
Letsencrypt Official acmetool.sh testing thread for Centmin Mod 123.09beta01

Discussion in 'Domains, DNS, Email & SSL Certificates' started by eva2000, Jul 26, 2016.

  1. Kintaro (Member)
    how to issue a multidomain certificate?


    I have a multidomain installation of a single script (prestashop).
    I need to create a new vhost and point the root to the "first" one? and then issue a new certificate?

    Actually I have the "main" vhost with a working ssl cert (issued from option 2)
     
  2. eva2000 (Administrator, Staff Member)
    What do you mean by multi-domain?

    If you want all these 5 domains/subdomains on the same Letsencrypt SSL certificate, pointing to the same single script/site vhost at the /home/nginx/domains/domain.com/public web root:
    • domain.com
    • www.domain.com
    • sub1.domain.com
    • sub2.domain.com
    • sub3.domain.com
    If you have not yet created any of the 5 domains/nginx vhosts, you can use addons/acmetool.sh directly via SANS Multi-Domain SSL Certificates method.

    But if you already created domain.com (example below uses newdomain.com), then you would have to do it manually using the existing vhost guide, just with a minor change to step 4. So for step 4 of the existing vhost guide, instead of these 2 commands
    Code (Text):
    /root/.acme.sh/acme.sh --force --issue --days 60 -d newdomain.com -d www.newdomain.com -w /home/nginx/domains/newdomain.com/public -k 2048 --useragent centminmod-centos-acmesh-webroot --log /root/centminlogs/acmetool.sh-debug-log-newdomain.com.log --log-level 2
    /root/.acme.sh/acme.sh --installcert -d newdomain.com -d www.newdomain.com --certpath /usr/local/nginx/conf/ssl/newdomain.com/newdomain.com-acme.cer --keypath /usr/local/nginx/conf/ssl/newdomain.com/newdomain.com-acme.key --capath /usr/local/nginx/conf/ssl/newdomain.com/newdomain.com-acme.cer --reloadCmd /usr/bin/ngxreload --fullchainpath /usr/local/nginx/conf/ssl/newdomain.com/newdomain.com-fullchain-acme.key
    

    where you have
    Code (Text):
    -d newdomain.com -d www.newdomain.com
    

    it would be changed to
    Code (Text):
    /root/.acme.sh/acme.sh --force --issue --days 60 -d newdomain.com -d www.newdomain.com -d sub1.newdomain.com -d sub2.newdomain.com -d sub3.newdomain.com -w /home/nginx/domains/newdomain.com/public -k 2048 --useragent centminmod-centos-acmesh-webroot --log /root/centminlogs/acmetool.sh-debug-log-newdomain.com.log --log-level 2
    /root/.acme.sh/acme.sh --installcert -d newdomain.com -d www.newdomain.com -d sub1.newdomain.com -d sub2.newdomain.com -d sub3.newdomain.com --certpath /usr/local/nginx/conf/ssl/newdomain.com/newdomain.com-acme.cer --keypath /usr/local/nginx/conf/ssl/newdomain.com/newdomain.com-acme.key --capath /usr/local/nginx/conf/ssl/newdomain.com/newdomain.com-acme.cer --reloadCmd /usr/bin/ngxreload --fullchainpath /usr/local/nginx/conf/ssl/newdomain.com/newdomain.com-fullchain-acme.key
    

    so pass all domains you want on your letsencrypt ssl certificate
    Code (Text):
    -d newdomain.com -d www.newdomain.com -d sub1.newdomain.com -d sub2.newdomain.com -d sub3.newdomain.com
    

    Note all domains have to have DNS A records pointing to the server IP first, and the nginx vhost server_name directive has to list them all first too, i.e.
    Code (Text):
    server {
      listen 443 ssl http2;
      server_name newdomain.com www.newdomain.com sub1.newdomain.com sub2.newdomain.com sub3.newdomain.com;
    

    Note all domains/subdomains listed in the server_name directive would need to be exclusively used in the same single nginx vhost site and not have been created anywhere else on the server, i.e. additional/separate centmin.sh menu option 2/22/nv cmd created nginx vhosts should NOT have the same domain/subdomain names.

    If you have existing /usr/local/nginx/conf/conf.d/newdomain.com.ssl.conf and/or /usr/local/nginx/conf/conf.d/newdomain.com.conf nginx vhosts, back those up as the contents may be changed by the letsencrypt ssl cert process done during setup.

    You may want to start your own dedicated thread for your question in this forum at Domains, DNS, Email & SSL Certificates to discuss further.
     
    Last edited: Nov 13, 2018
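The reply above depends on two things being true before acme.sh is run: every hostname on the certificate appears in the vhost's server_name directive, and the same list of names is passed to both the --issue and --installcert commands. As an added example (not code from acmetool.sh or from this thread), the POSIX shell script below reads the server_name directive(s) out of a vhost file, reports any requested name that is missing, and builds the "-d ..." argument string from one list. The vhost contents and hostnames in it are constructed for the demo; the DNS A record check is left to the usual tools since it needs network access.

```shell
#!/bin/sh
# Added example for this thread (not part of acmetool.sh): before running the
# acme.sh --issue / --installcert commands above, confirm every hostname you
# want on the SAN certificate is listed in the vhost's server_name directive,
# and build the "-d ..." argument string from one list so the two commands
# cannot drift apart. Vhost contents and hostnames below are constructed.

# Print the hostnames found in server_name directives of a vhost file, one per
# line, de-duplicated (handles several server blocks and trailing comments).
vhost_server_names() {
  sed -n 's/^[[:space:]]*server_name[[:space:]][[:space:]]*\([^;]*\);.*/\1/p' "$1" \
    | tr -s '[:blank:]' '\n' | sed '/^$/d' | sort -u
}

# Usage: check_san_names VHOST_FILE name1 name2 ...
# Returns 0 when every name is listed; otherwise prints the missing names on
# stderr and returns 1 (HTTP-01 validation would fail for those names).
check_san_names() {
  local vhost_file listed missing name
  vhost_file="$1"; shift
  listed=$(vhost_server_names "$vhost_file")
  missing=0
  for name in "$@"; do
    if ! printf '%s\n' "$listed" | grep -qxF "$name"; then
      echo "missing from server_name: $name" >&2
      missing=1
    fi
  done
  return $missing
}

# Build "-d a -d b ..." from a list of names, for both --issue and --installcert.
acme_domain_args() {
  local out name
  out=""
  for name in "$@"; do out="$out -d $name"; done
  printf '%s' "${out# }"
}

# Demo on a constructed vhost that is missing sub3.newdomain.com.
demo_vhost=$(mktemp)
cat > "$demo_vhost" <<'EOF'
server {
  listen 443 ssl http2;
  server_name newdomain.com www.newdomain.com sub1.newdomain.com sub2.newdomain.com;
}
EOF
wanted="newdomain.com www.newdomain.com sub1.newdomain.com sub2.newdomain.com sub3.newdomain.com"
if check_san_names "$demo_vhost" $wanted; then
  echo "all names present; use: $(acme_domain_args $wanted)"
else
  echo "add the missing names to server_name and reload nginx before issuing"
fi
rm -f "$demo_vhost"
```

Run it against the real file (for the example above, /usr/local/nginx/conf/conf.d/newdomain.com.ssl.conf) with the full list of names; only when it reports nothing missing should the two acme.sh commands be run, with the output of acme_domain_args substituted for the "-d" arguments in both.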
  3. Kintaro (Member)
  4. eva2000 (Administrator, Staff Member)

    acmetool.sh 1.0.47 update



    Add new reissue-only option for existing nginx HTTPS SSL vhosts with domain.com.ssl.conf vhost config files that exist. This only does reissue of letsencrypt SSL cert without touching the nginx vhost. Ideal for use when you tried creating a Nginx HTTPS SSL default vhost site but letsencrypt SSL issuance failed the first time. When it fails, Centmin Mod usually falls back to self-signed SSL as a place holder for the domain.com.ssl.conf vhost config. When you run:
    Code (Text):
    cd /usr/local/src/centminmod/addons
    ./acmetool.sh reissue-only domain.com live
    

    It will only try reissuing the letsencrypt SSL certificate for the domain = domain.com for live production SSL certificate without touching any of the existing nginx vhost at domain.com.ssl.conf
     
  5. eva2000 (Administrator, Staff Member)
    FYI, acmetool.sh 1.0.50 was updated with some cosmetic fixes for HTTPS default mode generated Nginx HTTPS vhosts. Also came across a new tool, letsdebug.net online testing tool to check for potential errors with HTTP-01 validation. Very :cool:
     
  6. Rick7C2 (New Member)
    I'm having the same issue.

    I've tried adding..

    CF_DNSAPI='y'
    CF_KEY='mykey'
    CF_EMAIL='myemail'

    To both configs

    But it still says I didn't set it.

    I did the edits with nano but tried the dos2unix anyways and still no luck.
     
  7. eva2000 (Administrator, Staff Member)
    So you are only running certonly-issue for Cloudflare DNS-only validation issuance?

    this is for non browser trusted test staging letsencrypt ssl cert
    Code (Text):
    ./acmetool.sh certonly-issue yourdomain.com
    

    this is for live browser trusted letsencrypt ssl cert
    Code (Text):
    ./acmetool.sh certonly-issue yourdomain.com live
    

    What is the output of the command? You can mask your domain if you want.

    also output for these commands
    Code (Text):
    cat /etc/centminmod/acmetool-config.ini
    cat /etc/centminmod/custom_config.inc
    locale
    

    also output for
    Code (Text):
    cat ~/.acme.sh/account.conf

    just mask real cloudflare api details if they match what you set for CF_KEY='mykey' and CF_EMAIL='myemail'

    for posting code or output from commands to keep the formatting, you might want to use CODE tags for code How to use forum BBCODE code tags :)
     
  8. integritly (New Member)
    Is there a way to stop nginx from automatically redirecting http to https? I've tried commenting out the
    "return 302 https://$server_name$request_uri;" line from the vhost file, but then http stops working altogether.

    Basically I just want the domain to be usable with both http and https, and not auto-redirecting me to https.

    Thanks!
     
  9. integritly (New Member)
    Well, looks like I've solved my own question. It appears as though I didn't fully read the documentation, and did the HTTPS Default command line installation, "mydomain lived", and didn't notice there were other options, let alone a menu installation option. Here is your post that outlines the different installation options:

    https://community.centminmod.com/th...-for-centmin-mod-lemp-stacks.7476/#post-32889

    I removed my domain and redid the setup with menu option 3 this time, not setting HTTPS as default, and now both HTTP and HTTPS are operational.

    Thank you for all your documentation, everything is working great!
     
  10. eva2000 (Administrator, Staff Member)
    Documentation is always nice - self help at its best. Glad to hear you sorted out the issue :)
     
  11. BamaStangGuy (Active Member)
    Typo
    # /etc/centminmod/acmetoool-config.ini
    should be
    # /etc/centminmod/acmetool-config.ini
     
  12. eva2000 (Administrator, Staff Member)

    acmetool.sh 1.0.64



    Updated to support Cloudflare API Tokens for DNS mode; this is for the standalone acmetool.sh certonly-issue mode. With acmetool.sh 1.0.64, added Cloudflare API Token support via the CF_Token and CF_Account_ID variables, where the Cloudflare Account ID comes from any of your Cloudflare domain's main dashboard's right side column listing and CF_Token is generated via the CF API Tokens page at Cloudflare | Web Performance & Security
    Code (Text):
    ###############################################################
    # Cloudflare DNS API for DNS Mode
    # https://github.com/Neilpang/acme.sh/tree/master/dnsapi
    # login to your Cloudflare account to get your API Key in
    # My Settings section of your account
    # to ensure these settings persist DO NOT change them in this
    # script but set these variables in persistent config file at
    # /etc/centminmod/acmetool-config.ini
    # set to CF_DNSAPI='y' and fill in CF_KEY and CF_EMAIL settings
    CF_DNSAPI='n'
    # global CF API Key
    CF_KEY=''
    CF_EMAIL=''
    # new CF API Tokens
    # need read access to Zone.Zone, and write access to Zone.DNS
    # across all Zones
    # Cloudflare Account ID from any of your Cloudflare domain's
    # main dashboard's right side column listing
    CF_Token=''
    CF_Account_ID=''
    ###############################################################
    

    Also added a command option to check Cloudflare Global API key and API Tokens are working via acmetool.sh check_cfapi command.

    Example when neither CF Global API Key nor API Tokens are set up in the persistent config file at /etc/centminmod/custom_config.inc
    Code (Text):
    cd /usr/local/src/centminmod/addons
    echo y | ./acmetool.sh check_cfapi
    
    Verifying working Cloudflare DNS API Credentials
    No Cloudflare Global API Key or API Token detected

    If Cloudflare API Token is set in persistent config file at /etc/centminmod/custom_config.inc
    Code (Text):
    CF_DNSAPI='y'
    CF_Token="YOUR_CF_TOKEN"
    CF_Account_ID="YOUR_CF_ACCOUNT_ID"
    

    Code (Text):
    cd /usr/local/src/centminmod/addons
    echo y | ./acmetool.sh check_cfapi
    
    Verifying working Cloudflare DNS API Credentials
    CF API Tokens detected
    Ok: CF API Token works
    

    If Cloudflare Global API Key is set in persistent config file at /etc/centminmod/custom_config.inc
    Code (Text):
    CF_DNSAPI='y'
    CF_KEY='YOUR_CF_GLOBAL_API_KEY'
    CF_EMAIL='YOUR_CF_ACCOUNT_EMAIL'
    

    Code (Text):
    cd /usr/local/src/centminmod/addons
    echo y | ./acmetool.sh check_cfapi         
    
    Verifying working Cloudflare DNS API Credentials
    CF Global API Key detected
    Ok: CF Global API works

    If both Cloudflare Global API key and Cloudflare API Token are set in persistent config file at /etc/centminmod/custom_config.inc, then acmetool.sh will use Cloudflare API Tokens
    Code (Text):
    CF_DNSAPI='y'
    # api token
    CF_Token="YOUR_CF_TOKEN"
    CF_Account_ID="YOUR_CF_ACCOUNT_ID"
    # global api key
    CF_KEY='YOUR_CF_GLOBAL_API_KEY'
    CF_EMAIL='YOUR_CF_ACCOUNT_EMAIL'

    Code (Text):
    cd /usr/local/src/centminmod/addons
    echo y | ./acmetool.sh check_cfapi
    
    Verifying working Cloudflare DNS API Credentials
    CF API Tokens detected
    Ok: CF API Token works
     
  13. eva2000 (Administrator, Staff Member)

    acmetool.sh 1.0.66 add full Cloudflare DNS API Token support



    Instead of the default webroot authentication, update addons/acmetool.sh with full Cloudflare DNS API domain validation for Letsencrypt SSL certificate issuance, which can optionally be enabled when the variables for a Cloudflare API Token are set in the persistent config file at /etc/centminmod/custom_config.inc. Existing users need to run the cmupdate command to get the updated addons/acmetool.sh.
    Code (Text):
    CF_DNSAPI_GLOBAL='y'
    CF_Token="YOUR_CF_TOKEN"
    CF_Account_ID="YOUR_CF_ACCOUNT_ID"

    Cloudflare API Tokens require you to create your Cloudflare API Token with permissions for read access to Zone.Zone and edit/write access to Zone.DNS across all Zones at https://dash.cloudflare.com/profile/api-tokens, and to grab your Cloudflare Account ID from any of your Cloudflare domain's main dashboard's right side column listing.
    Only one Cloudflare Account is supported, so the intended domains need to be within the same Cloudflare Account, unless you have a Cloudflare Account with invited admin access to other Cloudflare Accounts and you can generate the CF API Token to include access to those other Cloudflare Accounts.

    Full details at Beta Branch - update addons/acmetool.sh with full Cloudflare DNS API in 123.09beta01
     
  14. David Schargel (New Member)
    Even though it's mentioned earlier on this thread, here's how you can find your 32-character CF_Account_ID:
    1. Log into your Cloudflare account and the account ID will appear as a 32-character string in the URL after dash.cloudflare.com/, or
    2. Within any domain, the Account ID appears towards the bottom on the right column.
    Also, you create new Tokens under "My Profile".
     
  15. eva2000 (Administrator, Staff Member)
  16. dandumit (New Member)
    Unfortunately I don't have in my system this file in that location and I cannot set LETSENCRYPT_DETECT='y' .

    Answering myself: options using the persistent config file, which you can create if it doesn't exist at /etc/centminmod/custom_config.inc.
     
    Last edited: Feb 2, 2021
  17. eva2000 (Administrator, Staff Member)
    Yes you're meant to create /etc/centminmod/custom_config.inc if it doesn't already exist. You can also use cmd shortcut = customconfig which will use nano linux text editor to create or open /etc/centminmod/custom_config.inc. Then save and exit from nano editor.

    Easiest way to edit configuration or any files on your server is via logging into your server via ssh and directly editing them using nano or vim linux text editors.

    For nano, you can read up more here and here. For the vim text editor read here and here and the thread at WebPerf - Popular Vim Commands – a Comprehensive Vim Cheatsheet

    Also there's numerous online how to use guides for nano and vim you can search for via google :)
     
  18. David Coate (New Member)
    running './acmetool.sh acmeinstall' from the command line resulted in:
    Code (Text):
    acme.sh --set-default-ca --server letsencrypt

    ./acmetool.sh: line 652: acme.sh: command not found

    Should acmetool.sh function set_dafault_ca() hardcode path to acme.sh?
     
  19. eva2000 (Administrator, Staff Member)
    Ah I believe I should set default ca only when acme.sh is already installed. So you might have run into a bug :)

    edit: I see I should use the full path to acme.sh :)
     
  20. eva2000 (Administrator, Staff Member)
    @David Coate just updated 123.09beta01 with a fix, you can run cmupdate on your install to get the updated addons/acmetool.sh :)
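The "acme.sh: command not found" report above and the two replies that follow it come down to two points: acme.sh is not on PATH, so it has to be called by its full install path, and the default CA should only be set once acme.sh is actually installed. As an added example (not the fix that went into acmetool.sh), the POSIX shell function below does both, using the /root/.acme.sh/acme.sh path from the issue commands earlier in this thread; the ACME_BIN variable and the status code 2 for "not installed" are this example's own conventions.

```shell
#!/bin/sh
# Added example for the "acme.sh: command not found" report above (not the
# acmetool.sh fix itself): call acme.sh by its full install path, the same
# /root/.acme.sh/acme.sh used in the issue commands earlier in the thread, and
# only after checking it is installed, so a missing install fails with a clear
# message and status 2 instead of a bare command-not-found from the shell.
ACME_BIN="${ACME_BIN:-/root/.acme.sh/acme.sh}"   # example convention, override via env

# Usage: set_default_ca [PATH_TO_ACME_SH]
# Returns 2 when acme.sh is not installed at that path; otherwise returns
# acme.sh's own exit status.
set_default_ca() {
  local bin
  bin="${1:-$ACME_BIN}"
  if [ ! -x "$bin" ]; then
    echo "acme.sh not installed at $bin; run acmeinstall first (skipping --set-default-ca)" >&2
    return 2
  fi
  "$bin" --set-default-ca --server letsencrypt
}

# Demo: on a box without acme.sh this prints the message above and returns 2.
if set_default_ca; then
  echo "default CA set to letsencrypt"
fi
```

The same pattern applies to any acme.sh call a wrapper script makes: resolve the binary once, check it exists, and pass the full path rather than trusting the caller's PATH.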