Letsencrypt Official acmetool.sh testing thread for Centmin Mod 123.09beta01

No way to do that, short lived 90 day expiry certs live in Letsencrypt servers until they expire.

Just updated acmetool.sh to 0.4 for custom web root method to have an index page copied over from /public so that you don't get 403 permission denied on access.

 

Centmin Mod nginx, php, phpmyadmin.sh when installed etc all rely on working main hostname. The future netdata addon will also Beta Branch - addons/netdata.sh - new system monitor addon | Centmin Mod Community

cheers, yeah it's always been on the books for Centmin Mod. Way before letsencrypt came around, I was working on paid SSL certificate integration methods into Centmin Mod Nginx as I already offer Centmin Mod Premium members discounted paid commercial SSL certificates including Wildcard SSL certificates. Which is something planned for even after acmetool.sh becomes stable

 

it's related to probably your mistaken centmin.sh menu option 2 run before running acmetool.sh as you created the nginx vhost first and then ran acmetool.sh webroot mode which removes the http version of vhost file and setups up redirect in https vhost file. The act of setting up via menu option 2 first probably messed with creating of the proper http to https redirect so when a site doesn't exist (http version) nginx defaults to the default host which is main hostname which has web root at /usr/local/nginx/html.

This happens for any domain which has DNS pointing to Centmin Mod based server's IP address but does not have a valid nginx vhost setup for the domain - the domain will be served via the main hostname which has web root at /usr/local/nginx/html.

 

That is for self-signed SSL certificate in original Centmin Mod Nginx generation routine separate from acmetool.sh. You would only see such cert after an acmetool.sh run if Letsencrypt ssl certificate validation failed so Centmin Mod falls back to the self-signed SSL certificate originally created to setup the Nginx HTTPS vhost for domain.com.ssl.conf. If Letsencrypt ssl certificate validation succeeded, acmetool.sh will replace the self-signed SSL certificate in original Centmin Mod Nginx generation routine with the one provided by Letsencrypt.

If you still want to override these temp self-signed SSL certs details, you should be able to via creating your Centmin Mod persistent config file or append to an existing persistent config file at /etc/centminmod/custom_config.inc and place in it or append to existing contents the following. Comments with hash # in front just for info. Then any new fresh launches of centmin.sh or acmetool.sh will use these overridden values.

Code (Text):

###############################################################
# Settings for centmin.sh menu option 2 and option 22 for
# the details of the self-signed SSL certificate that is auto
# generated. The default values where vhostname variable is
# auto added based on what you input for your site name
#
# -subj "/C=US/ST=California/L=Los Angeles/O=${vhostname}/OU=${vhostname}/CN=${vhostname}"
#
# You can only customise the first 5 variables for
# C = Country 2 digit code
# ST = state
# L = Location as in city
# 0 = organisation
# OU = organisational unit
#
# if left blank # defaults to same as vhostname that is your domain
# if set it overrides that
SELFSIGNEDSSL_C='US'
SELFSIGNEDSSL_ST='California'
SELFSIGNEDSSL_L='Los Angeles'
SELFSIGNEDSSL_O=''
SELFSIGNEDSSL_OU=''
###############################################################

FYI, Letsencrypt SSL certificates do not have any of the location info as they are domain validated certs which do no require such.

 

not yet, acmetool.sh specifically excludes phpmyadmin.sh created vhost/https vhost for now. Once acmetool.sh is 100% working and stable may rewrite phpmyadmin.sh to create a separate vhost off the main hostname, so that acmetool.sh can work on it.

 

when you answer yes to create letsencrypt ssl cert, it overrides and auto creates self-signed cert first then replaces with letsencrypt ssl cert if letsencrypt domain validation succeeds.

so using centmin.sh menu option 22 for wordpress auto installer should be all that is needed, just that your domain validation failed and didn't get letsencrypt ssl cert. The /root/centminlogs should have a log for the menu option 22 run which you can check too. Might want to use gist.github.com or pastebin.com to share contents of such logs

 

Strange just tested centmin.sh menu option 22 in 123.09beta01 beta with acmetool.sh in place and it worked fine

initial centmin.sh menu option 22 run for auto installing wordpress + letsencrypt ssl certificate

Code (Text):

./centmin.sh

--------------------------------------------------------
     Centmin Mod Menu 123.09beta01 domain1.com    
--------------------------------------------------------
1).  Centmin Install
2).  Add Nginx vhost domain
3).  NSD setup domain name DNS
4).  Nginx Upgrade / Downgrade
5).  PHP Upgrade / Downgrade
6).  XCache Re-install
7).  APC Cache Re-install
8).  XCache Install
9).  APC Cache Install
10). Memcached Server Re-install
11). MariaDB 5.2/5.5 & 10.x Upgrade Sub-Menu
12). Zend OpCache Install/Re-install
13). Install/Reinstall Redis PHP Extension
14). SELinux disable
15). Install/Reinstall ImagicK PHP Extension
16). Change SSHD Port Number
17). Multi-thread compression: pigz,pbzip2,lbzip2...
18). Suhosin PHP Extension install
19). Install FFMPEG and FFMPEG PHP Extension
20). NSD Install/Re-Install
21). Update - Nginx + PHP-FPM + Siege
22). Add Wordpress Nginx vhost + Cache Plugin
23). Update Centmin Mod Code Base
24). Exit
--------------------------------------------------------
Enter option [ 1 - 24 ] 22
--------------------------------------------------------
------------------------------------------------------------
Installing wpcli.sh
------------------------------------------------------------
installing...

Error: /usr/bin/wp not found !!! Downloading now......
2016-08-19 21:03:13 URL:https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar [4967063/4967063] -> "/usr/bin/wp" [1]
Download done.

Error: /root/wpcli/wp-completion.bash not found !!! Downloading now......
2016-08-19 21:03:13 URL:https://raw.githubusercontent.com/wp-cli/wp-cli/master/utils/wp-completion.bash [495/495] -> "/root/wpcli/wp-completion.bash" [1]
Download done.


-------------------------------------------------------------
PHP binary:     /usr/local/bin/php
PHP version:    5.6.23
php.ini used:   /usr/local/lib/php.ini
WP-CLI root dir:        phar://wp-cli.phar
WP-CLI packages dir:
WP-CLI global config:
WP-CLI project config:
WP-CLI version: 0.24.1
-------------------------------------------------------------

-------------------------------------------------------------
wp-cli install completed
Read http://wp-cli.org/ for full usage info

-------------------------------------------------------------
Please log out of SSH session and log back in
You can then call wp-cli via command: wp
i.e. wp --info --allow-root
-------------------------------------------------------------

the wordpress install and nginx vhost generation step. I opted for letsencrypt option 1 = issue staging test cert with HTTP + HTTPS

Code (Text):

-------------------------------------------------------------
Setup full Nginx vhost + Wordpress + WP Plugins
-------------------------------------------------------------

Enter vhost domain name you want to add (without www. prefix): acme3.domain1.com

Create a self-signed SSL certificate Nginx vhost? [y/n]: n
Get Letsencrypt SSL certificate Nginx vhost? [y/n]: y

You have 4 options:
1. issue staging test cert with HTTP + HTTPS
2. issue staging test cert with HTTPS default
3. issue live cert with HTTP + HTTPS
4. issue live cert with HTTPS default
Enter option number 1-4: 1

Theme Setup:
Install CyberChimps Responsive Theme (cyberchimps.com/responsive-theme/) [y/n]: n

Wordpress Setup:
Set custom WP Admin Display Name ? [y/n]: y
Enter Custom WP Admin Display Name: George
Install Wordpress in subdirectory /blog ? [y/n]: n
Disable Auto Generated WP Admin Username / Password ? [y/n]: n
Disable wp-login.php password protection ? (less security) [y/n]: y
Enter email address for Admin User for Wordpress Installation: emailusername@domain1.com

Default is to install KeyCDN WP Cache Enabler Plugin
as it's more stable and reliable than WP Super Cache.
To install KeyCDN Cache Enabler, answer = n to next question

Do you want to install WP Super Cache instead ? [y/n]: n
Create FTP username for vhost domain (enter username): FTPUSERNAME
Do you want to auto generate FTP password (recommended) [y/n]: y

letsencrypt validation succeeded and issued the ssl cert

Code (Text):

-------------------------------------------------------------
ok: /usr/local/src/centminmod/addons/acmetool.sh
/usr/local/src/centminmod/addons/acmetool.sh issue acme3.domain1.com

-----------------------------------------------------
updating acme.sh client...
-----------------------------------------------------
[Fri Aug 19 21:08:04 UTC 2016] Installing to /root/.acme.sh
[Fri Aug 19 21:08:04 UTC 2016] Installed to /root/.acme.sh/acme.sh
[Fri Aug 19 21:08:04 UTC 2016] OK, Close and reopen your terminal to start using acme.sh
[Fri Aug 19 21:08:04 UTC 2016] Installing cron job
0 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null
[Fri Aug 19 21:08:04 UTC 2016] Good, bash is installed, change the shebang to use bash as prefered.
[Fri Aug 19 21:08:04 UTC 2016] OK
https://github.com/Neilpang/acme.sh
v2.4.1
-----------------------------------------------------
acme.sh updated
-----------------------------------------------------
grep 'root' /usr/local/nginx/conf/conf.d/acme3.domain1.com.conf
  root /home/nginx/domains/acme3.domain1.com/public;
grep 'root' /usr/local/nginx/conf/conf.d/acme3.domain1.com.ssl.conf
  root /home/nginx/domains/acme3.domain1.com/public;

-----------------------------------------------------------
issue & install letsencrypt ssl certificate for acme3.domain1.com
-----------------------------------------------------------
/root/.acme.sh/acme.sh --staging --issue -d acme3.domain1.com -w /home/nginx/domains/acme3.domain1.com/public -k ec-256 --useragent centminmod-centos7-acmesh-webroot
[Fri Aug 19 21:08:05 UTC 2016] Using stage api:https://acme-staging.api.letsencrypt.org
[Fri Aug 19 21:08:08 UTC 2016] Skip register account key
[Fri Aug 19 21:08:08 UTC 2016] Creating domain key
[Fri Aug 19 21:08:08 UTC 2016] Use length 256
[Fri Aug 19 21:08:08 UTC 2016] Using ec name: prime256v1
[Fri Aug 19 21:08:08 UTC 2016] Single domain='acme3.domain1.com'
[Fri Aug 19 21:08:08 UTC 2016] Verify each domain
[Fri Aug 19 21:08:08 UTC 2016] Getting webroot for domain='acme3.domain1.com'
[Fri Aug 19 21:08:08 UTC 2016] Getting token for domain='acme3.domain1.com'
[Fri Aug 19 21:08:12 UTC 2016] acme3.domain1.com is already verified, skip.
[Fri Aug 19 21:08:12 UTC 2016] acme3.domain1.com is already verified, skip http-01.
[Fri Aug 19 21:08:12 UTC 2016] acme3.domain1.com is already verified, skip http-01.
[Fri Aug 19 21:08:12 UTC 2016] Verify finished, start to sign.
[Fri Aug 19 21:08:17 UTC 2016] Cert success.
-----BEGIN CERTIFICATE-----
MIIEIjCCAwqgAwIBAgITAPpTbn3cbwcjJk0U4FNRkciVbTANBgkqhkiG9w0BAQsF
....
8LClGx/Z
-----END CERTIFICATE-----
[Fri Aug 19 21:08:17 UTC 2016] Your cert is in /root/.acme.sh/acme3.domain1.com_ecc/acme3.domain1.com.cer
[Fri Aug 19 21:08:17 UTC 2016] The intermediate CA cert is in /root/.acme.sh/acme3.domain1.com_ecc/ca.cer
[Fri Aug 19 21:08:17 UTC 2016] And the full chain certs is there: /root/.acme.sh/acme3.domain1.com_ecc/fullchain.cer
  ssl_certificate      /usr/local/nginx/conf/ssl/acme3.domain1.com/acme3.domain1.com-acme-ecc.cer;
  ssl_certificate_key  /usr/local/nginx/conf/ssl/acme3.domain1.com/acme3.domain1.com-acme-ecc.key;
  #ssl_trusted_certificate /usr/local/nginx/conf/ssl/acme3.domain1.com/acme3.domain1.com-acme-ecc.cer; 

Once letsencrypt ssl cert is issued, it's installed into the auto generated wordpress nginx vhost files for the domain

Code (Text):

-----------------------------------------------------------
install cert
-----------------------------------------------------------
/root/.acme.sh/acme.sh --installcert -d acme3.domain1.com --certpath /usr/local/nginx/conf/ssl/acme3.domain1.com/acme3.domain1.com-acme-ecc.cer --keypath /usr/local/nginx/conf/ssl/acme3.domain1.com/acme3.domain1.com-acme-ecc.key --capath /usr/local/nginx/conf/ssl/acme3.domain1.com/acme3.domain1.com-acme-ecc.cer --reloadCmd /usr/bin/ngxreload --fullchainpath /usr/local/nginx/conf/ssl/acme3.domain1.com/acme3.domain1.com-fullchain-acme-ecc.key --ecc
[Fri Aug 19 21:08:18 UTC 2016] Installing cert to:/usr/local/nginx/conf/ssl/acme3.domain1.com/acme3.domain1.com-acme-ecc.cer
[Fri Aug 19 21:08:18 UTC 2016] Installing CA to:/usr/local/nginx/conf/ssl/acme3.domain1.com/acme3.domain1.com-acme-ecc.cer
[Fri Aug 19 21:08:18 UTC 2016] Installing key to:/usr/local/nginx/conf/ssl/acme3.domain1.com/acme3.domain1.com-acme-ecc.key
[Fri Aug 19 21:08:18 UTC 2016] Installing full chain to:/usr/local/nginx/conf/ssl/acme3.domain1.com/acme3.domain1.com-fullchain-acme-ecc.key
[Fri Aug 19 21:08:18 UTC 2016] Run Le_ReloadCmd: /usr/bin/ngxreload
Reloading nginx configuration (via systemctl):  [  OK  ]
[Fri Aug 19 21:08:18 UTC 2016] Reload success

letsencrypt ssl certificate setup completed
ssl certs located at: /usr/local/nginx/conf/ssl/acme3.domain1.com

openssl x509 -noout -text < /usr/local/nginx/conf/ssl/acme3.domain1.com/acme3.domain1.com-acme-ecc.cer
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            fa:53:6e:7d:dc:6f:07:23:26:4d:14:e0:53:51:91:c8:95:6d
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=Fake LE Intermediate X1
        Validity
            Not Before: Aug 19 20:08:00 2016 GMT
            Not After : Nov 17 20:08:00 2016 GMT
        Subject: CN=acme3.domain1.com
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:23:32:cd:ec:c7:3b:e3:23:86:6a:e3:56:dd:d8:
                    0e:35:fb:fa:6c:a7:16:fb:3d:eb:16:22:1d:a0:96:
                    f5:ef:9b:ac:98:23:7d:22:4c:0d:59:2e:ab:13:ac:
                    92:5a:91:39:21:0a:34:d6:54:04:92:37:d8:0d:ea:
                    19:fd:96:e5:3b
                ASN1 OID: prime256v1
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                60:CD:FD:03:19:65:F0:47:20:A1:C9:F0:87:0D:6A:1A:37:99:63:8B
            X509v3 Authority Key Identifier:
                keyid:C0:CC:03:46:B9:58:20:CC:5C:72:70:F3:E1:2E:CB:20:A6:F5:68:3A

            Authority Information Access:
                OCSP - URI:http://ocsp.stg-int-x1.letsencrypt.org/
                CA Issuers - URI:http://cert.stg-int-x1.letsencrypt.org/

            X509v3 Subject Alternative Name:
                DNS:acme3.domain1.com
            X509v3 Certificate Policies:
                Policy: 2.23.140.1.2.1
                Policy: 1.3.6.1.4.1.44947.1.1.1
                  CPS: http://cps.letsencrypt.org
                  User Notice:
                    Explicit Text: This Certificate may only be relied upon by Relying Parties and only in accordance with the Certificate Policy found at https://letsencrypt.org/repository/

Nginx vhost auto generated info and paths to web root

Code (Text):

-------------------------------------------------------------
FTP hostname : IPADDR
FTP port : 21
FTP mode : FTP (explicit SSL)
FTP Passive (PASV) : ensure is checked/enabled
FTP username created for acme3.domain1.com : FTPUSERNAME
FTP password created for acme3.domain1.com : ****
-------------------------------------------------------------
vhost for acme3.domain1.com created successfully

domain: http://acme3.domain1.com
vhost conf file for acme3.domain1.com created: /usr/local/nginx/conf/conf.d/acme3.domain1.com.conf

vhost ssl for acme3.domain1.com created successfully

domain: https://acme3.domain1.com
vhost ssl conf file for acme3.domain1.com created: /usr/local/nginx/conf/conf.d/acme3.domain1.com.ssl.conf
/usr/local/nginx/conf/ssl_include.conf created
Self-signed SSL Certificate: /usr/local/nginx/conf/ssl/acme3.domain1.com/acme3.domain1.com.crt
SSL Private Key: /usr/local/nginx/conf/ssl/acme3.domain1.com/acme3.domain1.com.key
SSL CSR File: /usr/local/nginx/conf/ssl/acme3.domain1.com/acme3.domain1.com.csr
Backup SSL Private Key: /usr/local/nginx/conf/ssl/acme3.domain1.com/acme3.domain1.com-backup.key
Backup SSL CSR File: /usr/local/nginx/conf/ssl/acme3.domain1.com/acme3.domain1.com-backup.csr

upload files to /home/nginx/domains/acme3.domain1.com/public
vhost log files directory is /home/nginx/domains/acme3.domain1.com/log

------------------------------------------------------------
SSH commands to uninstall created Wordpress install and Nginx vhost:
  /root/tools/wp_uninstall_acme3.domain1.com.sh
------------------------------------------------------------

Wordpress install info

Code (Text):

------------------------------------------------------------
Wordpress Auto Updater created at:
  /root/tools/wp_updater_acme3.domain1.com.sh
cronjob set for every 8 hours update (3x times per day)
------------------------------------------------------------

Wordpress domain: acme3.domain1.com
Wordpress DB Name: wp89737304db_1724
Wordpress DB User: wpdb1724u18150
Wordpress DB Pass: wpdb+Da3RZYDpoTqp23125
Wordpress Admin User ID: 302658
Wordpress Admin User: z5VGVkdM9lmC8ZKmoFwp10298
Wordpress Admin Pass: zYraBXykiHfRwps25911
Wordpress Admin Email: emailusername@domain1.com
Wordpress Admin Display Name: George

...
------------------------------------------------------------
To complete setup:
1. Enable Permalinks (DO NOT use links with .html extensions for performance reasons) i.e. /%post_id%/%postname%/
2. Settings Menu > Cache Enabler set options and hit Save Changes
3. Settings Menu > Optimus set options and hit Save Changes
4. Appearance > Theme Options (Responsive theme) > Home Page nav bar > Uncheck Overrides Wordpress front page option
------------------------------------------------------------

-------------------------------------------------------------
vhost for acme3.domain1.com wordpress setup successfully
acme3.domain1.com setup info log saved at:
/root/centminlogs/centminmod_1.2.3-eva2000.09.001_190816-210306_wordpress_addvhost.log
-------------------------------------------------------------

Seems to be - letsencrypt servers sometimes have issues validating the domain with specific DNS providers. But can also be due to nginx vhost configuration.

Which option did you select for letsencrypt configuration from 1-4 options

Code (Text):

Create a self-signed SSL certificate Nginx vhost? [y/n]: n
Get Letsencrypt SSL certificate Nginx vhost? [y/n]: y

You have 4 options:
1. issue staging test cert with HTTP + HTTPS
2. issue staging test cert with HTTPS default
3. issue live cert with HTTP + HTTPS
4. issue live cert with HTTPS default
Enter option number 1-4: 1

 

ah another niggling left over in wordpress routine i believe !

just updated 123.09beta01 branch code to remove it Beta Branch - remove dot file block from inc/wpsetup.inc for 123.09beta01 | Centmin Mod Community

 

thanks for heads up though strange as it works here it's due to where the /usr/local/nginx/conf/wpincludes/site.com/wpsecure_site.com.conf is positioned order wise to. Will have to test