
Letsencrypt Official acmetool.sh testing thread for Centmin Mod 123.09beta01

Discussion in 'Domains, DNS, Email & SSL Certificates' started by eva2000, Jul 26, 2016.

  1. eva2000

    eva2000 Administrator Staff Member

    54,548
    12,221
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,790
    Local Time:
    12:25 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    FYI working on acmetool.sh 0.8.6 which will add Cloudflare DNS API support for DNS Mode so you don't have to use manual TXT DNS record setup with certonly-issue DNS Mode if your domain is using Cloudflare :)
    Code (Text):
    ###############################################################
    # Cloudflare DNS API for DNS Mode
    # https://github.com/Neilpang/acme.sh/tree/master/dnsapi
    # login to your Cloudflare account to get your API Key in
    # My Settings section of your account
    # to ensure these settings persist DO NOT change them in this
    # script but set these variables in persistent config file at
    # /etc/centminmod/acmetool-config.ini
    # set to CF_DNSAPI='y' and fill in CF_KEY and CF_EMAIL settings
    CF_DNSAPI='n'
    CF_KEY=''
    CF_EMAIL=''
    ###############################################################


    Just working out the kinks first :)


    Push notification for DNS mode with Cloudflare API

     
  2. eva2000

    Cloudflare API Support in DNS Mode



    acmetool.sh 0.8.6 updated and released with Cloudflare API Support for DNS Mode option certonly-issue.

    Use cases for this certonly-issue DNS mode
    1. When you do not want to create the accompanying Centmin Mod Nginx vhost directories/files
    2. When you do not want acmetool.sh to touch or alter any existing Centmin Mod Nginx vhost conf files i.e. domain.com.conf or domain.com.ssl.conf.
    3. When you want just to get the letsencrypt SSL certificate itself and manually install it on a Centmin Mod Nginx vhost site or even a separate remote server
    4. For local internal LAN/private LAN server testing where you need to copy the letsencrypt SSL certificate itself. You'll have 4 files to copy, e.g. for acme9.domain1.com:
      Code (Text):
      Your cert is in  /root/.acme.sh/acme9.domain1.com/acme9.domain1.com.cer
      Your cert key is in  /root/.acme.sh/acme9.domain1.com/acme9.domain1.com.key
      The intermediate CA cert is in  /root/.acme.sh/acme9.domain1.com/ca.cer
      And the full chain certs is there:  /root/.acme.sh/acme9.domain1.com/fullchain.cer
    Appropriate settings to add to the persistent acmetool config file at /etc/centminmod/acmetool-config.ini or to the /etc/centminmod/custom_config.inc global persistent config file (create the file if it doesn't exist): set the Cloudflare API key and email before running acmetool.sh, where CF_EMAIL is the email used for your Cloudflare account.

    Updated: August 25, 2020 with acmetool.sh 1.0.64, added Cloudflare API Token support via CF_Token and CF_Account_ID variables, where CF_Account_ID is the Cloudflare Account ID from any of your Cloudflare domain's main dashboard's right side column listing and CF_Token is generated via the CF API Tokens page at https://dash.cloudflare.com/profile/api-tokens. This can be used for all Letsencrypt SSL certificate issuance and not just certonly-issue mode. For more details see https://community.centminmod.com/th...cloudflare-dns-api-domain-verification.22630/.
    Code (Text):
    ###############################################################
    # Cloudflare DNS API for DNS Mode
    # https://github.com/Neilpang/acme.sh/tree/master/dnsapi
    # login to your Cloudflare account to get your API Key in
    # My Settings section of your account
    # to ensure these settings persist DO NOT change them in this
    # script but set these variables in persistent config file at
    # /etc/centminmod/acmetool-config.ini
    # set to CF_DNSAPI='y' and fill in CF_KEY and CF_EMAIL settings
    CF_DNSAPI='n'
    # global CF API Key
    CF_KEY=''
    CF_EMAIL=''
    # new CF API Tokens
    # need read access to Zone.Zone, and write access to Zone.DNS
    # across all Zones
    # Cloudflare Account ID from any of your Cloudflare domain's
    # main dashboard's right side column listing
    CF_Token=''
    CF_Account_ID=''
    ###############################################################
    


    example run for test staging SSL cert
    Code (Text):
    ./acmetool.sh certonly-issue acme9.domain1.com
    

    example run for live real SSL cert
    Code (Text):
    ./acmetool.sh certonly-issue acme9.domain1.com live
    

    full output
    Code (Text):
    ./acmetool.sh certonly-issue acme9.domain1.com
    
    -----------------------------------------------------------
    [DNS mode] issue & install letsencrypt ssl certificate for acme9.domain1.com
    -----------------------------------------------------------
    /root/.acme.sh/acme.sh --staging --issue --dns dns_cf -d acme9.domain1.com -k 2048 --useragent centminmod-centos7-acmesh-dns
    [Wed Aug 24 02:52:12 UTC 2016] Using stage api:https://acme-staging.api.letsencrypt.org
    [Wed Aug 24 02:52:15 UTC 2016] Skip register account key
    [Wed Aug 24 02:52:15 UTC 2016] Creating domain key
    [Wed Aug 24 02:52:15 UTC 2016] Use length 2048
    [Wed Aug 24 02:52:15 UTC 2016] Using RSA: 2048
    [Wed Aug 24 02:52:16 UTC 2016] Single domain='acme9.domain1.com'
    [Wed Aug 24 02:52:16 UTC 2016] Verify each domain
    [Wed Aug 24 02:52:16 UTC 2016] Getting webroot for domain='acme9.domain1.com'
    [Wed Aug 24 02:52:16 UTC 2016] Getting token for domain='acme9.domain1.com'
    [Wed Aug 24 02:52:22 UTC 2016] Found domain api file: /root/.acme.sh/dnsapi/dns_cf.sh
    [Wed Aug 24 02:52:24 UTC 2016] Adding record
    [Wed Aug 24 02:52:25 UTC 2016] Added, sleeping 10 seconds
    [Wed Aug 24 02:52:35 UTC 2016] Sleep 120 seconds for the txt records to take effect
    [Wed Aug 24 02:54:35 UTC 2016] Verifying:acme9.domain1.com
    [Wed Aug 24 02:54:46 UTC 2016] Success
    [Wed Aug 24 02:54:46 UTC 2016] Verify finished, start to sign.
    [Wed Aug 24 02:54:50 UTC 2016] Cert success.
    -----BEGIN CERTIFICATE-----
    MIIE7zCCA9egAwIBAgITAPoKDlcK8Dk/+aRR0yK19g/KFzANBgkqhkiG9w0BAQsF
    ...
    F0fdQEY3Yy/bZ25S1N7pM+p7Cg==
    -----END CERTIFICATE-----
    [Wed Aug 24 02:54:50 UTC 2016] Your cert is in  /root/.acme.sh/acme9.domain1.com/acme9.domain1.com.cer
    [Wed Aug 24 02:54:50 UTC 2016] Your cert key is in  /root/.acme.sh/acme9.domain1.com/acme9.domain1.com.key
    [Wed Aug 24 02:54:51 UTC 2016] The intermediate CA cert is in  /root/.acme.sh/acme9.domain1.com/ca.cer
    [Wed Aug 24 02:54:51 UTC 2016] And the full chain certs is there:  /root/.acme.sh/acme9.domain1.com/fullchain.cer
    
    ---------------------------------
    DNS mode via Cloudflare DNS API
    ---------------------------------
    setup TXT DNS record via Cloudflare API
    Using stage api:https://acme-staging.api.letsencrypt.org
    Skip register account key
    Creating domain key
    Use length 2048
    Using RSA: 2048
    Single domain='acme9.domain1.com'
    Verify each domain
    Getting webroot for domain='acme9.domain1.com'
    Getting token for domain='acme9.domain1.com'
    Found domain api file: /root/.acme.sh/dnsapi/dns_cf.sh
    Adding record
    Added, sleeping 10 seconds
    Sleep 120 seconds for the txt records to take effect
    Verifying:acme9.domain1.com
    Success
    Verify finished, start to sign.
    Cert success.
    -----BEGIN CERTIFICATE-----
    MIIE7zCCA9egAwIBAgITAPoKDlcK8Dk/+aRR0yK19g/KFzANBgkqhkiG9w0BAQsF
    ...
    F0fdQEY3Yy/bZ25S1N7pM+p7Cg==
    -----END CERTIFICATE-----
    Your cert is in  /root/.acme.sh/acme9.domain1.com/acme9.domain1.com.cer
    Your cert key is in  /root/.acme.sh/acme9.domain1.com/acme9.domain1.com.key
    The intermediate CA cert is in  /root/.acme.sh/acme9.domain1.com/ca.cer
    And the full chain certs is there:  /root/.acme.sh/acme9.domain1.com/fullchain.cer
    

    Then you can optionally install the obtained letsencrypt ssl certificates using the acme.sh command.

    Install cert to existing Nginx vhost command, replacing all instances of acme9.domain1.com with your domain below. This is a single command; just replace the paths in the command for your ssl files for
    • acme9.domain1.com-acme.cer
    • acme9.domain1.com-acme.key
    • acme9.domain1.com-fullchain-acme.key
    • and replacing acme9.domain1.com with your domain name
    Code (Text):
    /root/.acme.sh/acme.sh --installcert -d acme9.domain1.com --certpath /usr/local/nginx/conf/ssl/acme9.domain1.com/acme9.domain1.com-acme.cer --keypath /usr/local/nginx/conf/ssl/acme9.domain1.com/acme9.domain1.com-acme.key --capath /usr/local/nginx/conf/ssl/acme9.domain1.com/acme9.domain1.com-acme.cer --reloadCmd /usr/bin/ngxreload --fullchainpath /usr/local/nginx/conf/ssl/acme9.domain1.com/acme9.domain1.com-fullchain-acme.key


    Then you'll need to create or modify your Nginx HTTPS vhost config file at /usr/local/nginx/conf/conf.d/acme9.domain1.com.ssl.conf similar to step 6 outlined at https://centminmod.com/migrating-to-https.html, which sets up the ssl cert files inline as
    Code (Text):
      ssl_dhparam /usr/local/nginx/conf/ssl/newdomain.com/dhparam.pem;
      ssl_certificate      /usr/local/nginx/conf/ssl/newdomain.com/newdomain.com-acme.cer;
      ssl_certificate_key  /usr/local/nginx/conf/ssl/newdomain.com/newdomain.com-acme.key;
      include /usr/local/nginx/conf/ssl_include.conf;
    

    Or you can replicate acmetool.sh's automated way manually using an include file like /usr/local/nginx/conf/ssl/acme9.domain1.com/acme9.domain1.com.crt.key.conf

    and place your Cloudflare DNS API obtained letsencrypt SSL certs in the /usr/local/nginx/conf/ssl/acme9.domain1.com/acme9.domain1.com.crt.key.conf include file
    Code (Text):
      ssl_dhparam /usr/local/nginx/conf/ssl/acme9.domain1.com/dhparam.pem;
      ssl_certificate      /usr/local/nginx/conf/ssl/acme9.domain1.com/acme9.domain1.com-acme.cer;
      ssl_certificate_key  /usr/local/nginx/conf/ssl/acme9.domain1.com/acme9.domain1.com-acme.key;
      ssl_trusted_certificate /usr/local/nginx/conf/ssl/acme9.domain1.com/acme9.domain1.com-acme.cer;
    

    and in your Nginx HTTPS vhost config file at /usr/local/nginx/conf/conf.d/acme9.domain1.com.ssl.conf just use include file for /usr/local/nginx/conf/ssl/acme9.domain1.com/acme9.domain1.com.crt.key.conf
    Code (Text):
      include /usr/local/nginx/conf/ssl/acme9.domain1.com/acme9.domain1.com.crt.key.conf;
      include /usr/local/nginx/conf/ssl_include.conf;
    
     
    Last edited: Apr 12, 2022
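Editor's added example, not part of eva2000's post and not acmetool.sh or acme.sh code: a preflight check to run before a DNS-mode certonly-issue. It parses the persistent config in the KEY='value' form shown in the post (CF_DNSAPI, CF_KEY, CF_EMAIL, CF_Token), verifies the file is not readable by group or other users (it holds Cloudflare account credentials), and flags the legacy global API key, which grants full account access, in favour of a token limited to Zone.Zone read and Zone.DNS edit as the post's config comment describes. The default path and the function names are this example's own; the token check calls Cloudflare's /client/v4/user/tokens/verify endpoint and only runs when you pass --verify.

```shell
#!/bin/sh
# cf_preflight.sh - added example for this thread (not acmetool.sh/acme.sh code).
# Checks the persistent acmetool config before a Cloudflare DNS-mode run:
#   1. the file has no group/other read or write bits (it holds CF secrets)
#   2. which credential type is configured; the global API key is flagged
#      because it grants full account access, whereas a CF_Token can be limited
#      to Zone.Zone:Read + Zone.DNS:Edit as the thread's config comment says
#   3. optional online check of a token via Cloudflare's tokens/verify endpoint

# cf_get FILE VAR: print the value of a VAR='value' or VAR="value" line (last one wins).
# Parsed with sed rather than sourced, so this check never executes the config file.
cf_get() {
  sed -n "s/^[[:space:]]*$2=['\"]\{0,1\}\([^'\"]*\)['\"]\{0,1\}[[:space:]]*$/\1/p" "$1" | tail -n 1
}

# cf_file_mode_ok FILE: 0 when no group/other read or write bit is set (0600-style).
cf_file_mode_ok() {
  [ -z "$(find "$1" -prune \( -perm -g+r -o -perm -g+w -o -perm -o+r -o -perm -o+w \) 2>/dev/null)" ]
}

# cf_cred_type FILE: prints token | globalkey | none.
# acme.sh's dns_cf hook uses CF_Token when one is set, so the token wins here too.
cf_cred_type() {
  tok=$(cf_get "$1" CF_Token); key=$(cf_get "$1" CF_KEY); email=$(cf_get "$1" CF_EMAIL)
  if [ -n "$tok" ]; then echo token
  elif [ -n "$key" ] && [ -n "$email" ]; then echo globalkey
  else echo none
  fi
}

# cf_preflight [FILE]: returns 0 when safe to proceed, 1 on warnings, 2 on hard errors.
cf_preflight() {
  f="${1:-/etc/centminmod/acmetool-config.ini}"
  rc=0
  [ -f "$f" ] || { echo "ERR: $f not found"; return 2; }
  if ! cf_file_mode_ok "$f"; then
    echo "WARN: $f is readable/writable by group or other; run: chmod 600 '$f'"
    rc=1
  fi
  case "$(cf_get "$f" CF_DNSAPI)" in
    y) ;;
    *) echo "WARN: CF_DNSAPI is not 'y'; acmetool.sh will not use the Cloudflare API"; rc=1 ;;
  esac
  case "$(cf_cred_type "$f")" in
    token)     echo "OK: scoped CF_Token configured" ;;
    globalkey) echo "WARN: global API key in CF_KEY/CF_EMAIL; prefer a CF_Token limited to Zone.Zone:Read and Zone.DNS:Edit"; rc=1 ;;
    none)      echo "ERR: no Cloudflare credentials set in $f"; rc=2 ;;
  esac
  return $rc
}

# cf_verify_token TOKEN: online check (needs network). Cloudflare answers with
# {"success":true,...,"result":{"status":"active"}} for a valid, active token.
cf_verify_token() {
  curl -sS -H "Authorization: Bearer $1" \
    https://api.cloudflare.com/client/v4/user/tokens/verify
}

# Usage: sh cf_preflight.sh [config-file] [--verify]
if [ $# -gt 0 ]; then
  cf_preflight "$1"; rc=$?
  if [ "${2:-}" = "--verify" ] && [ "$rc" -lt 2 ]; then
    cf_verify_token "$(cf_get "$1" CF_Token)"; echo
  fi
  exit "$rc"
fi
```

Run it as `sh cf_preflight.sh /etc/centminmod/acmetool-config.ini` before `./acmetool.sh certonly-issue yourdomain.com`; a non-zero exit means fix the file first. acme.sh's dns_cf hook also saves the credentials it used into /root/.acme.sh/account.conf after the first successful run, so apply the same 0600 expectation to that file.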
  3. eva2000
    acmetool.sh 0.8.8 update checkdate function

    Report both nginx installed ssl cert + acme.sh obtained ssl cert expiry dates, as the new acmetool.sh certonly-issue DNS mode doesn't install the ssl cert to nginx but only obtains it and saves it to the /root/.acme.sh/ directory. Also report the ssl cert's SHA1 fingerprint so it's easier to identify which nginx installed ssl certs are the same.

    Code (Text):
    ./acmetool.sh checkdates      
    ----------------------------------------------
    nginx installed
    ----------------------------------------------
    
    /usr/local/nginx/conf/ssl/acme.domain1.com/acme.domain1.com-acme.cer
    SHA1 Fingerprint=87:AA:E6:79:CA:14:61:77:07:59:6B:BB:EC:BC:8A:F7:B1:3A:9E:F4
    certificate expires in 10 days on 4 Sep 2016
    
    /usr/local/nginx/conf/ssl/acme2.domain1.com/acme2.domain1.com-acme.cer
    SHA1 Fingerprint=A7:E3:72:64:55:12:B7:E8:3E:48:35:64:5E:9A:FF:EA:61:46:9E:8A
    certificate expires in 88 days on 21 Nov 2016
    
    /usr/local/nginx/conf/ssl/acme1.domain1.com/acme1.domain1.com-acme-ecc.cer
    SHA1 Fingerprint=F5:42:00:15:7D:AC:80:21:02:F5:27:E0:84:7A:06:D5:80:91:B8:C6
    certificate expires in 78 days on 11 Nov 2016
    
    ----------------------------------------------
    acme.sh obtained
    ----------------------------------------------
    
    /root/.acme.sh/acme.domain1.com/acme.domain1.com.cer
    SHA1 Fingerprint=87:AA:E6:79:CA:14:61:77:07:59:6B:BB:EC:BC:8A:F7:B1:3A:9E:F4
    certificate expires in 10 days on 4 Sep 2016
    
    /root/.acme.sh/acme9.domain2.com/acme9.domain2.com.cer
    SHA1 Fingerprint=AC:72:0F:AA:4C:B0:96:49:DD:1F:C2:92:09:B2:BE:89:38:FC:96:3B
    certificate expires in 89 days on 22 Nov 2016
    
    /root/.acme.sh/acme2.domain1.com/acme2.domain1.com.cer
    SHA1 Fingerprint=A7:E3:72:68:55:12:B7:E8:3E:48:35:68:5E:9A:FF:EA:61:46:9E:8A
    certificate expires in 88 days on 21 Nov 2016
    
    /root/.acme.sh/acme1.domain1.com_ecc/acme1.domain1.com.cer
    SHA1 Fingerprint=F5:42:00:15:7D:AC:80:21:02:F5:27:E0:84:7A:06:D5:80:91:AA:C6
    certificate expires in 78 days on 11 Nov 2016


    FYI, for the acme.domain1.com ssl cert it expires in 10 days because I started testing with a renewal period of every 80 days, or 10 days before expiry, while current acmetool.sh uses every 21 days for renewal during beta and every 60 days renewal once out of beta testing.

    The acme.sh config file for the domain is at /root/.acme.sh/acme.domain1.com/acme.domain1.com.conf as you can see it should auto renew in about 2hrs 6 minutes from now :)
    Code (Text):
    egrep 'Le_RenewalDays|Le_NextRenewTimeStr' /root/.acme.sh/acme.domain1.com/acme.domain1.com.conf   
    Le_RenewalDays="80"
    Le_NextRenewTimeStr="Thu Aug 25 21:21:52 UTC 2016"
     
    Last edited: Aug 25, 2016
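Editor's added example, not part of eva2000's post and not acmetool.sh code: the checks checkdates performs, done with openssl alone so they can be run against any of the files listed in the output above. The SHA1 fingerprint ties an nginx-installed -acme.cer back to the /root/.acme.sh copy it was installed from; expiry is tested with `openssl x509 -checkend` instead of date parsing; and a certificate count is reported because the include file in post #2 points ssl_trusted_certificate at the same file as ssl_certificate, and ssl_stapling_verify only works when that file also carries the issuer chain. The file names in the usage line come from the checkdates output; the 30-day warning threshold is this example's own choice, derived from the 60-day renewal interval the post mentions.

```shell
#!/bin/sh
# certcheck.sh - added example for this thread (not acmetool.sh code).
# Reproduces what checkdates reports, using openssl only:
#   - SHA1 fingerprint, so an nginx-installed cert can be matched to the
#     /root/.acme.sh copy it came from
#   - expiry, via `openssl x509 -checkend`, which needs no date(1) parsing
#   - number of certificates in the file: ssl_stapling_verify needs the
#     issuer chain in the file named by ssl_trusted_certificate

# cert_fp FILE: SHA1 fingerprint in the colon-separated form checkdates prints.
cert_fp() {
  openssl x509 -in "$1" -noout -fingerprint -sha1 | sed 's/^[^=]*=//'
}

# cert_enddate FILE: the notAfter date string of the (first) certificate.
cert_enddate() {
  openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# cert_expires_within FILE DAYS: 0 if the cert expires within DAYS days.
# -checkend exits 0 when the cert is still valid at now+seconds, so invert it.
cert_expires_within() {
  if openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1; then
    return 1
  fi
  return 0
}

# cert_count FILE: number of PEM certificates in the file (1 = leaf only, no chain).
cert_count() {
  grep -c 'BEGIN CERTIFICATE' "$1"
}

# cert_same A B: 0 when both files carry the same leaf certificate.
cert_same() {
  [ "$(cert_fp "$1")" = "$(cert_fp "$2")" ]
}

# cert_report FILE [WARN_DAYS]: one block per cert, like the checkdates output.
# Let's Encrypt certs live 90 days and acmetool.sh renews at 60, so fewer than
# 30 days left means a scheduled renewal has already been missed.
cert_report() {
  f="$1"; warn="${2:-30}"
  echo "$f"
  echo "SHA1 Fingerprint=$(cert_fp "$f")"
  echo "certificates in file: $(cert_count "$f")"
  echo "certificate expires on $(cert_enddate "$f")"
  if cert_expires_within "$f" "$warn"; then
    echo "WARN: expires within $warn days; check acme.sh renewal for this domain"
  fi
}

# Usage: sh certcheck.sh /usr/local/nginx/conf/ssl/acme.domain1.com/acme.domain1.com-acme.cer \
#                        /root/.acme.sh/acme.domain1.com/acme.domain1.com.cer
if [ $# -eq 2 ]; then
  cert_report "$1"; echo; cert_report "$2"; echo
  if cert_same "$1" "$2"; then
    echo "nginx installed cert matches the acme.sh obtained cert"
  else
    echo "MISMATCH: nginx is serving a different cert than acme.sh last obtained (reload nginx or re-run installcert)"
  fi
fi
```

A count of 1 for the file named by ssl_trusted_certificate means nginx will log "ssl_stapling ignored, issuer certificate not found" and serve no OCSP response; install the fullchain (or append ca.cer) to that path instead.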
  4. JarylW

    JarylW Active Member

    216
    41
    28
    Jun 19, 2014
    Singapore
    Ratings:
    +103
    Local Time:
    10:25 PM
    Code:
    -----------------------------------------------------------
    issue & install letsencrypt ssl certificate for domain.com
    -----------------------------------------------------------
    /root/.acme.sh/acme.sh --issue -d domain.com -d www.domain.com -w /home/nginx/domains/domain.com/public -k 2048 --useragent centminmod-centos7-acmesh-webroot
    [Sun Aug 28 05:31:30 UTC 2016] Creating account key
    [Sun Aug 28 05:31:33 UTC 2016] Registering account
    [Sun Aug 28 05:31:37 UTC 2016] Registered
    [Sun Aug 28 05:31:37 UTC 2016] Creating domain key
    [Sun Aug 28 05:31:37 UTC 2016] Multi domain='DNS:www.domain.com'
    [Sun Aug 28 05:31:37 UTC 2016] Verify each domain
    [Sun Aug 28 05:31:37 UTC 2016] Getting webroot for domain='domain.com'
    [Sun Aug 28 05:31:37 UTC 2016] Getting token for domain='domain.com'
    [Sun Aug 28 05:31:42 UTC 2016] Getting webroot for domain='www.domain.com'
    [Sun Aug 28 05:31:42 UTC 2016] Getting token for domain='www.domain.com'
    [Sun Aug 28 05:31:47 UTC 2016] Verifying:domain.com
    [Sun Aug 28 05:31:57 UTC 2016] Success
    [Sun Aug 28 05:31:57 UTC 2016] Verifying:www.domain.com
    [Sun Aug 28 05:32:07 UTC 2016] www.domain.com:Verify error:Could not connect to http://www.domain.com/.well-known/acme-challenge/QtjWcukjFVFFIxH1OddYzIiltF_haAZWKfWE8q3hRrs
      ssl_certificate      /usr/local/nginx/conf/ssl/domain.com/domain.com-acme.cer;
      ssl_certificate_key  /usr/local/nginx/conf/ssl/domain.com/domain.com-acme.key;
      ssl_trusted_certificate /usr/local/nginx/conf/ssl/domain.com/domain.com-acme.cer;
    
    Something is still breaking for www verification.
     
  5. eva2000
    What does the domain.com.conf and domain.com.ssl.conf contents look like?
     
    Last edited: Aug 28, 2016
  6. JarylW
    There was no domain.conf because I selected https default. domain.ssl.conf looks ok. I reran acmetool.sh after deleting the generated domain.ssl.conf and restarting nginx and it works fine though I am not sure why.

    This is https default with centmin menu #22. Both domain.com and www.domain.com have an A record in Cloudflare to the server IP. Maybe this is not conventional, as www normally is a CNAME of @?
     
  7. eva2000
    If you wipe the domain vhost and ssl cert and redo centmin.sh menu option 22, does it work?

    CNAME A DNS record is correct
     
  8. JarylW
    You mean delete certs in /root/.acme.sh too? I think /home/nginx/domains/domain.com need to be removed too for the menu option 22 to work.

    Edit: I did centmin 22 again and it worked, but now the generated conf doesn't have the proper WordPress includes
    Code:
    # Centmin Mod Getting Started Guide
    # must read http://centminmod.com/getstarted.html
    # For HTTP/2 SSL Setup
    # read http://centminmod.com/nginx_configure_https_ssl_spdy.html
    
    # redirect from www to non-www  forced SSL
    # uncomment, save file and restart Nginx to enable
    # if unsure use return 302 before using return 301
    server {
      server_name domain.com www.domain.com;
      return 302 https://$server_name$request_uri;
    }
    
    server {
      listen 443 ssl http2;
      server_name domain.com www.domain.com;
    
      ssl_dhparam /usr/local/nginx/conf/ssl/domain.com/dhparam.pem;
      ssl_certificate      /usr/local/nginx/conf/ssl/domain.com/domain.com-acme.cer;
      ssl_certificate_key  /usr/local/nginx/conf/ssl/domain.com/domain.com-acme.key;
      include /usr/local/nginx/conf/ssl_include.conf;
    
      http2_max_field_size 16k;
      http2_max_header_size 32k;
      # mozilla recommended
      ssl_ciphers EECDH+CHACHA20:EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA256:EECDH+ECDSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+SHA384:EECDH+AES128:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!CAMELLIA;
      ssl_prefer_server_ciphers   on;
      #add_header Alternate-Protocol  443:npn-spdy/3;
    
      #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
      #add_header X-Frame-Options SAMEORIGIN;
      #add_header X-Xss-Protection "1; mode=block" always;
      #add_header X-Content-Type-Options "nosniff" always;
      #spdy_headers_comp 5;
      ssl_buffer_size 1369;
      ssl_session_tickets on;
      # enable ocsp stapling
      resolver 8.8.8.8 8.8.4.4 valid=10m;
      resolver_timeout 10s;
      ssl_stapling on;
      ssl_stapling_verify on;
      ssl_trusted_certificate /usr/local/nginx/conf/ssl/domain.com/domain.com-acme.cer;  
    
    # ngx_pagespeed & ngx_pagespeed handler
    #include /usr/local/nginx/conf/pagespeed.conf;
    #include /usr/local/nginx/conf/pagespeedhandler.conf;
    #include /usr/local/nginx/conf/pagespeedstatslog.conf;
    
      # limit_conn limit_per_ip 16;
      # ssi  on;
    
      access_log /home/nginx/domains/domain.com/log/access.log main_ext buffer=256k flush=60m;
      error_log /home/nginx/domains/domain.com/log/error.log;
    
      include /usr/local/nginx/conf/autoprotect/domain.com/autoprotect-domain.com.conf;
      root /home/nginx/domains/domain.com/public;
      # uncomment cloudflare.conf include if using cloudflare for
      # server and/or vhost site
      #include /usr/local/nginx/conf/cloudflare.conf;
      include /usr/local/nginx/conf/503include-main.conf;
    
      location / {
      include /usr/local/nginx/conf/503include-only.conf;
    
    # block common exploits, sql injections etc
    #include /usr/local/nginx/conf/block.conf;
    
      # Enables directory listings when index file not found
      #autoindex  on;
    
      # Shows file listing times as local time
      #autoindex_localtime on;
    
      # Enable for vBulletin usage WITHOUT vbSEO installed
      # More example Nginx vhost configurations at
      # http://centminmod.com/nginx_configure.html
      #try_files    $uri $uri/ /index.php;
    
      }
    
      include /usr/local/nginx/conf/staticfiles.conf;
      include /usr/local/nginx/conf/php.conf;
      include /usr/local/nginx/conf/drop.conf;
      #include /usr/local/nginx/conf/errorpage.conf;
      include /usr/local/nginx/conf/vts_server.conf;
    }
    
    The behavior of this tool is too unpredictable :(
     
    Last edited: Aug 28, 2016
  9. eva2000
    Have fixed the code for that, just doing internal testing first,
    hence why it's beta right now and why users helping with beta testing feedback is important :)
     
  10. JarylW
    Nice. Also maybe have HTTPS default for wordpress specify
    Code:
    https://domain.com
    instead of
    Code:
    http://domain.com 
    in WordPress Address (URL) and Site Address (URL)
     
  11. eva2000
    thanks for the reminder :)
     
  14. eva2000
    acmetool.sh 0.9.2 update: the custom web root menu option for acme-menu mode now prompts for just the custom web root directory name and then ensures it's within the /home/nginx/domains/yourdomain.com path

    example for domain14.com
    Code (Text):
    --------------------------------------------------------
            SSL Management            
    --------------------------------------------------------
    1).  acemtool.sh install
    2).  acmetool.sh update
    3).  acmetool.sh setup
    4).  Issue SSL Management
    5).  Renew SSL Management
    6).  Reissue SSL Management
    7).  Renew All Staging /Test Certs
    8).  Renew ALL Live Certs
    9).  Renew All Live Certs HTTPS Default
    10). Exit
    --------------------------------------------------------
    Enter option [ 1 - 10 ] 4
    --------------------------------------------------------
    

    Code (Text):
    --------------------------------------------------------
            SSL Issue Management            
    --------------------------------------------------------
    1).  Issue SSL Cert Staging/Test
    2).  Issue SSL Cert Staging/Test HTTPS Default
    3).  Issue SSL Cert Live
    4).  Issue SSL Cert Live HTTPS Default
    5).  Custom Webroot Issue SSL Cert Staging/Test
    6).  Custom Webroot Issue SSL Cert Staging/Test HTTPS Default
    7).  Custom Webroot Issue SSL Cert Live
    8).  Custom Webroot Issue SSL Cert Live HTTPS Default
    9).  S3 Issue SSL Cert
    10). S3 Issue SSL Cert
    11). S3 Issue SSL Cert
    12). S3 Issue SSL Cert
    13). Exit
    --------------------------------------------------------
    Enter option [ 1 - 13 ] 5
    --------------------------------------------------------
    

    entered custom webroot as webpub for domain14.com and it gets created at /home/nginx/domains/domain14.com/webpub
    Code (Text):
    Enter SSL certificate domain name you want without www. prefix host: domain14.com
    
    custom web root should be within /home/nginx/domains/yourdomain.com path
    i.e. /home/nginx/domains/yourdomain.com/customwebrootpath
    
    Enter custom webroot path you want: webroot
    
    you entered custom webroot = webroot
    full path location will be at:
    
    /home/nginx/domains/domain14.com/webroot
    
    is this path correct ? [y/n]: n
    
    custom web root should be within /home/nginx/domains/yourdomain.com path
    i.e. /home/nginx/domains/yourdomain.com/customwebrootpath
    
    Enter custom webroot path you want: webpub
    
    you entered custom webroot = webpub
    full path location will be at:
    
    /home/nginx/domains/domain14.com/webpub
    
    is this path correct ? [y/n]: y
    
    full path location will be at:
    /home/nginx/domains/domain14.com/webpub
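
Editor's added example, not part of eva2000's post and not acmetool.sh code: the containment rule the 0.9.2 prompt enforces, written out as two checks. The first is lexical, so a name like ../../etc or web/pub is rejected before anything touches the filesystem; the second resolves the created path with pwd -P so a directory name that is really a symlink out of /home/nginx/domains/<domain> is also rejected, which a string check alone cannot catch. The function names and exit codes are this example's own; /home/nginx/domains is the Centmin Mod vhost base named in the post.

```shell
#!/bin/sh
# webroot_check.sh - added example for this thread (not acmetool.sh code).
# The 0.9.2 acme-menu prompt accepts only a directory name and pins it under
# /home/nginx/domains/<domain>. Two checks make that containment hold:
#   1. lexical: the name must be a single path component (no '/', not '.' or
#      '..', no leading '-', only [A-Za-z0-9._-]) and the domain a plain hostname
#   2. physical: after creation, the resolved path (symlinks followed) must
#      still sit under the base directory

WEBROOT_BASE="/home/nginx/domains"   # Centmin Mod vhost base, as in the post

# valid_domain NAME: 0 for a hostname of [A-Za-z0-9-] labels separated by dots,
# with no empty label and no label starting or ending in '-'.
valid_domain() {
  case "$1" in
    ''|*[!A-Za-z0-9.-]*|.*|*.|*..*|-*|*.-*|*-.*) return 1 ;;
  esac
  return 0
}

# valid_component NAME: 0 when NAME is exactly one safe path component.
valid_component() {
  case "$1" in
    ''|.|..|-*|*[!A-Za-z0-9._-]*) return 1 ;;
  esac
  return 0
}

# webroot_path DOMAIN NAME: print the full custom webroot path, or fail (1).
webroot_path() {
  valid_domain "$1" || return 1
  valid_component "$2" || return 1
  printf '%s/%s/%s\n' "$WEBROOT_BASE" "$1" "$2"
}

# webroot_contained BASE NAME: 0 if BASE/NAME exists and resolves (symlinks
# followed) to a directory under BASE. Catches a NAME that is a symlink out of
# the vhost, which the lexical check cannot see.
webroot_contained() {
  base=$(cd "$1" 2>/dev/null && pwd -P) || return 1
  real=$(cd "$1/$2" 2>/dev/null && pwd -P) || return 1
  case "$real" in
    "$base"/*) return 0 ;;
  esac
  return 1
}

# Usage: sh webroot_check.sh DOMAIN NAME  -> prints the path and creates it if safe
if [ $# -eq 2 ]; then
  p=$(webroot_path "$1" "$2") || { echo "rejected: '$2' is not a safe directory name" >&2; exit 1; }
  mkdir -p "$p" && webroot_contained "$WEBROOT_BASE/$1" "$2" || { echo "rejected: $p escapes the vhost" >&2; exit 1; }
  echo "$p"
fi
```

The physical check matters because the webroot is later handed to acme.sh as -w and served by nginx: a symlinked name that resolves outside the vhost would let the challenge directory, and the vhost root, point at something other than the site's own files.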
     
  15. eva2000
    Updated Centmin Mod 123.09beta01 with LETSENCRYPT_DETECT variable to control integration detection of addons/acmetool.sh (Beta Branch thread: add LETSENCRYPT_DETECT variable to control addons/acmetool.sh detecti… | Centmin Mod Community)

    In 123.09beta01, add LETSENCRYPT_DETECT variable to control Letsencrypt integration via addons/acmetool.sh auto detection in centmin.sh menu option 2, 22, and /usr/bin/nv nginx vhost generators. You can control whether or not to enable or disable integration detection in these menu options using persistent config file which you can create if it doesn't exist at /etc/centminmod/custom_config.inc.

    Currently, defaults to LETSENCRYPT_DETECT='n' to disable detection integration support of addons/acmetool.sh during the beta testing phase (this thread: Letsencrypt - Official acmetool.sh testing thread for Centmin Mod 123.09beta01) so that only beta testers can enable it for beta testing.

    You can enable addons/acmetool.sh integration detection by setting LETSENCRYPT_DETECT='y' in persistent config file /etc/centminmod/custom_config.inc.
     
  17. eva2000
    Tested Centmin Mod 123.09beta01 + acmetool.sh for new BuyVM Slice 1024 KVM VPS server to migrate my mysqlmymon.com site to HTTP + HTTPS Letsencrypt SSL based site :)

    Code (Text):
    ./acmetool.sh checkdates
    
    ----------------------------------------------
    nginx installed
    ----------------------------------------------
    
    /usr/local/nginx/conf/ssl/mysqlmymon.com/mysqlmymon.com-acme.cer
    SHA1 Fingerprint=5E5C4C3FF94971A14652E0165FB6B12C0A31A547
    certificate expires in 89 days on 1 Dec 2016
    
    ----------------------------------------------
    acme.sh obtained
    ----------------------------------------------
    
    /root/.acme.sh/mysqlmymon.com/mysqlmymon.com.cer
    SHA1 Fingerprint=5E5C4C3FF94971A14652E0165FB6B12C0A31A547
    https://crt.sh/?sha1=5E5C4C3FF94971A14652E0165FB6B12C0A31A547
    certificate expires in 89 days on 1 Dec 2016


     
    Last edited: Sep 2, 2016
  18. pamamolf

    pamamolf Premium Member Premium Member

    4,084
    428
    83
    May 31, 2014
    Ratings:
    +834
    Local Time:
    4:25 PM
    Nginx-1.25.x
    MariaDB 10.3.x
    Hi :)

    Now, as there are many pages with info, can you please post some info on how I can use it in 3 common scenarios?

    1) when I am just creating a new vhost?
    2) when I have already created a vhost with a self signed certificate
    3) when I have already created a vhost without a self signed certificate

    DNS changes from before?

    Thank you !!!

    Ready to test it on all scenarios :)
     
  19. eva2000
    read the 1st post completely + its contained contents links ;)

    with LETSENCRYPT_DETECT='y' set, just use the normal centmin.sh menu option 2 or /usr/bin/nv methods, which are also posted on page 1 of this thread

    use addons/acmetool.sh methods, which are also posted on page 1 of this thread, either via command line mode or acmemenu mode. Of course all testing on a test server and not a live production site/server, or where you are willing to wipe the vhost and data if there are issues.

    see 1st page of thread for Preparing for public beta testing for addons/acmetool.sh
     
    Last edited: Sep 2, 2016
  20. erfolgskompass

    erfolgskompass New Member

    13
    1
    3
    Jun 8, 2016
    Ratings:
    +10
    Local Time:
    9:25 PM
    Hey, I have tried to install a Let's Encrypt SSL certificate with acmetool.sh for a domain with German umlauts.

    However acmetool died with the message:

    Code:
    [Wed Sep  7 14:02:13 CEST 2016] new-authz error: {"type":"urn:acme:error:unsupportedIdentifier","detail":"Internationalized domain names (starting with xn--) not yet supported","status": 400}
    For some reason acmetool has altered the vhost config, which I reverted to the backup.

    So that I have now installed an SSL certificate from StartSSL.

    What bugs me is that the first SSL connection to the domain now takes about 10 seconds and sometimes doesn't even work.

    Is that a problem because of enabling Let's Encrypt? And how can I solve this?

    Is there still something that I didn't revert to the original settings?

    Thanks for your help