
Letsencrypt Official acmetool.sh testing thread for Centmin Mod 123.09beta01

Discussion in 'Domains, DNS, Email & SSL Certificates' started by eva2000, Jul 26, 2016.

  1. Kintaro

    Kintaro Member

    How to issue a multidomain certificate?

    I have a multidomain installation of a single script (prestashop).
    I need to create a new vhost and point the root to the "first" one? and then issue a new certificate?

    Actually I have the "main" vhost with a working ssl cert (issued from option 2)
     
  2. eva2000

    eva2000 Administrator Staff Member

    What do you mean by multi-domain?

    If you want all these 5 domains/subdomains on the same Letsencrypt SSL certificate, pointing to the same single script/site vhost at /home/nginx/domains/domain.com/public web root:
    • domain.com
    • www.domain.com
    • sub1.domain.com
    • sub2.domain.com
    • sub3.domain.com
    If you have not yet created any of the 5 domains/nginx vhosts, you can use addons/acmetool.sh directly via SANS Multi-Domain SSL Certificates method.

    But if you already created domain.com (example below newdomain.com), then you would have to manually do it using existing vhost guide just with minor change to step 4 instead. So for step 4 of the existing vhost guide, instead of these 2 commands
    Code (Text):
    /root/.acme.sh/acme.sh --force --issue --days 60 -d newdomain.com -d www.newdomain.com -w /home/nginx/domains/newdomain.com/public -k 2048 --useragent centminmod-centos-acmesh-webroot --log /root/centminlogs/acmetool.sh-debug-log-newdomain.com.log --log-level 2
    /root/.acme.sh/acme.sh --installcert -d newdomain.com -d www.newdomain.com --certpath /usr/local/nginx/conf/ssl/newdomain.com/newdomain.com-acme.cer --keypath /usr/local/nginx/conf/ssl/newdomain.com/newdomain.com-acme.key --capath /usr/local/nginx/conf/ssl/newdomain.com/newdomain.com-acme.cer --reloadCmd /usr/bin/ngxreload --fullchainpath /usr/local/nginx/conf/ssl/newdomain.com/newdomain.com-fullchain-acme.key
    

    where you have
    Code (Text):
    -d newdomain.com -d www.newdomain.com
    

    it would be changed to
    Code (Text):
    /root/.acme.sh/acme.sh --force --issue --days 60 -d newdomain.com -d www.newdomain.com -d sub1.newdomain.com -d sub2.newdomain.com -d sub3.newdomain.com -w /home/nginx/domains/newdomain.com/public -k 2048 --useragent centminmod-centos-acmesh-webroot --log /root/centminlogs/acmetool.sh-debug-log-newdomain.com.log --log-level 2
    /root/.acme.sh/acme.sh --installcert -d newdomain.com -d www.newdomain.com -d sub1.newdomain.com -d sub2.newdomain.com -d sub3.newdomain.com --certpath /usr/local/nginx/conf/ssl/newdomain.com/newdomain.com-acme.cer --keypath /usr/local/nginx/conf/ssl/newdomain.com/newdomain.com-acme.key --capath /usr/local/nginx/conf/ssl/newdomain.com/newdomain.com-acme.cer --reloadCmd /usr/bin/ngxreload --fullchainpath /usr/local/nginx/conf/ssl/newdomain.com/newdomain.com-fullchain-acme.key
    

    So pass all domains you want on your letsencrypt ssl certificate
    Code (Text):
    -d newdomain.com -d www.newdomain.com -d sub1.newdomain.com -d sub2.newdomain.com -d sub3.newdomain.com
    

    Note all domains have to have DNS with A records pointing to server IP first and nginx vhost server_name directive has to list them all first too i.e.
    Code (Text):
    server {
      listen 443 ssl http2;
      server_name newdomain.com www.newdomain.com sub1.newdomain.com sub2.newdomain.com sub3.newdomain.com;
    

    Note all domains/subdomains listed in server_name directive would need to be exclusively used in the same single nginx vhost site and not have been created anywhere else on the server i.e. additional/separate centmin.sh menu option 2/22/nv cmd created nginx vhosts should NOT have same domain/subdomain names.

    If you have existing /usr/local/nginx/conf/conf.d/newdomain.com.ssl.conf and/or /usr/local/nginx/conf/conf.d/newdomain.com.conf nginx vhosts, back those up as the contents may be changed by the letsencrypt ssl cert process done during setup.

    You may want to start your own dedicated thread for your question in this forum at Domains, DNS, Email & SSL Certificates to discuss further.
     
    Last edited: Nov 13, 2018
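The two prerequisites in the post above (every name listed in the vhost's server_name, every name's A record pointing at the server IP) can be checked before acme.sh is run. This is an added example, not part of the thread or of Centmin Mod; the helper names and the sample vhost are constructed, and it assumes each server_name directive sits on a single line.

```sh
#!/bin/sh
# Added example, not Centmin Mod code. Helper names and sample data are constructed.

# Names in the vhost's server_name directive(s), one per line.
# Assumes each directive sits on a single line, as in the post.
server_names() {
  awk '$1 == "server_name" {
         for (i = 2; i <= NF; i++) { sub(/;$/, "", $i); if ($i != "") print $i }
       }' "$1" | sort -u
}

# Requested domains that the vhost does not list in server_name.
missing_from_vhost() (
  conf=$1; shift
  names=$(server_names "$conf")
  for d in "$@"; do
    printf '%s\n' "$names" | grep -qxF -- "$d" || echo "$d"
  done
)

# IPv4 addresses a name resolves to. Redefine this function to test offline.
resolve_a() { getent ahostsv4 "$1" | awk '{ print $1 }' | sort -u; }

# Requested domains whose A records do not include the server IP.
dns_mismatch() (
  ip=$1; shift
  for d in "$@"; do
    resolve_a "$d" | grep -qxF -- "$ip" || echo "$d"
  done
)

# Build the repeated -d arguments passed to acme.sh --issue and --installcert.
acme_d_args() (
  out=""
  for d in "$@"; do out="$out -d $d"; done
  printf '%s\n' "${out# }"
)

# Constructed sample: a vhost that does not yet list sub3.newdomain.com.
sample_conf=$(mktemp)
cat > "$sample_conf" <<'EOF'
server {
  listen 443 ssl http2;
  server_name newdomain.com www.newdomain.com sub1.newdomain.com sub2.newdomain.com;
}
EOF
domains="newdomain.com www.newdomain.com sub1.newdomain.com sub2.newdomain.com sub3.newdomain.com"
echo "not in server_name: $(missing_from_vhost "$sample_conf" $domains)"
echo "acme.sh arguments:  $(acme_d_args $domains)"
```

On the server, `dns_mismatch <server-ip> $domains` performs the A record check with the real resolver; any name printed by either check should be fixed before issuing.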
  3. Kintaro

    Kintaro Member

  4. eva2000

    eva2000 Administrator Staff Member


    acmetool.sh 1.0.47 update



    Add new reissue-only option for existing nginx HTTPS SSL vhosts with domain.com.ssl.conf vhost config files that exist. This only does reissue of letsencrypt SSL cert without touching the nginx vhost. Ideal for use when you tried creating a Nginx HTTPS SSL default vhost site but letsencrypt SSL issuance failed the first time. When it fails, Centmin Mod usually falls back to self-signed SSL as a placeholder for the domain.com.ssl.conf vhost config. When you run:
    Code (Text):
    cd /usr/local/src/centminmod/addons
    ./acmetool.sh reissue-only domain.com live
    

    It will only try reissuing the letsencrypt SSL certificate for the domain = domain.com for live production SSL certificate without touching any of the existing nginx vhost at domain.com.ssl.conf
     
  5. eva2000

    eva2000 Administrator Staff Member

    FYI, acmetool.sh 1.0.50 was updated with some cosmetic fixes for HTTPS default mode generated Nginx HTTPS vhosts. Also came across a new tool, letsdebug.net online testing tool to check for potential errors with HTTP-01 validation. Very :cool:
     
  6. Rick7C2

    Rick7C2 New Member

    I'm having the same issue.

    I've tried adding..

    CF_DNSAPI='y'
    CF_KEY='mykey'
    CF_EMAIL='myemail'

    To both configs

    But it still says I didn't set it.

    I did the edits with nano but tried the dos2unix anyways and still no luck.
     
  7. eva2000

    eva2000 Administrator Staff Member

    So are you only running certonly-issue for cloudflare dns only validation issuance?

    this is for non browser trusted test staging letsencrypt ssl cert
    Code (Text):
    ./acmetool.sh certonly-issue yourdomain.com
    

    this is for live browser trusted letsencrypt ssl cert
    Code (Text):
    ./acmetool.sh certonly-issue yourdomain.com live
    

    What is the output for the command? You can mask your domain if you want.

    also output for these commands
    Code (Text):
    cat /etc/centminmod/acmetool-config.ini
    cat /etc/centminmod/custom_config.inc
    locale
    

    also output for
    Code (Text):
    cat ~/.acme.sh/account.conf

    just mask real cloudflare api details if they match what you set for CF_KEY='mykey' and CF_EMAIL='myemail'

    For posting code or output from commands to keep the formatting, you might want to use CODE tags for code: How to use forum BBCODE code tags :)
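One way to do the masking asked for above before pasting config or command output into a public thread, as an added example that is not part of the thread, Centmin Mod or acme.sh. It assumes settings are written one per line as NAME=value and treats any name containing CF_KEY, CF_EMAIL or CF_TOKEN (case-insensitive) as a credential; the sample values are constructed.

```sh
#!/bin/sh
# Added example, not Centmin Mod or acme.sh code. Sample values are constructed.

# Print the values of Cloudflare credential settings found in the given files.
# Assumption: one NAME=value per line; any name containing CF_KEY, CF_EMAIL or
# CF_TOKEN (case-insensitive) is treated as a credential.
cf_secret_values() {
  awk -F= 'toupper($1) ~ /CF_(KEY|EMAIL|TOKEN)/ {
             v = substr($0, index($0, "=") + 1)
             q = "[ \t\"\047]+"; gsub("^" q "|" q "$", "", v)
             if (length(v) >= 4) print v   # skip values too short to mask safely
           }' "$@"
}

# Filter stdin, replacing every literal occurrence of those values.
# Fails closed: if a config file cannot be read, nothing is printed.
mask_cf_secrets() (
  [ "$#" -gt 0 ] || { echo "usage: mask_cf_secrets CONFIG..." >&2; exit 1; }
  SECRETS=$(cf_secret_values "$@") || { echo "config unreadable, not printing" >&2; exit 1; }
  export SECRETS
  awk 'BEGIN { n = split(ENVIRON["SECRETS"], secret, "\n") }
       {
         for (i = 1; i <= n; i++) {
           rest = $0; out = ""
           while ((p = index(rest, secret[i])) > 0) {
             out = out substr(rest, 1, p - 1) "***MASKED***"
             rest = substr(rest, p + length(secret[i]))
           }
           $0 = out rest
         }
         print
       }'
)

# Constructed sample config and output to be posted.
cfg=$(mktemp)
cat > "$cfg" <<'EOF'
CF_DNSAPI='y'
CF_KEY='0123456789abcdef-constructed'
CF_EMAIL='admin@example.com'
EOF
printf '%s\n' "SAVED_CF_Key='0123456789abcdef-constructed'" "account admin@example.com" |
  mask_cf_secrets "$cfg"
```

On the server the filter would be applied to each requested output, for example `cat ~/.acme.sh/account.conf | mask_cf_secrets /etc/centminmod/custom_config.inc`, so the same key is masked wherever it appears, including in acmetool.sh debug output.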
     
  8. integritly

    integritly New Member

    Is there a way to stop nginx from automatically redirecting http to https? I've tried commenting out the "return 302 https://$server_name$request_uri;" line from the vhost file, but then http stops working altogether.

    Basically I just want the domain to be usable with both http and https, and not auto-redirecting me to https.

    Thanks!
     
  9. integritly

    integritly New Member

    Well, looks like I've solved my own question. It appears as though I didn't fully read the documentation, and did the HTTPS Default command line installation, "mydomain lived" and didn't notice there were other options, let alone a menu installation option. Here is your post that outlines the different installation options:

    https://community.centminmod.com/th...-for-centmin-mod-lemp-stacks.7476/#post-32889

    I removed my domain and redid the setup with menu option 3 this time, not setting HTTPS as default, and now both HTTP and HTTPS are operational.

    Thank you for all your documentation, everything is working great!
     
  10. eva2000

    eva2000 Administrator Staff Member

    Documentation is always nice - self help at its best. Glad to hear you sorted out the issue :)