
Letsencrypt: Is it possible to install letsencrypt without creating a new vhost?

Discussion in 'Domains, DNS, Email & SSL Certificates' started by CarpCharacin, Nov 25, 2016.

  1. CarpCharacin

    CarpCharacin Member

    267
    21
    18
    Oct 13, 2016
    Salt Lake City
    Ratings:
    +34
    Local Time:
    12:34 PM
    1.15.x
    MariaDB 10.1
    I am running the first command for letsencrypt now.

     
  2. CarpCharacin

    It says I need to use the tool after this finishes running. How do I install it?
     
  3. eva2000

    eva2000 Administrator Staff Member

    58,905
    12,490
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +19,122
    Local Time:
    4:34 AM
    Nginx 1.31.x
    MariaDB 10.x/11.4+/12.3+
    It's already in 123.09beta01; it just needs the commands outlined to be run to set up a persistent config with LETSENCRYPT_DETECT='y', as per the generated page instructions.
     
  4. CarpCharacin

    Does it matter what I set the admin username and password to in the file? Will I ever need that info?
     
  5. CarpCharacin

    I actually just set it to my ssh username and password.
    It says
    Where do I do that? I have done everything up to that point. When I try to access my site through HTTPS, it refuses to connect.
     
  6. CarpCharacin

    I have only completed down to setting the username and password. What should I do next?
     
  7. CarpCharacin

    It is showing a new vhost on the guide. I didn't want to create a new vhost. I just wanted to add letsencrypt to the existing one.
     
  8. CarpCharacin

    Ok, I managed to complete all of the steps and it is still refusing to connect. I put this code
    Code:
    # Centmin Mod Getting Started Guide
    # must read http://centminmod.com/getstarted.html
    # For HTTP/2 SSL Setup
    # read http://centminmod.com/nginx_configure_https_ssl_spdy.html
    
    # redirect from www to non-www  forced SSL
    # uncomment, save file and restart Nginx to enable
    # if unsure use return 302 before using return 301
    # server {
    #   server_name utahfishkeepers.us www.utahfishkeepers.us;
    #    return 302 https://utahfishkeepers.us$request_uri;
    # }
    
    server {
      listen 443 ssl http2;
      server_name utahfishkeepers.us www.utahfishkeepers.us;
    
      ssl_dhparam /usr/local/nginx/conf/ssl/utahfishkeepers.us/dhparam.pem;
      ssl_certificate      /usr/local/nginx/conf/ssl/utahfishkeepers.us/utahfishkeepers.us-acme.crt;
      ssl_certificate_key  /usr/local/nginx/conf/ssl/utahfishkeepers.us/utahfishkeepers.us-acme.key;
      include /usr/local/nginx/conf/ssl_include.conf;
    
      http2_max_field_size 16k;
      http2_max_header_size 32k;
      # dual cert supported ssl ciphers
      ssl_ciphers     EECDH+CHACHA20-draft:EECDH+CHACHA20:EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA256:EECDH+ECDSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+SHA384:EECDH+AES128:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!CAMELLIA;
      ssl_prefer_server_ciphers   on;
      #add_header Alternate-Protocol  443:npn-spdy/3;
      #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
      #add_header X-Frame-Options SAMEORIGIN;
      #add_header X-Xss-Protection "1; mode=block" always;
      #add_header X-Content-Type-Options "nosniff" always;
      #spdy_headers_comp 5;
      ssl_buffer_size 1369;
      ssl_session_tickets on;
     
      # enable ocsp stapling
      #resolver 8.8.8.8 8.8.4.4 valid=10m;
      #resolver_timeout 10s;
      #ssl_stapling on;
      #ssl_stapling_verify on;
      ssl_trusted_certificate /usr/local/nginx/conf/ssl/utahfishkeepers.us/utahfishkeepers.us-acme.crt; 
    
    # ngx_pagespeed & ngx_pagespeed handler
    #include /usr/local/nginx/conf/pagespeed.conf;
    #include /usr/local/nginx/conf/pagespeedhandler.conf;
    #include /usr/local/nginx/conf/pagespeedstatslog.conf;
    
      # limit_conn limit_per_ip 16;
      # ssi  on;
    
      access_log /home/nginx/domains/utahfishkeepers.us/log/access.log combined buffer=256k flush=60m;
      error_log /home/nginx/domains/utahfishkeepers.us/log/error.log;
    
      root /home/nginx/domains/utahfishkeepers.us/public;
    
      location /xenforo/ {
        index index.php index.html index.htm;
        try_files $uri $uri/ /xenforo/index.php?$uri&$args;
      }
    
      location /xenforo/admin.php {
        auth_basic "Private";
        auth_basic_user_file /usr/local/nginx/conf/htpasswd_admin_php;
        include /usr/local/nginx/conf/php.conf;
        allow 127.0.0.1;
        allow 173.255.217.82;
        deny all;
      }
    
      location /xenforo/install/ {
        auth_basic "Private";
        auth_basic_user_file /usr/local/nginx/conf/htpasswd_admin_php;
        include /usr/local/nginx/conf/php.conf;
        allow 127.0.0.1;
        allow 173.255.217.82;
        deny all;
      }
    
      location /xenforo/internal_data/ {
        internal;
        allow 127.0.0.1;
        allow 173.255.217.82;
        deny all;
      }
    
      location /xenforo/library/ {
        internal;
        allow 127.0.0.1;
        allow 173.255.217.82;
        deny all;
      }
    
      include /usr/local/nginx/conf/staticfiles.conf;
      include /usr/local/nginx/conf/php.conf;
      include /usr/local/nginx/conf/drop.conf;
      #include /usr/local/nginx/conf/errorpage.conf;
      include /usr/local/nginx/conf/vts_server.conf;
    }
    in /usr/local/nginx/conf/conf.d/utahfishkeepers.us.ssl.conf and it still won't connect.
     
  9. eva2000

    Don't set it to the SSH username! Make up a new one; you can just repeat the command to redo the user/pass for HTTP authentication.
    As explained at post #13 (difference between a new vhost and a vhost file): the commands only create a vhost file for SSL, not a new vhost, so your site vhost should now have 2 vhost files, one for HTTP at /usr/local/nginx/conf/conf.d/utahfishkeepers.us.conf and one for HTTPS at /usr/local/nginx/conf/conf.d/utahfishkeepers.us.ssl.conf

    Restarting the nginx server should work; if it doesn't restart, use the nginx config test command to find out why
    Code (Text):
    nginx -t
    


    The SSL Labs test (SSL Server Test: utahfishkeepers.us (Powered by Qualys SSL Labs)) says unable to connect, though DNS is okay (Global DNS Propagation Checker - What's My DNS?).

    Header check for HTTP and HTTPS at HTTP Header Check with an online CURL tool:

    The HTTP check shows a redirect to the www version
    Code (Text):
    HTTP/1.1 301 Moved Permanently
    Date: Fri, 25 Nov 2016 06:49:27 GMT
    Content-Type: text/html
    Content-Length: 178
    Connection: keep-alive
    Location: http://www.utahfishkeepers.us/
    Server: nginx centminmod
    X-Powered-By: centminmod


    The HTTPS check for both non-www and www shows host not found ??

    Please post the contents of /usr/local/nginx/conf/conf.d/newdomain.com.conf and if applicable /usr/local/nginx/conf/conf.d/newdomain.com.ssl.conf wrapped in CODE tags (outlined at How to use forum BBCODE code tags)
     
    Last edited: Nov 25, 2016
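    The post above narrows the symptom to "HTTP answers, HTTPS does not connect", but the SSL Labs and curl-header checks only report "unable to connect". The Python script below is an added example for this thread, not Centmin Mod's own tooling and not code from any poster; it separates the cases that lead to different fixes: port 443 refused (nothing is listening, typically because the .ssl.conf vhost did not pass nginx -t and was never loaded, or a firewall rejects the port), port open but the peer not speaking TLS, or a completed handshake, in which case it reports the protocol and the DNS names on the certificate so you can confirm the -acme.crt covers both www and non-www. fake_listener() and closed_port() are constructed loopback scaffolding so the demo runs offline; against the real host you would call probe_tls('utahfishkeepers.us') and head_request('utahfishkeepers.us').

```python
"""Triage for the "refuses to connect" symptom: tell a closed port 443 apart
from a port that is open but not speaking TLS, and from a working handshake.
Added example for this thread, not Centmin Mod's own tooling."""
import http.client
import socket
import ssl
import threading


def probe_tcp(host, port, timeout=3.0):
    """Classify the TCP layer as 'open', 'refused', 'timeout' or 'error'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"      # nothing listens: vhost not loaded, or firewall REJECT
    except socket.timeout:
        return "timeout"      # usually a firewall DROP
    except OSError:
        return "error"


def probe_tls(host, port=443, server_name=None, timeout=3.0, verify=True):
    """Classify the TLS layer on top of probe_tcp.

    Returns {'tcp': ..., 'tls': 'ok' | 'handshake_failed' | 'cert_invalid'
    | 'error' | None (TCP already failed)} plus 'protocol' and the DNS
    subjectAltNames when the chain verified. getpeercert() is empty when
    verify=False, so 'sans' is only meaningful with verification on.
    """
    result = {"tcp": probe_tcp(host, port, timeout), "tls": None}
    if result["tcp"] != "open":
        return result
    ctx = ssl.create_default_context()
    if not verify:            # inspect a self-signed/expired cert instead of aborting
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=server_name or host) as tls:
                cert = tls.getpeercert()
                result["tls"] = "ok"
                result["protocol"] = tls.version()
                result["sans"] = [v for k, v in cert.get("subjectAltName", ())
                                  if k == "DNS"]
    except ssl.SSLCertVerificationError as exc:   # subclass of SSLError: catch first
        result["tls"] = "cert_invalid"
        result["detail"] = exc.verify_message
    except ssl.SSLError as exc:                   # e.g. WRONG_VERSION_NUMBER: plain HTTP on 443
        result["tls"] = "handshake_failed"
        result["detail"] = exc.reason
    except OSError as exc:
        result["tls"] = "error"
        result["detail"] = str(exc)
    return result


def head_request(host, port=80, path="/", timeout=3.0):
    """Plain-HTTP HEAD like the online curl tool: returns (status, Location)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("HEAD", path)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


# --- constructed loopback scaffolding so the demo runs offline ------------

def fake_listener(reply):
    """Accept connections on a random loopback port and answer each with
    `reply` (plain bytes, never TLS): a stand-in for a misconfigured server."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            conn, _ = srv.accept()
            try:
                conn.recv(65536)          # whole ClientHello / HEAD request
                conn.sendall(reply)
            except OSError:
                pass                      # client already gone (probe_tcp closes at once)
            finally:
                conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def closed_port():
    """A loopback port with nothing listening on it."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def demo():
    """The situations from the thread, reproduced locally."""
    plain = fake_listener(b"HTTP/1.1 301 Moved Permanently\r\n"
                          b"Location: http://www.utahfishkeepers.us/\r\n"
                          b"Content-Length: 0\r\n\r\n")
    return {
        "refused": probe_tls("127.0.0.1", closed_port()),
        "not_tls": probe_tls("127.0.0.1", plain, server_name="utahfishkeepers.us"),
        "http_head": head_request("127.0.0.1", plain),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

    A 'refused' result on 443 with 'open' on 80 is the pattern in this thread: nginx is up but has not bound the HTTPS listener, so look at the output of nginx -t and the error log for the .ssl.conf file before touching certificates.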
  10. Tracy Perry

    Tracy Perry Active Member

    280
    118
    43
    Aug 24, 2014
    Texas
    Ratings:
    +210
    Local Time:
    1:34 PM
    1.21.6
    MariaDB 10.3.36
    Honestly, until you get a lot more comfortable using SSH and the command line, I'd be VERY hesitant about changing up anything in a working environment...
    You want to be sure you can fix it if it gets messed up.

    Manually modifying the vhost is not rocket science, but it does make some assumptions of basic Linux knowledge and nginx configuration.
     
  11. eva2000

    Yeah, true, but the best way to learn and remember is through mistakes.. well, that's my experience = becoming a pro just means you've made more mistakes than amateurs and learnt from those mistakes :D
     
  12. Tracy Perry

    And this is what bites many of them. They "forget" frequently since it's not something that they do often.
    For someone that doesn't know what exactly you mean when you say CLI, it can be worrisome - and when they always want to do their file edits via FTP, it makes me squirm. But I've been playing at the command line since the old DOS & OS/2 days. REXX was my good friend.
    I really wish I still had a copy of my multi-node binkley/maximus2 script that handled FidoNet for a large portion of Dallas when I was Net124 and HUB6000.
    It was a thing of beauty and was passed around by several of the HUB's in Net124 to handle mail (that used Binkley/Maximus2, as most of us did).
     
  13. eva2000

    Yeah, I should write up a how-to-learn guide in future.

    Best way: install and set up local VMware/VirtualBox, set up guest test CentOS servers and practice the same tasks over and over each week until you know them well :)

    That's basically what I do, outlined at Manage your server | Centmin Mod Community :D
     
  14. Tracy Perry

    That's what I also recommend to folks if they don't have a spare desktop/laptop sitting around.... but all too often that suggestion gets ignored and they want to jump straight in. I've honestly started getting burned out helping folks like that. I don't have a tendency to recommend stuff just because I like to hear the echo of my voice or the keys clicking. :blackeye:
     
  15. Tracy Perry

    @CarpCharacin, you are running under full SSL now. I'd suggest not doing anything to the system until you become a little more comfortable with it. I spent about 2 hours cleaning it up and getting it to work.
    You only have one vhost that serves for both HTTP and HTTPS inbound (the default is one for each but I prefer having it all in one) and also have your IPv6 configured to answer on HTTPS.

    You are welcome.
     
    Last edited: Nov 25, 2016
  16. CarpCharacin

    What did you have to clean up? I get a 403 forbidden when I try to access the admincp.
     
  17. CarpCharacin

    I know what CLI means and I figured out how to do the file edits with nano.
     
  18. CarpCharacin

    I am also banned from accessing /install. How do I unban myself?
     
  19. Tracy Perry

    Odds are it's the vhost definition still pointing at /xenforo (but don't think so) or you haven't created the htaccess password that it is secured by.

    EDIT:
    And it's the second (and what I figured it was) issue.
    I've commented the appropriate stanza entries out for now for both install and admin.php... but you do need to create your htaccess password file, uncomment those entries and then restart nginx.

    Code:
    location /admin.php {
    #     auth_basic "Private";
    #     auth_basic_user_file /usr/local/nginx/conf/htpasswd_admin_php;
    
     
  20. CarpCharacin

    Why does it need to be different?
    Where do I uncomment them and how will my other admin access admin.php? Couldn't I just have it how it was before without the htaccess password protection? I still can't access the admin panel.
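    Posts #9 and #19 both come down to the same task: create /usr/local/nginx/conf/htpasswd_admin_php with a credential that is not the SSH login, then uncomment the auth_basic lines and reload. The Python script below is an added example for this thread, not Centmin Mod's own tooling and not code from any poster. It generates a dedicated username/password and writes the entry in the {SSHA} form (base64 of sha1(password + salt) followed by the salt) that nginx's auth_basic_user_file accepts; each admin gets their own line, which is how a second admin reaches admin.php, and the script only builds and verifies lines in memory rather than touching the real file. Basic auth sends the username and password base64-encoded on every request, so if the same stanza ever lands in the port-80 vhost a reused SSH password would travel in the clear; that is why it must be a separate secret. Two caveats: {SSHA} is a single salted SHA-1 round, so the long random password is doing the real work (nginx also accepts crypt() hashes, for example from openssl passwd, where the system's crypt() supports the scheme), and in the posted config the auth_basic lines sit beside allow/deny lists with nginx's default satisfy all, so the other admin must also be on an allowed IP. The usernames carp-admin and second-admin are assumed placeholders.

```python
"""Dedicated basic-auth credentials for the admin.php and /install stanzas,
in the {SSHA} form nginx's auth_basic_user_file accepts:
    user:{SSHA}base64(sha1(password + salt) + salt)
Added example for this thread; not Centmin Mod's own tooling."""
import base64
import hashlib
import secrets
import string

PREFIX = "{SSHA}"
SALT_LEN = 8
SHA1_LEN = 20


def make_password(length=24):
    """Random password from a shell-safe alphabet. With a single SHA-1 round
    the password's entropy is the real protection, so keep it long."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def ssha_hash(password, salt=None):
    """Encode a password as {SSHA}: base64 of sha1(pw + salt) then the salt."""
    salt = secrets.token_bytes(SALT_LEN) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return PREFIX + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, encoded):
    """Constant-time check of a password against an {SSHA} field."""
    if not encoded.startswith(PREFIX):
        return False
    raw = base64.b64decode(encoded[len(PREFIX):])
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return secrets.compare_digest(candidate, digest)


def htpasswd_line(user, password):
    """One line for /usr/local/nginx/conf/htpasswd_admin_php."""
    if not user or ":" in user:
        raise ValueError("user must be non-empty and must not contain ':'")
    return f"{user}:{ssha_hash(password)}"


def check_credentials(lines, user, password):
    """Resolve a login against the file's lines: first matching user wins."""
    for line in lines:
        name, sep, field = line.strip().partition(":")
        if sep and name == user:
            return ssha_verify(password, field)
    return False


def upsert_user(lines, user, password):
    """Replace the user's entry if present, else append; other admins keep
    their own lines, so a password reset never locks anyone else out."""
    new = htpasswd_line(user, password)
    kept = [l for l in lines if l.partition(":")[0] != user]
    return kept + [new]


if __name__ == "__main__":
    # Assumed usernames; nothing here is anyone's real credential.
    pw = make_password()
    entries = upsert_user([], "carp-admin", pw)
    entries = upsert_user(entries, "second-admin", make_password())
    print("append to /usr/local/nginx/conf/htpasswd_admin_php, then nginx -t and reload:")
    print("\n".join(entries))
    print("password for carp-admin:", pw)
```

    Hand each admin their own password out of band, keep the file readable by the nginx worker user only, and re-run nginx -t before the reload; if you later want password-or-IP rather than password-and-IP for those locations, that is the satisfy directive, not a change to this file.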