Letsencrypt Letsencrypt Free SSL certificates with web root authentication method

Update: September 2016 - below guide is no longer valid as Centmin Mod 123.09beta01 has a new addons/acmetool.sh integration outlined at Letsencrypt - Official acmetool.sh testing thread for Centmin Mod 123.09beta01 | Centmin Mod Community

Letsencrypt plugin, simplefs authentication has been renamed web root authentication - named by yours truly Let's test Letsencrypt webroot authentication branch fork/branch SimpleFS plugin (fixes #742) by kuba · Pull Request #757 · letsencrypt/letsencrypt · GitHub. There's also an example for Debian Jessie + Apache.

Update

You can jump straight to actual Centmin Mod LEMP integration tests here in this thread.

Manual Letsencrypt Install

Note Letsencrypt client removed Python 2.6 support so you need Python 2.7. For CentOS 6.x folks you have Python 2.6 so need to install Python 2.7 via Centmin Mod Addon. For CentOS 7.x folks you have Python 2.7 out of box so no need.

Updated Oct 24th, 2015 instructions

For CentOS 7.x run

Code:

mkdir -p /root/tools
cd /root/tools
rm -rf /root/tools/letsencrypt
rm -rf /etc/letsencrypt
rm -rf /var/lib/letsencrypt
rm -rf /root/.local/share
git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
./letsencrypt-auto --verbose

For CentOS 6.x after install Python 2.7, run (note sed replacement to switch to python2.7 instead of python 2 due to letsencrypt-auto doesn't work with Python 2.6 · Issue #1046 · letsencrypt/letsencrypt · GitHub

Code:

mkdir -p /root/tools
cd /root/tools
rm -rf /root/tools/letsencrypt
rm -rf /etc/letsencrypt
rm -rf /var/lib/letsencrypt
rm -rf /root/.local/share
git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
sed -i "s|--python python2|--python python2.7|" letsencrypt-auto
./letsencrypt-auto --verbose

For CentOS 7.x run

Code:

mkdir -p /root/tools
cd /root/tools
rm -rf /root/tools/letsencrypt
rm -rf /etc/letsencrypt
rm -rf /var/lib/letsencrypt
git clone https://github.com/letsencrypt/letsencrypt
#git clone -b simplefs https://github.com/kuba/letsencrypt
cd letsencrypt
./bootstrap/centos.sh
virtualenv --no-site-packages -p python2 venv
./venv/bin/pip install -r requirements.txt acme/ . letsencrypt-apache/ letsencrypt-nginx/

For CentOS 6.x after install Python 2.7, run

Code:

mkdir -p /root/tools
cd /root/tools
rm -rf /root/tools/letsencrypt
rm -rf /etc/letsencrypt
rm -rf /var/lib/letsencrypt
git clone https://github.com/letsencrypt/letsencrypt
#git clone -b simplefs https://github.com/kuba/letsencrypt
cd letsencrypt
./bootstrap/centos.sh
virtualenv --no-site-packages -p python2.7 venv
./venv/bin/pip install -r requirements.txt acme/ . letsencrypt-apache/ letsencrypt-nginx/

CentOS 6.7 with Centmin Mod stack and Python addons installed

---

Code:

python --version
Python 2.6.6

python2.7 --version
Python 2.7.10

python3.4 --version
Python 3.4.3

For centminmod.com LEMP stack Nginx server I setup for dedicated Letsencrypt testing, I need to remove existing nginx vhost account and re-setup via nginx vhost auto generator. I am using domain = le1.http2ssl.xyz for testing.

Code:

vhostname='le1.http2ssl.xyz'
rm -rf /usr/local/nginx/conf/conf.d/${vhostname}.conf
rm -rf /usr/local/nginx/conf/conf.d/${vhostname}.ssl.conf
rm -rf /usr/local/nginx/conf/ssl/${vhostname}/${vhostname}.crt
rm -rf /usr/local/nginx/conf/ssl/${vhostname}/${vhostname}.key
rm -rf /usr/local/nginx/conf/ssl/${vhostname}/${vhostname}.csr
rm -rf /usr/local/nginx/conf/ssl/${vhostname}
rm -rf /home/nginx/domains/${vhostname}
ngxrestart

for my own records i have several domains setup for testing so need to wipe those too

Code:

vhostname='le1.http2ssl.xyz le2.http2ssl.xyz le3.http2ssl.xyz le4.http2ssl.xyz le5.http2ssl.xyz le6.http2ssl.xyz le7.http2ssl.xyz le8.http2ssl.xyz le9.http2ssl.xyz'
for v in $vhostname; do
rm -rf /usr/local/nginx/conf/conf.d/${v}.conf
rm -rf /usr/local/nginx/conf/conf.d/${v}.ssl.conf
rm -rf /usr/local/nginx/conf/ssl/${v}/${v}.crt
rm -rf /usr/local/nginx/conf/ssl/${v}/${v}.key
rm -rf /usr/local/nginx/conf/ssl/${v}/${v}.csr
rm -rf /usr/local/nginx/conf/ssl/${v}
rm -rf /home/nginx/domains/${v}
done
ngxrestart

re-create the nginx vhost on centminmod.com LEMP stack via command line Nginx vhost generator with self-signed ssl certificate and nginx ssl vhost auto generated with pure-ftpd username myftpuser001

Code:

vhostname='le1.http2ssl.xyz'
nv -d ${vhostname} -s y -u myftpuser001

output from auto generated nginx vhost with both http and https self-signed ssl vhost config files auto created

Code:

vhostname='le1.http2ssl.xyz'
nv -d ${vhostname} -s y -u myftpuser001
---------------------------------------------------------------
Nginx Vhost Setup...
---------------------------------------------------------------


FTP password auto generated: cGv78H2NrKtoo

Password:
Enter it again:
---------------------------------------------------------------
SSL Vhost Setup...
---------------------------------------------------------------

---------------------------------------------------------------
Generating self signed SSL certificate...
CSR file can also be used to be submitted for paid SSL certificates
If using for paid SSL certificates be sure to keep both private key and CSR safe
creating CSR File: le1.http2ssl.xyz.csr
creating private key: le1.http2ssl.xyz.key
creating self-signed SSL certificate: le1.http2ssl.xyz.crt

Generating a 2048 bit RSA private key
...........................................................................+++
......+++
writing new private key to 'le1.http2ssl.xyz.key'
-----
No value provided for Subject Attribute C, skipped
No value provided for Subject Attribute ST, skipped
No value provided for Subject Attribute L, skipped
Signature ok
subject=/O=le1.http2ssl.xyz/OU=le1.http2ssl.xyz/CN=le1.http2ssl.xyz
Getting Private key

---------------------------------------------------------------
Generating backup CSR and private key for HTTP Public Key Pinning...
creating CSR File: le1.http2ssl.xyz-backup.csr
creating private key: le1.http2ssl.xyz-backup.key
Generating a 2048 bit RSA private key
........................................+++
...................................................................................+++
writing new private key to 'le1.http2ssl.xyz-backup.key'
-----
No value provided for Subject Attribute C, skipped
No value provided for Subject Attribute ST, skipped
No value provided for Subject Attribute L, skipped

---------------------------------------------------------------
Extracting Base64 encoded information for primary and secondary
private key's SPKI - Subject Public Key Information
Primary private key - le1.http2ssl.xyz.key
Backup private key - le1.http2ssl.xyz-backup.key
For HPKP - HTTP Public Key Pinning hash generation...

extracting SPKI Base64 encoded hash for primary private key = le1.http2ssl.xyz.key ...
writing RSA key
dACBPTdfAUd6dCTuvzrXItheLIJL8Orkwt8Nie2oyQo=

extracting SPKI Base64 encoded hash for backup private key = le1.http2ssl.xyz-backup.key ...
writing RSA key
bfk6RI4wMBBjArJpzsvupnhyxl1IBReE1bPa22DzkAQ=

HTTP Public Key Pinning Header for Nginx

for 7 days max-age including subdomains

add_header Public-Key-Pins 'pin-sha256="dACBPTdfAUd6dCTuvzrXItheLIJL8Orkwt8Nie2oyQo="; pin-sha256="bfk6RI4wMBBjArJpzsvupnhyxl1IBReE1bPa22DzkAQ="; max-age=86400; includeSubDomains';

for 7 days max-age excluding subdomains

add_header Public-Key-Pins 'pin-sha256="dACBPTdfAUd6dCTuvzrXItheLIJL8Orkwt8Nie2oyQo="; pin-sha256="bfk6RI4wMBBjArJpzsvupnhyxl1IBReE1bPa22DzkAQ="; max-age=86400';

---------------------------------------------------------------
Generating dhparam.pem file - can take a few minutes...
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
.....................+...+.............++*
dhparam file generation time: 112.624587817

-------------------------------------------------------------
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
Stopping nginx:                                            [  OK  ]
Starting nginx:                                            [  OK  ]
service pure-ftpd restart

-------------------------------------------------------------
FTP hostname : SERVERIP
FTP port : 21
FTP mode : FTP (explicit SSL)
FTP Passive (PASV) : ensure is checked/enabled
FTP username created for le1.http2ssl.xyz : myftpuser001
FTP password created for le1.http2ssl.xyz : cGv78H2NrKtoo
-------------------------------------------------------------
vhost for le1.http2ssl.xyz created successfully

domain: http://le1.http2ssl.xyz
vhost conf file for le1.http2ssl.xyz created: /usr/local/nginx/conf/conf.d/le1.http2ssl.xyz.conf

vhost ssl for le1.http2ssl.xyz created successfully

domain: https://le1.http2ssl.xyz
vhost ssl conf file for le1.http2ssl.xyz created: /usr/local/nginx/conf/conf.d/le1.http2ssl.xyz.ssl.conf
/usr/local/nginx/conf/ssl_include.conf created
Self-signed SSL Certificate: /usr/local/nginx/conf/ssl/le1.http2ssl.xyz/le1.http2ssl.xyz.crt
SSL Private Key: /usr/local/nginx/conf/ssl/le1.http2ssl.xyz/le1.http2ssl.xyz.key
SSL CSR File: /usr/local/nginx/conf/ssl/le1.http2ssl.xyz/le1.http2ssl.xyz.csr
Backup SSL Private Key: /usr/local/nginx/conf/ssl/le1.http2ssl.xyz/le1.http2ssl.xyz-backup.key
Backup SSL CSR File: /usr/local/nginx/conf/ssl/le1.http2ssl.xyz/le1.http2ssl.xyz-backup.csr

upload files to /home/nginx/domains/le1.http2ssl.xyz/public
vhost log files directory is /home/nginx/domains/le1.http2ssl.xyz/log

-------------------------------------------------------------
Current vhost listing at: /usr/local/nginx/conf/conf.d/

    
Aug 29  03:12   1.6K   virtual.conf
Aug 29  03:12   845    ssl.conf
Aug 29  03:12   1.1K   demodomain.com.conf
Aug 29  07:40   3.8K   http2ssl.xyz.ssl.conf
Aug 29  07:40   1.6K   http2ssl.xyz.conf
Oct 5   13:17   1.6K   le1.http2ssl.xyz.conf
Oct 5   13:17   3.9K   le1.http2ssl.xyz.ssl.conf

-------------------------------------------------------------
Current vhost ssl files listing at: /usr/local/nginx/conf/ssl/le1.http2ssl.xyz

    
Oct 5   13:15   1.7K   le1.http2ssl.xyz.key
Oct 5   13:15   972    le1.http2ssl.xyz.csr
Oct 5   13:15   1.2K   le1.http2ssl.xyz.crt
Oct 5   13:15   1.7K   le1.http2ssl.xyz-backup.key
Oct 5   13:15   972    le1.http2ssl.xyz-backup.csr
Oct 5   13:15   45     hpkp-info-secondary-pin.txt
Oct 5   13:15   45     hpkp-info-primary-pin.txt
Oct 5   13:17   424    dhparam.pem

-------------------------------------------------------------
Commands to remove le1.http2ssl.xyz

rm -rf /usr/local/nginx/conf/conf.d/le1.http2ssl.xyz.conf
rm -rf /usr/local/nginx/conf/conf.d/le1.http2ssl.xyz.ssl.conf
rm -rf /usr/local/nginx/conf/ssl/le1.http2ssl.xyz/le1.http2ssl.xyz.crt
rm -rf /usr/local/nginx/conf/ssl/le1.http2ssl.xyz/le1.http2ssl.xyz.key
rm -rf /usr/local/nginx/conf/ssl/le1.http2ssl.xyz/le1.http2ssl.xyz.csr
rm -rf /usr/local/nginx/conf/ssl/le1.http2ssl.xyz
rm -rf /home/nginx/domains/le1.http2ssl.xyz
service nginx restart
-------------------------------------------------------------

Specific notes for nginx vhosts are outputted

Code:

vhost for le1.http2ssl.xyz created successfully

domain: http://le1.http2ssl.xyz
vhost conf file for le1.http2ssl.xyz created: /usr/local/nginx/conf/conf.d/le1.http2ssl.xyz.conf

vhost ssl for le1.http2ssl.xyz created successfully

domain: https://le1.http2ssl.xyz
vhost ssl conf file for le1.http2ssl.xyz created: /usr/local/nginx/conf/conf.d/le1.http2ssl.xyz.ssl.conf
/usr/local/nginx/conf/ssl_include.conf created
Self-signed SSL Certificate: /usr/local/nginx/conf/ssl/le1.http2ssl.xyz/le1.http2ssl.xyz.crt
SSL Private Key: /usr/local/nginx/conf/ssl/le1.http2ssl.xyz/le1.http2ssl.xyz.key
SSL CSR File: /usr/local/nginx/conf/ssl/le1.http2ssl.xyz/le1.http2ssl.xyz.csr
Backup SSL Private Key: /usr/local/nginx/conf/ssl/le1.http2ssl.xyz/le1.http2ssl.xyz-backup.key
Backup SSL CSR File: /usr/local/nginx/conf/ssl/le1.http2ssl.xyz/le1.http2ssl.xyz-backup.csr

upload files to /home/nginx/domains/le1.http2ssl.xyz/public
vhost log files directory is /home/nginx/domains/le1.http2ssl.xyz/log

the resulting Nginx vhost config files and directories that are auto generated include the Nginx HTTP/2 SSL vhost configuration file setup. Also the letsencrypt required .well-known url with application/jose+json content type header is already taken care of as the header is added into an auto included nginx file.

Code:

location ~ /.well-known {
      location ~ /.well-known/acme-challenge/(.*) {
              more_set_headers    "Content-Type: application/jose+json";
      }
}

run the letsencrypt client in web root authentication mode passing the auto generated Centmin Mod Nginx vhost's web root path /home/nginx/domains/le1.http2ssl.xyz/public to the --web-root flag

Update: October 24th, path to letsencrypt binary has changed from /root/tools/letsencrypt/venv/bin/letsencrypt to /root/.local/share/letsencrypt/bin/letsencrypt and options have been removed for --agree-eula

Code:

vhostname='le1.http2ssl.xyz'
/root/.local/share/letsencrypt/bin/letsencrypt --renew-by-default -a webroot --webroot-path /home/nginx/domains/${vhostname}/public --email example@example.org --text --agree-tos --agree-dev-preview -d ${vhostname} auth

Look's like Python 2.6 is no longer supported by Letsencrypt client Python 2.6 support removed - Issuance Tech Questions - Let's Encrypt Community Support so if you run CentOS 6.x you will have problems as default Python 2.6.6 is installed whereas CentOS 7.x has Python 2.7.

Code:

/root/tools/letsencrypt/venv/lib/python2.6/site-packages/cryptography/__init__.py:25: DeprecationWarning: Python 2.6 is no longer supported by the Python core team, please upgrade your Python.
  DeprecationWarning
An unexpected error occurred.
TypeError: super() argument 1 must be type, not classobj
Please see the logfile 'letsencrypt.log' for more details.

You need to install Python 2.7 side by side on CentOS 6 so Centmin Mod LEMP stack has an addon to install Python 2.7 or Python 3.4 in addons/ folder of your Centmin Mod install directory.

Code:

ls -lah /usr/local/src/centminmod/addons/
total 112K
drwxr-xr-x  2 root root 4.0K Oct  5 12:54 .
drwxr-xr-x 14 root root 4.0K Oct  5 12:54 ..
-rwxr-xr-x  1 root root 3.8K Aug 30 13:59 avginstall.sh
-rwxr-xr-x  1 root root  12K Aug 30 13:59 customcurl.sh
-rwxr-xr-x  1 root root 8.3K Aug 30 13:59 geoip.sh
-rwxr-xr-x  1 root root 2.2K Aug 30 13:59 ioncube.sh
-rwxr-xr-x  1 root root 4.1K Aug 30 13:59 ius-repo.sh
-rwxr-xr-x  1 root root 5.4K Aug 30 13:59 linfo.sh
-rwxr-xr-x  1 root root 6.8K Aug 30 13:59 maldet.sh
-rwxr-xr-x  1 root root  11K Aug 30 13:59 mysqladmin_shell.sh
-rwxr-xr-x  1 root root 9.6K Oct  5 12:54 passenger.sh
-rwxr-xr-x  1 root root 5.0K Aug 30 13:59 python27_install.sh
-rwxr-xr-x  1 root root 4.6K Aug 30 13:59 python34_install.sh
-rwxr-xr-x  1 root root 4.2K Aug 30 13:59 wpcli.sh

So run python27_install.sh addon to install python 2.7 side by side with CentOS 6.x's Python 2.6 via IUS Community repo which is backed by Rackspace.com

Code:

yum list python27 python27-devel python27-pip python27-setuptools python27-tools python27-virtualenv --enablerepo=ius -q
Installed Packages
python27.x86_64                                                                                                               2.7.10-1.ius.centos6                                                                                                    @ius
python27-devel.x86_64                                                                                                         2.7.10-1.ius.centos6                                                                                                    @ius
python27-pip.noarch                                                                                                           7.1.0-1.ius.centos6                                                                                                     @ius
python27-setuptools.noarch                                                                                                    18.1-1.ius.centos6                                                                                                      @ius
python27-tools.x86_64                                                                                                         2.7.10-1.ius.centos6                                                                                                    @ius
python27-virtualenv.noarch                                                                                                    13.1.0-1.ius.centos6                                                                                                    @ius
Available Packages
python27-pip.noarch                                                                                                           7.1.2-1.ius.centos6                                                                                                     ius
python27-setuptools.noarch                                                                                                    18.3.1-1.ius.centos6                                                                                                    ius
python27-virtualenv.noarch                                                                                                    13.1.2-1.ius.centos6                                                                                                    ius

Then wipe Letsencrypt install and install again this time with Python virtual environment setup for Python 2.7

For CentOS 6.x after install Python 2.7, run (note sed replacement to switch to python2.7 instead of python 2 due to letsencrypt-auto doesn't work with Python 2.6 · Issue #1046 · letsencrypt/letsencrypt · GitHub

Code:

mkdir -p /root/tools
cd /root/tools
rm -rf /root/tools/letsencrypt
rm -rf /etc/letsencrypt
rm -rf /var/lib/letsencrypt
rm -rf /root/.local/share
git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
sed -i "s|--python python2|--python python2.7|" letsencrypt-auto
./letsencrypt-auto --verbose

Run Letsencrypt web root authentication again and now works with Python 2.7

Code:

vhostname='le1.http2ssl.xyz'
/root/.local/share/letsencrypt/bin/letsencrypt --renew-by-default -a webroot --webroot-path /home/nginx/domains/${vhostname}/public --email example@example.org  --verbose --text --agree-tos --agree-dev-preview -d ${vhostname} auth

IMPORTANT NOTES:
- If you lose your account credentials, you can recover through
   e-mails sent to example@example.org.
- Congratulations! Your certificate has been saved at
   /etc/letsencrypt/live/le1.http2ssl.xyz/cert.pem.
- Your account credentials have been saved in your Let's Encrypt
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Let's
   Encrypt so making regular backups of this folder is ideal.
- Automatic renewal and deployment has been enabled for your
   certificate. These settings can be configured in the directories
   under /etc/letsencrypt/renewal.

Yay free SSL certificate obtained.

Code:

ls -lahR /etc/letsencrypt/live/
/etc/letsencrypt/live/:
total 12K
drwx------ 3 root root 4.0K Oct  5 13:37 .
drwxr-xr-x 8 root root 4.0K Oct  5 13:37 ..
drwxr-xr-x 2 root root 4.0K Oct  5 13:37 le1.http2ssl.xyz

/etc/letsencrypt/live/le1.http2ssl.xyz:
total 8.0K
drwxr-xr-x 2 root root 4.0K Oct  5 13:37 .
drwx------ 3 root root 4.0K Oct  5 13:37 ..
lrwxrwxrwx 1 root root   40 Oct  5 13:37 cert.pem -> ../../archive/le1.http2ssl.xyz/cert1.pem
lrwxrwxrwx 1 root root   41 Oct  5 13:37 chain.pem -> ../../archive/le1.http2ssl.xyz/chain1.pem
lrwxrwxrwx 1 root root   45 Oct  5 13:37 fullchain.pem -> ../../archive/le1.http2ssl.xyz/fullchain1.pem
lrwxrwxrwx 1 root root   43 Oct  5 13:37 privkey.pem -> ../../archive/le1.http2ssl.xyz/privkey1.pem

Backup /etc/letsencrypt

Code:

cp -a /etc/letsencrypt /etc/letsencrypt-bak

Now to put Letsencrypt SSL certificate into Centmin Mod Nginx's auto generated SSL vhost. Using sed replacement for the default auto generated self-signed SSL certificate paths with Letsencrypt's obtained SSL certificates. Once web root authentication plugin is officially merged into master code, I'll automate this step too as part of Centmin Mod Nginx vhost setup routine

Code:

vhostname='le1.http2ssl.xyz'
sed -i "s|\/usr\/local\/nginx\/conf\/ssl\/${vhostname}\/${vhostname}.crt|\/etc\/letsencrypt\/live\/${vhostname}\/fullchain.pem|" /usr/local/nginx/conf/conf.d/${vhostname}.ssl.conf
sed -i "s|\/usr\/local\/nginx\/conf\/ssl\/${vhostname}\/${vhostname}.key|\/etc\/letsencrypt\/live\/${vhostname}\/privkey.pem|" /usr/local/nginx/conf/conf.d/${vhostname}.ssl.conf

End result for the SSL vhost at /usr/local/nginx/conf/conf.d/le1.http2ssl.xyz.ssl.conf partial contents now looks like

Code:

server {
  listen 443 ssl http2;
  server_name le1.http2ssl.xyz www.le1.http2ssl.xyz;

  ssl_dhparam /usr/local/nginx/conf/ssl/le1.http2ssl.xyz/dhparam.pem;
  ssl_certificate      /etc/letsencrypt/live/le1.http2ssl.xyz/fullchain.pem;
  ssl_certificate_key  /etc/letsencrypt/live/le1.http2ssl.xyz/privkey.pem;
  include /usr/local/nginx/conf/ssl_include.conf;

  # mozilla recommended
  ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!CAMELLIA;
  ssl_prefer_server_ciphers   on;

Then restart Nginx server

Code:

ngxrestart

Test new https site over HTTP/1.1

Code:

curl -Ik https://le1.http2ssl.xyz
HTTP/1.1 200 OK
Date: Mon, 05 Oct 2015 13:44:09 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 1372
Last-Modified: Mon, 05 Oct 2015 13:14:56 GMT
Connection: keep-alive
ETag: "561277d0-55c"
Server: nginx centminmod
Expires: Tue, 06 Oct 2015 13:44:09 GMT
Cache-Control: max-age=86400
Cache-Control: public, must-revalidate, proxy-revalidate
Accept-Ranges: bytes

Test new https site over HTTP/2 officially supported in Nginx and enabled out of box with Centmin Mod LEMP stack

Code:

curl --http2 -Ik https://le1.http2ssl.xyz
HTTP/2.0 200
date:Mon, 05 Oct 2015 13:47:55 GMT
content-type:text/html; charset=utf-8
content-length:1372
last-modified:Mon, 05 Oct 2015 13:14:56 GMT
etag:"561277d0-55c"
server:nginx centminmod
expires:Tue, 06 Oct 2015 13:47:55 GMT
cache-control:max-age=86400
cache-control:public, must-revalidate, proxy-revalidate
accept-ranges:bytes

 

Good news on 2 fronts

1. Letsencrypt is re-introducing Python 2.6 and 3.3 support instead of Python 2.7 only Python 2.6 and 3.3+ support by kuba · Pull Request #957 · letsencrypt/letsencrypt · GitHub This will be merged into their code at GA release time not before though. So for beta testing and pre-GA testing still need Python 2.7 to play with Letsencrypt

2. Letsencrypt web root authentication plugin outlined above is closer to merge into official code i think SimpleFS plugin (fixes #742) by kuba · Pull Request #757 · letsencrypt/letsencrypt · GitHub - fingers crossed

 

FYI Letsencrypt web root authentication plugin outlined above has been officially merged into master code now --webroot-root -> --webroot-path · letsencrypt/letsencrypt@63c080b · GitHub

at plugins/webroot.py letsencrypt/letsencrypt/plugins at master · letsencrypt/letsencrypt · GitHub

 

Letsencrypt is now official cross-signed too Let's Encrypt is Trusted

 

Updated Letsencrypt install instructions and webroot authentication method

For CentOS 7.x run

Code:

mkdir -p /root/tools
cd /root/tools
rm -rf /root/tools/letsencrypt
rm -rf /etc/letsencrypt
rm -rf /var/lib/letsencrypt
rm -rf /root/.local/share
git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
./letsencrypt-auto --verbose

For CentOS 6.x after install Python 2.7, run (note sed replacement to switch to python2.7 instead of python 2 due to letsencrypt-auto doesn't work with Python 2.6 · Issue #1046 · letsencrypt/letsencrypt · GitHub

Code:

mkdir -p /root/tools
cd /root/tools
rm -rf /root/tools/letsencrypt
rm -rf /etc/letsencrypt
rm -rf /var/lib/letsencrypt
rm -rf /root/.local/share
git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
sed -i "s|--python python2|--python python2.7|" letsencrypt-auto
./letsencrypt-auto --verbose

creating nginx vhost for le1.http2ssl.xyz

Code:

vhostname='le1.http2ssl.xyz'
nv -d ${vhostname} -s y -u MYFTPUSERNAME

obtaining Letsencrypt free SSL domain validated certificate for le1.http2ssl.xyz

verbose mode with --verbose

Code:

vhostname='le1.http2ssl.xyz'
/root/.local/share/letsencrypt/bin/letsencrypt --renew-by-default -a webroot --webroot-path /home/nginx/domains/${vhostname}/public --email example@example.org --verbose --text --agree-tos --agree-dev-preview -d ${vhostname} auth

without --verbose

Code:

vhostname='le1.http2ssl.xyz'
/root/.local/share/letsencrypt/bin/letsencrypt --renew-by-default -a webroot --webroot-path /home/nginx/domains/${vhostname}/public --email example@example.org --text --agree-tos --agree-dev-preview -d ${vhostname} auth

replace nginx SSL vhost's self signed SSL certificate that was auto generated with Letsencrypt's obtained SSL certificate and restart Nginx server

Code:

vhostname='le1.http2ssl.xyz'
sed -i "s|\/usr\/local\/nginx\/conf\/ssl\/${vhostname}\/${vhostname}.crt|\/etc\/letsencrypt\/live\/${vhostname}\/fullchain.pem|" /usr/local/nginx/conf/conf.d/${vhostname}.ssl.conf
sed -i "s|\/usr\/local\/nginx\/conf\/ssl\/${vhostname}\/${vhostname}.key|\/etc\/letsencrypt\/live\/${vhostname}\/privkey.pem|" /usr/local/nginx/conf/conf.d/${vhostname}.ssl.conf
ngxrestart

Code:

curl -Ik https://le1.http2ssl.xyz
HTTP/1.1 200 OK
Date: Sat, 24 Oct 2015 03:57:00 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 1372
Last-Modified: Sat, 24 Oct 2015 03:22:41 GMT
Connection: keep-alive
ETag: "562af981-55c"
Server: nginx centminmod
Expires: Sun, 25 Oct 2015 03:57:00 GMT
Cache-Control: max-age=86400
Cache-Control: public, must-revalidate, proxy-revalidate
Accept-Ranges: bytes

 

Shell script to setup multiple Centmin Mod Nginx SSL vhost domains and obtain multiple Letsencrypt free SSL certificates via web root authentication method

Code:

    #!/bin/bash
    vhostname='le1.http2ssl.xyz le2.http2ssl.xyz le3.http2ssl.xyz'
    COUNT=0
    for v in $vhostname; do
     COUNT=$((COUNT+1))
     nv -d ${vhostname} -s y -u MYFTPUSERNAME${COUNT}
     /root/.local/share/letsencrypt/bin/letsencrypt --renew-by-default -a webroot --webroot-path /home/nginx/domains/${vhostname}/public --email example@example.org --text --agree-tos --agree-dev-preview -d ${vhostname} auth
    done

 

My definition of what Letsencrypt Webroot Authentication is:

See examples of webroot authentication plugin at Using the webroot domain verification method - Server Configuration - Let's Encrypt Community Support and SSL - Letsencrypt Free SSL certificates with web root authentication method

official definition

It was born out of the simplefs plugin SimpleFS plugin (fixes #742) by kuba · Pull Request #757 · letsencrypt/letsencrypt · GitHub which was later renamed to webroot authentication. In laymen terms, webroot authentication is an alternate way to obtain letsencrypt ssl certificates and pass the SimpleHTTP challenge by following these steps

1. create a HTTPS base site before hand using self signed ssl certificate on apache or nginx - this site will have a public web root. This site domain also needs valid working DNS pointing to the server IP
2. run letsencrypt webroot authentication method and pass your email address AND that site's public web root path to the command you run - this will perform automatically the the .well-known uri creation on the defined web root validating the domain you want the ssl certificate for

 

Yay got my Letsencrypt beta invite approval email so the domains I requested have been whitelisted for full web browser trusted SSL certificates

Below are steps I used for Centmin Mod LEMP Nginx server + how I setup Letsencrypt Client for beta testing with fully web browser trusted Letsencrypt SSL certificate.

First clear the previous code and install fresh the Letsencrypt client on CentOS 6.x, I need to separately install Python 2.7 and then sed replace python2 with python2.7 in letsencrypt-auto

Code:

mkdir -p /root/tools
cd /root/tools
rm -rf /root/tools/letsencrypt
rm -rf /etc/letsencrypt
rm -rf /var/lib/letsencrypt
rm -rf /root/.local/share
git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
sed -i "s|--python python2|--python python2.7|" letsencrypt-auto
./letsencrypt-auto --agree-dev-preview --server https://acme-v01.api.letsencrypt.org/directory

Then setup Centmin Mod Nginx vhost for le1.http2ssl.xyz domain which is one of the Letsencrypt whitelisted domains. This will auto generate the self signed SSL nginx vhost before hand making it easy to use Letsencrypt webroot authentication method to obtain the Letsencrypt browser trusted SSL certificate

Code:

vhostname='le1.http2ssl.xyz'
nv -d ${vhostname} -s y -u MYFTPUSERNAME

Now run Letsencrypt webroot authentication method to obtain the Letsencrypt browser trusted SSL certificate, changing example@example.org to your own email address and being sure to pass the -a webroot --webroot-path /home/nginx/domains/${vhostname}/public variables for Nginx vhost's web root.

Code:

vhostname='le1.http2ssl.xyz'
/root/.local/share/letsencrypt/bin/letsencrypt --server https://acme-v01.api.letsencrypt.org/directory --renew-by-default -a webroot --webroot-path /home/nginx/domains/${vhostname}/public --email example@example.org --text --agree-tos --agree-dev-preview -d ${vhostname} auth

Once Letsencrypt webroot authentication is completed, you will get the following message including the path to your Letsencrypt SSL certificate at /etc/letsencrypt/live/le1.http2ssl.xyz/fullchain.pem

Code:

IMPORTANT NOTES:
- If you lose your account credentials, you can recover through
   e-mails sent to example@example.org.
- Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/le1.http2ssl.xyz/fullchain.pem. Your cert
   will expire on 2016-01-25. To obtain a new version of the
   certificate in the future, simply run Let's Encrypt again.
- Your account credentials have been saved in your Let's Encrypt
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Let's
   Encrypt so making regular backups of this folder is ideal.

replace nginx SSL vhost's (/usr/local/nginx/conf/conf.d/${vhostname}.ssl.conf) self signed SSL certificate that was auto generated with Letsencrypt's obtained SSL certificate and restart Nginx server

Code:

vhostname='le1.http2ssl.xyz'
sed -i "s|\/usr\/local\/nginx\/conf\/ssl\/${vhostname}\/${vhostname}.crt|\/etc\/letsencrypt\/live\/${vhostname}\/fullchain.pem|" /usr/local/nginx/conf/conf.d/${vhostname}.ssl.conf
sed -i "s|\/usr\/local\/nginx\/conf\/ssl\/${vhostname}\/${vhostname}.key|\/etc\/letsencrypt\/live\/${vhostname}\/privkey.pem|" /usr/local/nginx/conf/conf.d/${vhostname}.ssl.conf
ngxrestart

as this is a fully trusted SSL certificate, a few more sed replacements needed to enable ssl_stapling, ssl_stapling_verify and ssl_trusted_certificate settings in nginx SSL vhost /usr/local/nginx/conf/conf.d/${vhostname}.ssl.conf

Code:

sed -i "s|#resolver |resolver |" /usr/local/nginx/conf/conf.d/${vhostname}.ssl.conf
sed -i "s|#resolver_timeout|resolver_timeout|" /usr/local/nginx/conf/conf.d/${vhostname}.ssl.conf
sed -i "s|#ssl_stapling on|ssl_stapling on|" /usr/local/nginx/conf/conf.d/${vhostname}.ssl.conf
sed -i "s|#ssl_stapling_verify|ssl_stapling_verify|" /usr/local/nginx/conf/conf.d/${vhostname}.ssl.conf
sed -i "s|#ssl_trusted_certificate|ssl_trusted_certificate|" /usr/local/nginx/conf/conf.d/${vhostname}.ssl.conf
sed -i "s|\/usr\/local\/nginx\/conf\/ssl\/${vhostname}\/${vhostname}-trusted.crt|\/etc\/letsencrypt\/live\/${vhostname}\/fullchain.pem|" /usr/local/nginx/conf/conf.d/${vhostname}.ssl.conf
nprestart

so changes in nginx SSL vhost /usr/local/nginx/conf/conf.d/${vhostname}.ssl.conf from

Code:

  #resolver 8.8.8.8 8.8.4.4 valid=10m;
  #resolver_timeout 10s;
  #ssl_stapling on;
  #ssl_stapling_verify on;
  #ssl_trusted_certificate /usr/local/nginx/conf/ssl/le1.http2ssl.xyz/le1.http2ssl.xyz-trusted.crt; 

to

Code:

  resolver 8.8.8.8 8.8.4.4 valid=10m;
  resolver_timeout 10s;
  ssl_stapling on;
  ssl_stapling_verify on;
  ssl_trusted_certificate /etc/letsencrypt/live/le1.http2ssl.xyz/fullchain.pem;

Letsencrypt main /etc/letsencrypt folder structure

Code:

 ls -lAhrt /etc/letsencrypt
total 24K
drwx------ 3 root root 4.0K Oct 27 17:17 accounts
drwx------ 2 root root 4.0K Oct 27 17:17 keys
drwxr-xr-x 2 root root 4.0K Oct 27 17:17 csr
drwxr-xr-x 2 root root 4.0K Oct 27 17:17 renewal
drwx------ 3 root root 4.0K Oct 27 17:17 live
drwx------ 3 root root 4.0K Oct 27 17:17 archive

Actual files and SSL certificate

Code:

ls -lAhrt /etc/letsencrypt/live/le1.http2ssl.xyz/
total 0
lrwxrwxrwx 1 root root 43 Oct 27 17:17 privkey.pem -> ../../archive/le1.http2ssl.xyz/privkey1.pem
lrwxrwxrwx 1 root root 45 Oct 27 17:17 fullchain.pem -> ../../archive/le1.http2ssl.xyz/fullchain1.pem
lrwxrwxrwx 1 root root 41 Oct 27 17:17 chain.pem -> ../../archive/le1.http2ssl.xyz/chain1.pem
lrwxrwxrwx 1 root root 40 Oct 27 17:17 cert.pem -> ../../archive/le1.http2ssl.xyz/cert1.pem

relevant parts of nginx SSL vhost /usr/local/nginx/conf/conf.d/${vhostname}.ssl.conf

Code:

server {
  listen 443 ssl http2;
  server_name le1.http2ssl.xyz www.le1.http2ssl.xyz;

  ssl_dhparam /usr/local/nginx/conf/ssl/le1.http2ssl.xyz/dhparam.pem;
  ssl_certificate      /etc/letsencrypt/live/le1.http2ssl.xyz/fullchain.pem;
  ssl_certificate_key  /etc/letsencrypt/live/le1.http2ssl.xyz/privkey.pem;
  include /usr/local/nginx/conf/ssl_include.conf;

  # mozilla recommended
  ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!CAMELLIA;
  ssl_prefer_server_ciphers   on;
  #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
  #add_header  X-Content-Type-Options "nosniff";
  #add_header X-Frame-Options DENY;
  ssl_buffer_size 1400;
  ssl_session_tickets on;

  # enable ocsp stapling
  resolver 8.8.8.8 8.8.4.4 valid=10m;
  resolver_timeout 10s;
  ssl_stapling on;
  ssl_stapling_verify on;
  ssl_trusted_certificate /etc/letsencrypt/live/le1.http2ssl.xyz/fullchain.pem;

SSLLabs first test. Not A+ as I have HSTS disabled as I test on both http and https usually.







Using https://ssltools.geotrust.com/checker/views/certCheck.jsp to check certificate chain order




Nginx 1.9.6 HTTP/2 enabled web server compiled against LibreSSL 2.2.4

 

Multi Domain SAN SSL with Letsencrypt Webroot Authentication

Using Letsencrypt webroot authentication plugin client to setup a multi domain SAN based SSL certificate for le8.http2ssl.xyz and le9.http2ssl.xyz on Centminmod.com LEMP web stack's Nginx server. Method was first outlined here and as Centmin Mod stack already has a default_server listen vhost for main virtual.conf, it was easy to setup. Some minor improvements suggested at multi domain SAN SSL symlink directories ? · Issue #1260 · letsencrypt/letsencrypt · GitHub

Step 1. Make sure DNS A records for le8.http2ssl.xyz and le9.http2ssl.xyz point to the same server IP

Step 2. Auto generate the nginx http and https vhosts for le8.http2ssl.xyz and le9.http2ssl.xyz

Code:

nv -d le8.http2ssl.xyz -s y -u le8ahewf

Code:

nv -d le9.http2ssl.xyz -s y -u le9shxkf

Step 3. Create a /etc/letsencrypt/sancli.ini config file User Guide — Let's Encrypt 0.1.0.dev0 documentation used only for SAN based SSL certificates for webroot authentication. Make sure to edit the email address to your email you want to register with Letsencrypt. Then decide if you're using staging server https://acme-staging.api.letsencrypt.org/directory or the beta/live server https://acme-v01.api.letsencrypt.org/directory.

contents of sancli.ini

Code:

# This is sancli.ini for centminmod.com LEMP stack to support webroot authentication
# with multi domain SAN SSL certificates where webroot-path defaults to /usr/local/nginx/html
# which already has a main vhost setup at /usr/local/nginx/conf/conf.d/virtual.conf with
# default_server listen directive enabled and the virtual.conf include
# /usr/local/nginx/conf/staticfiles.conf already supports LE .well-known uri files

# Use a 4096 bit RSA key instead of 2048
rsa-key-size = 2048

# Always use the staging/testing server
# server = https://acme-staging.api.letsencrypt.org/directory
# for beta invitees
server = https://acme-v01.api.letsencrypt.org/directory

# Uncomment and update to register with the specified e-mail address
email = foo@example.com

# Uncomment to use a text interface instead of ncurses
text = True
agree-tos = True
agree-dev-preview = True
renew-by-default = True

# Uncomment to use the webroot authenticator. Replace webroot-path with the
# path to the public_html / webroot folder being served by your web server.
authenticator = webroot
webroot-path = /usr/local/nginx/html

Step 4. Run Letsencrypt webroot authentication plugin client to obtain a multi domain SAN based SSL certificate for le8.http2ssl.xyz and le9.http2ssl.xyz

temporarily rename the http vhost files for the 2 domains so that the domains when doing simpleHttp challenge response the web root used goes the virtual.conf set default_server

Code:

mv /usr/local/nginx/conf/conf.d/le8.http2ssl.xyz.conf /usr/local/nginx/conf/conf.d/le8.http2ssl.xyz.conf.disable
mv /usr/local/nginx/conf/conf.d/le9.http2ssl.xyz.conf /usr/local/nginx/conf/conf.d/le9.http2ssl.xyz.conf.disable
nprestart

Then run webroot authentication passing the config file sancli.ini created in step 3

Code:

/root/.local/share/letsencrypt/bin/letsencrypt -c sancli.ini -d le8.http2ssl.xyz -d le9.http2ssl.xyz auth

Output if successful

Code:

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/le8.http2ssl.xyz/fullchain.pem. Your cert
   will expire on 2016-01-29. To obtain a new version of the
   certificate in the future, simply run Let's Encrypt again.

Step 5. Replace step 2 generated self signed SSL certificates with Letsencrypt obtained multi domain SAN SSL certificate and rename back the vhost conf files done in step 4

Code:

mv /usr/local/nginx/conf/conf.d/le8.http2ssl.xyz.conf.disable /usr/local/nginx/conf/conf.d/le8.http2ssl.xyz.conf
mv /usr/local/nginx/conf/conf.d/le9.http2ssl.xyz.conf.disable /usr/local/nginx/conf/conf.d/le9.http2ssl.xyz.conf

Code:

vhostname='le8.http2ssl.xyz'
sed -i "s|\/usr\/local\/nginx\/conf\/ssl\/${vhostname}\/${vhostname}.crt|\/etc\/letsencrypt\/live\/${vhostname}\/fullchain.pem|" /usr/local/nginx/conf/conf.d/${vhostname}.ssl.conf
sed -i "s|\/usr\/local\/nginx\/conf\/ssl\/${vhostname}\/${vhostname}.key|\/etc\/letsencrypt\/live\/${vhostname}\/privkey.pem|" /usr/local/nginx/conf/conf.d/${vhostname}.ssl.conf
sed -i "s|#resolver |resolver |" /usr/local/nginx/conf/conf.d/${vhostname}.ssl.conf
sed -i "s|#resolver_timeout|resolver_timeout|" /usr/local/nginx/conf/conf.d/${vhostname}.ssl.conf
sed -i "s|#ssl_stapling on|ssl_stapling on|" /usr/local/nginx/conf/conf.d/${vhostname}.ssl.conf
sed -i "s|#ssl_stapling_verify|ssl_stapling_verify|" /usr/local/nginx/conf/conf.d/${vhostname}.ssl.conf
sed -i "s|#ssl_trusted_certificate|ssl_trusted_certificate|" /usr/local/nginx/conf/conf.d/${vhostname}.ssl.conf
sed -i "s|\/usr\/local\/nginx\/conf\/ssl\/${vhostname}\/${vhostname}-trusted.crt|\/etc\/letsencrypt\/live\/${vhostname}\/fullchain.pem|" /usr/local/nginx/conf/conf.d/${vhostname}.ssl.conf

Code:

vhostname='le9.http2ssl.xyz'
sed -i "s|\/usr\/local\/nginx\/conf\/ssl\/${vhostname}\/${vhostname}.crt|\/etc\/letsencrypt\/live\/${vhostname}\/fullchain.pem|" /usr/local/nginx/conf/conf.d/${vhostname}.ssl.conf
sed -i "s|\/usr\/local\/nginx\/conf\/ssl\/${vhostname}\/${vhostname}.key|\/etc\/letsencrypt\/live\/${vhostname}\/privkey.pem|" /usr/local/nginx/conf/conf.d/${vhostname}.ssl.conf
sed -i "s|#resolver |resolver |" /usr/local/nginx/conf/conf.d/${vhostname}.ssl.conf
sed -i "s|#resolver_timeout|resolver_timeout|" /usr/local/nginx/conf/conf.d/${vhostname}.ssl.conf
sed -i "s|#ssl_stapling on|ssl_stapling on|" /usr/local/nginx/conf/conf.d/${vhostname}.ssl.conf
sed -i "s|#ssl_stapling_verify|ssl_stapling_verify|" /usr/local/nginx/conf/conf.d/${vhostname}.ssl.conf
sed -i "s|#ssl_trusted_certificate|ssl_trusted_certificate|" /usr/local/nginx/conf/conf.d/${vhostname}.ssl.conf
sed -i "s|\/usr\/local\/nginx\/conf\/ssl\/${vhostname}\/${vhostname}-trusted.crt|\/etc\/letsencrypt\/live\/${vhostname}\/fullchain.pem|" /usr/local/nginx/conf/conf.d/${vhostname}.ssl.conf

for 2nd and subsequent vhosts in multi domain SAN, the path to the SSL certificate is actually the same as your very first domain setup so for le9.http2ssl.xyz it's not path at /etc/letsencrypt/live/le9.http2ssl.xyz but at /etc/letsencrypt/live/le8.http2ssl.xyz. So need one more sed replacement for /usr/local/nginx/conf/conf.d/le9.http2ssl.xyz.ssl.conf

Code:

vhostname='le9.http2ssl.xyz'
sed -i "s|\/etc\/letsencrypt\/live\/le9.http2ssl.xyz|\/etc\/letsencrypt\/live\/le8.http2ssl.xyz|g" /usr/local/nginx/conf/conf.d/${vhostname}.ssl.conf
nprestart

End result is multi domain SAN based SSL certificate from Letsencrypt






Live directory

Code:

ls -lAhrt /etc/letsencrypt/live/le8.http2ssl.xyz/
total 0
lrwxrwxrwx 1 root root 43 Oct 31 14:43 privkey.pem -> ../../archive/le8.http2ssl.xyz/privkey1.pem
lrwxrwxrwx 1 root root 45 Oct 31 14:43 fullchain.pem -> ../../archive/le8.http2ssl.xyz/fullchain1.pem
lrwxrwxrwx 1 root root 41 Oct 31 14:43 chain.pem -> ../../archive/le8.http2ssl.xyz/chain1.pem
lrwxrwxrwx 1 root root 40 Oct 31 14:43 cert.pem -> ../../archive/le8.http2ssl.xyz/cert1.pem

 

FYI, in last 24hrs there's been major changes to how Letsencrypt validates domains in terms of the expected content-type response that is returned.

The changes outlined at

• Using the webroot domain verification method - Server Configuration - Let's Encrypt Community Support
• Using the webroot domain verification method - Server Configuration - Let's Encrypt Community Support

This will require an update on Centmin Mod code side to support the changes as well once I figure it all out. So whenever, the code is updated on Centmin Mod end, you'd need to update Centmin Mod first.

To update your Centmin Mod builds follow instructions at centminmod.com/upgrade.html and respective version threads below:

• Centmin Mod 1.2.3-eva2000.08 stable install & update thread
• Centmin Mod 123.09beta thread

 

For now it seems jose+json content-type still works

Code:

cd /root/tools
rm -rf /root/tools/letsencrypt
git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
sed -i "s|--python python2|--python python2.7|" letsencrypt-auto
./letsencrypt-auto --agree-dev-preview --server https://acme-v01.api.letsencrypt.org/directory

check letsencrypt binary timestamp

Code:

ls -lah /root/.local/share/letsencrypt/bin/letsencrypt
-rwxr-xr-x 1 root root 245 Nov  5 00:37 /root/.local/share/letsencrypt/bin/letsencrypt

Setup new nginx vhost le2.http2ssl.xyz with pure-ftpd user and ssl enabled

Code:

nv -d le2.http2ssl.xyz -s y -u le2aahsg66

partial output

Code:

vhost for le2.http2ssl.xyz created successfully

domain: http://le2.http2ssl.xyz
vhost conf file for le2.http2ssl.xyz created: /usr/local/nginx/conf/conf.d/le2.http2ssl.xyz.conf

vhost ssl for le2.http2ssl.xyz created successfully

domain: https://le2.http2ssl.xyz
vhost ssl conf file for le2.http2ssl.xyz created: /usr/local/nginx/conf/conf.d/le2.http2ssl.xyz.ssl.conf
/usr/local/nginx/conf/ssl_include.conf created
Self-signed SSL Certificate: /usr/local/nginx/conf/ssl/le2.http2ssl.xyz/le2.http2ssl.xyz.crt
SSL Private Key: /usr/local/nginx/conf/ssl/le2.http2ssl.xyz/le2.http2ssl.xyz.key
SSL CSR File: /usr/local/nginx/conf/ssl/le2.http2ssl.xyz/le2.http2ssl.xyz.csr
Backup SSL Private Key: /usr/local/nginx/conf/ssl/le2.http2ssl.xyz/le2.http2ssl.xyz-backup.key
Backup SSL CSR File: /usr/local/nginx/conf/ssl/le2.http2ssl.xyz/le2.http2ssl.xyz-backup.csr

upload files to /home/nginx/domains/le2.http2ssl.xyz/public
vhost log files directory is /home/nginx/domains/le2.http2ssl.xyz/log

run letsencrypt webroot authentication no need to pass --email again it's only first time needed Clarify the --email flag requirements? - Issuance Tech Questions - Let's Encrypt Community Support

Code:

vhostname='le2.http2ssl.xyz'
/root/.local/share/letsencrypt/bin/letsencrypt --server https://acme-v01.api.letsencrypt.org/directory --renew-by-default -a webroot --webroot-path /home/nginx/domains/${vhostname}/public --text --agree-tos --agree-dev-preview -d ${vhostname} auth

output

Code:

/root/.local/share/letsencrypt/bin/letsencrypt --server https://acme-v01.api.letsencrypt.org/directory --renew-by-default -a webroot --webroot-path /home/nginx/domains/${vhostname}/public --text --agree-tos --agree-dev-preview -d ${vhostname} auth

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/le2.http2ssl.xyz/fullchain.pem. Your cert
   will expire on 2016-02-02. To obtain a new version of the
   certificate in the future, simply run Let's Encrypt again.

sed replacements for replacing auto generated self signed ssl certificate with Letsencrypt obtained one

Code:

vhostname='le2.http2ssl.xyz'
sed -i "s|\/usr\/local\/nginx\/conf\/ssl\/${vhostname}\/${vhostname}.crt|\/etc\/letsencrypt\/live\/${vhostname}\/fullchain.pem|" /usr/local/nginx/conf/conf.d/${vhostname}.ssl.conf
sed -i "s|\/usr\/local\/nginx\/conf\/ssl\/${vhostname}\/${vhostname}.key|\/etc\/letsencrypt\/live\/${vhostname}\/privkey.pem|" /usr/local/nginx/conf/conf.d/${vhostname}.ssl.conf
sed -i "s|#resolver |resolver |" /usr/local/nginx/conf/conf.d/${vhostname}.ssl.conf
sed -i "s|#resolver_timeout|resolver_timeout|" /usr/local/nginx/conf/conf.d/${vhostname}.ssl.conf
sed -i "s|#ssl_stapling on|ssl_stapling on|" /usr/local/nginx/conf/conf.d/${vhostname}.ssl.conf
sed -i "s|#ssl_stapling_verify|ssl_stapling_verify|" /usr/local/nginx/conf/conf.d/${vhostname}.ssl.conf
sed -i "s|#ssl_trusted_certificate|ssl_trusted_certificate|" /usr/local/nginx/conf/conf.d/${vhostname}.ssl.conf
sed -i "s|\/usr\/local\/nginx\/conf\/ssl\/${vhostname}\/${vhostname}-trusted.crt|\/etc\/letsencrypt\/live\/${vhostname}\/fullchain.pem|" /usr/local/nginx/conf/conf.d/${vhostname}.ssl.conf
nprestart

obtained Letsencrypt SSL certificate

Code:

ls -lAhrt /etc/letsencrypt/live/le2.http2ssl.xyz/
total 0
lrwxrwxrwx 1 root root 43 Nov  5 00:41 privkey.pem -> ../../archive/le2.http2ssl.xyz/privkey1.pem
lrwxrwxrwx 1 root root 45 Nov  5 00:41 fullchain.pem -> ../../archive/le2.http2ssl.xyz/fullchain1.pem
lrwxrwxrwx 1 root root 41 Nov  5 00:41 chain.pem -> ../../archive/le2.http2ssl.xyz/chain1.pem
lrwxrwxrwx 1 root root 40 Nov  5 00:41 cert.pem -> ../../archive/le2.http2ssl.xyz/cert1.pem

relevant parts of nginx SSL vhost /usr/local/nginx/conf/conf.d/${vhostname}.ssl.conf

Code:

server {
  listen 443 ssl http2;
  server_name le2.http2ssl.xyz www.le2.http2ssl.xyz;

  ssl_dhparam /usr/local/nginx/conf/ssl/le2.http2ssl.xyz/dhparam.pem;
  ssl_certificate      /etc/letsencrypt/live/le2.http2ssl.xyz/fullchain.pem;
  ssl_certificate_key  /etc/letsencrypt/live/le2.http2ssl.xyz/privkey.pem;
  include /usr/local/nginx/conf/ssl_include.conf;

  # mozilla recommended
  ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!CAMELLIA:!DES-CBC3-SHA;
  ssl_prefer_server_ciphers   on;
  #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
  #add_header  X-Content-Type-Options "nosniff";
  #add_header X-Frame-Options DENY;
  ssl_buffer_size 1400;
  ssl_session_tickets on;
  # enable ocsp stapling
  resolver 8.8.8.8 8.8.4.4 valid=10m;
  resolver_timeout 10s;
  ssl_stapling on;
  ssl_stapling_verify on;
  ssl_trusted_certificate /etc/letsencrypt/live/le2.http2ssl.xyz/fullchain.pem;

However, I've updated both Centmin Mod 123.08stable and 123.09beta01 builds for latest Letsencrypt supported content-type outlined at SSL - Letsencrypt Free SSL certificates with web root authentication method | Centmin Mod Community

To update your Centmin Mod builds follow instructions at centminmod.com/upgrade.html and respective version threads below:

• Centmin Mod 1.2.3-eva2000.08 stable install & update thread
• Centmin Mod 123.09beta thread

Once updated, run centmin.sh once to allow auto syncing of the changes to your existing server configuration.

 

Oooh Letsencrypt has stats up Let's Encrypt Stats

 

Centmin Mod 123.09beta01le Letsencrypt Integration Tests

Setup a separate 123.09beta01le branch of Centmin Mod where I am testing and integrating Letsencrypt client into centmin.sh menu option 2 first for adding the initial Nginx vhost domain.

This is an example which includes prompt for updating intended domain's DNS A record before continuing so that Letsencrypt domain validation can proceed.

Code:

--------------------------------------------------------
Centmin Mod 1.2.3-eva2000.09 - http://centminmod.com
--------------------------------------------------------
                   Centmin Mod Menu                 
--------------------------------------------------------
1).  Centmin Install
2).  Add Nginx vhost domain
3).  NSD setup domain name DNS
4).  Nginx Upgrade / Downgrade
5).  PHP Upgrade / Downgrade
6).  XCache Re-install
7).  APC Cache Re-install
8).  XCache Install
9).  APC Cache Install
10). Memcached Server Re-install
11). MariaDB 5.2/5.5 & 10.x Upgrade Sub-Menu
12). Zend OpCache Install/Re-install
13). Install ioping.sh vbtechsupport.com/1239/
14). SELinux disable
15). Install/Reinstall ImagicK PHP Extension
16). Change SSHD Port Number
17). Multi-thread compression: pigz,pbzip2,lbzip2...
18). Suhosin PHP Extension install
19). Install FFMPEG and FFMPEG PHP Extension
20). NSD Re-install
21). Update - Nginx + PHP-FPM + Siege
22). Add Wordpress Nginx vhost + WP Super Cache
23). Update Centmin Mod Code Base
24). Exit
--------------------------------------------------------
Enter option [ 1 - 24 ] 2
--------------------------------------------------------

Using dummy domain = domain1.com for new Nginx vhost for testing so there will be no valid DNS A record. Letsencrypt SSL relies on self-signed SSL setup prior, so answered yes when prompted. If you answer yes to Letsencrypt SSL, it will auto set self signed SSL certificate vhost routine to yes too anyway.

This is example of aborting Nginx vhost setup at prompt, allowing end user time to update their intended domain's DNS A record first

Code:

---------------------------------------------
Enter vhost domain name to add (without www. prefix): domain1.com

Create a self-signed SSL certificate Nginx vhost? [y/n]: y

To get Letsencrypt SSL certificate, you must already have updated intended
domain vhost name's DNS A record to this server's IP addresss otherwise
Letsencrypt domain name validation will fail.

current DNS A record IP address for domain1.com is:

Abort this Nginx vhost domain setup to setup proper DNS A record first? [y/n]: y

 

Centmin Mod 123.09beta01le Letsencrypt Test Part 2

This example is of Letsencrypt webroot authentication proceeding instead of aborting. The 1st time you run, you need to specify a valid email address to register a Letsencrypt account. This email address is auto populated in a created /etc/letsencrypt/webroot.ini config file Centmin Mod auto creates and used on Centmin Mod automation end only.

Letsencrypt client itself records this email address itself on ACME server remote end + locally according to Clarify purpose of --email · Issue #1310 · letsencrypt/letsencrypt · GitHub at

Code:

/etc/letsencrypt/accounts/<server_url>/directory/<hash>/regr.json

However, currently there is no way to update or change the registered email address that Letsencrypt account records initially see Clarify the --email flag requirements? - Issuance Tech Questions - Let's Encrypt Community Support and Allow contact information updates · Issue #30 · ietf-wg-acme/acme · GitHub Which could be problematic if end users want to update their email addresses and where Letsencrypt email notifications and auto renewal notifications are sent to ! So you better make sure the email address you use has a solid email service and uptime. It's why for Centmin Mod LEMP stacks I highly recommend more reliable 3rd party @yourdomain email providers instead of trying to host your email on the same server.

Unfortunately, Letsencrypt client won't be getting updated to support email registration changes at GA public release time Clarify the --email flag requirements? - Issuance Tech Questions - Let's Encrypt Community Support

The below example is of a failed registration, as I gave a dummy email address for testing.

Code:

--------------------------------------------------------
Centmin Mod 1.2.3-eva2000.09 - http://centminmod.com
--------------------------------------------------------
                   Centmin Mod Menu
--------------------------------------------------------
1).  Centmin Install
2).  Add Nginx vhost domain
3).  NSD setup domain name DNS
4).  Nginx Upgrade / Downgrade
5).  PHP Upgrade / Downgrade
6).  XCache Re-install
7).  APC Cache Re-install
8).  XCache Install
9).  APC Cache Install
10). Memcached Server Re-install
11). MariaDB 5.2/5.5 & 10.x Upgrade Sub-Menu
12). Zend OpCache Install/Re-install
13). Install ioping.sh vbtechsupport.com/1239/
14). SELinux disable
15). Install/Reinstall ImagicK PHP Extension
16). Change SSHD Port Number
17). Multi-thread compression: pigz,pbzip2,lbzip2...
18). Suhosin PHP Extension install
19). Install FFMPEG and FFMPEG PHP Extension
20). NSD Re-install
21). Update - Nginx + PHP-FPM + Siege
22). Add Wordpress Nginx vhost + WP Super Cache
23). Update Centmin Mod Code Base
24). Exit
--------------------------------------------------------
Enter option [ 1 - 24 ] 2
--------------------------------------------------------

Code:

---------------------------------------------
Enter vhost domain name to add (without www. prefix): domain1.com

Create a self-signed SSL certificate Nginx vhost? [y/n]: y

To get Letsencrypt SSL certificate, you must already have updated intended
domain vhost name's DNS A record to this server's IP addresss otherwise
Letsencrypt domain name validation will fail.

current DNS A record IP address for domain1.com is:

Abort this Nginx vhost domain setup to setup proper DNS A record first? [y/n]: n
Obtain Letsencrypt Free SSL certificate (90 day expiry / renew every 60 days) ? [y/n]: y

Create FTP username for vhost domain (enter username): d1ftp1
Auto generate FTP password (recommended) [y/n]: y

FTP username you entered: ************************
FTP password auto generated: ************************

Password:
Enter it again:

Code:

---------------------------------------------------------------
SSL Vhost Setup...
---------------------------------------------------------------

---------------------------------------------------------------
Generating self signed SSL certificate...
CSR file can also be used to be submitted for paid SSL certificates
If using for paid SSL certificates be sure to keep both private key and CSR safe
creating CSR File: domain1.com.csr
creating private key: domain1.com.key
creating self-signed SSL certificate: domain1.com.crt
Generating a 2048 bit RSA private key
...........................+++
....................................................................................................................................................+++
writing new private key to 'domain1.com.key'
-----
Signature ok
subject=/C=US/ST=California/L=Los Angeles/O=domain1.com/OU=domain1.com/CN=domain1.com
Getting Private key

---------------------------------------------------------------
Generating backup CSR and private key for HTTP Public Key Pinning...
creating CSR File: domain1.com-backup.csr
creating private key: domain1.com-backup.key
Generating a 2048 bit RSA private key
............................................................................................+++
.......................+++
writing new private key to 'domain1.com-backup.key'
-----

---------------------------------------------------------------
Extracting Base64 encoded information for primary and secondary
private key's SPKI - Subject Public Key Information
Primary private key - domain1.com.key
Backup private key - domain1.com-backup.key
For HPKP - HTTP Public Key Pinning hash generation...

extracting SPKI Base64 encoded hash for primary private key = domain1.com.key ...
writing RSA key
DLpC3MuHsp6vc364h2lDCt754dmVVP6OJ4VIyJD4wj0=

extracting SPKI Base64 encoded hash for backup private key = domain1.com-backup.key ...
writing RSA key
sOZ5Xoqf9dF/x8PBGmTyAjL0sZ3nOMbakQqSMMo5nhs=

HTTP Public Key Pinning Header for Nginx

for 7 days max-age including subdomains

add_header Public-Key-Pins 'pin-sha256="DLpC3MuHsp6vc364h2lDCt754dmVVP6OJ4VIyJD4wj0="; pin-sha256="sOZ5Xoqf9dF/x8PBGmTyAjL0sZ3nOMbakQqSMMo5nhs="; max-age=86400; includeSubDomains';

for 7 days max-age excluding subdomains

add_header Public-Key-Pins 'pin-sha256="DLpC3MuHsp6vc364h2lDCt754dmVVP6OJ4VIyJD4wj0="; pin-sha256="sOZ5Xoqf9dF/x8PBGmTyAjL0sZ3nOMbakQqSMMo5nhs="; max-age=86400';

---------------------------------------------------------------
Generating dhparam.pem file - can take a few minutes...
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
........................................................................................................+...................+...................................................................................................+.............................................................................................+...+.........+............................................................................................................................................................................................................................................................................+..........................................................................................................................................+.................................+.......................+..................................+..............+...+..........................................................+.....................................+..............................................+.......................................................................................................................+...................................+.......................................................................................................+.......................................+.....................................................................................................................................+.............................................+...............................................................+....................................................................................................+.............................+............................................................................................................+...........................................................................+....................................................................+.....................................................+..................+.....+..............................................................................................................................................................+....................................................+...+........................................+..................+.......+................................................................................................................................+.........................................................................................................................+...........+...............................................................................................................++*++*
dhparam file generation time: 25.214688545

-------------------------------------------------------------
service nginx reload
Reloading nginx configuration (via systemctl):  [  OK  ]
systemctl restart pure-ftpd.service

Actual first time install for Letsencrypt client itself - for testing purposes, the client is updated everytime it's run right now due to so many changes being made to the code during beta stage testing. If CentOS 6.x is detected it auto runs the Centmin Mod addon at /usr/local/src/centminmod/addons/python27_install.sh to install Python 2.7 at /usr/bin/python2.7, otherwise if CentOS 7.x detected it just runs.

Code:

installing or updating letsencrypt client

Cloning into 'letsencrypt'...
Bootstrapping dependencies for RedHat-based OSes...
yum is /usr/bin/yum
Loaded plugins: fastestmirror, priorities
Loading mirror speeds from cached hostfile
* base: mirror.optus.net
* epel: fedora.mirror.serversaustralia.com.au
* extras: mirror.optus.net
* rpmforge: mirror.ventraip.net.au
* updates: mirror.optus.net
187 packages excluded due to repository priority protections
Package git-1.8.3.1-4.el7.x86_64 already installed and latest version
Package python-2.7.5-18.el7_1.1.x86_64 already installed and latest version
Package gcc-4.8.3-9.el7.x86_64 already installed and latest version
Package 1:openssl-devel-1.0.1e-42.el7.9.x86_64 already installed and latest version
Package ca-certificates-2015.2.4-70.0.el7_1.noarch already installed and latest version
Resolving Dependencies
--> Running transaction check
---> Package augeas-libs.x86_64 0:1.1.0-17.el7 will be installed
---> Package dialog.x86_64 0:1.2-4.20130523.el7 will be installed
---> Package libffi-devel.x86_64 0:3.0.13-11.el7 will be installed
---> Package python-devel.x86_64 0:2.7.5-18.el7_1.1 will be installed
---> Package python-virtualenv.noarch 0:1.10.1-2.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
Package                Arch        Version                  Repository    Size
================================================================================
Installing:
augeas-libs            x86_64      1.1.0-17.el7             base         332 k
dialog                 x86_64      1.2-4.20130523.el7       base         208 k
libffi-devel           x86_64      3.0.13-11.el7            base          22 k
python-devel           x86_64      2.7.5-18.el7_1.1         updates      389 k
python-virtualenv      noarch      1.10.1-2.el7             base         1.2 M

Transaction Summary
================================================================================
Install  5 Packages

Total download size: 2.2 M
Installed size: 4.1 M
Downloading packages:
--------------------------------------------------------------------------------
Total                                              2.0 MB/s | 2.2 MB  00:01
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : python-devel-2.7.5-18.el7_1.1.x86_64                         1/5
  Installing : python-virtualenv-1.10.1-2.el7.noarch                        2/5
  Installing : augeas-libs-1.1.0-17.el7.x86_64                              3/5
  Installing : dialog-1.2-4.20130523.el7.x86_64                             4/5
  Installing : libffi-devel-3.0.13-11.el7.x86_64                            5/5
  Verifying  : libffi-devel-3.0.13-11.el7.x86_64                            1/5
  Verifying  : dialog-1.2-4.20130523.el7.x86_64                             2/5
  Verifying  : python-devel-2.7.5-18.el7_1.1.x86_64                         3/5
  Verifying  : augeas-libs-1.1.0-17.el7.x86_64                              4/5
  Verifying  : python-virtualenv-1.10.1-2.el7.noarch                        5/5

Installed:
  augeas-libs.x86_64 0:1.1.0-17.el7                         
  dialog.x86_64 0:1.2-4.20130523.el7                        
  libffi-devel.x86_64 0:3.0.13-11.el7                       
  python-devel.x86_64 0:2.7.5-18.el7_1.1                    
  python-virtualenv.noarch 0:1.10.1-2.el7                   

Complete!
Creating virtual environment...
Updating letsencrypt and virtual environment dependencies.....Collecting ConfigArgParse from git+https://github.com/kuba/ConfigArgParse.git@python2.6-0.9.3#egg=ConfigArgParse (from -r py26reqs.txt (line 1))
  Cloning https://github.com/kuba/ConfigArgParse.git (to python2.6-0.9.3) to /tmp/pip-build-9JMUjC/ConfigArgParse
Installing collected packages: ConfigArgParse
  Running setup.py install for ConfigArgParse
Successfully installed ConfigArgParse-0.9.3
/root/.local/share/letsencrypt/lib/python2.7/site-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:90: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
  InsecurePlatformWarning
./root/.local/share/letsencrypt/lib/python2.7/site-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:90: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
  InsecurePlatformWarning
.
Running with virtualenv: /root/.local/share/letsencrypt/bin/letsencrypt --agree-dev-preview --server https://acme-staging.api.letsencrypt.org/directory
No installers are available on your OS yet; try running "letsencrypt-auto certonly" to get a cert you can install manually

Letsencrypt webroot authentication failed as the email address registered was invalid. As such the original self-signed SSL certificates created are left in place. I added an error detection routine, so that only when Letsencrypt webroot authentication succeeds, will the Letsencrypt obtained SSL certificates replace the ones contained in the https SSL nginx vhost at /usr/local/nginx/conf/conf.d/domain1.com.ssl.conf

Code:

setup general /etc/letsencrypt/webroot.ini letsencrypt config file

Registering an account with Letsencrypt
You only do this once, so that Letsencrypt can notify &
contact you via email regarding your SSL certificates
Enter your email address to setup Letsencrypt account: myemail@mydomainxzy.com


obtaining Letsencrypt SSL certificate via webroot authentication...

An unexpected error occurred.
Error: malformed :: The request message was malformed :: Error creating new registration :: No MX record for domain mydomainxzy.com
Please see the logfiles in /var/log/letsencrypt for more details.

-------------------------------------------------------------
FTP hostname : IPADDRESS
FTP port : 21
FTP mode : FTP (explicit SSL)
FTP Passive (PASV) : ensure is checked/enabled
FTP username created for domain1.com : **************
FTP password created for domain1.com : ***************************
-------------------------------------------------------------

Code:

vhost for domain1.com created successfully

domain: http://domain1.com
vhost conf file for domain1.com created: /usr/local/nginx/conf/conf.d/domain1.com.conf

vhost ssl for domain1.com created successfully

domain: https://domain1.com
vhost ssl conf file for domain1.com created: /usr/local/nginx/conf/conf.d/domain1.com.ssl.conf
/usr/local/nginx/conf/ssl_include.conf created
Self-signed SSL Certificate: /usr/local/nginx/conf/ssl/domain1.com/domain1.com.crt
SSL Private Key: /usr/local/nginx/conf/ssl/domain1.com/domain1.com.key
SSL CSR File: /usr/local/nginx/conf/ssl/domain1.com/domain1.com.csr
Backup SSL Private Key: /usr/local/nginx/conf/ssl/domain1.com/domain1.com-backup.key
Backup SSL CSR File: /usr/local/nginx/conf/ssl/domain1.com/domain1.com-backup.csr

upload files to /home/nginx/domains/domain1.com/public
vhost log files directory is /home/nginx/domains/domain1.com/log

-------------------------------------------------------------
Current vhost listing at: /usr/local/nginx/conf/conf.d/

   
Nov 5   19:33   1.1K   demodomain.com.conf
Nov 5   19:33   845    ssl.conf
Nov 6   05:40   1.6K   virtual.conf
Nov 7   03:41   1.6K   domain1.com.conf
Nov 7   03:41   3.9K   domain1.com.ssl.conf

-------------------------------------------------------------
Current vhost ssl files listing at: /usr/local/nginx/conf/ssl/domain1.com

   
Nov 7   03:41   1.7K   domain1.com.key
Nov 7   03:41   1.1K   domain1.com.csr
Nov 7   03:41   1.3K   domain1.com.crt
Nov 7   03:41   1.7K   domain1.com-backup.key
Nov 7   03:41   1.1K   domain1.com-backup.csr
Nov 7   03:41   45     hpkp-info-primary-pin.txt
Nov 7   03:41   45     hpkp-info-secondary-pin.txt
Nov 7   03:41   424    dhparam.pem

-------------------------------------------------------------
Commands to remove domain1.com

rm -rf /usr/local/nginx/conf/conf.d/domain1.com.conf
rm -rf /usr/local/nginx/conf/conf.d/domain1.com.ssl.conf
rm -rf /usr/local/nginx/conf/ssl/domain1.com/domain1.com.crt
rm -rf /usr/local/nginx/conf/ssl/domain1.com/domain1.com.key
rm -rf /usr/local/nginx/conf/ssl/domain1.com/domain1.com.csr
rm -rf /usr/local/nginx/conf/ssl/domain1.com
rm -rf /home/nginx/domains/domain1.com
service nginx restart
-------------------------------------------------------------

Contents of /etc/letsencrypt/webroot.ini

Code:

# webroot.ini general config ini

rsa-key-size = 2048

# Always use the staging/testing server
server = https://acme-staging.api.letsencrypt.org/directory

# for beta invitees
# server = https://acme-v01.api.letsencrypt.org/directory

# Uncomment and update to register with the specified e-mail address
email = myemail@mydomainxzy.com

# Uncomment to use a text interface instead of ncurses
text = True
agree-tos = True
agree-dev-preview = True
renew-by-default = True

authenticator = webroot

No locally saved json email address at /etc/letsencrypt/accounts/<server_url>/directory/<hash>/regr.json as the dummy email address failed to register.

Code:

ls -lah /etc/letsencrypt/accounts/acme-staging.api.letsencrypt.org/directory/
total 0
drwx------ 2 root root  6 Nov  7 03:43 .
drwx------ 3 root root 22 Nov  7 03:43 ..

Email Address MX record check

Seems Letsencrypt client also checks if email address domain has MX records attached to them, so I updated Centmin Mod routine to check for it when you enter an email address so it fails earlier so you can correct it.

Now when you enter an email address and do not have an MX record on domain or if you have empty email address you will get an error and prompt to re-enter a valid email address

Code:

setup general /etc/letsencrypt/webroot.ini letsencrypt config file

Registering an account with Letsencrypt
You only do this once, so that Letsencrypt can notify &
contact you via email regarding your SSL certificates
Enter your email address to setup Letsencrypt account: myemail@mydomainxzy.com

You are registering myemail@mydomainxzy.com address for Letsencrypt

!! Error: myemail@mydomainxzy.com does not have a DNS MX record !!

Re-Enter your email address to setup Letsencrypt account:

!! Error: email address is empty

!! Error: email address is empty

Re-Enter your email address to setup Letsencrypt account:

If you enter a valid email address it will proceed with Letsencrypt account registration and you will get Notes notifying that your email address and Letsencrypt account has been setup and saved to /etc/letsencrypt.

Code:

Re-Enter your email address to setup Letsencrypt account: valid@validemailaddy.com

You are registering valid@validemailaddy.com address for Letsencrypt

obtaining Letsencrypt SSL certificate via webroot authentication...

An unexpected error occurred.
Error: serverInternal :: The server experienced an internal error :: Error creating new authz
Please see the logfiles in /var/log/letsencrypt for more details.
IMPORTANT NOTES:
- If you lose your account credentials, you can recover through
   e-mails sent to valid@validemailaddy.com.
- Your account credentials have been saved in your Let's Encrypt
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Let's
   Encrypt so making regular backups of this folder is ideal.

However, error still exists for domain1.com as obviously domain1.com dummy domain has invalid DNS A record so failed Letsencrypt's domain validation when running webroot authentication.

Code:

An unexpected error occurred.
Error: serverInternal :: The server experienced an internal error :: Error creating new authz

Contents of /etc/letsencrypt/webroot.ini

Code:

# webroot.ini general config ini

rsa-key-size = 2048

# Always use the staging/testing server
server = https://acme-staging.api.letsencrypt.org/directory

# for beta invitees
# server = https://acme-v01.api.letsencrypt.org/directory

# Uncomment and update to register with the specified e-mail address
email = valid@validemailaddy.com

# Uncomment to use a text interface instead of ncurses
text = True
agree-tos = True
agree-dev-preview = True
renew-by-default = True

authenticator = webroot

Confirming email address for Letsencrypt account registration is setup in /etc/letsencrypt/accounts/<server_url>/directory/<hash>/regr.json

Code:

ls -lah /etc/letsencrypt/accounts/acme-staging.api.letsencrypt.org/directory/db6d74bb15afc01abdf5ea8338f5fdaf/
total 12K
drwx------ 2 root root   61 Nov  7 06:11 .
drwx------ 3 root root   45 Nov  7 06:11 ..
-rw-r--r-- 1 root root   79 Nov  7 06:11 meta.json
-r-------- 1 root root 1.6K Nov  7 06:11 private_key.json
-rw-r--r-- 1 root root  760 Nov  7 06:11 regr.json

Code:

grep -Ro 'valid@validemailaddy.com' /etc/letsencrypt/accounts/acme-staging.api.letsencrypt.org/directory/db6d74bb15afc01abdf5ea8338f5fdaf/regr.json
valid@validemailaddy.com

Further DNS record checks

Added more DNS record checks and top level domain checks, so that Letsencrypt client can cover top level domain's www version under a single multi-domain SAN SSL certificate i.e. SSL to cover domain.com and www.domain.com.

Code:

--------------------------------------------------------
Centmin Mod 1.2.3-eva2000.09 - http://centminmod.com
--------------------------------------------------------
                   Centmin Mod Menu            
--------------------------------------------------------
1).  Centmin Install
2).  Add Nginx vhost domain
3).  NSD setup domain name DNS
4).  Nginx Upgrade / Downgrade
5).  PHP Upgrade / Downgrade
6).  XCache Re-install
7).  APC Cache Re-install
8).  XCache Install
9).  APC Cache Install
10). Memcached Server Re-install
11). MariaDB 5.2/5.5 & 10.x Upgrade Sub-Menu
12). Zend OpCache Install/Re-install
13). Install ioping.sh vbtechsupport.com/1239/
14). SELinux disable
15). Install/Reinstall ImagicK PHP Extension
16). Change SSHD Port Number
17). Multi-thread compression: pigz,pbzip2,lbzip2...
18). Suhosin PHP Extension install
19). Install FFMPEG and FFMPEG PHP Extension
20). NSD Re-install
21). Update - Nginx + PHP-FPM + Siege
22). Add Wordpress Nginx vhost + WP Super Cache
23). Update Centmin Mod Code Base
24). Exit
--------------------------------------------------------
Enter option [ 1 - 24 ] 2
--------------------------------------------------------

As domain1.com is invalid DNS wise, it gives an error earlier on before it got to Letsencrypt client running stage. Gives you an opportunity to abort nginx vhost domain setup, so you can correct or update the domain's DNS settings.

Code:

Enter vhost domain name to add (without www. prefix): domain1.com

Create a self-signed SSL certificate Nginx vhost? [y/n]: y

To get Letsencrypt SSL certificate, you must already have updated intended
domain vhost name's DNS A record to this server's IP addresss.
If top level domain, DNS A record is needed also for www. version of domain
otherwise, Letsencrypt domain name validation will fail.


!! Error: domain1.com DNS records not found or setup properly yet or domain1.com invalid

Abort this Nginx vhost domain setup to setup proper DNS A record(s) first? [y/n]: y

If using a valid top level domain i.e. http2ssl.xyz

Code:

Enter vhost domain name to add (without www. prefix): http2ssl.xyz

Create a self-signed SSL certificate Nginx vhost? [y/n]: y

To get Letsencrypt SSL certificate, you must already have updated intended
domain vhost name's DNS A record to this server's IP addresss.
If top level domain, DNS A record is needed also for www. version of domain
otherwise, Letsencrypt domain name validation will fail.


http2ssl.xyz is a top level domain
current DNS A record IP address for http2ssl.xyz is: 23.92.216.163
current DNS A record IP address for www.http2ssl.xyz is: 23.92.216.163

Abort this Nginx vhost domain setup to setup proper DNS A record(s) first? [y/n]: 

If continuing on the setup with valid top level domain http2ssl.xyz

Code:

Enter vhost domain name to add (without www. prefix): http2ssl.xyz

Create a self-signed SSL certificate Nginx vhost? [y/n]: y

To get Letsencrypt SSL certificate, you must already have updated intended
domain vhost name's DNS A record to this server's IP addresss.
If top level domain, DNS A record is needed also for www. version of domain
otherwise, Letsencrypt domain name validation will fail.


http2ssl.xyz is a top level domain
current DNS A record IP address for http2ssl.xyz is: 23.92.216.163
current DNS A record IP address for www.http2ssl.xyz is: 23.92.216.163

Abort this Nginx vhost domain setup to setup proper DNS A record(s) first? [y/n]: n
Obtain Letsencrypt Free SSL certificate (90 day expiry / renew every 60 days) ? [y/n]: y

Create FTP username for vhost domain (enter username): *****************
Auto generate FTP password (recommended) [y/n]: y

FTP username you entered: **********************
FTP password auto generated: **********************

Code:

---------------------------------------------------------------
SSL Vhost Setup...
---------------------------------------------------------------

---------------------------------------------------------------
Generating self signed SSL certificate...
CSR file can also be used to be submitted for paid SSL certificates
If using for paid SSL certificates be sure to keep both private key and CSR safe
creating CSR File: http2ssl.xyz.csr
creating private key: http2ssl.xyz.key
creating self-signed SSL certificate: http2ssl.xyz.crt
Generating a 2048 bit RSA private key
.......+++
.............+++
writing new private key to 'http2ssl.xyz.key'
-----
Signature ok
subject=/C=US/ST=California/L=Los Angeles/O=http2ssl.xyz/OU=http2ssl.xyz/CN=http2ssl.xyz
Getting Private key

Code:

installing or updating letsencrypt client

setup general /etc/letsencrypt/webroot.ini letsencrypt config file

Registering an account with Letsencrypt
You only do this once, so that Letsencrypt can notify &
contact you via email regarding your SSL certificates
Enter your email address to setup Letsencrypt account: valid@validemailaddy.com

You are registering valid@validemailaddy.com address for Letsencrypt

obtaining Letsencrypt SSL certificate via webroot authentication...

/root/.local/share/letsencrypt/bin/letsencrypt -c /etc/letsencrypt/webroot.ini --webroot-path /home/nginx/domains/http2ssl.xyz/public -d http2ssl.xyz -d www.http2ssl.xyz auth
Failed authorization procedure. http2ssl.xyz (http-01): unauthorized :: The client lacks sufficient authorization :: Invalid response from http://http2ssl.xyz/.well-known/acme-challenge/xfoy_qPd-oOTcRfs4xNltTA42xyZHzitksIIM0_wYLg [23.92.216.163]: 404, www.http2ssl.xyz (http-01): unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.http2ssl.xyz/.well-known/acme-challenge/q4bx3Ub3Y_NImehn8-0wuLILGFWA1RE3eKTM-6JFxBg [23.92.216.163]: 404
IMPORTANT NOTES:
- If you lose your account credentials, you can recover through
   e-mails sent to valid@validemailaddy.com.
- The following 'unauthorized' errors were reported by the server:

   Domains: http2ssl.xyz, www.http2ssl.xyz
   Error: The client lacks sufficient authorization

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address.
- Your account credentials have been saved in your Let's Encrypt
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Let's
   Encrypt so making regular backups of this folder is ideal.

Notice above error in Letsencrypt webroot authentication it didn't validate the domain via http-01 verification method as http2ssl.xyz A record IP pointed to a server other than the existing server's IP address. The domain's DNS A record and for top level domains the www DNS A record must point to the IP of the server you're running on.

Code:

/root/.local/share/letsencrypt/bin/letsencrypt -c /etc/letsencrypt/webroot.ini --webroot-path /home/nginx/domains/http2ssl.xyz/public -d http2ssl.xyz -d www.http2ssl.xyz auth

Failed authorization procedure. http2ssl.xyz (http-01): unauthorized ::
The client lacks sufficient authorization :: Invalid response from http://http2ssl.xyz/.well-known/acme-challenge/xfoy_qPd-oOTcRfs4xNltTA42xyZHzitksIIM0_wYLg [23.92.216.163]: 404,
www.http2ssl.xyz (http-01): unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.http2ssl.xyz/.well-known/acme-challenge/q4bx3Ub3Y_NImehn8-0wuLILGFWA1RE3eKTM-6JFxBg [23.92.216.163]: 404

 

Letsencrypt enters public beta December 3, 2015

 

Letsencrypt Webroot Authentication Plugin Integration - Live Run

Update: added official site page at http://centminmod.com/letsencrypt-freessl.html

The first test of beta invited whitelisted domain le10.http2ssl.xyz Nginx vhost creation routine with Letsencrypt free domain validated SSL certificate on Centmin Mod 123.09beta01le experimental branch which was forked from official 123.09beta01 branch. The latest code includes passing the --user-agent flag to Letsencrypt client for identification.

This is full run from start to finish via centmin.sh menu option 2 which is the only place currently were Letsencrypt client integration has been added (once menu option routine for LE is working fully, will add routines to /usr/bin/nv command line method of Nginx vhost auto generation ). The end result will be Nginx vhosts auto generated for both http and https sides of the web site with Letsencrypt domain validated SSL certificate in place on https side.

• vhost conf file for le10.http2ssl.xyz created: /usr/local/nginx/conf/conf.d/le10.http2ssl.xyz.conf
• vhost ssl conf file for le10.http2ssl.xyz created: /usr/local/nginx/conf/conf.d/le10.http2ssl.xyz.ssl.conf

Invoking centmin.sh menu option 2 to add new nginx vhost le10.http2ssl.xyz

Code:

--------------------------------------------------------
Centmin Mod 1.2.3-eva2000.09 - http://centminmod.com
--------------------------------------------------------
                   Centmin Mod Menu  
--------------------------------------------------------
1).  Centmin Install
2).  Add Nginx vhost domain
3).  NSD setup domain name DNS
4).  Nginx Upgrade / Downgrade
5).  PHP Upgrade / Downgrade
6).  XCache Re-install
7).  APC Cache Re-install
8).  XCache Install
9).  APC Cache Install
10). Memcached Server Re-install
11). MariaDB 5.2/5.5 & 10.x Upgrade Sub-Menu
12). Zend OpCache Install/Re-install
13). Install ioping.sh vbtechsupport.com/1239/
14). SELinux disable
15). Install/Reinstall ImagicK PHP Extension
16). Change SSHD Port Number
17). Multi-thread compression: pigz,pbzip2,lbzip2...
18). Suhosin PHP Extension install
19). Install FFMPEG and FFMPEG PHP Extension
20). NSD Re-install
21). Update - Nginx + PHP-FPM + Siege
22). Add Wordpress Nginx vhost + WP Super Cache
23). Update Centmin Mod Code Base
24). Exit
--------------------------------------------------------
Enter option [ 1 - 24 ] 2
--------------------------------------------------------

Prompt for creation of nginx vhost le10.http2ssl.xyz. Selecting yes to self-signed SSL certificate and then Letsencrypt SSL certificate. There's checks for valid DNS for domain and if first time running also MX DNS checks for valid email address to register a Letsencrypt account (one time only task).

Code:

Enter vhost domain name to add (without www. prefix): le10.http2ssl.xyz

Create a self-signed SSL certificate Nginx vhost? [y/n]: y

To get Letsencrypt SSL certificate, you must already have updated intended
domain vhost name's DNS A record to this server's IP addresss.
If top level domain, DNS A record is needed also for www. version of domain
otherwise, Letsencrypt domain name validation will fail.


le10.http2ssl.xyz is not a top level domain
your server IP address: 104.152.214.220
current DNS A record IP address for le10.http2ssl.xyz is: 104.152.214.220

Abort this Nginx vhost domain setup to setup proper DNS A record(s) first? [y/n]: n
Obtain Letsencrypt Free SSL certificate (90 day expiry / renew every 60 days) ? [y/n]: y

Create FTP username for vhost domain (enter username): *********************
Auto generate FTP password (recommended) [y/n]: y

FTP username you entered: *********************
FTP password auto generated: *********************

SSL nginx vhost setup stage - 1st part is for self-signed SSL certificate generation and dhparam file generation.

Code:

---------------------------------------------------------------
SSL Vhost Setup...
---------------------------------------------------------------

---------------------------------------------------------------
Generating self signed SSL certificate...
CSR file can also be used to be submitted for paid SSL certificates
If using for paid SSL certificates be sure to keep both private key and CSR safe
creating CSR File: le10.http2ssl.xyz.csr
creating private key: le10.http2ssl.xyz.key
creating self-signed SSL certificate: le10.http2ssl.xyz.crt
Generating a 2048 bit RSA private key
.................................................+++
......+++
writing new private key to 'le10.http2ssl.xyz.key'
-----
Signature ok
subject=/C=US/ST=California/L=Los Angeles/O=le10.http2ssl.xyz/OU=le10.http2ssl.xyz/CN=le10.http2ssl.xyz
Getting Private key

---------------------------------------------------------------
Generating backup CSR and private key for HTTP Public Key Pinning...
creating CSR File: le10.http2ssl.xyz-backup.csr
creating private key: le10.http2ssl.xyz-backup.key
Generating a 2048 bit RSA private key
..........................+++
................................................+++
writing new private key to 'le10.http2ssl.xyz-backup.key'
-----
---------------------------------------------------------------
Generating dhparam.pem file - can take a few minutes...
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
..............++*++*
dhparam file generation time: 79.957781154

-------------------------------------------------------------

Installing Letsencrypt client via git clone. Right now each run of centmin.sh menu option 2 will also update letsencrypt client to ensure during the beta and public beta that latest client code is used always.

Actual Letsencrypt webroot command is below where --user-agent centminmod-centos6-webroot is dynamically determined based on CentOS version.

Code:

/root/.local/share/letsencrypt/bin/letsencrypt -c /etc/letsencrypt/webroot.ini --user-agent centminmod-centos6-webroot --webroot-path /home/nginx/domains/le10.http2ssl.xyz/public -d le10.http2ssl.xyz auth

Code:

installing or updating letsencrypt client

Initialized empty Git repository in /root/tools/letsencrypt/.git/
Updating letsencrypt and virtual environment dependencies.......
Running with virtualenv: /root/.local/share/letsencrypt/bin/letsencrypt --agree-dev-preview --server https://acme-staging.api.letsencrypt.org/directory
Version: 1.1-20080819
Version: 1.1-20080819
No installers are available on your OS yet; try running "letsencrypt-auto certonly" to get a cert you can install manually

obtaining Letsencrypt SSL certificate via webroot authentication...

/root/.local/share/letsencrypt/bin/letsencrypt -c /etc/letsencrypt/webroot.ini --user-agent centminmod-centos6-webroot --webroot-path /home/nginx/domains/le10.http2ssl.xyz/public -d le10.http2ssl.xyz auth
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/le10.http2ssl.xyz/fullchain.pem. Your cert
   will expire on 2016-02-13. To obtain a new version of the
   certificate in the future, simply run Let's Encrypt again.
/root/.local/share/letsencrypt/bin/letsencrypt -c /etc/letsencrypt/webroot.ini --user-agent centminmod-centos6-webroot --webroot-path /home/nginx/domains/le10.http2ssl.xyz/public -d le10.http2ssl.xyz auth

setup cronjob for /usr/local/nginx/conf/ssl/le10.http2ssl.xyz/letsencrypt-le10.http2ssl.xyz-cron
0 */4 * * * /usr/bin/cminfo_updater
15 1 1 */2 * sleep 704s ; bash /usr/local/nginx/conf/ssl/le10.http2ssl.xyz/letsencrypt-le10.http2ssl.xyz-cron > /dev/null 2>&1
service nginx restart
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
Stopping nginx:                                            [  OK  ]
Starting nginx:                                            [  OK  ]

-------------------------------------------------------------
FTP hostname : 104.152.214.220
FTP port : 21
FTP mode : FTP (explicit SSL)
FTP Passive (PASV) : ensure is checked/enabled
FTP username created for le10.http2ssl.xyz : *********************
FTP password created for le10.http2ssl.xyz : *********************
-------------------------------------------------------------

There's also a cronjob file setup on successfully obtaining Letsencrypt SSL certificate only at /usr/local/nginx/conf/ssl/le10.http2ssl.xyz/letsencrypt-le10.http2ssl.xyz-cron. Contents of /usr/local/nginx/conf/ssl/le10.http2ssl.xyz/letsencrypt-le10.http2ssl.xyz-cron

Code:

/root/.local/share/letsencrypt/bin/letsencrypt -c /etc/letsencrypt/webroot.ini --user-agent centminmod-centos6-webroot --webroot-path /home/nginx/domains/le10.http2ssl.xyz/public -d le10.http2ssl.xyz auth
/usr/bin/nprestart

cronjob is auto setup to run every 2 months with random sleep interval set so if you have many nginx vhosts with Letsencrypt SSL certificates, cronjob auto renewals are not all run simultaneously

Code:

15 1 1 */2 * sleep 704s ; bash /usr/local/nginx/conf/ssl/le10.http2ssl.xyz/letsencrypt-le10.http2ssl.xyz-cron > /dev/null 2>&1

on completion of centmin.sh menu option 2 the nginx vhost files and info for your record

Code:

vhost for le10.http2ssl.xyz created successfully

domain: http://le10.http2ssl.xyz
vhost conf file for le10.http2ssl.xyz created: /usr/local/nginx/conf/conf.d/le10.http2ssl.xyz.conf

vhost ssl for le10.http2ssl.xyz created successfully

domain: https://le10.http2ssl.xyz
vhost ssl conf file for le10.http2ssl.xyz created: /usr/local/nginx/conf/conf.d/le10.http2ssl.xyz.ssl.conf
/usr/local/nginx/conf/ssl_include.conf created
Self-signed SSL Certificate: /usr/local/nginx/conf/ssl/le10.http2ssl.xyz/le10.http2ssl.xyz.crt
SSL Private Key: /usr/local/nginx/conf/ssl/le10.http2ssl.xyz/le10.http2ssl.xyz.key
SSL CSR File: /usr/local/nginx/conf/ssl/le10.http2ssl.xyz/le10.http2ssl.xyz.csr
Backup SSL Private Key: /usr/local/nginx/conf/ssl/le10.http2ssl.xyz/le10.http2ssl.xyz-backup.key
Backup SSL CSR File: /usr/local/nginx/conf/ssl/le10.http2ssl.xyz/le10.http2ssl.xyz-backup.csr

Letsencrypt SSL Certificate: /etc/letsencrypt/live/le10.http2ssl.xyz/cert.pem
Letsencrypt SSL Certificate Private Key: /etc/letsencrypt/live/le10.http2ssl.xyz/privkey.pem
Letsencrypt SSL Certificate Chain: /etc/letsencrypt/live/le10.http2ssl.xyz/chain.pem
Letsencrypt SSL Certificate Full Chain: /etc/letsencrypt/live/le10.http2ssl.xyz/fullchain.pem
Letsencrypt le10.http2ssl.xyz cronjob file: /usr/local/nginx/conf/ssl/le10.http2ssl.xyz/letsencrypt-le10.http2ssl.xyz-cron

upload files to /home/nginx/domains/le10.http2ssl.xyz/public
vhost log files directory is /home/nginx/domains/le10.http2ssl.xyz/log

-------------------------------------------------------------
Current vhost listing at: /usr/local/nginx/conf/conf.d/

      
Nov 5   18:02   1.1K   demodomain.com.conf
Nov 5   18:02   1.6K   ftp.ftpdomain.com.conf
Nov 5   18:02   3.9K   ftp.ftpdomain.com.ssl.conf
Nov 5   18:02   845    ssl.conf
Nov 6   00:13   1.6K   ftp2.domain.com.conf
Nov 6   00:13   3.9K   ftp2.domain.com.ssl.conf
Nov 6   07:15   1.6K   virtual.conf
Nov 15  21:55   1.7K   le10.http2ssl.xyz.conf
Nov 15  21:55   3.9K   le10.http2ssl.xyz.ssl.conf

-------------------------------------------------------------
Current vhost ssl files listing at: /usr/local/nginx/conf/ssl/le10.http2ssl.xyz

      
Nov 15  21:53   1.7K   le10.http2ssl.xyz.key
Nov 15  21:53   1.1K   le10.http2ssl.xyz.csr
Nov 15  21:53   1.3K   le10.http2ssl.xyz.crt
Nov 15  21:53   1.7K   le10.http2ssl.xyz-backup.key
Nov 15  21:53   1.1K   le10.http2ssl.xyz-backup.csr
Nov 15  21:54   45     hpkp-info-primary-pin.txt
Nov 15  21:54   45     hpkp-info-secondary-pin.txt
Nov 15  21:55   424    dhparam.pem
Nov 15  21:55   205    letsencrypt-le10.http2ssl.xyz-cron

-------------------------------------------------------------
Commands to remove le10.http2ssl.xyz

rm -rf /usr/local/nginx/conf/conf.d/le10.http2ssl.xyz.conf
rm -rf /usr/local/nginx/conf/conf.d/le10.http2ssl.xyz.ssl.conf
rm -rf /usr/local/nginx/conf/ssl/le10.http2ssl.xyz/le10.http2ssl.xyz.crt
rm -rf /usr/local/nginx/conf/ssl/le10.http2ssl.xyz/le10.http2ssl.xyz.key
rm -rf /usr/local/nginx/conf/ssl/le10.http2ssl.xyz/le10.http2ssl.xyz.csr
rm -rf /usr/local/nginx/conf/ssl/le10.http2ssl.xyz
rm -rf /home/nginx/domains/le10.http2ssl.xyz
service nginx restart
-------------------------------------------------------------

If you manually ran the letsencrypt cronjob to renew SSL certificate

Code:

bash /usr/local/nginx/conf/ssl/le10.http2ssl.xyz/letsencrypt-le10.http2ssl.xyz-cron

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/le10.http2ssl.xyz/fullchain.pem. Your cert
   will expire on 2016-02-13. To obtain a new version of the
   certificate in the future, simply run Let's Encrypt again.
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
Stopping nginx:                                            [  OK  ]
Starting nginx:                                            [  OK  ]
Gracefully shutting down php-fpm . done
Starting php-fpm  done

Code:

ls -lah /etc/letsencrypt/live/le10.http2ssl.xyz/
total 8.0K
drwxr-xr-x 2 root root 4.0K Nov 15 22:34 .
drwx------ 3 root root 4.0K Nov 15 21:55 ..
lrwxrwxrwx 1 root root   41 Nov 15 22:34 cert.pem -> ../../archive/le10.http2ssl.xyz/cert2.pem
lrwxrwxrwx 1 root root   42 Nov 15 22:34 chain.pem -> ../../archive/le10.http2ssl.xyz/chain2.pem
lrwxrwxrwx 1 root root   46 Nov 15 22:34 fullchain.pem -> ../../archive/le10.http2ssl.xyz/fullchain2.pem
lrwxrwxrwx 1 root root   44 Nov 15 22:34 privkey.pem -> ../../archive/le10.http2ssl.xyz/privkey2.pem

Service Monitoring: crond

As crond service is critical for auto renewals, probably need to monitor and auto restart such services. I've been working on monit support for Centmin Mod and several dozen monit services' configuration profiles for ages now with CentOS 6 support - only started adding CentOS 7 support as well so to monitor and auto restart all Centmin Mod LEMP stack's services.

Then I deliberately stopped crond service so that monit can detect crond service as being down and auto restart it. The current default is to wait 120 seconds before reporting a service as being down and auto restart and send email notifications.

Code:

tail -50 /var/log/monit.log
[UTC Nov 16 20:17:21] info     : Generated unique Monit id 9a71505590331e4d3fb1558db4491b04 and stored to '/root/.monit.id'
[UTC Nov 16 20:17:21] info     : Starting Monit 5.14 daemon with http interface at [localhost]:2812
[UTC Nov 16 20:17:21] info     : Monit start delay set -- pause for 240s
[UTC Nov 16 20:18:18] info     : Monit daemon with pid [4226] stopped
[UTC Nov 16 20:18:18] info     : 'centos7.localdomain' Monit 5.14 stopped
[UTC Nov 16 20:18:29] info     : Starting Monit 5.14 daemon with http interface at [localhost]:2812
[UTC Nov 16 20:18:29] info     : Monit start delay set -- pause for 240s
[UTC Nov 16 20:22:29] info     : Starting Monit HTTP server at [localhost]:2812
[UTC Nov 16 20:22:29] info     : Monit HTTP server started
[UTC Nov 16 20:22:29] info     : 'centos7.localdomain' Monit 5.14 started

[UTC Nov 16 20:23:00] error    : 'cron' process is not running
[UTC Nov 16 20:23:00] info     : 'cron' trying to restart
[UTC Nov 16 20:23:00] info     : 'cron' start: /usr/bin/systemctl

Then checked crond service and see monit auto restarted the service

Code:

service crond status
Redirecting to /bin/systemctl status  crond.service
crond.service - Command Scheduler
   Loaded: loaded (/usr/lib/systemd/system/crond.service; enabled)
   Active: active (running) since Mon 2015-11-16 20:23:00 UTC; 3min 1s ago
Main PID: 4362 (crond)
   CGroup: /system.slice/crond.service
           └─4362 /usr/sbin/crond -n

Nov 16 20:23:00 centos7.localdomain systemd[1]: Started Command Scheduler.
Nov 16 20:23:00 centos7.localdomain crond[4362]: (CRON) INFO (RANDOM_DELAY will be scaled with factor 91% if used.)
Nov 16 20:23:00 centos7.localdomain crond[4362]: (CRON) INFO (running with inotify support)
Nov 16 20:23:00 centos7.localdomain crond[4362]: (CRON) INFO (@reboot jobs will be run at computer's startup.)

monit email notifications which are configured to set on monit events

Code:

Does not exist Service cron

        Date:        Mon, 16 Nov 2015 20:23:00
        Action:      restart
        Host:        centos7.localdomain
        Description: process is not running

Code:

Exists Service cron

        Date:        Mon, 16 Nov 2015 20:25:30
        Action:      alert
        Host:        centos7.localdomain
        Description: process is running with pid 4362

Monit command line status

Code:

monit status
The Monit daemon 5.14 uptime: 2m

Process 'sshd'
  status                            Running
  monitoring status                 Monitored
  pid                               1001
  parent pid                        1
  uid                               0
  effective uid                     0
  gid                               0
  uptime                            3h 33m
  children                          4
  memory                            3.5 MB
  memory total                      16.0 MB
  memory percent                    0.1%
  memory percent total              0.8%
  cpu percent                       0.0%
  cpu percent total                 0.0%
  port response time                0.009s to [127.0.0.1]:22 type TCP/IP protocol SSH
  data collected                    Mon, 16 Nov 2015 22:14:36

Process 'postfix'
  status                            Running
  monitoring status                 Monitored
  pid                               2010
  parent pid                        1
  uid                               0
  effective uid                     0
  gid                               0
  uptime                            3h 33m
  children                          8
  memory                            2.2 MB
  memory total                      37.3 MB
  memory percent                    0.1%
  memory percent total              2.0%
  cpu percent                       0.0%
  cpu percent total                 0.0%
  data collected                    Mon, 16 Nov 2015 22:14:36

Process 'php-fpm'
  status                            Running
  monitoring status                 Monitored
  pid                               6263
  parent pid                        1
  uid                               0
  effective uid                     0
  gid                               0
  uptime                            23m
  children                          0
  memory                            16.5 MB
  memory total                      16.5 MB
  memory percent                    0.8%
  memory percent total              0.8%
  cpu percent                       0.0%
  cpu percent total                 0.0%
  port response time                0.000s to [localhost]:9000 type TCP/IP protocol DEFAULT
  data collected                    Mon, 16 Nov 2015 22:14:36

Process 'nsd'
  status                            Running
  monitoring status                 Monitored
  pid                               1252
  parent pid                        1
  uid                               1001
  effective uid                     1001
  gid                               1001
  uptime                            3h 33m
  children                          2
  memory                            944.0 kB
  memory total                      6.2 MB
  memory percent                    0.0%
  memory percent total              0.3%
  cpu percent                       0.0%
  cpu percent total                 0.0%
  data collected                    Mon, 16 Nov 2015 22:14:36

Process 'nginx'
  status                            Running
  monitoring status                 Monitored
  pid                               2508
  parent pid                        1
  uid                               0
  effective uid                     0
  gid                               0
  uptime                            3h 33m
  children                          2
  memory                            28.0 MB
  memory total                      92.5 MB
  memory percent                    1.5%
  memory percent total              5.0%
  cpu percent                       0.0%
  cpu percent total                 0.0%
  data collected                    Mon, 16 Nov 2015 22:14:36

Process 'mysql'
  status                            Not monitored
  monitoring status                 Not monitored
  data collected                    Mon, 16 Nov 2015 22:13:36

Process 'memcached'
  status                            Running
  monitoring status                 Monitored
  pid                               2493
  parent pid                        1
  uid                               99
  effective uid                     99
  gid                               99
  uptime                            3h 33m
  children                          0
  memory                            1.1 MB
  memory total                      1.1 MB
  memory percent                    0.0%
  memory percent total              0.0%
  cpu percent                       0.0%
  cpu percent total                 0.0%
  port response time                0.000s to [localhost]:11211 type TCP/IP protocol DEFAULT
  data collected                    Mon, 16 Nov 2015 22:14:36

Process 'lfd'
  status                            Running
  monitoring status                 Monitored
  pid                               5260
  parent pid                        1
  uid                               0
  effective uid                     0
  gid                               0
  uptime                            1h 5m
  children                          0
  memory                            22.6 MB
  memory total                      22.6 MB
  memory percent                    1.2%
  memory percent total              1.2%
  cpu percent                       0.0%
  cpu percent total                 0.0%
  data collected                    Mon, 16 Nov 2015 22:14:36

Process 'cron'
  status                            Running
  monitoring status                 Monitored
  pid                               4362
  parent pid                        1
  uid                               0
  effective uid                     0
  gid                               0
  uptime                            1h 51m
  children                          0
  memory                            1.5 MB
  memory total                      1.5 MB
  memory percent                    0.0%
  memory percent total              0.0%
  cpu percent                       0.0%
  cpu percent total                 0.0%
  data collected                    Mon, 16 Nov 2015 22:14:36

System 'centos7.localdomain'
  status                            Running
  monitoring status                 Monitored
  load average                      [0.01] [0.02] [0.05]
  cpu                               0.0%us 0.0%sy 0.0%wa
  memory usage                      368.1 MB [20.0%]
  swap usage                        0 B [0.0%]
  data collected                    Mon, 16 Nov 2015 22:14:36

Monit web gui

 

Working on a companion script to report every Letsencrypt SSL certificates' expiry dates in number of days

Code:

./expirydate.sh 

/etc/letsencrypt/live/le2.http2ssl.xyz/cert.pem
certificate expires in 74 days on 2 Feb 2016

/etc/letsencrypt/live/le8.http2ssl.xyz/cert.pem
certificate expires in 70 days on 29 Jan 2016

/etc/letsencrypt/live/le1.http2ssl.xyz/cert.pem
certificate expires in 66 days on 25 Jan 2016

/etc/letsencrypt/live/http2ssl.xyz/cert.pem
certificate expires in 66 days on 25 Jan 2016

 

Could be problematic that Letsencrypt client installed dependency requires quite a bit of system memory - not even 512MB VPS is working Running with 192MB RAM is not enough · Issue #1081 · letsencrypt/letsencrypt · GitHub Both my test VPSes for Letsencrypt are 1GB VPS so probably why I haven't run into this problem myself.

 

tools/nv.sh and /usr/bin/nv Letsencrypt integration

So far have been only working on shell based menu LE integration into centmin.sh menu option 2. Now that this is more polished, working on Letsencrypt integration into the command line version of Centmin Mod's auto generator for Nginx vhost domains - tools/nv.sh and /usr/bin/nv commands.

/usr/bin/nv command has added a new flag option for -s le specifically for auto generation of an Nginx vhost with Letsencrypt SSL certificates. If you use the regular -s y flag option it just auto generates Nginx vhost with self-signed SSL certificate instead.

Code:

nv -h

Usage: /usr/bin/nv [-d yourdomain.com] [-s y|n|le] [-u ftpusername]

  -d  yourdomain.com or subdomain.yourdomain.com
  -s  ssl self-signed create = y or n or le (for letsencrypt ssl certs)
  -u  your FTP username

  example:

  /usr/bin/nv -d yourdomain.com -s y -u ftpusername
  /usr/bin/nv -d yourdomain.com -s le -u ftpusername

Example run below is done in virtualbox test CentOS 7 server, so the final authorisation for Letsencrypt will fail as DNS A record for le11.http2ssl.xyz domain isn't pointing to my virtualbox server local IP.

Run nv command with -s le flag for Letsencrypt and pass pure-ftpd virtual ftp username you want to use for Nginx vhost domain.

Code:

nv -d le11.http2ssl.xyz -s le -u **********

Code:

nv -d le11.http2ssl.xyz -s le -u **********
---------------------------------------------------------------
Nginx Vhost Setup...
---------------------------------------------------------------


To get Letsencrypt SSL certificate, you must already have updated intended
domain vhost name's DNS A record to this server's IP addresss.
If top level domain, DNS A record is needed also for www. version of domain
otherwise, Letsencrypt domain name validation will fail.


le11.http2ssl.xyz is not a top level domain
your server IP address: *************
current DNS A record IP address for le11.http2ssl.xyz is: 104.152.214.220

Abort this Nginx vhost domain setup to setup proper DNS A record(s) first? [y/n]: n
Obtain Letsencrypt Free SSL certificate (90 day expiry / renew every 60 days) ? [y/n]: y

FTP password auto generated: *************

Code:

---------------------------------------------------------------
SSL Vhost Setup...
---------------------------------------------------------------

---------------------------------------------------------------
Generating self signed SSL certificate...
CSR file can also be used to be submitted for paid SSL certificates
If using for paid SSL certificates be sure to keep both private key and CSR safe
creating CSR File: le11.http2ssl.xyz.csr
creating private key: le11.http2ssl.xyz.key
creating self-signed SSL certificate: le11.http2ssl.xyz.crt
Generating a 2048 bit RSA private key
......................+++
...........+++
writing new private key to 'le11.http2ssl.xyz.key'
-----
No value provided for Subject Attribute C, skipped
No value provided for Subject Attribute ST, skipped
No value provided for Subject Attribute L, skipped
Signature ok
subject=/O=le11.http2ssl.xyz/OU=le11.http2ssl.xyz/CN=le11.http2ssl.xyz
Getting Private key

---------------------------------------------------------------
Generating backup CSR and private key for HTTP Public Key Pinning...
creating CSR File: le11.http2ssl.xyz-backup.csr
creating private key: le11.http2ssl.xyz-backup.key
Generating a 2048 bit RSA private key
...........................................................................+++
....+++
writing new private key to 'le11.http2ssl.xyz-backup.key'
-----
---------------------------------------------------------------
Generating dhparam.pem file - can take a few minutes...
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
.............................................................................++*++*
dhparam file generation time: 28.509509484

-------------------------------------------------------------
Restarting nginx (via systemctl):  [  OK  ]
systemctl restart pure-ftpd.service

installing or updating letsencrypt client

Code:

setup general /etc/letsencrypt/webroot.ini letsencrypt config file

Registering an account with Letsencrypt
You only do this once, so that Letsencrypt can notify &
contact you via email regarding your SSL certificates
Enter your email address to setup Letsencrypt account: validemail@addy.com

You are registering validemail@addy.com address for Letsencrypt

obtaining Letsencrypt SSL certificate via webroot authentication...

/root/.local/share/letsencrypt/bin/letsencrypt -c /etc/letsencrypt/webroot.ini --user-agent centminmod-centos7-webroot --webroot-path /home/nginx/domains/le11.http2ssl.xyz/public -d le11.http2ssl.xyz certonly
Failed authorization procedure. le11.http2ssl.xyz (http-01): unauthorized :: The client lacks sufficient authorization :: Invalid response from http://le11.http2ssl.xyz/.well-known/acme-challenge/iyJehKV8_TJZ9u95KjRNn8ZOWg5jUbOggIUf0aZB4gk [104.152.214.220]: 404
IMPORTANT NOTES:
- If you lose your account credentials, you can recover through
   e-mails sent to validemail@addy.com.
- The following 'unauthorized' errors were reported by the server:

   Domains: le11.http2ssl.xyz
   Error: The client lacks sufficient authorization

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address.
- Your account credentials have been saved in your Let's Encrypt
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Let's
   Encrypt so making regular backups of this folder is ideal.

-------------------------------------------------------------

Code:

-------------------------------------------------------------
vhost for le11.http2ssl.xyz created successfully

domain: http://le11.http2ssl.xyz
vhost conf file for le11.http2ssl.xyz created: /usr/local/nginx/conf/conf.d/le11.http2ssl.xyz.conf

vhost ssl for le11.http2ssl.xyz created successfully

domain: https://le11.http2ssl.xyz
vhost ssl conf file for le11.http2ssl.xyz created: /usr/local/nginx/conf/conf.d/le11.http2ssl.xyz.ssl.conf
/usr/local/nginx/conf/ssl_include.conf created
Self-signed SSL Certificate: /usr/local/nginx/conf/ssl/le11.http2ssl.xyz/le11.http2ssl.xyz.crt
SSL Private Key: /usr/local/nginx/conf/ssl/le11.http2ssl.xyz/le11.http2ssl.xyz.key
SSL CSR File: /usr/local/nginx/conf/ssl/le11.http2ssl.xyz/le11.http2ssl.xyz.csr
Backup SSL Private Key: /usr/local/nginx/conf/ssl/le11.http2ssl.xyz/le11.http2ssl.xyz-backup.key
Backup SSL CSR File: /usr/local/nginx/conf/ssl/le11.http2ssl.xyz/le11.http2ssl.xyz-backup.csr

upload files to /home/nginx/domains/le11.http2ssl.xyz/public
vhost log files directory is /home/nginx/domains/le11.http2ssl.xyz/log

-------------------------------------------------------------
Current vhost listing at: /usr/local/nginx/conf/conf.d/

                 
Nov 5   19:33   1.1K   demodomain.com.conf
Nov 5   19:33   845    ssl.conf
Nov 6   05:40   1.6K   virtual.conf
Nov 20  03:31   1.6K   le11.http2ssl.xyz.conf
Nov 20  03:31   3.9K   le11.http2ssl.xyz.ssl.conf

-------------------------------------------------------------
Current vhost ssl files listing at: /usr/local/nginx/conf/ssl/le11.http2ssl.xyz

                 
Nov 20  03:31   1.7K   le11.http2ssl.xyz.key
Nov 20  03:31   976    le11.http2ssl.xyz.csr
Nov 20  03:31   1.2K   le11.http2ssl.xyz.crt
Nov 20  03:31   1.7K   le11.http2ssl.xyz-backup.key
Nov 20  03:31   976    le11.http2ssl.xyz-backup.csr
Nov 20  03:31   45     hpkp-info-primary-pin.txt
Nov 20  03:31   45     hpkp-info-secondary-pin.txt
Nov 20  03:31   424    dhparam.pem

-------------------------------------------------------------
Commands to remove le11.http2ssl.xyz

rm -rf /usr/local/nginx/conf/conf.d/le11.http2ssl.xyz.conf
rm -rf /usr/local/nginx/conf/conf.d/le11.http2ssl.xyz.ssl.conf
rm -rf /usr/local/nginx/conf/ssl/le11.http2ssl.xyz/le11.http2ssl.xyz.crt
rm -rf /usr/local/nginx/conf/ssl/le11.http2ssl.xyz/le11.http2ssl.xyz.key
rm -rf /usr/local/nginx/conf/ssl/le11.http2ssl.xyz/le11.http2ssl.xyz.csr
rm -rf /usr/local/nginx/conf/ssl/le11.http2ssl.xyz
rm -rf /home/nginx/domains/le11.http2ssl.xyz
service nginx restart
-------------------------------------------------------------

Then doing same test on live VPS server

Code:

nv -d le11.http2ssl.xyz -s le -u **********

Code:

obtaining Letsencrypt SSL certificate via webroot authentication...

/root/.local/share/letsencrypt/bin/letsencrypt -c /etc/letsencrypt/webroot.ini --user-agent centminmod-centos6-webroot --webroot-path /home/nginx/domains/le11.http2ssl.xyz/public -d le11.http2ssl.xyz certonly
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/le11.http2ssl.xyz/fullchain.pem. Your cert
   will expire on 2016-02-18. To obtain a new version of the
   certificate in the future, simply run Let's Encrypt again.
/root/.local/share/letsencrypt/bin/letsencrypt -c /etc/letsencrypt/webroot.ini --user-agent centminmod-centos6-webroot --webroot-path /home/nginx/domains/le11.http2ssl.xyz/public -d le11.http2ssl.xyz certonly
/usr/bin/nprestart

setup cronjob for /usr/local/nginx/conf/ssl/le11.http2ssl.xyz/letsencrypt-le11.http2ssl.xyz-cron
0 */4 * * * /usr/bin/cminfo_updater
15 1 1 */2 * sleep 704s ; bash /usr/local/nginx/conf/ssl/le10.http2ssl.xyz/letsencrypt-le10.http2ssl.xyz-cron > /dev/null 2>&1
15 1 1 */2 * sleep 624s ; bash /usr/local/nginx/conf/ssl/le11.http2ssl.xyz/letsencrypt-le11.http2ssl.xyz-cron > /dev/null 2>&1
service nginx restart

Code:

ls -lAht /etc/letsencrypt/live/le11.http2ssl.xyz/
total 0
lrwxrwxrwx 1 root root 41 Nov 20 08:19 cert.pem -> ../../archive/le11.http2ssl.xyz/cert1.pem
lrwxrwxrwx 1 root root 42 Nov 20 08:19 chain.pem -> ../../archive/le11.http2ssl.xyz/chain1.pem
lrwxrwxrwx 1 root root 46 Nov 20 08:19 fullchain.pem -> ../../archive/le11.http2ssl.xyz/fullchain1.pem
lrwxrwxrwx 1 root root 44 Nov 20 08:19 privkey.pem -> ../../archive/le11.http2ssl.xyz/privkey1.pem

Code:

./expirydate.sh

/etc/letsencrypt/live/le10.http2ssl.xyz/cert.pem
certificate expires in 84 days on 13 Feb 2016

/etc/letsencrypt/live/le11.http2ssl.xyz/cert.pem
certificate expires in 89 days on 18 Feb 2016

 

Centmin Mod Auto Renewal of Letsencrypt SSL Certificate

An illustrative example of running the auto renewal cronjob file has been updated at centminmod.com/letsencrypt-freessl.html#autocron. Only takes 7.8 seconds to renew the Letsencrypt SSL certificate

Auto Renewal Cron Error and Email Notifications

Also updated cronfile with error detection and email notification on failed LE SSL certificate auto renewal and changed to just nginx reload command

Using le12.http2ssl.xyz as an example via nv command line auto generation of Nginx vhost + SSL vhost and LE SSL certificate deployment

Code (Text):

nv -d le12.http2ssl.xyz -s le -u ***************
---------------------------------------------------------------
Nginx Vhost Setup...
---------------------------------------------------------------

To get Letsencrypt SSL certificate, you must already have updated intended
domain vhost name's DNS A record to this server's IP addresss.
If top level domain, DNS A record is needed also for www. version of domain
otherwise, Letsencrypt domain name validation will fail.

le12.http2ssl.xyz is not a top level domain
your server IP address: 104.152.214.220
current DNS A record IP address for le12.http2ssl.xyz is: 104.152.214.220

Abort this Nginx vhost domain setup to setup proper DNS A record(s) first? [y/n]: n
Obtain Letsencrypt Free SSL certificate (90 day expiry / renew every 60 days) ? [y/n]: y

FTP password auto generated: ***************

Code (Text):

obtaining Letsencrypt SSL certificate via webroot authentication...

/root/.local/share/letsencrypt/bin/letsencrypt -c /etc/letsencrypt/webroot.ini --user-agent centminmod-centos6-webroot --webroot-path /home/nginx/domains/le12.http2ssl.xyz/public -d le12.http2ssl.xyz certonly
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/le12.http2ssl.xyz/fullchain.pem. Your cert
   will expire on 2016-02-24. To obtain a new version of the
   certificate in the future, simply run Let's Encrypt again.

/usr/local/nginx/conf/ssl/le12.http2ssl.xyz/letsencrypt-le12.http2ssl.xyz-cron contents:

Code (Text):

EMAIL=$(awk '/email/ {print $3}' /etc/letsencrypt/webroot.ini)
ERRORLOG=$(tail /var/log/letsencrypt/letsencrypt.log)
/root/.local/share/letsencrypt/bin/letsencrypt -c /etc/letsencrypt/webroot.ini --user-agent centminmod-centos6-webroot --webroot-path /home/nginx/domains/le12.http2ssl.xyz/public -d le12.http2ssl.xyz certonly
if [ $? -ne 0 ]; then
    sleep 1; echo -e "The Lets Encrypt SSL Certificate for le12.http2ssl.xyz has not been renewed! \n \n" $ERRORLOG | mail -s "Lets Encrypt Cert Alert" $EMAIL
  else
    /usr/bin/ngxreload
fi
exit 0

cronjobs with auto inserted random sleep intervals to ensure not all LE SSL cron files run simultaneously

Code (Text):

setup cronjob for /usr/local/nginx/conf/ssl/le12.http2ssl.xyz/letsencrypt-le12.http2ssl.xyz-cron
0 */4 * * * /usr/bin/cminfo_updater
15 1 1 */2 * sleep 704s ; bash /usr/local/nginx/conf/ssl/le10.http2ssl.xyz/letsencrypt-le10.http2ssl.xyz-cron > /dev/null 2>&1
15 1 1 */2 * sleep 624s ; bash /usr/local/nginx/conf/ssl/le11.http2ssl.xyz/letsencrypt-le11.http2ssl.xyz-cron > /dev/null 2>&1
15 1 1 */2 * sleep 896s ; bash /usr/local/nginx/conf/ssl/le12.http2ssl.xyz/letsencrypt-le12.http2ssl.xyz-cron > /dev/null 2>&1

basically cron file's EMAIL field is dynamically obtained from /etc/letsencrypt/webroot.ini listed email field so that if you change the email address, it's automatically updated.

expiry dates

Code (Text):

./expirydate.sh

/etc/letsencrypt/live/le10.http2ssl.xyz/cert.pem
certificate expires in 78 days on 13 Feb 2016

/etc/letsencrypt/live/le11.http2ssl.xyz/cert.pem
certificate expires in 88 days on 23 Feb 2016

/etc/letsencrypt/live/le12.http2ssl.xyz/cert.pem
certificate expires in 89 days on 24 Feb 2016

Testing manual run of cronfile auto renewal - 4.9 seconds to renew SSL certificate

Code (Text):

time bash /usr/local/nginx/conf/ssl/le12.http2ssl.xyz/letsencrypt-le12.http2ssl.xyz-cron

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/le12.http2ssl.xyz/fullchain.pem. Your cert
   will expire on 2016-02-24. To obtain a new version of the
   certificate in the future, simply run Let's Encrypt again.
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
Reloading nginx:                                           [  OK  ]

real    0m4.903s
user    0m0.850s
sys     0m0.120s