Letsencrypt Letsencrypt Free SSL certificates with web root authentication method

Discussion in 'Domains, DNS, Email & SSL Certificates' started by eva2000, Oct 5, 2015.

  1. eva2000

    eva2000 Administrator Staff Member

    30,168
    6,785
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,137
    Local Time:
    7:10 AM
    Nginx 1.13.x
    MariaDB 5.5
    Update: September 2016 - the guide below is no longer valid, as Centmin Mod 123.09beta01 has a new addons/acmetool.sh integration, outlined at Letsencrypt - Official acmetool.sh testing thread for Centmin Mod 123.09beta01 | Centmin Mod Community

    Letsencrypt plugin: simplefs authentication has been renamed web root authentication - named by yours truly :D Let's test the Letsencrypt webroot authentication fork/branch: SimpleFS plugin (fixes #742) by kuba · Pull Request #757 · letsencrypt/letsencrypt · GitHub. There's also an example for Debian Jessie + Apache.

    Update

    You can jump straight to the actual Centmin Mod LEMP integration tests here in this thread.

    Manual Letsencrypt Install

    Note: the Letsencrypt client removed Python 2.6 support, so you need Python 2.7. CentOS 6.x folks have Python 2.6 and so need to install Python 2.7 via the Centmin Mod addon. CentOS 7.x folks have Python 2.7 out of the box, so there is no need.

    Updated Oct 24th, 2015 instructions

    For CentOS 7.x run
    Code:
    mkdir -p /root/tools
    cd /root/tools
    rm -rf /root/tools/letsencrypt
    rm -rf /etc/letsencrypt
    rm -rf /var/lib/letsencrypt
    rm -rf /root/.local/share
    git clone https://github.com/letsencrypt/letsencrypt
    cd letsencrypt
    ./letsencrypt-auto --verbose
    
    For CentOS 6.x, after installing Python 2.7, run the following (note the sed replacement switching to python2.7 instead of python2, because of letsencrypt-auto doesn't work with Python 2.6 · Issue #1046 · letsencrypt/letsencrypt · GitHub):
    Code:
    mkdir -p /root/tools
    cd /root/tools
    rm -rf /root/tools/letsencrypt
    rm -rf /etc/letsencrypt
    rm -rf /var/lib/letsencrypt
    rm -rf /root/.local/share
    git clone https://github.com/letsencrypt/letsencrypt
    cd letsencrypt
    sed -i "s|--python python2|--python python2.7|" letsencrypt-auto
    ./letsencrypt-auto --verbose
    
    For CentOS 7.x run
    Code:
    mkdir -p /root/tools
    cd /root/tools
    rm -rf /root/tools/letsencrypt
    rm -rf /etc/letsencrypt
    rm -rf /var/lib/letsencrypt
    git clone https://github.com/letsencrypt/letsencrypt
    #git clone -b simplefs https://github.com/kuba/letsencrypt
    cd letsencrypt
    ./bootstrap/centos.sh
    virtualenv --no-site-packages -p python2 venv
    ./venv/bin/pip install -r requirements.txt acme/ . letsencrypt-apache/ letsencrypt-nginx/
    
    For CentOS 6.x, after installing Python 2.7, run
    Code:
    mkdir -p /root/tools
    cd /root/tools
    rm -rf /root/tools/letsencrypt
    rm -rf /etc/letsencrypt
    rm -rf /var/lib/letsencrypt
    git clone https://github.com/letsencrypt/letsencrypt
    #git clone -b simplefs https://github.com/kuba/letsencrypt
    cd letsencrypt
    ./bootstrap/centos.sh
    virtualenv --no-site-packages -p python2.7 venv
    ./venv/bin/pip install -r requirements.txt acme/ . letsencrypt-apache/ letsencrypt-nginx/
    


    CentOS 6.7 with Centmin Mod stack and Python addons installed

    Code:
    python --version
    Python 2.6.6
    
    python2.7 --version
    Python 2.7.10
    
    python3.4 --version
    Python 3.4.3
    For the centminmod.com LEMP stack Nginx server I set up for dedicated Letsencrypt testing, I need to remove the existing nginx vhost account and re-create it via the nginx vhost auto generator. I am using the domain le1.http2ssl.xyz for testing.

    Code:
    vhostname='le1.http2ssl.xyz'
    rm -rf /usr/local/nginx/conf/conf.d/${vhostname}.conf
    rm -rf /usr/local/nginx/conf/conf.d/${vhostname}.ssl.conf
    rm -rf /usr/local/nginx/conf/ssl/${vhostname}/${vhostname}.crt
    rm -rf /usr/local/nginx/conf/ssl/${vhostname}/${vhostname}.key
    rm -rf /usr/local/nginx/conf/ssl/${vhostname}/${vhostname}.csr
    rm -rf /usr/local/nginx/conf/ssl/${vhostname}
    rm -rf /home/nginx/domains/${vhostname}
    ngxrestart
    
    For my own records: I have several domains set up for testing, so I need to wipe those too.

    Code:
    vhostname='le1.http2ssl.xyz le2.http2ssl.xyz le3.http2ssl.xyz le4.http2ssl.xyz le5.http2ssl.xyz le6.http2ssl.xyz le7.http2ssl.xyz le8.http2ssl.xyz le9.http2ssl.xyz'
    for v in $vhostname; do
    rm -rf /usr/local/nginx/conf/conf.d/${v}.conf
    rm -rf /usr/local/nginx/conf/conf.d/${v}.ssl.conf
    rm -rf /usr/local/nginx/conf/ssl/${v}/${v}.crt
    rm -rf /usr/local/nginx/conf/ssl/${v}/${v}.key
    rm -rf /usr/local/nginx/conf/ssl/${v}/${v}.csr
    rm -rf /usr/local/nginx/conf/ssl/${v}
    rm -rf /home/nginx/domains/${v}
    done
    ngxrestart
    
    Re-create the nginx vhost on the centminmod.com LEMP stack via the command line Nginx vhost generator, with a self-signed SSL certificate and the nginx SSL vhost auto-generated, using pure-ftpd username myftpuser001

    Code:
    vhostname='le1.http2ssl.xyz'
    nv -d ${vhostname} -s y -u myftpuser001
    
    Output from the auto-generated nginx vhost, with both the http and the https (self-signed SSL) vhost config files auto-created

    Code:
    vhostname='le1.http2ssl.xyz'
    nv -d ${vhostname} -s y -u myftpuser001
    ---------------------------------------------------------------
    Nginx Vhost Setup...
    ---------------------------------------------------------------
    
    
    FTP password auto generated: cGv78H2NrKtoo
    
    Password:
    Enter it again:
    ---------------------------------------------------------------
    SSL Vhost Setup...
    ---------------------------------------------------------------
    
    ---------------------------------------------------------------
    Generating self signed SSL certificate...
    CSR file can also be used to be submitted for paid SSL certificates
    If using for paid SSL certificates be sure to keep both private key and CSR safe
    creating CSR File: le1.http2ssl.xyz.csr
    creating private key: le1.http2ssl.xyz.key
    creating self-signed SSL certificate: le1.http2ssl.xyz.crt
    
    Generating a 2048 bit RSA private key
    ...........................................................................+++
    ......+++
    writing new private key to 'le1.http2ssl.xyz.key'
    -----
    No value provided for Subject Attribute C, skipped
    No value provided for Subject Attribute ST, skipped
    No value provided for Subject Attribute L, skipped
    Signature ok
    subject=/O=le1.http2ssl.xyz/OU=le1.http2ssl.xyz/CN=le1.http2ssl.xyz
    Getting Private key
    
    ---------------------------------------------------------------
    Generating backup CSR and private key for HTTP Public Key Pinning...
    creating CSR File: le1.http2ssl.xyz-backup.csr
    creating private key: le1.http2ssl.xyz-backup.key
    Generating a 2048 bit RSA private key
    ........................................+++
    ...................................................................................+++
    writing new private key to 'le1.http2ssl.xyz-backup.key'
    -----
    No value provided for Subject Attribute C, skipped
    No value provided for Subject Attribute ST, skipped
    No value provided for Subject Attribute L, skipped
    
    ---------------------------------------------------------------
    Extracting Base64 encoded information for primary and secondary
    private key's SPKI - Subject Public Key Information
    Primary private key - le1.http2ssl.xyz.key
    Backup private key - le1.http2ssl.xyz-backup.key
    For HPKP - HTTP Public Key Pinning hash generation...
    
    extracting SPKI Base64 encoded hash for primary private key = le1.http2ssl.xyz.key ...
    writing RSA key
    dACBPTdfAUd6dCTuvzrXItheLIJL8Orkwt8Nie2oyQo=
    
    extracting SPKI Base64 encoded hash for backup private key = le1.http2ssl.xyz-backup.key ...
    writing RSA key
    bfk6RI4wMBBjArJpzsvupnhyxl1IBReE1bPa22DzkAQ=
    
    HTTP Public Key Pinning Header for Nginx
    
    for 7 days max-age including subdomains
    
    add_header Public-Key-Pins 'pin-sha256="dACBPTdfAUd6dCTuvzrXItheLIJL8Orkwt8Nie2oyQo="; pin-sha256="bfk6RI4wMBBjArJpzsvupnhyxl1IBReE1bPa22DzkAQ="; max-age=86400; includeSubDomains';
    
    for 7 days max-age excluding subdomains
    
    add_header Public-Key-Pins 'pin-sha256="dACBPTdfAUd6dCTuvzrXItheLIJL8Orkwt8Nie2oyQo="; pin-sha256="bfk6RI4wMBBjArJpzsvupnhyxl1IBReE1bPa22DzkAQ="; max-age=86400';
    
    ---------------------------------------------------------------
    Generating dhparam.pem file - can take a few minutes...
    Generating DH parameters, 2048 bit long safe prime, generator 2
    This is going to take a long time
    .....................+...+.............++*
    dhparam file generation time: 112.624587817
    
    -------------------------------------------------------------
    nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
    nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
    Stopping nginx:                                            [  OK  ]
    Starting nginx:                                            [  OK  ]
    service pure-ftpd restart
    
    -------------------------------------------------------------
    FTP hostname : SERVERIP
    FTP port : 21
    FTP mode : FTP (explicit SSL)
    FTP Passive (PASV) : ensure is checked/enabled
    FTP username created for le1.http2ssl.xyz : myftpuser001
    FTP password created for le1.http2ssl.xyz : cGv78H2NrKtoo
    -------------------------------------------------------------
    vhost for le1.http2ssl.xyz created successfully
    
    domain: http://le1.http2ssl.xyz
    vhost conf file for le1.http2ssl.xyz created: /usr/local/nginx/conf/conf.d/le1.http2ssl.xyz.conf
    
    vhost ssl for le1.http2ssl.xyz created successfully
    
    domain: https://le1.http2ssl.xyz
    vhost ssl conf file for le1.http2ssl.xyz created: /usr/local/nginx/conf/conf.d/le1.http2ssl.xyz.ssl.conf
    /usr/local/nginx/conf/ssl_include.conf created
    Self-signed SSL Certificate: /usr/local/nginx/conf/ssl/le1.http2ssl.xyz/le1.http2ssl.xyz.crt
    SSL Private Key: /usr/local/nginx/conf/ssl/le1.http2ssl.xyz/le1.http2ssl.xyz.key
    SSL CSR File: /usr/local/nginx/conf/ssl/le1.http2ssl.xyz/le1.http2ssl.xyz.csr
    Backup SSL Private Key: /usr/local/nginx/conf/ssl/le1.http2ssl.xyz/le1.http2ssl.xyz-backup.key
    Backup SSL CSR File: /usr/local/nginx/conf/ssl/le1.http2ssl.xyz/le1.http2ssl.xyz-backup.csr
    
    upload files to /home/nginx/domains/le1.http2ssl.xyz/public
    vhost log files directory is /home/nginx/domains/le1.http2ssl.xyz/log
    
    -------------------------------------------------------------
    Current vhost listing at: /usr/local/nginx/conf/conf.d/
    
        
    Aug 29  03:12   1.6K   virtual.conf
    Aug 29  03:12   845    ssl.conf
    Aug 29  03:12   1.1K   demodomain.com.conf
    Aug 29  07:40   3.8K   http2ssl.xyz.ssl.conf
    Aug 29  07:40   1.6K   http2ssl.xyz.conf
    Oct 5   13:17   1.6K   le1.http2ssl.xyz.conf
    Oct 5   13:17   3.9K   le1.http2ssl.xyz.ssl.conf
    
    -------------------------------------------------------------
    Current vhost ssl files listing at: /usr/local/nginx/conf/ssl/le1.http2ssl.xyz
    
        
    Oct 5   13:15   1.7K   le1.http2ssl.xyz.key
    Oct 5   13:15   972    le1.http2ssl.xyz.csr
    Oct 5   13:15   1.2K   le1.http2ssl.xyz.crt
    Oct 5   13:15   1.7K   le1.http2ssl.xyz-backup.key
    Oct 5   13:15   972    le1.http2ssl.xyz-backup.csr
    Oct 5   13:15   45     hpkp-info-secondary-pin.txt
    Oct 5   13:15   45     hpkp-info-primary-pin.txt
    Oct 5   13:17   424    dhparam.pem
    
    -------------------------------------------------------------
    Commands to remove le1.http2ssl.xyz
    
    rm -rf /usr/local/nginx/conf/conf.d/le1.http2ssl.xyz.conf
    rm -rf /usr/local/nginx/conf/conf.d/le1.http2ssl.xyz.ssl.conf
    rm -rf /usr/local/nginx/conf/ssl/le1.http2ssl.xyz/le1.http2ssl.xyz.crt
    rm -rf /usr/local/nginx/conf/ssl/le1.http2ssl.xyz/le1.http2ssl.xyz.key
    rm -rf /usr/local/nginx/conf/ssl/le1.http2ssl.xyz/le1.http2ssl.xyz.csr
    rm -rf /usr/local/nginx/conf/ssl/le1.http2ssl.xyz
    rm -rf /home/nginx/domains/le1.http2ssl.xyz
    service nginx restart
    -------------------------------------------------------------
    
    Specific notes for the nginx vhosts are output:
    Code:
    vhost for le1.http2ssl.xyz created successfully
    
    domain: http://le1.http2ssl.xyz
    vhost conf file for le1.http2ssl.xyz created: /usr/local/nginx/conf/conf.d/le1.http2ssl.xyz.conf
    
    vhost ssl for le1.http2ssl.xyz created successfully
    
    domain: https://le1.http2ssl.xyz
    vhost ssl conf file for le1.http2ssl.xyz created: /usr/local/nginx/conf/conf.d/le1.http2ssl.xyz.ssl.conf
    /usr/local/nginx/conf/ssl_include.conf created
    Self-signed SSL Certificate: /usr/local/nginx/conf/ssl/le1.http2ssl.xyz/le1.http2ssl.xyz.crt
    SSL Private Key: /usr/local/nginx/conf/ssl/le1.http2ssl.xyz/le1.http2ssl.xyz.key
    SSL CSR File: /usr/local/nginx/conf/ssl/le1.http2ssl.xyz/le1.http2ssl.xyz.csr
    Backup SSL Private Key: /usr/local/nginx/conf/ssl/le1.http2ssl.xyz/le1.http2ssl.xyz-backup.key
    Backup SSL CSR File: /usr/local/nginx/conf/ssl/le1.http2ssl.xyz/le1.http2ssl.xyz-backup.csr
    
    upload files to /home/nginx/domains/le1.http2ssl.xyz/public
    vhost log files directory is /home/nginx/domains/le1.http2ssl.xyz/log
    The resulting auto-generated Nginx vhost config files and directories include the Nginx HTTP/2 SSL vhost configuration file setup. The letsencrypt-required .well-known URL with the application/jose+json content type header is also already taken care of, as the header is added in an auto-included nginx file.

    Code:
    location ~ /.well-known {
          location ~ /.well-known/acme-challenge/(.*) {
                  more_set_headers    "Content-Type: application/jose+json";
          }
    }
    
    Run the letsencrypt client in web root authentication mode, passing the auto-generated Centmin Mod Nginx vhost's web root path /home/nginx/domains/le1.http2ssl.xyz/public to the --web-root flag

    Update: October 24th, the path to the letsencrypt binary has changed from /root/tools/letsencrypt/venv/bin/letsencrypt to /root/.local/share/letsencrypt/bin/letsencrypt, and the --agree-eula option has been removed

    Code:
    vhostname='le1.http2ssl.xyz'
    /root/.local/share/letsencrypt/bin/letsencrypt --renew-by-default -a webroot --webroot-path /home/nginx/domains/${vhostname}/public --email example@example.org --text --agree-tos --agree-dev-preview -d ${vhostname} auth
    
    Looks like Python 2.6 is no longer supported by the Letsencrypt client (Python 2.6 support removed - Issuance Tech Questions - Let's Encrypt Community Support), so if you run CentOS 6.x you will have problems, as Python 2.6.6 is installed by default, whereas CentOS 7.x has Python 2.7.

    Code:
    /root/tools/letsencrypt/venv/lib/python2.6/site-packages/cryptography/__init__.py:25: DeprecationWarning: Python 2.6 is no longer supported by the Python core team, please upgrade your Python.
      DeprecationWarning
    An unexpected error occurred.
    TypeError: super() argument 1 must be type, not classobj
    Please see the logfile 'letsencrypt.log' for more details.
    You need to install Python 2.7 side by side on CentOS 6; the Centmin Mod LEMP stack has an addon to install Python 2.7 or Python 3.4 in the addons/ folder of your Centmin Mod install directory.

    Code:
    ls -lah /usr/local/src/centminmod/addons/
    total 112K
    drwxr-xr-x  2 root root 4.0K Oct  5 12:54 .
    drwxr-xr-x 14 root root 4.0K Oct  5 12:54 ..
    -rwxr-xr-x  1 root root 3.8K Aug 30 13:59 avginstall.sh
    -rwxr-xr-x  1 root root  12K Aug 30 13:59 customcurl.sh
    -rwxr-xr-x  1 root root 8.3K Aug 30 13:59 geoip.sh
    -rwxr-xr-x  1 root root 2.2K Aug 30 13:59 ioncube.sh
    -rwxr-xr-x  1 root root 4.1K Aug 30 13:59 ius-repo.sh
    -rwxr-xr-x  1 root root 5.4K Aug 30 13:59 linfo.sh
    -rwxr-xr-x  1 root root 6.8K Aug 30 13:59 maldet.sh
    -rwxr-xr-x  1 root root  11K Aug 30 13:59 mysqladmin_shell.sh
    -rwxr-xr-x  1 root root 9.6K Oct  5 12:54 passenger.sh
    -rwxr-xr-x  1 root root 5.0K Aug 30 13:59 python27_install.sh
    -rwxr-xr-x  1 root root 4.6K Aug 30 13:59 python34_install.sh
    -rwxr-xr-x  1 root root 4.2K Aug 30 13:59 wpcli.sh
    So run the python27_install.sh addon to install Python 2.7 side by side with CentOS 6.x's Python 2.6 via the IUS Community repo, which is backed by Rackspace.com.

    Code:
    yum list python27 python27-devel python27-pip python27-setuptools python27-tools python27-virtualenv --enablerepo=ius -q
    Installed Packages
    python27.x86_64                                                                                                               2.7.10-1.ius.centos6                                                                                                    @ius
    python27-devel.x86_64                                                                                                         2.7.10-1.ius.centos6                                                                                                    @ius
    python27-pip.noarch                                                                                                           7.1.0-1.ius.centos6                                                                                                     @ius
    python27-setuptools.noarch                                                                                                    18.1-1.ius.centos6                                                                                                      @ius
    python27-tools.x86_64                                                                                                         2.7.10-1.ius.centos6                                                                                                    @ius
    python27-virtualenv.noarch                                                                                                    13.1.0-1.ius.centos6                                                                                                    @ius
    Available Packages
    python27-pip.noarch                                                                                                           7.1.2-1.ius.centos6                                                                                                     ius
    python27-setuptools.noarch                                                                                                    18.3.1-1.ius.centos6                                                                                                    ius
    python27-virtualenv.noarch                                                                                                    13.1.2-1.ius.centos6                                                                                                    ius
    Then wipe the Letsencrypt install and install it again, this time with the Python virtual environment set up for Python 2.7.

    For CentOS 6.x, after installing Python 2.7, run the following (note the sed replacement switching to python2.7 instead of python2, because of letsencrypt-auto doesn't work with Python 2.6 · Issue #1046 · letsencrypt/letsencrypt · GitHub):
    Code:
    mkdir -p /root/tools
    cd /root/tools
    rm -rf /root/tools/letsencrypt
    rm -rf /etc/letsencrypt
    rm -rf /var/lib/letsencrypt
    rm -rf /root/.local/share
    git clone https://github.com/letsencrypt/letsencrypt
    cd letsencrypt
    sed -i "s|--python python2|--python python2.7|" letsencrypt-auto
    ./letsencrypt-auto --verbose
    
    Run Letsencrypt web root authentication again; it now works with Python 2.7

    Code:
    vhostname='le1.http2ssl.xyz'
    /root/.local/share/letsencrypt/bin/letsencrypt --renew-by-default -a webroot --webroot-path /home/nginx/domains/${vhostname}/public --email example@example.org  --verbose --text --agree-tos --agree-dev-preview -d ${vhostname} auth
    
    IMPORTANT NOTES:
    - If you lose your account credentials, you can recover through
       e-mails sent to example@example.org.
    - Congratulations! Your certificate has been saved at
       /etc/letsencrypt/live/le1.http2ssl.xyz/cert.pem.
    - Your account credentials have been saved in your Let's Encrypt
       configuration directory at /etc/letsencrypt. You should make a
       secure backup of this folder now. This configuration directory will
       also contain certificates and private keys obtained by Let's
       Encrypt so making regular backups of this folder is ideal.
    - Automatic renewal and deployment has been enabled for your
       certificate. These settings can be configured in the directories
       under /etc/letsencrypt/renewal.
    Yay, free SSL certificate obtained.

    Code:
    ls -lahR /etc/letsencrypt/live/
    /etc/letsencrypt/live/:
    total 12K
    drwx------ 3 root root 4.0K Oct  5 13:37 .
    drwxr-xr-x 8 root root 4.0K Oct  5 13:37 ..
    drwxr-xr-x 2 root root 4.0K Oct  5 13:37 le1.http2ssl.xyz
    
    /etc/letsencrypt/live/le1.http2ssl.xyz:
    total 8.0K
    drwxr-xr-x 2 root root 4.0K Oct  5 13:37 .
    drwx------ 3 root root 4.0K Oct  5 13:37 ..
    lrwxrwxrwx 1 root root   40 Oct  5 13:37 cert.pem -> ../../archive/le1.http2ssl.xyz/cert1.pem
    lrwxrwxrwx 1 root root   41 Oct  5 13:37 chain.pem -> ../../archive/le1.http2ssl.xyz/chain1.pem
    lrwxrwxrwx 1 root root   45 Oct  5 13:37 fullchain.pem -> ../../archive/le1.http2ssl.xyz/fullchain1.pem
    lrwxrwxrwx 1 root root   43 Oct  5 13:37 privkey.pem -> ../../archive/le1.http2ssl.xyz/privkey1.pem
    Back up /etc/letsencrypt

    Code:
    cp -a /etc/letsencrypt /etc/letsencrypt-bak
    Now to put the Letsencrypt SSL certificate into Centmin Mod Nginx's auto-generated SSL vhost, using sed to replace the default auto-generated self-signed SSL certificate paths with the paths of Letsencrypt's obtained SSL certificates. Once the web root authentication plugin is officially merged into the master code, I'll automate this step too as part of the Centmin Mod Nginx vhost setup routine :)

    Code:
    vhostname='le1.http2ssl.xyz'
    sed -i "s|\/usr\/local\/nginx\/conf\/ssl\/${vhostname}\/${vhostname}.crt|\/etc\/letsencrypt\/live\/${vhostname}\/fullchain.pem|" /usr/local/nginx/conf/conf.d/${vhostname}.ssl.conf
    sed -i "s|\/usr\/local\/nginx\/conf\/ssl\/${vhostname}\/${vhostname}.key|\/etc\/letsencrypt\/live\/${vhostname}\/privkey.pem|" /usr/local/nginx/conf/conf.d/${vhostname}.ssl.conf
    
    End result: the partial contents of the SSL vhost at /usr/local/nginx/conf/conf.d/le1.http2ssl.xyz.ssl.conf now look like

    Code:
    server {
      listen 443 ssl http2;
      server_name le1.http2ssl.xyz www.le1.http2ssl.xyz;
    
      ssl_dhparam /usr/local/nginx/conf/ssl/le1.http2ssl.xyz/dhparam.pem;
      ssl_certificate      /etc/letsencrypt/live/le1.http2ssl.xyz/fullchain.pem;
      ssl_certificate_key  /etc/letsencrypt/live/le1.http2ssl.xyz/privkey.pem;
      include /usr/local/nginx/conf/ssl_include.conf;
    
      # mozilla recommended
      ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!CAMELLIA;
      ssl_prefer_server_ciphers   on;
    Then restart the Nginx server

    Code:
    ngxrestart
    
    Test the new https site over HTTP/1.1
    Code:
    curl -Ik https://le1.http2ssl.xyz
    HTTP/1.1 200 OK
    Date: Mon, 05 Oct 2015 13:44:09 GMT
    Content-Type: text/html; charset=utf-8
    Content-Length: 1372
    Last-Modified: Mon, 05 Oct 2015 13:14:56 GMT
    Connection: keep-alive
    ETag: "561277d0-55c"
    Server: nginx centminmod
    Expires: Tue, 06 Oct 2015 13:44:09 GMT
    Cache-Control: max-age=86400
    Cache-Control: public, must-revalidate, proxy-revalidate
    Accept-Ranges: bytes
    Test the new https site over HTTP/2, which is officially supported in Nginx and enabled out of the box with the Centmin Mod LEMP stack
    Code:
    curl --http2 -Ik https://le1.http2ssl.xyz
    HTTP/2.0 200
    date:Mon, 05 Oct 2015 13:47:55 GMT
    content-type:text/html; charset=utf-8
    content-length:1372
    last-modified:Mon, 05 Oct 2015 13:14:56 GMT
    etag:"561277d0-55c"
    server:nginx centminmod
    expires:Tue, 06 Oct 2015 13:47:55 GMT
    cache-control:max-age=86400
    cache-control:public, must-revalidate, proxy-revalidate
    accept-ranges:bytes
    Last edited: Sep 27, 2016
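    As an added example (not code from the thread or from Centmin Mod), the same certificate path swap that the two sed commands above perform, wrapped in a shell function that first checks the Letsencrypt files exist and keeps a backup of the vhost file; NGX_CONF_DIR, LE_LIVE_DIR and the scratch-tree helper are my own assumptions so it can be exercised without a live server:

```shell
#!/bin/sh
# Added example, not Centmin Mod's or eva2000's own code. Does what the two sed
# commands in the thread do (point the auto-generated SSL vhost at the Letsencrypt
# live files) but refuses to touch the vhost when the Letsencrypt files are absent,
# and keeps a backup of the vhost file so a bad swap can be rolled back.
# NGX_CONF_DIR and LE_LIVE_DIR default to the thread's paths and can be pointed at
# a scratch tree to exercise the functions without a live server.
set -u

NGX_CONF_DIR="${NGX_CONF_DIR:-/usr/local/nginx/conf}"
LE_LIVE_DIR="${LE_LIVE_DIR:-/etc/letsencrypt/live}"

# swap_le_cert_paths VHOST
# Rewrites ssl_certificate / ssl_certificate_key in conf.d/VHOST.ssl.conf.
# Returns 0 on success, 1 if the vhost conf is missing, 2 if the Letsencrypt
# files are missing (nginx -t would fail and the restart would take the site down).
swap_le_cert_paths() {
  vhost="$1"
  conf="$NGX_CONF_DIR/conf.d/$vhost.ssl.conf"
  le_full="$LE_LIVE_DIR/$vhost/fullchain.pem"
  le_key="$LE_LIVE_DIR/$vhost/privkey.pem"
  old_crt="$NGX_CONF_DIR/ssl/$vhost/$vhost.crt"
  old_key="$NGX_CONF_DIR/ssl/$vhost/$vhost.key"

  [ -f "$conf" ] || { echo "no ssl vhost conf: $conf" >&2; return 1; }
  if [ ! -s "$le_full" ] || [ ! -s "$le_key" ]; then
    echo "letsencrypt files missing under $LE_LIVE_DIR/$vhost" >&2
    return 2
  fi
  cp -p "$conf" "$conf.pre-le.bak"
  # '|' as the sed delimiter so the slashes in the paths need no escaping;
  # write to a temp file and rename so a failed sed leaves the vhost untouched
  sed "s|$old_crt|$le_full|; s|$old_key|$le_key|" "$conf" > "$conf.tmp" &&
    mv "$conf.tmp" "$conf"
}

# vhost_uses_le_cert VHOST: 0 when conf.d/VHOST.ssl.conf references the
# Letsencrypt fullchain/privkey and no longer references the self-signed files.
vhost_uses_le_cert() {
  conf="$NGX_CONF_DIR/conf.d/$1.ssl.conf"
  grep -q "ssl_certificate *$LE_LIVE_DIR/$1/fullchain.pem;" "$conf" &&
    grep -q "ssl_certificate_key *$LE_LIVE_DIR/$1/privkey.pem;" "$conf" &&
    ! grep -Eq "$NGX_CONF_DIR/ssl/$1/$1\.(crt|key)" "$conf"
}

# make_scratch_vhost VHOST DIR: build a throw-away copy of the layout shown in the
# thread (constructed vhost conf, placeholder text standing in for the PEM files)
# under DIR and point NGX_CONF_DIR / LE_LIVE_DIR at it.
make_scratch_vhost() {
  vhost="$1"
  NGX_CONF_DIR="$2/nginx/conf"
  LE_LIVE_DIR="$2/letsencrypt/live"
  mkdir -p "$NGX_CONF_DIR/conf.d" "$NGX_CONF_DIR/ssl/$vhost" "$LE_LIVE_DIR/$vhost"
  cat > "$NGX_CONF_DIR/conf.d/$vhost.ssl.conf" <<EOF
server {
  listen 443 ssl http2;
  server_name $vhost www.$vhost;
  ssl_dhparam $NGX_CONF_DIR/ssl/$vhost/dhparam.pem;
  ssl_certificate      $NGX_CONF_DIR/ssl/$vhost/$vhost.crt;
  ssl_certificate_key  $NGX_CONF_DIR/ssl/$vhost/$vhost.key;
}
EOF
  echo "constructed placeholder, not a certificate" > "$LE_LIVE_DIR/$vhost/fullchain.pem"
  echo "constructed placeholder, not a key" > "$LE_LIVE_DIR/$vhost/privkey.pem"
}

# Stand-alone run (sh this_script.sh --demo): exercise the swap on a scratch tree.
# On the real server, after the letsencrypt run succeeded (nginx assumed in PATH):
#   swap_le_cert_paths le1.http2ssl.xyz && nginx -t && ngxrestart
if [ "${1:-}" = "--demo" ]; then
  scratch=$(mktemp -d)
  make_scratch_vhost le1.http2ssl.xyz "$scratch"
  swap_le_cert_paths le1.http2ssl.xyz && vhost_uses_le_cert le1.http2ssl.xyz &&
    grep ssl_certificate "$NGX_CONF_DIR/conf.d/le1.http2ssl.xyz.ssl.conf"
  rm -rf "$scratch"
fi
```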
  2. eva2000

    Good news on 2 fronts

    1. Letsencrypt is re-introducing Python 2.6 and 3.3 support instead of Python 2.7 only: Python 2.6 and 3.3+ support by kuba · Pull Request #957 · letsencrypt/letsencrypt · GitHub. This will be merged into their code at GA release time, not before though. So for beta testing and pre-GA testing you still need Python 2.7 to play with Letsencrypt.

    2. The Letsencrypt web root authentication plugin outlined above is closer to being merged into the official code, I think: SimpleFS plugin (fixes #742) by kuba · Pull Request #757 · letsencrypt/letsencrypt · GitHub - fingers crossed :D
     
  3. eva2000

    FYI, the Letsencrypt web root authentication plugin outlined above has now been officially merged into the master code: --webroot-root -> --webroot-path · letsencrypt/letsencrypt@63c080b · GitHub :D

    At plugins/webroot.py: letsencrypt/letsencrypt/plugins at master · letsencrypt/letsencrypt · GitHub

     
  4. eva2000

    Letsencrypt is now officially cross-signed too: Let's Encrypt is Trusted

     
  5. eva2000

    Updated Letsencrypt install instructions and webroot authentication method

    For CentOS 7.x run
    Code:
    mkdir -p /root/tools
    cd /root/tools
    rm -rf /root/tools/letsencrypt
    rm -rf /etc/letsencrypt
    rm -rf /var/lib/letsencrypt
    rm -rf /root/.local/share
    git clone https://github.com/letsencrypt/letsencrypt
    cd letsencrypt
    ./letsencrypt-auto --verbose
    
    For CentOS 6.x, after installing Python 2.7, run the following (note the sed replacement switching to python2.7 instead of python2, because of letsencrypt-auto doesn't work with Python 2.6 · Issue #1046 · letsencrypt/letsencrypt · GitHub):
    Code:
    mkdir -p /root/tools
    cd /root/tools
    rm -rf /root/tools/letsencrypt
    rm -rf /etc/letsencrypt
    rm -rf /var/lib/letsencrypt
    rm -rf /root/.local/share
    git clone https://github.com/letsencrypt/letsencrypt
    cd letsencrypt
    sed -i "s|--python python2|--python python2.7|" letsencrypt-auto
    ./letsencrypt-auto --verbose
    
    creating nginx vhost for le1.http2ssl.xyz

    Code:
    vhostname='le1.http2ssl.xyz'
    nv -d ${vhostname} -s y -u MYFTPUSERNAME
    obtaining the Letsencrypt free SSL domain-validated certificate for le1.http2ssl.xyz

    verbose mode with --verbose
    Code:
    vhostname='le1.http2ssl.xyz'
    /root/.local/share/letsencrypt/bin/letsencrypt --renew-by-default -a webroot --webroot-path /home/nginx/domains/${vhostname}/public --email example@example.org --verbose --text --agree-tos --agree-dev-preview -d ${vhostname} auth
    without --verbose
    Code:
    vhostname='le1.http2ssl.xyz'
    /root/.local/share/letsencrypt/bin/letsencrypt --renew-by-default -a webroot --webroot-path /home/nginx/domains/${vhostname}/public --email example@example.org --text --agree-tos --agree-dev-preview -d ${vhostname} auth
    replace the nginx SSL vhost's auto-generated self-signed SSL certificate with Letsencrypt's obtained SSL certificate and restart the Nginx server
    Code:
    vhostname='le1.http2ssl.xyz'
    sed -i "s|\/usr\/local\/nginx\/conf\/ssl\/${vhostname}\/${vhostname}.crt|\/etc\/letsencrypt\/live\/${vhostname}\/fullchain.pem|" /usr/local/nginx/conf/conf.d/${vhostname}.ssl.conf
    sed -i "s|\/usr\/local\/nginx\/conf\/ssl\/${vhostname}\/${vhostname}.key|\/etc\/letsencrypt\/live\/${vhostname}\/privkey.pem|" /usr/local/nginx/conf/conf.d/${vhostname}.ssl.conf
    ngxrestart
    Code:
    curl -Ik https://le1.http2ssl.xyz
    HTTP/1.1 200 OK
    Date: Sat, 24 Oct 2015 03:57:00 GMT
    Content-Type: text/html; charset=utf-8
    Content-Length: 1372
    Last-Modified: Sat, 24 Oct 2015 03:22:41 GMT
    Connection: keep-alive
    ETag: "562af981-55c"
    Server: nginx centminmod
    Expires: Sun, 25 Oct 2015 03:57:00 GMT
    Cache-Control: max-age=86400
    Cache-Control: public, must-revalidate, proxy-revalidate
    Accept-Ranges: bytes
     
    Last edited: Oct 24, 2015
  6. eva2000

    Shell script to setup multiple Centmin Mod Nginx SSL vhost domains and obtain multiple Letsencrypt free SSL certificates via web root authentication method
    Code:
    #!/bin/bash
    # one domain per loop iteration: use the loop variable $v, not the whole $vhostname list
    vhostname='le1.http2ssl.xyz le2.http2ssl.xyz le3.http2ssl.xyz'
    COUNT=0
    for v in $vhostname; do
     COUNT=$((COUNT+1))
     nv -d ${v} -s y -u MYFTPUSERNAME${COUNT}
     /root/.local/share/letsencrypt/bin/letsencrypt --renew-by-default -a webroot --webroot-path /home/nginx/domains/${v}/public --email example@example.org --text --agree-tos --agree-dev-preview -d ${v} auth
    done
    
     
    Last edited: Oct 25, 2015
  7. eva2000

    My definition of what Letsencrypt Webroot Authentication is:

    See examples of the webroot authentication plugin at Using the webroot domain verification method - Server Configuration - Let's Encrypt Community Support and SSL - Letsencrypt Free SSL certificates with web root authentication method

    official definition

    It was born out of the simplefs plugin (SimpleFS plugin (fixes #742) by kuba · Pull Request #757 · letsencrypt/letsencrypt · GitHub), which was later renamed to webroot authentication. In layman's terms, webroot authentication is an alternate way to obtain letsencrypt ssl certificates and pass the SimpleHTTP challenge by following these steps

    1. create an HTTPS base site beforehand using a self-signed ssl certificate on apache or nginx - this site will have a public web root. This site's domain also needs valid working DNS pointing to the server IP
    2. run the letsencrypt webroot authentication method and pass your email address AND that site's public web root path to the command you run - this will automatically perform the .well-known uri creation on the defined web root, validating the domain you want the ssl certificate for
     
    Last edited: Oct 26, 2015
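    What the two steps above leave in the web root, and what the CA checks when it fetches it, is small enough to show end to end. The block below is an added example for this page, not code from the letsencrypt client or from Centmin Mod: it builds the challenge file body as later standardized in RFC 8555 section 8.3 (the token, a dot, and the RFC 7638 thumbprint of the account key; the exact body format changed during the 2015 beta), writes it under `.well-known/acme-challenge/<token>` in a web root, and then plays the CA's side by reading it back and comparing. The account key is the RFC 7638 section 3.1 example public key, the token and the throwaway web root are constructed, and reading the file directly stands in for the CA's plain-HTTP GET against the hostname, which is why the vhost (or the default_server) has to serve that path over port 80.

```python
"""ACME http-01 key authorization and webroot challenge file.

Added example, not code from the letsencrypt client or Centmin Mod. Shows what the
webroot authenticator publishes under the vhost's public web root and what the CA
checks, in the form later standardized in RFC 8555 section 8.3: key authorization =
token "." JWK thumbprint (RFC 7638). Account key: RFC 7638 section 3.1 example key.
"""
import base64
import hashlib
import json
import os
import re
import tempfile

# RFC 7638 section 3.1 example RSA public key (public components only, base64url).
RFC7638_JWK = {
    "kty": "RSA",
    "e": "AQAB",
    "n": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMstn64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FDW2QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n91CbOpbISD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_xBniIqbw0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw",
}

CHALLENGE_DIR = os.path.join(".well-known", "acme-challenge")
# ACME tokens are base64url; anything else is rejected before it is used in a path.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def b64url(data: bytes) -> str:
    """base64url without padding, as JOSE and ACME use it."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required members only, lexicographically ordered, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """Body of the challenge file: binds the CA's token to the holder of the account key."""
    if not TOKEN_RE.match(token):
        raise ValueError("token is not base64url; refusing to build a path from it")
    return f"{token}.{jwk_thumbprint(jwk)}"


def write_challenge(webroot: str, token: str, jwk: dict) -> str:
    """Client side: publish the key authorization at <webroot>/.well-known/acme-challenge/<token>."""
    body = key_authorization(token, jwk)
    path = os.path.join(webroot, CHALLENGE_DIR, token)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="ascii") as fh:
        fh.write(body)
    return path


def validate_challenge(webroot: str, token: str, jwk: dict) -> bool:
    """CA side minus the network: it GETs http://<domain>/.well-known/acme-challenge/<token>
    and compares the body (trailing whitespace ignored) with token.thumbprint. Reading the
    file from the web root stands in for that GET here."""
    expected = key_authorization(token, jwk)
    path = os.path.join(webroot, CHALLENGE_DIR, token)
    try:
        with open(path, encoding="ascii") as fh:
            return fh.read().rstrip() == expected
    except FileNotFoundError:
        return False


def demo() -> dict:
    """Round trip in a throwaway web root: the published file validates, a tampered one does not."""
    token = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"  # constructed token
    with tempfile.TemporaryDirectory() as webroot:
        path = write_challenge(webroot, token, RFC7638_JWK)
        valid = validate_challenge(webroot, token, RFC7638_JWK)
        with open(path, "w", encoding="ascii") as fh:
            fh.write(token + ".wrong-thumbprint")  # someone else's account key
        tampered = validate_challenge(webroot, token, RFC7638_JWK)
    return {"thumbprint": jwk_thumbprint(RFC7638_JWK), "valid": valid, "tampered_valid": tampered}


if __name__ == "__main__":
    # thumbprint NzbLsXh8uDCcd-6MNwXF4W_7noWXFZAfHkxZsRGC9Xs, valid True, tampered_valid False
    print(demo())
```

    The thumbprint is why the `/etc/letsencrypt/accounts` directory matters: anyone holding that account key can satisfy a challenge for a token issued to that account, so it deserves the same backup and permission care as the private keys in `archive/`.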
  8. eva2000

    Yay got my Letsencrypt beta invite approval email so the domains I requested have been whitelisted for full web browser trusted SSL certificates :D

    Below are steps I used for Centmin Mod LEMP Nginx server + how I setup Letsencrypt Client for beta testing with fully web browser trusted Letsencrypt SSL certificate.

    First clear the previous code and install the Letsencrypt client fresh. On CentOS 6.x, I need to separately install Python 2.7 and then sed replace python2 with python2.7 in letsencrypt-auto
    Code:
    mkdir -p /root/tools
    cd /root/tools
    rm -rf /root/tools/letsencrypt
    rm -rf /etc/letsencrypt
    rm -rf /var/lib/letsencrypt
    rm -rf /root/.local/share
    git clone https://github.com/letsencrypt/letsencrypt
    cd letsencrypt
    sed -i "s|--python python2|--python python2.7|" letsencrypt-auto
    ./letsencrypt-auto --agree-dev-preview --server https://acme-v01.api.letsencrypt.org/directory
    
    Then set up the Centmin Mod Nginx vhost for the le1.http2ssl.xyz domain, which is one of the Letsencrypt whitelisted domains. This will auto generate the self signed SSL nginx vhost beforehand, making it easy to use the Letsencrypt webroot authentication method to obtain the Letsencrypt browser trusted SSL certificate
    Code:
    vhostname='le1.http2ssl.xyz'
    nv -d ${vhostname} -s y -u MYFTPUSERNAME
    
    Now run Letsencrypt webroot authentication method to obtain the Letsencrypt browser trusted SSL certificate, changing example@example.org to your own email address and being sure to pass the -a webroot --webroot-path /home/nginx/domains/${vhostname}/public variables for Nginx vhost's web root.
    Code:
    vhostname='le1.http2ssl.xyz'
    /root/.local/share/letsencrypt/bin/letsencrypt --server https://acme-v01.api.letsencrypt.org/directory --renew-by-default -a webroot --webroot-path /home/nginx/domains/${vhostname}/public --email example@example.org --text --agree-tos --agree-dev-preview -d ${vhostname} auth
    
    Once Letsencrypt webroot authentication is completed, you will get the following message including the path to your Letsencrypt SSL certificate at /etc/letsencrypt/live/le1.http2ssl.xyz/fullchain.pem
    Code:
    IMPORTANT NOTES:
    - If you lose your account credentials, you can recover through
       e-mails sent to example@example.org.
    - Congratulations! Your certificate and chain have been saved at
       /etc/letsencrypt/live/le1.http2ssl.xyz/fullchain.pem. Your cert
       will expire on 2016-01-25. To obtain a new version of the
       certificate in the future, simply run Let's Encrypt again.
    - Your account credentials have been saved in your Let's Encrypt
       configuration directory at /etc/letsencrypt. You should make a
       secure backup of this folder now. This configuration directory will
       also contain certificates and private keys obtained by Let's
       Encrypt so making regular backups of this folder is ideal.
    Replace the nginx SSL vhost's (/usr/local/nginx/conf/conf.d/${vhostname}.ssl.conf) auto generated self signed SSL certificate with the Letsencrypt obtained SSL certificate and restart the Nginx server
    Code:
    vhostname='le1.http2ssl.xyz'
    sed -i "s|\/usr\/local\/nginx\/conf\/ssl\/${vhostname}\/${vhostname}.crt|\/etc\/letsencrypt\/live\/${vhostname}\/fullchain.pem|" /usr/local/nginx/conf/conf.d/${vhostname}.ssl.conf
    sed -i "s|\/usr\/local\/nginx\/conf\/ssl\/${vhostname}\/${vhostname}.key|\/etc\/letsencrypt\/live\/${vhostname}\/privkey.pem|" /usr/local/nginx/conf/conf.d/${vhostname}.ssl.conf
    ngxrestart
    As this is a fully trusted SSL certificate, a few more sed replacements are needed to enable the ssl_stapling, ssl_stapling_verify and ssl_trusted_certificate settings in the nginx SSL vhost /usr/local/nginx/conf/conf.d/${vhostname}.ssl.conf

    Code:
    sed -i "s|#resolver |resolver |" /usr/local/nginx/conf/conf.d/${vhostname}.ssl.conf
    sed -i "s|#resolver_timeout|resolver_timeout|" /usr/local/nginx/conf/conf.d/${vhostname}.ssl.conf
    sed -i "s|#ssl_stapling on|ssl_stapling on|" /usr/local/nginx/conf/conf.d/${vhostname}.ssl.conf
    sed -i "s|#ssl_stapling_verify|ssl_stapling_verify|" /usr/local/nginx/conf/conf.d/${vhostname}.ssl.conf
    sed -i "s|#ssl_trusted_certificate|ssl_trusted_certificate|" /usr/local/nginx/conf/conf.d/${vhostname}.ssl.conf
    sed -i "s|\/usr\/local\/nginx\/conf\/ssl\/${vhostname}\/${vhostname}-trusted.crt|\/etc\/letsencrypt\/live\/${vhostname}\/fullchain.pem|" /usr/local/nginx/conf/conf.d/${vhostname}.ssl.conf
    nprestart
    
    so changes in nginx SSL vhost /usr/local/nginx/conf/conf.d/${vhostname}.ssl.conf from
    Code:
      #resolver 8.8.8.8 8.8.4.4 valid=10m;
      #resolver_timeout 10s;
      #ssl_stapling on;
      #ssl_stapling_verify on;
      #ssl_trusted_certificate /usr/local/nginx/conf/ssl/le1.http2ssl.xyz/le1.http2ssl.xyz-trusted.crt; 
    to

    Code:
      resolver 8.8.8.8 8.8.4.4 valid=10m;
      resolver_timeout 10s;
      ssl_stapling on;
      ssl_stapling_verify on;
      ssl_trusted_certificate /etc/letsencrypt/live/le1.http2ssl.xyz/fullchain.pem;
    
    chrome46-00.png
    chrome46-01.png

    Letsencrypt main /etc/letsencrypt folder structure

    Code:
     ls -lAhrt /etc/letsencrypt
    total 24K
    drwx------ 3 root root 4.0K Oct 27 17:17 accounts
    drwx------ 2 root root 4.0K Oct 27 17:17 keys
    drwxr-xr-x 2 root root 4.0K Oct 27 17:17 csr
    drwxr-xr-x 2 root root 4.0K Oct 27 17:17 renewal
    drwx------ 3 root root 4.0K Oct 27 17:17 live
    drwx------ 3 root root 4.0K Oct 27 17:17 archive
    Actual files and SSL certificate
    Code:
    ls -lAhrt /etc/letsencrypt/live/le1.http2ssl.xyz/
    total 0
    lrwxrwxrwx 1 root root 43 Oct 27 17:17 privkey.pem -> ../../archive/le1.http2ssl.xyz/privkey1.pem
    lrwxrwxrwx 1 root root 45 Oct 27 17:17 fullchain.pem -> ../../archive/le1.http2ssl.xyz/fullchain1.pem
    lrwxrwxrwx 1 root root 41 Oct 27 17:17 chain.pem -> ../../archive/le1.http2ssl.xyz/chain1.pem
    lrwxrwxrwx 1 root root 40 Oct 27 17:17 cert.pem -> ../../archive/le1.http2ssl.xyz/cert1.pem
    relevant parts of nginx SSL vhost /usr/local/nginx/conf/conf.d/${vhostname}.ssl.conf

    Code:
    server {
      listen 443 ssl http2;
      server_name le1.http2ssl.xyz www.le1.http2ssl.xyz;
    
      ssl_dhparam /usr/local/nginx/conf/ssl/le1.http2ssl.xyz/dhparam.pem;
      ssl_certificate      /etc/letsencrypt/live/le1.http2ssl.xyz/fullchain.pem;
      ssl_certificate_key  /etc/letsencrypt/live/le1.http2ssl.xyz/privkey.pem;
      include /usr/local/nginx/conf/ssl_include.conf;
    
      # mozilla recommended
      ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!CAMELLIA;
      ssl_prefer_server_ciphers   on;
      #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
      #add_header  X-Content-Type-Options "nosniff";
      #add_header X-Frame-Options DENY;
      ssl_buffer_size 1400;
      ssl_session_tickets on;
    
      # enable ocsp stapling
      resolver 8.8.8.8 8.8.4.4 valid=10m;
      resolver_timeout 10s;
      ssl_stapling on;
      ssl_stapling_verify on;
      ssl_trusted_certificate /etc/letsencrypt/live/le1.http2ssl.xyz/fullchain.pem;
    SSLLabs first test. Not A+ as I have HSTS disabled as I test on both http and https usually.

    ssllabs-281015-00.png
    ssllabs-281015-01.png
    ssllabs-281015-02.png
    ssllabs-281015-03.png
    ssllabs-281015-04.png

    Using https://ssltools.geotrust.com/checker/views/certCheck.jsp to check certificate chain order

    geotrust-281015-00.png
    geotrust-281015-01.png

    Nginx 1.9.6 HTTP/2 enabled web server compiled against LibreSSL 2.2.4

     
    Last edited: Oct 28, 2015
  9. eva2000


    Multi Domain SAN SSL with Letsencrypt Webroot Authentication



    Using the Letsencrypt webroot authentication plugin client to set up a multi domain SAN based SSL certificate for le8.http2ssl.xyz and le9.http2ssl.xyz on the Centminmod.com LEMP web stack's Nginx server. The method was first outlined here and, as the Centmin Mod stack already has a default_server listen vhost for the main virtual.conf, it was easy to set up. Some minor improvements suggested at multi domain SAN SSL symlink directories ? · Issue #1260 · letsencrypt/letsencrypt · GitHub

    Step 1. Make sure DNS A records for le8.http2ssl.xyz and le9.http2ssl.xyz point to the same server IP

    Step 2. Auto generate the nginx http and https vhosts for le8.http2ssl.xyz and le9.http2ssl.xyz

    Code:
    nv -d le8.http2ssl.xyz -s y -u le8ahewf
    
    Code:
    nv -d le9.http2ssl.xyz -s y -u le9shxkf
    
    Step 3. Create a /etc/letsencrypt/sancli.ini config file (see User Guide — Let's Encrypt 0.1.0.dev0 documentation) used only for SAN based SSL certificates with webroot authentication. Make sure to edit the email address to the email you want to register with Letsencrypt. Then decide if you're using the staging server https://acme-staging.api.letsencrypt.org/directory or the beta/live server https://acme-v01.api.letsencrypt.org/directory.

    contents of sancli.ini
    Code:
    # This is sancli.ini for centminmod.com LEMP stack to support webroot authentication
    # with multi domain SAN SSL certificates where webroot-path defaults to /usr/local/nginx/html
    # which already has a main vhost setup at /usr/local/nginx/conf/conf.d/virtual.conf with
    # default_server listen directive enabled and the virtual.conf include
    # /usr/local/nginx/conf/staticfiles.conf already supports LE .well-known uri files
    
    # RSA key size: 2048 here, change to 4096 for a larger key
    rsa-key-size = 2048
    
    # Always use the staging/testing server
    # server = https://acme-staging.api.letsencrypt.org/directory
    # for beta invitees
    server = https://acme-v01.api.letsencrypt.org/directory
    
    # Uncomment and update to register with the specified e-mail address
    email = foo@example.com
    
    # Uncomment to use a text interface instead of ncurses
    text = True
    agree-tos = True
    agree-dev-preview = True
    renew-by-default = True
    
    # Uncomment to use the webroot authenticator. Replace webroot-path with the
    # path to the public_html / webroot folder being served by your web server.
    authenticator = webroot
    webroot-path = /usr/local/nginx/html
    
    Step 4. Run Letsencrypt webroot authentication plugin client to obtain a multi domain SAN based SSL certificate for le8.http2ssl.xyz and le9.http2ssl.xyz

    temporarily rename the http vhost files for the 2 domains so that, when the simpleHttp challenge response is fetched for those domains, requests go to the web root of the default_server set in virtual.conf

    Code:
    mv /usr/local/nginx/conf/conf.d/le8.http2ssl.xyz.conf /usr/local/nginx/conf/conf.d/le8.http2ssl.xyz.conf.disable
    mv /usr/local/nginx/conf/conf.d/le9.http2ssl.xyz.conf /usr/local/nginx/conf/conf.d/le9.http2ssl.xyz.conf.disable
    nprestart
    
    Then run webroot authentication passing the config file sancli.ini created in step 3

    Code:
    /root/.local/share/letsencrypt/bin/letsencrypt -c /etc/letsencrypt/sancli.ini -d le8.http2ssl.xyz -d le9.http2ssl.xyz auth
    
    Output if successful
    Code:
    IMPORTANT NOTES:
    - Congratulations! Your certificate and chain have been saved at
       /etc/letsencrypt/live/le8.http2ssl.xyz/fullchain.pem. Your cert
       will expire on 2016-01-29. To obtain a new version of the
       certificate in the future, simply run Let's Encrypt again.
    
    Step 5. Replace step 2 generated self signed SSL certificates with Letsencrypt obtained multi domain SAN SSL certificate and rename back the vhost conf files done in step 4

    Code:
    mv /usr/local/nginx/conf/conf.d/le8.http2ssl.xyz.conf.disable /usr/local/nginx/conf/conf.d/le8.http2ssl.xyz.conf
    mv /usr/local/nginx/conf/conf.d/le9.http2ssl.xyz.conf.disable /usr/local/nginx/conf/conf.d/le9.http2ssl.xyz.conf
    
    Code:
    vhostname='le8.http2ssl.xyz'
    sed -i "s|\/usr\/local\/nginx\/conf\/ssl\/${vhostname}\/${vhostname}.crt|\/etc\/letsencrypt\/live\/${vhostname}\/fullchain.pem|" /usr/local/nginx/conf/conf.d/${vhostname}.ssl.conf
    sed -i "s|\/usr\/local\/nginx\/conf\/ssl\/${vhostname}\/${vhostname}.key|\/etc\/letsencrypt\/live\/${vhostname}\/privkey.pem|" /usr/local/nginx/conf/conf.d/${vhostname}.ssl.conf
    sed -i "s|#resolver |resolver |" /usr/local/nginx/conf/conf.d/${vhostname}.ssl.conf
    sed -i "s|#resolver_timeout|resolver_timeout|" /usr/local/nginx/conf/conf.d/${vhostname}.ssl.conf
    sed -i "s|#ssl_stapling on|ssl_stapling on|" /usr/local/nginx/conf/conf.d/${vhostname}.ssl.conf
    sed -i "s|#ssl_stapling_verify|ssl_stapling_verify|" /usr/local/nginx/conf/conf.d/${vhostname}.ssl.conf
    sed -i "s|#ssl_trusted_certificate|ssl_trusted_certificate|" /usr/local/nginx/conf/conf.d/${vhostname}.ssl.conf
    sed -i "s|\/usr\/local\/nginx\/conf\/ssl\/${vhostname}\/${vhostname}-trusted.crt|\/etc\/letsencrypt\/live\/${vhostname}\/fullchain.pem|" /usr/local/nginx/conf/conf.d/${vhostname}.ssl.conf
    
    Code:
    vhostname='le9.http2ssl.xyz'
    sed -i "s|\/usr\/local\/nginx\/conf\/ssl\/${vhostname}\/${vhostname}.crt|\/etc\/letsencrypt\/live\/${vhostname}\/fullchain.pem|" /usr/local/nginx/conf/conf.d/${vhostname}.ssl.conf
    sed -i "s|\/usr\/local\/nginx\/conf\/ssl\/${vhostname}\/${vhostname}.key|\/etc\/letsencrypt\/live\/${vhostname}\/privkey.pem|" /usr/local/nginx/conf/conf.d/${vhostname}.ssl.conf
    sed -i "s|#resolver |resolver |" /usr/local/nginx/conf/conf.d/${vhostname}.ssl.conf
    sed -i "s|#resolver_timeout|resolver_timeout|" /usr/local/nginx/conf/conf.d/${vhostname}.ssl.conf
    sed -i "s|#ssl_stapling on|ssl_stapling on|" /usr/local/nginx/conf/conf.d/${vhostname}.ssl.conf
    sed -i "s|#ssl_stapling_verify|ssl_stapling_verify|" /usr/local/nginx/conf/conf.d/${vhostname}.ssl.conf
    sed -i "s|#ssl_trusted_certificate|ssl_trusted_certificate|" /usr/local/nginx/conf/conf.d/${vhostname}.ssl.conf
    sed -i "s|\/usr\/local\/nginx\/conf\/ssl\/${vhostname}\/${vhostname}-trusted.crt|\/etc\/letsencrypt\/live\/${vhostname}\/fullchain.pem|" /usr/local/nginx/conf/conf.d/${vhostname}.ssl.conf
    
    for the 2nd and subsequent vhosts in a multi domain SAN, the path to the SSL certificate is actually the same as for your very first domain setup, so for le9.http2ssl.xyz it's not at /etc/letsencrypt/live/le9.http2ssl.xyz but at /etc/letsencrypt/live/le8.http2ssl.xyz. So one more sed replacement is needed for /usr/local/nginx/conf/conf.d/le9.http2ssl.xyz.ssl.conf

    Code:
    vhostname='le9.http2ssl.xyz'
    sed -i "s|\/etc\/letsencrypt\/live\/le9.http2ssl.xyz|\/etc\/letsencrypt\/live\/le8.http2ssl.xyz|g" /usr/local/nginx/conf/conf.d/${vhostname}.ssl.conf
    nprestart
    
    End result is multi domain SAN based SSL certificate from Letsencrypt :D

    chrome46-00.png chrome46-01.png
    ssllabs-le8-le8-san-ssl-00.png
    ssllabs-le8-le8-san-ssl-01.png
    ssllabs-le8-le8-san-ssl-02.png

    Live directory
    Code:
    ls -lAhrt /etc/letsencrypt/live/le8.http2ssl.xyz/
    total 0
    lrwxrwxrwx 1 root root 43 Oct 31 14:43 privkey.pem -> ../../archive/le8.http2ssl.xyz/privkey1.pem
    lrwxrwxrwx 1 root root 45 Oct 31 14:43 fullchain.pem -> ../../archive/le8.http2ssl.xyz/fullchain1.pem
    lrwxrwxrwx 1 root root 41 Oct 31 14:43 chain.pem -> ../../archive/le8.http2ssl.xyz/chain1.pem
    lrwxrwxrwx 1 root root 40 Oct 31 14:43 cert.pem -> ../../archive/le8.http2ssl.xyz/cert1.pem
     
    Last edited: Nov 1, 2015
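    The vhost edits in this post and the previous one (and repeated again further down for le2.http2ssl.xyz) are the same procedure each time: point ssl_certificate and ssl_certificate_key at the Letsencrypt live directory, un-comment the OCSP stapling block, and for a SAN certificate point the second domain's vhost at the first domain's lineage. The block below is an added example for this page, not Centmin Mod's or letsencrypt's code, that does the same thing with the checks a script should make first. It assumes the thread's paths (/etc/letsencrypt/live/<lineage>/ and a Centmin Mod style .ssl.conf); SAMPLE_VHOST is a constructed, cut-down vhost. It differs from the sed chains above in three ways: it refuses to edit when the lineage files are missing (a vhost pointing at a non-existent key takes nginx down on the next restart), it takes the lineage name separately from the vhost so the le9 vhost can be pointed at le8's live directory in one pass, and it sets ssl_trusted_certificate to chain.pem, the issuer chain nginx needs to verify the stapled OCSP response (fullchain.pem as used above also works because it contains that chain).

```python
"""Switch a Centmin Mod style nginx SSL vhost to a Letsencrypt lineage and enable
OCSP stapling. Added example, not Centmin Mod or letsencrypt code; it does what the
sed chains in this thread do, plus the checks worth making before touching the
vhost. Paths are the thread's; SAMPLE_VHOST is a constructed cut-down vhost."""
import os

LIVE = "/etc/letsencrypt/live"

SAMPLE_VHOST = """\
server {
  listen 443 ssl http2;
  server_name le9.http2ssl.xyz www.le9.http2ssl.xyz;
  ssl_certificate      /usr/local/nginx/conf/ssl/le9.http2ssl.xyz/le9.http2ssl.xyz.crt;
  ssl_certificate_key  /usr/local/nginx/conf/ssl/le9.http2ssl.xyz/le9.http2ssl.xyz.key;
  #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
  # enable ocsp stapling
  #resolver 8.8.8.8 8.8.4.4 valid=10m;
  #resolver_timeout 10s;
  #ssl_stapling on;
  #ssl_stapling_verify on;
  #ssl_trusted_certificate /usr/local/nginx/conf/ssl/le9.http2ssl.xyz/le9.http2ssl.xyz-trusted.crt;
}
"""

# Directives Centmin Mod ships commented out that get switched on for a trusted cert.
# HSTS (add_header) is deliberately not in this list; it stays as the admin left it.
STAPLING = ("resolver", "resolver_timeout", "ssl_stapling", "ssl_stapling_verify", "ssl_trusted_certificate")


def _name(directive: str) -> str:
    """First word of an nginx directive line ("" for an empty line)."""
    return directive.split(None, 1)[0] if directive else ""


def rewrite_vhost(conf: str, lineage: str, live_dir: str = LIVE, require_files: bool = True) -> str:
    """lineage is the directory name under live/. For a SAN cert that is the first -d
    domain (le8.http2ssl.xyz in the thread) even when the vhost being edited is le9's."""
    base = os.path.join(live_dir, lineage)
    fullchain = os.path.join(base, "fullchain.pem")
    privkey = os.path.join(base, "privkey.pem")
    chain = os.path.join(base, "chain.pem")  # issuer chain: what OCSP stapling verification needs
    if require_files:
        for p in (fullchain, privkey, chain):
            if not os.path.isfile(p):
                raise FileNotFoundError(f"{p} missing; vhost left untouched")
    out = []
    for line in conf.splitlines():
        indent = line[: len(line) - len(line.lstrip())]
        stripped = line.strip()
        if stripped.startswith("#"):
            candidate = stripped[1:].lstrip()
            if _name(candidate) in STAPLING:  # un-comment; a second run finds nothing to do
                stripped = candidate
        name = _name(stripped)
        if name == "ssl_certificate":
            stripped = f"ssl_certificate      {fullchain};"
        elif name == "ssl_certificate_key":
            stripped = f"ssl_certificate_key  {privkey};"
        elif name == "ssl_trusted_certificate":
            stripped = f"ssl_trusted_certificate {chain};"
        out.append(indent + stripped if stripped else line)
    return "\n".join(out) + ("\n" if conf.endswith("\n") else "")


def directives(conf: str) -> dict:
    """Active (un-commented) simple directives, name -> arguments, for checking the result."""
    found = {}
    for line in conf.splitlines():
        s = line.strip()
        if not s or s.startswith("#") or not s.endswith(";"):
            continue
        parts = s[:-1].split(None, 1)
        found[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return found


if __name__ == "__main__":
    # Offline dry run against the constructed vhost. On a real box keep require_files=True,
    # write the result back over the .ssl.conf and run `nginx -t` before nprestart.
    print(rewrite_vhost(SAMPLE_VHOST, "le8.http2ssl.xyz", require_files=False))
```

    `require_files=False` exists only so the example runs without a certificate on disk; in use, the FileNotFoundError is the point, since it is cheaper than a failed restart.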
  10. eva2000

    FYI, in the last 24hrs there have been major changes to how Letsencrypt validates domains in terms of the expected content-type response that is returned.

    The changes outlined at
    This will require an update on the Centmin Mod code side to support the changes as well, once I figure it all out. So whenever the code is updated on the Centmin Mod end, you'd need to update Centmin Mod first.

    To update your Centmin Mod builds follow instructions at centminmod.com/upgrade.html and respective version threads below:
     
    Last edited: Nov 5, 2015
  11. eva2000

    For now it seems jose+json content-type still works

    Code:
    cd /root/tools
    rm -rf /root/tools/letsencrypt
    git clone https://github.com/letsencrypt/letsencrypt
    cd letsencrypt
    sed -i "s|--python python2|--python python2.7|" letsencrypt-auto
    ./letsencrypt-auto --agree-dev-preview --server https://acme-v01.api.letsencrypt.org/directory
    
    check letsencrypt binary timestamp
    Code:
    ls -lah /root/.local/share/letsencrypt/bin/letsencrypt
    -rwxr-xr-x 1 root root 245 Nov  5 00:37 /root/.local/share/letsencrypt/bin/letsencrypt
    
    Setup new nginx vhost le2.http2ssl.xyz with pure-ftpd user and ssl enabled
    Code:
    nv -d le2.http2ssl.xyz -s y -u le2aahsg66
    
    partial output
    Code:
    vhost for le2.http2ssl.xyz created successfully
    
    domain: http://le2.http2ssl.xyz
    vhost conf file for le2.http2ssl.xyz created: /usr/local/nginx/conf/conf.d/le2.http2ssl.xyz.conf
    
    vhost ssl for le2.http2ssl.xyz created successfully
    
    domain: https://le2.http2ssl.xyz
    vhost ssl conf file for le2.http2ssl.xyz created: /usr/local/nginx/conf/conf.d/le2.http2ssl.xyz.ssl.conf
    /usr/local/nginx/conf/ssl_include.conf created
    Self-signed SSL Certificate: /usr/local/nginx/conf/ssl/le2.http2ssl.xyz/le2.http2ssl.xyz.crt
    SSL Private Key: /usr/local/nginx/conf/ssl/le2.http2ssl.xyz/le2.http2ssl.xyz.key
    SSL CSR File: /usr/local/nginx/conf/ssl/le2.http2ssl.xyz/le2.http2ssl.xyz.csr
    Backup SSL Private Key: /usr/local/nginx/conf/ssl/le2.http2ssl.xyz/le2.http2ssl.xyz-backup.key
    Backup SSL CSR File: /usr/local/nginx/conf/ssl/le2.http2ssl.xyz/le2.http2ssl.xyz-backup.csr
    
    upload files to /home/nginx/domains/le2.http2ssl.xyz/public
    vhost log files directory is /home/nginx/domains/le2.http2ssl.xyz/log
    
    run letsencrypt webroot authentication; no need to pass --email again, it's only needed the first time: Clarify the --email flag requirements? - Issuance Tech Questions - Let's Encrypt Community Support
    Code:
    vhostname='le2.http2ssl.xyz'
    /root/.local/share/letsencrypt/bin/letsencrypt --server https://acme-v01.api.letsencrypt.org/directory --renew-by-default -a webroot --webroot-path /home/nginx/domains/${vhostname}/public --text --agree-tos --agree-dev-preview -d ${vhostname} auth
    
    output
    Code:
    /root/.local/share/letsencrypt/bin/letsencrypt --server https://acme-v01.api.letsencrypt.org/directory --renew-by-default -a webroot --webroot-path /home/nginx/domains/${vhostname}/public --text --agree-tos --agree-dev-preview -d ${vhostname} auth
    
    IMPORTANT NOTES:
    - Congratulations! Your certificate and chain have been saved at
       /etc/letsencrypt/live/le2.http2ssl.xyz/fullchain.pem. Your cert
       will expire on 2016-02-02. To obtain a new version of the
       certificate in the future, simply run Let's Encrypt again.
    
    sed replacements for replacing auto generated self signed ssl certificate with Letsencrypt obtained one
    Code:
    vhostname='le2.http2ssl.xyz'
    sed -i "s|\/usr\/local\/nginx\/conf\/ssl\/${vhostname}\/${vhostname}.crt|\/etc\/letsencrypt\/live\/${vhostname}\/fullchain.pem|" /usr/local/nginx/conf/conf.d/${vhostname}.ssl.conf
    sed -i "s|\/usr\/local\/nginx\/conf\/ssl\/${vhostname}\/${vhostname}.key|\/etc\/letsencrypt\/live\/${vhostname}\/privkey.pem|" /usr/local/nginx/conf/conf.d/${vhostname}.ssl.conf
    sed -i "s|#resolver |resolver |" /usr/local/nginx/conf/conf.d/${vhostname}.ssl.conf
    sed -i "s|#resolver_timeout|resolver_timeout|" /usr/local/nginx/conf/conf.d/${vhostname}.ssl.conf
    sed -i "s|#ssl_stapling on|ssl_stapling on|" /usr/local/nginx/conf/conf.d/${vhostname}.ssl.conf
    sed -i "s|#ssl_stapling_verify|ssl_stapling_verify|" /usr/local/nginx/conf/conf.d/${vhostname}.ssl.conf
    sed -i "s|#ssl_trusted_certificate|ssl_trusted_certificate|" /usr/local/nginx/conf/conf.d/${vhostname}.ssl.conf
    sed -i "s|\/usr\/local\/nginx\/conf\/ssl\/${vhostname}\/${vhostname}-trusted.crt|\/etc\/letsencrypt\/live\/${vhostname}\/fullchain.pem|" /usr/local/nginx/conf/conf.d/${vhostname}.ssl.conf
    nprestart
    
    obtained Letsencrypt SSL certificate
    Code:
    ls -lAhrt /etc/letsencrypt/live/le2.http2ssl.xyz/
    total 0
    lrwxrwxrwx 1 root root 43 Nov  5 00:41 privkey.pem -> ../../archive/le2.http2ssl.xyz/privkey1.pem
    lrwxrwxrwx 1 root root 45 Nov  5 00:41 fullchain.pem -> ../../archive/le2.http2ssl.xyz/fullchain1.pem
    lrwxrwxrwx 1 root root 41 Nov  5 00:41 chain.pem -> ../../archive/le2.http2ssl.xyz/chain1.pem
    lrwxrwxrwx 1 root root 40 Nov  5 00:41 cert.pem -> ../../archive/le2.http2ssl.xyz/cert1.pem
    
    relevant parts of nginx SSL vhost /usr/local/nginx/conf/conf.d/${vhostname}.ssl.conf
    Code:
    server {
      listen 443 ssl http2;
      server_name le2.http2ssl.xyz www.le2.http2ssl.xyz;
    
      ssl_dhparam /usr/local/nginx/conf/ssl/le2.http2ssl.xyz/dhparam.pem;
      ssl_certificate      /etc/letsencrypt/live/le2.http2ssl.xyz/fullchain.pem;
      ssl_certificate_key  /etc/letsencrypt/live/le2.http2ssl.xyz/privkey.pem;
      include /usr/local/nginx/conf/ssl_include.conf;
    
      # mozilla recommended
      ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!CAMELLIA:!DES-CBC3-SHA;
      ssl_prefer_server_ciphers   on;
      #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
      #add_header  X-Content-Type-Options "nosniff";
      #add_header X-Frame-Options DENY;
      ssl_buffer_size 1400;
      ssl_session_tickets on;
      # enable ocsp stapling
      resolver 8.8.8.8 8.8.4.4 valid=10m;
      resolver_timeout 10s;
      ssl_stapling on;
      ssl_stapling_verify on;
      ssl_trusted_certificate /etc/letsencrypt/live/le2.http2ssl.xyz/fullchain.pem;
    
    upload_2015-11-5_10-53-29.png


    However, I've updated both Centmin Mod 123.08stable and 123.09beta01 builds for latest Letsencrypt supported content-type outlined at SSL - Letsencrypt Free SSL certificates with web root authentication method | Centmin Mod Community

    To update your Centmin Mod builds follow instructions at centminmod.com/upgrade.html and respective version threads below:
    Once updated, run centmin.sh once to allow auto syncing of the changes to your existing server configuration.
     
    Last edited: Nov 5, 2015
  12. eva2000

  13. eva2000


    Centmin Mod 123.09beta01le Letsencrypt Integration Tests



    Set up a separate 123.09beta01le branch of Centmin Mod where I am testing and integrating the Letsencrypt client into centmin.sh menu option 2 first, for adding the initial Nginx vhost domain.

    This is an example which includes a prompt for updating the intended domain's DNS A record before continuing, so that Letsencrypt domain validation can proceed.

    Code:
    --------------------------------------------------------
    Centmin Mod 1.2.3-eva2000.09 - http://centminmod.com
    --------------------------------------------------------
                       Centmin Mod Menu                 
    --------------------------------------------------------
    1).  Centmin Install
    2).  Add Nginx vhost domain
    3).  NSD setup domain name DNS
    4).  Nginx Upgrade / Downgrade
    5).  PHP Upgrade / Downgrade
    6).  XCache Re-install
    7).  APC Cache Re-install
    8).  XCache Install
    9).  APC Cache Install
    10). Memcached Server Re-install
    11). MariaDB 5.2/5.5 & 10.x Upgrade Sub-Menu
    12). Zend OpCache Install/Re-install
    13). Install ioping.sh vbtechsupport.com/1239/
    14). SELinux disable
    15). Install/Reinstall ImagicK PHP Extension
    16). Change SSHD Port Number
    17). Multi-thread compression: pigz,pbzip2,lbzip2...
    18). Suhosin PHP Extension install
    19). Install FFMPEG and FFMPEG PHP Extension
    20). NSD Re-install
    21). Update - Nginx + PHP-FPM + Siege
    22). Add Wordpress Nginx vhost + WP Super Cache
    23). Update Centmin Mod Code Base
    24). Exit
    --------------------------------------------------------
    Enter option [ 1 - 24 ] 2
    --------------------------------------------------------
    
    Using a dummy domain = domain1.com for the new Nginx vhost for testing, so there will be no valid DNS A record. Letsencrypt SSL relies on the self-signed SSL setup being done prior, so I answered yes when prompted. If you answer yes to Letsencrypt SSL, it will auto set the self signed SSL certificate vhost routine to yes too anyway.

    This is an example of aborting the Nginx vhost setup at the prompt, allowing the end user time to update their intended domain's DNS A record first
    Code:
    ---------------------------------------------
    Enter vhost domain name to add (without www. prefix): domain1.com
    
    Create a self-signed SSL certificate Nginx vhost? [y/n]: y
    
    To get Letsencrypt SSL certificate, you must already have updated intended
    domain vhost name's DNS A record to this server's IP addresss otherwise
    Letsencrypt domain name validation will fail.
    
    current DNS A record IP address for domain1.com is:
    
    Abort this Nginx vhost domain setup to setup proper DNS A record first? [y/n]: y
     
    Last edited: Nov 7, 2015
  14. eva2000


    Centmin Mod 123.09beta01le Letsencrypt Test Part 2



    This example is of Letsencrypt webroot authentication proceeding instead of aborting. The 1st time you run it, you need to specify a valid email address to register a Letsencrypt account. This email address is auto populated into a /etc/letsencrypt/webroot.ini config file that Centmin Mod creates and uses on the Centmin Mod automation end only.

    Letsencrypt client itself records this email address itself on ACME server remote end + locally according to Clarify purpose of --email · Issue #1310 · letsencrypt/letsencrypt · GitHub at
    Code:
    /etc/letsencrypt/accounts/<server_url>/directory/<hash>/regr.json
    
    However, currently there is no way to update or change the registered email address that the Letsencrypt account records initially, see Clarify the --email flag requirements? - Issuance Tech Questions - Let's Encrypt Community Support and Allow contact information updates · Issue #30 · ietf-wg-acme/acme · GitHub. This could be problematic if end users want to update their email addresses, as this is where Letsencrypt email notifications and auto renewal notifications are sent to! So you better make sure the email address you use has a solid email service and uptime. It's why for Centmin Mod LEMP stacks I highly recommend more reliable 3rd party @yourdomain email providers instead of trying to host your email on the same server.

    Unfortunately, Letsencrypt client won't be getting updated to support email registration changes at GA public release time Clarify the --email flag requirements? - Issuance Tech Questions - Let's Encrypt Community Support :(

    The below example is of a failed registration, as I gave a dummy email address for testing.

    Code:
    --------------------------------------------------------
    Centmin Mod 1.2.3-eva2000.09 - http://centminmod.com
    --------------------------------------------------------
                       Centmin Mod Menu
    --------------------------------------------------------
    1).  Centmin Install
    2).  Add Nginx vhost domain
    3).  NSD setup domain name DNS
    4).  Nginx Upgrade / Downgrade
    5).  PHP Upgrade / Downgrade
    6).  XCache Re-install
    7).  APC Cache Re-install
    8).  XCache Install
    9).  APC Cache Install
    10). Memcached Server Re-install
    11). MariaDB 5.2/5.5 & 10.x Upgrade Sub-Menu
    12). Zend OpCache Install/Re-install
    13). Install ioping.sh vbtechsupport.com/1239/
    14). SELinux disable
    15). Install/Reinstall ImagicK PHP Extension
    16). Change SSHD Port Number
    17). Multi-thread compression: pigz,pbzip2,lbzip2...
    18). Suhosin PHP Extension install
    19). Install FFMPEG and FFMPEG PHP Extension
    20). NSD Re-install
    21). Update - Nginx + PHP-FPM + Siege
    22). Add Wordpress Nginx vhost + WP Super Cache
    23). Update Centmin Mod Code Base
    24). Exit
    --------------------------------------------------------
    Enter option [ 1 - 24 ] 2
    --------------------------------------------------------
    
    Code:
    ---------------------------------------------
    Enter vhost domain name to add (without www. prefix): domain1.com
    
    Create a self-signed SSL certificate Nginx vhost? [y/n]: y
    
    To get Letsencrypt SSL certificate, you must already have updated intended
    domain vhost name's DNS A record to this server's IP addresss otherwise
    Letsencrypt domain name validation will fail.
    
    current DNS A record IP address for domain1.com is:
    
    Abort this Nginx vhost domain setup to setup proper DNS A record first? [y/n]: n
    Obtain Letsencrypt Free SSL certificate (90 day expiry / renew every 60 days) ? [y/n]: y
    
    Create FTP username for vhost domain (enter username): d1ftp1
    Auto generate FTP password (recommended) [y/n]: y
    
    FTP username you entered: ************************
    FTP password auto generated: ************************
    
    Password:
    Enter it again:
    
    Code:
    ---------------------------------------------------------------
    SSL Vhost Setup...
    ---------------------------------------------------------------
    
    ---------------------------------------------------------------
    Generating self signed SSL certificate...
    CSR file can also be used to be submitted for paid SSL certificates
    If using for paid SSL certificates be sure to keep both private key and CSR safe
    creating CSR File: domain1.com.csr
    creating private key: domain1.com.key
    creating self-signed SSL certificate: domain1.com.crt
    Generating a 2048 bit RSA private key
    ...........................+++
    ....................................................................................................................................................+++
    writing new private key to 'domain1.com.key'
    -----
    Signature ok
    subject=/C=US/ST=California/L=Los Angeles/O=domain1.com/OU=domain1.com/CN=domain1.com
    Getting Private key
    
    ---------------------------------------------------------------
    Generating backup CSR and private key for HTTP Public Key Pinning...
    creating CSR File: domain1.com-backup.csr
    creating private key: domain1.com-backup.key
    Generating a 2048 bit RSA private key
    ............................................................................................+++
    .......................+++
    writing new private key to 'domain1.com-backup.key'
    -----
    
    ---------------------------------------------------------------
    Extracting Base64 encoded information for primary and secondary
    private key's SPKI - Subject Public Key Information
    Primary private key - domain1.com.key
    Backup private key - domain1.com-backup.key
    For HPKP - HTTP Public Key Pinning hash generation...
    
    extracting SPKI Base64 encoded hash for primary private key = domain1.com.key ...
    writing RSA key
    DLpC3MuHsp6vc364h2lDCt754dmVVP6OJ4VIyJD4wj0=
    
    extracting SPKI Base64 encoded hash for backup private key = domain1.com-backup.key ...
    writing RSA key
    sOZ5Xoqf9dF/x8PBGmTyAjL0sZ3nOMbakQqSMMo5nhs=
    
    HTTP Public Key Pinning Header for Nginx
    
    for 7 days max-age including subdomains
    
    add_header Public-Key-Pins 'pin-sha256="DLpC3MuHsp6vc364h2lDCt754dmVVP6OJ4VIyJD4wj0="; pin-sha256="sOZ5Xoqf9dF/x8PBGmTyAjL0sZ3nOMbakQqSMMo5nhs="; max-age=86400; includeSubDomains';
    
    for 7 days max-age excluding subdomains
    
    add_header Public-Key-Pins 'pin-sha256="DLpC3MuHsp6vc364h2lDCt754dmVVP6OJ4VIyJD4wj0="; pin-sha256="sOZ5Xoqf9dF/x8PBGmTyAjL0sZ3nOMbakQqSMMo5nhs="; max-age=86400';
    
    ---------------------------------------------------------------
    Generating dhparam.pem file - can take a few minutes...
    Generating DH parameters, 2048 bit long safe prime, generator 2
    This is going to take a long time

    dhparam file generation time: 25.214688545
    
    -------------------------------------------------------------
    service nginx reload
    Reloading nginx configuration (via systemctl):  [  OK  ]
    systemctl restart pure-ftpd.service
    
    Actual first time install for the Letsencrypt client itself - for testing purposes, the client is updated every time it's run right now due to so many changes being made to the code during beta stage testing. If CentOS 6.x is detected it auto runs the Centmin Mod addon at /usr/local/src/centminmod/addons/python27_install.sh to install Python 2.7 at /usr/bin/python2.7; otherwise, if CentOS 7.x is detected, it just runs.
    Code:
    installing or updating letsencrypt client
    
    Cloning into 'letsencrypt'...
    Bootstrapping dependencies for RedHat-based OSes...
    yum is /usr/bin/yum
    Loaded plugins: fastestmirror, priorities
    Loading mirror speeds from cached hostfile
    * base: mirror.optus.net
    * epel: fedora.mirror.serversaustralia.com.au
    * extras: mirror.optus.net
    * rpmforge: mirror.ventraip.net.au
    * updates: mirror.optus.net
    187 packages excluded due to repository priority protections
    Package git-1.8.3.1-4.el7.x86_64 already installed and latest version
    Package python-2.7.5-18.el7_1.1.x86_64 already installed and latest version
    Package gcc-4.8.3-9.el7.x86_64 already installed and latest version
    Package 1:openssl-devel-1.0.1e-42.el7.9.x86_64 already installed and latest version
    Package ca-certificates-2015.2.4-70.0.el7_1.noarch already installed and latest version
    Resolving Dependencies
    --> Running transaction check
    ---> Package augeas-libs.x86_64 0:1.1.0-17.el7 will be installed
    ---> Package dialog.x86_64 0:1.2-4.20130523.el7 will be installed
    ---> Package libffi-devel.x86_64 0:3.0.13-11.el7 will be installed
    ---> Package python-devel.x86_64 0:2.7.5-18.el7_1.1 will be installed
    ---> Package python-virtualenv.noarch 0:1.10.1-2.el7 will be installed
    --> Finished Dependency Resolution
    
    Dependencies Resolved
    
    ================================================================================
    Package                Arch        Version                  Repository    Size
    ================================================================================
    Installing:
    augeas-libs            x86_64      1.1.0-17.el7             base         332 k
    dialog                 x86_64      1.2-4.20130523.el7       base         208 k
    libffi-devel           x86_64      3.0.13-11.el7            base          22 k
    python-devel           x86_64      2.7.5-18.el7_1.1         updates      389 k
    python-virtualenv      noarch      1.10.1-2.el7             base         1.2 M
    
    Transaction Summary
    ================================================================================
    Install  5 Packages
    
    Total download size: 2.2 M
    Installed size: 4.1 M
    Downloading packages:
    --------------------------------------------------------------------------------
    Total                                              2.0 MB/s | 2.2 MB  00:01
    Running transaction check
    Running transaction test
    Transaction test succeeded
    Running transaction
      Installing : python-devel-2.7.5-18.el7_1.1.x86_64                         1/5
      Installing : python-virtualenv-1.10.1-2.el7.noarch                        2/5
      Installing : augeas-libs-1.1.0-17.el7.x86_64                              3/5
      Installing : dialog-1.2-4.20130523.el7.x86_64                             4/5
      Installing : libffi-devel-3.0.13-11.el7.x86_64                            5/5
      Verifying  : libffi-devel-3.0.13-11.el7.x86_64                            1/5
      Verifying  : dialog-1.2-4.20130523.el7.x86_64                             2/5
      Verifying  : python-devel-2.7.5-18.el7_1.1.x86_64                         3/5
      Verifying  : augeas-libs-1.1.0-17.el7.x86_64                              4/5
      Verifying  : python-virtualenv-1.10.1-2.el7.noarch                        5/5
    
    Installed:
      augeas-libs.x86_64 0:1.1.0-17.el7                         
      dialog.x86_64 0:1.2-4.20130523.el7                        
      libffi-devel.x86_64 0:3.0.13-11.el7                       
      python-devel.x86_64 0:2.7.5-18.el7_1.1                    
      python-virtualenv.noarch 0:1.10.1-2.el7                   
    
    Complete!
    Creating virtual environment...
    Updating letsencrypt and virtual environment dependencies.....Collecting ConfigArgParse from git+https://github.com/kuba/ConfigArgParse.git@python2.6-0.9.3#egg=ConfigArgParse (from -r py26reqs.txt (line 1))
      Cloning https://github.com/kuba/ConfigArgParse.git (to python2.6-0.9.3) to /tmp/pip-build-9JMUjC/ConfigArgParse
    Installing collected packages: ConfigArgParse
      Running setup.py install for ConfigArgParse
    Successfully installed ConfigArgParse-0.9.3
    /root/.local/share/letsencrypt/lib/python2.7/site-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:90: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
      InsecurePlatformWarning
    ./root/.local/share/letsencrypt/lib/python2.7/site-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:90: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
      InsecurePlatformWarning
    .
    Running with virtualenv: /root/.local/share/letsencrypt/bin/letsencrypt --agree-dev-preview --server https://acme-staging.api.letsencrypt.org/directory
    No installers are available on your OS yet; try running "letsencrypt-auto certonly" to get a cert you can install manually
    
    Letsencrypt webroot authentication failed as the email address registered was invalid. As such, the original self-signed SSL certificates created are left in place. I added an error detection routine, so that only when Letsencrypt webroot authentication succeeds will the Letsencrypt-obtained SSL certificates replace the ones contained in the https SSL nginx vhost at /usr/local/nginx/conf/conf.d/domain1.com.ssl.conf
    Code:
    setup general /etc/letsencrypt/webroot.ini letsencrypt config file
    
    Registering an account with Letsencrypt
    You only do this once, so that Letsencrypt can notify &
    contact you via email regarding your SSL certificates
    Enter your email address to setup Letsencrypt account: myemail@mydomainxzy.com
    
    
    obtaining Letsencrypt SSL certificate via webroot authentication...
    
    An unexpected error occurred.
    Error: malformed :: The request message was malformed :: Error creating new registration :: No MX record for domain mydomainxzy.com
    Please see the logfiles in /var/log/letsencrypt for more details.
    
    -------------------------------------------------------------
    FTP hostname : IPADDRESS
    FTP port : 21
    FTP mode : FTP (explicit SSL)
    FTP Passive (PASV) : ensure is checked/enabled
    FTP username created for domain1.com : **************
    FTP password created for domain1.com : ***************************
    -------------------------------------------------------------
    
    Code:
    vhost for domain1.com created successfully
    
    domain: http://domain1.com
    vhost conf file for domain1.com created: /usr/local/nginx/conf/conf.d/domain1.com.conf
    
    vhost ssl for domain1.com created successfully
    
    domain: https://domain1.com
    vhost ssl conf file for domain1.com created: /usr/local/nginx/conf/conf.d/domain1.com.ssl.conf
    /usr/local/nginx/conf/ssl_include.conf created
    Self-signed SSL Certificate: /usr/local/nginx/conf/ssl/domain1.com/domain1.com.crt
    SSL Private Key: /usr/local/nginx/conf/ssl/domain1.com/domain1.com.key
    SSL CSR File: /usr/local/nginx/conf/ssl/domain1.com/domain1.com.csr
    Backup SSL Private Key: /usr/local/nginx/conf/ssl/domain1.com/domain1.com-backup.key
    Backup SSL CSR File: /usr/local/nginx/conf/ssl/domain1.com/domain1.com-backup.csr
    
    upload files to /home/nginx/domains/domain1.com/public
    vhost log files directory is /home/nginx/domains/domain1.com/log
    
    -------------------------------------------------------------
    Current vhost listing at: /usr/local/nginx/conf/conf.d/
    
       
    Nov 5   19:33   1.1K   demodomain.com.conf
    Nov 5   19:33   845    ssl.conf
    Nov 6   05:40   1.6K   virtual.conf
    Nov 7   03:41   1.6K   domain1.com.conf
    Nov 7   03:41   3.9K   domain1.com.ssl.conf
    
    -------------------------------------------------------------
    Current vhost ssl files listing at: /usr/local/nginx/conf/ssl/domain1.com
    
       
    Nov 7   03:41   1.7K   domain1.com.key
    Nov 7   03:41   1.1K   domain1.com.csr
    Nov 7   03:41   1.3K   domain1.com.crt
    Nov 7   03:41   1.7K   domain1.com-backup.key
    Nov 7   03:41   1.1K   domain1.com-backup.csr
    Nov 7   03:41   45     hpkp-info-primary-pin.txt
    Nov 7   03:41   45     hpkp-info-secondary-pin.txt
    Nov 7   03:41   424    dhparam.pem
    
    -------------------------------------------------------------
    Commands to remove domain1.com
    
    rm -rf /usr/local/nginx/conf/conf.d/domain1.com.conf
    rm -rf /usr/local/nginx/conf/conf.d/domain1.com.ssl.conf
    rm -rf /usr/local/nginx/conf/ssl/domain1.com/domain1.com.crt
    rm -rf /usr/local/nginx/conf/ssl/domain1.com/domain1.com.key
    rm -rf /usr/local/nginx/conf/ssl/domain1.com/domain1.com.csr
    rm -rf /usr/local/nginx/conf/ssl/domain1.com
    rm -rf /home/nginx/domains/domain1.com
    service nginx restart
    -------------------------------------------------------------
    Contents of /etc/letsencrypt/webroot.ini
    Code:
    # webroot.ini general config ini
    
    rsa-key-size = 2048
    
    # Always use the staging/testing server
    server = https://acme-staging.api.letsencrypt.org/directory
    
    # for beta invitees
    # server = https://acme-v01.api.letsencrypt.org/directory
    
    # Uncomment and update to register with the specified e-mail address
    email = myemail@mydomainxzy.com
    
    # Uncomment to use a text interface instead of ncurses
    text = True
    agree-tos = True
    agree-dev-preview = True
    renew-by-default = True
    
    authenticator = webroot
    
    No locally saved json email address at /etc/letsencrypt/accounts/<server_url>/directory/<hash>/regr.json as the dummy email address failed to register.
    Code:
    ls -lah /etc/letsencrypt/accounts/acme-staging.api.letsencrypt.org/directory/
    total 0
    drwx------ 2 root root  6 Nov  7 03:43 .
    drwx------ 3 root root 22 Nov  7 03:43 ..

    Email Address MX record check

    Seems the Letsencrypt client also checks whether the email address domain has MX records attached to it, so I updated the Centmin Mod routine to check for it when you enter an email address, so it fails earlier and you can correct it.

    Now when you enter an email address whose domain does not have an MX record, or if you enter an empty email address, you will get an error and a prompt to re-enter a valid email address.

    Code:
    setup general /etc/letsencrypt/webroot.ini letsencrypt config file
    
    Registering an account with Letsencrypt
    You only do this once, so that Letsencrypt can notify &
    contact you via email regarding your SSL certificates
    Enter your email address to setup Letsencrypt account: myemail@mydomainxzy.com
    
    You are registering myemail@mydomainxzy.com address for Letsencrypt
    
    !! Error: myemail@mydomainxzy.com does not have a DNS MX record !!
    
    Re-Enter your email address to setup Letsencrypt account:
    
    !! Error: email address is empty
    
    !! Error: email address is empty
    
    Re-Enter your email address to setup Letsencrypt account:
    If you enter a valid email address it will proceed with Letsencrypt account registration and you will get notes notifying you that your email address and Letsencrypt account have been set up and saved to /etc/letsencrypt.

    Code:
    Re-Enter your email address to setup Letsencrypt account: valid@validemailaddy.com
    
    You are registering valid@validemailaddy.com address for Letsencrypt
    
    obtaining Letsencrypt SSL certificate via webroot authentication...
    
    An unexpected error occurred.
    Error: serverInternal :: The server experienced an internal error :: Error creating new authz
    Please see the logfiles in /var/log/letsencrypt for more details.
    IMPORTANT NOTES:
    - If you lose your account credentials, you can recover through
       e-mails sent to valid@validemailaddy.com.
    - Your account credentials have been saved in your Let's Encrypt
       configuration directory at /etc/letsencrypt. You should make a
       secure backup of this folder now. This configuration directory will
       also contain certificates and private keys obtained by Let's
       Encrypt so making regular backups of this folder is ideal.
    
    However, the error still exists for domain1.com, as obviously the dummy domain domain1.com has an invalid DNS A record, so it failed Letsencrypt's domain validation when running webroot authentication.
    Code:
    An unexpected error occurred.
    Error: serverInternal :: The server experienced an internal error :: Error creating new authz
    Contents of /etc/letsencrypt/webroot.ini
    Code:
    # webroot.ini general config ini
    
    rsa-key-size = 2048
    
    # Always use the staging/testing server
    server = https://acme-staging.api.letsencrypt.org/directory
    
    # for beta invitees
    # server = https://acme-v01.api.letsencrypt.org/directory
    
    # Uncomment and update to register with the specified e-mail address
    email = valid@validemailaddy.com
    
    # Uncomment to use a text interface instead of ncurses
    text = True
    agree-tos = True
    agree-dev-preview = True
    renew-by-default = True
    
    authenticator = webroot
    
    Confirming the email address for Letsencrypt account registration is set up in /etc/letsencrypt/accounts/<server_url>/directory/<hash>/regr.json

    Code:
    ls -lah /etc/letsencrypt/accounts/acme-staging.api.letsencrypt.org/directory/db6d74bb15afc01abdf5ea8338f5fdaf/
    total 12K
    drwx------ 2 root root   61 Nov  7 06:11 .
    drwx------ 3 root root   45 Nov  7 06:11 ..
    -rw-r--r-- 1 root root   79 Nov  7 06:11 meta.json
    -r-------- 1 root root 1.6K Nov  7 06:11 private_key.json
    -rw-r--r-- 1 root root  760 Nov  7 06:11 regr.json
    Code:
    grep -Ro 'valid@validemailaddy.com' /etc/letsencrypt/accounts/acme-staging.api.letsencrypt.org/directory/db6d74bb15afc01abdf5ea8338f5fdaf/regr.json
    valid@validemailaddy.com

    Further DNS record checks

    Added more DNS record checks and top level domain checks, so that the Letsencrypt client can cover the top level domain's www version under a single multi-domain SAN SSL certificate, i.e. an SSL certificate to cover domain.com and www.domain.com.

    Code:
    --------------------------------------------------------
    Centmin Mod 1.2.3-eva2000.09 - http://centminmod.com
    --------------------------------------------------------
                       Centmin Mod Menu            
    --------------------------------------------------------
    1).  Centmin Install
    2).  Add Nginx vhost domain
    3).  NSD setup domain name DNS
    4).  Nginx Upgrade / Downgrade
    5).  PHP Upgrade / Downgrade
    6).  XCache Re-install
    7).  APC Cache Re-install
    8).  XCache Install
    9).  APC Cache Install
    10). Memcached Server Re-install
    11). MariaDB 5.2/5.5 & 10.x Upgrade Sub-Menu
    12). Zend OpCache Install/Re-install
    13). Install ioping.sh vbtechsupport.com/1239/
    14). SELinux disable
    15). Install/Reinstall ImagicK PHP Extension
    16). Change SSHD Port Number
    17). Multi-thread compression: pigz,pbzip2,lbzip2...
    18). Suhosin PHP Extension install
    19). Install FFMPEG and FFMPEG PHP Extension
    20). NSD Re-install
    21). Update - Nginx + PHP-FPM + Siege
    22). Add Wordpress Nginx vhost + WP Super Cache
    23). Update Centmin Mod Code Base
    24). Exit
    --------------------------------------------------------
    Enter option [ 1 - 24 ] 2
    --------------------------------------------------------
    As domain1.com is invalid DNS-wise, it gives an error earlier on, before it gets to the Letsencrypt client running stage. This gives you an opportunity to abort the nginx vhost domain setup so you can correct or update the domain's DNS settings.
    Code:
    Enter vhost domain name to add (without www. prefix): domain1.com
    
    Create a self-signed SSL certificate Nginx vhost? [y/n]: y
    
    To get Letsencrypt SSL certificate, you must already have updated intended
    domain vhost name's DNS A record to this server's IP addresss.
    If top level domain, DNS A record is needed also for www. version of domain
    otherwise, Letsencrypt domain name validation will fail.
    
    
    !! Error: domain1.com DNS records not found or setup properly yet or domain1.com invalid
    
    Abort this Nginx vhost domain setup to setup proper DNS A record(s) first? [y/n]: y
    If using a valid top level domain, i.e. http2ssl.xyz:
    Code:
    Enter vhost domain name to add (without www. prefix): http2ssl.xyz
    
    Create a self-signed SSL certificate Nginx vhost? [y/n]: y
    
    To get Letsencrypt SSL certificate, you must already have updated intended
    domain vhost name's DNS A record to this server's IP addresss.
    If top level domain, DNS A record is needed also for www. version of domain
    otherwise, Letsencrypt domain name validation will fail.
    
    
    http2ssl.xyz is a top level domain
    current DNS A record IP address for http2ssl.xyz is: 23.92.216.163
    current DNS A record IP address for www.http2ssl.xyz is: 23.92.216.163
    
    Abort this Nginx vhost domain setup to setup proper DNS A record(s) first? [y/n]: 
    If continuing on with the setup with the valid top level domain http2ssl.xyz:
    Code:
    Enter vhost domain name to add (without www. prefix): http2ssl.xyz
    
    Create a self-signed SSL certificate Nginx vhost? [y/n]: y
    
    To get Letsencrypt SSL certificate, you must already have updated intended
    domain vhost name's DNS A record to this server's IP addresss.
    If top level domain, DNS A record is needed also for www. version of domain
    otherwise, Letsencrypt domain name validation will fail.
    
    
    http2ssl.xyz is a top level domain
    current DNS A record IP address for http2ssl.xyz is: 23.92.216.163
    current DNS A record IP address for www.http2ssl.xyz is: 23.92.216.163
    
    Abort this Nginx vhost domain setup to setup proper DNS A record(s) first? [y/n]: n
    Obtain Letsencrypt Free SSL certificate (90 day expiry / renew every 60 days) ? [y/n]: y
    
    Create FTP username for vhost domain (enter username): *****************
    Auto generate FTP password (recommended) [y/n]: y
    
    FTP username you entered: **********************
    FTP password auto generated: **********************
    
    Code:
    ---------------------------------------------------------------
    SSL Vhost Setup...
    ---------------------------------------------------------------
    
    ---------------------------------------------------------------
    Generating self signed SSL certificate...
    CSR file can also be used to be submitted for paid SSL certificates
    If using for paid SSL certificates be sure to keep both private key and CSR safe
    creating CSR File: http2ssl.xyz.csr
    creating private key: http2ssl.xyz.key
    creating self-signed SSL certificate: http2ssl.xyz.crt
    Generating a 2048 bit RSA private key
    .......+++
    .............+++
    writing new private key to 'http2ssl.xyz.key'
    -----
    Signature ok
    subject=/C=US/ST=California/L=Los Angeles/O=http2ssl.xyz/OU=http2ssl.xyz/CN=http2ssl.xyz
    Getting Private key
    
    Code:
    installing or updating letsencrypt client
    
    setup general /etc/letsencrypt/webroot.ini letsencrypt config file
    
    Registering an account with Letsencrypt
    You only do this once, so that Letsencrypt can notify &
    contact you via email regarding your SSL certificates
    Enter your email address to setup Letsencrypt account: valid@validemailaddy.com
    
    You are registering valid@validemailaddy.com address for Letsencrypt
    
    obtaining Letsencrypt SSL certificate via webroot authentication...
    
    /root/.local/share/letsencrypt/bin/letsencrypt -c /etc/letsencrypt/webroot.ini --webroot-path /home/nginx/domains/http2ssl.xyz/public -d http2ssl.xyz -d www.http2ssl.xyz auth
    Failed authorization procedure. http2ssl.xyz (http-01): unauthorized :: The client lacks sufficient authorization :: Invalid response from http://http2ssl.xyz/.well-known/acme-challenge/xfoy_qPd-oOTcRfs4xNltTA42xyZHzitksIIM0_wYLg [23.92.216.163]: 404, www.http2ssl.xyz (http-01): unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.http2ssl.xyz/.well-known/acme-challenge/q4bx3Ub3Y_NImehn8-0wuLILGFWA1RE3eKTM-6JFxBg [23.92.216.163]: 404
    IMPORTANT NOTES:
    - If you lose your account credentials, you can recover through
       e-mails sent to valid@validemailaddy.com.
    - The following 'unauthorized' errors were reported by the server:
    
       Domains: http2ssl.xyz, www.http2ssl.xyz
       Error: The client lacks sufficient authorization
    
       To fix these errors, please make sure that your domain name was
       entered correctly and the DNS A record(s) for that domain
       contain(s) the right IP address.
    - Your account credentials have been saved in your Let's Encrypt
       configuration directory at /etc/letsencrypt. You should make a
       secure backup of this folder now. This configuration directory will
       also contain certificates and private keys obtained by Let's
       Encrypt so making regular backups of this folder is ideal.
    
    Notice in the above error from Letsencrypt webroot authentication that it didn't validate the domain via the http-01 verification method, as the http2ssl.xyz A record IP pointed to a server other than the existing server's IP address. The domain's DNS A record, and for top level domains the www DNS A record, must point to the IP of the server you're running on.
    Code:
    /root/.local/share/letsencrypt/bin/letsencrypt -c /etc/letsencrypt/webroot.ini --webroot-path /home/nginx/domains/http2ssl.xyz/public -d http2ssl.xyz -d www.http2ssl.xyz auth
    
    Failed authorization procedure. http2ssl.xyz (http-01): unauthorized ::
    The client lacks sufficient authorization :: Invalid response from http://http2ssl.xyz/.well-known/acme-challenge/xfoy_qPd-oOTcRfs4xNltTA42xyZHzitksIIM0_wYLg [23.92.216.163]: 404,
    www.http2ssl.xyz (http-01): unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.http2ssl.xyz/.well-known/acme-challenge/q4bx3Ub3Y_NImehn8-0wuLILGFWA1RE3eKTM-6JFxBg [23.92.216.163]: 404
    
     
    Last edited: Nov 12, 2015
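As an added example (not Centmin Mod's own routine, nor Letsencrypt client code) of the pre-flight checks this post describes, the script below verifies the vhost domain's A record (plus the www. record for a top level domain) against the server IP and checks that the registration e-mail's domain has an MX record before the letsencrypt client would be run. The `dig`-based default resolvers, the one-dot rule for "top level domain" and all function names are my assumptions; the resolver lookups are injectable so the logic can be exercised offline.

```python
"""Pre-flight checks for a Let's Encrypt webroot (http-01) run.

Added example, not Centmin Mod's own code. It mirrors the two checks
the thread describes before the letsencrypt client is invoked:
  * the vhost domain's A record (and the www. A record for a top level
    domain) must point at this server's IP, or http-01 validation fails
    with the 'unauthorized ... 404' error shown in the thread;
  * the registration e-mail's domain must have an MX record, or the ACME
    server rejects the registration ("No MX record for domain ...").
"""
import subprocess
from typing import Callable, List

ALookup = Callable[[str], List[str]]   # name -> list of IPv4 strings
MXLookup = Callable[[str], List[str]]  # zone -> list of MX hostnames


def is_top_level_domain(domain: str) -> bool:
    """Assumption: a name with exactly one dot (example.com) is treated as
    top level and also needs a www. record; anything deeper
    (le10.http2ssl.xyz) is a subdomain. Multi-label suffixes such as
    co.uk are not handled by this simple dot count."""
    return domain.count(".") == 1


def dig_short(rtype: str, name: str) -> List[str]:
    """Default resolver using `dig +short` (assumed to be installed)."""
    out = subprocess.run(["dig", "+short", rtype, name],
                         capture_output=True, text=True, check=False).stdout
    return [line.strip() for line in out.splitlines() if line.strip()]


def default_a_lookup(name: str) -> List[str]:
    # dig +short A also prints CNAME targets; keep only dotted quads
    return [v for v in dig_short("A", name) if v.replace(".", "").isdigit()]


def default_mx_lookup(zone: str) -> List[str]:
    # each MX answer line looks like "10 mail.example.com."
    return [line.split()[-1] for line in dig_short("MX", zone)]


def check_domain(domain: str, server_ip: str, a_lookup: ALookup) -> List[str]:
    """Return error strings; an empty list means the A records are usable."""
    errors = []
    names = [domain]
    if is_top_level_domain(domain):
        names.append("www." + domain)
    for name in names:
        ips = a_lookup(name)
        if not ips:
            errors.append(f"{name}: no DNS A record found")
        elif server_ip not in ips:
            errors.append(f"{name}: A record {','.join(ips)} does not point "
                          f"to this server ({server_ip}); http-01 will fail")
    return errors


def check_email(email: str, mx_lookup: MXLookup) -> List[str]:
    """Return error strings for the registration e-mail, empty if acceptable."""
    if not email or "@" not in email:
        return ["email address is empty or malformed"]
    zone = email.rsplit("@", 1)[1]
    if not mx_lookup(zone):
        return [f"{email} does not have a DNS MX record"]
    return []


def preflight(domain: str, server_ip: str, email: str,
              a_lookup: ALookup = default_a_lookup,
              mx_lookup: MXLookup = default_mx_lookup) -> List[str]:
    """Combine both checks; a non-empty result means abort before running
    the letsencrypt client so the operator can fix DNS first."""
    return check_domain(domain, server_ip, a_lookup) + check_email(email, mx_lookup)


if __name__ == "__main__":
    import sys
    # usage: preflight.py <domain> <server_ip> <email>
    problems = preflight(sys.argv[1], sys.argv[2], sys.argv[3])
    for problem in problems:
        print("!! Error:", problem)
    sys.exit(1 if problems else 0)
```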
  15. eva2000

    eva2000 Administrator Staff Member

    Letsencrypt enters public beta December 3, 2015

     
  16. eva2000

    eva2000 Administrator Staff Member


    Letsencrypt Webroot Authentication Plugin Integration - Live Run

    Update: added official site page at http://centminmod.com/letsencrypt-freessl.html

    The first test of the beta-invited whitelisted domain le10.http2ssl.xyz with the Nginx vhost creation routine and a Letsencrypt free domain validated SSL certificate, on the Centmin Mod 123.09beta01le experimental branch, which was forked from the official 123.09beta01 branch. The latest code includes passing the --user-agent flag to the Letsencrypt client for identification.

    This is a full run from start to finish via centmin.sh menu option 2, which is the only place currently where Letsencrypt client integration has been added (once the menu option routine for LE is working fully, I will add routines to the /usr/bin/nv command line method of Nginx vhost auto generation :) ). The end result will be Nginx vhosts auto generated for both the http and https sides of the web site, with a Letsencrypt domain validated SSL certificate in place on the https side.
    • vhost conf file for le10.http2ssl.xyz created: /usr/local/nginx/conf/conf.d/le10.http2ssl.xyz.conf
    • vhost ssl conf file for le10.http2ssl.xyz created: /usr/local/nginx/conf/conf.d/le10.http2ssl.xyz.ssl.conf
    Invoking centmin.sh menu option 2 to add new nginx vhost le10.http2ssl.xyz
    Code:
    --------------------------------------------------------
    Centmin Mod 1.2.3-eva2000.09 - http://centminmod.com
    --------------------------------------------------------
                       Centmin Mod Menu  
    --------------------------------------------------------
    1).  Centmin Install
    2).  Add Nginx vhost domain
    3).  NSD setup domain name DNS
    4).  Nginx Upgrade / Downgrade
    5).  PHP Upgrade / Downgrade
    6).  XCache Re-install
    7).  APC Cache Re-install
    8).  XCache Install
    9).  APC Cache Install
    10). Memcached Server Re-install
    11). MariaDB 5.2/5.5 & 10.x Upgrade Sub-Menu
    12). Zend OpCache Install/Re-install
    13). Install ioping.sh vbtechsupport.com/1239/
    14). SELinux disable
    15). Install/Reinstall ImagicK PHP Extension
    16). Change SSHD Port Number
    17). Multi-thread compression: pigz,pbzip2,lbzip2...
    18). Suhosin PHP Extension install
    19). Install FFMPEG and FFMPEG PHP Extension
    20). NSD Re-install
    21). Update - Nginx + PHP-FPM + Siege
    22). Add Wordpress Nginx vhost + WP Super Cache
    23). Update Centmin Mod Code Base
    24). Exit
    --------------------------------------------------------
    Enter option [ 1 - 24 ] 2
    --------------------------------------------------------
    
    Prompt for creation of nginx vhost le10.http2ssl.xyz. Selecting yes to the self-signed SSL certificate and then the Letsencrypt SSL certificate. There are checks for valid DNS for the domain and, if running for the first time, also MX DNS checks for a valid email address to register a Letsencrypt account (one time only task).
    Code:
    Enter vhost domain name to add (without www. prefix): le10.http2ssl.xyz
    
    Create a self-signed SSL certificate Nginx vhost? [y/n]: y
    
    To get Letsencrypt SSL certificate, you must already have updated intended
    domain vhost name's DNS A record to this server's IP addresss.
    If top level domain, DNS A record is needed also for www. version of domain
    otherwise, Letsencrypt domain name validation will fail.
    
    
    le10.http2ssl.xyz is not a top level domain
    your server IP address: 104.152.214.220
    current DNS A record IP address for le10.http2ssl.xyz is: 104.152.214.220
    
    Abort this Nginx vhost domain setup to setup proper DNS A record(s) first? [y/n]: n
    Obtain Letsencrypt Free SSL certificate (90 day expiry / renew every 60 days) ? [y/n]: y
    
    Create FTP username for vhost domain (enter username): *********************
    Auto generate FTP password (recommended) [y/n]: y
    
    FTP username you entered: *********************
    FTP password auto generated: *********************
    
    SSL nginx vhost setup stage - 1st part is for self-signed SSL certificate generation and dhparam file generation.
    Code:
    ---------------------------------------------------------------
    SSL Vhost Setup...
    ---------------------------------------------------------------
    
    ---------------------------------------------------------------
    Generating self signed SSL certificate...
    CSR file can also be used to be submitted for paid SSL certificates
    If using for paid SSL certificates be sure to keep both private key and CSR safe
    creating CSR File: le10.http2ssl.xyz.csr
    creating private key: le10.http2ssl.xyz.key
    creating self-signed SSL certificate: le10.http2ssl.xyz.crt
    Generating a 2048 bit RSA private key
    .................................................+++
    ......+++
    writing new private key to 'le10.http2ssl.xyz.key'
    -----
    Signature ok
    subject=/C=US/ST=California/L=Los Angeles/O=le10.http2ssl.xyz/OU=le10.http2ssl.xyz/CN=le10.http2ssl.xyz
    Getting Private key
    
    ---------------------------------------------------------------
    Generating backup CSR and private key for HTTP Public Key Pinning...
    creating CSR File: le10.http2ssl.xyz-backup.csr
    creating private key: le10.http2ssl.xyz-backup.key
    Generating a 2048 bit RSA private key
    ..........................+++
    ................................................+++
    writing new private key to 'le10.http2ssl.xyz-backup.key'
    -----
    ---------------------------------------------------------------
    Generating dhparam.pem file - can take a few minutes...
    Generating DH parameters, 2048 bit long safe prime, generator 2
    This is going to take a long time
    ..............++*++*
    dhparam file generation time: 79.957781154
    
    -------------------------------------------------------------
    
    Installing the Letsencrypt client via git clone. Right now each run of centmin.sh menu option 2 will also update the letsencrypt client, to ensure that during the beta and public beta the latest client code is always used.

    The actual Letsencrypt webroot command is below; the --user-agent centminmod-centos6-webroot value is determined dynamically based on the CentOS version.
    Code:
    /root/.local/share/letsencrypt/bin/letsencrypt -c /etc/letsencrypt/webroot.ini --user-agent centminmod-centos6-webroot --webroot-path /home/nginx/domains/le10.http2ssl.xyz/public -d le10.http2ssl.xyz auth
    Code:
    installing or updating letsencrypt client
    
    Initialized empty Git repository in /root/tools/letsencrypt/.git/
    Updating letsencrypt and virtual environment dependencies.......
    Running with virtualenv: /root/.local/share/letsencrypt/bin/letsencrypt --agree-dev-preview --server https://acme-staging.api.letsencrypt.org/directory
    Version: 1.1-20080819
    Version: 1.1-20080819
    No installers are available on your OS yet; try running "letsencrypt-auto certonly" to get a cert you can install manually
    
    obtaining Letsencrypt SSL certificate via webroot authentication...
    
    /root/.local/share/letsencrypt/bin/letsencrypt -c /etc/letsencrypt/webroot.ini --user-agent centminmod-centos6-webroot --webroot-path /home/nginx/domains/le10.http2ssl.xyz/public -d le10.http2ssl.xyz auth
    IMPORTANT NOTES:
    - Congratulations! Your certificate and chain have been saved at
       /etc/letsencrypt/live/le10.http2ssl.xyz/fullchain.pem. Your cert
       will expire on 2016-02-13. To obtain a new version of the
       certificate in the future, simply run Let's Encrypt again.
    /root/.local/share/letsencrypt/bin/letsencrypt -c /etc/letsencrypt/webroot.ini --user-agent centminmod-centos6-webroot --webroot-path /home/nginx/domains/le10.http2ssl.xyz/public -d le10.http2ssl.xyz auth
    
    setup cronjob for /usr/local/nginx/conf/ssl/le10.http2ssl.xyz/letsencrypt-le10.http2ssl.xyz-cron
    0 */4 * * * /usr/bin/cminfo_updater
    15 1 1 */2 * sleep 704s ; bash /usr/local/nginx/conf/ssl/le10.http2ssl.xyz/letsencrypt-le10.http2ssl.xyz-cron > /dev/null 2>&1
    service nginx restart
    nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
    nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
    Stopping nginx:                                            [  OK  ]
    Starting nginx:                                            [  OK  ]
    
    -------------------------------------------------------------
    FTP hostname : 104.152.214.220
    FTP port : 21
    FTP mode : FTP (explicit SSL)
    FTP Passive (PASV) : ensure is checked/enabled
    FTP username created for le10.http2ssl.xyz : *********************
    FTP password created for le10.http2ssl.xyz : *********************
    -------------------------------------------------------------
    
    A cronjob file is also set up, only on successfully obtaining the Letsencrypt SSL certificate, at /usr/local/nginx/conf/ssl/le10.http2ssl.xyz/letsencrypt-le10.http2ssl.xyz-cron. Contents of /usr/local/nginx/conf/ssl/le10.http2ssl.xyz/letsencrypt-le10.http2ssl.xyz-cron:

    Code:
    /root/.local/share/letsencrypt/bin/letsencrypt -c /etc/letsencrypt/webroot.ini --user-agent centminmod-centos6-webroot --webroot-path /home/nginx/domains/le10.http2ssl.xyz/public -d le10.http2ssl.xyz auth
    /usr/bin/nprestart
    The cronjob is auto set up to run every 2 months with a random sleep interval, so if you have many nginx vhosts with Letsencrypt SSL certificates, the cronjob auto renewals are not all run simultaneously :)
    Code:
    15 1 1 */2 * sleep 704s ; bash /usr/local/nginx/conf/ssl/le10.http2ssl.xyz/letsencrypt-le10.http2ssl.xyz-cron > /dev/null 2>&1
    On completion of centmin.sh menu option 2, the nginx vhost files and info for your records:
    Code:
    vhost for le10.http2ssl.xyz created successfully
    
    domain: http://le10.http2ssl.xyz
    vhost conf file for le10.http2ssl.xyz created: /usr/local/nginx/conf/conf.d/le10.http2ssl.xyz.conf
    
    vhost ssl for le10.http2ssl.xyz created successfully
    
    domain: https://le10.http2ssl.xyz
    vhost ssl conf file for le10.http2ssl.xyz created: /usr/local/nginx/conf/conf.d/le10.http2ssl.xyz.ssl.conf
    /usr/local/nginx/conf/ssl_include.conf created
    Self-signed SSL Certificate: /usr/local/nginx/conf/ssl/le10.http2ssl.xyz/le10.http2ssl.xyz.crt
    SSL Private Key: /usr/local/nginx/conf/ssl/le10.http2ssl.xyz/le10.http2ssl.xyz.key
    SSL CSR File: /usr/local/nginx/conf/ssl/le10.http2ssl.xyz/le10.http2ssl.xyz.csr
    Backup SSL Private Key: /usr/local/nginx/conf/ssl/le10.http2ssl.xyz/le10.http2ssl.xyz-backup.key
    Backup SSL CSR File: /usr/local/nginx/conf/ssl/le10.http2ssl.xyz/le10.http2ssl.xyz-backup.csr
    
    Letsencrypt SSL Certificate: /etc/letsencrypt/live/le10.http2ssl.xyz/cert.pem
    Letsencrypt SSL Certificate Private Key: /etc/letsencrypt/live/le10.http2ssl.xyz/privkey.pem
    Letsencrypt SSL Certificate Chain: /etc/letsencrypt/live/le10.http2ssl.xyz/chain.pem
    Letsencrypt SSL Certificate Full Chain: /etc/letsencrypt/live/le10.http2ssl.xyz/fullchain.pem
    Letsencrypt le10.http2ssl.xyz cronjob file: /usr/local/nginx/conf/ssl/le10.http2ssl.xyz/letsencrypt-le10.http2ssl.xyz-cron
    
    upload files to /home/nginx/domains/le10.http2ssl.xyz/public
    vhost log files directory is /home/nginx/domains/le10.http2ssl.xyz/log
    
    -------------------------------------------------------------
    Current vhost listing at: /usr/local/nginx/conf/conf.d/
    
          
    Nov 5   18:02   1.1K   demodomain.com.conf
    Nov 5   18:02   1.6K   ftp.ftpdomain.com.conf
    Nov 5   18:02   3.9K   ftp.ftpdomain.com.ssl.conf
    Nov 5   18:02   845    ssl.conf
    Nov 6   00:13   1.6K   ftp2.domain.com.conf
    Nov 6   00:13   3.9K   ftp2.domain.com.ssl.conf
    Nov 6   07:15   1.6K   virtual.conf
    Nov 15  21:55   1.7K   le10.http2ssl.xyz.conf
    Nov 15  21:55   3.9K   le10.http2ssl.xyz.ssl.conf
    
    -------------------------------------------------------------
    Current vhost ssl files listing at: /usr/local/nginx/conf/ssl/le10.http2ssl.xyz
    
          
    Nov 15  21:53   1.7K   le10.http2ssl.xyz.key
    Nov 15  21:53   1.1K   le10.http2ssl.xyz.csr
    Nov 15  21:53   1.3K   le10.http2ssl.xyz.crt
    Nov 15  21:53   1.7K   le10.http2ssl.xyz-backup.key
    Nov 15  21:53   1.1K   le10.http2ssl.xyz-backup.csr
    Nov 15  21:54   45     hpkp-info-primary-pin.txt
    Nov 15  21:54   45     hpkp-info-secondary-pin.txt
    Nov 15  21:55   424    dhparam.pem
    Nov 15  21:55   205    letsencrypt-le10.http2ssl.xyz-cron
    
    -------------------------------------------------------------
    Commands to remove le10.http2ssl.xyz
    
    rm -rf /usr/local/nginx/conf/conf.d/le10.http2ssl.xyz.conf
    rm -rf /usr/local/nginx/conf/conf.d/le10.http2ssl.xyz.ssl.conf
    rm -rf /usr/local/nginx/conf/ssl/le10.http2ssl.xyz/le10.http2ssl.xyz.crt
    rm -rf /usr/local/nginx/conf/ssl/le10.http2ssl.xyz/le10.http2ssl.xyz.key
    rm -rf /usr/local/nginx/conf/ssl/le10.http2ssl.xyz/le10.http2ssl.xyz.csr
    rm -rf /usr/local/nginx/conf/ssl/le10.http2ssl.xyz
    rm -rf /home/nginx/domains/le10.http2ssl.xyz
    service nginx restart
    -------------------------------------------------------------
    

    If you manually ran the letsencrypt cronjob to renew the SSL certificate:
    Code:
    bash /usr/local/nginx/conf/ssl/le10.http2ssl.xyz/letsencrypt-le10.http2ssl.xyz-cron
    
    IMPORTANT NOTES:
    - Congratulations! Your certificate and chain have been saved at
       /etc/letsencrypt/live/le10.http2ssl.xyz/fullchain.pem. Your cert
       will expire on 2016-02-13. To obtain a new version of the
       certificate in the future, simply run Let's Encrypt again.
    nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
    nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
    Stopping nginx:                                            [  OK  ]
    Starting nginx:                                            [  OK  ]
    Gracefully shutting down php-fpm . done
    Starting php-fpm  done
    Code:
    ls -lah /etc/letsencrypt/live/le10.http2ssl.xyz/
    total 8.0K
    drwxr-xr-x 2 root root 4.0K Nov 15 22:34 .
    drwx------ 3 root root 4.0K Nov 15 21:55 ..
    lrwxrwxrwx 1 root root   41 Nov 15 22:34 cert.pem -> ../../archive/le10.http2ssl.xyz/cert2.pem
    lrwxrwxrwx 1 root root   42 Nov 15 22:34 chain.pem -> ../../archive/le10.http2ssl.xyz/chain2.pem
    lrwxrwxrwx 1 root root   46 Nov 15 22:34 fullchain.pem -> ../../archive/le10.http2ssl.xyz/fullchain2.pem
    lrwxrwxrwx 1 root root   44 Nov 15 22:34 privkey.pem -> ../../archive/le10.http2ssl.xyz/privkey2.pem

    Service Monitoring: crond



    As the crond service is critical for auto renewals, we probably need to monitor and auto restart such services. I've been working on monit support for Centmin Mod and several dozen monit service configuration profiles for ages now with CentOS 6 support, and have only just started adding CentOS 7 support as well, so as to monitor and auto restart all of the Centmin Mod LEMP stack's services.

    Then I deliberately stopped the crond service so that monit could detect the crond service as being down and auto restart it. The current default is to wait 120 seconds before reporting a service as down, auto restarting it and sending email notifications.

    Code:
    tail -50 /var/log/monit.log
    [UTC Nov 16 20:17:21] info     : Generated unique Monit id 9a71505590331e4d3fb1558db4491b04 and stored to '/root/.monit.id'
    [UTC Nov 16 20:17:21] info     : Starting Monit 5.14 daemon with http interface at [localhost]:2812
    [UTC Nov 16 20:17:21] info     : Monit start delay set -- pause for 240s
    [UTC Nov 16 20:18:18] info     : Monit daemon with pid [4226] stopped
    [UTC Nov 16 20:18:18] info     : 'centos7.localdomain' Monit 5.14 stopped
    [UTC Nov 16 20:18:29] info     : Starting Monit 5.14 daemon with http interface at [localhost]:2812
    [UTC Nov 16 20:18:29] info     : Monit start delay set -- pause for 240s
    [UTC Nov 16 20:22:29] info     : Starting Monit HTTP server at [localhost]:2812
    [UTC Nov 16 20:22:29] info     : Monit HTTP server started
    [UTC Nov 16 20:22:29] info     : 'centos7.localdomain' Monit 5.14 started
    
    [UTC Nov 16 20:23:00] error    : 'cron' process is not running
    [UTC Nov 16 20:23:00] info     : 'cron' trying to restart
    [UTC Nov 16 20:23:00] info     : 'cron' start: /usr/bin/systemctl
    
    Then I checked the crond service and saw that monit had auto restarted the service :)

    Code:
    service crond status
    Redirecting to /bin/systemctl status  crond.service
    crond.service - Command Scheduler
       Loaded: loaded (/usr/lib/systemd/system/crond.service; enabled)
       Active: active (running) since Mon 2015-11-16 20:23:00 UTC; 3min 1s ago
    Main PID: 4362 (crond)
       CGroup: /system.slice/crond.service
               └─4362 /usr/sbin/crond -n
    
    Nov 16 20:23:00 centos7.localdomain systemd[1]: Started Command Scheduler.
    Nov 16 20:23:00 centos7.localdomain crond[4362]: (CRON) INFO (RANDOM_DELAY will be scaled with factor 91% if used.)
    Nov 16 20:23:00 centos7.localdomain crond[4362]: (CRON) INFO (running with inotify support)
    Nov 16 20:23:00 centos7.localdomain crond[4362]: (CRON) INFO (@reboot jobs will be run at computer's startup.)
    Monit email notifications, which are configured to be sent on monit events:

    Code:
    Does not exist Service cron
    
            Date:        Mon, 16 Nov 2015 20:23:00
            Action:      restart
            Host:        centos7.localdomain
            Description: process is not running
    
    Code:
    Exists Service cron
    
            Date:        Mon, 16 Nov 2015 20:25:30
            Action:      alert
            Host:        centos7.localdomain
            Description: process is running with pid 4362
    Monit command line status:

    Code:
    monit status
    The Monit daemon 5.14 uptime: 2m
    
    Process 'sshd'
      status                            Running
      monitoring status                 Monitored
      pid                               1001
      parent pid                        1
      uid                               0
      effective uid                     0
      gid                               0
      uptime                            3h 33m
      children                          4
      memory                            3.5 MB
      memory total                      16.0 MB
      memory percent                    0.1%
      memory percent total              0.8%
      cpu percent                       0.0%
      cpu percent total                 0.0%
      port response time                0.009s to [127.0.0.1]:22 type TCP/IP protocol SSH
      data collected                    Mon, 16 Nov 2015 22:14:36
    
    Process 'postfix'
      status                            Running
      monitoring status                 Monitored
      pid                               2010
      parent pid                        1
      uid                               0
      effective uid                     0
      gid                               0
      uptime                            3h 33m
      children                          8
      memory                            2.2 MB
      memory total                      37.3 MB
      memory percent                    0.1%
      memory percent total              2.0%
      cpu percent                       0.0%
      cpu percent total                 0.0%
      data collected                    Mon, 16 Nov 2015 22:14:36
    
    Process 'php-fpm'
      status                            Running
      monitoring status                 Monitored
      pid                               6263
      parent pid                        1
      uid                               0
      effective uid                     0
      gid                               0
      uptime                            23m
      children                          0
      memory                            16.5 MB
      memory total                      16.5 MB
      memory percent                    0.8%
      memory percent total              0.8%
      cpu percent                       0.0%
      cpu percent total                 0.0%
      port response time                0.000s to [localhost]:9000 type TCP/IP protocol DEFAULT
      data collected                    Mon, 16 Nov 2015 22:14:36
    
    Process 'nsd'
      status                            Running
      monitoring status                 Monitored
      pid                               1252
      parent pid                        1
      uid                               1001
      effective uid                     1001
      gid                               1001
      uptime                            3h 33m
      children                          2
      memory                            944.0 kB
      memory total                      6.2 MB
      memory percent                    0.0%
      memory percent total              0.3%
      cpu percent                       0.0%
      cpu percent total                 0.0%
      data collected                    Mon, 16 Nov 2015 22:14:36
    
    Process 'nginx'
      status                            Running
      monitoring status                 Monitored
      pid                               2508
      parent pid                        1
      uid                               0
      effective uid                     0
      gid                               0
      uptime                            3h 33m
      children                          2
      memory                            28.0 MB
      memory total                      92.5 MB
      memory percent                    1.5%
      memory percent total              5.0%
      cpu percent                       0.0%
      cpu percent total                 0.0%
      data collected                    Mon, 16 Nov 2015 22:14:36
    
    Process 'mysql'
      status                            Not monitored
      monitoring status                 Not monitored
      data collected                    Mon, 16 Nov 2015 22:13:36
    
    Process 'memcached'
      status                            Running
      monitoring status                 Monitored
      pid                               2493
      parent pid                        1
      uid                               99
      effective uid                     99
      gid                               99
      uptime                            3h 33m
      children                          0
      memory                            1.1 MB
      memory total                      1.1 MB
      memory percent                    0.0%
      memory percent total              0.0%
      cpu percent                       0.0%
      cpu percent total                 0.0%
      port response time                0.000s to [localhost]:11211 type TCP/IP protocol DEFAULT
      data collected                    Mon, 16 Nov 2015 22:14:36
    
    Process 'lfd'
      status                            Running
      monitoring status                 Monitored
      pid                               5260
      parent pid                        1
      uid                               0
      effective uid                     0
      gid                               0
      uptime                            1h 5m
      children                          0
      memory                            22.6 MB
      memory total                      22.6 MB
      memory percent                    1.2%
      memory percent total              1.2%
      cpu percent                       0.0%
      cpu percent total                 0.0%
      data collected                    Mon, 16 Nov 2015 22:14:36
    
    Process 'cron'
      status                            Running
      monitoring status                 Monitored
      pid                               4362
      parent pid                        1
      uid                               0
      effective uid                     0
      gid                               0
      uptime                            1h 51m
      children                          0
      memory                            1.5 MB
      memory total                      1.5 MB
      memory percent                    0.0%
      memory percent total              0.0%
      cpu percent                       0.0%
      cpu percent total                 0.0%
      data collected                    Mon, 16 Nov 2015 22:14:36
    
    System 'centos7.localdomain'
      status                            Running
      monitoring status                 Monitored
      load average                      [0.01] [0.02] [0.05]
      cpu                               0.0%us 0.0%sy 0.0%wa
      memory usage                      368.1 MB [20.0%]
      swap usage                        0 B [0.0%]
      data collected                    Mon, 16 Nov 2015 22:14:36
    Monit web GUI (screenshots omitted)
     
    Last edited: Nov 20, 2015
  17. eva2000

    Working on a companion script to report every Letsencrypt SSL certificate's expiry date in number of days :)

    Code:
    ./expirydate.sh 
    
    /etc/letsencrypt/live/le2.http2ssl.xyz/cert.pem
    certificate expires in 74 days on 2 Feb 2016
    
    /etc/letsencrypt/live/le8.http2ssl.xyz/cert.pem
    certificate expires in 70 days on 29 Jan 2016
    
    /etc/letsencrypt/live/le1.http2ssl.xyz/cert.pem
    certificate expires in 66 days on 25 Jan 2016
    
    /etc/letsencrypt/live/http2ssl.xyz/cert.pem
    certificate expires in 66 days on 25 Jan 2016
     
    Last edited: Nov 19, 2015
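    As an added example (not eva2000's expirydate.sh, whose source isn't posted above), the shell script below produces the same two-line expiry report for every certificate under /etc/letsencrypt/live and additionally flags any certificate with fewer than 30 days left, which with 90-day certificates renewed every 60 days means the renewal cronjob did not run. It assumes GNU date (-d) and the openssl command line tool; the 30-day threshold and the LE_LIVE_DIR/WARN_DAYS variable names are this example's own choices.

```shell
#!/bin/bash
# Added example, not Centmin Mod's own expirydate.sh: report days until expiry
# for every Letsencrypt certificate under /etc/letsencrypt/live and flag any
# whose remaining lifetime shows the 60-day renewal cronjob did not run.
# Assumes GNU date (-d) and the openssl command line tool.

# Default client layout, as shown in the ls output in this thread.
LE_LIVE_DIR="${LE_LIVE_DIR:-/etc/letsencrypt/live}"
# Certificates last 90 days and the cron renews every 60 days, so fewer than
# 30 days left means a renewal was missed (threshold is this example's choice).
WARN_DAYS="${WARN_DAYS:-30}"

# days_until_expiry NOTAFTER [NOW]
#   NOTAFTER: the date string openssl prints after "notAfter=", for example
#             "Feb 13 03:45:00 2016 GMT"
#   NOW:      optional reference time; defaults to the current time. Passing it
#             explicitly keeps the function deterministic for testing.
# Prints the whole number of days between NOW and NOTAFTER (negative once expired).
days_until_expiry() {
  local end_ts now_ts
  end_ts=$(date -u -d "$1" +%s) || return 1
  now_ts=$(date -u -d "${2:-now}" +%s) || return 1
  echo $(( (end_ts - now_ts) / 86400 ))
}

# needs_attention DAYS -> exit status 0 when DAYS is below WARN_DAYS
needs_attention() {
  [ "$1" -lt "$WARN_DAYS" ]
}

# cert_not_after CERT.PEM -> prints the certificate's notAfter date string
cert_not_after() {
  openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# report_cert CERT.PEM [NOW]
# Prints the same two-line report as expirydate.sh; exit status 1 when the
# certificate needs attention, 2 when it could not be read.
report_cert() {
  local cert="$1" not_after days
  not_after=$(cert_not_after "$cert") || return 2
  days=$(days_until_expiry "$not_after" "${2:-}") || return 2
  echo "$cert"
  echo "certificate expires in $days days on $(date -u -d "$not_after" '+%-d %b %Y')"
  if needs_attention "$days"; then
    echo "WARNING: fewer than $WARN_DAYS days left; check the renewal cronjob and /var/log/cron"
    return 1
  fi
  return 0
}

# main: walk every live certificate; the overall exit status is non-zero if any
# certificate needs attention, so this can itself be run from cron to alert.
main() {
  local rc=0 cert found=0
  for cert in "$LE_LIVE_DIR"/*/cert.pem; do
    [ -e "$cert" ] || continue
    found=1
    report_cert "$cert" || rc=1
    echo
  done
  [ "$found" -eq 1 ] || echo "no certificates found under $LE_LIVE_DIR"
  return "$rc"
}

main
```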
  18. eva2000

  19. eva2000


    tools/nv.sh and /usr/bin/nv Letsencrypt integration



    So far I have only been working on the shell-based menu LE integration into centmin.sh menu option 2. Now that this is more polished, I'm working on Letsencrypt integration into the command line version of Centmin Mod's auto generator for Nginx vhost domains: the tools/nv.sh and /usr/bin/nv commands.

    The /usr/bin/nv command has a new flag option, -s le, specifically for auto generation of an Nginx vhost with Letsencrypt SSL certificates. If you use the regular -s y flag option, it just auto generates the Nginx vhost with a self-signed SSL certificate instead.

    Code:
    nv -h
    
    Usage: /usr/bin/nv [-d yourdomain.com] [-s y|n|le] [-u ftpusername]
    
      -d  yourdomain.com or subdomain.yourdomain.com
      -s  ssl self-signed create = y or n or le (for letsencrypt ssl certs)
      -u  your FTP username
    
      example:
    
      /usr/bin/nv -d yourdomain.com -s y -u ftpusername
      /usr/bin/nv -d yourdomain.com -s le -u ftpusername
    
    The example run below is done on a VirtualBox test CentOS 7 server, so the final authorisation for Letsencrypt will fail, as the DNS A record for the le11.http2ssl.xyz domain isn't pointing to my VirtualBox server's local IP.

    Run the nv command with the -s le flag for Letsencrypt and pass the pure-ftpd virtual FTP username you want to use for the Nginx vhost domain.
    Code:
    nv -d le11.http2ssl.xyz -s le -u **********
    Code:
    nv -d le11.http2ssl.xyz -s le -u **********
    ---------------------------------------------------------------
    Nginx Vhost Setup...
    ---------------------------------------------------------------
    
    
    To get Letsencrypt SSL certificate, you must already have updated intended
    domain vhost name's DNS A record to this server's IP addresss.
    If top level domain, DNS A record is needed also for www. version of domain
    otherwise, Letsencrypt domain name validation will fail.
    
    
    le11.http2ssl.xyz is not a top level domain
    your server IP address: *************
    current DNS A record IP address for le11.http2ssl.xyz is: 104.152.214.220
    
    Abort this Nginx vhost domain setup to setup proper DNS A record(s) first? [y/n]: n
    Obtain Letsencrypt Free SSL certificate (90 day expiry / renew every 60 days) ? [y/n]: y
    
    FTP password auto generated: *************
    
    Code:
    ---------------------------------------------------------------
    SSL Vhost Setup...
    ---------------------------------------------------------------
    
    ---------------------------------------------------------------
    Generating self signed SSL certificate...
    CSR file can also be used to be submitted for paid SSL certificates
    If using for paid SSL certificates be sure to keep both private key and CSR safe
    creating CSR File: le11.http2ssl.xyz.csr
    creating private key: le11.http2ssl.xyz.key
    creating self-signed SSL certificate: le11.http2ssl.xyz.crt
    Generating a 2048 bit RSA private key
    ......................+++
    ...........+++
    writing new private key to 'le11.http2ssl.xyz.key'
    -----
    No value provided for Subject Attribute C, skipped
    No value provided for Subject Attribute ST, skipped
    No value provided for Subject Attribute L, skipped
    Signature ok
    subject=/O=le11.http2ssl.xyz/OU=le11.http2ssl.xyz/CN=le11.http2ssl.xyz
    Getting Private key
    
    ---------------------------------------------------------------
    Generating backup CSR and private key for HTTP Public Key Pinning...
    creating CSR File: le11.http2ssl.xyz-backup.csr
    creating private key: le11.http2ssl.xyz-backup.key
    Generating a 2048 bit RSA private key
    ...........................................................................+++
    ....+++
    writing new private key to 'le11.http2ssl.xyz-backup.key'
    -----
    ---------------------------------------------------------------
    Generating dhparam.pem file - can take a few minutes...
    Generating DH parameters, 2048 bit long safe prime, generator 2
    This is going to take a long time
    .............................................................................++*++*
    dhparam file generation time: 28.509509484
    
    -------------------------------------------------------------
    Restarting nginx (via systemctl):  [  OK  ]
    systemctl restart pure-ftpd.service
    
    installing or updating letsencrypt client
    Code:
    setup general /etc/letsencrypt/webroot.ini letsencrypt config file
    
    Registering an account with Letsencrypt
    You only do this once, so that Letsencrypt can notify &
    contact you via email regarding your SSL certificates
    Enter your email address to setup Letsencrypt account: validemail@addy.com
    
    You are registering validemail@addy.com address for Letsencrypt
    
    obtaining Letsencrypt SSL certificate via webroot authentication...
    
    /root/.local/share/letsencrypt/bin/letsencrypt -c /etc/letsencrypt/webroot.ini --user-agent centminmod-centos7-webroot --webroot-path /home/nginx/domains/le11.http2ssl.xyz/public -d le11.http2ssl.xyz certonly
    Failed authorization procedure. le11.http2ssl.xyz (http-01): unauthorized :: The client lacks sufficient authorization :: Invalid response from http://le11.http2ssl.xyz/.well-known/acme-challenge/iyJehKV8_TJZ9u95KjRNn8ZOWg5jUbOggIUf0aZB4gk [104.152.214.220]: 404
    IMPORTANT NOTES:
    - If you lose your account credentials, you can recover through
       e-mails sent to validemail@addy.com.
    - The following 'unauthorized' errors were reported by the server:
    
       Domains: le11.http2ssl.xyz
       Error: The client lacks sufficient authorization
    
       To fix these errors, please make sure that your domain name was
       entered correctly and the DNS A record(s) for that domain
       contain(s) the right IP address.
    - Your account credentials have been saved in your Let's Encrypt
       configuration directory at /etc/letsencrypt. You should make a
       secure backup of this folder now. This configuration directory will
       also contain certificates and private keys obtained by Let's
       Encrypt so making regular backups of this folder is ideal.
    
    -------------------------------------------------------------
    Code:
    -------------------------------------------------------------
    vhost for le11.http2ssl.xyz created successfully
    
    domain: http://le11.http2ssl.xyz
    vhost conf file for le11.http2ssl.xyz created: /usr/local/nginx/conf/conf.d/le11.http2ssl.xyz.conf
    
    vhost ssl for le11.http2ssl.xyz created successfully
    
    domain: https://le11.http2ssl.xyz
    vhost ssl conf file for le11.http2ssl.xyz created: /usr/local/nginx/conf/conf.d/le11.http2ssl.xyz.ssl.conf
    /usr/local/nginx/conf/ssl_include.conf created
    Self-signed SSL Certificate: /usr/local/nginx/conf/ssl/le11.http2ssl.xyz/le11.http2ssl.xyz.crt
    SSL Private Key: /usr/local/nginx/conf/ssl/le11.http2ssl.xyz/le11.http2ssl.xyz.key
    SSL CSR File: /usr/local/nginx/conf/ssl/le11.http2ssl.xyz/le11.http2ssl.xyz.csr
    Backup SSL Private Key: /usr/local/nginx/conf/ssl/le11.http2ssl.xyz/le11.http2ssl.xyz-backup.key
    Backup SSL CSR File: /usr/local/nginx/conf/ssl/le11.http2ssl.xyz/le11.http2ssl.xyz-backup.csr
    
    upload files to /home/nginx/domains/le11.http2ssl.xyz/public
    vhost log files directory is /home/nginx/domains/le11.http2ssl.xyz/log
    
    -------------------------------------------------------------
    Current vhost listing at: /usr/local/nginx/conf/conf.d/
    
                     
    Nov 5   19:33   1.1K   demodomain.com.conf
    Nov 5   19:33   845    ssl.conf
    Nov 6   05:40   1.6K   virtual.conf
    Nov 20  03:31   1.6K   le11.http2ssl.xyz.conf
    Nov 20  03:31   3.9K   le11.http2ssl.xyz.ssl.conf
    
    -------------------------------------------------------------
    Current vhost ssl files listing at: /usr/local/nginx/conf/ssl/le11.http2ssl.xyz
    
                     
    Nov 20  03:31   1.7K   le11.http2ssl.xyz.key
    Nov 20  03:31   976    le11.http2ssl.xyz.csr
    Nov 20  03:31   1.2K   le11.http2ssl.xyz.crt
    Nov 20  03:31   1.7K   le11.http2ssl.xyz-backup.key
    Nov 20  03:31   976    le11.http2ssl.xyz-backup.csr
    Nov 20  03:31   45     hpkp-info-primary-pin.txt
    Nov 20  03:31   45     hpkp-info-secondary-pin.txt
    Nov 20  03:31   424    dhparam.pem
    
    -------------------------------------------------------------
    Commands to remove le11.http2ssl.xyz
    
    rm -rf /usr/local/nginx/conf/conf.d/le11.http2ssl.xyz.conf
    rm -rf /usr/local/nginx/conf/conf.d/le11.http2ssl.xyz.ssl.conf
    rm -rf /usr/local/nginx/conf/ssl/le11.http2ssl.xyz/le11.http2ssl.xyz.crt
    rm -rf /usr/local/nginx/conf/ssl/le11.http2ssl.xyz/le11.http2ssl.xyz.key
    rm -rf /usr/local/nginx/conf/ssl/le11.http2ssl.xyz/le11.http2ssl.xyz.csr
    rm -rf /usr/local/nginx/conf/ssl/le11.http2ssl.xyz
    rm -rf /home/nginx/domains/le11.http2ssl.xyz
    service nginx restart
    -------------------------------------------------------------
    Then doing the same test on a live VPS server:

    Code:
    nv -d le11.http2ssl.xyz -s le -u **********
    Code:
    obtaining Letsencrypt SSL certificate via webroot authentication...
    
    /root/.local/share/letsencrypt/bin/letsencrypt -c /etc/letsencrypt/webroot.ini --user-agent centminmod-centos6-webroot --webroot-path /home/nginx/domains/le11.http2ssl.xyz/public -d le11.http2ssl.xyz certonly
    IMPORTANT NOTES:
    - Congratulations! Your certificate and chain have been saved at
       /etc/letsencrypt/live/le11.http2ssl.xyz/fullchain.pem. Your cert
       will expire on 2016-02-18. To obtain a new version of the
       certificate in the future, simply run Let's Encrypt again.
    /root/.local/share/letsencrypt/bin/letsencrypt -c /etc/letsencrypt/webroot.ini --user-agent centminmod-centos6-webroot --webroot-path /home/nginx/domains/le11.http2ssl.xyz/public -d le11.http2ssl.xyz certonly
    /usr/bin/nprestart
    
    setup cronjob for /usr/local/nginx/conf/ssl/le11.http2ssl.xyz/letsencrypt-le11.http2ssl.xyz-cron
    0 */4 * * * /usr/bin/cminfo_updater
    15 1 1 */2 * sleep 704s ; bash /usr/local/nginx/conf/ssl/le10.http2ssl.xyz/letsencrypt-le10.http2ssl.xyz-cron > /dev/null 2>&1
    15 1 1 */2 * sleep 624s ; bash /usr/local/nginx/conf/ssl/le11.http2ssl.xyz/letsencrypt-le11.http2ssl.xyz-cron > /dev/null 2>&1
    service nginx restart
    Code:
    ls -lAht /etc/letsencrypt/live/le11.http2ssl.xyz/
    total 0
    lrwxrwxrwx 1 root root 41 Nov 20 08:19 cert.pem -> ../../archive/le11.http2ssl.xyz/cert1.pem
    lrwxrwxrwx 1 root root 42 Nov 20 08:19 chain.pem -> ../../archive/le11.http2ssl.xyz/chain1.pem
    lrwxrwxrwx 1 root root 46 Nov 20 08:19 fullchain.pem -> ../../archive/le11.http2ssl.xyz/fullchain1.pem
    lrwxrwxrwx 1 root root 44 Nov 20 08:19 privkey.pem -> ../../archive/le11.http2ssl.xyz/privkey1.pem
    Code:
    ./expirydate.sh
    
    /etc/letsencrypt/live/le10.http2ssl.xyz/cert.pem
    certificate expires in 84 days on 13 Feb 2016
    
    /etc/letsencrypt/live/le11.http2ssl.xyz/cert.pem
    certificate expires in 89 days on 18 Feb 2016
     
    Last edited: Nov 20, 2015
  20. eva2000

    eva2000 Administrator Staff Member


    Centmin Mod Auto Renewal of Letsencrypt SSL Certificate



    An illustrative example of running the auto renewal cronjob file has been updated at centminmod.com/letsencrypt-freessl.html#autocron. It only takes 7.8 seconds to renew the Letsencrypt SSL certificate :D

    cronjob-autonew-ssl-certificate.gif

    Auto Renewal Cron Error and Email Notifications



    Also updated the cron file with error detection and email notification on failed LE SSL certificate auto renewal, and changed it to just an nginx reload command :)

    Using le12.http2ssl.xyz as an example, via the nv command line's auto generation of the Nginx vhost + SSL vhost and LE SSL certificate deployment:
    Code (Text):
    nv -d le12.http2ssl.xyz -s le -u ***************
    ---------------------------------------------------------------
    Nginx Vhost Setup...
    ---------------------------------------------------------------
    
    To get Letsencrypt SSL certificate, you must already have updated intended
    domain vhost name's DNS A record to this server's IP addresss.
    If top level domain, DNS A record is needed also for www. version of domain
    otherwise, Letsencrypt domain name validation will fail.
    
    le12.http2ssl.xyz is not a top level domain
    your server IP address: 104.152.214.220
    current DNS A record IP address for le12.http2ssl.xyz is: 104.152.214.220
    
    Abort this Nginx vhost domain setup to setup proper DNS A record(s) first? [y/n]: n
    Obtain Letsencrypt Free SSL certificate (90 day expiry / renew every 60 days) ? [y/n]: y
    
    FTP password auto generated: ***************


    Code (Text):
    obtaining Letsencrypt SSL certificate via webroot authentication...
    
    /root/.local/share/letsencrypt/bin/letsencrypt -c /etc/letsencrypt/webroot.ini --user-agent centminmod-centos6-webroot --webroot-path /home/nginx/domains/le12.http2ssl.xyz/public -d le12.http2ssl.xyz certonly
    IMPORTANT NOTES:
    - Congratulations! Your certificate and chain have been saved at
       /etc/letsencrypt/live/le12.http2ssl.xyz/fullchain.pem. Your cert
       will expire on 2016-02-24. To obtain a new version of the
       certificate in the future, simply run Let's Encrypt again.
    

    /usr/local/nginx/conf/ssl/le12.http2ssl.xyz/letsencrypt-le12.http2ssl.xyz-cron contents:
    Code (Text):
    # notification address is read from webroot.ini so a changed email is picked up automatically
    EMAIL=$(awk '/email/ {print $3}' /etc/letsencrypt/webroot.ini)
    /root/.local/share/letsencrypt/bin/letsencrypt -c /etc/letsencrypt/webroot.ini --user-agent centminmod-centos6-webroot --webroot-path /home/nginx/domains/le12.http2ssl.xyz/public -d le12.http2ssl.xyz certonly
    if [ $? -ne 0 ]; then
        # capture the log tail after the failed run so the alert shows this attempt's error, not the previous one's
        ERRORLOG=$(tail /var/log/letsencrypt/letsencrypt.log)
        sleep 1; echo -e "The Lets Encrypt SSL Certificate for le12.http2ssl.xyz has not been renewed! \n \n$ERRORLOG" | mail -s "Lets Encrypt Cert Alert" "$EMAIL"
    else
        # renewal succeeded: reload nginx so it picks up the new certificate files
        /usr/bin/ngxreload
    fi
    exit 0
    

    Cron jobs with auto-inserted random sleep intervals to ensure not all LE SSL cron files run simultaneously:
    Code (Text):
    setup cronjob for /usr/local/nginx/conf/ssl/le12.http2ssl.xyz/letsencrypt-le12.http2ssl.xyz-cron
    0 */4 * * * /usr/bin/cminfo_updater
    15 1 1 */2 * sleep 704s ; bash /usr/local/nginx/conf/ssl/le10.http2ssl.xyz/letsencrypt-le10.http2ssl.xyz-cron > /dev/null 2>&1
    15 1 1 */2 * sleep 624s ; bash /usr/local/nginx/conf/ssl/le11.http2ssl.xyz/letsencrypt-le11.http2ssl.xyz-cron > /dev/null 2>&1
    15 1 1 */2 * sleep 896s ; bash /usr/local/nginx/conf/ssl/le12.http2ssl.xyz/letsencrypt-le12.http2ssl.xyz-cron > /dev/null 2>&1
    

    Basically, the cron file's EMAIL field is dynamically obtained from the email field listed in /etc/letsencrypt/webroot.ini, so that if you change the email address, it's automatically updated.

    Expiry dates:
    Code (Text):
    ./expirydate.sh
    
    /etc/letsencrypt/live/le10.http2ssl.xyz/cert.pem
    certificate expires in 78 days on 13 Feb 2016
    
    /etc/letsencrypt/live/le11.http2ssl.xyz/cert.pem
    certificate expires in 88 days on 23 Feb 2016
    
    /etc/letsencrypt/live/le12.http2ssl.xyz/cert.pem
    certificate expires in 89 days on 24 Feb 2016

    Testing a manual run of the cron file auto renewal - 4.9 seconds to renew the SSL certificate :D
    Code (Text):
    time bash /usr/local/nginx/conf/ssl/le12.http2ssl.xyz/letsencrypt-le12.http2ssl.xyz-cron
    
    IMPORTANT NOTES:
    - Congratulations! Your certificate and chain have been saved at
       /etc/letsencrypt/live/le12.http2ssl.xyz/fullchain.pem. Your cert
       will expire on 2016-02-24. To obtain a new version of the
       certificate in the future, simply run Let's Encrypt again.
    nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
    nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
    Reloading nginx:                                           [  OK  ]
    
    real    0m4.903s
    user    0m0.850s
    sys     0m0.120s
     
    Last edited: Nov 26, 2015
    • Like Like x 2
    • Agree Agree x 1
    • Winner Winner x 1
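As an added example (not Centmin Mod's expirydate.sh or nv code, and not part of the post above), a small Python script that parses openssl-style notAfter lines, reports days remaining the way expirydate.sh does, flags certificates inside the 60-day renewal window, and emits staggered cron lines in the same shape as the thread's crontab entries. The deterministic per-domain sleep offset, SAMPLE_NOW and the SAMPLE_CERTS dates are constructed assumptions.

```python
"""Expiry check and staggered renewal cron lines for Let's Encrypt certs."""
import hashlib
from datetime import datetime, timezone

# Cron file path layout shown in the thread; the domain is substituted.
CRON_PATH = "/usr/local/nginx/conf/ssl/{d}/letsencrypt-{d}-cron"
# LE certs last 90 days; the thread renews every 60, so <= 30 days left is due.
RENEW_THRESHOLD_DAYS = 30
# Constructed reference time and notAfter values (not read from real certs).
SAMPLE_NOW = datetime(2015, 11, 26, 12, 0, tzinfo=timezone.utc)
SAMPLE_CERTS = {
    "le10.http2ssl.xyz": "notAfter=Feb 13 23:59:59 2016 GMT",
    "le11.http2ssl.xyz": "notAfter=Feb 23 23:59:59 2016 GMT",
    "le12.http2ssl.xyz": "notAfter=Feb 24 23:59:59 2016 GMT",
}

def parse_not_after(line):
    """Parse a 'notAfter=Feb 13 23:59:59 2016 GMT' line (openssl x509 -enddate)."""
    value = line.strip().split("=", 1)[1]
    parsed = datetime.strptime(value, "%b %d %H:%M:%S %Y %Z")
    return parsed.replace(tzinfo=timezone.utc)

def days_remaining(not_after, now):
    """Whole days left before expiry, the figure expirydate.sh prints."""
    return (not_after - now).days

def stagger_seconds(domain, max_sleep=900):
    """Per-domain sleep offset (deterministic stand-in for the random sleep
    nv inserts) so many vhosts' renewals don't all fire in the same second."""
    digest = hashlib.sha256(domain.encode()).digest()
    return int.from_bytes(digest[:4], "big") % max_sleep

def cron_line(domain):
    """Bimonthly crontab entry in the same shape as the thread's lines."""
    return "15 1 1 */2 * sleep %ds ; bash %s > /dev/null 2>&1" % (
        stagger_seconds(domain), CRON_PATH.format(d=domain))

def expiry_report(certs, now, threshold=RENEW_THRESHOLD_DAYS):
    """Return [(domain, days_left, renewal_due)] for {domain: notAfter line}."""
    rows = []
    for domain, line in sorted(certs.items()):
        days = days_remaining(parse_not_after(line), now)
        rows.append((domain, days, days <= threshold))
    return rows

if __name__ == "__main__":
    for domain, days, due in expiry_report(SAMPLE_CERTS, SAMPLE_NOW):
        print(domain, "expires in", days, "days", "(renewal due)" if due else "")
        print(cron_line(domain))
```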