload the 2 files of my SSL that I received from my local computer to /usr/local/nginx/conf/ssl/domaincom/ ?

2- Should I follow the steps at both tutorials ?

installing ssl is very confusing!

Thanks

eva2000 · Nov 8, 2016

either sftp as root user or just use linux text editor and create the files from copy and paste of contents.

Easiest way to edit or create any files on your server is via logging into your server via ssh and directly editing them using nano or vim linux text editors.

I started out with pico text editor in Pine so I prefer using it's successor, nano which you can read up more about nano here and here. For vim text editor read here and here.

Also there's numerous online how to use guides for nano and vim you can search for via google

dooma said: ↑

2- Should I follow the steps at both tutorials ?
Click to expand...

Nginx Vhost & NSD DNS Setup - CentminMod.com LEMP Nginx web stack for CentOS redirects you to steps and instructions at Nginx SPDY SSL Configuration - CentminMod.com LEMP Nginx web stack for CentOS so it's one and the same so to speak

dooma · Nov 8, 2016

The site gets down when I tried to restart nginx !

eva2000 · Nov 8, 2016

maybe this renewal guide might give you more ideas as it's the same method for initial ssl setup too SSL - Guide: Renewing & Reinstalling SSL Certificate on Centminmod with GoGetSSL | Centmin Mod Community

as to site down, when you create a new nginx vhost domain via centmin.sh menu option 2 or menu option 22 or via /usr/bin/nv cli command line, you will create the Nginx vhost files and directories. You will get an outputted the path location where it will create the domain name's vhost conf file named newdomain.com.conf (and newdomain.com.ssl.conf if you selected yes to self signed SSL)

Nginx vhost conf path will be at /usr/local/nginx/conf/conf.d/newdomain.com.conf

Nginx HTTP/2 SSL vhost conf path will be at /usr/local/nginx/conf/conf.d/newdomain.com.ssl.conf

Nginx Self-Signed SSL Certificate Directory at /usr/local/nginx/conf/ssl/newdomain.com

Vhost public web root will be at /home/nginx/domains/newdomain.com/public

Vhost log directory will be at /home/nginx/domains/newdomain.com/log

Please post the contents of /usr/local/nginx/conf/conf.d/newdomain.com.conf and if applicable /usr/local/nginx/conf/conf.d/newdomain.com.ssl.conf wrapped in CODE tags (outlined at How to use forum BBCODE code tags)

dooma · Nov 8, 2016

Code (Text):

 cat /usr/local/nginx/conf/conf.d/mydomain.com.conf
# Centmin Mod Getting Started Guide
# must read http://centminmod.com/getstarted.html

# redirect from non-www to www
# uncomment, save file and restart Nginx to enable
# if unsure use return 302 before using return 301
#server {
#            listen   80;
#            server_name mydomain.com;
#            return 301 $scheme://www.mydomain.com$request_uri;
#       }

server {

  server_name mydomain.com www.mydomain.com;

# ngx_pagespeed & ngx_pagespeed handler
#include /usr/local/nginx/conf/pagespeed.conf;
#include /usr/local/nginx/conf/pagespeedhandler.conf;
#include /usr/local/nginx/conf/pagespeedstatslog.conf;

  #add_header X-Frame-Options SAMEORIGIN;
  #add_header X-Xss-Protection "1; mode=block" always;
  #add_header X-Content-Type-Options "nosniff" always;

  # limit_conn limit_per_ip 16;
  # ssi  on;

  access_log /home/nginx/domains/mydomain.com/log/access.log main_ext buffer=256k flush=60m;
  error_log /home/nginx/domains/mydomain.com/log/error.log;

  include /usr/local/nginx/conf/autoprotect/mydomain.com/autoprotect-mydomain.com.conf;
  root /home/nginx/domains/mydomain.com/public;
  # uncomment cloudflare.conf include if using cloudflare for
  # server and/or vhost site
  #include /usr/local/nginx/conf/cloudflare.conf;
  include /usr/local/nginx/conf/503include-main.conf;

  # prevent access to ./directories and files
  #location ~ (?:^|/)\. {
  # deny all;
  #}

location / {
           index index.php index.html index.htm;
            try_files $uri $uri/ /index.php?$uri&$args;
        }

location /internal_data/ {
       internal;
        allow 127.0.0.1;
        #allow my ISP ip;
        deny all;
        }

        location /library/ {
        internal;
        allow 127.0.0.1;
        #allow my ISP ip;
        deny all;
        }



  include /usr/local/nginx/conf/staticfiles.conf;
  include /usr/local/nginx/conf/php.conf;
  include /usr/local/nginx/conf/drop.conf;
  #include /usr/local/nginx/conf/errorpage.conf;
  include /usr/local/nginx/conf/vts_server.conf;
}

Code (Text):

cat /usr/local/nginx/conf/conf.d/mydomain.com.ssl.conf
# Centmin Mod Getting Started Guide
# must read http://centminmod.com/getstarted.html
# For SPDY SSL Setup
# read http://centminmod.com/nginx_configure_https_ssl_spdy.html

# redirect from www to non-www  forced SSL
# uncomment, save file and restart Nginx to enable
# if unsure use return 302 before using return 301
# server {
#       listen   80;
#       server_name mydomain.com www.mydomain.com;
#       return 302 https://$server_name$request_uri;
# }

server {
  listen 443 ssl http2;
  server_name mydomain.com www.mydomain.com;

  ssl_dhparam /usr/local/nginx/conf/ssl/mydomain.com/dhparam.pem;
  ssl_certificate      /usr/local/nginx/conf/ssl/mydomain.com/mydomain.com.crt;
  ssl_certificate_key  /usr/local/nginx/conf/ssl/mydomain.com/mydomain.com.key;
  include /usr/local/nginx/conf/ssl_include.conf;

  http2_max_field_size 16k;
  http2_max_header_size 32k;
  # mozilla recommended
  ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA256:EECDH+ECDSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+SHA384:EECDH+AES128:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!CAMELLIA;
  ssl_prefer_server_ciphers   on;
  #add_header Alternate-Protocol  443:npn-spdy/3;

  # before enabling HSTS line below read centminmod.com/nginx_domain_dns_setup.html#hsts
  add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
  #add_header X-Frame-Options SAMEORIGIN;
  #add_header X-Xss-Protection "1; mode=block" always;
  #add_header X-Content-Type-Options "nosniff" always;
  #spdy_headers_comp 5;
  ssl_buffer_size 1369;
  ssl_session_tickets on;

  # enable ocsp stapling
  resolver 8.8.8.8 8.8.4.4 valid=10m;
  resolver_timeout 10s;
  ssl_stapling on;
  ssl_stapling_verify on;
  ssl_trusted_certificate /usr/local/nginx/conf/ssl/mydomain.com/mydomain.com-trusted.crt;

# ngx_pagespeed & ngx_pagespeed handler
#include /usr/local/nginx/conf/pagespeed.conf;
#include /usr/local/nginx/conf/pagespeedhandler.conf;
#include /usr/local/nginx/conf/pagespeedstatslog.conf;

  # limit_conn limit_per_ip 16;
  # ssi  on;

  access_log /home/nginx/domains/mydomain.com/log/access.log main_ext buffer=256k flush=60m;
  error_log /home/nginx/domains/mydomain.com/log/error.log;

  include /usr/local/nginx/conf/autoprotect/mydomain.com/autoprotect-mydomain.com.conf;
  root /home/nginx/domains/mydomain.com/public;
  # uncomment cloudflare.conf include if using cloudflare for
  # server and/or vhost site
  #include /usr/local/nginx/conf/cloudflare.conf;
  include /usr/local/nginx/conf/503include-main.conf;

  # prevent access to ./directories and files
  #location ~ (?:^|/)\. {
  # deny all;
  #}

  location / {
  include /usr/local/nginx/conf/503include-only.conf;

# block common exploits, sql injections etc
#include /usr/local/nginx/conf/block.conf;

  # Enables directory listings when index file not found
  #autoindex  on;

  # Shows file listing times as local time
  #autoindex_localtime on;

  # Enable for vBulletin usage WITHOUT vbSEO installed
  # More example Nginx vhost configurations at
  # http://centminmod.com/nginx_configure.html
  #try_files    $uri $uri/ /index.php;

  }

  include /usr/local/nginx/conf/staticfiles.conf;
  include /usr/local/nginx/conf/php.conf;
  include /usr/local/nginx/conf/drop.conf;
  #include /usr/local/nginx/conf/errorpage.conf;
  include /usr/local/nginx/conf/vts_server.conf;
}

Thanks for support

eva2000 · Nov 9, 2016

looks okay except the domain.com.ssl.conf version needs same xenforo config as domain.com.conf for
Code (Text):
location / {
           index index.php index.html index.htm;
            try_files $uri $uri/ /index.php?$uri&$args;
        }

location /internal_data/ {
       internal;
        allow 127.0.0.1;
        #allow my ISP ip;
        deny all;
        }

        location /library/ {
        internal;
        allow 127.0.0.1;
        #allow my ISP ip;
        deny all;
        }
dooma said: ↑

The site gets down when I tried to restart nginx !
Click to expand...

Use nginx test check config command to see what's wrong
Code (Text):
nginx -t

dooma · Nov 9, 2016

Here's nginx -t content :

Code (Text):

nginx: [emerg] SSL_CTX_load_verify_locations("/usr/local/nginx/conf/ssl/mydomain.com/mydomain.com-trusted.crt") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/usr/local/nginx/conf/ssl/mydomain.com/mydomain.com-trusted.crt', 'r') error:2006D080:BIO routines:BIO_new_file:no such file error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib)
nginx: configuration file /usr/local/nginx/conf/nginx.conf test failed

eva2000 · Nov 9, 2016

you didn't create the file loaded in domain.com.ssl.conf for ssl_trusted_certificate at /usr/local/nginx/conf/ssl/mydomain.com/mydomain.com-trusted.crt as per instructions at Nginx SPDY SSL Configuration - CentminMod.com LEMP Nginx web stack for CentOS
Code (Text):
  # enable ocsp stapling
  resolver 8.8.8.8 8.8.4.4 valid=10m;
  resolver_timeout 10s;
  ssl_stapling on;
  ssl_stapling_verify on;
  ssl_trusted_certificate /usr/local/nginx/conf/ssl/mydomain.com/mydomain.com-trusted.crt;
from Nginx SPDY SSL Configuration - CentminMod.com LEMP Nginx web stack for CentOS says
For /usr/local/nginx/conf/ssl/domaincom/ssl-trusted.crt
Code (Text):
  cat intermediate.crt root.pem > ssl-trusted.crt
If your SSL provider only provides something like yourdomain_com.crt and yourdomain_com.ca-bundle, then concat them this way:

For ssl-unified.crt
Code (Text):
  cat yourdomain_com.crt yourdomain_com.ca-bundle > ssl-unified.crt
For ssl-trusted.crt
Code (Text):
  cat yourdomain_com.ca-bundle > ssl-trusted.crt
You'll end up with ssl-unified.crt file at /usr/local/nginx/conf/ssl/domaincom/ssl-unified.crt and ssl-trusted.crt at /usr/local/nginx/conf/ssl/domaincom/ssl-trusted.crt
Click to expand...

dooma · Nov 9, 2016

I did that and the restart of nginx failed too. please can you look at this :

Code (Text):

# cd /usr/local/nginx/conf/ssl/domain.com/
# cat domainwithoutdotcom_com.crt domain_com.ca-bundle > ssl-unified.crt
# cat domain(withoutdotcom)_com.ca-bundle > ssl-trusted.crt
# cd /usr/local/nginx/conf/ssl/domain.com/
# cat domain_com.crt domain_com.ca-bundle > ssl-unified.crt
# cat domain_com.ca-bundle > ssl-trusted.crt
# ngxrestart
Restarting nginx (via systemctl):  Job for nginx.service failed because the control process exited with error code. See "systemctl status nginx.service" and "journalctl -xe" for details.
                                                           [FAILED]
# nginx -t
nginx: [emerg] SSL_CTX_load_verify_locations("/usr/local/nginx/conf/ssl/domain.com/domain.com-trusted.crt") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/usr/local/nginx/conf/ssl/domain.com/domain.com-trusted.crt', 'r') error:2006D080:BIO routines:BIO_new_file:no such file error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib)
nginx: configuration file /usr/local/nginx/conf/nginx.conf test failed
# ls /usr/local/nginx/conf/ssl/domain.com
dhparam.pem                  ssl-trusted.crt             domain_com.crt
hpkp-info-primary-pin.txt    ssl-unified.crt             domain.com.crt
hpkp-info-secondary-pin.txt  domain.com-backup.csr  domainname.com.csr
Server01.csr                 domainame-backup.key  domain.com.key
Server01.key                 mydomainname_com.ca-bundle

Thanks a lot for help and sorry for disturbance

eva2000 · Nov 9, 2016

what's output for
Code (Text):
ls -lah /usr/local/nginx/conf/ssl/domain.com/domain.com-trusted.crt

eva2000 · Nov 9, 2016

actually i see you need to change to point to /usr/local/nginx/conf/ssl/domaincom/ssl-trusted.crt
Code (Text):
ssl_trusted_certificate /usr/local/nginx/conf/ssl/domaincom/ssl-trusted.crt;

dooma · Nov 9, 2016

do you mean this :
Code (Text):
ls -lah /usr/local/nginx/conf/ssl/mydomain.com/ssl-trusted.crt
-rw-r--r-- 1 root root 4.1K Nov  9 02:07 /usr/local/nginx/conf/ssl/mydomain.com/ssl-trusted.crt
The content of ssl-trusted.crt are 2 certificates (Begin..... and End....)

Log in / Register

Forums

Want more timely Centmin Mod News Updates?

SSL Install SSL certificate on DigitalOcean VPS

dooma Active Member

eva2000 Administrator Staff Member

dooma Active Member

eva2000 Administrator Staff Member

dooma Active Member

eva2000 Administrator Staff Member

dooma Active Member

eva2000 Administrator Staff Member

dooma Active Member

eva2000 Administrator Staff Member

dooma Active Member

eva2000 Administrator Staff Member

dooma Active Member

eva2000 Administrator Staff Member

dooma Active Member

eva2000 Administrator Staff Member

dooma Active Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

dooma Active Member

.

Log in / Register

Useful Searches

Want more timely Centmin Mod News Updates?

SSL Install SSL certificate on DigitalOcean VPS

dooma Active Member

eva2000 Administrator Staff Member

dooma Active Member

eva2000 Administrator Staff Member

dooma Active Member

eva2000 Administrator Staff Member

dooma Active Member

eva2000 Administrator Staff Member

dooma Active Member

eva2000 Administrator Staff Member

dooma Active Member

eva2000 Administrator Staff Member

dooma Active Member

eva2000 Administrator Staff Member

dooma Active Member

eva2000 Administrator Staff Member

dooma Active Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

dooma Active Member

.