Want more timely Centmin Mod News Updates?
Become a Member

Letsencrypt Welcome to acmetool.sh - new letsencrypt addon for Centmin Mod LEMP stacks

Discussion in 'Domains, DNS, Email & SSL Certificates' started by eva2000, May 28, 2016.

Thread Status:
Not open for further replies.
  1. eva2000

    eva2000 Administrator Staff Member

    53,554
    12,135
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,678
    Local Time:
    1:29 PM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    Centmin Mod's Letsencrypt free SSL certificate integration is getting a whole new rewritten addon script for Centmin Mod 123.09beta01 branch and higher. The new addon script is called acmetool.sh and is a scripted shell based wrapper script which now solely uses the much lighter weight 3rd party shell bash script based acme.sh client written by Neil Pang.

    Centmin Mod Letsencrypt Integration Background



    cmm-letsencrypt-00-tnn.png

    I started Letsencrypt integration work in a totally separate Centmin Mod 123.09beta01le* based branch with integration of the official Letsencrypt python based client via webroot authentication method as outlined here. The python client's install dependencies were many and consumed alot of memory so that VPS systems with less than 512-768MB of memory available (not installed), would have issues installing the official Letsencrypt python based client. So I started looking at the list of 3rd party Letsencrypt clients and evaluated a few and finally settled on a pure bash shell based client called simply le.sh written by Neil Pang and had started working on integrating both official Letsencrypt client and le.sh into Centmin Mod's nginx vhost site generation routines for centmin.sh menu option 2, 22 and /usr/bin/nv command line nginx vhost generator.

    Renamed Clients


    Recently though both official Letsencrypt client and le.sh clients were renamed to Certbot (https://certbot.eff.org) & acme.sh respectively and further code changes made my current Letsencrypt integration outdated and broken !

    Switching to acme.sh client



    So I made the decision to dump all my existing official Letsencrypt client + acme.sh integration code from the separate Centmin Mod 123.09beta01le* based branches and do a total rewrite from scratch of a new Centmin Mod addon called acmetool.sh which is able to do the following:
    1. install the acme.sh client
    2. update the acme.sh client
    3. issue & install either live or staging test letsencrypt ssl certificates to an existing Centmin Mod Nginx created site vhost account via acme.sh webroot authentication method by pointing acme.sh to the site's public web root at /home/nginx/domains/domain.com/public where domain.com is the site domain.
    4. reissue either live or staging test letsencrypt ssl certificates where a new pair of private key and csr files are used to reissue the ssl certificate
    5. renew either live or staging test letsencrypt ssl certificates where it uses the existing pair of private key and csr files to renew the ssl certificate
    6. for issue, reissue and renew options if the domain name's nginx vhost web root doesn't not exist, will auto trigger the /usr/bin/nv command line method of nginx vhost generation and setup the domain's nginx vhost structure and http and https nginx vhost config files as outlined here.
    7. if the domain name's nginx vhost web root already exists, but there is no HTTP/2 SSL created vhost config file at /usr/local/nginx/conf/conf.d/domain.com.ssl.conf where domain.com is domain name, then only create that vhost config file at /usr/local/nginx/conf/conf.d/domain.com.ssl.conf and apply the Letsencrypt SSL certificate to it. If /usr/local/nginx/conf/conf.d/domain.com.ssl.conf doesn't exist but ssl_certificate option is detected in non-HTTPS vhost /usr/local/nginx/conf/conf.d/domain.com.conf, then create /usr/local/nginx/conf/conf.d/domain.com.ssl.conf but rename it /usr/local/nginx/conf/conf.d/domain.com.ssl.conf-disabled and apply the Letsencrypt SSL certificate to the renamed and disabled nginx vhost - this will then require end user to manually make adjustments to their /usr/local/nginx/conf/conf.d/domain.com.conf using the Letsencrypt SSL certificate paths set in the renamed vhost config file at /usr/local/nginx/conf/conf.d/domain.com.ssl.conf-disabled
    8. top level domain detection when you pass your domain name on command line. So if a top level domain is detected, acmetool.sh will also append the www version of your domain to the acme.sh commands to ensure the Letsencrypt ssl certificate covers both domain.com and the www version. If a subdomain.domain.com is detected, then it will skip appending www version.
    9. auto backup acme.sh config files related to each domain with issued SSL certs
    10. planned features include Amazon AWS S3 support for pushing a copy of the obtained Letsencrypt ssl certificate files to an AWS S3 bucket. This would be useful if you have a load balanced cluster of servers servicing the domain you want to use the ssl certificate for. Then you can script & setup s3cmd tool on each server within the cluster to pull from the AWS S3 bucket a copy of the ssl certificate files for your web server's domain usage. AWS S3 and s3cmd are convenient as they're already used as part of my dbbackup.sh script. I haven't coded this part yet of acmetool.sh though :)

    Prerequisites



    For acmetool.sh and the underlying acme.sh client to work and obtain valid web browser trusted domain validated SSL certificates, you need to before hand update your intended domain(s)' and subdomain(s)' DNS and point them their DNS A record IP addresses to the server IP address on which you are running acmetool.sh from. The acme.sh letsencrypt client needs to validate your domain and ensure it's DNS A record points to the server IP address that you're running acmetool.sh from and that is usually the same IP address as where you intend to install and setup your intended domain(s)' and subdomain(s)' on.

    Example acmetool.sh usage



    Current command options available for acmetool.sh are listed further below. For issue, reissue and renew commands, if you do not tag on the end the live flag, then you will be using staging test Letsencrypt ssl certificates which like self-signed ssl certificates are not web browser trusted. These are for testing only so not to run into the public live ssl certificate's rate limits which is linked to in official Certbot FAQ to this post on their support forums.

    Command options available to acmetool.sh addon for Centmin Mod LEMP stacks
    Code (Text):
    ./acmetool.sh
    
    ./acmetool.sh {acmeinstall|acmeupdate|acmesetup|issue|reissue|renew|s3issue|s3reissue|s3renew}
    
    Usage Commands:
    ./acmetool.sh acmeinstall
    ./acmetool.sh acmeupdate
    ./acmetool.sh acmesetup
    ./acmetool.sh issue domainname
    ./acmetool.sh issue domainname live
    ./acmetool.sh reissue domainname
    ./acmetool.sh reissue domainname live
    ./acmetool.sh renew domainname
    ./acmetool.sh renew domainname live
    ./acmetool.sh s3issue domainname
    ./acmetool.sh s3issue domainname live
    ./acmetool.sh s3reissue domainname
    ./acmetool.sh s3reissue domainname live
    ./acmetool.sh s3renew domainname
    ./acmetool.sh s3renew domainname live
    


    Example of acmetool.sh reissuing Letsencrypt ssl certificate (RSA 2048bit based) for domain.com
    Code (Text):
    ./acmetool.sh reissue domain.com
    
    reissue & install letsencrypt ssl certificate for domain.com
    /root/.acme.sh/acme.sh --force --createDomainKey -d domain.com -k 2048 --useragent centminmod-centos6-acmesh-webroot
    [Fri May 27 21:23:16 UTC 2016] Creating domain key
    [Fri May 27 21:23:16 UTC 2016] Use length 2048
    /root/.acme.sh/acme.sh --force --staging --issue -d domain.com -w /home/nginx/domains/domain.com/public -k 2048 --useragent centminmod-centos6-acmesh-webroot
    [Fri May 27 21:23:16 UTC 2016] Using stage api:https://acme-staging.api.letsencrypt.org
    [Fri May 27 21:23:17 UTC 2016] Skip register account key
    [Fri May 27 21:23:17 UTC 2016] Creating csr
    [Fri May 27 21:23:17 UTC 2016] Single domain='domain.com'
    [Fri May 27 21:23:17 UTC 2016] Verify each domain
    [Fri May 27 21:23:17 UTC 2016] Getting webroot for domain='domain.com'
    [Fri May 27 21:23:17 UTC 2016] Getting token for domain='domain.com'
    [Fri May 27 21:23:18 UTC 2016] Verifying:domain.com
    [Fri May 27 21:23:24 UTC 2016] Success
    [Fri May 27 21:23:24 UTC 2016] Verify finished, start to sign.
    [Fri May 27 21:23:25 UTC 2016] Cert success.
    -----BEGIN CERTIFICATE-----
    MIIE6zCCA9OgAwIBAgITAPqOo7MjfHcQjckQxDIREH0aHTANBgkqhkiG9w0BAQsF
    ADAiMSAwHgYDVQQDDBdGYWtlIExFIEludGVybWVkaWF0ZSBYMTAeFw0xNjA1Mjcy
    MDIzMDBaFw0xNjA4MjUyMDIzMDBaMB4xHDAaBgNVBAMTE2FjbWUuY2VudG1pbm1v
    ZC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDZRLa6j+CJT2a0
    tkwXQ8ombnD8SCqI3aQqV+02sw7IwwVVfo9Nc123k3zxyZAY60wDd2//u8AeWGo+
    PoOh/Bh5bf4gmnuuhI8+d/tMSiEOC+MJ7AQOVNh8PSFai6NEgUBC6iKmWXXiOclr
    a82MOrqIDLLFJ5fyiJAYSI00QvNymgVce1wCRkY4BO71hPRzw2GRXezvDDohnLNz
    OWqjXN3j1XQMdKDsDuTLXEwesw3A1xqYwPK4x9eKzEVm7qMiOoLWPgLwg54D+RiU
    27KWYh8T3O3PBgRTO0VIq1RZ3ZymXa0PrGknSXofIdXVqmVOLsJYhxn6Bq7o/wta
    N03MWsLHAgMBAAGjggIcMIICGDAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYI
    KwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFFKzx7qs
    9LYPyyHue4PSELQGg4roMB8GA1UdIwQYMBaAFMDMA0a5WCDMXHJw8+EuyyCm9Wg6
    MHgGCCsGAQUFBwEBBGwwajAzBggrBgEFBQcwAYYnaHR0cDovL29jc3Auc3RnLWlu
    dC14MS5sZXRzZW5jcnlwdC5vcmcvMDMGCCsGAQUFBzAChidodHRwOi8vY2VydC5z
    dGctaW50LXgxLmxldHNlbmNyeXB0Lm9yZy8wHgYDVR0RBBcwFYITYWNtZS5jZW50
    bWlubW9kLmNvbTCB/gYDVR0gBIH2MIHzMAgGBmeBDAECATCB5gYLKwYBBAGC3xMB
    AQEwgdYwJgYIKwYBBQUHAgEWGmh0dHA6Ly9jcHMubGV0c2VuY3J5cHQub3JnMIGr
    BggrBgEFBQcCAjCBngyBm1RoaXMgQ2VydGlmaWNhdGUgbWF5IG9ubHkgYmUgcmVs
    aWVkIHVwb24gYnkgUmVseWluZyBQYXJ0aWVzIGFuZCBvbmx5IGluIGFjY29yZGFu
    Y2Ugd2l0aCB0aGUgQ2VydGlmaWNhdGUgUG9saWN5IGZvdW5kIGF0IGh0dHBzOi8v
    bGV0c2VuY3J5cHQub3JnL3JlcG9zaXRvcnkvMA0GCSqGSIb3DQEBCwUAA4IBAQBn
    uj7iCNYITX4mXtcNEw723+23bDCljEp1RF3HoRH1ENCZBOBQv/YuqGQhPbk+hSTm
    +Akst+Go5JSvUlGx7FiJyGCI/s3f5h/JA5DnfhVwmCoFrigcP06zTxcm3odqsJss
    gLGWglmhpr+83TCzLUcMVsrBjnDxzuXGHjFniNbsq7yOiT4tQjiwq+oLYyg3RA3b
    7tZ8iQFfGPf7nYsg2pLmsdaAaRy3rCbJD1RL3zV2kReCfKOEtR0z/I4ukbimwrIw
    32H2FsMFmX+L4ZySfe7l3GWFnCwbMhWnMR7ABbbBvr7ojk2x8ZSWcfM8H9snXkYr
    UjPtFk2obBjz8a4EY71D
    -----END CERTIFICATE-----
    [Fri May 27 21:23:25 UTC 2016] Your cert is in /root/.acme.sh/domain.com/domain.com.cer
    [Fri May 27 21:23:25 UTC 2016] The intermediate CA cert is in /root/.acme.sh/domain.com/ca.cer
    [Fri May 27 21:23:25 UTC 2016] And the full chain certs is there: /root/.acme.sh/domain.com/fullchain.cer
      ssl_certificate      /usr/local/nginx/conf/ssl/domain.com/domain.com-acme.cer;
      ssl_certificate_key  /usr/local/nginx/conf/ssl/domain.com/domain.com-acme.key;
      #ssl_trusted_certificate /usr/local/nginx/conf/ssl/domain.com/domain.com-acme.cer;
    
    install cert
    /root/.acme.sh/acme.sh --installcert -d domain.com --certpath /usr/local/nginx/conf/ssl/domain.com/domain.com-acme.cer --keypath /usr/local/nginx/conf/ssl/domain.com/domain.com-acme.key --capath /usr/local/nginx/conf/ssl/domain.com/domain.com-acme.cer --reloadCmd /usr/bin/ngxreload --fullchainpath /usr/local/nginx/conf/ssl/domain.com/domain.com-fullchain-acme.key
    [Fri May 27 21:23:25 UTC 2016] Installing cert to:/usr/local/nginx/conf/ssl/domain.com/domain.com-acme.cer
    [Fri May 27 21:23:25 UTC 2016] Installing CA to:/usr/local/nginx/conf/ssl/domain.com/domain.com-acme.cer
    [Fri May 27 21:23:25 UTC 2016] Installing key to:/usr/local/nginx/conf/ssl/domain.com/domain.com-acme.key
    [Fri May 27 21:23:25 UTC 2016] Installing full chain to:/usr/local/nginx/conf/ssl/domain.com/domain.com-fullchain-acme.key
    [Fri May 27 21:23:25 UTC 2016] Run Le_ReloadCmd: /usr/bin/ngxreload
    nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
    nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
    Reloading nginx:                                           [  OK  ]
    [Fri May 27 21:23:25 UTC 2016] Reload success.
    
    letsencrypt ssl certificate setup completed
    ssl certs located at: /usr/local/nginx/conf/ssl/domain.com
    
    openssl x509 -noout -text < /usr/local/nginx/conf/ssl/domain.com/domain.com-acme.cer
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number:
                fa:8e:a3:b3:23:7c:77:10:8d:c9:10:c4:32:11:10:7d:1a:1d
        Signature Algorithm: sha256WithRSAEncryption
            Issuer: CN=Fake LE Intermediate X1
            Validity
                Not Before: May 27 20:23:00 2016 GMT
                Not After : Aug 25 20:23:00 2016 GMT
            Subject: CN=domain.com
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (2048 bit)
                    Modulus:
                        00:d9:44:b6:ba:8f:e0:89:4f:66:b4:b6:4c:17:43:
                        ca:26:6e:70:fc:48:2a:88:dd:a4:2a:57:ed:36:b3:
                        0e:c8:c3:05:55:7e:8f:4d:73:5d:b7:93:7c:f1:c9:
                        90:18:eb:4c:03:77:6f:ff:bb:c0:1e:58:6a:3e:3e:
                        83:a1:fc:18:79:6d:fe:20:9a:7b:ae:84:8f:3e:77:
                        fb:4c:4a:21:0e:0b:e3:09:ec:04:0e:54:d8:7c:3d:
                        21:5a:8b:a3:44:81:40:42:ea:22:a6:59:75:e2:39:
                        c9:6b:6b:cd:8c:3a:ba:88:0c:b2:c5:27:97:f2:88:
                        90:18:48:8d:34:42:f3:72:9a:05:5c:7b:5c:02:46:
                        46:38:04:ee:f5:84:f4:73:c3:61:91:5d:ec:ef:0c:
                        3a:21:9c:b3:73:39:6a:a3:5c:dd:e3:d5:74:0c:74:
                        a0:ec:0e:e4:cb:5c:4c:1e:b3:0d:c0:d7:1a:98:c0:
                        f2:b8:c7:d7:8a:cc:45:66:ee:a3:22:3a:82:d6:3e:
                        02:f0:83:9e:03:f9:18:94:db:b2:96:62:1f:13:dc:
                        ed:cf:06:04:53:3b:45:48:ab:54:59:dd:9c:a6:5d:
                        ad:0f:ac:69:27:49:7a:1f:21:d5:d5:aa:65:4e:2e:
                        c2:58:87:19:fa:06:ae:e8:ff:0b:5a:37:4d:cc:5a:
                        c2:c7
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Key Usage: critical
                    Digital Signature, Key Encipherment
                X509v3 Extended Key Usage:
                    TLS Web Server Authentication, TLS Web Client Authentication
                X509v3 Basic Constraints: critical
                    CA:FALSE
                X509v3 Subject Key Identifier:
                    52:B3:C7:BA:AC:F4:B6:0F:CB:21:EE:7B:83:D2:10:B4:06:83:8A:E8
                X509v3 Authority Key Identifier:
                    keyid:C0:CC:03:46:B9:58:20:CC:5C:72:70:F3:E1:2E:CB:20:A6:F5:68:3A
    
                Authority Information Access:
                    OCSP - URI:http://ocsp.stg-int-x1.letsencrypt.org/
                    CA Issuers - URI:http://cert.stg-int-x1.letsencrypt.org/
    
                X509v3 Subject Alternative Name:
                    DNS:domain.com
                X509v3 Certificate Policies:
                    Policy: 2.23.140.1.2.1
                    Policy: 1.3.6.1.4.1.44947.1.1.1
                      CPS: http://cps.letsencrypt.org
                      User Notice:
                        Explicit Text: This Certificate may only be relied upon by Relying Parties and only in accordance with the Certificate Policy found at https://letsencrypt.org/repository/
    
        Signature Algorithm: sha256WithRSAEncryption
             67:ba:3e:e2:08:d6:08:4d:7e:26:5e:d7:0d:13:0e:f6:df:ed:
             b7:6c:30:a5:8c:4a:75:44:5d:c7:a1:11:f5:10:d0:99:04:e0:
             50:bf:f6:2e:a8:64:21:3d:b9:3e:85:24:e6:f8:09:2c:b7:e1:
             a8:e4:94:af:52:51:b1:ec:58:89:c8:60:88:fd:12:b8:bc:0f:
             c9:03:90:e7:7e:15:70:98:2a:05:ae:28:1c:3f:4e:b3:4f:17:
             26:de:87:6a:b0:9b:2c:80:b1:96:82:59:a1:a6:bf:bc:dd:30:
             b3:2d:47:0c:56:ca:c1:8e:70:f1:ce:e5:c6:1e:31:67:88:d6:
             ec:ab:bc:8e:89:3e:2d:42:38:b0:ab:ea:0b:63:28:37:44:0d:
             db:ee:d6:7c:89:01:5f:18:f7:fb:9d:8b:20:da:92:e6:b1:d6:
             80:69:1c:b7:ac:26:c9:0f:54:4b:df:35:76:91:17:82:7c:a3:
             84:b5:1d:33:fc:8e:2e:91:b8:a6:c2:b2:30:df:61:f6:16:c3:
             05:99:7f:8b:e1:9c:92:7d:ee:e5:dc:65:85:9c:2c:1b:32:15:
             a7:31:1e:c0:05:b6:c1:be:be:e8:8e:4d:b1:f1:94:96:71:f3:
             3c:1f:db:27:5e:46:2b:52:33:ed:16:4d:a8:6c:18:f3:f1:ae:
             04:63:bd:43
    

    All acmetool.sh options' outputs are logged to timestamped log files
    Code (Text):
    ls -lAhrt /root/centminlogs/ | grep acmesh
    -rw-r--r-- 1 root root  706 May 27 20:28 acmesh-install_270516-202854.log
    -rw-r--r-- 1 root root  802 May 27 20:30 acmesh-install_270516-203006.log
    -rw-r--r-- 1 root root 4.0K May 27 20:30 acmesh-install_270516-203050.log
    -rw-r--r-- 1 root root 4.0K May 27 20:32 acmesh-install_270516-203218.log
    -rw-r--r-- 1 root root 4.0K May 27 20:34 acmesh-install_270516-203421.log
    -rw-r--r-- 1 root root 3.9K May 27 20:34 acmesh-update_270516-203444.log
    -rw-r--r-- 1 root root 4.0K May 27 20:35 acmesh-update_270516-203530.log
    -rw-r--r-- 1 root root  16K May 27 20:38 acmesh-issue_270516-203733.log
    -rw-r--r-- 1 root root  45K May 27 20:46 acmesh-issue_270516-204201.log
    -rw-r--r-- 1 root root  24K May 27 21:23 acmesh-reissue_270516-212131.log
    -rw-r--r-- 1 root root 8.8K May 27 21:23 acmesh-reissue_270516-212316.log
    

    Live Letsencrypt SSL certificate reissue
    Code (Text):
    ./acmetool.sh reissue domain.com live
    

    Gives the following ssllabs results = A (HSTS disabled so not A+)
    acme-ssllabs-280516-00.png
    acme-ssllabs-280516-01.png
    acme-ssllabs-280516-02.png

    Total Automated Install



    With acmetool.sh command line addon in place, it means you can use just 2 commands to setup a freshly installed virgin CentOS 6 or 7 system and auto install Centmin Mod LEMP stack with nginx 1.11 branch, PHP 5.6 defaults, MariaDB 10.1 branch and configured CSF Firewall + setup a new Nginx vhost with HTTP/2 SSL via Letsencrypt SSL certificate(s) ! :cool::D

    Can't get any easier :D
    Code (Text):
    curl -O https://centminmod.com/betainstaller.sh && chmod 0700 betainstaller.sh && bash betainstaller.sh
    /path/to/acmetool.sh issue domainname live
    

    have more than one domain you need setting up ? like domain2name, domain3name - then a few more lines :D
    Code (Text):
    curl -O https://centminmod.com/betainstaller.sh && chmod 0700 betainstaller.sh && bash betainstaller.sh
    /path/to/acmetool.sh issue domainname live
    /path/to/acmetool.sh issue domain2name live
    /path/to/acmetool.sh issue domain3name live
    
     
    Last edited: Sep 3, 2016
  2. eva2000

    eva2000 Administrator Staff Member

    53,554
    12,135
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,678
    Local Time:
    1:29 PM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
  3. eva2000

    eva2000 Administrator Staff Member

    53,554
    12,135
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,678
    Local Time:
    1:29 PM
    Nginx 1.27.x
    MariaDB 10.x/11.4+

    SAN SSL Certificate Support



    The acmetool.sh has SAN SSL certificate support so you can tag up to 100 subdomains, domains onto 1 SSL certificate. However, for site and SSL performance reasons you should keep the number of domains to minimum. Also in context of Centmin Mod Nginx vhost integration of acmetool.sh, SAN SSL certificates has limited usefulness as acme.sh uses webroot authentication. Meaning all domains listed in the SAN SSL certificate need to resolve to the same webroot in the current version of acmetool.sh i.e. /home/nginx/domains/domain.com/public would need to be the public webroot for all the listed SAN SSL certificate domains which would be useless if you intend to start a separate site for the additional domains. Some useful usage cases would be if you intend setup cdn or alias/parked domains on same main primary domain over HTTPS SSL as well.

    Example of reissuing for acme.domain.com and acme1.domain.com subdomains passing additional domains as command separated list (make sure no spaces between commas):
    Code (Text):
    ./acmetool.sh reissue acme.domain.com,acme1.domain.com
    


    Pay attention to this part of the output
    Code (Text):
                X509v3 Subject Alternative Name:
                    DNS:acme.domain.com, DNS:acme1.domain.com
    

    Full output
    Code (Text):
    ./acmetool.sh reissue acme.domain.com,acme1.domain.com                                                                                                                                    
    acme.domain.com,acme1.domain.com
    nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
    nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
    Reloading nginx:                                           [  OK  ]
    
    reissue & install letsencrypt ssl certificate for acme.domain.com
    /root/.acme.sh/acme.sh --force --createDomainKey -d acme.domain.com -d acme1.domain.com -k 2048 --useragent centminmod-centos6-acmesh-webroot
    [Sat May 28 10:35:55 UTC 2016] Creating domain key
    [Sat May 28 10:35:55 UTC 2016] Use length 2048
    /root/.acme.sh/acme.sh --force --staging --issue -d acme.domain.com -d acme1.domain.com -w /home/nginx/domains/acme.domain.com/public -k 2048 --useragent centminmod-centos6-acmesh-webroot
    [Sat May 28 10:35:55 UTC 2016] Using stage api:https://acme-staging.api.letsencrypt.org
    [Sat May 28 10:35:55 UTC 2016] Skip register account key
    [Sat May 28 10:35:55 UTC 2016] Creating csr
    [Sat May 28 10:35:55 UTC 2016] Multi domain='DNS:acme1.domain.com'
    [Sat May 28 10:35:55 UTC 2016] Verify each domain
    [Sat May 28 10:35:55 UTC 2016] Getting webroot for domain='acme.domain.com'
    [Sat May 28 10:35:55 UTC 2016] Getting token for domain='acme.domain.com'
    [Sat May 28 10:35:57 UTC 2016] Getting webroot for domain='acme1.domain.com'
    [Sat May 28 10:35:57 UTC 2016] Getting token for domain='acme1.domain.com'
    [Sat May 28 10:35:57 UTC 2016] Verifying:acme.domain.com
    [Sat May 28 10:36:04 UTC 2016] Success
    [Sat May 28 10:36:04 UTC 2016] Verifying:acme1.domain.com
    [Sat May 28 10:36:10 UTC 2016] Success
    [Sat May 28 10:36:10 UTC 2016] Verify finished, start to sign.
    [Sat May 28 10:36:11 UTC 2016] Cert success.
    -----BEGIN CERTIFICATE-----
    MIIFATCCA+mgAwIBAgITAPqvXVmhiQQEMxAVgi1FURw3rDANBgkqhkiG9w0BAQsF
    ADAiMSAwHgYDVQQDDBdGYWtlIExFIEludGVybWVkaWF0ZSBYMTAeFw0xNjA1Mjgw
    OTM2MDBaFw0xNjA4MjYwOTM2MDBaMB4xHDAaBgNVBAMTE2FjbWUuY2VudG1pbm1v
    ZC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC7rYVje73k5uHq
    dGUmpZao8i6dUccqFhrtmMpsqJyTH7ZTsrKEwq8opFZTRe0oEP8tz5nC2WYNiBYG
    kDc5MJRughxOb75vmYakBS+H8R6H3nGGFijpgonjPBG37K3l9+wRlOQv4tyOpjSr
    WSUhukPhyrTEfnmpX9ykgpMwRl5VVHQEwpios6054uJ5rZYt2f8bMMBxmuKaWWgJ
    eFpqw9AGg0dz+x8he2oxTcLLU5ilnyJyvfzQQMSoAuP8pBmmNrCGWmdlmnrLCAeq
    QHj5zu49dCKAexUH1BC7B1ATmXrOdwJefiCBOToa4nrgnfrGZiIiziXdwgDeH6ZC
    ppIYElWdAgMBAAGjggIyMIICLjAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYI
    KwYBBQUHAwEGCCsGAQUFBwxxxa2GA1UdEwEB/wQCMAAwHQYDVR0OBBYEFBOPkflf
    lg8BP76dUA8aZDDaQnyCMB8GA1UdIwQYMBaAFMDMA0a5WCDMXHJw8+EuyyCm9Wg6
    MHgGCCsGAQUFBwEBBGwwajAzBggrBgEFBQcwAYYnaHR0cDovL29jc3Auc3RnLWlu
    dC14MS5sZXRzZW5jcnlwdC5vcmcvMDMGCCsGAQUFBzAChidodHRwOi8vY2VydC5z
    dGctaW50LXgxLmxldHNlbmNyeXB0Lm9yZy8wNAYDVR0RBC0wK4ITYWNtZS5jZW50
    bWlubW9kLmNvbYIUYWNtZTEuY2VudG1pbm1vZC5jb20wgf4GA1UdIASB9jCB8zAI
    BgZngQwBAgEwgeYGCysGAQQBgt8TAQEBMIHWMCYGCCsGAQUFBwIBFhpodHRwOi8v
    Y3BzLmxldHNlbmNyeXB0Lm9yZzCBqwYIKwYBBQUHAgIwgZ4MgZtUaGlzIENlcnRp
    ZmljYXRlIG1heSBvbmx5IGJlIHJlbGllZCB1cG9uIGJ5IFJlbHlpbmcgUGFydGll
    cyBhbmQgb25seSBpbiBhY2NvcmRhbmNlIHdpdGggdGhlIENlcnRpZmljYXRlIFBv
    bGljeSBmb3VuZCBhdCBodHRwczovL2xldHNlbmNyeXB0Lm9yZy9yZXBvc2l0b3J5
    LzANBgkqhkiG9w0BAQsFAAOCAQEAnLtSXVbuSjR9CZIlTXLvzJIKt5N6P5yoRhVz
    6fqxUesWi/+s85ObllLQQ9i6tbaQrmLgS+hhGXYFG2fTnAXKLLngeNZee5TxV12S
    Hql3auXcVzC1m5nxU6ZQyXIiV052aZcTeYhhcHmL5BrtQx/yD4Rf43ioCtGN2VGn
    LjaYO4XNJafSfZmME7wwHZHor/FKCzFkvXAgbR9HuPWLQgXCyPt2UFrio+S1WkTO
    hikrv8QjeJXqK+mftsvsITAJ4vztBdQAbrEV+++FkJix/kveK7dlZ+mTa/PNDQcr
    xjQ9d1+1ubcfWqsWl3Wy6v6Ze3AJdmEsaQckjt+em89g0GvS8w==
    -----END CERTIFICATE-----
    [Sat May 28 10:36:11 UTC 2016] Your cert is in /root/.acme.sh/acme.domain.com/acme.domain.com.cer
    [Sat May 28 10:36:11 UTC 2016] The intermediate CA cert is in /root/.acme.sh/acme.domain.com/ca.cer
    [Sat May 28 10:36:11 UTC 2016] And the full chain certs is there: /root/.acme.sh/acme.domain.com/fullchain.cer
      ssl_certificate      /usr/local/nginx/conf/ssl/acme.domain.com/acme.domain.com-acme.cer;
      ssl_certificate_key  /usr/local/nginx/conf/ssl/acme.domain.com/acme.domain.com-acme.key;
      #ssl_trusted_certificate /usr/local/nginx/conf/ssl/acme.domain.com/acme.domain.com-acme.cer;
    
    install cert
    /root/.acme.sh/acme.sh --installcert -d acme.domain.com -d acme1.domain.com --certpath /usr/local/nginx/conf/ssl/acme.domain.com/acme.domain.com-acme.cer --keypath /usr/local/nginx/conf/ssl/acme.domain.com/acme.domain.com-acme.key --capath /usr/local/nginx/conf/ssl/acme.domain.com/acme.domain.com-acme.cer --reloadCmd /usr/bin/ngxreload --fullchainpath /usr/local/nginx/conf/ssl/acme.domain.com/acme.domain.com-fullchain-acme.key
    [Sat May 28 10:36:11 UTC 2016] Installing cert to:/usr/local/nginx/conf/ssl/acme.domain.com/acme.domain.com-acme.cer
    [Sat May 28 10:36:11 UTC 2016] Installing CA to:/usr/local/nginx/conf/ssl/acme.domain.com/acme.domain.com-acme.cer
    [Sat May 28 10:36:11 UTC 2016] Installing key to:/usr/local/nginx/conf/ssl/acme.domain.com/acme.domain.com-acme.key
    [Sat May 28 10:36:11 UTC 2016] Installing full chain to:/usr/local/nginx/conf/ssl/acme.domain.com/acme.domain.com-fullchain-acme.key
    [Sat May 28 10:36:11 UTC 2016] Run Le_ReloadCmd: /usr/bin/ngxreload
    nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
    nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
    Reloading nginx:                                           [  OK  ]
    [Sat May 28 10:36:11 UTC 2016] Reload success.
    
    letsencrypt ssl certificate setup completed
    ssl certs located at: /usr/local/nginx/conf/ssl/acme.domain.com
    
    openssl x509 -noout -text < /usr/local/nginx/conf/ssl/acme.domain.com/acme.domain.com-acme.cer
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number:
                fa:af:5d:59:a1:89:04:04:33:10:15:82:2d:45:51:1c:37:ac
        Signature Algorithm: sha256WithRSAEncryption
            Issuer: CN=Fake LE Intermediate X1
            Validity
                Not Before: May 28 09:36:00 2016 GMT
                Not After : Aug 26 09:36:00 2016 GMT
            Subject: CN=acme.domain.com
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (2048 bit)
                    Modulus:
                        00:bb:ad:85:63:7b:bd:e4:e6:e1:ea:74:65:26:a5:
                        96:a8:f2:2e:9d:51:c7:2a:16:1a:ed:98:ca:6c:a8:
                        9c:93:1f:b6:53:b2:b2:84:c2:af:28:a4:56:53:45:
                        ed:28:10:ff:2d:cf:99:c2:d9:66:0d:88:16:06:90:
                        37:39:30:94:6e:82:1c:4e:6f:be:6f:99:86:a4:05:
                        2f:87:f1:1e:87:de:71:86:16:28:e9:82:89:e3:3c:
                        11:b7:ec:ad:e5:f7:ec:11:94:e4:2f:e2:dc:8e:a6:
                        34:ab:59:25:21:ba:43:e1:ca:b4:c4:7e:79:a9:5f:
                        dc:a4:82:93:30:46:5e:55:54:74:04:c2:98:a8:b3:
                        ad:39:e2:e2:79:ad:96:2d:d9:ff:1b:30:c0:71:9a:
                        e2:9a:59:68:09:78:5a:6a:c3:d0:06:83:47:73:fb:
                        1f:21:7b:6a:31:4d:c2:cb:53:98:a5:9f:22:72:bd:
                        fc:d0:40:c4:a8:02:e3:fc:a4:19:a6:36:b0:86:5a:
                        67:65:9a:7a:cb:08:07:aa:40:78:f9:ce:ee:3d:74:
                        22:80:7b:15:07:d4:10:bb:07:50:13:99:7a:ce:77:
                        02:5e:7e:20:81:39:3a:1a:e2:7a:e0:9d:fa:c6:66:
                        22:22:ce:25:dd:c2:00:de:1f:a6:42:a6:92:18:12:
                        55:9d
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Key Usage: critical
                    Digital Signature, Key Encipherment
                X509v3 Extended Key Usage:
                    TLS Web Server Authentication, TLS Web Client Authentication
                X509v3 Basic Constraints: critical
                    CA:FALSE
                X509v3 Subject Key Identifier:
                    13:8F:91:F9:5F:96:0F:01:3F:BE:9D:50:0F:1A:64:30:DA:42:7C:82
                X509v3 Authority Key Identifier:
                    keyid:C0:CC:03:46:B9:58:20:CC:5C:72:70:F3:E1:2E:CB:20:A6:F5:68:3A
    
                Authority Information Access:
                    OCSP - URI:http://ocsp.stg-int-x1.letsencrypt.org/
                    CA Issuers - URI:http://cert.stg-int-x1.letsencrypt.org/
    
                X509v3 Subject Alternative Name:
                    DNS:acme.domain.com, DNS:acme1.domain.com
                X509v3 Certificate Policies:
                    Policy: 2.23.140.1.2.1
                    Policy: 1.3.6.1.4.1.44947.1.1.1
                      CPS: http://cps.letsencrypt.org
                      User Notice:
                        Explicit Text: This Certificate may only be relied upon by Relying Parties and only in accordance with the Certificate Policy found at https://letsencrypt.org/repository/
    
        Signature Algorithm: sha256WithRSAEncryption
             9c:bb:52:5d:56:ee:4a:34:7d:09:92:25:4d:72:ef:cc:92:0a:
             b7:93:7a:3f:9c:a8:46:15:73:e9:fa:b1:51:eb:16:8b:ff:ac:
             f3:93:9b:96:52:d0:43:d8:ba:b5:b6:90:ae:62:e0:4b:e8:61:
             19:76:05:1b:67:d3:9c:05:ca:2c:b9:e0:78:d6:5e:7b:94:f1:
             57:5d:92:1e:a9:77:6a:e5:dc:57:30:b5:9b:99:f1:53:a6:50:
             c9:72:22:57:4e:76:69:97:13:79:88:61:70:79:8b:e4:1a:ed:
             43:1f:f2:0f:84:5f:e3:78:a8:0a:d1:8d:d9:51:a7:2e:36:98:
             3b:85:cd:25:a7:d2:7d:99:8c:13:bc:30:1d:91:e8:af:f1:4a:
             0b:31:64:bd:70:20:6d:1f:47:b8:f5:8b:42:05:c2:c8:fb:76:
             50:5a:e2:a3:e4:b5:5a:44:ce:86:29:2b:bf:c4:23:78:95:ea:
             2b:e9:9f:b6:cb:ec:21:30:09:e2:fc:ed:05:d4:00:6e:b1:15:
             fb:ef:85:90:98:b1:fe:4b:de:2b:b7:65:67:e9:93:6b:f3:cd:
             0d:07:2b:c6:34:3d:77:5f:b5:b9:b7:1f:5a:ab:16:97:75:b2:
             ea:fe:99:7b:70:09:76:61:2c:69:07:24:8e:df:9e:9b:cf:60:
             d0:6b:d2:f3
    

    The nginx vhost's server_name is automatically adjusted for all the SAN SSL certificate listed domains.
    Code (Text):
    cat /usr/local/nginx/conf/conf.d/acme.domain.com.ssl.conf | grep server_name
    
      server_name acme.domain.com acme1.domain.com www.acme.domain.com;
    
     
    Last edited: May 28, 2016
  4. eva2000

    eva2000 Administrator Staff Member

    53,554
    12,135
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,678
    Local Time:
    1:29 PM
    Nginx 1.27.x
    MariaDB 10.x/11.4+

    acmetool.sh updates



    acmetool.sh updated to auto update via git the acme.sh client everytime you issue, reissue and renew the Letsencrypt SSL certificates via acmetool.sh. This is to ensure you're running the latest acme.sh client code before hand.

    Example again for reissue of acme.domain.com without live option flag so staging test SSL certificate only.
    Code (Text):
    /usr/local/src/centminmod/addons/acmetool.sh reissue acme.domain.com
    
    -----------------------------------------------------
    updating acme.sh client...
    -----------------------------------------------------
    [Sat Jun  4 14:01:32 UTC 2016] Installing to /root/.acme.sh
    [Sat Jun  4 14:01:32 UTC 2016] Installed to /root/.acme.sh/acme.sh
    [Sat Jun  4 14:01:32 UTC 2016] OK, Close and reopen your terminal to start using acme.sh
    [Sat Jun  4 14:01:33 UTC 2016] Installing cron job
    0 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null
    [Sat Jun  4 14:01:33 UTC 2016] Good, bash is installed, change the shebang to use bash as prefered.
    [Sat Jun  4 14:01:33 UTC 2016] OK
    https://github.com/Neilpang/acme.sh
    v2.2.5
    -----------------------------------------------------
    acme.sh updated
    -----------------------------------------------------
    Reloading nginx configuration (via systemctl):  [  OK  ]
    
    -----------------------------------------------------------
    reissue & install letsencrypt ssl certificate for acme.domain.com
    -----------------------------------------------------------
    /root/.acme.sh/acme.sh --force --createDomainKey -d acme.domain.com -k 2048 --useragent centminmod-centos7-acmesh-webroot
    [Sat Jun  4 14:01:33 UTC 2016] Creating domain key
    [Sat Jun  4 14:01:33 UTC 2016] Use length 2048
    /root/.acme.sh/acme.sh --force --staging --issue -d acme.domain.com -w /home/nginx/domains/acme.domain.com/public -k 2048 --useragent centminmod-centos7-acmesh-webroot
    [Sat Jun  4 14:01:34 UTC 2016] Using stage api:https://acme-staging.api.letsencrypt.org
    [Sat Jun  4 14:01:36 UTC 2016] Skip register account key
    [Sat Jun  4 14:01:36 UTC 2016] Creating csr
    [Sat Jun  4 14:01:36 UTC 2016] Single domain='acme.domain.com'
    [Sat Jun  4 14:01:36 UTC 2016] Verify each domain
    [Sat Jun  4 14:01:36 UTC 2016] Getting webroot for domain='acme.domain.com'
    [Sat Jun  4 14:01:37 UTC 2016] Getting token for domain='acme.domain.com'
    [Sat Jun  4 14:01:42 UTC 2016] Verifying:acme.domain.com
    [Sat Jun  4 14:01:52 UTC 2016] Success
    [Sat Jun  4 14:01:52 UTC 2016] Verify finished, start to sign.
    [Sat Jun  4 14:01:57 UTC 2016] Cert success.
    -----BEGIN CERTIFICATE-----
    MIIE6zCCA9OgAwIBAgITAPon/sdf21sjqHj6IEOWJIE79DANBgkqhkiG9w0BAQsF
    ADAiMSAwHgYDVQQDDBdGYWtlIExFIEludGVybWVkaWF0ZSBYMTAeFw0xNjA2MDQx
    MzAyMDBaFw0xNjA5MDIxMzAyMDBaMB4xHDAaBgNVBAMTE2FjbWUuY2VudG1pbm1v
    ZC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDHk1776WevZtJp
    nMXY8QIxp0G3fz3pQcEluVgO/RFByOsEGH99W+GV2o0ZlyM62b59c9wxaE4qBwlh
    jmony47Q4Qw7PMsH0VCb/ve/Zx+ptazgquJP7WElsxU0vGcAeHHUaUOvAM/UYRq0
    RSQTDFf3+V+xeJ26ZmgFdmAT+SlB0G5KIJ6xu/Wd8E8W2bjZNPkkLCjL+1ZMgnnc
    vp18Ekwnqws/qR0wFNCgG2R+IsraEQUqlnkexnPkv2epJQXcsrpOZfqBvjK/fsi6
    rWbQTjHqs5jW0xTn9vQ00f0f4/THquSM9iM/hSPClqLWuaSaBWd72Z2KFNEEJdkF
    H4Z+ImvbAgMBAAGjggIcMIICGDAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYI
    KwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFAYHOoBB
    Cpo+FTAMVZC+s2oVIoT2MB8GA1UdIwQYMBaAFMDMA0a5WCDMXHJw8+EuyyCm9Wg6
    MHgGCCsGAQUFBwEBBGwwajAzBggrBgEFBQcwAYYnaHR0cDovL29jc3Auc3RnLWlu
    dC14MS5sZXRzZW5jcnlwdC5vcmcvMDMGCCsGAQUFBzAChidodHRwOi8vY2VydC5z
    dGctaW50LXgxLmxldHNlbmNyeXB0Lm9yZy8wHgYDVR0RBBcwFYITYWNtZS5jZW50
    bWlubW9kLmNvbTCB/gYDVR0gBIH2MIHzMAgGBmeBDAECATCB5gYLKwYBBAGC3xMB
    AQEwgdYwJgYIKwYBBQUHAgEWGmh0dHA6Ly9jcHMubGV0c2VuY3J5cHQub3JnMIGr
    BggrBgEFBQcCAjCBngyBm1RoaXMgQ2VydGlmaWNhdGUgbWF5IG9ubHkgYmUgcmVs
    aWVkIHVwb24gYnkgUmVseWluZyBQYXJ0aWVzIGFuZCBvbmx5IGluIGFjY29yZGFu
    Y2Ugd2l0aCB0aGUgQ2VydGlmaWNhdGUgUG9saWN5IGZvdW5kIGF0IGh0dHBzOi8v
    bGV0c2VuY3J5cHQub3JnL3JlcG9zaXRvcnkvMA0GCSqGSIb3DQEBCwUAA4IBAQAB
    lrffNAKbOnbRc+IQUx6IOMkm5UMnDUa+dmvMjlMaLCKiZ6ROlYxQtyfX+lGzmkyn
    gfcUXlulT6z59yZAIX5r7D6gHow66zTN8EWd5Bzv2xWpefhbNXtmewryqvfCEvy9
    tnOy9b+vabgjBedCnR5w0292Na/zY8EKMhQeDqC3A0pfMI8U2ASUDGGg/+on1IrB
    m9AxpdgSXwavI6F5InUhPL3y0k98MocgkHqlEAYjpt5+aYvyqvEEikpC0Y5LeBHl
    wqsfqFzxB40cjXZCcQhLvyxMtm5ECntAZj6eSYguevFUV9uomx1gpjbz0m078o2f
    qvUHnrC5Q4CWwMmzJ302
    -----END CERTIFICATE-----
    [Sat Jun  4 14:01:57 UTC 2016] Your cert is in /root/.acme.sh/acme.domain.com/acme.domain.com.cer
    [Sat Jun  4 14:01:59 UTC 2016] The intermediate CA cert is in /root/.acme.sh/acme.domain.com/ca.cer
    [Sat Jun  4 14:01:59 UTC 2016] And the full chain certs is there: /root/.acme.sh/acme.domain.com/fullchain.cer
      ssl_certificate      /usr/local/nginx/conf/ssl/acme.domain.com/acme.domain.com-acme.cer;
      ssl_certificate_key  /usr/local/nginx/conf/ssl/acme.domain.com/acme.domain.com-acme.key;
      #ssl_trusted_certificate /usr/local/nginx/conf/ssl/acme.domain.com/acme.domain.com-acme.cer;
    
    -----------------------------------------------------------
    install cert
    -----------------------------------------------------------
    /root/.acme.sh/acme.sh --installcert -d acme.domain.com --certpath /usr/local/nginx/conf/ssl/acme.domain.com/acme.domain.com-acme.cer --keypath /usr/local/nginx/conf/ssl/acme.domain.com/acme.domain.com-acme.key --capath /usr/local/nginx/conf/ssl/acme.domain.com/acme.domain.com-acme.cer --reloadCmd /usr/bin/ngxreload --fullchainpath /usr/local/nginx/conf/ssl/acme.domain.com/acme.domain.com-fullchain-acme.key
    [Sat Jun  4 14:02:00 UTC 2016] Installing cert to:/usr/local/nginx/conf/ssl/acme.domain.com/acme.domain.com-acme.cer
    [Sat Jun  4 14:02:00 UTC 2016] Installing CA to:/usr/local/nginx/conf/ssl/acme.domain.com/acme.domain.com-acme.cer
    [Sat Jun  4 14:02:00 UTC 2016] Installing key to:/usr/local/nginx/conf/ssl/acme.domain.com/acme.domain.com-acme.key
    [Sat Jun  4 14:02:00 UTC 2016] Installing full chain to:/usr/local/nginx/conf/ssl/acme.domain.com/acme.domain.com-fullchain-acme.key
    [Sat Jun  4 14:02:00 UTC 2016] Run Le_ReloadCmd: /usr/bin/ngxreload
    Reloading nginx configuration (via systemctl):  [  OK  ]
    [Sat Jun  4 14:02:00 UTC 2016] Reload success.
    
    letsencrypt ssl certificate setup completed
    ssl certs located at: /usr/local/nginx/conf/ssl/acme.domain.com
    
    openssl x509 -noout -text < /usr/local/nginx/conf/ssl/acme.domain.com/acme.domain.com-acme.cer
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number:
                fa:27:ff:77:37:e9:40:a3:a8:78:fa:20:43:96:24:81:3b:f4
        Signature Algorithm: sha256WithRSAEncryption
            Issuer: CN=Fake LE Intermediate X1
            Validity
                Not Before: Jun  4 13:02:00 2016 GMT
                Not After : Sep  2 13:02:00 2016 GMT
            Subject: CN=acme.domain.com
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (2048 bit)
                    Modulus:
                        00:c7:93:5e:fb:e9:67:af:66:d2:69:9c:c5:d8:f1:
                        02:31:a7:41:b7:7f:3d:e9:41:c1:25:b9:58:0e:fd:
                        11:41:c8:eb:04:18:7f:7d:5b:e1:95:da:8d:19:97:
                        23:3a:d9:be:7d:73:dc:31:68:4e:2a:07:09:61:8e:
                        6a:27:cb:8e:d0:e1:0c:3b:3c:cb:07:d1:50:9b:fe:
                        f7:bf:67:1f:a9:b5:ac:e0:aa:e2:4f:ed:61:25:b3:
                        15:34:bc:67:00:78:71:d4:69:43:af:00:cf:d4:61:
                        1a:b4:45:24:13:0c:57:f7:f9:5f:b1:78:9d:ba:66:
                        68:05:76:60:13:f9:29:41:d0:6e:4a:20:9e:b1:bb:
                        f5:9d:f0:4f:16:d9:b8:d9:34:f9:24:2c:28:cb:fb:
                        56:4c:82:79:dc:be:9d:7c:12:4c:27:ab:0b:3f:a9:
                        1d:30:14:d0:a0:1b:64:7e:22:ca:da:11:05:2a:96:
                        79:1e:c6:73:e4:bf:67:a9:25:05:dc:b2:ba:4e:65:
                        fa:81:be:32:bf:7e:c8:ba:ad:66:d0:4e:31:ea:b3:
                        98:d6:d3:14:e7:f6:f4:34:d1:fd:1f:e3:f4:c7:aa:
                        e4:8c:f6:23:3f:85:23:c2:96:a2:d6:b9:a4:9a:05:
                        67:7b:d9:9d:8a:14:d1:04:25:d9:05:1f:86:7e:22:
                        6b:db
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Key Usage: critical
                    Digital Signature, Key Encipherment
                X509v3 Extended Key Usage:
                    TLS Web Server Authentication, TLS Web Client Authentication
                X509v3 Basic Constraints: critical
                    CA:FALSE
                X509v3 Subject Key Identifier:
                    06:07:3A:80:41:0A:9A:3E:15:30:0C:55:90:BE:B3:6A:15:22:84:F6
                X509v3 Authority Key Identifier:
                    keyid:C0:CC:03:46:B9:58:20:CC:5C:72:70:F3:E1:2E:CB:20:A6:F5:68:3A
    
                Authority Information Access:
                    OCSP - URI:http://ocsp.stg-int-x1.letsencrypt.org/
                    CA Issuers - URI:http://cert.stg-int-x1.letsencrypt.org/
    
                X509v3 Subject Alternative Name:
                    DNS:acme.domain.com
                X509v3 Certificate Policies:
                    Policy: 2.23.140.1.2.1
                    Policy: 1.3.6.1.4.1.44947.1.1.1
                      CPS: http://cps.letsencrypt.org
                      User Notice:
                        Explicit Text: This Certificate may only be relied upon by Relying Parties and only in accordance with the Certificate Policy found at https://letsencrypt.org/repository/
    
        Signature Algorithm: sha256WithRSAEncryption
             01:96:b7:df:34:02:9b:3a:76:d1:73:e2:10:53:1e:88:38:c9:
             26:e5:43:27:0d:46:be:76:6b:cc:8e:53:1a:2c:22:a2:67:a4:
             4e:95:8c:50:b7:27:d7:fa:51:b3:9a:4c:a7:81:f7:14:5e:5b:
             a5:4f:ac:f9:f7:26:40:21:7e:6b:ec:3e:a0:1e:8c:3a:eb:34:
             cd:f0:45:9d:e4:1c:ef:db:15:a9:79:f8:5b:35:7b:66:7b:0a:
             f2:aa:f7:c2:12:fc:bd:b6:73:b2:f5:bf:af:69:b8:23:05:e7:
             42:9d:1e:70:d3:6f:76:35:af:f3:63:c1:0a:32:14:1e:0e:a0:
             b7:03:4a:5f:30:8f:14:d8:04:94:0c:61:a0:ff:ea:27:d4:8a:
             c1:9b:d0:31:a5:d8:12:5f:06:af:23:a1:79:22:75:21:3c:bd:
             f2:d2:4f:7c:32:87:20:90:7a:a5:10:06:23:a6:de:7e:69:8b:
             f2:aa:f1:04:8a:4a:42:d1:8e:4b:78:11:e5:c2:ab:1f:a8:5c:
             f1:07:8d:1c:8d:76:42:71:08:4b:bf:2c:4c:b6:6e:44:0a:7b:
             40:66:3e:9e:49:88:2e:7a:f1:54:57:db:a8:9b:1d:60:a6:36:
             f3:d2:6d:3b:f2:8d:9f:aa:f5:07:9e:b0:b9:43:80:96:c0:c9:
             b3:27:7d:36


    acmetool.sh also got a new option that I am testing and that is specifying a custom webroot path via webroot-issue, webroot-reissue and webroot-renew options. An option suited to those folks running Laravel, node.js etc type of web applications which have their own custom webroot paths. Specifying these custom webroots will alter existing domain.com non-https nginx vhost root path as well as the created domain.com https nginx vhost root path in respective nginx vhost files /usr/local/nginx/conf/conf.d/domain.com.conf and /usr/local/nginx/conf/conf.d/domain.com.ssl.conf.
    Code (Text):
    /usr/local/src/centminmod/addons/acmetool.sh
    
    /usr/local/src/centminmod/addons/acmetool.sh {acmeinstall|acmeupdate|acmesetup|issue|reissue|renew|s3issue|s3reissue|s3renew}
    
    Usage Commands:
    /usr/local/src/centminmod/addons/acmetool.sh acmeinstall
    /usr/local/src/centminmod/addons/acmetool.sh acmeupdate
    /usr/local/src/centminmod/addons/acmetool.sh acmesetup
    /usr/local/src/centminmod/addons/acmetool.sh issue domainname
    /usr/local/src/centminmod/addons/acmetool.sh issue domainname live
    /usr/local/src/centminmod/addons/acmetool.sh reissue domainname
    /usr/local/src/centminmod/addons/acmetool.sh reissue domainname live
    /usr/local/src/centminmod/addons/acmetool.sh renew domainname
    /usr/local/src/centminmod/addons/acmetool.sh renew domainname live
    /usr/local/src/centminmod/addons/acmetool.sh webroot-issue domainname /path/to/custom/webroot
    /usr/local/src/centminmod/addons/acmetool.sh webroot-issue domainname /path/to/custom/webroot live
    /usr/local/src/centminmod/addons/acmetool.sh webroot-reissue domainname /path/to/custom/webroot
    /usr/local/src/centminmod/addons/acmetool.sh webroot-reissue domainname /path/to/custom/webroot live
    /usr/local/src/centminmod/addons/acmetool.sh webroot-renew domainname /path/to/custom/webroot
    /usr/local/src/centminmod/addons/acmetool.sh webroot-renew domainname /path/to/custom/webroot live
    /usr/local/src/centminmod/addons/acmetool.sh s3issue domainname
    /usr/local/src/centminmod/addons/acmetool.sh s3issue domainname live
    /usr/local/src/centminmod/addons/acmetool.sh s3reissue domainname
    /usr/local/src/centminmod/addons/acmetool.sh s3reissue domainname live
    /usr/local/src/centminmod/addons/acmetool.sh s3renew domainname
    /usr/local/src/centminmod/addons/acmetool.sh s3renew domainname live
    


    example of reissue for acme2.domain.com with custom web root at /home/nginx/domains/acme2.domain.com/customroot
    Code (Text):
    /usr/local/src/centminmod/addons/acmetool.sh webroot-reissue acme2.domain.com /home/nginx/domains/acme2.domain.com/customroot        
    
    -----------------------------------------------------
    updating acme.sh client...
    -----------------------------------------------------
    [Sat Jun  4 14:25:19 UTC 2016] Installing to /root/.acme.sh
    [Sat Jun  4 14:25:19 UTC 2016] Installed to /root/.acme.sh/acme.sh
    [Sat Jun  4 14:25:19 UTC 2016] OK, Close and reopen your terminal to start using acme.sh
    [Sat Jun  4 14:25:19 UTC 2016] Installing cron job
    0 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null
    [Sat Jun  4 14:25:19 UTC 2016] Good, bash is installed, change the shebang to use bash as prefered.
    [Sat Jun  4 14:25:19 UTC 2016] OK
    https://github.com/Neilpang/acme.sh
    v2.2.5
    -----------------------------------------------------
    acme.sh updated
    -----------------------------------------------------
    adjusting /usr/local/nginx/conf/conf.d/acme2.domain.com.conf
    change web root: 
    from: 
    to: /home/nginx/domains/acme2.domain.com/customroot
      root /home/nginx/domains/acme2.domain.com/customroot;
    Reloading nginx configuration (via systemctl):  [  OK  ]
    
    -----------------------------------------------------------
    reissue & install letsencrypt ssl certificate for acme2.domain.com
    -----------------------------------------------------------
    /root/.acme.sh/acme.sh --force --createDomainKey -d acme2.domain.com -k 2048 --useragent centminmod-centos7-acmesh-webroot
    [Sat Jun  4 14:25:20 UTC 2016] Creating domain key
    [Sat Jun  4 14:25:20 UTC 2016] Use length 2048
    /root/.acme.sh/acme.sh --force --staging --issue -d acme2.domain.com -w /home/nginx/domains/acme2.domain.com/customroot -k 2048 --useragent centminmod-centos7-acmesh-webroot 
    [Sat Jun  4 14:25:20 UTC 2016] Using stage api:https://acme-staging.api.letsencrypt.org
    [Sat Jun  4 14:25:23 UTC 2016] Skip register account key
    [Sat Jun  4 14:25:23 UTC 2016] Creating csr
    [Sat Jun  4 14:25:23 UTC 2016] Single domain='acme2.domain.com'
    [Sat Jun  4 14:25:23 UTC 2016] Verify each domain
    [Sat Jun  4 14:25:23 UTC 2016] Getting webroot for domain='acme2.domain.com'
    [Sat Jun  4 14:25:23 UTC 2016] Getting token for domain='acme2.domain.com'
    [Sat Jun  4 14:25:29 UTC 2016] Verifying:acme2.domain.com
    [Sat Jun  4 14:25:39 UTC 2016] Success
    [Sat Jun  4 14:25:39 UTC 2016] Verify finished, start to sign.
    [Sat Jun  4 14:25:44 UTC 2016] Cert success.
    -----BEGIN CERTIFICATE-----
    MIIE7TCCA9WgAwIBAgITAPoMwEeINOYde7gqb9k/uFWzizANBgkqhkiG9w0BAQsF
    ADAiMSAwHgYDVQQDDBdGYWtlIExFIEludGVybWVkaWF0ZSBYMTAeFw0xNjA2MDQx
    MzI2MDBaFw0xNjA5MDIxMzI2MDBaMB8xHTAbBgNVBAMTFGFjbWUysd34bnRtaW5t
    b2QuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAp35jNkV1IPVX
    HyRYvTeFWeFzNeFWIB+M920KXTQNnIvgEyTESwzsKq9OtWuMj7os28oIRYM4xrLW
    PHfF0TPd3JDPVc1kSB1sDGtWr61lFMmpgMPZ/r3XgDun5MDsYLm2rxfCS+Zk2Sb2
    PNOdn6yJuU7XlDP1w1fjRJWotyUbwp5vot/3t34pTl88z+w3FtsUcTpAbFaupi+q
    QEy6UuQTjZQbyczcc5a6dJXbGDxYw931ycpxFRmNCFMv//d8Xw0fhTu97sTq/qoJ
    3nyP+Aw0OIDP0RnPS6hcAXaLfbtJaPUxMDmkc4HNcWYpxofmBI31i8SW3KTZPLtq
    Ss3jd9N/CQIDAQABo4ICHTCCAhkwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQG
    CCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBTGCFSW
    ehrPqPyYhvAYFnw4Z9aTEjAfBgNVHSMEGDAWgBTAzANGuVggzFxycPPhLssgpvVo
    OjB4BggrBgEFBQcBAQRsMGowMwYIKwYBBQUHMAGGJ2h0dHA6Ly9vY3NwLnN0Zy1p
    bnQteDEubGV0c2VuY3J5cHQub3JnLzAzBggrBgEFBQcwAoYnaHR0cDovL2NlcnQu
    c3RnLWludC14MS5sZXRzZW5jcnlwdC5vcmcvMB8GA1UdEQQYMBaCFGFjbWUyLmNl
    bnRtaW5tb2QuY29tMIH+BgNVHSAEgfYwgfMwCAYGZ4EMAQIBMIHmBgsrBgEEAYLf
    EwEBATCB1jAmBggrBgEFBQcCARYaaHR0cDovL2Nwcy5sZXRzZW5jcnlwdC5vcmcw
    gasGCCsGAQUFBwICMIGeDIGbVGhpcyBDZXJ0aWZpY2F0ZSBtYXkgb25seSBiZSBy
    ZWxpZWQgdXBvbiBieSBSZWx5aW5nIFBhcnRpZXMgYW5kIG9ubHkgaW4gYWNjb3Jk
    YW5jZSB3aXRoIHRoZSBDZXJ0aWZpY2F0ZSBQb2xpY3kgZm91bmQgYXQgaHR0cHM6
    Ly9sZXRzZW5jcnlwdC5vcmcvcmVwb3NpdG9yeS8wDQYJKoZIhvcNAQELBQADggEB
    AJiiYBkWO+wZ/+18+FUogdmJtRo8r9vvONqOmDFkNobkQ63CI0ZRLDDKN9NeXFcL
    w7HUtO7yDIEOthdcnm9vnwEk+JwsNK3+nLzOGvS/X3laECp+uj8ASH5vK0FLgvcg
    +Iw774sNYyHx1S5y8nzsQRCGBH3E4ZNVH5+8VLsG5CCndlbtzOG1HxeT6PxGQgQJ
    3CqtgN2Z4BtyAEy+qj110eU+xoSapmZtpAsFd11YE6wQRg3JIkzkfv0WhvBXcoer
    n7CMZogi9UFEh2fE1r5p3pXH2OJNtWOOlcMs3lIQxW3d5vyiB4tQTJ2LvsQVf62P
    TIl71s6yBkG1ZGDeH1H0uHw=
    -----END CERTIFICATE-----
    [Sat Jun  4 14:25:44 UTC 2016] Your cert is in /root/.acme.sh/acme2.domain.com/acme2.domain.com.cer
    [Sat Jun  4 14:25:45 UTC 2016] The intermediate CA cert is in /root/.acme.sh/acme2.domain.com/ca.cer
    [Sat Jun  4 14:25:45 UTC 2016] And the full chain certs is there: /root/.acme.sh/acme2.domain.com/fullchain.cer
      ssl_certificate      /usr/local/nginx/conf/ssl/acme2.domain.com/acme2.domain.com-acme.cer;
      ssl_certificate_key  /usr/local/nginx/conf/ssl/acme2.domain.com/acme2.domain.com-acme.key;
      #ssl_trusted_certificate /usr/local/nginx/conf/ssl/acme2.domain.com/acme2.domain.com-acme.cer;  
    
    -----------------------------------------------------------
    install cert
    -----------------------------------------------------------
    /root/.acme.sh/acme.sh --installcert -d acme2.domain.com --certpath /usr/local/nginx/conf/ssl/acme2.domain.com/acme2.domain.com-acme.cer --keypath /usr/local/nginx/conf/ssl/acme2.domain.com/acme2.domain.com-acme.key --capath /usr/local/nginx/conf/ssl/acme2.domain.com/acme2.domain.com-acme.cer --reloadCmd /usr/bin/ngxreload --fullchainpath /usr/local/nginx/conf/ssl/acme2.domain.com/acme2.domain.com-fullchain-acme.key
    [Sat Jun  4 14:25:45 UTC 2016] Installing cert to:/usr/local/nginx/conf/ssl/acme2.domain.com/acme2.domain.com-acme.cer
    [Sat Jun  4 14:25:45 UTC 2016] Installing CA to:/usr/local/nginx/conf/ssl/acme2.domain.com/acme2.domain.com-acme.cer
    [Sat Jun  4 14:25:45 UTC 2016] Installing key to:/usr/local/nginx/conf/ssl/acme2.domain.com/acme2.domain.com-acme.key
    [Sat Jun  4 14:25:45 UTC 2016] Installing full chain to:/usr/local/nginx/conf/ssl/acme2.domain.com/acme2.domain.com-fullchain-acme.key
    [Sat Jun  4 14:25:45 UTC 2016] Run Le_ReloadCmd: /usr/bin/ngxreload
    Reloading nginx configuration (via systemctl):  [  OK  ]
    [Sat Jun  4 14:25:46 UTC 2016] Reload success.
    
    letsencrypt ssl certificate setup completed
    ssl certs located at: /usr/local/nginx/conf/ssl/acme2.domain.com
    
    openssl x509 -noout -text < /usr/local/nginx/conf/ssl/acme2.domain.com/acme2.domain.com-acme.cer
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number:
                fa:0c:c0:47:88:34:e6:1d:7b:b8:2a:6f:d9:3f:b8:55:b3:8b
        Signature Algorithm: sha256WithRSAEncryption
            Issuer: CN=Fake LE Intermediate X1
            Validity
                Not Before: Jun  4 13:26:00 2016 GMT
                Not After : Sep  2 13:26:00 2016 GMT
            Subject: CN=acme2.domain.com
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (2048 bit)
                    Modulus:
                        00:a7:7e:63:36:45:75:20:f5:57:1f:24:58:bd:37:
                        85:59:e1:73:35:e1:56:20:1f:8c:f7:6d:0a:5d:34:
                        0d:9c:8b:e0:13:24:c4:4b:0c:ec:2a:af:4e:b5:6b:
                        8c:8f:ba:2c:db:ca:08:45:83:38:c6:b2:d6:3c:77:
                        c5:d1:33:dd:dc:90:cf:55:cd:64:48:1d:6c:0c:6b:
                        56:af:ad:65:14:c9:a9:80:c3:d9:fe:bd:d7:80:3b:
                        a7:e4:c0:ec:60:b9:b6:af:17:c2:4b:e6:64:d9:26:
                        f6:3c:d3:9d:9f:ac:89:b9:4e:d7:94:33:f5:c3:57:
                        e3:44:95:a8:b7:25:1b:c2:9e:6f:a2:df:f7:b7:7e:
                        29:4e:5f:3c:cf:ec:37:16:db:14:71:3a:40:6c:56:
                        ae:a6:2f:aa:40:4c:ba:52:e4:13:8d:94:1b:c9:cc:
                        dc:73:96:ba:74:95:db:18:3c:58:c3:dd:f5:c9:ca:
                        71:15:19:8d:08:53:2f:ff:f7:7c:5f:0d:1f:85:3b:
                        bd:ee:c4:ea:fe:aa:09:de:7c:8f:f8:0c:34:38:80:
                        cf:d1:19:cf:4b:a8:5c:01:76:8b:7d:bb:49:68:f5:
                        31:30:39:a4:73:81:cd:71:66:29:c6:87:e6:04:8d:
                        f5:8b:c4:96:dc:a4:d9:3c:bb:6a:4a:cd:e3:77:d3:
                        7f:09
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Key Usage: critical
                    Digital Signature, Key Encipherment
                X509v3 Extended Key Usage: 
                    TLS Web Server Authentication, TLS Web Client Authentication
                X509v3 Basic Constraints: critical
                    CA:FALSE
                X509v3 Subject Key Identifier: 
                    C6:08:54:96:7A:1A:CF:A8:FC:98:86:F0:18:16:7C:38:67:D6:93:12
                X509v3 Authority Key Identifier: 
                    keyid:C0:CC:03:46:B9:58:20:CC:5C:72:70:F3:E1:2E:CB:20:A6:F5:68:3A
    
                Authority Information Access: 
                    OCSP - URI:http://ocsp.stg-int-x1.letsencrypt.org/
                    CA Issuers - URI:http://cert.stg-int-x1.letsencrypt.org/
    
                X509v3 Subject Alternative Name: 
                    DNS:acme2.domain.com
                X509v3 Certificate Policies: 
                    Policy: 2.23.140.1.2.1
                    Policy: 1.3.6.1.4.1.44947.1.1.1
                      CPS: http://cps.letsencrypt.org
                      User Notice:
                        Explicit Text: This Certificate may only be relied upon by Relying Parties and only in accordance with the Certificate Policy found at https://letsencrypt.org/repository/
    
        Signature Algorithm: sha256WithRSAEncryption
             98:a2:60:19:16:3b:ec:19:ff:ed:7c:f8:55:28:81:d9:89:b5:
             1a:3c:af:db:ef:38:da:8e:98:31:64:36:86:e4:43:ad:c2:23:
             46:51:2c:30:ca:37:d3:5e:5c:57:0b:c3:b1:d4:b4:ee:f2:0c:
             81:0e:b6:17:5c:9e:6f:6f:9f:01:24:f8:9c:2c:34:ad:fe:9c:
             bc:ce:1a:f4:bf:5f:79:5a:10:2a:7e:ba:3f:00:48:7e:6f:2b:
             41:4b:82:f7:20:f8:8c:3b:ef:8b:0d:63:21:f1:d5:2e:72:f2:
             7c:ec:41:10:86:04:7d:c4:e1:93:55:1f:9f:bc:54:bb:06:e4:
             20:a7:76:56:ed:cc:e1:b5:1f:17:93:e8:fc:46:42:04:09:dc:
             2a:ad:80:dd:99:e0:1b:72:00:4c:be:aa:3d:75:d1:e5:3e:c6:
             84:9a:a6:66:6d:a4:0b:05:77:5d:58:13:ac:10:46:0d:c9:22:
             4c:e4:7e:fd:16:86:f0:57:72:87:ab:9f:b0:8c:66:88:22:f5:
             41:44:87:67:c4:d6:be:69:de:95:c7:d8:e2:4d:b5:63:8e:95:
             c3:2c:de:52:10:c5:6d:dd:e6:fc:a2:07:8b:50:4c:9d:8b:be:
             c4:15:7f:ad:8f:4c:89:7b:d6:ce:b2:06:41:b5:64:60:de:1f:
             51:f4:b8:7c
    

    Code (Text):
    cat /usr/local/nginx/conf/conf.d/acme2.domain.com.conf | grep root
      root /home/nginx/domains/acme2.domain.com/customroot;
    
    cat /usr/local/nginx/conf/conf.d/acme2.domain.com.ssl.conf | grep root
      root /home/nginx/domains/acme2.domain.com/customroot;
    
     
    Last edited: Jun 5, 2016
  5. eva2000

    eva2000 Administrator Staff Member

    53,554
    12,135
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,678
    Local Time:
    1:29 PM
    Nginx 1.27.x
    MariaDB 10.x/11.4+

    acmetool.sh adds Pushover.net Notification Support



    My favourite push notification service is Pushover.net - $5 once off setup fee allows you to setup email aliases and use Pushover.net API to send notification alerts to your tablet and mobile devices via the official Pushover mobile apps in respective web app stores. This is much better than plain old emails which can get lost in spam or junk inboxes etc.

    I've added Pushover.net support to acmetool.sh for issue, reissue and renewal notifications. Right now notification only happens at the issuance stage of issue, reissue or renewals. I have to work on the code for setting up a reliable renewal notification system that bypasses the acme.sh client and Letsencrypt's own email notifications. So instead of relying on acme.sh to setup the official Letsencrypt SSL certificate reminders, it can be done from the server itself via Pushover notification reminders.

    I love using Pushover ever since @Matt put me onto it and even use Pushover integration in my MySQL dbbackup.sh script and auto yum-cron setups too :D

    Example after running acmetool.sh to reissue Letsencrypt SSL certificate for acme.domain.com (real domain hidden and using domain.com as an example).
    Code (Text):
    ./acmetool.sh reissue acme.domain.com
    

    pushover-01.png
    pushover-02.png
    pushover-03.png

    As part of the process, I'd need to build in a renew all routine mimicking the acme.sh renew all routine for cronjob renewals which may eventually replace acme.sh's cronjob with acmetool.sh's own cron.

    2 new acmetool.sh options for renewall and renewall live
    Code (Text):
    ./acmetool.sh        
    
    ./acmetool.sh {acmeinstall|acmeupdate|acmesetup|issue|reissue|renew|s3issue|s3reissue|s3renew|renewall}
    
    Usage Commands:
    ./acmetool.sh acmeinstall
    ./acmetool.sh acmeupdate
    ./acmetool.sh acmesetup
    ./acmetool.sh issue domainname
    ./acmetool.sh issue domainname live
    ./acmetool.sh reissue domainname
    ./acmetool.sh reissue domainname live
    ./acmetool.sh renew domainname
    ./acmetool.sh renew domainname live
    ./acmetool.sh webroot-issue domainname /path/to/custom/webroot
    ./acmetool.sh webroot-issue domainname /path/to/custom/webroot live
    ./acmetool.sh webroot-reissue domainname /path/to/custom/webroot
    ./acmetool.sh webroot-reissue domainname /path/to/custom/webroot live
    ./acmetool.sh webroot-renew domainname /path/to/custom/webroot
    ./acmetool.sh webroot-renew domainname /path/to/custom/webroot live
    ./acmetool.sh s3issue domainname
    ./acmetool.sh s3issue domainname live
    ./acmetool.sh s3reissue domainname
    ./acmetool.sh s3reissue domainname live
    ./acmetool.sh s3renew domainname
    ./acmetool.sh s3renew domainname live
    ./acmetool.sh renewall
    ./acmetool.sh renewall live
    

    example output for acmetool.sh renewall command without live flag so renew with test staging Letsencrypt SSL certificates only for acme.domain.com and acme2.domain.com on current server.
    Code (Text):
    ./acmetool.sh renewall
    
    -----------------------------------------------------
    updating acme.sh client...
    -----------------------------------------------------
    [Mon Jun  6 22:17:16 UTC 2016] Installing to /root/.acme.sh
    [Mon Jun  6 22:17:16 UTC 2016] Installed to /root/.acme.sh/acme.sh
    [Mon Jun  6 22:17:16 UTC 2016] OK, Close and reopen your terminal to start using acme.sh
    [Mon Jun  6 22:17:16 UTC 2016] Installing cron job
    0 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null
    [Mon Jun  6 22:17:16 UTC 2016] Good, bash is installed, change the shebang to use bash as prefered.
    [Mon Jun  6 22:17:16 UTC 2016] OK
    https://github.com/Neilpang/acme.sh
    v2.2.5
    -----------------------------------------------------
    acme.sh updated
    -----------------------------------------------------
    
    -----------------------------------------------------------
    renew & install letsencrypt ssl certificate for acme2.domain.com
    -----------------------------------------------------------
    /root/.acme.sh/acme.sh --staging --issue -d acme2.domain.com -w /home/nginx/domains/acme2.domain.com/public -k 2048 --useragent centminmod-centos7-acmesh-webroot
    [Mon Jun  6 22:17:17 UTC 2016] Using stage api:https://acme-staging.api.letsencrypt.org
    [Mon Jun  6 22:17:17 UTC 2016] Skip, Next renewal time is: "Tue Aug 23 16:42:54 UTC 2016"
    
    -----------------------------------------------------
    updating acme.sh client...
    -----------------------------------------------------
    [Mon Jun  6 22:17:17 UTC 2016] Installing to /root/.acme.sh
    [Mon Jun  6 22:17:17 UTC 2016] Installed to /root/.acme.sh/acme.sh
    [Mon Jun  6 22:17:17 UTC 2016] OK, Close and reopen your terminal to start using acme.sh
    [Mon Jun  6 22:17:18 UTC 2016] Installing cron job
    0 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null
    [Mon Jun  6 22:17:18 UTC 2016] Good, bash is installed, change the shebang to use bash as prefered.
    [Mon Jun  6 22:17:18 UTC 2016] OK
    https://github.com/Neilpang/acme.sh
    v2.2.5
    -----------------------------------------------------
    acme.sh updated
    -----------------------------------------------------
    
    -----------------------------------------------------------
    renew & install letsencrypt ssl certificate for acme.domain.com
    -----------------------------------------------------------
    /root/.acme.sh/acme.sh --staging --issue -d acme.domain.com -w /home/nginx/domains/acme.domain.com/public -k 2048 --useragent centminmod-centos7-acmesh-webroot
    [Mon Jun  6 22:17:18 UTC 2016] Using stage api:https://acme-staging.api.letsencrypt.org
    [Mon Jun  6 22:17:18 UTC 2016] Skip, Next renewal time is: "Thu Aug 25 21:21:52 UTC 2016"
    

    As you can see it skipped renewal for both acme.domain.com and acme2.domain.com as the SSL certificate is still valid and hasn't reached close to expiry date yet - which I have set to renew every 60 days or 30 days before the 90 day expiry.
     
    Last edited: Jun 7, 2016
  6. eva2000

    eva2000 Administrator Staff Member

    53,554
    12,135
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,678
    Local Time:
    1:29 PM
    Nginx 1.27.x
    MariaDB 10.x/11.4+

    Support for /usr/bin/nv default HTTPS Only Option



    Added a new flag to addons/acmetool.sh to be able to utilise /usr/bin/nv new HTTPS only + HTTP to HTTPS 302 redirect nginx vhost creation via new d and lived flags for test cert + HTTPS only and live cert + HTTPS only respectively
    Code (Text):
    ./acmetool.sh
    
    ./acmetool.sh {acmeinstall|acmeupdate|acmesetup|issue|reissue|renew|s3issue|s3reissue|s3renew|renewall}
    
    Usage Commands:
    ./acmetool.sh acmeinstall
    ./acmetool.sh acmeupdate
    ./acmetool.sh acmesetup
    ./acmetool.sh issue domainname
    ./acmetool.sh issue domainname d
    ./acmetool.sh issue domainname live
    ./acmetool.sh issue domainname lived
    ./acmetool.sh reissue domainname
    ./acmetool.sh reissue domainname d
    ./acmetool.sh reissue domainname live
    ./acmetool.sh reissue domainname lived
    ./acmetool.sh renew domainname
    ./acmetool.sh renew domainname d
    ./acmetool.sh renew domainname live
    ./acmetool.sh renew domainname lived
    ./acmetool.sh webroot-issue domainname /path/to/custom/webroot
    ./acmetool.sh webroot-issue domainname /path/to/custom/webroot d
    ./acmetool.sh webroot-issue domainname /path/to/custom/webroot live
    ./acmetool.sh webroot-issue domainname /path/to/custom/webroot lived
    ./acmetool.sh webroot-reissue domainname /path/to/custom/webroot
    ./acmetool.sh webroot-reissue domainname /path/to/custom/webroot d
    ./acmetool.sh webroot-reissue domainname /path/to/custom/webroot live
    ./acmetool.sh webroot-reissue domainname /path/to/custom/webroot lived
    ./acmetool.sh webroot-renew domainname /path/to/custom/webroot
    ./acmetool.sh webroot-renew domainname /path/to/custom/webroot d
    ./acmetool.sh webroot-renew domainname /path/to/custom/webroot live
    ./acmetool.sh webroot-renew domainname /path/to/custom/webroot lived
    ./acmetool.sh s3issue domainname
    ./acmetool.sh s3issue domainname d
    ./acmetool.sh s3issue domainname live
    ./acmetool.sh s3issue domainname lived
    ./acmetool.sh s3reissue domainname
    ./acmetool.sh s3reissue domainname d
    ./acmetool.sh s3reissue domainname live
    ./acmetool.sh s3reissue domainname lived
    ./acmetool.sh s3renew domainname
    ./acmetool.sh s3renew domainname d
    ./acmetool.sh s3renew domainname live
    ./acmetool.sh s3renew domainname lived
    ./acmetool.sh renewall
    ./acmetool.sh renewall live
    ./acmetool.sh renewall lived
    

    Issued Letsencrypt ssl certificates' push notification to my Android based mobile via acmetool.sh :)

    staging test acme.domain.xyz with HTTPS default only + HTTP to HTTPS 302 redirect
    Code (Text):
    ./acmetool.sh issue acme.domain.xyz d
    


    upload_2016-6-18_10-51-37.png
     
    Last edited: Jun 18, 2016
  7. eva2000

    eva2000 Administrator Staff Member

    53,554
    12,135
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,678
    Local Time:
    1:29 PM
    Nginx 1.27.x
    MariaDB 10.x/11.4+

    Updated Nginx HTTPS Vhost Template - HTTP/2 + SPDY Support



    Updated acmetool.sh default Nginx vhost template to detect if Centmin Mod Nginx has enabled HTTPS support with dual HTTP/2 + SPDY Cloudflare patch which was added to Centmin Mod 123.09beta01branch.

    Centmin Mod 123.09beta01 Nginx 1.11.1 with HTTP/2 + SPDY working again

    Code (Text):
    echo QUIT | openssl s_client -connect sslspdy.com:443 -nextprotoneg ' ' 2>&1 | grep 'Protocols advertised'
    Protocols advertised by server: h2, spdy/3.1, http/1.1

    is-http2 tool test
    Code (Text):
    is-http2 https://sslspdy.com
    ✓ HTTP/2 supported by https://sslspdy.com
    Supported protocols: h2 spdy/3.1 http/1.1
    


    sslspdycom-spdy-http2-patch-ssllabs-01.png
    sslspdycom-spdy-http2-patch-ssllabs-02.png
     
  8. eva2000

    eva2000 Administrator Staff Member

    53,554
    12,135
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,678
    Local Time:
    1:29 PM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
  9. eva2000

    eva2000 Administrator Staff Member

    53,554
    12,135
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,678
    Local Time:
    1:29 PM
    Nginx 1.27.x
    MariaDB 10.x/11.4+

    acmetool.sh menu mode



    Added acmetool.sh menu mode structure for issue, renew and reissue of free Letsencrypt SSL certificates within Centmin Mod LEMP stacks. Not all menu options are linked and working yet. Just the basic menu structure and submenus are setup.

    main acme-menu option
    Code (Text):
    ./acmetool.sh acme-menu              
    
    --------------------------------------------------------
            SSL Management          
    --------------------------------------------------------
    1).  acemtool.sh install
    2).  acmetool.sh update
    3).  acmetool.sh setup
    4).  Issue SSL Management
    5).  Renew SSL Management
    6).  Reissue SSL Management
    7).  Renew All Staging /Test Certs
    8).  Renew ALL Live Certs
    9).  Renew All Live Certs HTTPS Default
    10). Exit
    --------------------------------------------------------
    Enter option [ 1 - 10 ] 4
    --------------------------------------------------------
    

    menu option 4 - issue SSL management
    Code (Text):
    --------------------------------------------------------
            SSL Issue Management          
    --------------------------------------------------------
    1).  Issue SSL Cert Staging/Test
    2).  Issue SSL Cert Staging/Test HTTPS Default
    3).  Issue SSL Cert Live
    4).  Issue SSL Cert Live HTTPS Default
    5).  Custom Webroot Issue SSL Cert Staging/Test
    6).  Custom Webroot Issue SSL Cert Staging/Test HTTPS Default
    7).  Custom Webroot Issue SSL Cert Live
    8).  Custom Webroot Issue SSL Cert Live HTTPS Default
    9).  S3 Issue SSL Cert
    10). S3 Issue SSL Cert
    11). S3 Issue SSL Cert
    12). S3 Issue SSL Cert
    13). Exit
    --------------------------------------------------------
    Enter option [ 1 - 13 ]
    --------------------------------------------------------
    

    menu option 5 - renew SSL management
    Code (Text):
    --------------------------------------------------------
            SSL Renew Management          
    --------------------------------------------------------
    1).   Renew SSL Cert Staging/Test
    2).   Renew SSL Cert Staging/Test HTTPS Default
    3).   Renew SSL Cert Live
    4).   Renew SSL Cert Live HTTPS Default
    5).   Custom Webroot Renew SSL Cert Staging/Test
    6).   Custom Webroot Renew SSL Cert Staging/Test HTTPS Default
    7).   Custom Webroot Renew SSL Cert Live
    8).   Custom Webroot Renew SSL Cert Live HTTPS Default
    9).   S3 Renew SSL Cert
    10).  S3 Renew SSL Cert
    11).  S3 Renew SSL Cert
    12).  S3 Renew SSL Cert
    13).  Exit
    --------------------------------------------------------
    Enter option [ 1 - 13 ]
    --------------------------------------------------------
    

    menu option 6 - reissue SSL management
    Code (Text):
    --------------------------------------------------------
            SSL Reissue Management          
    --------------------------------------------------------
    1).  Reissue SSL Cert Staging/Test
    2).  Reissue SSL Cert Staging/Test HTTPS Default
    3).  Reissue SSL Cert Live
    4).  Reissue SSL Cert Live HTTPS Default
    5).  Custom Webroot Reissue SSL Cert Staging/Test
    6).  Custom Webroot Reissue SSL Cert Staging/Test HTTPS Default
    7).  Custom Webroot Reissue SSL Cert Live
    8).  Custom Webroot Reissue SSL Cert Live HTTPS Default
    9).  S3 Reissue SSL Cert
    10). S3 Reissue SSL Cert
    11). S3 Reissue SSL Cert
    12). S3 Reissue SSL Cert
    13). Exit
    --------------------------------------------------------
    Enter option [ 1 - 13 ]
    


    Or if you prefer the command line method
    Code (Text):
    ./acmetool.sh
    
    ./acmetool.sh {acme-menu|acmeinstall|acmeupdate|acmesetup|issue|reissue|renew|s3issue|s3reissue|s3renew|renewall}
    
    Usage Commands:
    ./acmetool.sh acme-menu
    ./acmetool.sh acmeinstall
    ./acmetool.sh acmeupdate
    ./acmetool.sh acmesetup
    ./acmetool.sh issue domainname
    ./acmetool.sh issue domainname d
    ./acmetool.sh issue domainname live
    ./acmetool.sh issue domainname lived
    ./acmetool.sh reissue domainname
    ./acmetool.sh reissue domainname d
    ./acmetool.sh reissue domainname live
    ./acmetool.sh reissue domainname lived
    ./acmetool.sh renew domainname
    ./acmetool.sh renew domainname d
    ./acmetool.sh renew domainname live
    ./acmetool.sh renew domainname lived
    ./acmetool.sh webroot-issue domainname /path/to/custom/webroot
    ./acmetool.sh webroot-issue domainname /path/to/custom/webroot d
    ./acmetool.sh webroot-issue domainname /path/to/custom/webroot live
    ./acmetool.sh webroot-issue domainname /path/to/custom/webroot lived
    ./acmetool.sh webroot-reissue domainname /path/to/custom/webroot
    ./acmetool.sh webroot-reissue domainname /path/to/custom/webroot d
    ./acmetool.sh webroot-reissue domainname /path/to/custom/webroot live
    ./acmetool.sh webroot-reissue domainname /path/to/custom/webroot lived
    ./acmetool.sh webroot-renew domainname /path/to/custom/webroot
    ./acmetool.sh webroot-renew domainname /path/to/custom/webroot d
    ./acmetool.sh webroot-renew domainname /path/to/custom/webroot live
    ./acmetool.sh webroot-renew domainname /path/to/custom/webroot lived
    ./acmetool.sh s3issue domainname
    ./acmetool.sh s3issue domainname d
    ./acmetool.sh s3issue domainname live
    ./acmetool.sh s3issue domainname lived
    ./acmetool.sh s3reissue domainname
    ./acmetool.sh s3reissue domainname d
    ./acmetool.sh s3reissue domainname live
    ./acmetool.sh s3reissue domainname lived
    ./acmetool.sh s3renew domainname
    ./acmetool.sh s3renew domainname d
    ./acmetool.sh s3renew domainname live
    ./acmetool.sh s3renew domainname lived
    ./acmetool.sh renewall
    ./acmetool.sh renewall live
    ./acmetool.sh renewall lived
    
     
  10. eva2000

    eva2000 Administrator Staff Member

    53,554
    12,135
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,678
    Local Time:
    1:29 PM
    Nginx 1.27.x
    MariaDB 10.x/11.4+

    acmetool.sh acme-menu demo



    An example of acmetool.sh acme-menu menu option 4 submenu option 1 to issue a staging test Letsencrypt SSL certificate + auto generate the Centmin Mod Nginx vhost files and domain structure for acme.domain.xyz

    Code (Text):
    --------------------------------------------------------
            SSL Issue Management         
    --------------------------------------------------------
    1).  Issue SSL Cert Staging/Test
    2).  Issue SSL Cert Staging/Test HTTPS Default
    3).  Issue SSL Cert Live
    4).  Issue SSL Cert Live HTTPS Default
    5).  Custom Webroot Issue SSL Cert Staging/Test
    6).  Custom Webroot Issue SSL Cert Staging/Test HTTPS Default
    7).  Custom Webroot Issue SSL Cert Live
    8).  Custom Webroot Issue SSL Cert Live HTTPS Default
    9).  S3 Issue SSL Cert
    10). S3 Issue SSL Cert
    11). S3 Issue SSL Cert
    12). S3 Issue SSL Cert
    13). Exit
    --------------------------------------------------------
    Enter option [ 1 - 13 ] 1
    --------------------------------------------------------
    
    

    Code (Text):
    
    Enter SSL certificate domain name you want: acme.domain.xyz
    
    
    -----------------------------------------------------
    updating acme.sh client...
    -----------------------------------------------------
    [Sat Jun 25 23:47:19 UTC 2016] Installing to /root/.acme.sh
    [Sat Jun 25 23:47:19 UTC 2016] Installed to /root/.acme.sh/acme.sh
    [Sat Jun 25 23:47:20 UTC 2016] OK, Close and reopen your terminal to start using acme.sh
    [Sat Jun 25 23:47:20 UTC 2016] Installing cron job
    0 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null
    [Sat Jun 25 23:47:20 UTC 2016] Good, bash is installed, change the shebang to use bash as prefered.
    [Sat Jun 25 23:47:20 UTC 2016] OK
    https://github.com/Neilpang/acme.sh
    v2.2.8
    -----------------------------------------------------
    acme.sh updated
    -----------------------------------------------------
    
    acme.domain.xyz nginx vhost + pureftp virtual ftp user setup
    
    /usr/bin/nv -d acme.domain.xyz -s y -u USERNAME
    ---------------------------------------------------------------
    Nginx Vhost Setup...
    ---------------------------------------------------------------
    
    
    FTP password auto generated: PASS
    
    Password:
    Enter it again:
    ---------------------------------------------------------------
    SSL Vhost Setup...
    ---------------------------------------------------------------
    
    ---------------------------------------------------------------
    Generating self signed SSL certificate...
    CSR file can also be used to be submitted for paid SSL certificates
    If using for paid SSL certificates be sure to keep both private key and CSR safe
    creating CSR File: acme.domain.xyz.csr
    creating private key: acme.domain.xyz.key
    creating self-signed SSL certificate: acme.domain.xyz.crt
    Generating a 2048 bit RSA private key
    ....................................+++
    ............+++
    writing new private key to 'acme.domain.xyz.key'
    -----
    No value provided for Subject Attribute C, skipped
    No value provided for Subject Attribute ST, skipped
    No value provided for Subject Attribute L, skipped
    Signature ok
    subject=/O=acme.domain.xyz/OU=acme.domain.xyz/CN=acme.domain.xyz
    Getting Private key
    
    ---------------------------------------------------------------
    Generating backup CSR and private key for HTTP Public Key Pinning...
    creating CSR File: acme.domain.xyz-backup.csr
    creating private key: acme.domain.xyz-backup.key
    Generating a 2048 bit RSA private key
    ......................................................................+++
    ....................+++
    writing new private key to 'acme.domain.xyz-backup.key'
    -----
    No value provided for Subject Attribute C, skipped
    No value provided for Subject Attribute ST, skipped
    No value provided for Subject Attribute L, skipped
    
    ---------------------------------------------------------------
    Extracting Base64 encoded information for primary and secondary
    private key's SPKI - Subject Public Key Information
    Primary private key - acme.domain.xyz.key
    Backup private key - acme.domain.xyz-backup.key
    For HPKP - HTTP Public Key Pinning hash generation...
    
    extracting SPKI Base64 encoded hash for primary private key = acme.domain.xyz.key ...
    writing RSA key
    WuC8mtHPd7ETqelHfeGmo5Mo3IHmPIVqd43fyxR+Uwg=
    
    extracting SPKI Base64 encoded hash for backup private key = acme.domain.xyz-backup.key ...
    writing RSA key
    GGJJ4GJv04I8pKzLgXxbzbsKSJAHLdqhtWnmIrx4ihw=
    
    HTTP Public Key Pinning Header for Nginx
    
    for 7 days max-age including subdomains
    
    add_header Public-Key-Pins 'pin-sha256="WuC8mtHPd7ETqelHfeGmo5Mo3IHmPIVqd43fyxR+Uwg="; pin-sha256="GGJJ4GJv04I8pKzLgXxbzbsKSJAHLdqhtWnmIrx4ihw="; max-age=86400; includeSubDomains';
    
    for 7 days max-age excluding subdomains
    
    add_header Public-Key-Pins 'pin-sha256="WuC8mtHPd7ETqelHfeGmo5Mo3IHmPIVqd43fyxR+Uwg="; pin-sha256="GGJJ4GJv04I8pKzLgXxbzbsKSJAHLdqhtWnmIrx4ihw="; max-age=86400';
    
    ---------------------------------------------------------------
    Generating dhparam.pem file - can take a few minutes...
    Generating DH parameters, 2048 bit long safe prime, generator 2
    This is going to take a long time
    .....................................................................................................................+..........+...............+...............................................................+...................................................................................+...........+........................................................+............................................................................................................................................................+...........................................................................................................................................................................................+..................................+.......+.....................................................................+................+........+.+....................................................................+...........................................................................+.........................................+........+................................................................................................................................................................................+.....................................+.........................+.................................................+...............................+.................................................................................................................................................................+...........+.........................................................................................................................................................................................................................+...........................+.............+.++*++*
    dhparam file generation time: 25.917429338
    
    -------------------------------------------------------------
    /usr/local/src/centminmod/tools/autoprotect.sh
    generated nginx include file: /usr/local/nginx/conf/autoprotect/acme.domain.xyz/autoprotect-acme.domain.xyz.conf
    
    autoprotect.sh run completed...
    
    Restarting nginx (via systemctl):  [  OK  ]
    Restarting nginx (via systemctl):  [  OK  ]
    systemctl restart pure-ftpd.service
    
    -------------------------------------------------------------
    FTP hostname : IPADDR
    FTP port : 21
    FTP mode : FTP (explicit SSL)
    FTP Passive (PASV) : ensure is checked/enabled
    FTP username created for acme.domain.xyz : USERNAME
    FTP password created for acme.domain.xyz : PASS
    -------------------------------------------------------------
    

    Code (Text):
    vhost for acme.domain.xyz created successfully
    
    domain: http://acme.domain.xyz
    vhost conf file for acme.domain.xyz created: /usr/local/nginx/conf/conf.d/acme.domain.xyz.conf
    
    vhost ssl for acme.domain.xyz created successfully
    
    domain: https://acme.domain.xyz
    vhost ssl conf file for acme.domain.xyz created: /usr/local/nginx/conf/conf.d/acme.domain.xyz.ssl.conf
    /usr/local/nginx/conf/ssl_include.conf created
    Self-signed SSL Certificate: /usr/local/nginx/conf/ssl/acme.domain.xyz/acme.domain.xyz.crt
    SSL Private Key: /usr/local/nginx/conf/ssl/acme.domain.xyz/acme.domain.xyz.key
    SSL CSR File: /usr/local/nginx/conf/ssl/acme.domain.xyz/acme.domain.xyz.csr
    Backup SSL Private Key: /usr/local/nginx/conf/ssl/acme.domain.xyz/acme.domain.xyz-backup.key
    Backup SSL CSR File: /usr/local/nginx/conf/ssl/acme.domain.xyz/acme.domain.xyz-backup.csr
    
    upload files to /home/nginx/domains/acme.domain.xyz/public
    vhost log files directory is /home/nginx/domains/acme.domain.xyz/log
    
    -------------------------------------------------------------
    Current vhost listing at: /usr/local/nginx/conf/conf.d/
                    
    Jun 16  16:39   845    ssl.conf
    Jun 16  16:39   1.1K   demodomain.com.conf
    Jun 16  16:39   1.6K   virtual.conf
    Jun 25  23:48   2.1K   acme.domain.xyz.conf
    Jun 25  23:48   3.9K   acme.domain.xyz.ssl.conf
    
    -------------------------------------------------------------
    Current vhost ssl files listing at: /usr/local/nginx/conf/ssl/acme.domain.xyz
    
                      
    Jun 25  23:47   1.7K   acme.domain.xyz.key
    Jun 25  23:47   976    acme.domain.xyz.csr
    Jun 25  23:47   1.2K   acme.domain.xyz.crt
    Jun 25  23:47   1.7K   acme.domain.xyz-backup.key
    Jun 25  23:47   976    acme.domain.xyz-backup.csr
    Jun 25  23:47   45     hpkp-info-primary-pin.txt
    Jun 25  23:47   45     hpkp-info-secondary-pin.txt
    Jun 25  23:48   424    dhparam.pem
    
    -------------------------------------------------------------
    Commands to remove acme.domain.xyz
    
    pure-pw userdel USERNAME
    rm -rf /usr/local/nginx/conf/conf.d/acme.domain.xyz.conf
    rm -rf /usr/local/nginx/conf/conf.d/acme.domain.xyz.ssl.conf
    rm -rf /usr/local/nginx/conf/ssl/acme.domain.xyz/acme.domain.xyz.crt
    rm -rf /usr/local/nginx/conf/ssl/acme.domain.xyz/acme.domain.xyz.key
    rm -rf /usr/local/nginx/conf/ssl/acme.domain.xyz/acme.domain.xyz.csr
    rm -rf /usr/local/nginx/conf/ssl/acme.domain.xyz
    rm -rf /home/nginx/domains/acme.domain.xyz
    service nginx restart
    
    -------------------------------------------------------------
    vhost for acme.domain.xyz setup successfully
    acme.domain.xyz setup info log saved at:
    /root/centminlogs/centminmod_250616-234720_nginx_addvhost_nv.log
    -------------------------------------------------------------
    

    Code (Text):
    -----------------------------------------------------------
    issue & install letsencrypt ssl certificate for acme.domain.xyz
    -----------------------------------------------------------
    /root/.acme.sh/acme.sh --issue -d acme.domain.xyz -w /home/nginx/domains/acme.domain.xyz/public -k 2048 --useragent centminmod-centos7-acmesh-webroot
    [Sat Jun 25 23:48:21 UTC 2016] Registering account
    [Sat Jun 25 23:48:26 UTC 2016] Already registered
    [Sat Jun 25 23:48:26 UTC 2016] Creating domain key
    [Sat Jun 25 23:48:26 UTC 2016] Use length 2048
    [Sat Jun 25 23:48:26 UTC 2016] Creating csr
    [Sat Jun 25 23:48:26 UTC 2016] Single domain='acme.domain.xyz'
    [Sat Jun 25 23:48:26 UTC 2016] Verify each domain
    [Sat Jun 25 23:48:26 UTC 2016] Getting webroot for domain='acme.domain.xyz'
    [Sat Jun 25 23:48:26 UTC 2016] Getting token for domain='acme.domain.xyz'
    [Sat Jun 25 23:48:32 UTC 2016] Verifying:acme.domain.xyz
    [Sat Jun 25 23:48:44 UTC 2016] Success
    [Sat Jun 25 23:48:44 UTC 2016] Verify finished, start to sign.
    [Sat Jun 25 23:48:49 UTC 2016] Cert success.
    -----BEGIN CERTIFICATE-----
    MIIFBjCCA+6gAwIBAgISAzw+e5JCgjLtlPuYwkS90P9MMA0GCSqGSIb3DQEBCwUA
    MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
    ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xNjA2MjUyMjQ5MDBaFw0x
    NjA5MjMyMjQ5MDBaMBwxGjAYBgNVBAMTEWFjbWUuaHR0cDJzc2wueHl6MIIBIjAN
    BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwSiPT5LMdtEPoDKy5JxPVR/qStWV
    Q1QjxIdd/EoSzsHUrIYQm947Rpa+Wmd8JQSkHqzQHLMhVJAvAXYL3KRYiXzSfDrL
    xSuuY2Ss/2YW6iC4SvNfhalpiuSb/UvMV32rFaspuwH1iCTZ7vXS2e9kh/EDdyZ8
    kTb8vFqsxHeuDHCX05gAiM8s+eWqItPlIaya67MtrWsydoX+cSRtDDFkTUZ9yO2Y
    pqjGD8r20+V/pX22xC9nzxMvuf1iwoxpyCB3zSDUmEuAHXiNsdGhmwl4nAOBRa7M
    kc53/srkaDNUeUFzrxOGL7ah3B0JdmZqlyGJ5VYC+8qVMKtpKUn3d6tGZwIDAQAB
    o4ICEjCCAg4wDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggr
    BgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBTTz/jvVrjOcuMJUd6jIbgb
    c29S5DAfBgNVHSMEGDAWgBSoSmpjBH3duubRObemRWXv86jsoTBwBggrBgEFBQcB
    AQRkMGIwLwYIKwYBBQUHMAGGI2h0dHA6Ly9vY3NwLmludC14My5sZXRzZW5jcnlw
    dC5vcmcvMC8GCCsGAQUFBzAChiNodHRwOi8vY2VydC5pbnQteDMubGV0c2VuY3J5
    cHQub3JnLzAcBgNVHREEFTATghFhY21lLmh0dHAyc3NsLnh5ejCB/gYDVR0gBIH2
    MIHzMAgGBmeBDAECATCB5gYLKwYBBAGC3xMBAQEwgdYwJgYIKwYBBQUHAgEWGmh0
    dHA6Ly9jcHMubGV0c2VuY3J5cHQub3JnMIGrBggrBgEFBQcCAjCBngyBm1RoaXMg
    Q2VydGlmaWNhdGUgbWF5IG9ubHkgYmUgcmVsaWVkIHVwb24gYnkgUmVseWluZyBQ
    YXJ0aWVzIGFuZCBvbmx5IGluIGFjY29sh@hhs2Ugd2l0aCB0aGUgQ2VydGlmaWNh
    dGUgUG9saWN5IGZvdW5kIGF0IGh0dHBzOi8vbGV0c2VuY3J5cHQub3JnL3JlcG9z
    aXRvcnkvMA0GCSqGSIb3DQEBCwUAA4IBAQB/DUA7m4dkdb9d8sC7M30NMEvbLHvt
    9fas4j+U66q+AY7xnCAdVME/yJPX9CimyQEsdoMhzzCKhWL9lOsramddmlENOVkL
    xprRYBSPCwGEPRV4EP3WEHMXa/R+DOBnNxABc7b90udRxBRGlQSjrkKQGJByOneW
    LYE+NPrkHQDoGy4WmW7k+sgf83dPvllyfX95pjFDrtHsLHXtFU9v3XJaJ+B0ldak
    WfDxj1C9VirqN+SOroy1z94Fk4ubDTLXdRMe6VDihH2Yj/Jp+xvetZFMe9PkgcYx
    x58TgVkjYStJsbSDjX6QAF2QfmPDHvM7PlDCutizr+TN4q1Gy+ykeiqQ
    -----END CERTIFICATE-----
    [Sat Jun 25 23:48:49 UTC 2016] Your cert is in /root/.acme.sh/acme.domain.xyz/acme.domain.xyz.cer
    [Sat Jun 25 23:48:50 UTC 2016] The intermediate CA cert is in /root/.acme.sh/acme.domain.xyz/ca.cer
    [Sat Jun 25 23:48:50 UTC 2016] And the full chain certs is there: /root/.acme.sh/acme.domain.xyz/fullchain.cer
      ssl_certificate      /usr/local/nginx/conf/ssl/acme.domain.xyz/acme.domain.xyz-acme.cer;
      ssl_certificate_key  /usr/local/nginx/conf/ssl/acme.domain.xyz/acme.domain.xyz-acme.key;
      ssl_trusted_certificate /usr/local/nginx/conf/ssl/acme.domain.xyz/acme.domain.xyz-acme.cer;
    

    Code (Text):
    -----------------------------------------------------------
    install cert
    -----------------------------------------------------------
    /root/.acme.sh/acme.sh --installcert -d acme.domain.xyz --certpath /usr/local/nginx/conf/ssl/acme.domain.xyz/acme.domain.xyz-acme.cer --keypath /usr/local/nginx/conf/ssl/acme.domain.xyz/acme.domain.xyz-acme.key --capath /usr/local/nginx/conf/ssl/acme.domain.xyz/acme.domain.xyz-acme.cer --reloadCmd /usr/bin/ngxreload --fullchainpath /usr/local/nginx/conf/ssl/acme.domain.xyz/acme.domain.xyz-fullchain-acme.key
    [Sat Jun 25 23:48:50 UTC 2016] Installing cert to:/usr/local/nginx/conf/ssl/acme.domain.xyz/acme.domain.xyz-acme.cer
    [Sat Jun 25 23:48:50 UTC 2016] Installing CA to:/usr/local/nginx/conf/ssl/acme.domain.xyz/acme.domain.xyz-acme.cer
    [Sat Jun 25 23:48:50 UTC 2016] Installing key to:/usr/local/nginx/conf/ssl/acme.domain.xyz/acme.domain.xyz-acme.key
    [Sat Jun 25 23:48:50 UTC 2016] Installing full chain to:/usr/local/nginx/conf/ssl/acme.domain.xyz/acme.domain.xyz-fullchain-acme.key
    [Sat Jun 25 23:48:50 UTC 2016] Run Le_ReloadCmd: /usr/bin/ngxreload
    Reloading nginx configuration (via systemctl):  [  OK  ]
    [Sat Jun 25 23:48:51 UTC 2016] Reload success.
    
    letsencrypt ssl certificate setup completed
    ssl certs located at: /usr/local/nginx/conf/ssl/acme.domain.xyz
    
    openssl x509 -noout -text < /usr/local/nginx/conf/ssl/acme.domain.xyz/acme.domain.xyz-acme.cer
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number:
                03:3c:3e:7b:92:42:82:32:ed:94:fb:98:c2:44:bd:d0:ff:4c
        Signature Algorithm: sha256WithRSAEncryption
            Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
            Validity
                Not Before: Jun 25 22:49:00 2016 GMT
                Not After : Sep 23 22:49:00 2016 GMT
            Subject: CN=acme.domain.xyz
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (2048 bit)
                    Modulus:
                        00:c1:28:8f:4f:92:cc:76:d1:0f:a0:32:b2:e4:9c:
                        4f:55:1f:ea:4a:d5:95:43:54:23:c4:87:5d:fc:4a:
                        12:ce:c1:d4:ac:86:10:9b:de:3b:46:96:be:5a:67:
                        7c:25:04:a4:1e:ac:d0:1c:b3:21:54:90:2f:01:76:
                        0b:dc:a4:58:89:7c:d2:7c:3a:cb:c5:2b:ae:63:64:
                        ac:ff:66:16:ea:20:b8:4a:f3:5f:85:a9:69:8a:e4:
                        9b:fd:4b:cc:57:7d:ab:15:ab:29:bb:01:f5:88:24:
                        d9:ee:f5:d2:d9:ef:64:87:f1:03:77:26:7c:91:36:
                        fc:bc:5a:ac:c4:77:ae:0c:70:97:d3:98:00:88:cf:
                        2c:f9:e5:aa:22:d3:e5:21:ac:9a:eb:b3:2d:ad:6b:
                        32:76:85:fe:71:24:6d:0c:31:64:4d:46:7d:c8:ed:
                        98:a6:a8:c6:0f:ca:f6:d3:e5:7f:a5:7d:b6:c4:2f:
                        67:cf:13:2f:b9:fd:62:c2:8c:69:c8:20:77:cd:20:
                        d4:98:4b:80:1d:78:8d:b1:d1:a1:9b:09:78:9c:03:
                        81:45:ae:cc:91:ce:77:fe:ca:e4:68:33:54:79:41:
                        73:af:13:86:2f:b6:a1:dc:1d:09:76:66:6a:97:21:
                        89:e5:56:02:fb:ca:95:30:ab:69:29:49:f7:77:ab:
                        46:67
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Key Usage: critical
                    Digital Signature, Key Encipherment
                X509v3 Extended Key Usage:
                    TLS Web Server Authentication, TLS Web Client Authentication
                X509v3 Basic Constraints: critical
                    CA:FALSE
                X509v3 Subject Key Identifier:
                    D3:CF:F8:EF:56:B8:CE:72:E3:09:51:DE:A3:21:B8:1B:73:6F:52:E4
                X509v3 Authority Key Identifier:
                    keyid:A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1
    
                Authority Information Access:
                    OCSP - URI:http://ocsp.int-x3.letsencrypt.org/
                    CA Issuers - URI:http://cert.int-x3.letsencrypt.org/
    
                X509v3 Subject Alternative Name:
                    DNS:acme.domain.xyz
                X509v3 Certificate Policies:
                    Policy: 2.23.140.1.2.1
                    Policy: 1.3.6.1.4.1.44947.1.1.1
                      CPS: http://cps.letsencrypt.org
                      User Notice:
                        Explicit Text: This Certificate may only be relied upon by Relying Parties and only in accordance with the Certificate Policy found at https://letsencrypt.org/repository/
    
        Signature Algorithm: sha256WithRSAEncryption
             7f:0d:40:3b:9b:87:64:75:bf:5d:f2:c0:bb:33:7d:0d:30:4b:
             db:2c:7b:ed:f5:f6:ac:e2:3f:94:eb:aa:be:01:8e:f1:9c:20:
             1d:54:c1:3f:c8:93:d7:f4:28:a6:c9:01:2c:76:83:21:cf:30:
             8a:85:62:fd:94:eb:2b:6a:67:5d:9a:51:0d:39:59:0b:c6:9a:
             d1:60:14:8f:0b:01:84:3d:15:78:10:fd:d6:10:73:17:6b:f4:
             7e:0c:e0:67:37:10:01:73:b6:fd:d2:e7:51:c4:14:46:95:04:
             a3:ae:42:90:18:90:72:3a:77:96:2d:81:3e:34:fa:e4:1d:00:
             e8:1b:2e:16:99:6e:e4:fa:c8:1f:f3:77:4f:be:59:72:7d:7f:
             79:a6:31:43:ae:d1:ec:2c:75:ed:15:4f:6f:dd:72:5a:27:e0:
             74:95:d6:a4:59:f0:f1:8f:50:bd:56:2a:ea:37:e4:8e:ae:8c:
             b5:cf:de:05:93:8b:9b:0d:32:d7:75:13:1e:e9:50:e2:84:7d:
             98:8f:f2:69:fb:1b:de:b5:91:4c:7b:d3:e4:81:c6:31:c7:9f:
             13:81:59:23:61:2b:49:b1:b4:83:8d:7e:90:00:5d:90:7e:63:
             c3:1e:f3:3b:3e:50:c2:ba:d8:b3:af:e4:cd:e2:ad:46:cb:ec:
             a4:7a:2a:90
    

    acmetool.sh push notification to Android mobile



    Pushover notification of Letsencrypt SSL certificate creation and expiry date.

    pushnotification-acmemenu-submenu1.png

    testssl run



    testssl diagnostic run for created HTTPS site. Test shows a live Letsencrypt SSL certificate was issued not staging test one, so a few bugs to iron out in acme-menu mode :)
    Code (Text):
    testssl https://acme.domain.xyz
    
    ###########################################################
        testssl       2.7dev from https://testssl.sh/dev/
        (1.507 2016/06/24 17:00:58)
    
          This program is free software. Distribution and
                 modification under GPLv2 permitted.
          USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!
    
           Please file bugs @ https://testssl.sh/bugs/
    
    ###########################################################
    
    Using "OpenSSL 1.0.2-chacha (1.0.2i-dev)" [~183 ciphers]
    on bc729902afe0:/usr/local/http2-15/bin/openssl
    (built: "reproducible build, date unspecified", platform: "linux-x86_64")
    
    
    Start 2016-06-25 23:55:22    -->> IPADDR:443 (acme.domain.xyz) <<--
    
    rDNS (IPADDR):   --
    Service detected:       HTTP
    
    
    Testing protocols (via sockets except TLS 1.2, SPDY+HTTP2)
    
    SSLv2      not offered (OK)
    SSLv3      not offered (OK)
    TLS 1      offered
    TLS 1.1    offered
    TLS 1.2    offered (OK)
    SPDY/NPN   h2, http/1.1 (advertised)
    HTTP2/ALPN h2, http/1.1 (offered)
    
    Testing ~standard cipher lists
    
    Null Ciphers                 not offered (OK)
    Anonymous NULL Ciphers       not offered (OK)
    Anonymous DH Ciphers         not offered (OK)
    40 Bit encryption            not offered (OK)
    56 Bit encryption            not offered (OK)
    Export Ciphers (general)     not offered (OK)
    Low (<=64 Bit)               not offered (OK)
    DES Ciphers                  not offered (OK)
    Medium grade encryption      not offered (OK)
    Triple DES Ciphers           not offered (OK)
    High grade encryption        offered (OK)
    
    
    Testing robust (perfect) forward secrecy, (P)FS -- omitting Null Authentication/Encryption as well as 3DES and RC4 here
    
    PFS is offered (OK)  ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES128-SHA
    
    
    Testing server preferences
    
    Has server cipher order?     yes (OK)
    Negotiated protocol          TLSv1.2
    Negotiated cipher            ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH
    Cipher order
        TLSv1:     ECDHE-RSA-AES128-SHA
        TLSv1.1:   ECDHE-RSA-AES128-SHA
        TLSv1.2:   ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES128-SHA
        h2:        ECDHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES128-SHA256 DHE-RSA-AES128-SHA DHE-RSA-AES256-SHA256 DHE-RSA-AES256-SHA AES128-GCM-SHA256 AES256-GCM-SHA384 AES128-SHA256 AES256-SHA256 AES128-SHA AES256-SHA
        http/1.1:  ECDHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES128-SHA256 DHE-RSA-AES128-SHA DHE-RSA-AES256-SHA256 DHE-RSA-AES256-SHA AES128-GCM-SHA256 AES256-GCM-SHA384 AES128-SHA256 AES256-SHA256 AES128-SHA AES256-SHA
    
    
    Testing server defaults (Server Hello)
    
    TLS extensions (standard)    "server name/#0" "renegotiation info/#65281" "EC point formats/#11" "session ticket/#35" "heartbeat/#15" "next protocol/#13172"
    Session Tickets RFC 5077     3600 seconds (PFS requires session ticket keys to be rotated <= daily)
    SSL Session ID support       yes
    TLS clock skew               random values, no fingerprinting possible
    Signature Algorithm          SHA256 with RSA
    Server key size              RSA 2048 bits
    Fingerprint / Serial         SHA1 9D6DA3F52C63F90361C15FE3572DE95939D0CC02 / 033C3E7B92428232ED94FB98C244BDD0FF4C
                                  SHA256 F1D43135DF724856DB09C3B04FE9916ABC90D87F540492BC4D10D2FD2AD20523
    Common Name (CN)             "acme.domain.xyz" (CN in response to request w/o SNI: "acme.domain.xyz")
    subjectAltName (SAN)         "acme.domain.xyz"
    Issuer                       "Let's Encrypt Authority X3" ("Let's Encrypt" from "US")
    EV cert (experimental)       no
    Certificate Expiration       89 >= 30 days (2016-06-25 22:49 --> 2016-09-23 22:49 +0000)
    # of certificates provided   2
    Chain of trust (experim.)    "/usr/bin/etc/*.pem" cannot be found / not readable
    Certificate Revocation List  --
    OCSP URI                     http://ocsp.int-x3.letsencrypt.org/
    OCSP stapling                --
    
    
    Testing HTTP header response @ "/"
    
    HTTP Status Code             200 OK
    HTTP clock skew              0 sec from localtime
    Strict Transport Security    --
    Public Key Pinning           --
    Server banner                nginx centminmod
    Application banner           X-Powered-By: centminmod
    Cookie(s)                    (none issued at "/")
    Security headers             --
    Reverse Proxy banner         --
    
    
    Testing vulnerabilities
    
    Heartbleed (CVE-2014-0160)                not vulnerable (OK)
    CCS (CVE-2014-0224)                       not vulnerable (OK)
    Secure Renegotiation (CVE-2009-3555)      not vulnerable (OK)
    Secure Client-Initiated Renegotiation     not vulnerable (OK)
    CRIME, TLS (CVE-2012-4929)                not vulnerable (OK)
    BREACH (CVE-2013-3587)                    no HTTP compression (OK)  - only supplied "/" tested
    POODLE, SSL (CVE-2014-3566)               not vulnerable (OK)
    TLS_FALLBACK_SCSV (RFC 7507), experim.    Downgrade attack prevention supported (OK)
    FREAK (CVE-2015-0204)                     not vulnerable (OK)
    DROWN (2016-0800, CVE-2016-0703), exper.  not vulnerable on this port (OK)
                                               make sure you don't use this certificate elsewhere with SSLv2 enabled services
                                               https://censys.io/ipv4?q=F1E43135DF724856DB09C3B04FE9916ABC90E87F540492BC4D10D2FD2AD20523 could help you to find out
    LOGJAM (CVE-2015-4000), experimental      not vulnerable (OK), common primes not checked. See below for any DH ciphers + bit size
    BEAST (CVE-2011-3389)                     TLS1: ECDHE-RSA-AES128-SHA
                                               VULNERABLE -- but also supports higher protocols (possible mitigation): TLSv1.1 TLSv1.2
    RC4 (CVE-2013-2566, CVE-2015-2808)        no RC4 ciphers detected (OK)
    
    
    Testing all 183 locally available ciphers against the server, ordered by encryption strength
    
    Hexcode  Cipher Suite Name (OpenSSL)       KeyExch.  Encryption Bits
    ------------------------------------------------------------------------
    xc030   ECDHE-RSA-AES256-GCM-SHA384       ECDH 256   AESGCM    256   
    xc028   ECDHE-RSA-AES256-SHA384           ECDH 256   AES       256   
    xc02f   ECDHE-RSA-AES128-GCM-SHA256       ECDH 256   AESGCM    128   
    xc027   ECDHE-RSA-AES128-SHA256           ECDH 256   AES       128   
    xc013   ECDHE-RSA-AES128-SHA              ECDH 256   AES       128   
    
    
    Running browser simulations (experimental)
    
    Android 2.3.7                 TLSv1.0 DHE-RSA-AES128-SHA
    Android 4.0.4                 TLSv1.0 ECDHE-RSA-AES128-SHA
    Android 4.1.1                 TLSv1.0 ECDHE-RSA-AES128-SHA
    Android 4.2.2                 TLSv1.0 ECDHE-RSA-AES128-SHA
    Android 4.3                   TLSv1.0 ECDHE-RSA-AES128-SHA
    Android 4.4.2                 TLSv1.1 ECDHE-RSA-AES128-SHA
    Android 5.0.0                 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
    Baidu Jan 2015                TLSv1.0 ECDHE-RSA-AES128-SHA
    BingPreview Jan 2015          TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
    Chrome 47 / OSX               TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
    Firefox 31.3.0ESR / Win7      TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
    Firefox 42 / OSX              TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
    GoogleBot Feb 2015            TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
    IE6 / XP                      No connection
    IE7 / Vista                   TLSv1.0 ECDHE-RSA-AES128-SHA
    IE8 / XP                      No connection
    IE8-10 / Win7                 TLSv1.0 ECDHE-RSA-AES128-SHA
    IE11 / Win7                   TLSv1.2 ECDHE-RSA-AES128-SHA256
    IE11 / Win8.1                 TLSv1.2 ECDHE-RSA-AES128-SHA256
    IE10 / Win Phone 8.0          TLSv1.0 ECDHE-RSA-AES128-SHA
    IE11 / Win Phone 8.1          TLSv1.2 ECDHE-RSA-AES128-SHA256
    IE11 / Win Phone 8.1 Update   TLSv1.2 ECDHE-RSA-AES128-SHA256
    IE11 / Win10                  TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
    Edge 13 / Win10               TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
    Edge 12 / Win Phone 10        TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
    Java 6u45                     TLSv1.0 DHE-RSA-AES128-SHA
    Java 7u25                     TLSv1.0 ECDHE-RSA-AES128-SHA
    Java 8u31                     TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
    OpenSSL 0.9.8y                No connection
    OpenSSL 1.0.1l                TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
    OpenSSL 1.0.2e                TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
    Safari 5.1.9/ OSX 10.6.8      TLSv1.0 ECDHE-RSA-AES128-SHA
    Safari 6 / iOS 6.0.1          TLSv1.2 ECDHE-RSA-AES128-SHA256
    Safari 6.0.4/ OS X 10.8.4     TLSv1.0 ECDHE-RSA-AES128-SHA
    Safari 7 / iOS 7.1            TLSv1.2 ECDHE-RSA-AES128-SHA256
    Safari 7 / OS X 10.9          TLSv1.2 ECDHE-RSA-AES128-SHA256
    Safari 8 / iOS 8.4            TLSv1.2 ECDHE-RSA-AES128-SHA256
    Safari 8 / OS X 10.10         TLSv1.2 ECDHE-RSA-AES128-SHA256
    Safari 9 / iOS 9              TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
    Safari 9 / OS X 10.11         TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
    
     
    Last edited: Jun 26, 2016
  11. eva2000

    eva2000 Administrator Staff Member

    53,554
    12,135
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,678
    Local Time:
    1:29 PM
    Nginx 1.27.x
    MariaDB 10.x/11.4+

    addons/acmetool.sh installation routine



    More testing. To install underlying acme.sh tool you run addons/acmetool.sh acmeinstall routine via command line (or via acme-menu mode)
    Code (Text):
    ./acmetool.sh acmeinstall
    
    -----------------------------------------------------
    installing acme.sh client...
    -----------------------------------------------------
    Initialized empty Git repository in /root/tools/acme.sh/.git/
    [Mon Jul 25 17:37:00 UTC 2016] Installing to /root/.acme.sh
    [Mon Jul 25 17:37:00 UTC 2016] Installed to /root/.acme.sh/acme.sh
    [Mon Jul 25 17:37:00 UTC 2016] OK, Close and reopen your terminal to start using acme.sh
    [Mon Jul 25 17:37:00 UTC 2016] Installing cron job
    [Mon Jul 25 17:37:00 UTC 2016] Good, bash is installed, change the shebang to use bash as prefered.
    [Mon Jul 25 17:37:00 UTC 2016] OK
    https://github.com/Neilpang/acme.sh
    v2.3.2
    Usage: acme.sh  command ...[parameters]....
    Commands:
      --help, -h               Show this help message.
      --version, -v            Show version info.
      --install                Install acme.sh to your system.
      --uninstall              Uninstall acme.sh, and uninstall the cron job.
      --upgrade                Upgrade acme.sh to the latest code from https://github.com/Neilpang/acme.sh
      --issue                  Issue a cert.
      --installcert            Install the issued cert to apache/nginx or any other server.
      --renew, -r              Renew a cert.
      --renewAll               Renew all the certs
      --revoke                 Revoke a cert.
      --list                   List all the certs
      --installcronjob         Install the cron job to renew certs, you don't need to call this. The 'install' command can automatically install the cron job.
      --uninstallcronjob       Uninstall the cron job. The 'uninstall' command can do this automatically.
      --cron                   Run cron job to renew all the certs.
      --toPkcs                 Export the certificate and key to a pfx file.
      --createAccountKey, -cak Create an account private key, professional use.
      --createDomainKey, -cdk  Create an domain private key, professional use.
      --createCSR, -ccsr       Create CSR , professional use.
    Parameters:
      --domain, -d   domain.tld         Specifies a domain, used to issue, renew or revoke etc.
      --force, -f                       Used to force to install or force to renew a cert immediately.
      --staging, --test                 Use staging server, just for test.
      --debug                           Output debug info.
     
      --webroot, -w  /path/to/webroot   Specifies the web root folder for web root mode.
      --standalone                      Use standalone mode.
      --tls                             Use standalone tls mode.
      --apache                          Use apache mode.
      --dns [dns_cf|dns_dp|dns_cx|/path/to/api/file]   Use dns mode or dns api.
      --dnssleep  [120]                  The time in seconds to wait for all the txt records to take effect in dns api mode. Default 120 seconds.
      --keylength, -k [2048]            Specifies the domain key length: 2048, 3072, 4096, 8192 or ec-256, ec-384.
      --accountkeylength, -ak [2048]    Specifies the account key length.
      These parameters are to install the cert to nginx/apache or anyother server after issue/renew a cert:
      --certpath /path/to/real/cert/file  After issue/renew, the cert will be copied to this path.
      --keypath /path/to/real/key/file  After issue/renew, the key will be copied to this path.
      --capath /path/to/real/ca/file    After issue/renew, the intermediate cert will be copied to this path.
      --fullchainpath /path/to/fullchain/file After issue/renew, the fullchain cert will be copied to this path.
      --reloadcmd "service nginx reload" After issue/renew, it's used to reload the server.
    
      --accountconf                     Specifies a customized account config file.
      --home                            Specifies the home dir for acme.sh .
      --certhome                        Specifies the home dir to save all the certs, only valid for '--install' command.
      --useragent                       Specifies the user agent string. it will be saved for future use too.
      --accountemail                    Specifies the account email for registering, Only valid for the '--install' command.
      --accountkey                      Specifies the account key path, Only valid for the '--install' command.
      --days                            Specifies the days to renew the cert when using '--issue' command. The max value is 80 days.
      --httpport                        Specifies the standalone listening port. Only valid if the server is behind a reverse proxy or load balancer.
      --tlsport                         Specifies the standalone tls listening port. Only valid if the server is behind a reverse proxy or load balancer.
      --listraw                         Only used for '--list' command, list the certs in raw format.
      --stopRenewOnError, -se           Only valid for '--renewall' command. Stop if one cert has error in renewal.
      --insecure                        Do not check the server certificate, in some devices, the api server's certificate may not be trusted.
      --nocron                          Only valid for '--install' command, which means: do not install the default cron job. In this case, the certs will not be renewed automatically.
    
    -----------------------------------------------------
    check acme auto renew cronjob setup:
    -----------------------------------------------------
    0 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null
    -----------------------------------------------------
    acme.sh installed
    -----------------------------------------------------
    

    This will output install routine via git and output the cronjob setup by acme.sh for cronjob auto renewals of letsencrypt ssl certificates.

    FYI, you can also do the initial install via acme-menu option 1 too
    Code (Text):
    ./acmetool.sh acme-menu
    
    --------------------------------------------------------
            SSL Management              
    --------------------------------------------------------
    1).  acemtool.sh install
    2).  acmetool.sh update
    3).  acmetool.sh setup
    4).  Issue SSL Management
    5).  Renew SSL Management
    6).  Reissue SSL Management
    7).  Renew All Staging /Test Certs
    8).  Renew ALL Live Certs 
    9).  Renew All Live Certs HTTPS Default
    10). Exit
    --------------------------------------------------------
    Enter option [ 1 - 10 ] 1
    --------------------------------------------------------
    
     
    Last edited: Jul 26, 2016
  12. eva2000

    eva2000 Administrator Staff Member

    53,554
    12,135
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,678
    Local Time:
    1:29 PM
    Nginx 1.27.x
    MariaDB 10.x/11.4+

    Preparing for public beta testing for addons/acmetool.sh



    The above outlined addons/acmetool.sh for letsencrypt ssl certificates is nearly ready for public beta testing. It is still beta so needs testing before being marked as stable. The below are the requirements for beta testing addons/acmetool.sh

    Requirements for addon/acmetool.sh testing
    1. A test domain name or subdomain names with DNS updated to point to a test server i.e. testdomain.com or testsubdomain.domain.com
    2. Test server that at internet addressable and accessible. This means you must be able to point a test domain name or subdomain name's DNS A record to the test server's IP address.
    3. Test server must already have Centmin Mod LEMP stack installed - 123.09beta01 precisely. Install instructions for Centmin Mod 123.09beta01 outlined here.
    4. Be willing to completely wipe CentOS OS and reinstall Centmin Mod 123.09beta01 when required
    5. Be willing to completely wipe the testdomain.com or testsubdomain.domain.com ssl cert, files and nginx vhost during beta testing
    When you generate an Centmin Mod Nginx vhost via centmin.sh menu option 2, 22 or via acmetool.sh the end output also lists commands to remove the domain you just created. There's also a log saved for the output so you can reference back to it.

    Example of the output to delete the pure-ftpd virtual ftp user that was auto generated and the nginx vhost files and ssl related files.
    Code (Text):
    -------------------------------------------------------------
    Commands to remove testsubdomain.domain.com
    
     pure-pw userdel mbnAA9Ii9iwWdW
     rm -rf /usr/local/nginx/conf/conf.d/testsubdomain.domain.com.conf
     rm -rf /usr/local/nginx/conf/conf.d/testsubdomain.domain.com.ssl.conf
     rm -rf /usr/local/nginx/conf/ssl/testsubdomain.domain.com/testsubdomain.domain.com.crt
     rm -rf /usr/local/nginx/conf/ssl/testsubdomain.domain.com/testsubdomain.domain.com.key
     rm -rf /usr/local/nginx/conf/ssl/testsubdomain.domain.com/testsubdomain.domain.com.csr
     rm -rf /usr/local/nginx/conf/ssl/testsubdomain.domain.com
     rm -rf /home/nginx/domains/testsubdomain.domain.com
     service nginx restart
    
    -------------------------------------------------------------
    vhost for testsubdomain.domain.com setup successfully
    testsubdomain.domain.com setup info log saved at: 
    /root/centminlogs/centminmod_250716-175142_nginx_addvhost_nv.log
    -------------------------------------------------------------
    
     
  13. eva2000

    eva2000 Administrator Staff Member

    53,554
    12,135
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,678
    Local Time:
    1:29 PM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
Thread Status:
Not open for further replies.