
Letsencrypt Letsencrypt SSL certificate on Centmin Mod Nginx HTTP/2

Discussion in 'Domains, DNS, Email & SSL Certificates' started by eva2000, Aug 29, 2015.

  1. eva2000

    eva2000 Administrator Staff Member

    Playing with letsencrypt preview client and managed to get my first test letsencrypt SSL certificate generated for site https://le1.http2ssl.xyz/ on Centmin Mod 123.09beta01 branch via /usr/bin/nv to first generate the nginx vhost + nginx ssl vhost and then letsencrypt to manually generate the SSL cert, private key etc and then manually alter the nginx ssl vhost config to point to those letsencrypt SSL certs :D

    Update: December 30th, 2015: created a new Centmin Mod experimental branch 123.09beta01le2 which merges 123.09beta01 + 123.09beta01le (letsencrypt) for testing.

    Prep Work for Nginx Vhosts



    Centmin Mod generates the Nginx vhost via /usr/bin/nv with SSL enabled for self-signed SSL (-s y)

    Code:
    nv -d le1.http2ssl.xyz -s y -u ftpuser01
    You'll end up with both http at /usr/local/nginx/conf/conf.d/le1.http2ssl.xyz.conf and https SSL nginx vhosts at /usr/local/nginx/conf/conf.d/le1.http2ssl.xyz.ssl.conf

    Output of nv command below

    Code:
    ---------------------------------------------------------------
    Nginx Vhost Setup...
    ---------------------------------------------------------------
    
    ---------------------------------------------------------------
    SSL Vhost Setup...
    ---------------------------------------------------------------
    ---------------------------------------------------------------
    Generating self signed SSL certificate...
    CSR file can also be used to be submitted for paid SSL certificates
    If using for paid SSL certificates be sure to keep both private key and CSR safe
    creating CSR File: le1.http2ssl.xyz.csr
    creating private key: le1.http2ssl.xyz.key
    creating self-signed SSL certificate: le1.http2ssl.xyz.crt
    Generating a 2048 bit RSA private key
    ................+++
    ...........+++
    writing new private key to 'le1.http2ssl.xyz.key'
    -----
    Signature ok
    subject=/C=US/ST=California/L=Los Angeles/O=le1.http2ssl.xyz/OU=IT/CN=le1.http2ssl.xyz
    Getting Private key
    
    ---------------------------------------------------------------
    Generating backup CSR and private key for HTTP Public Key Pinning...
    creating CSR File: le1.http2ssl.xyz-backup.csr
    creating private key: le1.http2ssl.xyz-backup.key
    Generating a 2048 bit RSA private key
    .................+++
    ....................................................+++
    writing new private key to 'le1.http2ssl.xyz-backup.key'
    -----
    
    ---------------------------------------------------------------
    Extracting Base64 encoded information for primary and secondary
    private key's SPKI - Subject Public Key Information
    Primary private key - le1.http2ssl.xyz.key
    Backup private key - le1.http2ssl.xyz-backup.key
    For HPKP - HTTP Public Key Pinning hash generation...
    
    extracting SPKI Base64 encoded hash for primary private key = le1.http2ssl.xyz.key ...
    writing RSA key
    yWwLUfWRhv9gkbJo4KMOpfevrGyrn3lQ2X04CiyKDsI=
    
    extracting SPKI Base64 encoded hash for backup private key = le1.http2ssl.xyz-backup.key ...
    writing RSA key
    h9P0zmpPmBTuqUewOtw2oLm4a89754+Ia17UN8bWn08=
    
    HTTP Public Key Pinning Header for Nginx
    
    for 7 days max-age including subdomains
    
    add_header Public-Key-Pins 'pin-sha256="yWwLUfWRhv9gkbJo4KMOpfevrGyrn3lQ2X04CiyKDsI="; pin-sha256="h9P0zmpPmBTuqUewOtw2oLm4a89754+Ia17UN8bWn08="; max-age=604800; includeSubDomains';
    
    for 7 days max-age excluding subdomains
    
    add_header Public-Key-Pins 'pin-sha256="yWwLUfWRhv9gkbJo4KMOpfevrGyrn3lQ2X04CiyKDsI="; pin-sha256="h9P0zmpPmBTuqUewOtw2oLm4a89754+Ia17UN8bWn08="; max-age=604800';
    
    ---------------------------------------------------------------
    Generating dhparam.pem file - can take a few minutes...
    Generating DH parameters, 2048 bit long safe prime, generator 2
    This is going to take a long time
    ...............................................................++*++*
    dhparam file generation time: 176.171860408
    
    -------------------------------------------------------------
    nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
    nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
    Stopping nginx:                                            [  OK  ]
    Starting nginx:                                            [  OK  ]
    
    -------------------------------------------------------------
    vhost for le1.http2ssl.xyz created successfully
    
    domain: http://le1.http2ssl.xyz
    vhost conf file for le1.http2ssl.xyz created: /usr/local/nginx/conf/conf.d/le1.http2ssl.xyz.conf
    
    vhost ssl for le1.http2ssl.xyz created successfully
    
    domain: https://le1.http2ssl.xyz
    vhost ssl conf file for le1.http2ssl.xyz created: /usr/local/nginx/conf/conf.d/le1.http2ssl.xyz.ssl.conf
    /usr/local/nginx/conf/ssl_include.conf created
    Self-signed SSL Certificate: /usr/local/nginx/conf/ssl/le1.http2ssl.xyz/le1.http2ssl.xyz.crt
    SSL Private Key: /usr/local/nginx/conf/ssl/le1.http2ssl.xyz/le1.http2ssl.xyz.key
    SSL CSR File: /usr/local/nginx/conf/ssl/le1.http2ssl.xyz/le1.http2ssl.xyz.csr
    Backup SSL Private Key: /usr/local/nginx/conf/ssl/le1.http2ssl.xyz/le1.http2ssl.xyz-backup.key
    Backup SSL CSR File: /usr/local/nginx/conf/ssl/le1.http2ssl.xyz/le1.http2ssl.xyz-backup.csr
    
    upload files to /home/nginx/domains/le1.http2ssl.xyz/public
    vhost log files directory is /home/nginx/domains/le1.http2ssl.xyz/log
    
    -------------------------------------------------------------
    Current vhost listing at: /usr/local/nginx/conf/conf.d/
    
    Aug 29  03:12   1.6K   virtual.conf
    Aug 29  03:12   845    ssl.conf
    Aug 29  03:12   1.1K   demodomain.com.conf
    Aug 29  03:45   3.8K   http2ssl.xyz.ssl.conf
    Aug 29  03:45   1.6K   http2ssl.xyz.conf
    Aug 29  03:49   1.6K   le1.http2ssl.xyz.conf
    Aug 29  03:49   3.9K   le1.http2ssl.xyz.ssl.conf
    
    -------------------------------------------------------------
    Current vhost ssl files listing at: /usr/local/nginx/conf/ssl/le1.http2ssl.xyz
    
    Aug 29  03:46   1.7K   le1.http2ssl.xyz.key
    Aug 29  03:46   1.1K   le1.http2ssl.xyz.csr
    Aug 29  03:46   1.3K   le1.http2ssl.xyz.crt
    Aug 29  03:46   1.7K   le1.http2ssl.xyz-backup.key
    Aug 29  03:46   1.1K   le1.http2ssl.xyz-backup.csr
    Aug 29  03:46   45     hpkp-info-secondary-pin.txt
    Aug 29  03:46   45     hpkp-info-primary-pin.txt
    Aug 29  03:49   424    dhparam.pem
    
    -------------------------------------------------------------
    Commands to remove le1.http2ssl.xyz
    
    rm -rf /usr/local/nginx/conf/conf.d/le1.http2ssl.xyz.conf
    rm -rf /usr/local/nginx/conf/conf.d/le1.http2ssl.xyz.ssl.conf
    rm -rf /usr/local/nginx/conf/ssl/le1.http2ssl.xyz/le1.http2ssl.xyz.crt
    rm -rf /usr/local/nginx/conf/ssl/le1.http2ssl.xyz/le1.http2ssl.xyz.key
    rm -rf /usr/local/nginx/conf/ssl/le1.http2ssl.xyz/le1.http2ssl.xyz.csr
    rm -rf /usr/local/nginx/conf/ssl/le1.http2ssl.xyz
    rm -rf /home/nginx/domains/le1.http2ssl.xyz
    service nginx restart
    -------------------------------------------------------------
    Alter your /usr/local/nginx/conf/staticfiles.conf file via command shortcut = statfilesinc and add a location directory to allow dot prefix file that letsencrypt checks as it's blocked by default in latest Centmin Mod LEMP installs and restart Nginx server. See issue at "Manual mode instructions fail in Nginx default configs that forbid serving dotfiles" (Issue #730 · letsencrypt/letsencrypt · GitHub)

    Code:
    location ~ /.well-known {
          location ~ /.well-known/acme-challenge/(.*) {
                  more_set_headers    "Content-Type: application/jose+json";
          }
    }
    

    Install Letsencrypt Preview Client



    It's preview as there's no CA trust certs in browsers so like self-signed SSL your browser will report untrusted.

    Code:
    mkdir -p /root/tools
    cd /root/tools
    git clone https://github.com/letsencrypt/letsencrypt
    cd letsencrypt
    ./bootstrap/centos.sh
    virtualenv --no-site-packages -p python2 venv
    ./venv/bin/pip install -r requirements.txt acme/ . letsencrypt-apache/ letsencrypt-nginx/
    Then need to launch letsencrypt manual authentication mode for getting le1.http2ssl.xyz certificate

    Code:
    ./venv/bin/letsencrypt -d le1.http2ssl.xyz auth
    select option 2 for manual authentication



    You'll get a message like the following

    Code:
    Make sure your web server displays the following content at
    https://le1.http2ssl.xyz/.well-known/acme-challenge/lcgzR4B6LeGkX4msvJcMLT6lG9PqmkNyghtbpv-jc08 before continuing:
    
    >[O
    
    Content-Type header MUST be set to application/jose+json.
    
    If you don't have HTTP server configured, you can run the following
    command on the target server (as root):
    
    mkdir -p /tmp/letsencrypt/public_html/.well-known/acme-challenge
    cd /tmp/letsencrypt/public_html
    echo -n '{"header": {"alg": "RS256", "jwk": {"e": "AQAB", "kty": "RSA", "n": "vnWsLwWKjtO9FauytS7D2UCYJHpjIx53FvN7PDpnr0FGgfpqYxpj-P8QoNQnHxUg7Sq8FlnZrYiUJ3vEmJq8DAtUPej4lridXsPTEAFUFqx587A8DQHF09imk6VqJy8YxeAEFZ_7YID-cQGzLcScN7ZjIKnz5FsWpZgj-Qsuz-Xra5C7CQeZixpfVFOsQQN0A8-Snwbx-yq_SBNlIcPrJ0oc69jCqGVJJnS6E-QNq15Y7ipRkZngz7SLbrOA-BwZJ4g3DwGM0PwRZh0_dmRogbKtqNd__0wHwjsLnMrghJ3SU6rgzpZASg8o4V8oVqjji9jTk5rWzWquyEgKkuNdYQ"}}, "payload": "eyJ0bHMiOiB0cnVlLCAidG9rZW4iOiAibGNnelI0QjZMZUdrWDRtc3ZKY01MVDZsRzlQcW1rTnlnaHRicHYtamMwOCIsICJ0eXBlIjogInNpbXBsZUh0dHAifQ", "signature": "M3Y0wxGGLGpQcG6D4E3Jj1P_z-HVf6S2MZjE8M02sILq1DNztphXXxfR9hO55IC24bU1chXIHrpK25oiffgoeWyM-0sLc3vfWimVgRIGKMokU48QrBAvPIK_CjS52nZkPXmdF0eR6e39__gqvkYwn4vjLaTinBQzVD58hcyfpG99MdPLj0FaDIzQ6_ZLe4XUOMvCWOPxt3-ChQMc9YdKI-jS5vLytOJE_AiaB4STDXL-MqW8eaAxo1LyP_WaBHImyQR8fqTYoHH--dAypkUXFDwoMcbLMq8_4VhRdKEDI_-xpOB-bqLnE1KHoFs6hj8U0ZPeBFAsXiBuzp8Q0MbDcA"}' > .well-known/acme-challenge/lcgzR4B6LeGkX4msvJcMLT6lG9PqmkNyghtbpv-jc08
    # run only once per server:
    openssl req -new -newkey rsa:4096 -subj "/" -days 1 -nodes -x509 -keyout ../key.pem -out ../cert.pem
    $(command -v python2 || command -v python2.7 || command -v python2.6) -c \
    "import BaseHTTPServer, SimpleHTTPServer, ssl; \
    SimpleHTTPServer.SimpleHTTPRequestHandler.extensions_map = {'': 'application/jose+json'}; \
    s = BaseHTTPServer.HTTPServer(('', 443), SimpleHTTPServer.SimpleHTTPRequestHandler); \
    s.socket = ssl.wrap_socket(s.socket, keyfile='../key.pem', certfile='../cert.pem'); \
    s.serve_forever()"
    Press ENTER to continue
    Before hitting ENTER, start a 2nd SSH session window and you need to manually run some commands for Centmin Mod Nginx paths. Notice above has 3 commands starting with mkdir, cd and echo. You need to change that to

    Code:
    cd /home/nginx/domains/le1.http2ssl.xyz/public
    mkdir -p .well-known/acme-challenge
    echo -n '{"header": {"alg": "RS256", "jwk": {"e": "AQAB", "kty": "RSA", "n": "vnWsLwWKjtO9FauytS7D2UCYJHpjIx53FvN7PDpnr0FGgfpqYxpj-P8QoNQnHxUg7Sq8FlnZrYiUJ3vEmJq8DAtUPej4lridXsPTEAFUFqx587A8DQHF09imk6VqJy8YxeAEFZ_7YID-cQGzLcScN7ZjIKnz5FsWpZgj-Qsuz-Xra5C7CQeZixpfVFOsQQN0A8-Snwbx-yq_SBNlIcPrJ0oc69jCqGVJJnS6E-QNq15Y7ipRkZngz7SLbrOA-BwZJ4g3DwGM0PwRZh0_dmRogbKtqNd__0wHwjsLnMrghJ3SU6rgzpZASg8o4V8oVqjji9jTk5rWzWquyEgKkuNdYQ"}}, "payload": "eyJ0bHMiOiB0cnVlLCAidG9rZW4iOiAibGNnelI0QjZMZUdrWDRtc3ZKY01MVDZsRzlQcW1rTnlnaHRicHYtamMwOCIsICJ0eXBlIjogInNpbXBsZUh0dHAifQ", "signature": "M3Y0wxGGLGpQcG6D4E3Jj1P_z-HVf6S2MZjE8M02sILq1DNztphXXxfR9hO55IC24bU1chXIHrpK25oiffgoeWyM-0sLc3vfWimVgRIGKMokU48QrBAvPIK_CjS52nZkPXmdF0eR6e39__gqvkYwn4vjLaTinBQzVD58hcyfpG99MdPLj0FaDIzQ6_ZLe4XUOMvCWOPxt3-ChQMc9YdKI-jS5vLytOJE_AiaB4STDXL-MqW8eaAxo1LyP_WaBHImyQR8fqTYoHH--dAypkUXFDwoMcbLMq8_4VhRdKEDI_-xpOB-bqLnE1KHoFs6hj8U0ZPeBFAsXiBuzp8Q0MbDcA"}' > .well-known/acme-challenge/lcgzR4B6LeGkX4msvJcMLT6lG9PqmkNyghtbpv-jc08
    
    This will create the ACME challenge file at https://le1.http2ssl.xyz/.well-known/acme-challenge/lcgzR4B6LeGkX4msvJcMLT6lG9PqmkNyghtbpv-jc08 which is used as a form of domain validation for your domain you want to obtain a Letsencrypt SSL certificate for

    You can use curl to check the file and headers
    Code:
    curl -Ik https://le1.http2ssl.xyz/.well-known/acme-challenge/lcgzR4B6LeGkX4msvJcMLT6lG9PqmkNyghtbpv-jc08
    HTTP/1.1 200 OK
    Date: Sat, 29 Aug 2015 07:51:27 GMT
    Content-Type: application/jose+json
    Content-Length: 911
    Last-Modified: Sat, 29 Aug 2015 07:51:14 GMT
    Connection: keep-alive
    ETag: "55e16472-38f"
    Server: nginx centminmod
    Alternate-Protocol: 443:npn-spdy/3
    Accept-Ranges: bytes
    Then next switch to the first SSH window which is still at the ENTER prompt and then hit ENTER

    You'll get an error but it can be ignored: "Disable InsecureRequestWarning for the SimpleHTTP.simple_verify" (Issue #737 · letsencrypt/letsencrypt · GitHub). Check the 3 messages further below which mean SSL certificate was generated

    Code:
    /root/tools/letsencrypt/venv/lib/python2.6/site-packages/requests/packages/urllib3/connectionpool.py:768: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.org/en/latest/security.html
      InsecureRequestWarning)
    
    IMPORTANT NOTES:
    - If you lose your account credentials, you can recover through
       e-mails sent to YOUREMAIL.
    - Your account credentials have been saved in your Let's Encrypt
       configuration directory at /etc/letsencrypt. You should make a
       secure backup of this folder now. This configuration directory will
       also contain certificates and private keys obtained by Let's
       Encrypt so making regular backups of this folder is ideal.
    - Automatic renewal and deployment has been enabled for your
       certificate. These settings can be configured in the directories
       under /etc/letsencrypt/configs.
    It's not that clear that SSL certs are obtained, there's an issue logged at "Report certificate creation explicitly" (Issue #736 · letsencrypt/letsencrypt · GitHub)

    The Letsencrypt SSL certs are located in /etc/letsencrypt/live/ directory i.e. /etc/letsencrypt/live/le1.http2ssl.xyz/

    Code:
    ls -lAhrt /etc/letsencrypt/live/le1.http2ssl.xyz/
    total 0
    lrwxrwxrwx 1 root root 43 Aug 29 07:52 privkey.pem -> ../../archive/le1.http2ssl.xyz/privkey1.pem
    lrwxrwxrwx 1 root root 45 Aug 29 07:52 fullchain.pem -> ../../archive/le1.http2ssl.xyz/fullchain1.pem
    lrwxrwxrwx 1 root root 41 Aug 29 07:52 chain.pem -> ../../archive/le1.http2ssl.xyz/chain1.pem
    lrwxrwxrwx 1 root root 40 Aug 29 07:52 cert.pem -> ../../archive/le1.http2ssl.xyz/cert1.pem

    Centmin Mod Nginx SSL Vhost for Letsencrypt



    Now to put in place these test Letsencrypt SSL certs in /usr/local/nginx/conf/conf.d/le1.http2ssl.xyz.ssl.conf edit it and comment out existing ssl_certificate and ssl_certificate_key lines and replace with Letsencrypt paths

    Code:
    server {
      listen 443 ssl http2;
      server_name le1.http2ssl.xyz www.le1.http2ssl.xyz;
    
      ssl_dhparam /usr/local/nginx/conf/ssl/le1.http2ssl.xyz/dhparam.pem;
      # letsencrypt
      ssl_certificate /etc/letsencrypt/live/le1.http2ssl.xyz/fullchain.pem;
      ssl_certificate_key /etc/letsencrypt/live/le1.http2ssl.xyz/privkey.pem;
    
      #ssl_certificate      /usr/local/nginx/conf/ssl/le1.http2ssl.xyz/le1.http2ssl.xyz.crt;
      #ssl_certificate_key  /usr/local/nginx/conf/ssl/le1.http2ssl.xyz/le1.http2ssl.xyz.key;
    Then restart nginx server

    Code:
    ngxrestart

    cipherscan

    Code:
    cipherscan le1.http2ssl.xyz:443     
    .....................
    Target: le1.http2ssl.xyz:443
    
    prio  ciphersuite                  protocols              pfs                 curves
    1     ECDHE-RSA-CHACHA20-POLY1305  TLSv1.2                ECDH,P-256,256bits  prime256v1
    2     ECDHE-RSA-AES128-GCM-SHA256  TLSv1.2                ECDH,P-256,256bits  prime256v1
    3     ECDHE-RSA-AES256-GCM-SHA384  TLSv1.2                ECDH,P-256,256bits  prime256v1
    4     DHE-RSA-AES128-GCM-SHA256    TLSv1.2                DH,2048bits         None
    5     DHE-RSA-AES256-GCM-SHA384    TLSv1.2                DH,2048bits         None
    6     ECDHE-RSA-AES128-SHA256      TLSv1.2                ECDH,P-256,256bits  prime256v1
    7     ECDHE-RSA-AES128-SHA         TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits  prime256v1
    8     ECDHE-RSA-AES256-SHA384      TLSv1.2                ECDH,P-256,256bits  prime256v1
    9     ECDHE-RSA-AES256-SHA         TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits  prime256v1
    10    DHE-RSA-AES128-SHA256        TLSv1.2                DH,2048bits         None
    11    DHE-RSA-AES128-SHA           TLSv1,TLSv1.1,TLSv1.2  DH,2048bits         None
    12    DHE-RSA-AES256-SHA256        TLSv1.2                DH,2048bits         None
    13    DHE-RSA-AES256-SHA           TLSv1,TLSv1.1,TLSv1.2  DH,2048bits         None
    14    AES128-GCM-SHA256            TLSv1.2                None                None
    15    AES256-GCM-SHA384            TLSv1.2                None                None
    16    AES128-SHA256                TLSv1.2                None                None
    17    AES256-SHA256                TLSv1.2                None                None
    18    AES128-SHA                   TLSv1,TLSv1.1,TLSv1.2  None                None
    19    AES256-SHA                   TLSv1,TLSv1.1,TLSv1.2  None                None
    20    DES-CBC3-SHA                 TLSv1,TLSv1.1,TLSv1.2  None                None
    
    Certificate: UNTRUSTED, 2048 bit, sha256WithRSAEncryption signature
    TLS ticket lifetime hint: 3600
    OCSP stapling: not supported
    Cipher ordering: server
    
    Fallbacks required:
    big-SSLv3 config not supported, connection failed
    big-TLSv1.0 no fallback req, connected: TLSv1 ECDHE-RSA-AES128-SHA
    big-TLSv1.1 no fallback req, connected: TLSv1.1 ECDHE-RSA-AES128-SHA
    big-TLSv1.2 no fallback req, connected: TLSv1.2 ECDHE-RSA-CHACHA20-POLY1305
    Code:
    h2i -insecure=true le1.http2ssl.xyz   
    Connecting to le1.http2ssl.xyz:443 ...
    Connected to 23.92.216.163:443
    Negotiated protocol "h2"
    [FrameHeader SETTINGS len=18]
      [MAX_CONCURRENT_STREAMS = 128]
      [INITIAL_WINDOW_SIZE = 2147483647]
      [MAX_FRAME_SIZE = 16777215]
    [FrameHeader WINDOW_UPDATE len=4]
      Window-Increment = 2147418112
     
    Last edited: Dec 30, 2015
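
Added example (not from the original post or the Centmin Mod project): the Public-Key-Pins values printed by nv above are hashes of le1.http2ssl.xyz.key and its backup key, while the vhost is then repointed at the Let's Encrypt privkey.pem, so those pins no longer describe the key being served. This script reuses the post's openssl pipeline to check whether a vhost's pins still cover its active ssl_certificate_key; the function names and the constructed sample vhost are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not Centmin Mod code. All function names are hypothetical.

# SPKI pin of an RSA private key, using the same openssl pipeline as the post.
spki_pin() {
  openssl rsa -in "$1" -noout 2>/dev/null || { echo "cannot read RSA key: $1" >&2; return 1; }
  openssl rsa -in "$1" -pubout -outform der 2>/dev/null \
    | openssl dgst -sha256 -binary | openssl enc -base64
}

# Value of the first active (uncommented) directive, e.g. ssl_certificate_key.
vhost_directive() {   # $1 = vhost file, $2 = directive name
  awk -v d="$2" '$1 == d { sub(/;$/, "", $2); print $2; exit }' "$1"
}

# Every pin-sha256 value on a Public-Key-Pins line. Commented-out lines are
# included on purpose: they are the ones someone will uncomment later.
vhost_pins() {
  grep 'Public-Key-Pins' "$1" | grep -o 'pin-sha256="[^"]*"' | cut -d'"' -f2 | sort -u
}

# Exit status: 0 = served key is pinned, 1 = pins are stale, 2 = nothing to check.
check_vhost_pins() {
  conf=$1
  key=$(vhost_directive "$conf" ssl_certificate_key)
  [ -n "$key" ] || { echo "no active ssl_certificate_key in $conf" >&2; return 2; }
  pins=$(vhost_pins "$conf")
  [ -n "$pins" ] || { echo "no Public-Key-Pins lines in $conf" >&2; return 2; }
  live=$(spki_pin "$key") || return 2
  if printf '%s\n' "$pins" | grep -qxF -- "$live"; then
    echo "OK: $key is covered by a pin"
    return 0
  fi
  echo "STALE: $key hashes to $live, which is not in the header"
  return 1
}

# Constructed sample: three throwaway keys and a vhost shaped like the one in
# the post, with pins for the self-signed and backup keys but the active
# ssl_certificate_key pointing at a different ("letsencrypt") key.
make_sample_vhost() {   # $1 = empty directory
  for k in selfsigned backup letsencrypt; do
    openssl genrsa -out "$1/$k.key" 2048 2>/dev/null || return 1
  done
  cat > "$1/vhost.ssl.conf" <<EOF
server {
  listen 443 ssl http2;
  # letsencrypt
  ssl_certificate_key $1/letsencrypt.key;
  #ssl_certificate_key  $1/selfsigned.key;
  #add_header Public-Key-Pins 'pin-sha256="$(spki_pin "$1/selfsigned.key")"; pin-sha256="$(spki_pin "$1/backup.key")"; max-age=604800';
}
EOF
}

# Check a real vhost when a path is given on the command line.
if [ "$#" -gt 0 ]; then
  check_vhost_pins "$1"
fi
```

Run it with the path of the SSL vhost file before uncommenting any Public-Key-Pins line; a STALE result means the header would pin keys the server is not using.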
  2. eva2000

    The full Nginx vhost /usr/local/nginx/conf/conf.d/le1.http2ssl.xyz.ssl.conf looks like below on Centmin Mod 123.09beta01 branch which has Nginx HTTP/2 patch enabled

    Code:
    # Centmin Mod Getting Started Guide
    # must read http://centminmod.com/getstarted.html
    # For SPDY SSL Setup
    # read http://centminmod.com/nginx_configure_https_ssl_spdy.html
    
    # redirect from www to non-www  forced SSL
    # uncomment, save file and restart Nginx to enable
    # if unsure use return 302 before using return 301
    # server {
    #   server_name le1.http2ssl.xyz www.le1.http2ssl.xyz;
    #    return 302 https://$server_name$request_uri;
    # }
    
    server {
      listen 443 ssl http2;
      server_name le1.http2ssl.xyz www.le1.http2ssl.xyz;
    
      ssl_dhparam /usr/local/nginx/conf/ssl/le1.http2ssl.xyz/dhparam.pem;
      # letsencrypt
      ssl_certificate /etc/letsencrypt/live/le1.http2ssl.xyz/fullchain.pem;
      ssl_certificate_key /etc/letsencrypt/live/le1.http2ssl.xyz/privkey.pem;
    
      #ssl_certificate      /usr/local/nginx/conf/ssl/le1.http2ssl.xyz/le1.http2ssl.xyz.crt;
      #ssl_certificate_key  /usr/local/nginx/conf/ssl/le1.http2ssl.xyz/le1.http2ssl.xyz.key;
      include /usr/local/nginx/conf/ssl_include.conf;
    
      # mozilla recommended
      ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!CAMELLIA;
      ssl_prefer_server_ciphers   on;
      add_header Alternate-Protocol  443:npn-spdy/3;
      # HTTP Public Key Pinning Header uncomment only one that applies include or exclude domains.
      # You'd want to include subdomains if you're using SSL wildcard certificates
      # include subdomain
      #add_header Public-Key-Pins 'pin-sha256="yWwLUfWRhv9gkbJo4KMOpfevrGyrn3lQ2X04CiyKDsI="; pin-sha256="h9P0zmpPmBTuqUewOtw2oLm4a89754+Ia17UN8bWn08="; max-age=604800; includeSubDomains';
      # exclude subdomains
      #add_header Public-Key-Pins 'pin-sha256="yWwLUfWRhv9gkbJo4KMOpfevrGyrn3lQ2X04CiyKDsI="; pin-sha256="h9P0zmpPmBTuqUewOtw2oLm4a89754+Ia17UN8bWn08="; max-age=604800';
      #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
      #add_header  X-Content-Type-Options "nosniff";
      #add_header X-Frame-Options DENY;
      #spdy_headers_comp 5;
      ssl_buffer_size 1400;
      ssl_session_tickets on;
    
      # enable ocsp stapling
      #resolver 8.8.8.8 8.8.4.4 valid=10m;
      #resolver_timeout 10s;
      #ssl_stapling on;
      #ssl_stapling_verify on;
      #ssl_trusted_certificate /usr/local/nginx/conf/ssl/le1.http2ssl.xyz/le1.http2ssl.xyz-trusted.crt;
    
    # ngx_pagespeed & ngx_pagespeed handler
    #include /usr/local/nginx/conf/pagespeed.conf;
    #include /usr/local/nginx/conf/pagespeedhandler.conf;
    #include /usr/local/nginx/conf/pagespeedstatslog.conf;
    
      # limit_conn limit_per_ip 16;
      # ssi  on;
    
      access_log /home/nginx/domains/le1.http2ssl.xyz/log/access.log combined buffer=256k flush=60m;
      error_log /home/nginx/domains/le1.http2ssl.xyz/log/error.log;
    
      root /home/nginx/domains/le1.http2ssl.xyz/public;
    
      location / {
    
    # block common exploits, sql injections etc
    #include /usr/local/nginx/conf/block.conf;
    
      # Enables directory listings when index file not found
      #autoindex  on;
    
      # Shows file listing times as local time
      #autoindex_localtime on;
    
      # Enable for vBulletin usage WITHOUT vbSEO installed
      # More example Nginx vhost configurations at
      # http://centminmod.com/nginx_configure.html
      #try_files    $uri $uri/ /index.php;
    
      }
    
      include /usr/local/nginx/conf/staticfiles.conf;
      include /usr/local/nginx/conf/php.conf;
      include /usr/local/nginx/conf/drop.conf;
      #include /usr/local/nginx/conf/errorpage.conf;
      include /usr/local/nginx/conf/vts_server.conf;
    }
     
  3. eva2000

    SSLLab Test - note that since Letsencrypt isn't fully launched there is no CA root trust in browsers yet, so SSLLabs gives you a score rating of T instead of A if there was trusted CA root. There's no A+ as I have HSTS disabled so can test both http and https sides of a web site.

    SSLLab test SSL Server Test: le1.http2ssl.xyz (Powered by Qualys SSL Labs)

     
  4. eva2000

    Preparing for more Letsencrypt client testing :D

    Code:
        ls -lAh /usr/local/nginx/conf/conf.d/ | grep xyz
        -rw-r--r-- 1 root root 1.6K Aug 29 07:40 http2ssl.xyz.conf
        -rw-r--r-- 1 root root 3.8K Aug 29 07:40 http2ssl.xyz.ssl.conf
        -rw-r--r-- 1 root root 1.6K Aug 29 07:41 le1.http2ssl.xyz.conf
        -rw-r--r-- 1 root root 4.0K Aug 29 08:14 le1.http2ssl.xyz.ssl.conf
        -rw-r--r-- 1 root root 1.6K Aug 29 07:41 le2.http2ssl.xyz.conf
        -rw-r--r-- 1 root root 3.9K Aug 29 07:38 le2.http2ssl.xyz.ssl.conf
        -rw-r--r-- 1 root root 1.6K Aug 29 07:41 le3.http2ssl.xyz.conf
        -rw-r--r-- 1 root root 3.9K Aug 29 07:39 le3.http2ssl.xyz.ssl.conf
        -rw-r--r-- 1 root root 1.6K Aug 29 07:41 le4.http2ssl.xyz.conf
        -rw-r--r-- 1 root root 3.9K Aug 29 07:39 le4.http2ssl.xyz.ssl.conf
        -rw-r--r-- 1 root root 1.6K Aug 29 07:41 le5.http2ssl.xyz.conf
        -rw-r--r-- 1 root root 3.9K Aug 29 07:39 le5.http2ssl.xyz.ssl.conf
        -rw-r--r-- 1 root root 1.6K Aug 29 07:41 le6.http2ssl.xyz.conf
        -rw-r--r-- 1 root root 3.9K Aug 29 07:39 le6.http2ssl.xyz.ssl.conf
        -rw-r--r-- 1 root root 1.6K Aug 29 07:42 le7.http2ssl.xyz.conf
        -rw-r--r-- 1 root root 3.9K Aug 29 07:39 le7.http2ssl.xyz.ssl.conf
        -rw-r--r-- 1 root root 1.6K Aug 29 07:42 le8.http2ssl.xyz.conf
        -rw-r--r-- 1 root root 3.9K Aug 29 07:40 le8.http2ssl.xyz.ssl.conf
        -rw-r--r-- 1 root root 1.6K Aug 29 07:42 le9.http2ssl.xyz.conf
        -rw-r--r-- 1 root root 3.9K Aug 29 07:40 le9.http2ssl.xyz.ssl.conf
     
  5. eva2000

    Wow, Jakub / kuba's plugin addition fully automated the Letsencrypt client SSL certificate issuing for my Centmin Mod Nginx stack, allowing you to pass the custom web root path to the authentication: "Allow letsencrypt client to pass the web root path on cmd for creation of SimplyHTTP/ACME challenge file" (Issue #742 · letsencrypt/letsencrypt · GitHub)

    Code:
    ./venv/bin/letsencrypt -a simplefs --simplefs-root /home/nginx/domains/le4.http2ssl.xyz/public --text --agree-eula -d le4.http2ssl.xyz auth
    
    So fully automating non-standard Ubuntu Apache/Nginx setups provided they already have the ssl vhost and web root for their respective domains setup prior like Centmin Mod Nginx vhost auto generation :D

    So only need to script automating the ssl vhost config file /usr/local/nginx/conf/conf.d/le4.http2ssl.xyz.ssl.conf paths to Letsencrypt obtained SSL certificate and key

    Code:
      # letsencrypt
      ssl_certificate /etc/letsencrypt/live/le4.http2ssl.xyz/fullchain.pem;
      ssl_certificate_key /etc/letsencrypt/live/le4.http2ssl.xyz/privkey.pem;
    
      #ssl_certificate      /usr/local/nginx/conf/ssl/le4.http2ssl.xyz/le4.http2ssl.xyz.crt;
      #ssl_certificate_key  /usr/local/nginx/conf/ssl/le4.http2ssl.xyz/le4.http2ssl.xyz.key;
    sed replacement should work

    Code:
    sed -i 's|\/usr\/local\/nginx\/conf\/ssl\/le4.http2ssl.xyz\/le4.http2ssl.xyz.crt|\/etc\/letsencrypt\/live\/le4.http2ssl.xyz\/fullchain.pem|' le4.http2ssl.xyz.ssl.conf
    
    sed -i 's|\/usr\/local\/nginx\/conf\/ssl\/le4.http2ssl.xyz\/le4.http2ssl.xyz.key|\/etc\/letsencrypt\/live\/le4.http2ssl.xyz\/privkey.pem|' le4.http2ssl.xyz.ssl.conf
    Code:
        ls -lah /etc/letsencrypt/live/
        total 28K
        drwx------ 7 root root 4.0K Sep  4 08:10 .
        drwxr-xr-x 8 root root 4.0K Aug 29 07:52 ..
        drwxr-xr-x 2 root root 4.0K Aug 29 07:52 le1.http2ssl.xyz
        drwxr-xr-x 2 root root 4.0K Aug 30 08:07 le2.http2ssl.xyz
        drwxr-xr-x 2 root root 4.0K Sep  4 07:53 le3.http2ssl.xyz
        drwxr-xr-x 2 root root 4.0K Sep  4 08:07 le4.http2ssl.xyz
        drwxr-xr-x 2 root root 4.0K Sep  4 08:10 le4.http2ssl.xyz-0001
    
        ls -lah /etc/letsencrypt/live/le4.http2ssl.xyz
        total 8.0K
        drwxr-xr-x 2 root root 4.0K Sep  4 08:07 .
        drwx------ 7 root root 4.0K Sep  4 08:10 ..
        lrwxrwxrwx 1 root root   40 Sep  4 08:07 cert.pem -> ../../archive/le4.http2ssl.xyz/cert1.pem
        lrwxrwxrwx 1 root root   41 Sep  4 08:07 chain.pem -> ../../archive/le4.http2ssl.xyz/chain1.pem
        lrwxrwxrwx 1 root root   45 Sep  4 08:07 fullchain.pem -> ../../archive/le4.http2ssl.xyz/fullchain1.pem
        lrwxrwxrwx 1 root root   43 Sep  4 08:07 privkey.pem -> ../../archive/le4.http2ssl.xyz/privkey1.pem
    
        ls -lah /etc/letsencrypt/live/le4.http2ssl.xyz-0001/
        total 8.0K
        drwxr-xr-x 2 root root 4.0K Sep  4 08:10 .
        drwx------ 7 root root 4.0K Sep  4 08:10 ..
        lrwxrwxrwx 1 root root   45 Sep  4 08:10 cert.pem -> ../../archive/le4.http2ssl.xyz-0001/cert1.pem
        lrwxrwxrwx 1 root root   46 Sep  4 08:10 chain.pem -> ../../archive/le4.http2ssl.xyz-0001/chain1.pem
        lrwxrwxrwx 1 root root   50 Sep  4 08:10 fullchain.pem -> ../../archive/le4.http2ssl.xyz-0001/fullchain1.pem
        lrwxrwxrwx 1 root root   48 Sep  4 08:10 privkey.pem -> ../../archive/le4.http2ssl.xyz-0001/privkey1.pem
    
    All it needs is for Jakub's plugin to merge into main branch's code base :D

    So once Jakub's plugin is merged into main code, to automate Letsencrypt SSL certificate issuing for Centmin Mod Nginx would involve 3 commands

    Centmin Mod Nginx cmd line create the necessary Nginx vhost for domain named le4.http2ssl.xyz with http and https with self-signed SSL certificate and pure-ftpd virtual ftp username FTPusername
    Code:
    nv -d le4.http2ssl.xyz -s y -u FTPusername
    
    Then run Letsencrypt command line to issue the SSL certificate for le4.http2ssl.xyz and auto generate the ACME Simple HTTP challenge file in Centmin Mod Nginx vhost's web root /home/nginx/domains/le4.http2ssl.xyz/public. Actual .well-known URI would be auto created at /home/nginx/domains/le4.http2ssl.xyz/public/.well-known/acme-challenge directory
    Code:
    ./venv/bin/letsencrypt -a simplefs --simplefs-root /home/nginx/domains/le4.http2ssl.xyz/public --text --agree-eula -d le4.http2ssl.xyz auth
    
    Then sed replacement for SSL nginx vhost to switch out self-signed SSL generated certificate with Letsencrypt's obtained SSL certificate

    Code:
    sed -i 's|\/usr\/local\/nginx\/conf\/ssl\/le4.http2ssl.xyz\/le4.http2ssl.xyz.crt|\/etc\/letsencrypt\/live\/le4.http2ssl.xyz\/fullchain.pem|' /usr/local/nginx/conf/conf.d/le4.http2ssl.xyz.ssl.conf
    
    sed -i 's|\/usr\/local\/nginx\/conf\/ssl\/le4.http2ssl.xyz\/le4.http2ssl.xyz.key|\/etc\/letsencrypt\/live\/le4.http2ssl.xyz\/privkey.pem|' /usr/local/nginx/conf/conf.d/le4.http2ssl.xyz.ssl.conf
    
    Then restart Nginx server

    Code:
    ngxrestart
    
    Full SSL vhost contents would then be at /usr/local/nginx/conf/conf.d/le4.http2ssl.xyz.ssl.conf. As I use Centmin Mod .09 beta01 with HPKP support, of course the HTTP Public Key Pinning codes would be invalid as the private key that was used to create them was switched out for Letsencrypt's private key so would need regenerating those HPKP hashed pins.

    The primary HTTP Public Key Pinning hash would be easy to generate but there is no backup private key generated by Letsencrypt so can't do that for the backup pin
    Code:
    openssl rsa -in /etc/letsencrypt/live/le4.http2ssl.xyz/privkey.pem -outform der -pubout | openssl dgst -sha256 -binary | openssl enc -base64 | tee -a /usr/local/nginx/conf/ssl/le4.http2ssl.xyz/hpkp-info-primary-pin-letsencrypt.txt
    
    So generated pin
    Code:
    openssl rsa -in /etc/letsencrypt/live/le4.http2ssl.xyz/privkey.pem -outform der -pubout | openssl dgst -sha256 -binary | openssl enc -base64 | tee -a /usr/local/nginx/conf/ssl/le4.http2ssl.xyz/hpkp-info-primary-pin-letsencrypt.txt
    writing RSA key
    n6rQba4nx+s9LW00f6naIqVp0QGPHj+G3I1HZTb/eb8=
    Code:
    # Centmin Mod Getting Started Guide
    # must read http://centminmod.com/getstarted.html
    # For SPDY SSL Setup
    # read http://centminmod.com/nginx_configure_https_ssl_spdy.html
    
    # redirect from www to non-www  forced SSL
    # uncomment, save file and restart Nginx to enable
    # if unsure use return 302 before using return 301
    # server {
    #   server_name le4.http2ssl.xyz www.le4.http2ssl.xyz;
    #    return 302 https://$server_name$request_uri;
    # }
    
    server {
      listen 443 ssl http2;
      server_name le4.http2ssl.xyz www.le4.http2ssl.xyz;
    
      ssl_dhparam /usr/local/nginx/conf/ssl/le4.http2ssl.xyz/dhparam.pem;
      ssl_certificate /etc/letsencrypt/live/le4.http2ssl.xyz/fullchain.pem;
      ssl_certificate_key /etc/letsencrypt/live/le4.http2ssl.xyz/privkey.pem;
      include /usr/local/nginx/conf/ssl_include.conf;
    
      # mozilla recommended
      ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!CAMELLIA;
      ssl_prefer_server_ciphers   on;
      add_header Alternate-Protocol  443:npn-spdy/3;
      # HTTP Public Key Pinning Header uncomment only one that applies include or exclude domains.
      # You'd want to include subdomains if you're using SSL wildcard certificates
      # include subdomain
      #add_header Public-Key-Pins 'pin-sha256="IhwkYRDulO6/fkQkzQ9B+FYEwd8V6Qgdn8yfWN3MAlk="; pin-sha256="PSaXjDjpM3xgNi4yBQpKC44HvcmhFD+ldkl9wu9h1XQ="; max-age=604800; includeSubDomains';
      # exclude subdomains
      #add_header Public-Key-Pins 'pin-sha256="IhwkYRDulO6/fkQkzQ9B+FYEwd8V6Qgdn8yfWN3MAlk="; pin-sha256="PSaXjDjpM3xgNi4yBQpKC44HvcmhFD+ldkl9wu9h1XQ="; max-age=604800';
      #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
      #add_header  X-Content-Type-Options "nosniff";
      #add_header X-Frame-Options DENY;
      #spdy_headers_comp 5;
      ssl_buffer_size 1400;
      ssl_session_tickets on;
      # enable ocsp stapling
      #resolver 8.8.8.8 8.8.4.4 valid=10m;
      #resolver_timeout 10s;
      #ssl_stapling on;
      #ssl_stapling_verify on;
      #ssl_trusted_certificate /usr/local/nginx/conf/ssl/le4.http2ssl.xyz/le4.http2ssl.xyz-trusted.crt;
    
    # ngx_pagespeed & ngx_pagespeed handler
    #include /usr/local/nginx/conf/pagespeed.conf;
    #include /usr/local/nginx/conf/pagespeedhandler.conf;
    #include /usr/local/nginx/conf/pagespeedstatslog.conf;
    
      # limit_conn limit_per_ip 16;
      # ssi  on;
    
      access_log /home/nginx/domains/le4.http2ssl.xyz/log/access.log combined buffer=256k flush=60m;
      error_log /home/nginx/domains/le4.http2ssl.xyz/log/error.log;
    
      root /home/nginx/domains/le4.http2ssl.xyz/public;
    
      location / {
    
    # block common exploits, sql injections etc
    #include /usr/local/nginx/conf/block.conf;
    
      # Enables directory listings when index file not found
      #autoindex  on;
    
      # Shows file listing times as local time
      #autoindex_localtime on;
    
      # Enable for vBulletin usage WITHOUT vbSEO installed
      # More example Nginx vhost configurations at
      # http://centminmod.com/nginx_configure.html
      #try_files    $uri $uri/ /index.php;
    
      }
    
      include /usr/local/nginx/conf/staticfiles.conf;
      include /usr/local/nginx/conf/php.conf;
      include /usr/local/nginx/conf/drop.conf;
      #include /usr/local/nginx/conf/errorpage.conf;
      include /usr/local/nginx/conf/vts_server.conf;
    }
    
     
    Last edited: Sep 4, 2015
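A guarded form of the sed swap described in the post above, as an added example that is not part of the original post or of Centmin Mod: it refuses to edit a vhost that still has an active `Public-Key-Pins` header (those pins belong to the old key), requires both self-signed directives to be present, escapes the dots in the domain, and keeps a backup. The function name `swap_le_cert`, the return codes and the overridable `SSL_DIR` / `LE_LIVE` variables are assumptions for illustration; the default paths are the ones shown in the post.

```shell
#!/bin/sh
# Added example (not from the thread): guarded self-signed -> Letsencrypt path swap.
# Defaults are the paths used in the post; override them to test on a copy.
SSL_DIR="${SSL_DIR:-/usr/local/nginx/conf/ssl}"
LE_LIVE="${LE_LIVE:-/etc/letsencrypt/live}"

# swap_le_cert DOMAIN VHOST_FILE   (hypothetical helper)
# returns 0 = swapped, 1 = expected directives missing, 2 = active HPKP header found
swap_le_cert() {
  domain="$1"; vhost="$2"
  old_crt="$SSL_DIR/$domain/$domain.crt"
  old_key="$SSL_DIR/$domain/$domain.key"

  # An uncommented Public-Key-Pins header pins the OLD key. Swapping the key
  # underneath it makes browsers that cached the pins reject the site.
  if grep -Eq '^[[:space:]]*add_header[[:space:]]+Public-Key-Pins' "$vhost"; then
    return 2
  fi

  # Both self-signed directives must be present exactly once before editing.
  n_crt=$(grep -cF "ssl_certificate $old_crt;" "$vhost" || true)
  n_key=$(grep -cF "ssl_certificate_key $old_key;" "$vhost" || true)
  [ "$n_crt" -eq 1 ] && [ "$n_key" -eq 1 ] || return 1

  # Keep a copy so the self-signed config can be restored if nginx fails to reload.
  cp -p "$vhost" "$vhost.bak" || return 1

  # Escape regex metacharacters; an unescaped "." in the domain matches any character.
  esc() { printf '%s' "$1" | sed 's/[][\.*^$|]/\\&/g'; }

  sed -i \
    -e "s|ssl_certificate $(esc "$old_crt");|ssl_certificate $LE_LIVE/$domain/fullchain.pem;|" \
    -e "s|ssl_certificate_key $(esc "$old_key");|ssl_certificate_key $LE_LIVE/$domain/privkey.pem;|" \
    "$vhost"
}
```

After a successful swap, `nginx -t` confirms the new certificate and key load before the restart step.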
  6. pamamolf

    pamamolf Premium Member Premium Member

    Letsencrypt SSL certificates :

    First certificate: Week of September 7, 2015
    General availability: Week of November 16, 2015
     
  7. eva2000

    eva2000 Administrator Staff Member

  8. eva2000

    eva2000 Administrator Staff Member

  9. eva2000

    eva2000 Administrator Staff Member

  10. eva2000

    eva2000 Administrator Staff Member

     
  11. Matt Williams

    Matt Williams WordPress Fanatic

  12. eva2000

    eva2000 Administrator Staff Member

  13. rdan

    rdan Well-Known Member

    :D
     
  14. eva2000

    eva2000 Administrator Staff Member

    welcome to the beta group :D
     
  15. eva2000

    eva2000 Administrator Staff Member

    Letsencrypt enters public beta December 3, 2015

     
  16. Eduardo

    Eduardo Member

    after some manual work, I got it working! lets encrypt everything :)

    what do you guys think, it's ready to use in commercial sites or just for fun?
     
  17. rdan

    rdan Well-Known Member

    I don't think it's ready for commercial sites.
    But it's fine for personal sites, or small blog sites.
     
  18. eva2000

    eva2000 Administrator Staff Member

    I'd say it's wait and see, as if you see their GitHub code commits, they are still very much evolving the letsencrypt client side of things so things may break or change.

    Centmin Mod LEMP stack's official letsencrypt integration won't be available out of the box for some time while testing goes on so most likely won't make their Dec 3rd public beta date.
     
  19. Lundz

    Lundz Member

    How far from merging the 123.09beta01le into 123.09beta01 would you consider you are?

    I'm a little bit tired of switching branches when creating new vhosts :p
     
  20. eva2000

    eva2000 Administrator Staff Member

    still a while away from such a final merge.. only do testing in my free time FYI :)