
Nginx SSL update of domain.com.ssl.conf old vhost

Discussion in 'Nginx, PHP-FPM & MariaDB MySQL' started by adamus007p, Jan 3, 2022.

  1. adamus007p

    adamus007p Member

    • CentOS Version: CentOS 7 64bit
    • Centmin Mod Version Installed: 123.09beta01.b760
    • Nginx Version Installed: 1.21.4
    • PHP Version Installed: 8.0.14
    • When was last time updated Centmin Mod code base ? : today
    • Persistent Config:

    Code (Text):
    CF_DNSAPI_GLOBAL='y'
    CF_Token="xxxxxxxxxxxx"
    CF_Account_ID="xxxxxxxxxxxxxxxx"
    NGINX_SSLCACHE_ALLOWOVERRIDE='y'
    NGINX_STAPLE_CACHE_OVERRIDE='y'
    NGINX_STAPLE_CACHE_TTL='86400'
    SET_DEFAULT_MYSQLCHARSET='utf8mb4'
    AUTOHARDTUNE_NGINXBACKLOG='y'
    ZSTD_LOGROTATE_NGINX='y'
    ZSTD_LOGROTATE_PHPFPM='y'
    NGINX_LIBBROTLI='y'
    NGXDYNAMIC_BROTLI='y'
    PHP_PGO='y'
    PHP_BROTLI='y'
    PHP_LZFOUR='y'
    PHP_LZF='y'
    PHP_ZSTD='y'
    MARCH_TARGETNATIVE='n'
    LETSENCRYPT_DETECT='y'
    DUALCERTS='y'
    AUDITD_ENABLE='y'
    PHPINTL='y'
    PHPFINFO='y'
    LIBRESSL_SWITCH='n'
    DMOTD_PHPCHECK='y'
    WPCLI_CE_QUERYSTRING_INCLUDED='y'
    NGINX_ZERODT='y'
    


    Hello,

    I have noticed that some of my very old vhosts located in
    Code (Text):
    /usr/local/nginx/conf/conf.d/
    
    domain1.com.ssl.conf
    domain2.com.ssl.conf


    do not have some lines which exist in the configs of newer domains.

    I see also that
    Code (Text):
    # mozilla recommended
    ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256......
    




    Code (Text):
    # mozilla recommended
    TLS13-AES-128-GCM-SHA256:TLS13-AES-256-GCM-SHA384:TLS13......
    


    I update my VPS:
    cmupdate
    update option 24 and update all things
    nginx and php updates
    so I keep everything up to date.

    I have tested it: I added to the persistent config file /etc/centminmod/custom_config.inc
    Code (Text):
    PRIORITIZE_CHACHA_OPENSSL='y'
    


    and reinstalled nginx with and without CHACHA.

    Nothing helped.



    Dear @eva2000, is there a way to update the old vhosts, or do I need to install a new server and migrate everything from scratch? What options are possible?


    New vhost configs have some extra lines; the old ones do not have them.

    Do you need to see a config file?
     
    Last edited: Jan 3, 2022
  2. eva2000

    eva2000 Administrator Staff Member

    The easy way is to create a new Nginx vhost site matching your domain name on a test Centmin Mod VPS server. Then just compare the lines that differ and manually copy/update them on your old nginx vhosts. To take care of SSL certificate paths, which may be different on the new vhost compared to the old one, run the acmetool.sh reissue-only command:

    acmetool.sh added a reissue-only option for existing nginx HTTPS SSL vhosts with domain.com.ssl.conf vhost config files that already exist. This only does a reissue of the letsencrypt SSL cert without touching the nginx vhost. Ideal for use when you tried creating a Nginx HTTPS SSL default vhost site but letsencrypt SSL issuance failed the first time. When it fails, Centmin Mod usually falls back to a self-signed SSL cert as a placeholder for the domain.com.ssl.conf vhost config. When you run:
    Code (Text):
    cd /usr/local/src/centminmod/addons
    ./acmetool.sh reissue-only domain.com live
    

    It will only try reissuing the letsencrypt SSL certificate for the domain (domain.com) as a live production SSL certificate, without touching any of the existing nginx vhost at domain.com.ssl.conf.

    No longer a required setting.

    Of course backup your nginx vhosts before you make changes.

    Centmin Mod generally does not touch or update nginx vhosts after they have been created automatically so as to not mess with users own custom configurations.
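To make the comparison described above repeatable, here is an added shell example (not part of the thread and not Centmin Mod's own tooling) that backs up an old vhost file and then lists the directive lines a freshly generated vhost has that the old one lacks, ignoring indentation differences. The two vhost files it writes are constructed samples modelled on the snippets in this thread; the function names and the temporary directory paths are assumptions made for the demo.

```shell
#!/bin/sh
# Added example (not Centmin Mod's own code): back up an old vhost, then list
# the directive lines a freshly generated vhost has that the old one lacks.
# Leading/trailing whitespace is normalised so indentation changes are ignored.
# The two sample vhosts written by make_samples are constructed test data.

# Normalise one vhost file for comm(1): trim whitespace, drop blank lines, sort.
normalise_vhost() {
  LC_ALL=C sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" \
    | grep -v '^$' | LC_ALL=C sort -u
}

# Print the lines present in $2 (new vhost) but absent from $1 (old vhost).
missing_directives() {
  tmpdir=$(mktemp -d)
  normalise_vhost "$1" > "$tmpdir/old"
  normalise_vhost "$2" > "$tmpdir/new"
  LC_ALL=C comm -13 "$tmpdir/old" "$tmpdir/new"
  rm -rf "$tmpdir"
}

# Copy the vhost to a timestamped .bak file before editing it; prints the path.
backup_vhost() {
  bak="$1.bak-$(date +%Y%m%d%H%M%S)"
  cp -p "$1" "$bak" && printf '%s\n' "$bak"
}

# Write two constructed sample vhosts into directory $1: the "old" one lacks
# the staticfiles include and the Permissions-Policy header line.
make_samples() {
  cat > "$1/old.ssl.conf" <<'EOF'
server {
  server_name domain.com www.domain.com;
  return 302 https://domain.com$request_uri;
  root /home/nginx/domains/domain.com/public;
}
EOF
  cat > "$1/new.ssl.conf" <<'EOF'
server {
    server_name domain.com www.domain.com;
    return 302 https://domain.com$request_uri;
    root /home/nginx/domains/domain.com/public;
    include /usr/local/nginx/conf/staticfiles.conf;
    #add_header Permissions-Policy "accelerometer=(), camera=(), geolocation=()";
}
EOF
}

# Demo run on the constructed samples (nothing outside the temp dir is touched).
demo_dir=$(mktemp -d)
make_samples "$demo_dir"
backup_vhost "$demo_dir/old.ssl.conf" > /dev/null
echo "Directives in new vhost missing from old vhost:"
missing_directives "$demo_dir/old.ssl.conf" "$demo_dir/new.ssl.conf"
rm -rf "$demo_dir"
```

On a real server you would point `missing_directives` at the old `/usr/local/nginx/conf/conf.d/domain.com.ssl.conf` and at the vhost generated on the test server, and only then copy lines across by hand; the normalisation means a line is reported only when it is genuinely absent, not when it is merely indented differently.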
     
  3. adamus007p

    adamus007p Member

    Thank you @eva2000 for your answer. I tried your method and it helps with another problem, but it did not update the vhost SSL.

    I will write more examples

    Code (Text):
    server {
     
       server_name domain.com www.domain.com;
       return 302 https://domain.com$request_uri;
       root /home/nginx/domains/domain.com/public;
       include /usr/local/nginx/conf/staticfiles.conf; << this is missing
     }
    
    
    and
    
      #add_header Permissions-Policy "accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=()"; << this is missing
    



    Should I just copy it and nothing else?
    I am wondering which other files besides the nginx config could be different too?


    I was thinking to create a new domain and configure it, then go to the old domain and rename it, use the new domain, and rename it to the correct domain.

    or something to refresh all configuration.
    I will make a backup of database, files and old nginx config.

    Is it possible to do it and how?
     
    Last edited: Jan 3, 2022
  4. eva2000

    eva2000 Administrator Staff Member

    Because the reissue command doesn't touch the nginx vhost config, that's why it's missing the non-https to https 302 redirect. You can re-add it again if required.

    You should be able to do that too, but you'd have more site downtime in between, if that is ok for you.
     
  5. adamus007p

    adamus007p Member

    Hello @eva2000, could you advise how to do it? What and how should I rename?
     
  6. adamus007p

    adamus007p Member

    I wanted to use command line to update config files like in your tutorial:
    https://servermanager.guide/203/wordpress-cache-enabler-advanced-full-page-caching-guide/

    but the command:
    Code (Text):
    sed -i 's|^ #include /usr/local/nginx/conf/cloudflare.conf;| include /usr/local/nginx/conf/cloudflare.conf;|' /usr/local/nginx/conf/conf.d/cache-enabler.centminmod.com.ssl.conf
    


    I have changed the domain name to my domain; for example, domain.com:

    Code (Text):
    sed -i 's|^ #include /usr/local/nginx/conf/cloudflare.conf;|include /usr/local/nginx/conf/cloudflare.conf;|' /usr/local/nginx/conf/conf.d/domain.com.ssl.conf
    


    but nothing happened. I was root. Paths are ok, maybe something with the syntax?
     
  7. eva2000

    eva2000 Administrator Staff Member

    The sed command there is positionally dependent on the include line being at
    Code (Text):
     include /usr/local/nginx/conf/cloudflare.conf
    

    with 1 space before the include. The ^ # means find lines that begin with a space and then #include. If you had different spacing, the sed command would have skipped the replacement.
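As an added illustration of the spacing dependency described above (example code, not from the thread and not Centmin Mod's own), the following counts how many lines the thread's original `^ #include` anchor matches beside a whitespace-tolerant pattern that captures whatever indentation is present and keeps it. The sample vhost lines, the function names and the temporary file path are constructed for the demo; the cloudflare.conf include path is the one quoted in the thread.

```shell
#!/bin/sh
# Added example (not Centmin Mod's own code): uncomment an nginx include line
# no matter how it is indented, and count how many such lines are active.
# The sample vhost written by make_sample is constructed data, not a real config.

# Escape a path so it can be used literally inside a sed/grep basic regex
# that uses | as its delimiter.
sed_escape() {
  printf '%s' "$1" | sed 's/[][\.*^$|]/\\&/g'
}

# Lines matching the thread's original anchor "^ #include PATH;" (exactly one
# leading space): shows how position-dependent that pattern is.
count_one_space_matches() {
  grep -c "^ #include $(sed_escape "$2");" "$1" || true
}

# Uncommented "include PATH;" lines with any indentation.
count_active_includes() {
  grep -c "^[[:space:]]*include[[:space:]]*$(sed_escape "$2");" "$1" || true
}

# Uncomment every "#include PATH;" line while keeping its indentation.
# ^\([[:space:]]*\) captures the indent; #[[:space:]]* also accepts "# include".
# Written to a temp file and moved back so it works without GNU sed -i.
uncomment_include() {
  file="$1"; inc="$2"; esc=$(sed_escape "$2")
  sed "s|^\([[:space:]]*\)#[[:space:]]*include[[:space:]]*${esc};|\1include ${inc};|" "$file" \
    > "$file.tmp" && mv "$file.tmp" "$file"
}

# Constructed sample vhost fragment: the same include commented out with
# one space (as in the thread), two spaces, and a tab plus "# include",
# followed by an unrelated include that must stay untouched.
make_sample() {
  printf ' #include /usr/local/nginx/conf/cloudflare.conf;\n' > "$1"
  printf '  #include /usr/local/nginx/conf/cloudflare.conf;\n' >> "$1"
  printf '\t# include /usr/local/nginx/conf/cloudflare.conf;\n' >> "$1"
  printf ' include /usr/local/nginx/conf/staticfiles.conf;\n' >> "$1"
}

# Demo run inside a temp dir.
demo_dir=$(mktemp -d)
demo="$demo_dir/domain.com.ssl.conf"
make_sample "$demo"
echo "one-space anchor matches before edit: $(count_one_space_matches "$demo" /usr/local/nginx/conf/cloudflare.conf)"
uncomment_include "$demo" /usr/local/nginx/conf/cloudflare.conf
echo "active cloudflare includes after edit: $(count_active_includes "$demo" /usr/local/nginx/conf/cloudflare.conf)"
cat "$demo"
rm -rf "$demo_dir"
```

Run against the sample, the original anchor matches only the one-space line, while `uncomment_include` activates all three cloudflare.conf lines and leaves the staticfiles.conf include alone. After any such edit on a real vhost, `nginx -t` before reloading is the check that catches a malformed result.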