SSL Suggestion: Add third-party SSL option to vhost creations

Discussion in 'Domains, DNS, Email & SSL Certificates' started by Daniel J. Lewis, Jul 21, 2018.

  1. Daniel J. Lewis

    Daniel J. Lewis Award-winning podcaster and consultant

    Oct 20, 2014
    For those serious about security and displaying that with a premium SSL (such as from Thawte, Comodo, Geotrust, etc.), it would be nice for Centminmod's vhost generators (blank and WP) to offer a "prepare for third-party SSL" option. This could set up everything like a normal live SSL, but let the user use their own cert. This could work like any of the following:
    1. Ask for their cert as part of the setup (and validate along the way)
    2. Prepare the SSL information with clear instructions on what to replace to add the cert
    3. Do some kind of dynamic thing where it's looking for the cert to be in a particular path with a particular file name.
    Or maybe easier for now would be to add comments to the nginx vhost files that would indicate what changes to make if switching from LetsEncrypt (or no SSL) to a third-party SSL.
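Option 1 in the post above (validating the supplied certificate during setup) could be done along these lines. This is an added example, not part of the thread and not Centmin Mod's own code; the function name `check_cert_pair`, its return codes and the paths in the usage comment are assumptions.

```shell
#!/usr/bin/env bash
# Added example: pre-flight checks for a third-party certificate before
# an nginx vhost is pointed at it. Name and return codes are hypothetical.
# Usage: check_cert_pair /path/to/domain.crt /path/to/domain.key example.com
check_cert_pair() {
    local cert key domain cert_pub key_pub
    cert="$1"; key="$2"; domain="$3"

    # 1. Both files must parse. "-passin pass:" makes an encrypted key
    #    fail immediately instead of prompting for a passphrase.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || {
        echo "cannot read certificate: $cert" >&2; return 2; }
    key_pub=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null) || {
        echo "cannot read private key: $key" >&2; return 3; }

    # 2. The certificate's public key must match the private key,
    #    otherwise nginx refuses to start with a key mismatch error.
    [ "$cert_pub" = "$key_pub" ] || {
        echo "certificate and key do not match" >&2; return 4; }

    # 3. The certificate must not already be past its notAfter date.
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 || {
        echo "certificate has expired" >&2; return 5; }

    # 4. The vhost's domain must be covered by the certificate
    #    (SAN, including wildcards). openssl reports the result as text.
    openssl x509 -in "$cert" -noout -checkhost "$domain" 2>/dev/null \
        | grep -q "does match certificate" || {
        echo "certificate does not cover $domain" >&2; return 6; }

    return 0
}
```

These checks cover the certificate and key only; the vhost itself still needs `nginx -t` before a reload.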
  2. eva2000

    eva2000 Administrator Staff Member

    May 24, 2014
    Brisbane, Australia
    Yeah, that was one of my intended improvements, which spurred starting this thread to gather known SSL cert provider files: "SSL - Compiled list of SSL certificate file name bundles". But providers have changed file/file bundle names over time, which would cause issues. The manual way is still the same as outlined at "Nginx HTTP/2 & SPDY SSL Configuration - LEMP Nginx web stack for CentOS" though heh.

    @deltahf posted a guide for renewing paid SSL certs, which is the same as obtaining new paid SSL certs too, at "SSL - Guide: Renewing & Reinstalling SSL Certificate on Centminmod with GoGetSSL".

    Though Letsencrypt free SSL really has taken over the space for most usage scenarios - not all though.

    Indeed something to think about :)