
Letsencrypt Official acmetool.sh testing thread for Centmin Mod 123.09beta01

Discussion in 'Domains, DNS, Email & SSL Certificates' started by eva2000, Jul 26, 2016.

  1. eva2000

    eva2000 Administrator Staff Member


    Testing Letsencrypt Integration with acmetool.sh



    This thread is for discussions and testing of addons/acmetool.sh which integrates Letsencrypt SSL certificates for Centmin Mod Nginx server. Please read the requirements for preparing for testing addons/acmetool.sh below which includes setting up persistent config file /etc/centminmod/custom_config.inc variable LETSENCRYPT_DETECT='y' (details here). I would not do testing on live sites or live servers. Use test server only.

    If you are unable to help beta test acmetool.sh, but would like to support Centmin Mod, please consider a Paypal donation and/or upgrading to Premium Membership and all the benefits it can give you including access to the Private Premium Members only forum ;)


    What is addons/acmetool.sh ?



    Basically, addons/acmetool.sh is a standalone Centmin Mod Addon added to the Centmin Mod 123.09beta01 branch which extends the feature set of Centmin Mod to allow users to automatically create Nginx based vhost site domain accounts, automatically obtain and configure the site to use free domain validated Letsencrypt SSL certificates, and serve your site(s) via Nginx HTTP/2 protocol based HTTPS. Its primary use is integration into centmin.sh menu options 2, 22 and the nv command line based Nginx vhost creation routines outlined here, here and in Wordpress installs here.

    It is one of the last remaining pieces needed before pushing Centmin Mod 123.09beta01 branch to stable release.

    During the beta testing phase, you now have to specifically enable addons/acmetool.sh integration detection via setting up the persistent config file /etc/centminmod/custom_config.inc variable LETSENCRYPT_DETECT='y' (details here).

    Preparing for public beta testing for addons/acmetool.sh



    The outlined addons/acmetool.sh for Letsencrypt SSL certificates is ready for public beta testing. It is still beta so it needs testing before being marked as stable. Below are the requirements for beta testing addons/acmetool.sh.

    Requirements for addons/acmetool.sh testing
    1. A test domain name or subdomain names with DNS updated to point to a test server i.e. testdomain.com or testsubdomain.domain.com
    2. Test server that is internet addressable and accessible. This means you must be able to point a test domain name or subdomain name's DNS A record to the test server's IP address. You can use whatsmydns.net to test that your domain's DNS A records point to the server IP and that DNS updates have propagated worldwide.
    3. Test server must already have Centmin Mod LEMP stack installed - 123.09beta01 precisely. Pay attention to the minimum system requirements for Centmin Mod outlined here. Install instructions for Centmin Mod 123.09beta01 are outlined here. Or use the simple one line install command:
      Code (Text):
      yum -y update; curl -O https://centminmod.com/betainstaller.sh && chmod 0700 betainstaller.sh && bash betainstaller.sh
      Once 123.09beta01 is installed, to get addons/acmetool.sh when it's publicly released, just run centmin.sh menu option 23 submenu option 2 to use git backed repo to update your local server's Centmin Mod code which will pull the addons/acmetool.sh into your Centmin Mod local install at /usr/local/src/centminmod/addons/acmetool.sh.
    4. After the initial Centmin Mod 123.09beta01 install, follow Getting Started Guide step 1 to set up the main hostname for the server too. This subdomain/hostname must be different to any nginx vhost site domain/subdomain you intend to set up on the server.
    5. Be willing to completely wipe CentOS OS and reinstall Centmin Mod 123.09beta01 when required
    6. Be willing to completely wipe the testdomain.com or testsubdomain.domain.com ssl cert, files and nginx vhost during beta testing
    7. May want to register for a Pushover.net account and install the Pushover mobile app if you want SSL certificate notices pushed to your mobile and tablet devices. Once registered, you'll have a Pushover email address. Sending messages to this email address will push messages to your mobile/tablet devices.
    8. If you need to post snippets of output, you might want to use CODE tags for code How to use forum BBCODE code tags

    Removing Test Nginx Vhost Site + SSL Certificates



    When you generate a Centmin Mod Nginx vhost via centmin.sh menu option 2, 22 or via acmetool.sh, the end output also lists commands to remove the domain you just created. There's also a log saved for the output so you can reference back to it. The acmetool.sh script also creates a log for removing the vhost in /root/centminlogs :)

    Example for acme3.domain1.com at /root/centminlogs/
    centminmod_190816-021907_nginx_addvhost_nv-remove-cmds-acme3.domain1.com.log
    Code (Text):
    ls -lahrt /root/centminlogs/ | grep remove
    -rw-r--r--   1 root root 1.1K Aug 19 02:21 centminmod_190816-021907_nginx_addvhost_nv-remove-cmds-acme3.domain1.com.log
    

    Contents with commands for removing vhost site
    Code (Text):
    cat /root/centminlogs/centminmod_190816-021907_nginx_addvhost_nv-remove-cmds-acme3.domain1.com.log
    -------------------------------------------------------------
    Commands to remove acme3.domain1.com
    
    pure-pw userdel vq4QKxGjf4Uy01a
    rm -rf /usr/local/nginx/conf/conf.d/acme3.domain1.com.ssl.conf
    rm -rf /usr/local/nginx/conf/ssl/acme3.domain1.com/acme3.domain1.com.crt
    rm -rf /usr/local/nginx/conf/ssl/acme3.domain1.com/acme3.domain1.com.key
    rm -rf /usr/local/nginx/conf/ssl/acme3.domain1.com/acme3.domain1.com.csr
    rm -rf /usr/local/nginx/conf/ssl/acme3.domain1.com
    rm -rf /home/nginx/domains/acme3.domain1.com
    service nginx restart
    
    -------------------------------------------------------------
    vhost for acme3.domain1.com setup successfully
    acme3.domain1.com setup info log saved at:
    /root/centminlogs/centminmod_190816-021907_nginx_addvhost_nv.log
    -------------------------------------------------------------

    This still does leave the acme.sh obtained cert stored in the /root/.acme.sh/yourdomainname directory, or /root/.acme.sh/yourdomain_ecc for ECDSA certs, which can be manually removed too.
    Code (Text):
    ls -lah /root/.acme.sh/acme3.domain1.com_ecc/
    total 36K
    drwxr-xr-x 2 root root 4.0K Aug 19 02:21 .
    drwx------ 8 root root 4.0K Aug 19 02:21 ..
    -rw-r--r-- 1 root root 1.5K Aug 19 02:21 acme3.domain1.com.cer
    -rw-r--r-- 1 root root  921 Aug 19 02:21 acme3.domain1.com.conf
    -rw-r--r-- 1 root root  371 Aug 19 02:21 acme3.domain1.com.csr
    -rw-r--r-- 1 root root  302 Aug 19 02:21 acme3.domain1.com.key
    -rw-r--r-- 1 root root   79 Aug 19 02:21 acme3.domain1.com.ssl.conf
    -rw-r--r-- 1 root root 1.7K Aug 19 02:21 ca.cer
    -rw-r--r-- 1 root root 3.1K Aug 19 02:21 fullchain.cer

    so I can remove that directory too
    Code (Text):
    rm -rf /root/.acme.sh/acme3.domain1.com_ecc/


    Version Notification Alert



    addons/acmetool.sh is getting the same treatment as Centmin Mod dbbackup.sh tool in getting auto version update notifications when you run the addons/acmetool.sh script.
    Code (Text):
    ./acmetool.sh
    
    ------------------------------------------------------------------------------
    Version Check:
    ------------------------------------------------------------------------------
    !!!  there maybe a newer version of acmetool.sh available  !!!
    https://community.centminmod.com/posts/34492/
    update using centmin.sh menu option 23 submenu option 2
    
    Always ensure Current Version is higher or equal to Latest Version
    ------------------------------------------------------------------------------
    Current acmetool.sh Version: 0.1
    Latest acmetool.sh Version: 0.2
    ------------------------------------------------------------------------------
    


    addons/acmetool.sh Beta Testing Notice



    During beta testing an additional notice is displayed at run time so folks can be pointed to this specific thread for bug reports, suggestions and feedback ;)
    Code (Text):
    ./acmetool.sh
    
    -------------------------------------------------
    acmetool.sh is in beta testing phase
    please read & provide bug reports &
    feedback for this tool via the forums
    https://community.centminmod.com/posts/34492/
    -------------------------------------------------
    
    continue [y/n] ?
    


    Check Dates Option



    addons/acmetool.sh has a checkdates option you can run on the SSH command line to report the days till expiry of all issued Letsencrypt SSL certificates. It reports both nginx installed SSL certs and any SSL certs obtained by the acme.sh client in /root/.acme.sh; these would include SSL certs issued in the new DNS only mode via the certonly-issue option on the command line.
    Code (Text):
    ./acmetool.sh checkdates
    ----------------------------------------------
    nginx installed
    ----------------------------------------------
    /usr/local/nginx/conf/ssl/acme.domain1.com/acme.domain1.com-acme.cer
    SHA1 Fingerprint=87:AA:E6:79:CA:14:61:77:07:59:6B:BB:EC:BC:8A:F7:B1:3A:9E:F4
    certificate expires in 10 days on 4 Sep 2016
    
    /usr/local/nginx/conf/ssl/acme2.domain1.com/acme2.domain1.com-acme.cer
    SHA1 Fingerprint=A7:E3:72:64:55:12:B7:E8:3E:48:35:64:5E:9A:FF:EA:61:46:9E:8A
    certificate expires in 88 days on 21 Nov 2016
    
    /usr/local/nginx/conf/ssl/acme1.domain1.com/acme1.domain1.com-acme-ecc.cer
    SHA1 Fingerprint=F5:42:00:15:7D:AC:80:21:02:F5:27:E0:84:7A:06:D5:80:91:B8:C6
    certificate expires in 78 days on 11 Nov 2016
    
    ----------------------------------------------
    acme.sh obtained
    ----------------------------------------------
    /root/.acme.sh/acme.domain1.com/acme.domain1.com.cer
    SHA1 Fingerprint=87:AA:E6:79:CA:14:61:77:07:59:6B:BB:EC:BC:8A:F7:B1:3A:9E:F4
    certificate expires in 10 days on 4 Sep 2016
    
    /root/.acme.sh/acme9.domain2.com/acme9.domain2.com.cer
    SHA1 Fingerprint=AC:72:0F:AA:4C:B0:96:49:DD:1F:C2:92:09:B2:BE:89:38:FC:96:3B
    certificate expires in 89 days on 22 Nov 2016
    
    /root/.acme.sh/acme2.domain1.com/acme2.domain1.com.cer
    SHA1 Fingerprint=A7:E3:72:68:55:12:B7:E8:3E:48:35:68:5E:9A:FF:EA:61:46:9E:8A
    certificate expires in 88 days on 21 Nov 2016
    
    /root/.acme.sh/acme1.domain1.com_ecc/acme1.domain1.com.cer
    SHA1 Fingerprint=F5:42:00:15:7D:AC:80:21:02:F5:27:E0:84:7A:06:D5:80:91:AA:C6
    certificate expires in 78 days on 11 Nov 2016


    Troubleshooting Issues



    There are various steps you can take to troubleshoot failed Letsencrypt issuances, renewals, reissues etc.
    • Use letsdebug.net online testing tool to check for potential errors with HTTP-01 validation
    • acmetool.sh logs all command line or shell menu runs to log files at /root/centminlogs. To troubleshoot, copy the contents of the log run, post the contents to pastebin.com or gist.github.com and share the link in this thread. To find the log, list the logs in ascending date order:
      Code (Text):
      ls -lahrt /root/centminlogs
    • For direct acmetool.sh runs, there should be a 2nd & 3rd & 4th log in format /root/centminlogs/centminmod_${DT}_nginx_addvhost_nv.log and /root/centminlogs/acmetool.sh-debug-log-$DT.log and /root/centminlogs/acmesh-issue_*.log or /root/centminlogs/acmesh-reissue_*.log which would need to be included via separate pastebin.com or gist.github.com post.
    • Enable acmetool.sh debug mode. In the persistent config file at /etc/centminmod/custom_config.inc (create it if it doesn't exist) add and enable acmetool.sh debug mode, which gives much more verbose Letsencrypt issuance process information when you re-run acmetool.sh or centmin.sh menu options 2, 22 or /usr/bin/nv command lines.
      Code (Text):
      ACMEDEBUG='y'
    If acme.sh auto renewals didn't happen, check the output of the following commands:
    Code (Text):
    grep acme /var/log/cron* | sed -e "s|$(hostname -s)|host|g"
    

    Code (Text):
    echo y | /usr/local/src/centminmod/addons/acmetool.sh checkdates
    

    Code (Text):
    "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh"
    


     
    Last edited: Jul 17, 2024
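An added example, not acmetool.sh's own code, that re-implements the gist of what the checkdates option above reports (SHA1 fingerprint and days till expiry for the nginx installed and acme.sh obtained certs) and additionally flags certs that sit inside the auto renewal window, which is the symptom the "auto renewals didn't happen" troubleshooting step looks for. It assumes GNU date and openssl are installed; the directory layout follows the page and the sample certificates are constructed self-signed ones.

```shell
#!/bin/bash
# Added example (not acmetool.sh's own code): a small re-implementation of
# what "acmetool.sh checkdates" reports, so the fingerprint and days-to-expiry
# values can be checked against openssl directly. Assumes GNU date + openssl.

# Locations used on the page; checkdates accepts overrides so the demo can
# run on a throwaway temp tree.
NGINX_SSL_DIR="${NGINX_SSL_DIR:-/usr/local/nginx/conf/ssl}"
ACME_HOME="${ACME_HOME:-/root/.acme.sh}"
RENEW_DAYS="${RENEW_DAYS:-60}"   # renew every 60 days once stable, 21 in beta
CERT_LIFETIME=90                 # Letsencrypt certificates expire after 90 days

# Seconds until the certificate's notAfter; negative once it has expired.
cert_seconds_left() {
  local end
  end=$(openssl x509 -in "$1" -noout -enddate 2>/dev/null) || return 1
  echo $(( $(date -u -d "${end#notAfter=}" +%s) - $(date -u +%s) ))
}

# Whole days until expiry (rounded down), the number checkdates prints.
cert_days_left() {
  local secs
  secs=$(cert_seconds_left "$1") || return 1
  echo $(( secs / 86400 ))
}

# SHA1 fingerprint line in the same form checkdates shows it.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha1 2>/dev/null
}

# Expiry date formatted like "4 Sep 2016".
cert_expiry_date() {
  local end
  end=$(openssl x509 -in "$1" -noout -enddate 2>/dev/null) || return 1
  date -u -d "${end#notAfter=}" +'%-d %b %Y'
}

# Exit 0 when the cert should already have been renewed: with 90-day
# certificates renewed every RENEW_DAYS days, fewer than (90 - RENEW_DAYS)
# days left means the acme.sh cron renewal has not run (assumption).
cert_overdue_for_renew() {
  local days
  days=$(cert_days_left "$1") || return 2
  [ "$days" -lt $(( CERT_LIFETIME - RENEW_DAYS )) ]
}

# Print one checkdates-style entry per certificate under a directory.
# $1 = directory, $2 = find name glob. ca.cer and fullchain.cer are skipped
# because acme.sh stores them beside the leaf certificate.
report_dir() {
  local f
  find "$1" -type f -name "$2" ! -name ca.cer ! -name fullchain.cer 2>/dev/null |
    sort | while read -r f; do
      echo "$f"
      cert_fingerprint "$f"
      echo "certificate expires in $(cert_days_left "$f") days on $(cert_expiry_date "$f")"
      cert_overdue_for_renew "$f" && echo "WARNING: inside renewal window, auto renew may have failed"
      echo
    done
}

# $1 = nginx ssl dir (optional), $2 = acme.sh home (optional).
checkdates() {
  echo "nginx installed";  report_dir "${1:-$NGINX_SSL_DIR}" '*-acme*.cer'
  echo "acme.sh obtained"; report_dir "${2:-$ACME_HOME}" '*.cer'
}

# Constructed sample input: a throwaway self-signed ECDSA (P-256) certificate
# standing in for a Letsencrypt cert. $1 = output path, $2 = CN, $3 = days.
make_sample_cert() {
  mkdir -p "$(dirname "$1")"
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "${1%.cer}.key" -out "$1" -subj "/CN=$2" -days "$3" >/dev/null 2>&1
}

# Stand-alone demo on a temp tree laid out like the page's paths.
demo() {
  local root
  root=$(mktemp -d)
  make_sample_cert "$root/nginx/acme1.domain1.com/acme1.domain1.com-acme-ecc.cer" acme1.domain1.com 78
  make_sample_cert "$root/acme/acme1.domain1.com_ecc/acme1.domain1.com.cer" acme1.domain1.com 78
  make_sample_cert "$root/acme/acme.domain1.com/acme.domain1.com.cer" acme.domain1.com 10
  checkdates "$root/nginx" "$root/acme"
  rm -rf "$root"
}
demo
```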
  2. eva2000

    eva2000 Administrator Staff Member


    Notes for addons/acmetool.sh


    • Letsencrypt servers have maintenance periods etc and the official status page is at Let's Encrypt Status
    • Letsencrypt SSL certificates have a 90 day expiry and the recommendation is to renew every 60 days automatically. The addons/acmetool.sh will default to 60 days auto renew once stable. For beta testing right now auto renew is every 21 days, so testing will allow for auto renewal tests.
    • Letsencrypt DOES NOT support Internationalized Domain Names (xn-- prefix) until after November 30, 2016. Details here.
    • Letsencrypt SSL certificate requests have rate limits for both live SSL certs and staging SSL certs. The staging test SSL certs have much more generous rate limits for testing. For live Letsencrypt SSL certificates the published rate limits are at Rate Limits - Let's Encrypt - Free SSL/TLS Certificates
    • /etc/centminmod/acmetool-config.ini is the acmetool.sh persistent config file which overrides settings in addons/acmetool.sh. The main use for this right now is if you have registered a pushover.net account to obtain a pushover email address, which you can set in /etc/centminmod/acmetool-config.ini via the variables below to receive push notifications to the mobile or tablet devices linked in your pushover.net account.
      Code (Text):
      PUSHALERT='y'
      pushover_email=''
      You can also override the default type of SSL certificates issued via this file by setting the appropriate KEYLENGTH value, which defaults to 2048 = RSA 2048bit; a value of ec-256 gives ECC 256bit ECDSA based SSL certificates. A full example can be seen here.
      Code (Text):
      # options for KEYLENGTH
      # 2048, 3072, 4096, 8192, ec-256, ec-384
      KEYLENGTH='2048'
    • addons/acmetool.sh Amazon S3 related options are not yet available and will be added later on. Update: may be able to use another Centmin Mod addon, addons/rclone.sh, to support syncing SSL certificates to multiple cloud storage providers including Google Drive, Dropbox, OneDrive, Hubic as well as AWS S3 etc.
    • addons/acmetool.sh obtained Letsencrypt SSL certificates are saved by the underlying acme.sh tool at /root/.acme.sh/${vhostname}/ for RSA based SSL certs and at /root/.acme.sh/${vhostname}_ecc/ for ECDSA based certs, where vhostname is your domain.com, and then installed and copied over to your Centmin Mod Nginx vhost /usr/local/nginx/conf/conf.d/domain.com.ssl.conf vhost config file and the domain.com's directory for the following paths:
      • /usr/local/nginx/conf/ssl/${vhostname}/${vhostname}-acme.cer which is your actual SSL certificate. The filename will have a -ecc suffix if using ECDSA certs
      • /usr/local/nginx/conf/ssl/${vhostname}/${vhostname}-acme.key which is your SSL certificates' private key. The filename will have a -ecc suffix if using ECDSA certs
      • /usr/local/nginx/conf/ssl/${vhostname}/${vhostname}-fullchain-acme.key which is your concatenated certificate. The filename will have a -ecc suffix if using ECDSA certs
    • There are 3 types of options: issuing, reissuing and renewing SSL certificates. Issuing a domain SSL certificate only happens once during the renewal period.
    • If you try to re-run the issue command on a domain that already has an SSL certificate issued via addons/acmetool.sh, it will skip issuance as you already have an SSL cert valid within the auto renewal period of 21 days during beta and 60 days once stable.
    • If you need to refresh the existing domain's SSL certificate, you need to use the reissue option instead
    • Main hostname domain of the server is currently NOT supported in addons/acmetool.sh for using Letsencrypt SSL certificate.
    • There are 2 modes of using addons/acmetool.sh via SSH command line or via inbuilt shell based menu outlined below.
    • Read updated official site's config file list Centmin Mod Configuration Files - CentminMod.com LEMP Nginx web stack for CentOS on dealing with Nginx & Nginx site domain vhost config files when moving between two Centmin Mod 123.09beta01 or higher version servers.

    addons/acmetool.sh Installation



    First up you need to install acmetool.sh's underlying Letsencrypt client, acme.sh written by Neil Pang. The addons/acmetool.sh is a wrapper script for acme.sh to integrate Letsencrypt SSL routines into Centmin Mod LEMP stack. Install either via SSH command line or shell based menu outlined here.

    SSH command line install
    Code (Text):
    ./acmetool.sh acmeinstall
    

    Example output
    Code (Text):
    ./acmetool.sh acmeinstall
    
    -----------------------------------------------------
    installing acme.sh client...
    -----------------------------------------------------
    Initialized empty Git repository in /root/tools/acme.sh/.git/
    [Mon Jul 25 17:37:00 UTC 2016] Installing to /root/.acme.sh
    [Mon Jul 25 17:37:00 UTC 2016] Installed to /root/.acme.sh/acme.sh
    [Mon Jul 25 17:37:00 UTC 2016] OK, Close and reopen your terminal to start using acme.sh
    [Mon Jul 25 17:37:00 UTC 2016] Installing cron job
    [Mon Jul 25 17:37:00 UTC 2016] Good, bash is installed, change the shebang to use bash as prefered.
    [Mon Jul 25 17:37:00 UTC 2016] OK
    https://github.com/Neilpang/acme.sh
    v2.3.2
    Usage: acme.sh  command ...[parameters]....
    Commands:
      --help, -h               Show this help message.
      --version, -v            Show version info.
      --install                Install acme.sh to your system.
      --uninstall              Uninstall acme.sh, and uninstall the cron job.
      --upgrade                Upgrade acme.sh to the latest code from https://github.com/Neilpang/acme.sh
      --issue                  Issue a cert.
      --installcert            Install the issued cert to apache/nginx or any other server.
      --renew, -r              Renew a cert.
      --renewAll               Renew all the certs
      --revoke                 Revoke a cert.
      --list                   List all the certs
      --installcronjob         Install the cron job to renew certs, you don't need to call this. The 'install' command can automatically install the cron job.
      --uninstallcronjob       Uninstall the cron job. The 'uninstall' command can do this automatically.
      --cron                   Run cron job to renew all the certs.
      --toPkcs                 Export the certificate and key to a pfx file.
      --createAccountKey, -cak Create an account private key, professional use.
      --createDomainKey, -cdk  Create an domain private key, professional use.
      --createCSR, -ccsr       Create CSR , professional use.
    Parameters:
      --domain, -d   domain.tld         Specifies a domain, used to issue, renew or revoke etc.
      --force, -f                       Used to force to install or force to renew a cert immediately.
      --staging, --test                 Use staging server, just for test.
      --debug                           Output debug info.
    
      --webroot, -w  /path/to/webroot   Specifies the web root folder for web root mode.
      --standalone                      Use standalone mode.
      --tls                             Use standalone tls mode.
      --apache                          Use apache mode.
      --dns [dns_cf|dns_dp|dns_cx|/path/to/api/file]   Use dns mode or dns api.
      --dnssleep  [120]                  The time in seconds to wait for all the txt records to take effect in dns api mode. Default 120 seconds.
      --keylength, -k [2048]            Specifies the domain key length: 2048, 3072, 4096, 8192 or ec-256, ec-384.
      --accountkeylength, -ak [2048]    Specifies the account key length.
      These parameters are to install the cert to nginx/apache or anyother server after issue/renew a cert:
      --certpath /path/to/real/cert/file  After issue/renew, the cert will be copied to this path.
      --keypath /path/to/real/key/file  After issue/renew, the key will be copied to this path.
      --capath /path/to/real/ca/file    After issue/renew, the intermediate cert will be copied to this path.
      --fullchainpath /path/to/fullchain/file After issue/renew, the fullchain cert will be copied to this path.
      --reloadcmd "service nginx reload" After issue/renew, it's used to reload the server.
    
      --accountconf                     Specifies a customized account config file.
      --home                            Specifies the home dir for acme.sh .
      --certhome                        Specifies the home dir to save all the certs, only valid for '--install' command.
      --useragent                       Specifies the user agent string. it will be saved for future use too.
      --accountemail                    Specifies the account email for registering, Only valid for the '--install' command.
      --accountkey                      Specifies the account key path, Only valid for the '--install' command.
      --days                            Specifies the days to renew the cert when using '--issue' command. The max value is 80 days.
      --httpport                        Specifies the standalone listening port. Only valid if the server is behind a reverse proxy or load balancer.
      --tlsport                         Specifies the standalone tls listening port. Only valid if the server is behind a reverse proxy or load balancer.
      --listraw                         Only used for '--list' command, list the certs in raw format.
      --stopRenewOnError, -se           Only valid for '--renewall' command. Stop if one cert has error in renewal.
      --insecure                        Do not check the server certificate, in some devices, the api server's certificate may not be trusted.
      --nocron                          Only valid for '--install' command, which means: do not install the default cron job. In this case, the certs will not be renewed automatically.
    
    -----------------------------------------------------
    check acme auto renew cronjob setup:
    -----------------------------------------------------
    0 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null
    -----------------------------------------------------
    acme.sh installed
    -----------------------------------------------------
    

    This outputs the install routine via git and the cronjob set up by acme.sh for cronjob auto renewals of Letsencrypt SSL certificates.

    Shell based menu option 1 install
    Code (Text):
    ./acmetool.sh acme-menu
    
    --------------------------------------------------------
            SSL Management
    --------------------------------------------------------
    1).  acemtool.sh install
    2).  acmetool.sh update
    3).  acmetool.sh setup
    4).  Issue SSL Management
    5).  Renew SSL Management
    6).  Reissue SSL Management
    7).  Renew All Staging /Test Certs
    8).  Renew ALL Live Certs
    9).  Renew All Live Certs HTTPS Default
    10). Exit
    --------------------------------------------------------
    Enter option [ 1 - 10 ] 1
    --------------------------------------------------------
    


    addons/acmetool.sh SSH Command Line Mode



    The command line mode has finer-grained control with some additional options that are not accessible via the shell based mode.

    Code (Text):
    ./acmetool.sh {acme-menu|acmeinstall|acmeupdate|acmesetup|issue|reissue|renew|s3issue|s3reissue|s3renew|renewall|checkdates}
    
    Usage Commands:
    ./acmetool.sh acme-menu
    ./acmetool.sh acmeinstall
    ./acmetool.sh acmeupdate
    ./acmetool.sh acmesetup
    ./acmetool.sh issue domainname
    ./acmetool.sh issue domainname d
    ./acmetool.sh issue domainname live
    ./acmetool.sh issue domainname lived
    ./acmetool.sh reissue domainname
    ./acmetool.sh reissue domainname d
    ./acmetool.sh reissue domainname live
    ./acmetool.sh reissue domainname lived
    ./acmetool.sh renew domainname
    ./acmetool.sh renew domainname d
    ./acmetool.sh renew domainname live
    ./acmetool.sh renew domainname lived
    ./acmetool.sh webroot-issue domainname /path/to/custom/webroot
    ./acmetool.sh webroot-issue domainname /path/to/custom/webroot d
    ./acmetool.sh webroot-issue domainname /path/to/custom/webroot live
    ./acmetool.sh webroot-issue domainname /path/to/custom/webroot lived
    ./acmetool.sh webroot-reissue domainname /path/to/custom/webroot
    ./acmetool.sh webroot-reissue domainname /path/to/custom/webroot d
    ./acmetool.sh webroot-reissue domainname /path/to/custom/webroot live
    ./acmetool.sh webroot-reissue domainname /path/to/custom/webroot lived
    ./acmetool.sh webroot-renew domainname /path/to/custom/webroot
    ./acmetool.sh webroot-renew domainname /path/to/custom/webroot d
    ./acmetool.sh webroot-renew domainname /path/to/custom/webroot live
    ./acmetool.sh webroot-renew domainname /path/to/custom/webroot lived
    ./acmetool.sh s3issue domainname
    ./acmetool.sh s3issue domainname d
    ./acmetool.sh s3issue domainname live
    ./acmetool.sh s3issue domainname lived
    ./acmetool.sh s3reissue domainname
    ./acmetool.sh s3reissue domainname d
    ./acmetool.sh s3reissue domainname live
    ./acmetool.sh s3reissue domainname lived
    ./acmetool.sh s3renew domainname
    ./acmetool.sh s3renew domainname d
    ./acmetool.sh s3renew domainname live
    ./acmetool.sh s3renew domainname lived
    ./acmetool.sh renewall
    ./acmetool.sh renewall live
    ./acmetool.sh renewall lived
    ./acmetool.sh checkdates
    


    addons/acmetool.sh Shell Based Menu Mode



    The shell based menu is more convenient for some, though if you want unattended mode, use the SSH command line mode above.

    Code (Text):
    ./acmetool.sh acme-menu
    
    --------------------------------------------------------
            SSL Management
    --------------------------------------------------------
    1).  acemtool.sh install
    2).  acmetool.sh update
    3).  acmetool.sh setup
    4).  Issue SSL Management
    5).  Renew SSL Management
    6).  Reissue SSL Management
    7).  Renew All Staging /Test Certs
    8).  Renew ALL Live Certs
    9).  Renew All Live Certs HTTPS Default
    10). Exit
    --------------------------------------------------------
    Enter option [ 1 - 10 ] 1
    --------------------------------------------------------
    
     
    Last edited: Feb 26, 2017
  3. eva2000

    eva2000 Administrator Staff Member


    Issuing a Letsencrypt SSL Certificate via Command Line



    Issuing a Letsencrypt SSL certificate has 2 types. The first is staging test SSL certificates, which like self-signed SSL certificates are NOT web browser trusted. These are mainly the type I suggest you use for addons/acmetool.sh testing at first, as you do not want to hit the live real Letsencrypt SSL certificate rate limits for issuing domains. The second type is live real Letsencrypt SSL certificates, which are web browser trusted.

    Issuance directly via addons/acmetool.sh will auto generate and add the Nginx vhost site to Centmin Mod LEMP based server so your site can be served via Nginx HTTP/2 based HTTPS. In such automation, the Pure-FTPD virtual FTP username and password is auto generated and displayed in the run output.

    If you want more control over the desired Pure-FTPD virtual FTP username and password, you can use the /usr/bin/nv command line, which has been updated to detect the existence of addons/acmetool.sh and automatically expand its existing feature set to generate a new Nginx vhost site with Letsencrypt SSL certificates by calling addons/acmetool.sh within the process.

    Issuing an SSL certificate also works with existing Centmin Mod Nginx vhosts generated via centmin.sh menu option 2, 22 or the /usr/bin/nv methods outlined here, if the existing Nginx vhosts are pretty close to their original generated templates. Particularly, the staticfiles.conf include file must exist, as it contains the location handling for the .well-known directory used for Letsencrypt domain validation. If the existing Nginx vhost already has a /usr/local/nginx/conf/conf.d/yourdomain.com.ssl.conf vhost file, it will be backed up to the defined backup directory ACMEBACKUPDIR='/usr/local/nginx/conf/acmevhostbackup' with a timestamped file name, then moved aside to be replaced with the acmetool.sh generated version within the /usr/local/nginx/conf/conf.d/ directory where Nginx vhosts are located. If you're new to the Centmin Mod structure, check out the official Config Files page for an overview.

    Note



    acmetool.sh will autodetect if the first domain passed on the command line is a subdomain.domain.com or domain.com and auto append the www version, so you do not need to pass the www version, just domain.com or subdomain.domain.com.

    To issue staging test Letsencrypt SSL certificate
    Code (Text):
    ./acmetool.sh issue acme.domain.com
    

    To issue a live real Letsencrypt SSL certificate
    Code (Text):
    ./acmetool.sh issue acme.domain.com live
    

    To issue staging test Letsencrypt SSL certificate + make HTTPS default with HTTP to HTTPS redirect configured
    Code (Text):
    ./acmetool.sh issue acme.domain.com d
    

    To issue a live real Letsencrypt SSL certificate + make HTTPS default with HTTP to HTTPS redirect configured
    Code (Text):
    ./acmetool.sh issue acme.domain.com lived
    


    Issuing a Letsencrypt SSL Certificate via Shell Menu



    Via the shell based menu, invoke it with the command
    Code (Text):
    ./acmetool.sh acme-menu
    

    You'll be greeted with shell based menu options of which option 4 for Issue SSL Management is the one you want
    Code (Text):
    --------------------------------------------------------
            SSL Management         
    --------------------------------------------------------
    1).  acemtool.sh install
    2).  acmetool.sh update
    3).  acmetool.sh setup
    4).  Issue SSL Management
    5).  Renew SSL Management
    6).  Reissue SSL Management
    7).  Renew All Staging /Test Certs
    8).  Renew ALL Live Certs
    9).  Renew All Live Certs HTTPS Default
    10). Exit
    --------------------------------------------------------
    Enter option [ 1 - 10 ] 4
    --------------------------------------------------------
    

    Once you enter option 4, you'll have the submenu listing below, which is self-explanatory really. FYI, S3 options are not available yet.
    Code (Text):
    --------------------------------------------------------
            SSL Issue Management         
    --------------------------------------------------------
    1).  Issue SSL Cert Staging/Test
    2).  Issue SSL Cert Staging/Test HTTPS Default
    3).  Issue SSL Cert Live
    4).  Issue SSL Cert Live HTTPS Default
    5).  Custom Webroot Issue SSL Cert Staging/Test
    6).  Custom Webroot Issue SSL Cert Staging/Test HTTPS Default
    7).  Custom Webroot Issue SSL Cert Live
    8).  Custom Webroot Issue SSL Cert Live HTTPS Default
    9).  S3 Issue SSL Cert
    10). S3 Issue SSL Cert
    11). S3 Issue SSL Cert
    12). S3 Issue SSL Cert
    13). Exit
    --------------------------------------------------------
    Enter option [ 1 - 13 ]
    --------------------------------------------------------
    
     
    Last edited: Oct 10, 2016
  4. eva2000


    Reissuing a Letsencrypt SSL Certificate via Command Line



    Reissuing a Letsencrypt SSL certificate is a refresh of an existing domain's Letsencrypt SSL certificate, and is similar to issuing above in terms of commands and processes.


    Note



    acmetool.sh will autodetect if the first domain passed on the command line is a subdomain.domain.com or domain.com and auto append the www version, so you do not need to pass the www version, just domain.com or subdomain.domain.com.

    To reissue staging test Letsencrypt SSL certificate
    Code (Text):
    ./acmetool.sh reissue acme.domain.com
    

    To reissue a live real Letsencrypt SSL certificate
    Code (Text):
    ./acmetool.sh reissue acme.domain.com live
    

    To reissue staging test Letsencrypt SSL certificate + make HTTPS default with HTTP to HTTPS redirect configured
    Code (Text):
    ./acmetool.sh reissue acme.domain.com d
    

    To reissue a live real Letsencrypt SSL certificate + make HTTPS default with HTTP to HTTPS redirect configured
    Code (Text):
    ./acmetool.sh reissue acme.domain.com lived
    


    Reissuing a Letsencrypt SSL Certificate via Shell Menu



    Via shell based menu invoke it via command
    Code (Text):
    ./acmetool.sh acme-menu
    

    You'll be greeted with shell-based menu options, of which option 6, Reissue SSL Management, is the one you want
    Code (Text):
    --------------------------------------------------------
            SSL Management           
    --------------------------------------------------------
    1).  acemtool.sh install
    2).  acmetool.sh update
    3).  acmetool.sh setup
    4).  Issue SSL Management
    5).  Renew SSL Management
    6).  Reissue SSL Management
    7).  Renew All Staging /Test Certs
    8).  Renew ALL Live Certs
    9).  Renew All Live Certs HTTPS Default
    10). Exit
    --------------------------------------------------------
    Enter option [ 1 - 10 ] 6
    --------------------------------------------------------
    

    Once you've entered option 6, you'll see the submenu listed below, which is fairly self-explanatory. FYI, the S3 options are not available yet.
    Code (Text):
    --------------------------------------------------------
            SSL Reissue Management             
    --------------------------------------------------------
    1).  Reissue SSL Cert Staging/Test
    2).  Reissue SSL Cert Staging/Test HTTPS Default
    3).  Reissue SSL Cert Live
    4).  Reissue SSL Cert Live HTTPS Default
    5).  Custom Webroot Reissue SSL Cert Staging/Test
    6).  Custom Webroot Reissue SSL Cert Staging/Test HTTPS Default
    7).  Custom Webroot Reissue SSL Cert Live
    8).  Custom Webroot Reissue SSL Cert Live HTTPS Default
    9).  S3 Reissue SSL Cert
    10). S3 Reissue SSL Cert
    11). S3 Reissue SSL Cert
    12). S3 Reissue SSL Cert
    13). Exit
    --------------------------------------------------------
    Enter option [ 1 - 13 ]
    
     
    Last edited: Oct 10, 2016
  5. eva2000


    Renewal Letsencrypt SSL Certificates



    This follows the same structure as above.

    Note



    acmetool.sh will autodetect if the first domain passed on the command line is a subdomain.domain.com or domain.com and auto append the www version, so you do not need to pass the www version, just domain.com or subdomain.domain.com.

    To renew staging test Letsencrypt SSL certificate
    Code (Text):
    ./acmetool.sh renew acme.domain.com
    

    To renew a live real Letsencrypt SSL certificate
    Code (Text):
    ./acmetool.sh renew acme.domain.com live
    

    To renew staging test Letsencrypt SSL certificate + make HTTPS default with HTTP to HTTPS redirect configured
    Code (Text):
    ./acmetool.sh renew acme.domain.com d
    

    To renew a live real Letsencrypt SSL certificate + make HTTPS default with HTTP to HTTPS redirect configured
    Code (Text):
    ./acmetool.sh renew acme.domain.com lived
    


    Renewing a Letsencrypt SSL Certificate via Shell Menu



    Via shell based menu invoke it via command
    Code (Text):
    ./acmetool.sh acme-menu
    

    You'll be greeted with shell-based menu options, of which option 5, Renew SSL Management, is the one you want
    Code (Text):
    --------------------------------------------------------
            SSL Management         
    --------------------------------------------------------
    1).  acemtool.sh install
    2).  acmetool.sh update
    3).  acmetool.sh setup
    4).  Issue SSL Management
    5).  Renew SSL Management
    6).  Reissue SSL Management
    7).  Renew All Staging /Test Certs
    8).  Renew ALL Live Certs
    9).  Renew All Live Certs HTTPS Default
    10). Exit
    --------------------------------------------------------
    Enter option [ 1 - 10 ] 5
    --------------------------------------------------------
    

    Once you've entered option 5, you'll see the submenu listed below, which is fairly self-explanatory. FYI, the S3 options are not available yet.
    Code (Text):
    --------------------------------------------------------
            SSL Renew Management            
    --------------------------------------------------------
    1).   Renew SSL Cert Staging/Test
    2).   Renew SSL Cert Staging/Test HTTPS Default
    3).   Renew SSL Cert Live
    4).   Renew SSL Cert Live HTTPS Default
    5).   Custom Webroot Renew SSL Cert Staging/Test
    6).   Custom Webroot Renew SSL Cert Staging/Test HTTPS Default
    7).   Custom Webroot Renew SSL Cert Live
    8).   Custom Webroot Renew SSL Cert Live HTTPS Default
    9).   S3 Renew SSL Cert
    10).  S3 Renew SSL Cert
    11).  S3 Renew SSL Cert
    12).  S3 Renew SSL Cert
    13).  Exit
    --------------------------------------------------------
    Enter option [ 1 - 13 ]
    
     
    Last edited: Oct 10, 2016
  6. eva2000


    addons/acmetool.sh Integration into Nginx Vhost Routines



    In Centmin Mod 123.09beta01, addons/acmetool.sh is also integrated into the Centmin Mod Nginx vhost creation routines via centmin.sh menu option 2, menu option 22 and the /usr/bin/nv command line. You can see an example of the /usr/bin/nv method of generating Nginx vhost site domain accounts at [Guide] Save time creating Nginx vhost & MySQL users and databases | Centmin Mod Community

    Without addons/acmetool.sh, the /usr/bin/nv command usage looks like this
    Code (Text):
    nv
    
    Usage: /bin/nv [-d yourdomain.com] [-s y|n|yd] [-u ftpusername]
    
      -d  yourdomain.com or subdomain.yourdomain.com
      -s  ssl self-signed create = y or n or https only vhost = yd
      -u  your FTP username
    
      example:
    
      /bin/nv -d yourdomain.com -s y -u ftpusername
      /bin/nv -d yourdomain.com -s n -u ftpusername
      /bin/nv -d yourdomain.com -s yd -u ftpusername
    

    When the nv command detects the existence of addons/acmetool.sh via the persistent config file /etc/centminmod/custom_config.inc variable LETSENCRYPT_DETECT='y', the command usage expands and changes to look like this
    Code (Text):
    nv
    
    Usage: /bin/nv [-d yourdomain.com] [-s y|n|yd|le|led|lelive|lelived] [-u ftpusername]
    
      -d  yourdomain.com or subdomain.yourdomain.com
      -s  ssl self-signed create = y or n or https only vhost = yd
      -s  le - letsencrypt test cert or led test cert with https default
      -s  lelive - letsencrypt live cert or lelived live cert with https default
      -u  your FTP username
    
      example:
    
      /bin/nv -d yourdomain.com -s y -u ftpusername
      /bin/nv -d yourdomain.com -s n -u ftpusername
      /bin/nv -d yourdomain.com -s yd -u ftpusername
      /bin/nv -d yourdomain.com -s le -u ftpusername
      /bin/nv -d yourdomain.com -s led -u ftpusername
      /bin/nv -d yourdomain.com -s lelive -u ftpusername
      /bin/nv -d yourdomain.com -s lelived -u ftpusername
    
     
    Last edited: Sep 11, 2016
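    As an added example that is not part of the original post or of Centmin Mod's own code: nv and centmin.sh read their LETSENCRYPT_DETECT setting (and, later in this thread, the KEYLENGTH override) from the persistent config file /etc/centminmod/custom_config.inc. The functions below extract such a KEY='value' assignment from that kind of file without sourcing it, which matters because anything sourced as root is executed as root. How Centmin Mod itself loads the file is not shown on this page; the function names cfg_get, le_detect_enabled, acme_keylength and demo_config, and the sample config they use, are mine.

```shell
#!/usr/bin/env bash
# Added example, not Centmin Mod's own code: read one KEY='value' assignment
# out of a persistent config file such as /etc/centminmod/custom_config.inc
# without sourcing it. Sourcing a config as root executes anything in the
# file; extracting the value with grep/sed only ever reads it. Quoting rules
# handled here (optional single or double quotes, trailing comments, last
# assignment wins) approximate what a shell applies when sourcing the file.

# cfg_get FILE VAR -> prints VAR's value; returns 1 if FILE or VAR is absent
cfg_get() {
  local file="$1" var="$2" line val
  [ -r "$file" ] || return 1
  # last uncommented assignment wins, matching what sourcing would leave set
  line=$(grep -E "^[[:space:]]*${var}=" "$file" | tail -n 1)
  [ -n "$line" ] || return 1
  val=$(printf '%s' "${line#*=}" | sed -E 's/^[[:space:]]+//')
  case "$val" in
    \'*) val=${val#\'}; val=${val%%\'*} ;;                          # 'quoted'
    \"*) val=${val#\"}; val=${val%%\"*} ;;                          # "quoted"
    *)   val=$(printf '%s' "$val" | sed -E 's/[[:space:]].*$//') ;; # bare word
  esac
  printf '%s\n' "$val"
}

# le_detect_enabled FILE -> 0 when LETSENCRYPT_DETECT='y' (acmetool.sh
# integration switched on for centmin.sh options 2/22 and nv), 1 otherwise
le_detect_enabled() {
  [ "$(cfg_get "$1" LETSENCRYPT_DETECT 2>/dev/null)" = "y" ]
}

# acme_keylength FILE -> effective KEYLENGTH: the override from FILE, or the
# acmetool.sh default of 2048 when none is set
acme_keylength() {
  local v
  v=$(cfg_get "$1" KEYLENGTH 2>/dev/null) || v=2048
  printf '%s\n' "${v:-2048}"
}

# demo_config -> path to a constructed sample config (not a real server's
# file) so the functions above can be exercised stand-alone
demo_config() {
  local f
  f=$(mktemp)
  cat >"$f" <<'EOF'
# constructed sample of /etc/centminmod/custom_config.inc
LETSENCRYPT_DETECT='y'
KEYLENGTH='2048'
KEYLENGTH='ec-256'   # a later assignment overrides the earlier one
echo "this line would run if the file were sourced instead of parsed"
EOF
  printf '%s\n' "$f"
}
```

    Usage: `f=$(demo_config); cfg_get "$f" KEYLENGTH` prints `ec-256` and the echo line in the sample file never runs; `acme_keylength /nonexistent` prints the 2048 default.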
  7. eva2000


    addons/acmetool.sh Integration into Nginx Vhost Routines - Part 2



    Continuing from the previous post, here's an example of the centmin.sh menu option 2 integration when addons/acmetool.sh is detected via the persistent config file /etc/centminmod/custom_config.inc variable LETSENCRYPT_DETECT='y'.

    Run centmin.sh menu option 2 to add a new Nginx vhost = newdomain10.com with Letsencrypt SSL certificate from staging test server.
    Code (Text):
    ./centmin.sh
    
    --------------------------------------------------------
         Centmin Mod Menu 123.09beta01 centminmod.com 
    --------------------------------------------------------
    1).  Centmin Install
    2).  Add Nginx vhost domain
    3).  NSD setup domain name DNS
    4).  Nginx Upgrade / Downgrade
    5).  PHP Upgrade / Downgrade
    6).  XCache Re-install
    7).  APC Cache Re-install
    8).  XCache Install
    9).  APC Cache Install
    10). Memcached Server Re-install
    11). MariaDB 5.2/5.5 & 10.x Upgrade Sub-Menu
    12). Zend OpCache Install/Re-install
    13). Install/Reinstall Redis PHP Extension
    14). SELinux disable
    15). Install/Reinstall ImagicK PHP Extension
    16). Change SSHD Port Number
    17). Multi-thread compression: pigz,pbzip2,lbzip2...
    18). Suhosin PHP Extension install
    19). Install FFMPEG and FFMPEG PHP Extension
    20). NSD Install/Re-Install
    21). Update - Nginx + PHP-FPM + Siege
    22). Add Wordpress Nginx vhost + Cache Plugin
    23). Update Centmin Mod Code Base
    24). Exit
    --------------------------------------------------------
    Enter option [ 1 - 24 ] 2
    --------------------------------------------------------
    

    centmin.sh menu option 2's prompted questions and choices when addons/acmetool.sh is detected
    Code (Text):
    ---------------------------------------------
    
    Enter vhost domain name to add (without www. prefix): newdomain10.com
    
    Create a self-signed SSL certificate Nginx vhost? [y/n]: y
    Get Letsencrypt SSL certificate Nginx vhost? [y/n]: y
    
    You have 4 options:
    1. issue staging test cert with HTTP + HTTPS
    2. issue staging test cert with HTTPS default
    3. issue live cert with HTTP + HTTPS
    4. issue live cert with HTTPS default
    Enter option number 1-4: 1
    
    
    Create FTP username for vhost domain (enter username): ftpusername
    Auto generate FTP password (recommended) [y/n]: y
    
    FTP username you entered: ftpusername
    FTP password auto generated: ****
    
    Password:
    Enter it again:
    ---------------------------------------------------------------
    SSL Vhost Setup...
    ---------------------------------------------------------------
    
    ---------------------------------------------------------------
    Generating self signed SSL certificate...
    CSR file can also be used to be submitted for paid SSL certificates
    If using for paid SSL certificates be sure to keep both private key and CSR safe
    creating CSR File: newdomain10.com.csr
    creating private key: newdomain10.com.key
    creating self-signed SSL certificate: newdomain10.com.crt
    Generating a 2048 bit RSA private key
    ..................................................................................................................+++
    ...................................................+++
    writing new private key to 'newdomain10.com.key'
    -----
    Signature ok
    subject=/C=US/ST=California/L=Los Angeles/O=newdomain10.com/OU=newdomain10.com/CN=newdomain10.com
    Getting Private key
    

    continuation of the routine
    Code (Text):
    ---------------------------------------------------------------
    Generating dhparam.pem file - can take a few minutes...
    Generating DH parameters, 2048 bit long safe prime, generator 2
    This is going to take a long time
    .......++*++*
    dhparam file generation time: 41.115482207
    
    -------------------------------------------------------------
    generated nginx include file: /usr/local/nginx/conf/autoprotect/newdomain10.com/autoprotect-newdomain10.com.conf
    
    autoprotect.sh run completed...
    
    Restarting nginx (via systemctl):  [  OK  ]
    service nginx reload
    Reloading nginx configuration (via systemctl):  [  OK  ]
    systemctl restart pure-ftpd.service
    

    Start of the addons/acmetool.sh routine when detected. Note that Letsencrypt domain validation failed, as newdomain10.com is not a valid domain with working DNS. When this happens, Centmin Mod falls back on the self-signed SSL certificate that is also auto generated, so as to keep the HTTPS Nginx vhost in place.

    The acme.sh client is always auto updated on each run to ensure the latest code is in place before it is used to issue a Letsencrypt SSL certificate
    Code (Text):
    -------------------------------------------------------------
    ok: /usr/local/src/centminmod/addons/acmetool.sh
    /usr/local/src/centminmod/addons/acmetool.sh issue newdomain10.com
    
    -------------------------------------------------
    acmetool.sh is in beta testing phase
    please read & provide bug reports &
    feedback for this tool via the forums
    https://community.centminmod.com/posts/34492/
    -------------------------------------------------
    
    continue [y/n] ? y
    
    -----------------------------------------------------
    updating acme.sh client...
    -----------------------------------------------------
    [Fri Aug 12 14:04:46 UTC 2016] Installing to /root/.acme.sh
    [Fri Aug 12 14:04:46 UTC 2016] Installed to /root/.acme.sh/acme.sh
    [Fri Aug 12 14:04:46 UTC 2016] OK, Close and reopen your terminal to start using acme.sh
    [Fri Aug 12 14:04:46 UTC 2016] Installing cron job
    0 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null
    [Fri Aug 12 14:04:46 UTC 2016] Good, bash is installed, change the shebang to use bash as prefered.
    [Fri Aug 12 14:04:46 UTC 2016] OK
    https://github.com/Neilpang/acme.sh
    v2.3.6
    -----------------------------------------------------
    acme.sh updated
    -----------------------------------------------------
    
    -----------------------------------------------------------
    issue & install letsencrypt ssl certificate for newdomain10.com
    -----------------------------------------------------------
    /root/.acme.sh/acme.sh --staging --issue -d newdomain10.com -w /home/nginx/domains/newdomain10.com/public -k 2048 --useragent centminmod-centos7-acmesh-webroot
    [Fri Aug 12 14:04:47 UTC 2016] Using stage api:https://acme-staging.api.letsencrypt.org
    [Fri Aug 12 14:04:47 UTC 2016] Skip register account key
    [Fri Aug 12 14:04:47 UTC 2016] Creating domain key
    [Fri Aug 12 14:04:47 UTC 2016] Use length 2048
    [Fri Aug 12 14:04:47 UTC 2016] Creating csr
    [Fri Aug 12 14:04:47 UTC 2016] Single domain='newdomain10.com'
    [Fri Aug 12 14:04:47 UTC 2016] Verify each domain
    [Fri Aug 12 14:04:47 UTC 2016] Getting webroot for domain='newdomain10.com'
    [Fri Aug 12 14:04:47 UTC 2016] Getting token for domain='newdomain10.com'
    [Fri Aug 12 14:04:50 UTC 2016] Verifying:newdomain10.com
    [Fri Aug 12 14:04:58 UTC 2016] newdomain10.com:Verify error:DNS problem: NXDOMAIN looking up A for newdomain10.com
    -------------------------------------------------------------
    

    The last line of output reports that newdomain10.com does not have a valid DNS setup, as expected
    Code (Text):
    newdomain10.com:Verify error:DNS problem: NXDOMAIN looking up A for newdomain10.com
    

    Nginx vhost pure-ftpd login details etc.
    Code (Text):
    -------------------------------------------------------------
    FTP hostname : IPADDR
    FTP port : 21
    FTP mode : FTP (explicit SSL)
    FTP Passive (PASV) : ensure is checked/enabled
    FTP username created for newdomain10.com : ftpusername
    FTP password created for newdomain10.com : ****
    -------------------------------------------------------------
    vhost for newdomain10.com created successfully
    
    domain: http://newdomain10.com
    vhost conf file for newdomain10.com created: /usr/local/nginx/conf/conf.d/newdomain10.com.conf
    
    vhost ssl for newdomain10.com created successfully
    
    domain: https://newdomain10.com
    vhost ssl conf file for newdomain10.com created: /usr/local/nginx/conf/conf.d/newdomain10.com.ssl.conf
    /usr/local/nginx/conf/ssl_include.conf created
    Self-signed SSL Certificate: /usr/local/nginx/conf/ssl/newdomain10.com/newdomain10.com.crt
    SSL Private Key: /usr/local/nginx/conf/ssl/newdomain10.com/newdomain10.com.key
    SSL CSR File: /usr/local/nginx/conf/ssl/newdomain10.com/newdomain10.com.csr
    Backup SSL Private Key: /usr/local/nginx/conf/ssl/newdomain10.com/newdomain10.com-backup.key
    Backup SSL CSR File: /usr/local/nginx/conf/ssl/newdomain10.com/newdomain10.com-backup.csr
    
    upload files to /home/nginx/domains/newdomain10.com/public
    vhost log files directory is /home/nginx/domains/newdomain10.com/log
    
    -------------------------------------------------------------
    Current vhost listing at: /usr/local/nginx/conf/conf.d/
                       
    Aug 11  11:43   846    ssl.conf
    Aug 11  11:43   1.1K   demodomain.com.conf
    Aug 11  11:52   1.6K   virtual.conf
    Aug 12  14:04   2.2K   newdomain10.com.conf
    Aug 12  14:04   3.9K   newdomain10.com.ssl.conf
    
    -------------------------------------------------------------
    Current vhost ssl files listing at: /usr/local/nginx/conf/ssl/newdomain10.com
                       
    Aug 12  14:03   1.7K   newdomain10.com.key
    Aug 12  14:03   1.1K   newdomain10.com.csr
    Aug 12  14:03   1.3K   newdomain10.com.crt
    Aug 12  14:03   1.7K   newdomain10.com-backup.key
    Aug 12  14:03   1.1K   newdomain10.com-backup.csr
    Aug 12  14:03   45     hpkp-info-primary-pin.txt
    Aug 12  14:03   45     hpkp-info-secondary-pin.txt
    Aug 12  14:04   424    dhparam.pem
    
    -------------------------------------------------------------
    Commands to remove newdomain10.com
    
    pure-pw userdel ftpusername
    rm -rf /usr/local/nginx/conf/conf.d/newdomain10.com.conf
    rm -rf /usr/local/nginx/conf/conf.d/newdomain10.com.ssl.conf
    rm -rf /usr/local/nginx/conf/ssl/newdomain10.com/newdomain10.com.crt
    rm -rf /usr/local/nginx/conf/ssl/newdomain10.com/newdomain10.com.key
    rm -rf /usr/local/nginx/conf/ssl/newdomain10.com/newdomain10.com.csr
    rm -rf /usr/local/nginx/conf/ssl/newdomain10.com
    rm -rf /home/nginx/domains/newdomain10.com
    service nginx restart
    -------------------------------------------------------------
    vhost for newdomain10.com setup successfully
    newdomain10.com setup info log saved at:
    /root/centminlogs/centminmod_1.2.3-eva2000.09.001_120816-140252_nginx_addvhost.log
    -------------------------------------------------------------
    
     
    Last edited: Sep 11, 2016
  8. eva2000


    Creating Nginx HTTPS Vhost + ECC 256 bit ECDSA SSL Certificates



    addons/acmetool.sh defaults to traditional RSA 2048-bit SSL certificates but also supports ECC 256-bit ECDSA SSL certificates. You can switch to ECDSA-based SSL certificates by overriding the KEYLENGTH variable set in addons/acmetool.sh, which defaults to KEYLENGTH='2048', to KEYLENGTH='ec-256'.

    To override this you do not edit addons/acmetool.sh, but instead create a persistent config file at /etc/centminmod/acmetool-config.ini or at /etc/centminmod/custom_config.inc and enter the value into the file.
    Code (Text):
    KEYLENGTH='ec-256'

    Then whenever addons/acmetool.sh, centmin.sh menu option 2 or 22, or /usr/bin/nv is invoked, it will detect that /etc/centminmod/acmetool-config.ini exists and override in addons/acmetool.sh whatever variables you have set in /etc/centminmod/acmetool-config.ini.

    An example via the /usr/bin/nv method of creating a Letsencrypt ECC 256-bit ECDSA SSL certificate using the staging test method for acme1.domain.com
    Code (Text):
    nv -d acme1.domain.com -s le -u ftpusername


    Note that the Letsencrypt SSL certificates are installed into /usr/local/nginx/conf/ssl/acme1.domain.com, with a -ecc suffix for ECDSA SSL certificates
    Code (Text):
    Aug 13  14:22   3.1K   acme1.domain.com-acme-ecc.cer
    Aug 13  14:22   302    acme1.domain.com-acme-ecc.key
    Aug 13  14:22   3.1K   acme1.domain.com-fullchain-acme-ecc.key

    Example output
    Code (Text):
    nv -d acme1.domain.com -s le -u ftpusername
    ---------------------------------------------------------------
    Nginx Vhost Setup...
    ---------------------------------------------------------------
    
    
    FTP password auto generated: ***
    
    Password:
    Enter it again:
    ---------------------------------------------------------------
    SSL Vhost Setup...
    ---------------------------------------------------------------
    
    ---------------------------------------------------------------
    Generating self signed SSL certificate...
    CSR file can also be used to be submitted for paid SSL certificates
    If using for paid SSL certificates be sure to keep both private key and CSR safe
    creating CSR File: acme1.domain.com.csr
    creating private key: acme1.domain.com.key
    creating self-signed SSL certificate: acme1.domain.com.crt
    Generating a 2048 bit RSA private key
    ...................................................................................................+++
    .................................................................+++
    writing new private key to 'acme1.domain.com.key'
    -----
    No value provided for Subject Attribute C, skipped
    No value provided for Subject Attribute ST, skipped
    No value provided for Subject Attribute L, skipped
    Signature ok
    subject=/O=acme1.domain.com/OU=acme1.domain.com/CN=acme1.domain.com
    Getting Private key
    
    ---------------------------------------------------------------
    Generating backup CSR and private key for HTTP Public Key Pinning...
    creating CSR File: acme1.domain.com-backup.csr
    creating private key: acme1.domain.com-backup.key
    Generating a 2048 bit RSA private key
    .........................................+++
    ..............+++
    writing new private key to 'acme1.domain.com-backup.key'
    -----
    ---------------------------------------------------------------
    Generating dhparam.pem file - can take a few minutes...
    Generating DH parameters, 2048 bit long safe prime, generator 2
    This is going to take a long time
    .............++*++*
    dhparam file generation time: 138.735859393
    
    -------------------------------------------------------------
    /usr/local/src/centminmod/tools/autoprotect.sh
    generated nginx include file: /usr/local/nginx/conf/autoprotect/acme1.domain.com/autoprotect-acme1.domain.com.conf
    
    autoprotect.sh run completed...
    
    Restarting nginx (via systemctl):  [  OK  ]
    Restarting nginx (via systemctl):  [  OK  ]
    systemctl restart pure-ftpd.service
    
    -------------------------------------------------------------
    ok: /usr/local/src/centminmod/addons/acmetool.sh
    /usr/local/src/centminmod/addons/acmetool.sh issue acme1.domain.com
    
    -------------------------------------------------
    acmetool.sh is in beta testing phase
    please read & provide bug reports &
    feedback for this tool via the forums
    https://community.domain.com/posts/34492/
    -------------------------------------------------
    
    continue [y/n] ? y
    
    -----------------------------------------------------
    updating acme.sh client...
    -----------------------------------------------------
    [Sat Aug 13 14:22:14 UTC 2016] Installing to /root/.acme.sh
    [Sat Aug 13 14:22:14 UTC 2016] Installed to /root/.acme.sh/acme.sh
    [Sat Aug 13 14:22:14 UTC 2016] OK, Close and reopen your terminal to start using acme.sh
    [Sat Aug 13 14:22:14 UTC 2016] Installing cron job
    0 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null
    [Sat Aug 13 14:22:15 UTC 2016] Good, bash is installed, change the shebang to use bash as prefered.
    [Sat Aug 13 14:22:15 UTC 2016] OK
    https://github.com/Neilpang/acme.sh
    v2.4.0
    -----------------------------------------------------
    acme.sh updated
    -----------------------------------------------------
    
    -----------------------------------------------------------
    issue & install letsencrypt ssl certificate for acme1.domain.com
    -----------------------------------------------------------
    /root/.acme.sh/acme.sh --staging --issue -d acme1.domain.com -w /home/nginx/domains/acme1.domain.com/public -k ec-256 --useragent centminmod-centos7-acmesh-webroot
    [Sat Aug 13 14:22:15 UTC 2016] Using stage api:https://acme-staging.api.letsencrypt.org
    [Sat Aug 13 14:22:18 UTC 2016] Registering account
    [Sat Aug 13 14:22:24 UTC 2016] Already registered
    [Sat Aug 13 14:22:24 UTC 2016] Creating domain key
    [Sat Aug 13 14:22:24 UTC 2016] Use length 256
    [Sat Aug 13 14:22:24 UTC 2016] Using ec name: prime256v1
    [Sat Aug 13 14:22:24 UTC 2016] Single domain='acme1.domain.com'
    [Sat Aug 13 14:22:24 UTC 2016] Verify each domain
    [Sat Aug 13 14:22:24 UTC 2016] Getting webroot for domain='acme1.domain.com'
    [Sat Aug 13 14:22:24 UTC 2016] Getting token for domain='acme1.domain.com'
    [Sat Aug 13 14:22:34 UTC 2016] Verifying:acme1.domain.com
    [Sat Aug 13 14:22:47 UTC 2016] Success
    [Sat Aug 13 14:22:48 UTC 2016] Verify finished, start to sign.
    [Sat Aug 13 14:22:55 UTC 2016] Cert success.
    -----BEGIN CERTIFICATE-----
    MIIEIjCCAwqgAwIBAgITAPoxK7At7f4sb2dl2qzAE13HDjANBgkqhkiG9w0BAQsF
    ADAiMSAwHgYDVQQDDBdGYWtlIExFIEludGVybWVkaWF0ZSBYMTAeFw0xNjA4MTMx
    MzIzMDBaFw0xNjExMTExMzIzMDBaMB8xHTAbBgNVBAMTFGFjbWUxLmNlbnRtaW5t
    b2QuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEssNPpigSCt9yKmytSTgl
    DsudCpSEs7as/p85Nu2Casffr4fgcvbt20atFgdjqdB4JOAtpL1lsuxeGcr4WG4V
    rqOCAh0wggIZMA4GA1UdDwEB/wQEAwIHgDAdBgNVHSUEFjAUBggrBgEFBQcDAQYI
    KwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUczFrFpQ9dyDbmXjMiU6l
    hW74biEwHwYDVR0jBBgwFoAUwMwDRrlYIMxccnDz4S7LIKb1aDoweAYIKwYBBQUH
    AQEEbDBqMDMGCCsGAQUFBzABhidodHRwOi8vb2NzcC5zdGctaW50LXgxLmxldHNl
    bmNyeXB0Lm9yZy8wMwYIKwYBBQUHMAKGJ2h0dHA6Ly9jZXJ0LnN0Zy1pbnQteDEu
    bGV0c2VuY3J5cHQub3JnLzAfBgNVHREEGDAWghRhY21lMS5jZW50bWlubW9kLmNv
    bTCB/gYDVR0gBIH2MIHzMAgGBmeBDAECATCB5gYLKwYBBAGC3xMBAQEwgdYwJgYI
    KwYBBQUHAgEWGmh0dHA6Ly9jcHMubGV0c2VuY3J5cHQub3JnMIGrBggrBgEFBQcC
    AjCBngyBm1RoaXMgQ2VydGlmaWNhdGUgbWF5IG9ubHkgYmUgcmVsaWVkIHVwb24g
    YnkgUmVseWluZyBQYXJ0aWVzIGFuZCBvbmx5IGluIGFjY29yZGFuY2Ugd2l0aCB0
    aGUgQ2VydGlmaWNhdGUgUG9saWN5IGZvdW5kIGF0IGh0dHBzOi8vbGV0c2VuY3J5
    cHQub3JnL3JlcG9zaXRvcnkvMA0GCSqGSIb3DQEBCwUAA4IBAQDIgMsNYblYiGP8
    phRlZp4Qn5XFNaUKOFDdVXNp6CclQ5CbqmvqLdroJ763cj4r9Tq7cmDTfoz7JwPo
    wvcvWiSFMFVoJHNT54pHVyhiGSpp90erF43hnFJf/vFN2cvf2jehHCUShKeAcqdG
    xXjQySsJOps+aw6rbVRx3rcLV5OJniC71bZ0hZX0V1SkIHuLgsWXpsE3iEzkc4X8
    TbYDEhkfaHKXAbFQi3GJwS0tsFzH+0+WGyPowBEKL0k2792LuA3TteLUuYUMVOKf
    5Fap+RXm4z7AGtE6Vrw15g3RZ21yxP1p8BTKR6NjBh1fPCUVhSEDPFYyIpGBcPPH
    eF3Y6mf/
    -----END CERTIFICATE-----
    [Sat Aug 13 14:22:55 UTC 2016] Your cert is in /root/.acme.sh/acme1.domain.com_ecc/acme1.domain.com.cer
    [Sat Aug 13 14:22:57 UTC 2016] The intermediate CA cert is in /root/.acme.sh/acme1.domain.com_ecc/ca.cer
    [Sat Aug 13 14:22:57 UTC 2016] And the full chain certs is there: /root/.acme.sh/acme1.domain.com_ecc/fullchain.cer
      ssl_certificate      /usr/local/nginx/conf/ssl/acme1.domain.com/acme1.domain.com-acme-ecc.cer;
      ssl_certificate_key  /usr/local/nginx/conf/ssl/acme1.domain.com/acme1.domain.com-acme-ecc.key;
      #ssl_trusted_certificate /usr/local/nginx/conf/ssl/acme1.domain.com/acme1.domain.com-acme-ecc.cer;
    
    -----------------------------------------------------------
    install cert
    -----------------------------------------------------------
    /root/.acme.sh/acme.sh --installcert -d acme1.domain.com --certpath /usr/local/nginx/conf/ssl/acme1.domain.com/acme1.domain.com-acme-ecc.cer --keypath /usr/local/nginx/conf/ssl/acme1.domain.com/acme1.domain.com-acme-ecc.key --capath /usr/local/nginx/conf/ssl/acme1.domain.com/acme1.domain.com-acme-ecc.cer --reloadCmd /usr/bin/ngxreload --fullchainpath /usr/local/nginx/conf/ssl/acme1.domain.com/acme1.domain.com-fullchain-acme-ecc.key --ecc
    [Sat Aug 13 14:22:57 UTC 2016] Installing cert to:/usr/local/nginx/conf/ssl/acme1.domain.com/acme1.domain.com-acme-ecc.cer
    [Sat Aug 13 14:22:57 UTC 2016] Installing CA to:/usr/local/nginx/conf/ssl/acme1.domain.com/acme1.domain.com-acme-ecc.cer
    [Sat Aug 13 14:22:57 UTC 2016] Installing key to:/usr/local/nginx/conf/ssl/acme1.domain.com/acme1.domain.com-acme-ecc.key
    [Sat Aug 13 14:22:57 UTC 2016] Installing full chain to:/usr/local/nginx/conf/ssl/acme1.domain.com/acme1.domain.com-fullchain-acme-ecc.key
    [Sat Aug 13 14:22:57 UTC 2016] Run Le_ReloadCmd: /usr/bin/ngxreload
    Reloading nginx configuration (via systemctl):  [  OK  ]
    [Sat Aug 13 14:22:58 UTC 2016] Reload success
    
    letsencrypt ssl certificate setup completed
    
    -------------------------------------------------------------
    
    
    -------------------------------------------------------------
    FTP hostname : IPADDR
    FTP port : 21
    FTP mode : FTP (explicit SSL)
    FTP Passive (PASV) : ensure is checked/enabled
    FTP username created for acme1.domain.com : ftpusername
    FTP password created for acme1.domain.com : ***
    -------------------------------------------------------------
    vhost for acme1.domain.com created successfully
    
    domain: http://acme1.domain.com
    vhost conf file for acme1.domain.com created: /usr/local/nginx/conf/conf.d/acme1.domain.com.conf
    
    vhost ssl for acme1.domain.com created successfully
    
    domain: https://acme1.domain.com
    vhost ssl conf file for acme1.domain.com created: /usr/local/nginx/conf/conf.d/acme1.domain.com.ssl.conf
    /usr/local/nginx/conf/ssl_include.conf created
    Self-signed SSL Certificate: /usr/local/nginx/conf/ssl/acme1.domain.com/acme1.domain.com.crt
    SSL Private Key: /usr/local/nginx/conf/ssl/acme1.domain.com/acme1.domain.com.key
    SSL CSR File: /usr/local/nginx/conf/ssl/acme1.domain.com/acme1.domain.com.csr
    Backup SSL Private Key: /usr/local/nginx/conf/ssl/acme1.domain.com/acme1.domain.com-backup.key
    Backup SSL CSR File: /usr/local/nginx/conf/ssl/acme1.domain.com/acme1.domain.com-backup.csr
    
    upload files to /home/nginx/domains/acme1.domain.com/public
    vhost log files directory is /home/nginx/domains/acme1.domain.com/log
    
    -------------------------------------------------------------
    Current vhost listing at: /usr/local/nginx/conf/conf.d/
    
                         
    Aug 1   19:22   2.1K   acme2.domain.com.conf
    Aug 1   19:22   2.2K   acme.domain.com.conf
    Aug 1   19:22   4.4K   acme2.domain.com.ssl.conf
    Aug 1   19:22   845    ssl.conf
    Aug 1   19:22   1.1K   demodomain.com.conf
    Aug 1   19:22   4.4K   acme.domain.com.ssl.conf
    Aug 1   19:22   1.9K   virtual.conf
    Aug 13  14:22   2.1K   acme1.domain.com.conf
    Aug 13  14:22   4.0K   acme1.domain.com.ssl.conf
    
    -------------------------------------------------------------
    Current vhost ssl files listing at: /usr/local/nginx/conf/ssl/acme1.domain.com
    
                         
    Aug 13  14:17   1.7K   acme1.domain.com.key
    Aug 13  14:17   989    acme1.domain.com.csr
    Aug 13  14:17   1.2K   acme1.domain.com.crt
    Aug 13  14:17   1.7K   acme1.domain.com-backup.key
    Aug 13  14:17   989    acme1.domain.com-backup.csr
    Aug 13  14:17   45     hpkp-info-primary-pin.txt
    Aug 13  14:17   45     hpkp-info-secondary-pin.txt
    Aug 13  14:19   424    dhparam.pem
    Aug 13  14:22   321    acme-vhost-config.txt
    Aug 13  14:22   3.1K   acme1.domain.com-acme-ecc.cer
    Aug 13  14:22   302    acme1.domain.com-acme-ecc.key
    Aug 13  14:22   3.1K   acme1.domain.com-fullchain-acme-ecc.key
    
    -------------------------------------------------------------
    Commands to remove acme1.domain.com
    
    pure-pw userdel ftpusername
    rm -rf /usr/local/nginx/conf/conf.d/acme1.domain.com.conf
    rm -rf /usr/local/nginx/conf/conf.d/acme1.domain.com.ssl.conf
    rm -rf /usr/local/nginx/conf/ssl/acme1.domain.com/acme1.domain.com.crt
    rm -rf /usr/local/nginx/conf/ssl/acme1.domain.com/acme1.domain.com.key
    rm -rf /usr/local/nginx/conf/ssl/acme1.domain.com/acme1.domain.com.csr
    rm -rf /usr/local/nginx/conf/ssl/acme1.domain.com
    rm -rf /home/nginx/domains/acme1.domain.com
    service nginx restart
    
    -------------------------------------------------------------
    vhost for acme1.domain.com setup successfully
    acme1.domain.com setup info log saved at:
    /root/centminlogs/centminmod_130816-141655_nginx_addvhost_nv.log
    -------------------------------------------------------------

    Chrome Security Tab will show ECDSA based SSL certificate


    addons/acmetool.sh checkdates option
    Code (Text):
    ./acmetool.sh checkdates                                              
    
    /usr/local/nginx/conf/ssl/acme.domain.com/acme.domain.com-acme.cer
    certificate expires in 21 days on 4 Sep 2016
    
    /usr/local/nginx/conf/ssl/acme2.domain.com/acme2.domain.com-acme.cer
    certificate expires in 19 days on 2 Sep 2016
    
    /usr/local/nginx/conf/ssl/acme1.domain.com/acme1.domain.com-acme-ecc.cer
    certificate expires in 89 days on 11 Nov 2016
     
    Last edited: Aug 14, 2016
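The checkdates output above is produced by acmetool.sh itself. As an added example that is not part of acmetool.sh or the original post, the bash script below does the equivalent check against any PEM certificate file with openssl and GNU date, and adds the renewal-window warning a monitoring cron job would want: Letsencrypt certificates live 90 days, so anything under 30 days left should already have been renewed. The 30-day threshold and the script name certcheck.sh are assumptions, not acmetool.sh settings.

```bash
#!/usr/bin/env bash
# Added example (not acmetool.sh's checkdates code): report days until a
# certificate file expires and flag anything inside the renewal window.
set -u

# days_until NOT_AFTER [NOW]: whole days from NOW (default: current time) to the
# notAfter value exactly as printed by `openssl x509 -enddate`, for example
# "notAfter=Nov 11 14:22:00 2016 GMT". Requires GNU date (-d). Negative when
# the certificate has already expired.
days_until() {
  local end=${1#notAfter=} now=${2:-now} end_s now_s
  end_s=$(date -u -d "$end" +%s) || return 1
  now_s=$(date -u -d "$now" +%s) || return 1
  echo $(( (end_s - now_s) / 86400 ))
}

# cert_days_left CERT_FILE: days until the PEM certificate in CERT_FILE expires.
cert_days_left() {
  local end
  end=$(openssl x509 -enddate -noout -in "$1") || return 1
  days_until "$end"
}

# check_cert CERT_FILE [WARN_DAYS]: prints a one-line status. Returns 0 while
# the certificate is outside the renewal window, 1 when it needs attention.
# WARN_DAYS defaults to 30 (assumed; acme.sh's own cron renews at ~60 days
# of age, i.e. ~30 days left, so a cert inside this window means auto-renewal
# has not happened and should be investigated).
check_cert() {
  local file=$1 warn=${2:-30} days
  days=$(cert_days_left "$file") || { echo "$file: cannot read certificate"; return 1; }
  if [ "$days" -lt 0 ]; then
    echo "$file: EXPIRED $(( -days )) days ago"; return 1
  fi
  if [ "$days" -lt "$warn" ]; then
    echo "$file: expires in $days days - RENEW"; return 1
  fi
  echo "$file: expires in $days days"
}

# Usage: ./certcheck.sh /usr/local/nginx/conf/ssl/*/*-acme*.cer
# Exit status is non-zero if any certificate needs attention, so it can be
# wired straight into cron or a monitoring check.
if [ "$#" -gt 0 ]; then
  rc=0
  for f in "$@"; do check_cert "$f" || rc=1; done
  exit $rc
fi
```

The glob in the usage line matches both the RSA (-acme.cer) and ECC (-acme-ecc.cer) certificate names that acmetool.sh writes into /usr/local/nginx/conf/ssl/<domain>/, as shown in the file listing above.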
  9. eva2000

    eva2000 Administrator Staff Member


SAN Multi-Domain SSL Certificates



    One of the extended features only available in SSH command line addons/acmetool.sh and not available in the menu mode, is support for multi-domain SAN SSL certificates. Meaning a single SSL certificate that covers more than one domain name i.e. to cover domain1.com and domain2.com.

In the context of Nginx vhost auto generation there's not much use for SAN SSL certificates, as Letsencrypt domain validation requires that they resolve to the same public web root - so domain1.com and domain2.com will serve the same files from the web root at /home/nginx/domains/domain1.com/public. Not many folks would need domain1.com and domain2.com to point to the same web site unless for domain parking. Though a legit use would be if you want to cover different domain extensions to the same site i.e. cover domain1.com, domain1.net, domain1.org, domain1.xyz all on the same SAN SSL certificate that point to the same files from the web root at /home/nginx/domains/domain1.com/public.

To issue a SAN SSL certificate with addons/acmetool.sh, the domain names need to be passed as a comma separated list without spaces.

Example for domain1.com and domain2.com coverage. You need to specify the www for domain2.com specifically too. For the 1st domain listed, acmetool.sh automatically detects if your domain is top level or not and appends the www version of domain1.com.
    Code (Text):
    ./acmetool.sh issue domain1.com,domain2.com,www.domain2.com lived
    

The last option flag, lived, means live letsencrypt SSL certificate set as HTTPS default, as outlined in the 3rd post at https://centminmod.com/acmetool/

Full output; of course validation failed as these were dummy domains without proper DNS setup.
    Code (Text):
    ./acmetool.sh issue domain1.com,domain2.com,www.domain2.com lived
    
    -----------------------------------------------------
    updating acme.sh client...
    -----------------------------------------------------
    [Sat Aug 13 23:42:00 UTC 2016] Installing to /root/.acme.sh
    [Sat Aug 13 23:42:00 UTC 2016] Installed to /root/.acme.sh/acme.sh
    [Sat Aug 13 23:42:00 UTC 2016] OK, Close and reopen your terminal to start using acme.sh
    [Sat Aug 13 23:42:00 UTC 2016] Installing cron job
    0 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null
    [Sat Aug 13 23:42:00 UTC 2016] Good, bash is installed, change the shebang to use bash as prefered.
    [Sat Aug 13 23:42:00 UTC 2016] OK
    https://github.com/Neilpang/acme.sh
    v2.4.0
    -----------------------------------------------------
    acme.sh updated
    -----------------------------------------------------
    domain1.com,domain2.com,www.domain2.com
    
    -----------------------------------------------------------
    issue & install letsencrypt ssl certificate for domain1.com
    -----------------------------------------------------------
    /root/.acme.sh/acme.sh --staging --issue -d domain1.com -d domain2.com -d www.domain2.com -d www.domain1.com -w /home/nginx/domains/domain1.com/public -k 2048 --useragent centminmod-centos7-acmesh-webroot
    [Sat Aug 13 23:42:02 UTC 2016] Using stage api:https://acme-staging.api.letsencrypt.org
    [Sat Aug 13 23:42:02 UTC 2016] Skip register account key
    [Sat Aug 13 23:42:02 UTC 2016] Multi domain='DNS:domain2.com,DNS:www.domain2.com,DNS:www.domain1.com'
    [Sat Aug 13 23:42:02 UTC 2016] Verify each domain
    [Sat Aug 13 23:42:02 UTC 2016] Getting webroot for domain='domain1.com'
    [Sat Aug 13 23:42:02 UTC 2016] Getting token for domain='domain1.com'
    [Sat Aug 13 23:42:05 UTC 2016] Getting webroot for domain='domain2.com'
    [Sat Aug 13 23:42:05 UTC 2016] Getting token for domain='domain2.com'
    [Sat Aug 13 23:42:08 UTC 2016] Getting webroot for domain='www.domain2.com'
    [Sat Aug 13 23:42:08 UTC 2016] Getting token for domain='www.domain2.com'
    [Sat Aug 13 23:42:11 UTC 2016] Getting webroot for domain='www.domain1.com'
    [Sat Aug 13 23:42:11 UTC 2016] Getting token for domain='www.domain1.com'
    [Sat Aug 13 23:42:13 UTC 2016] Verifying:domain1.com
    [Sat Aug 13 23:42:22 UTC 2016] domain1.com:Verify error:DNS problem: SERVFAIL looking up A for domain1.com
     
    Last edited: Jun 7, 2019
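To illustrate the SAN handling described in this post, here is an added example that is not code from acmetool.sh or from the post author: a bash script that expands a comma-separated domain list the way the post describes (only the first listed domain gets an automatic www. variant, and only when it looks like an apex domain), prints the resulting acme.sh -d arguments, and then checks that every name resolves to the server's IP before Letsencrypt is asked to validate it, which is exactly the failure the output above ends on (SERVFAIL looking up A). The resolver command, the script name san_precheck.sh and the IP 203.0.113.10 are assumptions; the dot-count heuristic for apex domains is mine and does not know about multi-label suffixes such as .co.uk.

```bash
#!/usr/bin/env bash
# Added example (not part of acmetool.sh): expand a comma-separated SAN list
# the way the thread describes acmetool.sh doing it, then pre-check DNS for
# every name before spending a Let's Encrypt validation attempt on it.
set -u

# Apex ("top level") detection by dot count: domain1.com has one dot,
# sub.domain1.com has two. Assumed heuristic; it misclassifies names under
# multi-label public suffixes such as example.co.uk.
is_apex_domain() {
  local name=$1 dots
  dots=${name//[^.]/}
  [ "${#dots}" -eq 1 ]
}

# san_expand "domain1.com,domain2.com,www.domain2.com"
#   -> "domain1.com domain2.com www.domain2.com www.domain1.com"
# Only the first listed domain gets an automatic www. variant (appended last,
# matching the acme.sh command line shown in the thread); every other www.
# name must be listed explicitly. Duplicates and empty fields are dropped.
san_expand() {
  local list=$1 first out="" name
  local -a names
  IFS=',' read -r -a names <<< "$list"
  first=${names[0]}
  for name in "${names[@]}"; do
    [ -z "$name" ] && continue
    case " $out " in *" $name "*) continue ;; esac
    out="$out $name"
  done
  if is_apex_domain "$first"; then
    case " $out " in *" www.$first "*) ;; *) out="$out www.$first" ;; esac
  fi
  printf '%s\n' "${out# }"
}

# san_acme_args LIST: the -d arguments acme.sh --issue expects for LIST.
san_acme_args() {
  local name args=""
  for name in $(san_expand "$1"); do args="$args -d $name"; done
  printf '%s\n' "${args# }"
}

# Resolver hook: prints the IPv4 addresses a name resolves to, one per line.
# Defaults to getent(1); set RESOLVE_CMD to swap in dig or a test stub.
: "${RESOLVE_CMD:=resolve_getent}"
resolve_getent() { getent ahostsv4 "$1" 2>/dev/null | awk '{print $1}' | sort -u; }

# san_dns_check LIST SERVER_IP
# Returns 0 when every expanded name resolves to SERVER_IP, 1 otherwise.
# http-01 validation can only succeed for names that reach this server, so a
# single wrong name here would fail the whole SAN certificate.
san_dns_check() {
  local list=$1 server_ip=$2 name ips rc=0
  for name in $(san_expand "$list"); do
    ips=$("$RESOLVE_CMD" "$name")
    if [ -z "$ips" ]; then
      printf '%-30s no A record (NXDOMAIN/SERVFAIL)\n' "$name"; rc=1
    elif printf '%s\n' "$ips" | grep -qxF "$server_ip"; then
      printf '%-30s OK -> %s\n' "$name" "$server_ip"
    else
      printf '%-30s points elsewhere: %s\n' "$name" "$(printf '%s' "$ips" | tr '\n' ' ')"; rc=1
    fi
  done
  return $rc
}

# Usage: ./san_precheck.sh "domain1.com,domain2.com,www.domain2.com" 203.0.113.10
if [ "$#" -ge 2 ]; then
  printf 'acme.sh args: %s\n' "$(san_acme_args "$1")"
  san_dns_check "$1" "$2"
fi
```

Run it with the same comma-separated list you intend to give acmetool.sh and your server's public IP; a non-zero exit means at least one name would fail validation, and the per-name lines show which one and why.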
  10. eva2000

    eva2000 Administrator Staff Member


    HTTPS SSL & HTTP/2 Testing Tools



    Once you get a HTTPS based site online with a Letsencrypt SSL certificate, you'll need to test the SSL certificate to ensure it's working 100% and is valid. Below are some of the tools I use for HTTPS, SSL and HTTP/2 testing.

    SSL Certificate Testing
    HTTPS / HTTP/2 Testing
     
    Last edited: Aug 16, 2016
  11. eva2000

    eva2000 Administrator Staff Member


    Push Notifications To Mobile/Tablet Devices



You may want to register for a Pushover.net account and install the Pushover mobile app if you want SSL certificate notices pushed to your mobile and tablet devices. Once registered, you'll have a Pushover email address. Sending messages to this email address will push messages to your mobile/tablet devices. Right now only the issuance, renew and reissue processes via addons/acmetool.sh or centmin.sh menu option 2, 22 or /usr/bin/nv have notification support to push notifications. The aim is to eventually get auto renewals to do the same as well as send expiry alerts.

/etc/centminmod/acmetool-config.ini is the acmetool.sh persistent config file which overrides settings in addons/acmetool.sh. The main use for this right now is if you have registered a pushover.net account to obtain a pushover email address, which you can set in /etc/centminmod/acmetool-config.ini via the variables below to receive push notifications to your linked mobile or tablet devices in your pushover.net account.
    Code (Text):
    PUSHALERT='y'
    pushover_email=''
    

    Example right after issuance of Letsencrypt SSL certificate.

     
    Last edited: Feb 12, 2017
  12. eva2000

    eva2000 Administrator Staff Member


    Public Beta Testing of addons/acmetool.sh Begins



    So testing begins, I've just added addons/acmetool.sh to Centmin Mod 123.09beta01 branch. Every single post made above has important information that you should read and follow and then re-read - especially regarding testing addons/acmetool.sh on a test server and test domain and NOT live server/domain ;)

For existing Centmin Mod 123.09beta01 users who already have a fresh copy installed on a test server, you can update your local Centmin Mod code at /usr/local/src/centminmod via centmin.sh menu option 23 submenu option 2.

    Upgrading Centmin Mod Code to Latest Version



Getting Started Guide step 19 also outlines how to keep Centmin Mod code updated or how to switch version branches.

Centmin Mod LEMP stack's script code is constantly updated for improvements, bug fixes and security fixes, so keeping the Centmin Mod code up to date is important. With Centmin Mod 1.2.3-eva2000.08 (123.08stable) and higher releases, a newly added centmin.sh menu option 23 allows much easier code updates and version branch switching via a Git backed environment you can set up. For full details read the following links:
If you prefer SSH command line updating of Centmin Mod code at /usr/local/src/centminmod on your server, it's as simple as:
    Code (Text):
    cmdir
    git stash
    git pull
    ./centmin.sh

    cmdir is a command shortcut to change to /usr/local/src/centminmod directory where your Centmin Mod code for centmin.sh is installed.

    Example run via SSH command line which is equivalent to centmin.sh menu option 23 submenu option 2. The git pull will pull in any changes from Centmin Mod official Github repository and list the changed files, additions and deletions. As you can see on this test server I had more than just addons/acmetool.sh to pull in and update.
    Code (Text):
    cmdir
    
    git stash            
    No local changes to save
    
    git pull            
    Updating 1acaef3..6b4d152
    Fast-forward
    addons/acmetool.sh        | 2739 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
    addons/ffmpeg.sh          |   31 +++
    addons/golang.sh          |   24 +-
    addons/opendkim.sh        |   40 ++--
    centmin.sh                |    4 +-
    example/custom_config.inc |    4 +-
    inc/apcinstall.inc        |    2 +-
    inc/ffmpeginstall.inc     |    2 +-
    inc/memcached_install.inc |    4 +-
    inc/nginx_addvhost.inc    |   23 ++
    inc/nginx_configure.inc   |    8 +-
    inc/openssl_install.inc   |    4 +-
    inc/wpsetup.inc           |    4 +-
    installer7-gitlab.sh      |    2 +-
    installer7.sh             |    2 +-
    tools/nginxupdate.sh      |    4 +-
    16 files changed, 2849 insertions(+), 48 deletions(-)
    create mode 100755 addons/acmetool.sh

    Code (Text):
    ./centmin.sh
    
    --------------------------------------------------------
         Centmin Mod Menu 123.09beta01 centminmod.com    
    --------------------------------------------------------
    1).  Centmin Install
    2).  Add Nginx vhost domain
    3).  NSD setup domain name DNS
    4).  Nginx Upgrade / Downgrade
    5).  PHP Upgrade / Downgrade
    6).  XCache Re-install
    7).  APC Cache Re-install
    8).  XCache Install
    9).  APC Cache Install
    10). Memcached Server Re-install
    11). MariaDB 5.2/5.5 & 10.x Upgrade Sub-Menu
    12). Zend OpCache Install/Re-install
    13). Install/Reinstall Redis PHP Extension
    14). SELinux disable
    15). Install/Reinstall ImagicK PHP Extension
    16). Change SSHD Port Number
    17). Multi-thread compression: pigz,pbzip2,lbzip2...
    18). Suhosin PHP Extension install
    19). Install FFMPEG and FFMPEG PHP Extension
    20). NSD Install/Re-Install
    21). Update - Nginx + PHP-FPM + Siege
    22). Add Wordpress Nginx vhost + Cache Plugin
    23). Update Centmin Mod Code Base
    24). Exit
    --------------------------------------------------------
    Enter option [ 1 - 24 ] 

    You can also check the Git commit log's last 2 entries to see what they were via SSH command line
    Code (Text):
    cmdir
    git log -2

    Code (Text):
    git log -2
    commit 6b4d15241f6e9b85f103e0658858c225b0392170
    Author: George Liu <MYEMAIL>
    Date:   Thu Aug 18 01:18:06 2016 +1000
    
        chmod +x addons/acmetool.sh
      
        full details at https://community.centminmod.com/threads/official-acmetool-sh-testing-thread-for-centmin-mod-123-09beta01.8290/
    
    commit 07c5f483dcca5eadcf853136467b425ec0f6765e
    Author: George Liu <MYEMAIL>
    Date:   Thu Aug 18 01:17:19 2016 +1000
    
        add addons/acmetool.sh to 123.09beta01
      
        full details at https://community.centminmod.com/threads/official-acmetool-sh-testing-thread-for-centmin-mod-123-09beta01.8290/
     
  13. jscott

    jscott Member

    104
    14
    18
    Aug 13, 2015
    Ratings:
    +33
    Local Time:
    10:02 AM
    I have been trying to get the LE functions to work, but have not had any luck.

    I am currently seeing two problems.

    1. The challenge file that should be located in webroot/.well-known/acme-challenge does not show up. This occurs for both the default webroot and custom webroot.
    Code:
    -----------------------------------------------------------
    issue & install letsencrypt ssl certificate for sub.mydomain.com
    -----------------------------------------------------------
    /root/.acme.sh/acme.sh --staging --issue -d sub.mydomain.com -w /home/nginx/domains/sub.mydomain.com/public -k 2048 --useragent centminmod-centos6-acmesh-webroot
    [Wed Aug 17 23:55:44 UTC 2016] Using stage api:https://acme-staging.api.letsencrypt.org
    [Wed Aug 17 23:55:45 UTC 2016] Skip register account key
    [Wed Aug 17 23:55:45 UTC 2016] Single domain='sub.mydomain.com'
    [Wed Aug 17 23:55:45 UTC 2016] Verify each domain
    [Wed Aug 17 23:55:45 UTC 2016] Getting webroot for domain='sub.mydomain.com'
    [Wed Aug 17 23:55:45 UTC 2016] Getting token for domain='sub.mydomain.com'
    [Wed Aug 17 23:55:47 UTC 2016] Verifying:sub.mydomain.com
    [Wed Aug 17 23:55:53 UTC 2016] sub.mydomain.com:Verify error:Invalid response from http://sub.mydomain.com/.well-known/acme-challenge/IZuJJQe1yOeAnO1oE5fUXOsrZag_iRnOXYei1XVb6is: \
    
    2. When trying to use the custom webroot, the webroot is being set to 'd' regardless of what I type in.
    Code:
    -----------------------------------------------------
    acme.sh updated
    -----------------------------------------------------
    adjusting /usr/local/nginx/conf/conf.d/yii.atlone.com.ssl.conf
    change web root:
    from:
    to: d
      root d;
    
    Let me know if you need any more information.
    Thanks
    -John
     
  14. eva2000

    eva2000 Administrator Staff Member

what are the contents of /usr/local/nginx/conf/conf.d/yii.atlone.com.ssl.conf ? make sure you have the default staticfiles.conf include file
    Code (Text):
    include /usr/local/nginx/conf/staticfiles.conf;

    it has the required location match for letsencrypt domain verification
    Code (Text):
        # prepare for letsencrypt
        # https://community.centminmod.com/posts/17774/
        location ~ /.well-known {
            location ~ /.well-known/acme-challenge/(.*) {
                    more_set_headers    "Content-Type: text/plain";
            }
        }


Might want to use CODE tags for code: How to use forum BBCODE code tags :)

    strange will check that one out

how are you passing the custom webroot? it needs a starting forward slash and the full path, as I tried and it works
    Code (Text):
    ./acmetool.sh webroot-issue domain1.com /home/nginx/domains/domain1.com/customwebroot

    so ends up with
    Code (Text):
    -------------------------------------------------------------
    vhost for domain1.com setup successfully
    domain1.com setup info log saved at:
    /root/centminlogs/centminmod_180816-003638_nginx_addvhost_nv.log
    -------------------------------------------------------------
    
    
    adjusting /usr/local/nginx/conf/conf.d/domain1.com.ssl.conf
    change web root:
    from:
    to: /home/nginx/domains/domain1.com/customwebroot
      root /home/nginx/domains/domain1.com/customwebroot;
    
    adjusting /usr/local/nginx/conf/conf.d/domain1.com.conf
    change web root:
    from:
    to: /home/nginx/domains/domain1.com/customwebroot
      root /home/nginx/domains/domain1.com/customwebroot;
    
    
    -----------------------------------------------------------
    issue & install letsencrypt ssl certificate for domain1.com
    -----------------------------------------------------------
    /root/.acme.sh/acme.sh --staging --issue -d domain1.com -d www.domain1.com -w /home/nginx/domains/domain1.com/customwebroot -k 2048 --useragent centminmod-centos7-acmesh-webroot
    [Thu Aug 18 00:38:24 UTC 2016] Using stage api:https://acme-staging.api.letsencrypt.org
    [Thu Aug 18 00:38:24 UTC 2016] Skip register account key
    [Thu Aug 18 00:38:24 UTC 2016] Multi domain='DNS:www.domain1.com'
    [Thu Aug 18 00:38:24 UTC 2016] Verify each domain
    [Thu Aug 18 00:38:25 UTC 2016] Getting webroot for domain='domain1.com'
    [Thu Aug 18 00:38:25 UTC 2016] Getting token for domain='domain1.com'
    [Thu Aug 18 00:38:29 UTC 2016] Getting webroot for domain='www.domain1.com'
    [Thu Aug 18 00:38:29 UTC 2016] Getting token for domain='www.domain1.com'
    [Thu Aug 18 00:38:31 UTC 2016] Verifying:domain1.com
    

    verify the root in /usr/local/nginx/conf/conf.d/domain1.com.ssl.conf
    Code (Text):
    cat /usr/local/nginx/conf/conf.d/domain1.com.ssl.conf | grep root
      root /home/nginx/domains/domain1.com/customwebroot;
     
    Last edited: Aug 18, 2016
  15. jscott

    jscott Member

    It is completely stock as created by option 2. staticfiles.conf is there, and contains the stated section.

    Eh? I did use them... I used CODE and /Code inside my brackets where you used CODEB. Is CODEB preferred over CODE? It is showing up on my screen as a CODE section....

    I am using the same acmetool.sh command that you showed.

    Looks good....

    Full acmetool.sh output

    Code (Text):
    [root@test addons]# ./acmetool.sh webroot-issue yii.atlone.com /home/nginx/domains/yii.atlone.com/public/basic/web
    
    ------------------------------------------------------------------------------
    Version Check:
    ------------------------------------------------------------------------------
    !!!  there maybe a newer version of ./acmetool.sh available  !!!
    https://community.centminmod.com/posts/34492/
    update using centmin.sh menu option 23 submenu option 2
    
    Always ensure Current Version is higher or equal to Latest Version
    ------------------------------------------------------------------------------
    Current acmetool.sh Version: 0.1
    Latest acmetool.sh Version: 0.1
    ------------------------------------------------------------------------------
    
    
    -------------------------------------------------
    acmetool.sh is in beta testing phase
    please read & provide bug reports &
    feedback for this tool via the forums
    https://community.centminmod.com/posts/34492/
    -------------------------------------------------
    
    continue [y/n] ? y
    
    -----------------------------------------------------
    updating acme.sh client...
    -----------------------------------------------------
    [Thu Aug 18 00:58:25 UTC 2016] Installing to /root/.acme.sh
    [Thu Aug 18 00:58:25 UTC 2016] Installed to /root/.acme.sh/acme.sh
    [Thu Aug 18 00:58:25 UTC 2016] OK, Close and reopen your terminal to start using acme.sh
    [Thu Aug 18 00:58:25 UTC 2016] Installing cron job
    0 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null
    [Thu Aug 18 00:58:25 UTC 2016] Good, bash is installed, change the shebang to use bash as prefered.
    [Thu Aug 18 00:58:25 UTC 2016] OK
    https://github.com/Neilpang/acme.sh
    v2.4.1
    -----------------------------------------------------
    acme.sh updated
    -----------------------------------------------------
    adjusting /usr/local/nginx/conf/conf.d/yii.atlone.com.ssl.conf
    change web root:
    from:
    to: /home/nginx/domains/yii.atlone.com/public/basic/web
      root /home/nginx/domains/yii.atlone.com/public/basic/web;
    
    adjusting /usr/local/nginx/conf/conf.d/yii.atlone.com.conf
    change web root:
    from:
    to: /home/nginx/domains/yii.atlone.com/public/basic/web
      root /home/nginx/domains/yii.atlone.com/public/basic/web;
    
    
    -----------------------------------------------------------
    issue & install letsencrypt ssl certificate for yii.atlone.com
    -----------------------------------------------------------
    /root/.acme.sh/acme.sh --staging --issue -d yii.atlone.com -w /home/nginx/domains/yii.atlone.com/public/basic/web -k 2048 --useragent centminmod-centos6-acmesh-webroot
    [Thu Aug 18 00:58:26 UTC 2016] Using stage api:https://acme-staging.api.letsencrypt.org
    [Thu Aug 18 00:58:26 UTC 2016] Registering account
    [Thu Aug 18 00:58:28 UTC 2016] Already registered
    [Thu Aug 18 00:58:28 UTC 2016] Single domain='yii.atlone.com'
    [Thu Aug 18 00:58:28 UTC 2016] Verify each domain
    [Thu Aug 18 00:58:28 UTC 2016] Getting webroot for domain='yii.atlone.com'
    [Thu Aug 18 00:58:28 UTC 2016] Getting token for domain='yii.atlone.com'
    [Thu Aug 18 00:58:30 UTC 2016] Verifying:yii.atlone.com
    [Thu Aug 18 00:58:37 UTC 2016] yii.atlone.com:Verify error:Invalid response from http://yii.atlone.com/.well-known/acme-challenge/SHqInypepbrJODNivYEwmmRcLwsauKWcrabce7ApaqU: \
    [root@test addons]# ls -l /home/nginx/domains/yii.atlone.com/public/basic/web
    total 0
    You have new mail in /var/spool/mail/root
    [root@test addons]# ^C
    [root@test addons]# cat /usr/local/nginx/conf/conf.d/yii.atlone.com.ssl.conf | grep root
      root /home/nginx/domains/yii.atlone.com/public/basic/web;
    [root@test addons]#
    
    


    -John
     
  16. eva2000

    eva2000 Administrator Staff Member

    that comment was for benefit for everyone else reading the thread ;)
    yup your output looks good
    Code (Text):
    cat /usr/local/nginx/conf/conf.d/yii.atlone.com.ssl.conf | grep root
      root /home/nginx/domains/yii.atlone.com/public/basic/web;
     
  17. eva2000

    eva2000 Administrator Staff Member

is the DNS for yii.atlone.com working globally? You can use whatsmydns.net to test that your domain's DNS A records point to the server IP and that DNS updates have propagated worldwide. Could be an issue at letsencrypt's end? I should update the above notes to link to the letsencrypt status page too at Let's Encrypt Status
     
  18. eva2000

    eva2000 Administrator Staff Member

you can also manually troubleshoot invalid response errors (Verify error:Invalid response from http://yii.atlone.com/.well-known/acme-challenge/) from letsencrypt via the underlying acme.sh client

    so when you see output at
    Code (Text):
    -----------------------------------------------------------
    issue & install letsencrypt ssl certificate for yii.atlone.com
    -----------------------------------------------------------
    /root/.acme.sh/acme.sh --staging --issue -d yii.atlone.com -w /home/nginx/domains/yii.atlone.com/public/basic/web -k 2048 --useragent centminmod-centos6-acmesh-webroot
    [Thu Aug 18 00:58:26 UTC 2016] Using stage api:https://acme-staging.api.letsencrypt.org
    [Thu Aug 18 00:58:26 UTC 2016] Registering account
    [Thu Aug 18 00:58:28 UTC 2016] Already registered
    [Thu Aug 18 00:58:28 UTC 2016] Single domain='yii.atlone.com'
    [Thu Aug 18 00:58:28 UTC 2016] Verify each domain
    [Thu Aug 18 00:58:28 UTC 2016] Getting webroot for domain='yii.atlone.com'
    [Thu Aug 18 00:58:28 UTC 2016] Getting token for domain='yii.atlone.com'
    [Thu Aug 18 00:58:30 UTC 2016] Verifying:yii.atlone.com
    [Thu Aug 18 00:58:37 UTC 2016] yii.atlone.com:Verify error:Invalid response from http://yii.atlone.com/.well-known/acme-challenge/SHqInypepbrJODNivYEwmmRcLwsauKWcrabce7ApaqU: \
    

    You'll see the actual acme.sh command used
    Code (Text):
    /root/.acme.sh/acme.sh --staging --issue -d yii.atlone.com -w /home/nginx/domains/yii.atlone.com/public/basic/web -k 2048 --useragent centminmod-centos6-acmesh-webroot

now if you copy that command, append --debug to the end and run it manually, it will output more verbose debug info
    Code (Text):
    /root/.acme.sh/acme.sh --staging --issue -d yii.atlone.com -w /home/nginx/domains/yii.atlone.com/public/basic/web -k 2048 --useragent centminmod-centos6-acmesh-webroot --debug


    also does it work if you change from
    /home/nginx/domains/yii.atlone.com/public/basic/web to
    /home/nginx/domains/yii.atlone.com/public/web so only 1 path deep ?
     
    Last edited: Aug 18, 2016
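As an added example that is not part of acmetool.sh or acme.sh, the bash script below does the same round trip the http-01 verification in the --debug output performs, but against your own server and with a throw-away token: it writes a file under WEBROOT/.well-known/acme-challenge the way acme.sh does, requests it over plain HTTP on port 80 the way the CA does, and maps the usual failures (403, 404, no answer) to the nginx, webroot and DNS problems discussed in this thread. Running it before acmetool.sh means a misconfigured vhost is found locally instead of by repeated Letsencrypt validation attempts. The script name, the example domain and the use of curl are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not acmetool.sh or acme.sh code): reproduce the http-01
# fetch Let's Encrypt performs, against our own server, before running
# acme.sh. Catches the 403/404 "Invalid response" class of failures locally.
set -u

CHALLENGE_DIR=".well-known/acme-challenge"

# Fetch hook: FETCH URL BODYFILE writes the response body to BODYFILE and
# prints the HTTP status code (000 if no HTTP answer). Defaults to curl;
# set FETCH_CMD to substitute a stub.
: "${FETCH_CMD:=fetch_curl}"
fetch_curl() {
  curl -s -m 10 -o "$2" -w '%{http_code}' "$1" || echo 000
}

# http01_preflight DOMAIN WEBROOT -> 0 if a token written into WEBROOT is
# served back unchanged at http://DOMAIN/.well-known/acme-challenge/<token>,
# 1 otherwise, with a diagnosis of the most common causes.
http01_preflight() {
  local domain=$1 webroot=$2 token body code url rc=1
  local dir="$webroot/$CHALLENGE_DIR"
  # URL-safe random token shaped like the CA's (the real one is CA-supplied).
  token=$(head -c 32 /dev/urandom | base64 | tr '+/' '-_' | tr -d '=\n')
  url="http://$domain/$CHALLENGE_DIR/$token"
  mkdir -p "$dir" || return 1
  # acme.sh writes "<token>.<account thumbprint>"; we mimic the shape only.
  printf '%s' "$token.preflight" > "$dir/$token"
  chmod 0644 "$dir/$token"
  body=$(mktemp)
  code=$("$FETCH_CMD" "$url" "$body")
  case $code in
    200)
      if [ "$(cat "$body")" = "$token.preflight" ]; then
        echo "OK: $url served the token"; rc=0
      else
        echo "FAIL: 200 from $url but body differs (another vhost, a cache or a proxy answered instead of this webroot)"
      fi ;;
    403) echo "FAIL: 403 from $url - nginx is denying $CHALLENGE_DIR; check the location block in staticfiles.conf and that nginx can read $dir" ;;
    404) echo "FAIL: 404 from $url - the vhost answering for $domain on :80 is not serving $webroot (wrong root, or DNS points at another server)" ;;
    000) echo "FAIL: no HTTP answer from $domain - DNS, firewall, or nginx not listening on :80" ;;
    *)   echo "FAIL: unexpected HTTP $code from $url" ;;
  esac
  rm -f "$dir/$token" "$body"
  return $rc
}

# Usage: ./http01_preflight.sh yii.atlone.com /home/nginx/domains/yii.atlone.com/public/basic/web
if [ "$#" -ge 2 ]; then
  http01_preflight "$1" "$2"
fi
```

Because the request is made from the server itself, a pass here proves only that the local nginx serves the path; the CA still has to reach port 80 from the outside, which is why the DNS and firewall checks above remain necessary. The token file is removed after the test so nothing is left behind in the webroot.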
  19. jscott

    jscott Member

I thought that the validation file was not in my root but it was hidden by starting with a dot. I thought ls -l would show those, but it does not. So the file is there.

    OK, I tried the url that LE is using to validate the domain, and I am getting a 403 forbidden error...

    I put a index.html in my root and it works fine....

    So this 403 error is the only problem at the moment. I did not change any configuration files.

    Debug option says:

    Code (Text):
    [root@test addons]# /root/.acme.sh/acme.sh --staging --issue -d yii.atlone.com -w /home/nginx/domains/yii.atlone.com/public/basic/web -k 2048 --useragent centminmod-centos6-acmesh-webroot --debug
    https://github.com/Neilpang/acme.sh
    v2.4.1
    [Thu Aug 18 03:10:22 UTC 2016] Using stage api:https://acme-staging.api.letsencrypt.org
    [Thu Aug 18 03:10:22 UTC 2016] DOMAIN_PATH='/root/.acme.sh/yii.atlone.com'
    [Thu Aug 18 03:10:22 UTC 2016] Le_NextRenewTime
    [Thu Aug 18 03:10:22 UTC 2016] '/home/nginx/domains/yii.atlone.com/public/basic/web' does not contain 'no'
    [Thu Aug 18 03:10:22 UTC 2016] '/home/nginx/domains/yii.atlone.com/public/basic/web' does not contain 'tls'
    [Thu Aug 18 03:10:22 UTC 2016] '/home/nginx/domains/yii.atlone.com/public/basic/web' does not contain 'apache'
    [Thu Aug 18 03:10:22 UTC 2016] RSA key
    [Thu Aug 18 03:10:22 UTC 2016] Skip register account key
    [Thu Aug 18 03:10:22 UTC 2016] Read key length:2048
    [Thu Aug 18 03:10:22 UTC 2016] _createcsr
    [Thu Aug 18 03:10:22 UTC 2016] Single domain='yii.atlone.com'
    [Thu Aug 18 03:10:22 UTC 2016] Verify each domain
    [Thu Aug 18 03:10:22 UTC 2016] Getting webroot for domain='yii.atlone.com'
    [Thu Aug 18 03:10:22 UTC 2016] _w='/home/nginx/domains/yii.atlone.com/public/basic/web'
    [Thu Aug 18 03:10:22 UTC 2016] _currentRoot='/home/nginx/domains/yii.atlone.com/public/basic/web'
    [Thu Aug 18 03:10:22 UTC 2016] Getting token for domain='yii.atlone.com'
    [Thu Aug 18 03:10:22 UTC 2016] url='https://acme-staging.api.letsencrypt.org/acme/new-authz'
    [Thu Aug 18 03:10:22 UTC 2016] payload='{"resource": "new-authz", "identifier": {"type": "dns", "value": "yii.atlone.com"}}'
    [Thu Aug 18 03:10:22 UTC 2016] RSA key
    [Thu Aug 18 03:10:23 UTC 2016] GET
    [Thu Aug 18 03:10:23 UTC 2016] url='https://acme-staging.api.letsencrypt.org/directory'
    [Thu Aug 18 03:10:23 UTC 2016] timeout
    [Thu Aug 18 03:10:23 UTC 2016] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header '
    [Thu Aug 18 03:10:23 UTC 2016] ret='0'
    [Thu Aug 18 03:10:23 UTC 2016] POST
    [Thu Aug 18 03:10:23 UTC 2016] url='https://acme-staging.api.letsencrypt.org/acme/new-authz'
    [Thu Aug 18 03:10:23 UTC 2016] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header '
    [Thu Aug 18 03:10:24 UTC 2016] _ret='0'
    [Thu Aug 18 03:10:24 UTC 2016] code='201'
    [Thu Aug 18 03:10:24 UTC 2016] entry='"type":"http-01","status":"pending","uri":"https://acme-staging.api.letsencrypt.org/acme/challenge/z_TJGWAdI8hfGcPstQgfsyqYb6cJmwGY1h8F8AI2UaA/10870252","token":"m-5xCxKJHA9kqZvamdSaonAA2gPQqjPshx9hFVOexPA"'
    [Thu Aug 18 03:10:24 UTC 2016] token='m-5xCxKJHA9kqZvamdSaonAA2gPQqjPshx9hFVOexPA'
    [Thu Aug 18 03:10:24 UTC 2016] uri='https://acme-staging.api.letsencrypt.org/acme/challenge/z_TJGWAdI8hfGcPstQgfsyqYb6cJmwGY1h8F8AI2UaA/10870252'
    [Thu Aug 18 03:10:24 UTC 2016] keyauthorization='m-5xCxKJHA9kqZvamdSaonAA2gPQqjPshx9hFVOexPA.lH2o4Ot7WBJL_r7GwLDE782sq_QhicFiQsPo1JhasaI'
    [Thu Aug 18 03:10:24 UTC 2016] dvlist='yii.atlone.com#m-5xCxKJHA9kqZvamdSaonAA2gPQqjPshx9hFVOexPA.lH2o4Ot7WBJL_r7GwLDE782sq_QhicFiQsPo1JhasaI#https://acme-staging.api.letsencrypt.org/acme/challenge/z_TJGWAdI8hfGcPstQgfsyqYb6cJmwGY1h8F8AI2UaA/10870252#http-01#/home/nginx/domains/yii.atlone.com/public/basic/web'
    [Thu Aug 18 03:10:24 UTC 2016] ok, let's start to verify
    [Thu Aug 18 03:10:24 UTC 2016] Verifying:yii.atlone.com
    [Thu Aug 18 03:10:24 UTC 2016] d='yii.atlone.com'
    [Thu Aug 18 03:10:24 UTC 2016] keyauthorization='m-5xCxKJHA9kqZvamdSaonAA2gPQqjPshx9hFVOexPA.lH2o4Ot7WBJL_r7GwLDE782sq_QhicFiQsPo1JhasaI'
    [Thu Aug 18 03:10:24 UTC 2016] uri='https://acme-staging.api.letsencrypt.org/acme/challenge/z_TJGWAdI8hfGcPstQgfsyqYb6cJmwGY1h8F8AI2UaA/10870252'
    [Thu Aug 18 03:10:24 UTC 2016] _currentRoot='/home/nginx/domains/yii.atlone.com/public/basic/web'
    [Thu Aug 18 03:10:24 UTC 2016] wellknown_path='/home/nginx/domains/yii.atlone.com/public/basic/web/.well-known/acme-challenge'
    [Thu Aug 18 03:10:24 UTC 2016] writing token:m-5xCxKJHA9kqZvamdSaonAA2gPQqjPshx9hFVOexPA to /home/nginx/domains/yii.atlone.com/public/basic/web/.well-known/acme-challenge/m-5xCxKJHA9kqZvamdSaonAA2gPQqjPshx9hFVOexPA
    [Thu Aug 18 03:10:24 UTC 2016] Changing owner/group of .well-known to nginx:nginx
    [Thu Aug 18 03:10:24 UTC 2016] url='https://acme-staging.api.letsencrypt.org/acme/challenge/z_TJGWAdI8hfGcPstQgfsyqYb6cJmwGY1h8F8AI2UaA/10870252'
    [Thu Aug 18 03:10:24 UTC 2016] payload='{"resource": "challenge", "keyAuthorization": "m-5xCxKJHA9kqZvamdSaonAA2gPQqjPshx9hFVOexPA.lH2o4Ot7WBJL_r7GwLDE782sq_QhicFiQsPo1JhasaI"}'
    [Thu Aug 18 03:10:24 UTC 2016] RSA key
    [Thu Aug 18 03:10:24 UTC 2016] GET
    [Thu Aug 18 03:10:24 UTC 2016] url='https://acme-staging.api.letsencrypt.org/directory'
    [Thu Aug 18 03:10:24 UTC 2016] timeout
    [Thu Aug 18 03:10:25 UTC 2016] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header '
    [Thu Aug 18 03:10:25 UTC 2016] ret='0'
    [Thu Aug 18 03:10:25 UTC 2016] POST
    [Thu Aug 18 03:10:25 UTC 2016] url='https://acme-staging.api.letsencrypt.org/acme/challenge/z_TJGWAdI8hfGcPstQgfsyqYb6cJmwGY1h8F8AI2UaA/10870252'
    [Thu Aug 18 03:10:25 UTC 2016] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header '
    [Thu Aug 18 03:10:25 UTC 2016] _ret='0'
    [Thu Aug 18 03:10:25 UTC 2016] code='202'
    [Thu Aug 18 03:10:25 UTC 2016] sleep 5 secs to verify
    [Thu Aug 18 03:10:30 UTC 2016] checking
    [Thu Aug 18 03:10:30 UTC 2016] GET
    [Thu Aug 18 03:10:30 UTC 2016] url='https://acme-staging.api.letsencrypt.org/acme/challenge/z_TJGWAdI8hfGcPstQgfsyqYb6cJmwGY1h8F8AI2UaA/10870252'
    [Thu Aug 18 03:10:30 UTC 2016] timeout
    [Thu Aug 18 03:10:30 UTC 2016] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header '
    [Thu Aug 18 03:10:31 UTC 2016] ret='0'
    [Thu Aug 18 03:10:31 UTC 2016] yii.atlone.com:Verify error:Invalid response from http://yii.atlone.com/.well-known/acme-challenge/m-5xCxKJHA9kqZvamdSaonAA2gPQqjPshx9hFVOexPA: \
    [Thu Aug 18 03:10:31 UTC 2016] GET
    [Thu Aug 18 03:10:31 UTC 2016] url='http://yii.atlone.com/.well-known/acme-challenge/m-5xCxKJHA9kqZvamdSaonAA2gPQqjPshx9hFVOexPA'
    [Thu Aug 18 03:10:31 UTC 2016] timeout
    [Thu Aug 18 03:10:31 UTC 2016] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header '
    <html>
    <head><title>403 Forbidden</title></head>
    <body bgcolor="white">
    <center><h1>403 Forbidden</h1></center>
    <hr><center>nginx</center>
    </body>
    </html>
    [Thu Aug 18 03:10:31 UTC 2016] ret='0'
    [Thu Aug 18 03:10:31 UTC 2016] Debugging, skip removing: /home/nginx/domains/yii.atlone.com/public/basic/web/.well-known
    [Thu Aug 18 03:10:31 UTC 2016] pid
    -John
     
  20. eva2000

    eva2000 Administrator Staff Member

    I made an update to addons/acmetool.sh version 0.2 which may help, so run the commands to remove the vhost listed at the end of vhost creation, outlined in the 1st post of this thread. You would have a log in /root/centminlogs if you need to reference it to get the commands to remove the pure-ftp user and vhost directories, so you can try again with the updated version.

    One suspect would be if the custom webroot isn't properly changed in the vhost file(s). You can check your nginx vhost error and access logs in the /home/nginx/domains/yii.atlone.com/log/ directory for clues too.
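    The debug log above fails at the http-01 step: acme.sh writes the token under the custom webroot, then Letsencrypt's fetch gets a 403 from nginx. The following triage helper is an added example, not part of acmetool.sh or acme.sh; it parses the `dvlist=` and `Verify error:` lines of a constructed log sample (placeholder token and challenge ids) to recover the webroot, the expected token path and the HTTP status, and points at the first thing to check.

```python
"""Triage acme.sh --debug output for failed http-01 challenges (added example, not acmetool.sh code)."""
import re
import stat
from pathlib import Path

# Constructed sample mirroring the acme.sh debug format above; TOKEN/THUMB/CHAL are placeholders.
SAMPLE_LOG = """\
[Thu Aug 18 03:10:24 UTC 2016] dvlist='yii.atlone.com#TOKEN.THUMB#https://acme-staging.api.letsencrypt.org/acme/challenge/CHAL/1#http-01#/home/nginx/domains/yii.atlone.com/public/basic/web'
[Thu Aug 18 03:10:31 UTC 2016] yii.atlone.com:Verify error:Invalid response from http://yii.atlone.com/.well-known/acme-challenge/TOKEN: \\
<html>
<head><title>403 Forbidden</title></head>
</html>
"""

# dvlist fields are '#'-separated: domain, keyauthorization, challenge uri, type, webroot
DVLIST_RE = re.compile(r"dvlist='([^#]+)#([^#]+)#([^#]+)#([^#]+)#([^']+)'")
ERROR_RE = re.compile(r"^\[.*?\] (\S+):Verify error:(.*)$", re.M)
STATUS_RE = re.compile(r"<title>(\d{3}) ")  # nginx error pages carry the status in <title>


def parse_acme_debug_log(text):
    """Return per-domain dicts: webroot, challenge uri, expected token path, error text, HTTP status."""
    info = {}
    for domain, keyauth, uri, ctype, webroot in DVLIST_RE.findall(text):
        token = keyauth.split(".", 1)[0]  # keyauthorization is <token>.<account thumbprint>
        info[domain] = {"type": ctype, "webroot": webroot, "uri": uri, "error": None,
                        "http_status": None,
                        "token_path": f"{webroot}/.well-known/acme-challenge/{token}"}
    for m in ERROR_RE.finditer(text):
        entry = info.get(m.group(1))
        if entry is not None:
            entry["error"] = m.group(2).strip().rstrip("\\").strip()
            status = STATUS_RE.search(text[m.end():])  # body that follows the error line
            entry["http_status"] = status.group(1) if status else None
    return info


def diagnose(entry):
    """Map the failure to the first thing to check; 'ok' when the challenge had no error."""
    if entry["error"] is None:
        return "ok"
    hints = {
        "403": "nginx returned 403: vhost root likely differs from the webroot acme.sh wrote to, "
               "or the token file is not readable by the nginx user",
        "404": "nginx returned 404: token path is not under the root the vhost actually serves",
    }
    return hints.get(entry["http_status"], "unexpected response: check the vhost error/access logs")


def token_is_servable(path):
    """True when the token file exists and is world-readable (nginx workers run as nginx:nginx)."""
    p = Path(path)
    return p.is_file() and bool(p.stat().st_mode & stat.S_IROTH)
```

Run it on a real `acme.sh --debug` capture and compare `token_path` against the `root` directive of the domain's nginx vhost file before retrying.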