
Letsencrypt Letsencrypt Free SSL certificates with web root authentication method

Discussion in 'Domains, DNS, Email & SSL Certificates' started by eva2000, Oct 5, 2015.

  1. eva2000


    Letsencrypt Auto Renewal Cron Improvements




    Changed cron file routine for letsencrypt ssl certificate auto renewal to check certificate expiry date every 9 days and run auto renewal only if certificate expiry date is less than 30 days. This will ensure if auto renewal fails for some reason on either side, that there's 29/9 = ~ 3 more chances for auto renewal of ssl certificate. So in total there would be 3+1 = 4 attempts at auto renewal of LE SSL certificate before expiry :)
     
    Last edited: Nov 29, 2015
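Added example of the expiry-gated check described in this post (not Centmin Mod's own cron script): it reads the certificate's notAfter date with openssl, renews only when fewer than 30 days remain, and is meant to be run from a roughly 9-day cron entry. The certificate path, the script path in the crontab line and the renewal command (reused from the option 22 transcript later in this thread) are assumptions.

```shell
#!/bin/bash
# Added example, not Centmin Mod's own cron script: expiry-gated renewal check
# following the logic in the post (check every 9 days, renew only when fewer
# than 30 days remain). Paths and the renewal command are assumptions.

RENEW_THRESHOLD_DAYS=30
# Assumed certificate location (matches the vhost layout shown in this thread).
CERT_FILE="${CERT_FILE:-/usr/local/nginx/conf/ssl/domain1.com/domain1.com.crt}"
# Assumed renewal command: the same webroot call the thread shows for issuance.
RENEW_CMD="${RENEW_CMD:-/root/.local/share/letsencrypt/bin/letsencrypt -c /etc/letsencrypt/webroot.ini --webroot-path /home/nginx/domains/domain1.com/public -d domain1.com certonly}"

# cert_not_after CERT: print the notAfter value of a PEM certificate,
# e.g. "Mar  1 20:00:00 2016 GMT", exactly as openssl reports it.
cert_not_after() {
    openssl x509 -noout -enddate -in "$1" 2>/dev/null | sed 's/^notAfter=//'
}

# days_remaining NOTAFTER [NOW_EPOCH]: whole days from NOW (default: current
# time) until NOTAFTER; negative once the certificate has expired.
# Uses GNU date -d, which understands openssl's notAfter format.
days_remaining() {
    local not_after="$1" now="${2:-$(date +%s)}" expiry
    expiry=$(date -u -d "$not_after" +%s) || return 1
    echo $(( (expiry - now) / 86400 ))
}

# should_renew DAYS: succeed when strictly fewer than the threshold remain,
# so a certificate with exactly 30 days left waits for the next 9-day check.
should_renew() {
    [ "$1" -lt "$RENEW_THRESHOLD_DAYS" ]
}

# check_and_renew CERT: what the periodic cron job runs.
check_and_renew() {
    local cert="$1" not_after days
    not_after=$(cert_not_after "$cert")
    [ -n "$not_after" ] || { echo "cannot read expiry from $cert" >&2; return 2; }
    days=$(days_remaining "$not_after") || return 2
    if should_renew "$days"; then
        echo "$cert: $days days left (< $RENEW_THRESHOLD_DAYS), running renewal"
        $RENEW_CMD
    else
        echo "$cert: $days days left, no renewal needed"
    fi
}

# Crontab line (assumed, not Centmin Mod's actual entry) to run this script
# roughly every 9 days; */9 in the day-of-month field fires on the 1st, 10th,
# 19th and 28th, which still gives several checks inside the 30-day window:
#   0 3 */9 * * /root/tools/le_renew_check.sh /usr/local/nginx/conf/ssl/domain1.com/domain1.com.crt
if [ -n "${1:-}" ]; then
    check_and_renew "$1"
fi
```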
  2. eva2000


    Letsencrypt Integration Into Wordpress Auto Installer Menu



    Now testing Letsencrypt integration into centmin.sh menu option 22 for auto installation of Wordpress + WP Super Cache + deploying free SSL certificate from Letsencrypt. I am testing on local virtualbox CentOS 7 server using dummy domain = domain1.com so the Letsencrypt SSL verification will fail expectedly so the domain1.com's Nginx HTTP/2 SSL based vhost will fall back to the auto generated self-signed SSL certificate instead. For live working domains, when Letsencrypt domain validation succeeds, you end up with a fully browser trusted Nginx HTTP/2 SSL Wordpress installation :). For now, just a local test before trying on VPS server :) Testing is done on a separate Centmin Mod 123.09beta01le branch until ready for merging into 123.09beta01 branch.

    centmin.sh menu option 22 run
    Code:
    --------------------------------------------------------
    Centmin Mod 1.2.3-eva2000.09 - http://centminmod.com
    --------------------------------------------------------
                       Centmin Mod Menu                
    --------------------------------------------------------
    1).  Centmin Install
    2).  Add Nginx vhost domain
    3).  NSD setup domain name DNS
    4).  Nginx Upgrade / Downgrade
    5).  PHP Upgrade / Downgrade
    6).  XCache Re-install
    7).  APC Cache Re-install
    8).  XCache Install
    9).  APC Cache Install
    10). Memcached Server Re-install
    11). MariaDB 5.2/5.5 & 10.x Upgrade Sub-Menu
    12). Zend OpCache Install/Re-install
    13). Install ioping.sh vbtechsupport.com/1239/
    14). SELinux disable
    15). Install/Reinstall ImagicK PHP Extension
    16). Change SSHD Port Number
    17). Multi-thread compression: pigz,pbzip2,lbzip2...
    18). Suhosin PHP Extension install
    19). Install FFMPEG and FFMPEG PHP Extension
    20). NSD Re-install
    21). Update - Nginx + PHP-FPM + Siege
    22). Add Wordpress Nginx vhost + WP Super Cache
    23). Update Centmin Mod Code Base
    24). Exit
    --------------------------------------------------------
    Enter option [ 1 - 24 ] 22
    --------------------------------------------------------
    
    Code:
    -------------------------------------------------------------
    Setup full Nginx vhost + Wordpress + WP Super Cache
    -------------------------------------------------------------
    
    Enter vhost domain name you want to add (without www. prefix): domain1.com
    
    Create a self-signed SSL certificate Nginx vhost? [y/n]: y
    
    
    To get Letsencrypt SSL certificate, you must already have updated intended
    domain vhost name's DNS A record to this server's IP addresss.
    If top level domain, DNS A record is needed also for www. version of domain
    otherwise, Letsencrypt domain name validation will fail.
    
    
    !! Error: domain1.com DNS records not found or setup properly yet or domain1.com invalid
    
    Abort this Nginx vhost domain setup to setup proper DNS A record(s) first? [y/n]: n
    Obtain Letsencrypt Free SSL certificate (90 day expiry / renew every 60 days) ? [y/n]: y
    Enter email address for Wordpress Installation: validemail@addy
    Create FTP username for vhost domain (enter username): ***
    Do you want to auto generate FTP password (recommended) [y/n]: y
    
    FTP username you entered: ***
    FTP password auto generated: ***
    
    Code:
    ---------------------------------------------------------------
    SSL Vhost Setup...
    ---------------------------------------------------------------
    
    ---------------------------------------------------------------
    Generating self signed SSL certificate...
    CSR file can also be used to be submitted for paid SSL certificates
    If using for paid SSL certificates be sure to keep both private key and CSR safe
    creating CSR File: domain1.com.csr
    creating private key: domain1.com.key
    creating self-signed SSL certificate: domain1.com.crt
    Generating a 2048 bit RSA private key
    .............................................+++
    ......+++
    writing new private key to 'domain1.com.key'
    -----
    Signature ok
    subject=/C=US/ST=California/L=Los Angeles/O=domain1.com/OU=domain1.com/CN=domain1.com
    Getting Private key
    
    Code:
    ---------------------------------------------------------------
    Generating dhparam.pem file - can take a few minutes...
    Generating DH parameters, 2048 bit long safe prime, generator 2
    This is going to take a long time
    ...........++*++*
    dhparam file generation time: 29.079570321
    
    Wordpress + WP Plugins auto installation stage
    Code:
    ------------------------------------------------------------
    Setup Wordpress + Super Cache for domain1.com
    ------------------------------------------------------------
    Downloading WordPress 4.3.1 (en_US)...
    Success: WordPress downloaded.
    Success: Generated wp-config.php file.
    0 */4 * * * /usr/bin/cminfo_updater
    */15 * * * * sleep 807s ; wget -O - -q -t 1 http://domain1.com/wp-cron.php?doing_wp_cron=1 > /dev/null 2>&1
    Success: WordPress installed successfully.
    ------------------------------------------------------------
    Installing Responsive (1.9.7.7)
    Downloading install package from http://downloads.wordpress.org/theme/responsive.1.9.7.7.zip...
    Unpacking the package...
    Installing the theme...
    Theme installed successfully.
    Success: Translations updates are not needed for the 'English (US)' locale.
    Activating 'responsive'...
    Success: Switched to 'Responsive' theme.
    ------------------------------------------------------------
    ------------------------------------------------------------
    Installing WP Super Cache (1.4.6)
    Downloading install package from https://downloads.wordpress.org/plugin/wp-super-cache.1.4.6.zip...
    Unpacking the package...
    Installing the plugin...
    Plugin installed successfully.
    Success: Translations updates are not needed for the 'English (US)' locale.
    Activating 'wp-super-cache'...
    Success: Plugin 'wp-super-cache' activated.
    ------------------------------------------------------------
    Installing WP Super Cache - Clear all cache (1.3.1)
    Downloading install package from https://downloads.wordpress.org/plugin/wp-super-cache-clear-cache-menu.1.3.1.zip...
    Unpacking the package...
    Installing the plugin...
    Plugin installed successfully.
    Success: Translations updates are not needed for the 'English (US)' locale.
    Activating 'wp-super-cache-clear-cache-menu'...
    Success: Plugin 'wp-super-cache-clear-cache-menu' activated.
    ------------------------------------------------------------
    Installing Autoptimize (1.9.4)
    Downloading install package from https://downloads.wordpress.org/plugin/autoptimize.1.9.4.zip...
    Unpacking the package...
    Installing the plugin...
    Plugin installed successfully.
    Success: Translations updates are not needed for the 'English (US)' locale.
    Activating 'autoptimize'...
    Success: Plugin 'autoptimize' activated.
    ------------------------------------------------------------
    Installing Rocket Lazy Load (1.0.4)
    Downloading install package from https://downloads.wordpress.org/plugin/rocket-lazy-load.1.0.4.zip...
    Unpacking the package...
    Installing the plugin...
    Plugin installed successfully.
    Success: Translations updates are not needed for the 'English (US)' locale.
    Activating 'rocket-lazy-load'...
    Success: Plugin 'rocket-lazy-load' activated.
    ------------------------------------------------------------
    Installing Acunetix WP Security (4.0.5)
    Downloading install package from https://downloads.wordpress.org/plugin/wp-security-scan.zip...
    Unpacking the package...
    Installing the plugin...
    Plugin installed successfully.
    Success: Translations updates are not needed for the 'English (US)' locale.
    Activating 'wp-security-scan'...
    Success: Plugin 'wp-security-scan' activated.
    ------------------------------------------------------------
    Installing Sucuri Security - Auditing, Malware Scanner and Security Hardening (1.7.16)
    Downloading install package from https://downloads.wordpress.org/plugin/sucuri-scanner.1.7.16.zip...
    Unpacking the package...
    Installing the plugin...
    Plugin installed successfully.
    Success: Translations updates are not needed for the 'English (US)' locale.
    Activating 'sucuri-scanner'...
    Success: Plugin 'sucuri-scanner' activated.
    ------------------------------------------------------------
    Installing Disable XML-RPC (1.0.1)
    Downloading install package from https://downloads.wordpress.org/plugin/disable-xml-rpc.1.0.1.zip...
    Unpacking the package...
    Installing the plugin...
    Plugin installed successfully.
    Success: Translations updates are not needed for the 'English (US)' locale.
    Activating 'disable-xml-rpc'...
    Success: Plugin 'disable-xml-rpc' activated.
    ------------------------------------------------------------
    Installing Limit Login Attempts (1.7.1)
    Downloading install package from https://downloads.wordpress.org/plugin/limit-login-attempts.1.7.1.zip...
    Unpacking the package...
    Installing the plugin...
    Plugin installed successfully.
    Success: Translations updates are not needed for the 'English (US)' locale.
    Activating 'limit-login-attempts'...
    Success: Plugin 'limit-login-attempts' activated.
    ------------------------------------------------------------
    Installing WP Updates Notifier (1.4.3)
    Downloading install package from https://downloads.wordpress.org/plugin/wp-updates-notifier.1.4.3.zip...
    Unpacking the package...
    Installing the plugin...
    Plugin installed successfully.
    Success: Translations updates are not needed for the 'English (US)' locale.
    Activating 'wp-updates-notifier'...
    Success: Plugin 'wp-updates-notifier' activated.
    ------------------------------------------------------------
    Installing No Longer in Directory (1.0.45)
    Downloading install package from https://downloads.wordpress.org/plugin/no-longer-in-directory.zip...
    Unpacking the package...
    Installing the plugin...
    Plugin installed successfully.
    Success: Translations updates are not needed for the 'English (US)' locale.
    Activating 'no-longer-in-directory'...
    Success: Plugin 'no-longer-in-directory' activated.
    ------------------------------------------------------------
    Installing WP-Optimize (1.8.9.10)
    Downloading install package from https://downloads.wordpress.org/plugin/wp-optimize.1.8.9.10.zip...
    Unpacking the package...
    Installing the plugin...
    Plugin installed successfully.
    Success: Translations updates are not needed for the 'English (US)' locale.
    Activating 'wp-optimize'...
    Success: Plugin 'wp-optimize' activated.
    ------------------------------------------------------------
    Installing TPC! Memory Usage (0.9.1)
    Downloading install package from https://downloads.wordpress.org/plugin/tpc-memory-usage.0.9.1.zip...
    Unpacking the package...
    Installing the plugin...
    Plugin installed successfully.
    Success: Translations updates are not needed for the 'English (US)' locale.
    Activating 'tpc-memory-usage'...
    Success: Plugin 'tpc-memory-usage' activated.
    ------------------------------------------------------------
    Installing GTmetrix for WordPress (0.4.1)
    Downloading install package from https://downloads.wordpress.org/plugin/gtmetrix-for-wordpress.0.4.1.zip...
    Unpacking the package...
    Installing the plugin...
    Plugin installed successfully.
    Success: Translations updates are not needed for the 'English (US)' locale.
    Activating 'gtmetrix-for-wordpress'...
    Success: Plugin 'gtmetrix-for-wordpress' activated.
    ------------------------------------------------------------
    Installing P3 (Plugin Performance Profiler) (1.5.3.9)
    Downloading install package from https://downloads.wordpress.org/plugin/p3-profiler.1.5.3.9.zip...
    Unpacking the package...
    Installing the plugin...
    Plugin installed successfully.
    Success: Translations updates are not needed for the 'English (US)' locale.
    Activating 'p3-profiler'...
    Success: Plugin 'p3-profiler' activated.
    ------------------------------------------------------------
    Installing Yoast SEO (3.0.6)
    Downloading install package from https://downloads.wordpress.org/plugin/wordpress-seo.3.0.6.zip...
    Unpacking the package...
    Installing the plugin...
    Plugin installed successfully.
    Success: Translations updates are not needed for the 'English (US)' locale.
    Activating 'wordpress-seo'...
    Success: Plugin 'wordpress-seo' activated.
    ------------------------------------------------------------
    Installing UpdraftPlus Backup and Restoration (1.11.18)
    Downloading install package from https://downloads.wordpress.org/plugin/updraftplus.1.11.18.zip...
    Unpacking the package...
    Installing the plugin...
    Plugin installed successfully.
    Success: Translations updates are not needed for the 'English (US)' locale.
    Activating 'updraftplus'...
    Success: Plugin 'updraftplus' activated.
    ------------------------------------------------------------
    Installing Google Analytics by Yoast (5.4.6)
    Downloading install package from https://downloads.wordpress.org/plugin/google-analytics-for-wordpress.5.4.6.zip...
    Unpacking the package...
    Installing the plugin...
    Plugin installed successfully.
    Success: Translations updates are not needed for the 'English (US)' locale.
    Activating 'google-analytics-for-wordpress'...
    Success: Plugin 'google-analytics-for-wordpress' activated.
    ------------------------------------------------------------
    Installing Heartbeat Control (1.0.3)
    Downloading install package from https://downloads.wordpress.org/plugin/heartbeat-control.zip...
    Unpacking the package...
    Installing the plugin...
    Plugin installed successfully.
    Success: Translations updates are not needed for the 'English (US)' locale.
    Activating 'heartbeat-control'...
    Success: Plugin 'heartbeat-control' activated.
    ------------------------------------------------------------
    ------------------------------------------------------------
    Installing Nginx Helper (1.9.6)
    Downloading install package from https://downloads.wordpress.org/plugin/nginx-helper.1.9.6.zip...
    Unpacking the package...
    Installing the plugin...
    Plugin installed successfully.
    Success: Translations updates are not needed for the 'English (US)' locale.
    ------------------------------------------------------------
    Installing Query Monitor (2.8.1)
    Downloading install package from https://downloads.wordpress.org/plugin/query-monitor.2.8.1.zip...
    Unpacking the package...
    Installing the plugin...
    Plugin installed successfully.
    Success: Translations updates are not needed for the 'English (US)' locale.
    ------------------------------------------------------------
    Installing Gigaom New Relic (0.3)
    Downloading install package from https://downloads.wordpress.org/plugin/go-newrelic.zip...
    Unpacking the package...
    Installing the plugin...
    Plugin installed successfully.
    Success: Translations updates are not needed for the 'English (US)' locale.
    ------------------------------------------------------------
    Installing DB Cache Reloaded Fix (2.3)
    Downloading install package from https://downloads.wordpress.org/plugin/db-cache-reloaded-fix.zip...
    Unpacking the package...
    Installing the plugin...
    Plugin installed successfully.
    Success: Translations updates are not needed for the 'English (US)' locale.
    ------------------------------------------------------------
    Installing Google Authenticator (0.47)
    Downloading install package from https://downloads.wordpress.org/plugin/google-authenticator.0.47.zip...
    Unpacking the package...
    Installing the plugin...
    Plugin installed successfully.
    Success: Translations updates are not needed for the 'English (US)' locale.
    ------------------------------------------------------------
    Installing Smart Layers by AddThis (1.0.10)
    Downloading install package from https://downloads.wordpress.org/plugin/addthis-smart-layers.1.0.10.zip...
    Unpacking the package...
    Installing the plugin...
    Plugin installed successfully.
    Success: Translations updates are not needed for the 'English (US)' locale.
    ------------------------------------------------------------
    Installing Search Regex (1.4.15)
    Downloading install package from https://downloads.wordpress.org/plugin/search-regex.zip...
    Unpacking the package...
    Installing the plugin...
    Plugin installed successfully.
    Success: Translations updates are not needed for the 'English (US)' locale.
    ------------------------------------------------------------
    Installing Disable Emojis (1.5.1)
    Downloading install package from https://downloads.wordpress.org/plugin/disable-emojis.1.5.1.zip...
    Unpacking the package...
    Installing the plugin...
    Plugin installed successfully.
    Success: Translations updates are not needed for the 'English (US)' locale.
    ------------------------------------------------------------
    Installing WP User Avatar (2.0.3)
    Downloading install package from https://downloads.wordpress.org/plugin/wp-user-avatar.zip...
    Unpacking the package...
    Installing the plugin...
    Plugin installed successfully.
    Success: Translations updates are not needed for the 'English (US)' locale.
    ------------------------------------------------------------
    Installing Lazy Load for Videos (2.2.1)
    Downloading install package from https://downloads.wordpress.org/plugin/lazy-load-for-videos.zip...
    Unpacking the package...
    Installing the plugin...
    Plugin installed successfully.
    Success: Translations updates are not needed for the 'English (US)' locale.
    ------------------------------------------------------------
    Downloading update from https://downloads.wordpress.org/plugin/akismet.3.1.5.zip...
    Unpacking the update...
    Installing the latest version...
    Removing the old version of the plugin...
    Plugin updated successfully.
    Success: Translations updates are not needed for the 'English (US)' locale.
    Success: Updated 1/1 plugins.
    name    old_version     new_version     status
    akismet 3.1.3   3.1.5   Updated
    
    31 installed plugins:
      A wp-security-scan                4.0.5
      I addthis-smart-layers            1.0.10
      I akismet                         3.1.5
      A autoptimize                     1.9.4
      I db-cache-reloaded-fix           2.3
      I disable-emojis                  1.5.1
      A disable-xml-rpc                 1.0.1
      I go-newrelic                     0.3
      A google-analytics-for-wordpress  5.4.6
      I google-authenticator            0.47
      A gtmetrix-for-wordpress          0.4.1
      A heartbeat-control               1.0.3
      I hello                           1.6
      I lazy-load-for-videos            2.2.1
      A limit-login-attempts            1.7.1
      I nginx-helper                    1.9.6
      A no-longer-in-directory          1.0.45
      A p3-profiler                     1.5.3.9
      I query-monitor                   2.8.1
      A rocket-lazy-load                1.0.4
      I search-regex                    1.4.15
      A sucuri-scanner                  1.7.16
      A tpc-memory-usage                0.9.1
      A updraftplus                     1.11.18
      A wp-optimize                     1.8.9.10
      A wp-super-cache                  1.4.6
      A wp-super-cache-clear-cache-menu 1.3.1
      A wp-updates-notifier             1.4.3
      I wp-user-avatar                  2.0.3
      A wordpress-seo                   3.0.6
      M p3-profiler                 
    
    Legend: A = Active, I = Inactive, M = Must Use
    ------------------------------------------------------------
    ------------------------------------------------------------
    Created uninstall script
    /root/tools/wp_uninstall_domain1.com.sh
    ------------------------------------------------------------
    ------------------------------------------------------------
    Created wp_updater_domain1.com.sh script
    /root/tools/wp_updater_domain1.com.sh
    ------------------------------------------------------------
    0 */4 * * * /usr/bin/cminfo_updater
    */15 * * * * sleep 807s ; wget -O - -q -t 1 http://domain1.com/wp-cron.php?doing_wp_cron=1 > /dev/null 2>&1
    0 */8 * * * sleep 324s ;/root/tools/wp_updater_domain1.com.sh 2>/dev/null
    Letsencrypt stage
    Code:
    setup general /etc/letsencrypt/webroot.ini letsencrypt config file
    
    Registering an account with Letsencrypt
    You only do this once, so that Letsencrypt can notify &
    contact you via email regarding your SSL certificates
    Enter your email address to setup Letsencrypt account: validemail@addy
    
    You are registering validemail@addy address for Letsencrypt
    
    Actual Letsencrypt webroot authentication step - domain1.com is dummy domain so expected to fail validation/authorization
    Code:
    obtaining Letsencrypt SSL certificate via webroot authentication...
    
    /root/.local/share/letsencrypt/bin/letsencrypt -c /etc/letsencrypt/webroot.ini --user-agent centminmod-centos7-webroot --webroot-path /home/nginx/domains/domain1.com/public -d domain1.com certonly
    Failed authorization procedure. domain1.com (http-01): urn:acme:error:connection :: The server could not connect to the client for DV :: Server failure at resolver
    IMPORTANT NOTES:
    - If you lose your account credentials, you can recover through
       e-mails sent to validemail@addy.
    - The following 'urn:acme:error:connection' errors were reported by
       the server:
    
       Domains: domain1.com
       Error: The server could not connect to the client for DV
    - Your account credentials have been saved in your Let's Encrypt
       configuration directory at /etc/letsencrypt. You should make a
       secure backup of this folder now. This configuration directory will
       also contain certificates and private keys obtained by Let's
       Encrypt so making regular backups of this folder is ideal.
    
    Nginx vhost generated info
    Code:
    -------------------------------------------------------------
    FTP hostname : IP
    FTP port : 21
    FTP mode : FTP (explicit SSL)
    FTP Passive (PASV) : ensure is checked/enabled
    FTP username created for domain1.com : ***
    FTP password created for domain1.com : ***
    -------------------------------------------------------------
    vhost for domain1.com created successfully
    
    domain: http://domain1.com
    vhost conf file for domain1.com created: /usr/local/nginx/conf/conf.d/domain1.com.conf
    
    vhost ssl for domain1.com created successfully
    
    domain: https://domain1.com
    vhost ssl conf file for domain1.com created: /usr/local/nginx/conf/conf.d/domain1.com.ssl.conf
    /usr/local/nginx/conf/ssl_include.conf created
    Self-signed SSL Certificate: /usr/local/nginx/conf/ssl/domain1.com/domain1.com.crt
    SSL Private Key: /usr/local/nginx/conf/ssl/domain1.com/domain1.com.key
    SSL CSR File: /usr/local/nginx/conf/ssl/domain1.com/domain1.com.csr
    Backup SSL Private Key: /usr/local/nginx/conf/ssl/domain1.com/domain1.com-backup.key
    Backup SSL CSR File: /usr/local/nginx/conf/ssl/domain1.com/domain1.com-backup.csr
    
    upload files to /home/nginx/domains/domain1.com/public
    vhost log files directory is /home/nginx/domains/domain1.com/log
    
    ------------------------------------------------------------
    SSH commands to uninstall created Wordpress install and Nginx vhost:
      /root/tools/wp_uninstall_domain1.com.sh
    ------------------------------------------------------------
    
    WP Install specific information
    Code:
    ------------------------------------------------------------
    Wordpress Auto Updater created at:
      /root/tools/wp_updater_domain1.com.sh
    cronjob set for every 8 hours update (3x times per day)
    ------------------------------------------------------------
    
    Wordpress domain: domain1.com
    Wordpress DB Name: wp10893db_4015
    Wordpress DB User: wpdb4015u18259
    Wordpress DB Pass: wpdbeu9CCZYGJ4+xp8547
    Wordpress Admin User ID: 351012
    Wordpress Admin User: z21gTQztjE51arulYjUwp23308
    Wordpress Admin Pass: zYvy8fayN+Wwps9291
    Wordpress Admin Email: validemail@addy
    
    Wordpress wp-login.php password protection info:
    wp-login.php protection file /home/nginx/domains/domain1.com/htpasswd_wplogin
    wp-login.php protection Username: u2axZWuEb4HYwAx21338
    wp-login.php protection Password: phVyz6WksNBuf85m7/qLy21338
    http://u2axZWuEb4HYwAx21338:phVyz6WksNBuf85m7/qLy21338@domain1.com/wp-login.php
    
    Resetting wp-login.php protection:
    Step 1. remove protection file at /home/nginx/domains/domain1.com/htpasswd_wplogin
         rm -rf /home/nginx/domains/domain1.com/htpasswd_wplogin
    Step 2. run command:
         /usr/local/nginx/conf/htpasswd.sh create /home/nginx/domains/domain1.com/htpasswd_wplogin YOURUSERNAME YOURPASSWORD
    Step 3. restart Nginx + PHP-FPM services
         nprestart
    
    -------------------------------------------------------------
    Current vhost listing at: /usr/local/nginx/conf/conf.d/
    
                        
    Nov 5   19:33   1.1K   demodomain.com.conf
    Nov 5   19:33   845    ssl.conf
    Nov 6   05:40   1.6K   virtual.conf
    Dec 2   20:00   2.6K   domain1.com.conf
    Dec 2   20:00   4.9K   domain1.com.ssl.conf
    
    -------------------------------------------------------------
    Current vhost ssl files listing at: /usr/local/nginx/conf/ssl/domain1.com
    
                        
    Dec 2   19:59   1.7K   domain1.com.key
    Dec 2   19:59   1.1K   domain1.com.csr
    Dec 2   19:59   1.3K   domain1.com.crt
    Dec 2   19:59   1.7K   domain1.com-backup.key
    Dec 2   19:59   1.1K   domain1.com-backup.csr
    Dec 2   19:59   45     hpkp-info-primary-pin.txt
    Dec 2   19:59   45     hpkp-info-secondary-pin.txt
    Dec 2   20:00   424    dhparam.pem
    
    ------------------------------------------------------------
    To complete setup:
    1. Enable Permalinks (DO NOT use links with .html extensions for performance reasons) i.e. /%post_id%/%postname%/
    2. Settings Menu > Super Cache > Easy tab and enable it by checking Caching On (Recommended) and hit Update Status
    3. Advanced tab & check Use mod_rewrite serve cache files & Don’t cache pages with GET parameters and Known User.
       (Recommended), Cache rebuild for anonymous users, clear all cache when a post or page updated & hit Update Status
    4. WP Security Menu > Settings > Check All except Enable Live Traffic tool and hit Update settings
    5. Settings Menu > Updates Notifier and setup your notify email address and cronjob (save and test button to check)
    6. Settings Mnenu > Autoptimize and check Optimize HTML, JavaScript and CSS options (show advanced settings)
    7. Settings Menu > Limit Login Attempts and configure as desired or leave as defaults
    8. Sucuri Security Menu and top left click Generate API key for your domain/email and configure your Settings tab
    9. WP-Optimize Menu and configure as needed
    10. Memory Usage Menu > Settings and adjust accordingly
    11. GTmetrix Menu > setup and register your GTmetrix Account and API Key
    12. go-newrelic plugin installed but not activated read https://wordpress.org/plugins/go-newrelic/installation/
    13. Tools > P3 Plugin Profiler > Start Scan to profile all your plugins
    14. Plugins > Query Monitor is disabled by default, enable to check MySQL query stats
    15. Plugins > DB Cache Reloaded disabled by default unsure if works with Wordpress 4.x ?
    16. Appearance > Theme Options (Responsive theme) > Home Page nav bar > Uncheck Overrides Wordpress front page option
    17. Seo Menu (Yoast SEO) > configure accordingly
    18. Settings > UpdraftPlus Backups > Settings set file/database backup intervals & optional backup to remote storage
    19. Analytics > Settings > configure your Google Analytics UA Code
    ------------------------------------------------------------
    
    As dummy domain1.com fails Letsencrypt validation, centmin.sh menu option 22 will fall back to the self-signed SSL certificate which was auto generated and set up.


    FYI, centmin.sh menu option 22 will undergo changes once this branch is merged into 123.09beta01 as I added support for an alternative WP Cache plugin, KeyCDN Cache Enabler instead of WP Super Cache.
     
    Last edited: Dec 3, 2015
  3. eva2000


    Dealing with Cloudflare + Letsencrypt Validations



    Update: Apparently Letsencrypt domain validation works fine for webroot authentication method just not for other authentication methods. So Centmin Mod stack's webroot authentication should work fine !

    Letsencrypt domain validation doesn't work if Cloudflare is used in protection mode in front of your intended domain. So added Cloudflare dns checks into Centmin Mod Letsencrypt integration at update letsencrypt integration add cloudflare check · centminmod/centminmod@8366122 · GitHub which prompts users to disable Cloudflare protection before proceeding with Letsencrypt webroot authentication and domain validation.

    However, also looking at Cloudflare API documentation to disable Cloudflare protection at the API level and I think I found the setting in the paused = true/false setting in Zone properties ?

    Code:
    # zone name, Cloudflare account email and API key go here
    domain=
    cfemail=
    cfkey=
    
    # look up the zone ID for $domain: first "id" field in the JSON reply
    ZID=$(curl -s -X GET "https://api.cloudflare.com/client/v4/zones?name=$domain" -H "X-Auth-Email: $cfemail" -H "X-Auth-Key: $cfkey" -H "Content-Type: application/json" | grep -Po '(?<="id":")[^"]*' | head -1)
    
    # paused=false: Cloudflare proxies/protects the zone again
    curl -X PATCH "https://api.cloudflare.com/client/v4/zones/${ZID}" \
    -H "X-Auth-Email: $cfemail" \
    -H "X-Auth-Key: $cfkey" \
    -H "Content-Type: application/json" \
    --data '{"paused":false}'
    
    # paused=true: Cloudflare is bypassed and traffic reaches the origin directly
    curl -X PATCH "https://api.cloudflare.com/client/v4/zones/${ZID}" \
    -H "X-Auth-Email: $cfemail" \
    -H "X-Auth-Key: $cfkey" \
    -H "Content-Type: application/json" \
    --data '{"paused":true}'
    Will need to test and confirm this before committing such changes to Centmin Mod's Letsencrypt integration :)

    Update: sweet !

    paused = true via API call

    upload_2015-12-7_16-56-36.png

    paused = false via API call

    upload_2015-12-7_16-57-36.png

    Unfortunately, this might not be feasible for folks behind Cloudflare for protection/anti-DDOS reasons, as you do not want to expose your origin server's IP address even temporarily, especially when folks can look up when your Letsencrypt SSL certificate is about to expire and needs renewal.

    I wonder if you can set up a Cloudflare page rule to only allow .well-known URLs to go through?
     
    Last edited: Dec 8, 2015
  4. eva2000

    Letsencrypt SSL certificates RSA Key Sizes: 2048bit vs 3072bit vs 4096bit



    Using Centmin Mod 123.09beta01le2 experimental branch for Letsencrypt SSL integration testing and creating Nginx vhost HTTP/2 enabled sites with Letsencrypt SSL certificates auto created via /usr/bin/nv command line. Three sites are created:

    command options for /usr/bin/nv
    Code:
    nv
    
    Usage: /usr/bin/nv [-d yourdomain.com] [-s y|n|le] [-u ftpusername]
    
      -d  yourdomain.com or subdomain.yourdomain.com
      -s  ssl self-signed create = y or n or le (for letsencrypt ssl certs)
      -u  your FTP username
    
      example:
    
      /usr/bin/nv -d yourdomain.com -s y -u ftpusername
      /usr/bin/nv -d yourdomain.com -s le -u ftpusername
    
    edit /etc/letsencrypt/webroot.ini and change default rsa-key-size before running /usr/bin/nv command to generate nginx vhost HTTP/2 site with letsencrypt ssl certificate

    Code:
    rsa-key-size = 2048
    
    pass -s y for non-letsencrypt self-signed SSL certificates - they all default to 2048bit RSA keys
    Code (Text):
    nv -d le13.http2ssl.xyz -s y -u USERNAME
    

    pass -s le for letsencrypt SSL certificates
    Code (Text):
    nv -d le13.http2ssl.xyz -s le -u USERNAME
    


    Ensure your intended domain already has DNS updated to point to this server's IP address. The nginx vhost creation routine will also check DNS and display the current DNS for the intended domain, giving you time to abort the run and fix up DNS if needed.

    Code (Text):
    ---------------------------------------------------------------
    Nginx Vhost Setup...
    ---------------------------------------------------------------
    
    To get Letsencrypt SSL certificate, you must already have updated intended
    domain vhost name's DNS A record to this server's IP addresss.
    If top level domain, DNS A record is needed also for www. version of domain
    otherwise, Letsencrypt domain name validation will fail.
    
    le13.http2ssl.xyz is not a top level domain
    your server IP address: 104.152.214.220
    current DNS A record IP address for le13.http2ssl.xyz is: 104.152.214.220
    
    Abort this Nginx vhost domain setup to setup proper DNS A record(s) first? [y/n]: n
    Obtain Letsencrypt Free SSL certificate (90 day expiry / renew every 60 days) ? [y/n]: y
    


    Successful nginx vhost site generated with Letsencrypt SSL certificate

    Code:
    obtaining Letsencrypt SSL certificate via webroot authentication...
    
    /root/.local/share/letsencrypt/bin/letsencrypt -c /etc/letsencrypt/webroot.ini --user-agent centminmod-centos6-webroot --webroot-path /home/nginx/domains/le13.http2ssl.xyz/public -d le13.http2ssl.xyz certonly
    IMPORTANT NOTES:
    - Congratulations! Your certificate and chain have been saved at
       /etc/letsencrypt/live/le13.http2ssl.xyz/fullchain.pem. Your cert
       will expire on 2016-04-03. To obtain a new version of the
       certificate in the future, simply run Let's Encrypt again.
    - If you like Let's Encrypt, please consider supporting our work by:
    
       Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
       Donating to EFF:                    https://eff.org/donate-le
    
    Code (Text):
    vhost for le13.http2ssl.xyz created successfully
    
    domain: http://le13.http2ssl.xyz
    vhost conf file for le13.http2ssl.xyz created: /usr/local/nginx/conf/conf.d/le13.http2ssl.xyz.conf
    
    vhost ssl for le13.http2ssl.xyz created successfully
    
    domain: https://le13.http2ssl.xyz
    vhost ssl conf file for le13.http2ssl.xyz created: /usr/local/nginx/conf/conf.d/le13.http2ssl.xyz.ssl.conf
    /usr/local/nginx/conf/ssl_include.conf created
    Self-signed SSL Certificate: /usr/local/nginx/conf/ssl/le13.http2ssl.xyz/le13.http2ssl.xyz.crt
    SSL Private Key: /usr/local/nginx/conf/ssl/le13.http2ssl.xyz/le13.http2ssl.xyz.key
    SSL CSR File: /usr/local/nginx/conf/ssl/le13.http2ssl.xyz/le13.http2ssl.xyz.csr
    Backup SSL Private Key: /usr/local/nginx/conf/ssl/le13.http2ssl.xyz/le13.http2ssl.xyz-backup.key
    Backup SSL CSR File: /usr/local/nginx/conf/ssl/le13.http2ssl.xyz/le13.http2ssl.xyz-backup.csr
    
    Letsencrypt SSL Certificate: /etc/letsencrypt/live/le13.http2ssl.xyz/cert.pem
    Letsencrypt SSL Certificate Private Key: /etc/letsencrypt/live/le13.http2ssl.xyz/privkey.pem
    Letsencrypt SSL Certificate Chain: /etc/letsencrypt/live/le13.http2ssl.xyz/chain.pem
    Letsencrypt SSL Certificate Full Chain: /etc/letsencrypt/live/le13.http2ssl.xyz/fullchain.pem
    Letsencrypt le13.http2ssl.xyz cronjob file: /usr/local/nginx/conf/ssl/le13.http2ssl.xyz/letsencrypt-le13.http2ssl.xyz-cron
    
    upload files to /home/nginx/domains/le13.http2ssl.xyz/public
    vhost log files directory is /home/nginx/domains/le13.http2ssl.xyz/log
    


    Then proceed to generate the other 2 Nginx HTTP/2 based sites, one with RSA key size 3072bit and the other with 4096bit.

    edit /etc/letsencrypt/webroot.ini and change default rsa-key-size before running /usr/bin/nv command to generate nginx vhost HTTP/2 site with letsencrypt ssl certificate

    Code:
    rsa-key-size = 3072
    
    pass -s y for non-letsencrypt self-signed SSL certificates - they all default to 2048bit RSA keys
    Code (Text):
    nv -d le14.http2ssl.xyz -s y -u USERNAME
    

    pass -s le for letsencrypt SSL certificates
    Code (Text):
    nv -d le14.http2ssl.xyz -s le -u USERNAME
    


    edit /etc/letsencrypt/webroot.ini and change default rsa-key-size before running /usr/bin/nv command to generate nginx vhost HTTP/2 site with letsencrypt ssl certificate

    Code:
    rsa-key-size = 4096
    
    pass -s y for non-letsencrypt self-signed SSL certificates - they all default to 2048bit RSA keys
    Code (Text):
    nv -d le15.http2ssl.xyz -s y -u USERNAME
    

    pass -s le for letsencrypt SSL certificates
    Code (Text):
    nv -d le15.http2ssl.xyz -s le -u USERNAME
    


    Doh, ran into the Letsencrypt rate limit for the le15 site, so will need to wait :( It seems Centmin Mod LEMP stack's auto renewal cronjob ran for renewing my earlier generated Let's Encrypt SSL certificates for le10.http2ssl.xyz, le11.http2ssl.xyz and le12.http2ssl.xyz domains on Jan 1st, 2016, so they took up my free slots and put me over the rate limit threshold!

    Code (Text):
    obtaining Letsencrypt SSL certificate via webroot authentication...
    
    /root/.local/share/letsencrypt/bin/letsencrypt -c /etc/letsencrypt/webroot.ini --user-agent centminmod-centos6-webroot --webroot-path /home/nginx/domains/le15.http2ssl.xyz/public -d le15.http2ssl.xyz certonly
    An unexpected error occurred:
    There were too many requests of a given type :: Error creating new cert :: Too many certificates already issued for: http2ssl.xyz
    Please see the logfiles in /var/log/letsencrypt for more details.
    


    Code (Text):
    ./expirydate.sh
    
    /etc/letsencrypt/live/le10.http2ssl.xyz/cert.pem
    certificate expires in 86 days on 31 Mar 2016
    
    /etc/letsencrypt/live/le11.http2ssl.xyz/cert.pem
    certificate expires in 86 days on 31 Mar 2016
    
    /etc/letsencrypt/live/le12.http2ssl.xyz/cert.pem
    certificate expires in 86 days on 31 Mar 2016
    
    /etc/letsencrypt/live/le14.http2ssl.xyz/cert.pem
    certificate expires in 89 days on 3 Apr 2016
    
    /etc/letsencrypt/live/le13.http2ssl.xyz/cert.pem
    certificate expires in 89 days on 3 Apr 2016


    Update: reran creation of rsa key 4096 sized le15.http2ssl.xyz
    Code (Text):
    nv -d le15.http2ssl.xyz -s le -u USERNAME
    

    section related to letsencrypt :)
    Code:
    /root/.local/share/letsencrypt/bin/letsencrypt -c /etc/letsencrypt/webroot.ini --user-agent centminmod-centos6-webroot --webroot-path /home/nginx/domains/le15.http2ssl.xyz/public -d le15.http2ssl.xyz certonly
    IMPORTANT NOTES:
    - Congratulations! Your certificate and chain have been saved at
       /etc/letsencrypt/live/le15.http2ssl.xyz/fullchain.pem. Your cert
       will expire on 2016-04-15. To obtain a new version of the
       certificate in the future, simply run Let's Encrypt again.
    - If you like Let's Encrypt, please consider supporting our work by:
    
       Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
       Donating to EFF:                    https://eff.org/donate-le
    Code (Text):
    ./expirydate.sh
    
    /etc/letsencrypt/live/le10.http2ssl.xyz/cert.pem
    certificate expires in 74 days on 31 Mar 2016
    
    /etc/letsencrypt/live/le11.http2ssl.xyz/cert.pem
    certificate expires in 74 days on 31 Mar 2016
    
    /etc/letsencrypt/live/le15.http2ssl.xyz/cert.pem
    certificate expires in 89 days on 15 Apr 2016
    
    /etc/letsencrypt/live/le12.http2ssl.xyz/cert.pem
    certificate expires in 74 days on 31 Mar 2016
    
    /etc/letsencrypt/live/le14.http2ssl.xyz/cert.pem
    certificate expires in 77 days on 3 Apr 2016
    
    /etc/letsencrypt/live/le13.http2ssl.xyz/cert.pem
    certificate expires in 77 days on 3 Apr 2016
     
    Last edited: Jan 17, 2016
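    The expirydate.sh output above only reports days remaining; the thread's earlier cron change also decides whether to renew based on a 30 day threshold. Added example (not Centmin Mod's expirydate.sh or its cron file): a bash reimplementation of the report plus that renewal decision, with the notAfter parsing split out so it can be checked against the dates shown above; `RENEW_THRESHOLD_DAYS` and the function names are assumptions, and GNU `date -d` is assumed.

```shell
#!/bin/bash
# Added example, not Centmin Mod's own expirydate.sh.
# Renew only when fewer than this many days remain (matches the cron rule above).
RENEW_THRESHOLD_DAYS=30

# days_until NOTAFTER NOW_EPOCH
# NOTAFTER is in the format openssl prints (e.g. "Mar 31 23:59:59 2016 GMT");
# prints whole days between NOW_EPOCH and that date (negative once expired).
days_until() {
  local notafter="$1" now="$2" exp
  exp=$(date -u -d "$notafter" +%s) || return 1
  echo $(( (exp - now) / 86400 ))
}

# renew_decision DAYS -> prints "renew" or "skip"
renew_decision() {
  local days="$1"
  if [ "$days" -lt "$RENEW_THRESHOLD_DAYS" ]; then
    echo renew
  else
    echo skip
  fi
}

# report_cert CERT.pem [NOW_EPOCH]
# Reads notAfter from a PEM certificate and prints the same two lines as
# expirydate.sh, followed by the renewal decision for the cron job.
report_cert() {
  local pem="$1" now="${2:-$(date -u +%s)}" notafter days
  notafter=$(openssl x509 -in "$pem" -noout -enddate | sed 's/^notAfter=//') || return 1
  days=$(days_until "$notafter" "$now") || return 1
  printf '%s\ncertificate expires in %s days on %s\n' \
    "$pem" "$days" "$(date -u -d "$notafter" '+%-d %b %Y')"
  renew_decision "$days"
}

# Typical cron use: iterate over /etc/letsencrypt/live/*/cert.pem and only
# invoke the letsencrypt client for the ones reporting "renew".
```

Run against a real certificate with `report_cert /etc/letsencrypt/live/example/cert.pem`; the 86 and 74 day figures in the two expirydate.sh runs above correspond to checks on Jan 5 and Jan 17, 2016.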
  5. eva2000
    Last edited: Jan 17, 2016
  6. eva2000

    Letsencrypt SSL certificates RSA Key Sizes: 2048bit vs 3072bit vs 4096bit continued...



    Continuing testing of different Letsencrypt SSL certificates RSA key size for 2048bit vs 3072bit vs 4096bit as originally outlined at https://community.centminmod.com/posts/23476/

    Using Centmin Mod 123.09beta01le3 experimental branch for Letsencrypt SSL integration testing and creating Nginx vhost HTTP/2 enabled sites with Letsencrypt SSL certificates auto created via /usr/bin/nv command line. Three sites are created:
    Code (Text):
    /expirydate.sh
    
    /etc/letsencrypt/live/le10.http2ssl.xyz/cert.pem
    certificate expires in 74 days on 31 Mar 2016
    
    /etc/letsencrypt/live/le11.http2ssl.xyz/cert.pem
    certificate expires in 74 days on 31 Mar 2016
    
    /etc/letsencrypt/live/le15.http2ssl.xyz/cert.pem
    certificate expires in 89 days on 15 Apr 2016
    
    /etc/letsencrypt/live/le12.http2ssl.xyz/cert.pem
    certificate expires in 74 days on 31 Mar 2016
    
    /etc/letsencrypt/live/le14.http2ssl.xyz/cert.pem
    certificate expires in 77 days on 3 Apr 2016
    
    /etc/letsencrypt/live/le13.http2ssl.xyz/cert.pem
    certificate expires in 77 days on 3 Apr 2016
    


    The stronger the RSA key is, the more time it takes for SSL negotiation. Tested using Webpagetest.org San Jose Cable 5Mbps on each site with 5 runs each, taking the median.

    2048bit RSA Key = SSL Negotiation: 84 ms
    Code:
    URL: https://le13.http2ssl.xyz/
    Host: le13.http2ssl.xyz
    Error/Status Code: 200
    Priority: VeryHigh
    Client Port: 0
    Request Start: 0.159 s
    DNS Lookup: 34 ms
    Initial Connection: 40 ms
    SSL Negotiation: 84 ms
    Time to First Byte: 45 ms
    Content Download: 4 ms
    Bytes In (downloaded): 0.7 KB
    Bytes Out (uploaded): 0.4 KB
    3072bit RSA key = SSL Negotiation: 87 ms ~3.57% slower than 2048bit RSA key
    Code:
    URL: https://le14.http2ssl.xyz/
    Host: le14.http2ssl.xyz
    Error/Status Code: 200
    Priority: VeryHigh
    Client Port: 0
    Request Start: 0.161 s
    DNS Lookup: 33 ms
    Initial Connection: 40 ms
    SSL Negotiation: 87 ms
    Time to First Byte: 45 ms
    Content Download: 3 ms
    Bytes In (downloaded): 0.7 KB
    Bytes Out (uploaded): 0.4 KB
    4096bit RSA key = SSL Negotiation: 95 ms ~13.1% slower than 2048bit RSA key and ~9.2% slower than 3072bit RSA key
    Code:
    URL: https://le15.http2ssl.xyz/
    Host: le15.http2ssl.xyz
    Error/Status Code: 200
    Priority: VeryHigh
    Client Port: 0
    Request Start: 0.169 s
    DNS Lookup: 33 ms
    Initial Connection: 41 ms
    SSL Negotiation: 95 ms
    Time to First Byte: 45 ms
    Content Download: 4 ms
    Bytes In (downloaded): 0.7 KB
    Bytes Out (uploaded): 0.4 KB
    This was tested over a single index.html default placeholder page.
     
    Last edited: Jan 17, 2016