
SSL Switch from http to https and http/2

Discussion in 'Domains, DNS, Email & SSL Certificates' started by Sunka, Nov 25, 2015.

  1. Sunka

    Sunka Well-Known Member

    1,150
    325
    83
    Oct 31, 2015
    Pula, Croatia
    Ratings:
    +525
    Local Time:
    12:54 PM
    Nginx 1.17.9
    MariaDB 10.3.22
    So, I bought Comodo Essential SSL, which is verified.
    What are my steps on the server to use this certificate? Also, how do I redirect all non-www to www and http to https?
    I believe that in my nginx 1.9.6 I can use http/2 and not spdy


    Thank you
     
  2. Sunka

    I have 3 files downloaded from site where I bought ssl certification.
    CA-Bundle
    CSR
    Security certificate

    Where should I upload them?
     
  3. eva2000

    eva2000 Administrator Staff Member

    55,247
    12,253
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,833
    Local Time:
    8:54 PM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    see the following

     
    Last edited: Nov 25, 2015
  4. Sunka

    Lol, I am lost again.
    I will try to read those manuals a couple of times again.
     
  5. eva2000

    key to learning is
    1. not to fear messing up and
    2. reading
    3. practise :)
    using a test VPS and not live VPS helps too
     
  6. Sunka

    I am confused by the certificates already on my server in /usr/local/nginx/conf/ssl/pijanitvor.com/
    Should I overwrite them with the files I downloaded from my paid SSL certificate?
     
  7. eva2000

  8. Sunka

    I have three files from my ssl provider:
    • www_pijanitvor_com.ca-bundle
    • www_pijanitvor_com.crt
    • www_pijanitvor_com.csr

    If I understand the procedure:
    upload www_pijanitvor_com.crt to /usr/local/nginx/conf/ssl/pijanitvor.com/ and overwrite the existing one

    also copy the other two files, www_pijanitvor_com.csr and www_pijanitvor_com.ca-bundle, to /usr/local/nginx/conf/ssl/pijanitvor.com/ and overwrite the existing ones

    delete the old dhparam.pem file in /usr/local/nginx/conf/ssl/pijanitvor.com and create a new one
    Code:
    cd /usr/local/nginx/conf/ssl/pijanitvor.com
    openssl dhparam -out dhparam.pem 4096
    add at the bottom of the (nginx) virtual.conf file:
    Code:
    ssl_dhparam /usr/local/nginx/conf/ssl/domaincom/dhparam.pem;
    then these three commands:
    Code:
    cd /usr/local/nginx/conf/ssl/pijanitvor.com/
    cat www_pijanitvor_com.crt www_pijanitvor_com.ca-bundle > ssl-unified.crt
    cat www_pijanitvor_com.ca-bundle > ssl-trusted.crt
    then I need to change /usr/local/nginx/conf/conf.d/pijanitvor.com.ssl.conf

    find:

    Code:
    server {
      listen 443 ssl http2;
      server_name pijanitvor.com www.pijanitvor.com;
    
      ssl_dhparam /usr/local/nginx/conf/ssl/pijanitvor.com/dhparam.pem;
      ssl_certificate      /usr/local/nginx/conf/ssl/pijanitvor.com/pijanitvor.com.crt;
      ssl_certificate_key  /usr/local/nginx/conf/ssl/pijanitvor.com/pijanitvor.com.key;
      include /usr/local/nginx/conf/ssl_include.conf;
    replace with:

    Code:
    server {
      listen 443 ssl http2;
      server_name pijanitvor.com www.pijanitvor.com;
      ssl_dhparam /usr/local/nginx/conf/ssl/pijanitvor.com/dhparam.pem;
      ssl_certificate      /usr/local/nginx/conf/ssl/pijanitvor.com/ssl-unified.crt;
      ssl_certificate_key  /usr/local/nginx/conf/ssl/pijanitvor.com/pijanitvor.com.key;
      include /usr/local/nginx/conf/ssl_include.conf;
    About pijanitvor.com.key. The manual says to change ssl.key to newdomain.com.key. I already have pijanitvor.com.key in there (created with the virtual host when installing centminmod), and from my SSL provider I do not have anything similar to that, or is this the generated key which is in the certificate? So, should I leave that row as it is or not (ssl_certificate_key /usr/local/nginx/conf/ssl/pijanitvor.com/pijanitvor.com.key;)


    find:
    Code:
    # enable ocsp stapling
      #resolver 8.8.8.8 8.8.4.4 valid=10m;
      #resolver_timeout 10s;
      #ssl_stapling on;
      #ssl_stapling_verify on;
      #ssl_trusted_certificate /usr/local/nginx/conf/ssl/pijanitvor.com/pijanitvor.com-trusted.crt;  
    replace with:

    Code:
      enable ocsp stapling
      resolver 8.8.8.8 8.8.4.4 valid=10m;
      resolver_timeout 10s;
      ssl_stapling on;
      ssl_stapling_verify on;
      ssl_trusted_certificate /usr/local/nginx/conf/ssl/pijanitvor.com/ssl-trusted.crt;  
    then run this command to disable http:
    Code:
    mv /usr/local/nginx/conf/conf.d/pijanitvor.com.conf /usr/local/nginx/conf/conf.d/pijanitvor.com.conf-disabled
    then again change /usr/local/nginx/conf/conf.d/pijanitvor.com.ssl.conf and make changes to redirect from pijanitvor.com and www.pijanitvor.com to https://www.pijanitvor.com

    Find:
    Code:
    # Centmin Mod Getting Started Guide
    # must read http://centminmod.com/getstarted.html
    # For SPDY SSL Setup
    # read http://centminmod.com/nginx_configure_https_ssl_spdy.html
    
    # redirect from www to non-www  forced SSL
    # uncomment, save file and restart Nginx to enable
    # if unsure use return 302 before using return 301
    # server {
    #  server_name pijanitvor.com www.pijanitvor.com;
    #  return 302 https://$server_name$request_uri;
    # }
    
    replace with:

    Code:
    # Centmin Mod Getting Started Guide
    # must read http://centminmod.com/getstarted.html
    # For SPDY SSL Setup
    # read http://centminmod.com/nginx_configure_https_ssl_spdy.html
    
    # redirect from www to non-www  forced SSL
    # uncomment, save file and restart Nginx to enable
    # if unsure use return 302 before using return 301
       server {
       server_name pijanitvor.com www.pijanitvor.com;
       return 302 https://www.$server_name$request_uri;
     }
    

    then restart nginx and php-fpm
    Code:
    nprestart
    then check whether SSL is OK
    Code:
    openssl s_client -connect domain.com:443 -tls1 -tlsextdebug -status
    And after a few days, if all is OK, change 302 to 301

    Is this setup OK?
    Am I missing some step or do I need to change any other file?
    Most confusing to me are the SSL files generated in the creation of the virtual host, and I am not sure whether I should replace them with the provider's SSL files or put them somewhere else (the default one).
    Also, pijanitvor.com.key (ssl.key to newdomain.com.key): I do not have that file from my SSL provider
     
  9. eva2000

    no need to overwrite unless you uploaded that crt file before as nginx auto generates a self-signed ssl crt and it isn't named in that format anyway it would be like pijanitvor.com.crt so no overwriting necessary. you do not need to delete any nginx auto generated self-signed ssl certificate files or dhparam files
    no need to delete dhparam file and re-generate you use the one nginx auto generated for you and just upload those files to /usr/local/nginx/conf/ssl/pijanitvor.com/
    yes
    yes
    you should leave that key nginx auto generated IF you used the accompanying CSR file with that private key to get your paid SSL certificate, as the key signs the CSR file and they need to match. If you generated a separate new private key with your paid SSL certificate, you need to use that new private key in place of ssl_certificate_key /usr/local/nginx/conf/ssl/pijanitvor.com/pijanitvor.com.key;
    Yes
    yes
    yes
    nginx auto generated files in /usr/local/nginx/conf/ssl/pijanitvor.com/ are generally left untouched and no need to delete. The only time you will need to delete is if you didn't use the auto generated *.csr file (when you submitted your order for paid SSL certificate) which was auto generated and signed by auto generated private *.key.
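Added example (not from the thread, Centmin Mod or its documentation): a small shell check for the two questions in the posts above, whether the private key nginx will load actually belongs to the purchased certificate (it only does if the CSR signed by that key was the one submitted for the order), and whether ssl-unified.crt was assembled leaf-first, since nginx sends the certificates in file order. It needs only the openssl CLI; the file names and the per-domain vhost directory layout are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: verify a purchased certificate, the
# private key nginx will use and the CA bundle fit together BEFORE editing
# the vhost file. Only the openssl CLI is required.

# Return 0 if the public key inside the certificate equals the public key
# derived from the private key, i.e. this key signed the CSR the certificate
# was issued from. Compares the whole SubjectPublicKeyInfo, so it works for
# RSA and EC keys alike (a modulus-only comparison would be RSA-specific).
key_matches_cert() {
  local crt="$1" key="$2" crt_pub key_pub
  crt_pub=$(openssl x509 -noout -pubkey -in "$crt" 2>/dev/null) || return 1
  key_pub=$(openssl pkey -pubout -in "$key" 2>/dev/null) || return 1
  [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]
}

# Build the file that ssl_certificate points at: the leaf certificate first,
# then the intermediates from the CA bundle. nginx serves them in file order.
build_unified() {
  local crt="$1" bundle="$2" out="$3"
  cat "$crt" "$bundle" > "$out"
}

# Number of PEM certificate blocks in a file (leaf + intermediates expected).
count_certs() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Because openssl x509 reads only the FIRST PEM block of a file,
# key_matches_cert against the unified file also tells you whether the
# concatenation order was leaf-then-bundle rather than the reverse.

# Stand-alone use on a vhost directory (paths are assumptions), e.g.
#   ./check_ssl_files.sh /usr/local/nginx/conf/ssl/example.test
if [ "$#" -eq 1 ]; then
  d="$1"; dom=$(basename "$d")
  if key_matches_cert "$d/ssl-unified.crt" "$d/$dom.key"; then
    echo "OK: $dom.key matches the first certificate in ssl-unified.crt"
  else
    echo "MISMATCH: $dom.key does not belong to the first certificate in ssl-unified.crt"
  fi
  echo "certificates in ssl-unified.crt: $(count_certs "$d/ssl-unified.crt")"
fi
```

If the mismatch branch fires, either the wrong key is referenced by ssl_certificate_key (the situation eva2000 describes when a new key was generated elsewhere) or the bundle was concatenated before the leaf; both make nginx fail at start or serve an unverifiable chain.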
     
  10. Sunka

    yep, I see this now. Have overlooked that

    Hm, I used their online generator, so I think that the default key is not the same. I was e-mailed that key from the provider in a txt file. Should I back up the default key and create a new file with the provider key, with the same name, and upload it there?
    So rename the old .key to something else and create a new file with the name pijanitvor.com.key (in notepad++ copy/paste the private key, and save with the .key extension)?
     
  11. eva2000

    yup
     
  12. Sunka

    Ok, will not create new one.
    but, do I still have to add on the bottom in (nginx) virtual.conf
    Code:
    ssl_dhparam /usr/local/nginx/conf/ssl/domaincom/dhparam.pem;
     
  13. Sunka

    After trying to restart nginx
    Code:
    [root@tvor-ocean conf.d]# nprestart
    Restarting nginx (via systemctl):  Job for nginx.service failed. See 'systemctl status nginx.service' and 'journalctl -xn' for details.
                                                               [FAILED]
    Gracefully shutting down php-fpm . done
    Starting php-fpm  done
    [root@tvor-ocean conf.d]# systemctl status nginx.service
    nginx.service - SYSV: Nginx is an HTTP(S) server, HTTP(S) reverse proxy and IMAP/POP3 proxy server
       Loaded: loaded (/etc/rc.d/init.d/nginx)
       Active: failed (Result: exit-code) since Thu 2015-11-26 00:27:21 CET; 13s ago
      Process: 12355 ExecStop=/etc/rc.d/init.d/nginx stop (code=exited, status=0/SUCCESS)
      Process: 12409 ExecStart=/etc/rc.d/init.d/nginx start (code=exited, status=1/FAILURE)
    Main PID: 2388 (code=exited, status=0/SUCCESS)
    
    Nov 26 00:27:21 tvor-ocean.pijanitvor.com systemd[1]: Starting SYSV: Nginx is...
    Nov 26 00:27:21 tvor-ocean.pijanitvor.com nginx[12409]: Starting nginx: nginx...
    Nov 26 00:27:21 tvor-ocean.pijanitvor.com nginx[12409]: [FAILED]
    Nov 26 00:27:21 tvor-ocean.pijanitvor.com systemd[1]: nginx.service: control ...
    Nov 26 00:27:21 tvor-ocean.pijanitvor.com systemd[1]: Failed to start SYSV: N...
    Nov 26 00:27:21 tvor-ocean.pijanitvor.com systemd[1]: Unit nginx.service ente...
    Hint: Some lines were ellipsized, use -l to show in full.
    [root@tvor-ocean conf.d]# systemctl status nginx.service -l
    nginx.service - SYSV: Nginx is an HTTP(S) server, HTTP(S) reverse proxy and IMAP/POP3 proxy server
       Loaded: loaded (/etc/rc.d/init.d/nginx)
       Active: failed (Result: exit-code) since Thu 2015-11-26 00:27:21 CET; 27s ago
      Process: 12355 ExecStop=/etc/rc.d/init.d/nginx stop (code=exited, status=0/SUCCESS)
      Process: 12409 ExecStart=/etc/rc.d/init.d/nginx start (code=exited, status=1/FAILURE)
    Main PID: 2388 (code=exited, status=0/SUCCESS)
    
    Nov 26 00:27:21 tvor-ocean.pijanitvor.com systemd[1]: Starting SYSV: Nginx is an HTTP(S) server, HTTP(S) reverse proxy and IMAP/POP3 proxy server...
    Nov 26 00:27:21 tvor-ocean.pijanitvor.com nginx[12409]: Starting nginx: nginx: [emerg] unknown directive "enable" in /usr/local/nginx/conf/conf.d/pijanitvor.com.ssl.conf:35
    Nov 26 00:27:21 tvor-ocean.pijanitvor.com nginx[12409]: [FAILED]
    Nov 26 00:27:21 tvor-ocean.pijanitvor.com systemd[1]: nginx.service: control process exited, code=exited status=1
    Nov 26 00:27:21 tvor-ocean.pijanitvor.com systemd[1]: Failed to start SYSV: Nginx is an HTTP(S) server, HTTP(S) reverse proxy and IMAP/POP3 proxy server.
    Nov 26 00:27:21 tvor-ocean.pijanitvor.com systemd[1]: Unit nginx.service entered failed state.
     
  14. Sunka

    Found the error and solved it (I deleted the # on the comment row, so the "command" enable became active, but there is no command enable ;))

    Still, the question below is still unanswered...
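Added example (not from the thread or Centmin Mod): a pre-flight lint to run before nprestart. It would have flagged the bare "enable ocsp stapling" line that nginx rejected as "unknown directive" in the post above, and it also checks that every certificate, key and dhparam file the vhost references actually exists, which is the other common reason an SSL vhost fails to start. It assumes one directive per line, as the Centmin Mod vhost files are written; `nginx -t` remains the authoritative check.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: coarse pre-flight checks for an nginx
# vhost file. Run before restarting nginx; nginx -t is still the real test.

# Report lines that are neither blank, nor comments, nor end in ';', '{' or
# '}'. A comment whose leading '#' was removed (e.g. "enable ocsp stapling")
# shows up here. Assumes one directive per line, as Centmin Mod vhosts are.
# Prints "file:line: ..." per offender and returns 1 if any were found.
lint_nginx_conf() {
  local conf="$1"
  awk -v f="$conf" '
    {
      line = $0
      sub(/^[ \t]+/, "", line)          # leading whitespace
      sub(/^#.*$/, "", line)            # whole-line comment
      sub(/[ \t]+#.*$/, "", line)       # trailing comment after a directive
      sub(/[ \t\r]+$/, "", line)        # trailing whitespace / CR
      if (line == "") next              # blank or comment-only line
      if (line ~ /[;{}]$/) next         # directive or block delimiter
      printf "%s:%d: not an nginx directive: %s\n", f, NR, line
      bad = 1
    }
    END { exit (bad ? 1 : 0) }
  ' "$conf"
}

# For every active ssl_certificate / ssl_certificate_key /
# ssl_trusted_certificate / ssl_dhparam directive, verify the referenced file
# is readable. Commented-out directives are ignored. Prints missing paths and
# returns 1 if any are missing. Paths are assumed to contain no spaces.
check_ssl_paths() {
  local conf="$1" missing=0 path paths
  paths=$(awk '
    /^[ \t]*ssl_(certificate|certificate_key|trusted_certificate|dhparam)[ \t]/ {
      p = $2; sub(/;.*$/, "", p); print p
    }' "$conf")
  for path in $paths; do           # intentional word splitting, one path per line
    if [ ! -r "$path" ]; then
      printf '%s: missing or unreadable: %s\n' "$conf" "$path"
      missing=1
    fi
  done
  return "$missing"
}

# Stand-alone use: ./vhost_preflight.sh /usr/local/nginx/conf/conf.d/example.test.ssl.conf
if [ "$#" -ge 1 ]; then
  rc=0
  for f in "$@"; do
    lint_nginx_conf "$f" || rc=1
    check_ssl_paths "$f" || rc=1
  done
  [ "$rc" -eq 0 ] && echo "preflight OK, now run: nginx -t && nprestart"
  exit "$rc"
fi
```

The lint deliberately errs on the side of noise: a directive wrapped across lines will be reported too, which is cheap to look at compared with a vhost that takes the whole site down on restart.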

     
  15. Sunka

    Hmmm, only the main page is showing, every other link (including relative ones) is broken. Also, the balloon (for alerts), when selected by mouse, shows an error.
    Nginx 404 error

    :cry:
     
    Last edited: Nov 26, 2015
  16. Sunka

    Nothing is working on forum except home page and Admin CP.
    I tried click on resources tab, and this is error from log on server:
    Code:
    2015/11/26 02:14:58 [error] 2858#2858: *786 "/home/nginx/domains/pijanitvor.com/public/resources/index.php" is not found (2: No such file or directory), client: 93.137.185.104, server: pijanitvor.com, request: "GET /resources/ HTTP/2.0", host: "www.pijanitvor.com", referrer: "https://www.pijanitvor.com/"
    Somewhere is not enabled redirection or some step is missing. @eva2000 could you help?
     
  17. Sunka

    I found it :)
    lol, for the last few hours I have been talking here with myself.

    Problem was in friendly url code. They were missing in pijanitvor.com.ssl.conf.
    I added them, but then the old error about a duplicate location in the file showed up, so I commented out the last location, because the main rows for that were already commented.

    @eva2000, @RoldanLT or anybody else, could you please make this .conf include the commented location, but with friendly URLs working as they work OK now? The two commented rows are near the bottom (last location, open row and close row):
    #location / {

    # block common exploits, sql injections etc
    #include /usr/local/nginx/conf/block.conf;

    # Enables directory listings when index file not found
    #autoindex on;

    # Shows file listing times as local time
    #autoindex_localtime on;

    # Enable for vBulletin usage WITHOUT vbSEO installed
    # More example Nginx vhost configurations at
    # Nginx Configuration Examples - CentminMod.com LEMP Nginx web stack for CentOS
    #try_files $uri $uri/ /index.php;

    #}

    Code:
    # Centmin Mod Getting Started Guide
    # must read http://centminmod.com/getstarted.html
    # For SPDY SSL Setup
    # read http://centminmod.com/nginx_configure_https_ssl_spdy.html
    
    # redirect from www to non-www  forced SSL
    # uncomment, save file and restart Nginx to enable
    # if unsure use return 302 before using return 301
    server {
       server_name pijanitvor.com www.pijanitvor.com;
        return 301 https://www.$server_name$request_uri;
    }
    
    server {
      listen 443 ssl http2;
      server_name pijanitvor.com www.pijanitvor.com;
    
      ssl_dhparam /usr/local/nginx/conf/ssl/pijanitvor.com/dhparam.pem;
      ssl_certificate      /usr/local/nginx/conf/ssl/pijanitvor.com/ssl-unified.crt;
      ssl_certificate_key  /usr/local/nginx/conf/ssl/pijanitvor.com/pijanitvor.com.key;
      include /usr/local/nginx/conf/ssl_include.conf;
    
      # mozilla recommended
      ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!CAMELLIA:!DES-CBC3-SHA;
      ssl_prefer_server_ciphers   on;
      ##add_header Alternate-Protocol  443:npn-spdy/3;
      #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
      #add_header  X-Content-Type-Options "nosniff";
      #add_header X-Frame-Options DENY;
      ##spdy_headers_comp 5;
      ssl_buffer_size 1400;
      ssl_session_tickets on;
     
      #enable ocsp stapling
      resolver 8.8.8.8 8.8.4.4 valid=10m;
      resolver_timeout 10s;
      ssl_stapling on;
      ssl_stapling_verify on;
      ssl_trusted_certificate /usr/local/nginx/conf/ssl/pijanitvor.com/ssl-trusted.crt; 
    
    # ngx_pagespeed & ngx_pagespeed handler
    #include /usr/local/nginx/conf/pagespeed.conf;
    #include /usr/local/nginx/conf/pagespeedhandler.conf;
    #include /usr/local/nginx/conf/pagespeedstatslog.conf;
    
      # limit_conn limit_per_ip 16;
      # ssi  on;
    
      access_log /home/nginx/domains/pijanitvor.com/log/access.log combined buffer=256k flush=60m;
      error_log /home/nginx/domains/pijanitvor.com/log/error.log;
    
      root /home/nginx/domains/pijanitvor.com/public;
    
      location / {
            index index.php index.html index.htm;
            try_files $uri $uri/ /index.php?$uri&$args;
        }
    
        location /internal_data/ {
            internal;
            allow 127.0.0.1;
            allow 46.101.130.248;
            deny all;
        }
    
        location /library/ {
            internal;
            allow 127.0.0.1;
            allow 46.101.130.248;
            deny all;
        }
     
      # prevent access to ./directories and files
        location ~ (?:^|/)\. {
       deny all;
        } 
    
      #location / {
    
    # block common exploits, sql injections etc
    #include /usr/local/nginx/conf/block.conf;
    
      # Enables directory listings when index file not found
      #autoindex  on;
    
      # Shows file listing times as local time
      #autoindex_localtime on;
    
      # Enable for vBulletin usage WITHOUT vbSEO installed
      # More example Nginx vhost configurations at
      # http://centminmod.com/nginx_configure.html
      #try_files    $uri $uri/ /index.php;
    
      #}
    
      include /usr/local/nginx/conf/staticfiles.conf;
      include /usr/local/nginx/conf/php.conf;
      include /usr/local/nginx/conf/drop.conf;
      #include /usr/local/nginx/conf/errorpage.conf;
      include /usr/local/nginx/conf/vts_server.conf;
    }
    
     
  18. eva2000

    just remove this part
    Code:
      #location / {
    
    # block common exploits, sql injections etc
    #include /usr/local/nginx/conf/block.conf;
    
      # Enables directory listings when index file not found
      #autoindex  on;
    
      # Shows file listing times as local time
      #autoindex_localtime on;
    
      # Enable for vBulletin usage WITHOUT vbSEO installed
      # More example Nginx vhost configurations at
      # http://centminmod.com/nginx_configure.html
      #try_files    $uri $uri/ /index.php;
    
      #}