
SSL Where do you suggest getting a SSL Certificate

Discussion in 'Domains, DNS, Email & SSL Certificates' started by Itworx4me, Oct 15, 2018.

  1. Itworx4me

    Itworx4me Premium Member Premium Member

    105
    12
    18
    Mar 14, 2017
    Ratings:
    +15
    Local Time:
    4:23 AM
    Nginx 1.15.X
    MariaDB 10.1.X
    As per the title. Also how would a person add this to a non-vHost site?

    Thanks,
    Itworx4me
     
  2. eva2000

    eva2000 Administrator Staff Member

    36,915
    8,074
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +12,438
    Local Time:
    10:23 PM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    non-vhost ??? All SSL certificates for HTTPS require a site/nginx vhost account
     
  3. Itworx4me

    I currently have an nginx vhost site that doesn’t have an SSL. I am looking to add this to the current vhost site. Where do you suggest getting an SSL and how would you go about adding it to the vhost site?
     
  4. eva2000

    For existing Centmin Mod Nginx non-HTTPS vhosts, you can follow method 3, the migrating existing non-HTTPS to HTTPS guide, at "SSL - Centmin Mod Nginx + SPDY & HTTP/2 SSL Setup Guide". Or use the direct link "Migrating Existing Nginx Vhost From HTTP to HTTP/2 based HTTPS With Letsencrypt SSL Certificates".
     
  5. Itworx4me

  6. eva2000

    1st link if using paid non-letsencrypt ssl, 2nd link if using centmin mod integrated letsencrypt ssl certs
     
  7. Itworx4me

    Is one better than the other?
     
  8. eva2000

  9. Itworx4me

    When I get to the end of step 6 I get this error:
    Code:
     nprestart
    Restarting nginx (via systemctl):  Job for nginx.service failed because the control process exited with error code. See "systemctl status nginx.service" and "journalctl -xe" for details.
                                                               [FAILED]
    Gracefully shutting down php-fpm . done
    Starting php-fpm  done
    
    Any ideas? Whatever happened took down my site....
     
  10. eva2000

    output for nginx config check
    Code (Text):
    nginx -t
    
     
  11. Itworx4me

    Code (Text):
    nginx: [emerg] access_log "/home/nginx/domains/domain.com/log/access.log" already defined with conflicting parameters in /usr/local/nginx/conf/conf.d/domain.com.ssl.conf:52
    nginx: configuration file /usr/local/nginx/conf/nginx.conf test failed
    
     
  12. eva2000

    what's output for command
    Code (Text):
    grep -ri 'access_log' /usr/local/nginx/conf/conf.d/
    
     
  13. Itworx4me

    Code (Text):
    /usr/local/nginx/conf/conf.d/demodomain.com.conf:            access_log /home/nginx/domains/demodomain.com/log/access.log ;
    /usr/local/nginx/conf/conf.d/virtual.conf:        access_log              /var/log/nginx/localhost.access.log     combined buffer=8k flush=1m;
    /usr/local/nginx/conf/conf.d/virtual.conf:        access_log   off;
    /usr/local/nginx/conf/conf.d/domain2.com.conf:  access_log /home/nginx/domains/domain2.com/log/access.log main_ext buffer=256k flush=60m;
    /usr/local/nginx/conf/conf.d/domain.com.conf:  access_log /home/nginx/domains/domain.com/log/access.log main_ext buffer=256k flush=60m;
    /usr/local/nginx/conf/conf.d/domain.com.ssl.conf:  access_log /home/nginx/domains/domain.com/log/access.log combined buffer=256k flush=5m;
    
     
  14. eva2000

    edit /usr/local/nginx/conf/conf.d/virtual.conf

    change access_log settings ending with
    Code (Text):
    buffer=8k flush=1m
    

    To
    Code (Text):
    buffer=256k flush=5m
    

    edit /usr/local/nginx/conf/conf.d/domain2.com.conf and /usr/local/nginx/conf/conf.d/domain.com.conf

    change access_log settings ending with
    Code (Text):
    buffer=256k flush=60m
    

    To
    Code (Text):
    buffer=256k flush=5m
    

    then restart nginx service
     
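
An added example, not part of the thread or of Centmin Mod: it reads the output of the `grep -ri 'access_log'` command above and reports every log path whose buffered definitions disagree, which is the condition behind the `already defined with conflicting parameters` error. It assumes nginx compares the `buffer`, `flush` and `gzip` settings of each buffered `access_log` writing to the same file; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: flag access_log paths whose buffered definitions disagree.
# Input: the output of  grep -ri 'access_log' /usr/local/nginx/conf/conf.d/

find_access_log_conflicts() {
  awk '
    {
      file = $0; sub(/:.*/, "", file)                 # vhost file named by grep
      line = $0; sub(/^[^:]*:[ \t]*/, "", line)       # the directive itself
      sub(/[ \t]*;[ \t]*$/, "", line)                 # drop the trailing semicolon
      n = split(line, f, /[ \t]+/)
      if (f[1] != "access_log" || f[2] == "off") next
      buf = "-"; flush = "-"; gz = "-"
      for (i = 3; i <= n; i++) {
        if (f[i] ~ /^buffer=/) buf = f[i]
        else if (f[i] ~ /^flush=/) flush = f[i]
        else if (f[i] ~ /^gzip/) gz = f[i]
      }
      if (buf == "-" && gz == "-") next               # unbuffered: not compared (assumption)
      key = buf " " flush " " gz
      path = f[2]
      if (!((path, key) in seen)) { seen[path, key] = 1; variants[path]++ }
      detail[path] = detail[path] "  " file ": " key "\n"
    }
    END {
      for (p in variants)
        if (variants[p] > 1) printf "CONFLICT %s\n%s", p, detail[p]
    }'
}

# Sample input: the grep output posted in the thread.
sample_grep_output() {
  cat <<'EOF'
/usr/local/nginx/conf/conf.d/demodomain.com.conf:            access_log /home/nginx/domains/demodomain.com/log/access.log ;
/usr/local/nginx/conf/conf.d/virtual.conf:        access_log              /var/log/nginx/localhost.access.log     combined buffer=8k flush=1m;
/usr/local/nginx/conf/conf.d/virtual.conf:        access_log   off;
/usr/local/nginx/conf/conf.d/domain2.com.conf:  access_log /home/nginx/domains/domain2.com/log/access.log main_ext buffer=256k flush=60m;
/usr/local/nginx/conf/conf.d/domain.com.conf:  access_log /home/nginx/domains/domain.com/log/access.log main_ext buffer=256k flush=60m;
/usr/local/nginx/conf/conf.d/domain.com.ssl.conf:  access_log /home/nginx/domains/domain.com/log/access.log combined buffer=256k flush=5m;
EOF
}

sample_grep_output | find_access_log_conflicts
```

Running it before `nginx -t` on a live server shows which vhost files need matching values, so the restart is not the first place the mismatch surfaces.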
  15. Itworx4me

    Thank you @eva2000 for helping me get this fixed. Onto step 7 :)
     
  16. Itworx4me

    Another issue, @eva2000. When I use this command:
    Code (Text):
    mv /usr/local/nginx/conf/conf.d/newdomain.com.conf /usr/local/nginx/conf/conf.d/newdomain.com.conf-disabled


    It takes my site down completely. Any ideas? I had to reverse this in order to get my site back up.

    Thanks,
    Itworx4me
     
  17. eva2000

  18. Itworx4me

    Yes I followed your steps to a tee. Here is my ssl.conf file.
    Code (Text):
    # Centmin Mod Getting Started Guide
    # must read http://centminmod.com/getstarted.html
    # For HTTP/2 SSL Setup
    # read http://centminmod.com/nginx_configure_https_ssl_spdy.html
    
    # redirect from www to non-www  forced SSL
    # uncomment, save file and restart Nginx to enable
    # if unsure use return 302 before using return 301
     server {
       server_name domain.com www.domain.com;
        return 302 https://domain.com$request_uri;
     }
    
    server {
      listen 443 ssl http2;
      server_name domain.com www.domain.com;
    
      ssl_dhparam /usr/local/nginx/conf/ssl/domain.com/dhparam.pem;
      ssl_certificate      /usr/local/nginx/conf/ssl/domain.com/domain.com-acme.cer;
      ssl_certificate_key  /usr/local/nginx/conf/ssl/domain.com/domain.com-acme.key;
      include /usr/local/nginx/conf/ssl_include.conf;
    
      http2_max_field_size 16k;
      http2_max_header_size 32k;
      # dual cert supported ssl ciphers
      ssl_ciphers TLS13-AES-128-GCM-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS;
      ssl_prefer_server_ciphers   on;
      #add_header Alternate-Protocol  443:npn-spdy/3;
      #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
      #add_header X-Frame-Options SAMEORIGIN;
      #add_header X-Xss-Protection "1; mode=block" always;
      #add_header X-Content-Type-Options "nosniff" always;
      #spdy_headers_comp 5;
      ssl_buffer_size 1369;
      ssl_session_tickets on;
    
      # enable ocsp stapling
      resolver 8.8.8.8 8.8.4.4 valid=10m;
      resolver_timeout 10s;
      ssl_stapling on;
      ssl_stapling_verify on;
      ssl_trusted_certificate /usr/local/nginx/conf/ssl/domain.com/domain.com-acme.cer;
    
    # ngx_pagespeed & ngx_pagespeed handler
    #include /usr/local/nginx/conf/pagespeed.conf;
    #include /usr/local/nginx/conf/pagespeedhandler.conf;
    #include /usr/local/nginx/conf/pagespeedstatslog.conf;
    
      # limit_conn limit_per_ip 16;
      # ssi  on;
    
      access_log /home/nginx/domains/domain.com/log/access.log combined buffer=256k flush=5m;
      error_log /home/nginx/domains/domain.com/log/error.log;
    
      root /home/nginx/domains/domain.com/public;
    
    location / {
         index index.php index.html index.htm;
         try_files $uri $uri/ /index.php?$uri&$args;
    }
    
    location /admin.php {
         auth_basic "Private";
         auth_basic_user_file /usr/local/nginx/conf/htpasswd_admin_php;
            include /usr/local/nginx/conf/php.conf;
            allow ;
            allow ;
            deny all;
    }
    
    location /install/data/ {
         internal;
    }
    
    location /install/templates/ {
         internal;
    }
    
    location /internal_data/ {
         internal;
    }
    
    # xenforo 2 uncomment / remove hash from next 3 lines
    location /src/ {
         internal;
    }
    
      include /usr/local/nginx/conf/staticfiles.conf;
      include /usr/local/nginx/conf/php.conf;
      #include /usr/local/nginx/conf/drop.conf;
      #include /usr/local/nginx/conf/errorpage.conf;
      include /usr/local/nginx/conf/vts_server.conf;
    }
    
     
  19. eva2000

    With non-https vhost domain.com.conf disabled, can you test in SSH via curl to check headers for location field (where the redirect goes) using the following commands:
    Code (Text):
    curl -I http://domain.com
    

    Code (Text):
    curl -I http://www.domain.com
    

    Code (Text):
    curl -I https://domain.com
    

    Code (Text):
    curl -I https://www.domain.com
    
     
  20. Itworx4me

    Code (Text):
    HTTP/1.1 302 Moved Temporarily
    Date: Sun, 21 Oct 2018 21:49:22 GMT
    Content-Type: text/html
    Connection: keep-alive
    Set-Cookie: __cfduid=d60f7424d7ffed9473ba89aa592f690931540158562; expires=Mon, 21-Oct-19 21:49:22 GMT; path=/; domain=.domain.com; HttpOnly
    Location: https://domain.com/
    X-Powered-By: centminmod
    Server: cloudflare
    CF-RAY: 46d6ef06269ab9be-ATL
    


    Code (Text):
    HTTP/1.1 302 Moved Temporarily
    Date: Sun, 21 Oct 2018 21:51:25 GMT
    Content-Type: text/html
    Connection: keep-alive
    Set-Cookie: __cfduid=d5f0b57e7f00c4cf16404269ed6de255a1540158685; expires=Mon, 21-Oct-19 21:51:25 GMT; path=/; domain=.domain.com; HttpOnly
    Location: https://domain.com/
    X-Powered-By: centminmod
    Server: cloudflare
    CF-RAY: 46d6f205d1315e82-TPA


    Code (Text):
    HTTP/1.1 302 Moved Temporarily
    Date: Sun, 21 Oct 2018 21:52:35 GMT
    Content-Type: text/html
    Connection: keep-alive
    Set-Cookie: __cfduid=ddebae70f659d7f12cec14b4ee4f611a91540158755; expires=Mon, 21-Oct-19 21:52:35 GMT; path=/; domain=.domain.com; HttpOnly
    Location: https://domain.com/
    X-Powered-By: centminmod
    Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
    Server: cloudflare
    CF-RAY: 46d6f3bfaf8e5e70-TPA


    Code (Text):
    HTTP/1.1 302 Moved Temporarily
    Date: Sun, 21 Oct 2018 21:53:47 GMT
    Content-Type: text/html
    Connection: keep-alive
    Set-Cookie: __cfduid=d50457230c8c107c1dc144c9b52c3e5511540158827; expires=Mon, 21-Oct-19 21:53:47 GMT; path=/; domain=.domain.com; HttpOnly
    Location: https://domain.com/
    X-Powered-By: centminmod
    Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
    Server: cloudflare
    CF-RAY: 46d6f57f4c5b5e6a-TPA
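
An added example, not part of the thread or of Centmin Mod: it classifies a `curl -I` response by comparing the `Location` header with the URL that was requested, so a redirect that points back at itself stands out. It assumes the four dumps above are in the same order as the four `curl` commands; the sample response is abridged from them and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: classify one `curl -I` response read from stdin.
# Live use:  curl -sI "$url" | redirect_verdict "$url"

redirect_verdict() {
  awk -v url="$1" '
    function norm(u) { sub(/\/$/, "", u); return u }   # ignore a trailing slash
    { sub(/\r$/, "") }                                  # curl prints CRLF line ends
    NR == 1 { status = $2 }                             # e.g. "HTTP/1.1 302 ..."
    tolower($1) == "location:" { loc = $2 }
    END {
      if (status !~ /^3/ || loc == "") print "no-redirect " status
      else if (norm(loc) == norm(url)) print "self-redirect " loc
      else print "redirect " loc
    }'
}

# Sample response: status and Location as posted in the thread (abridged).
sample_response() {
  printf 'HTTP/1.1 302 Moved Temporarily\r\n'
  printf 'Location: https://domain.com/\r\n'
  printf 'X-Powered-By: centminmod\r\n'
  printf 'Server: cloudflare\r\n\r\n'
}

# Apply the same response to the four URLs that were tested.
check_thread_urls() {
  for u in http://domain.com http://www.domain.com \
           https://domain.com https://www.domain.com; do
    printf '%s %s\n' "$u" "$(sample_response | redirect_verdict "$u")"
  done
}

check_thread_urls
```

A `self-redirect` verdict on the canonical HTTPS URL means a client following redirects never reaches content, which matches the site appearing down.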
     