Cài đặt SSL Let’s Encrypt cho Centmin Mod

Let’s Encrypt là một nhà cung cấp chứng chỉ số SSL (Certificate Authority) cho các web server. Ưu điểm của Let’s Encript là đơn giản, dễ sử dụng và đặc biệt, nó cung cấp các SSL certificate hoàn toàn miễn phí.

Mặc định khi thêm mới domain bằng chức năng số 2 hoặc 22 thì Centmin Mod cũng cung cấp cho bạn một lựa chọn để tạo chứng chỉ SSL, tuy nhiên vì độ phổ biến của Let’s Encript nên mình vẫn hay dùng nó hơn. Để tạo chứng chỉ SSL của Let’s Encript ta sử dụng một addon chỉ có trên Centmin Mod Beta là acmetool.sh.

Các bước cài đặt acmetool

Để cài đặt acmetool trước tiên phải cài đặt Centmin Mod đã, sau khi hoàn tất cài đặt Centmin Mod vào thư mục addon của Centmin Mod.

cd /usr/local/src/centminmod/addons

Trong thư mục addon dùng lệnh sau để cài acmetool

./acmetool.sh acmeinstall

Sau khi bấm enter bạn sẽ được thông báo acmetool đang trong giai đoạn thử nghiệm, nếu có lỗi trong quá trình sử dụng có thể phản hồi qua đường link https://centminmod.com/acmetool

-------------------------------------------------
acmetool.sh is in beta testing phase
please read & provide bug reports &
feedback for this tool via the forums
https://centminmod.com/acmetool
-------------------------------------------------

continue [y/n] ? y

Bấm “y” để tiếp tục cài đặt acmetool.

Sau khi bấm “y” quá trình cài đặt sẽ bắt đầu.

-----------------------------------------------------
installing acme.sh client...
-----------------------------------------------------
Cloning into 'acme.sh'...
[Sun Sep 22 17:11:29 UTC 2019] It is recommended to install socat first.
[Sun Sep 22 17:11:29 UTC 2019] We use socat for standalone server if you use standalone mode.
[Sun Sep 22 17:11:29 UTC 2019] If you don't use standalone mode, just ignore this warning.
[Sun Sep 22 17:11:29 UTC 2019] Installing to /root/.acme.sh
[Sun Sep 22 17:11:29 UTC 2019] Installed to /root/.acme.sh/acme.sh
[Sun Sep 22 17:11:29 UTC 2019] Installing alias to '/root/.bashrc'
[Sun Sep 22 17:11:29 UTC 2019] OK, Close and reopen your terminal to start using acme.sh
[Sun Sep 22 17:11:29 UTC 2019] Installing alias to '/root/.cshrc'
[Sun Sep 22 17:11:29 UTC 2019] Installing alias to '/root/.tcshrc'
[Sun Sep 22 17:11:29 UTC 2019] Installing cron job
[Sun Sep 22 17:11:29 UTC 2019] Good, bash is found, so change the shebang to use bash as preferred.
[Sun Sep 22 17:11:30 UTC 2019] OK
https://github.com/Neilpang/acme.sh
v2.8.3
Usage: acme.sh command ...[parameters]....
Commands:
--help, -h Show this help message.
--version, -v Show version info.
--install Install acme.sh to your system.
--uninstall Uninstall acme.sh, and uninstall the cron job.
--upgrade Upgrade acme.sh to the latest code from https://github.com/Neilpang/acme.sh.
--issue Issue a cert.
--signcsr Issue a cert from an existing csr.
--deploy Deploy the cert to your server.
--install-cert Install the issued cert to apache/nginx or any other server.
--renew, -r Renew a cert.
--renew-all Renew all the certs.
--revoke Revoke a cert.
--remove Remove the cert from list of certs known to acme.sh.
--list List all the certs.
--showcsr Show the content of a csr.
--install-cronjob Install the cron job to renew certs, you don't need to call this. The 'install' command can automatically install the cron job.
--uninstall-cronjob Uninstall the cron job. The 'uninstall' command can do this automatically.
--cron Run cron job to renew all the certs.
--toPkcs Export the certificate and key to a pfx file.
--toPkcs8 Convert to pkcs8 format.
--update-account Update account info.
--register-account Register account key.
--deactivate-account Deactivate the account.
--create-account-key Create an account private key, professional use.
--create-domain-key Create an domain private key, professional use.
--createCSR, -ccsr Create CSR , professional use.
--deactivate Deactivate the domain authz, professional use.
--set-notify Set the cron notification hook, level or mode.

Parameters:
--domain, -d domain.tld Specifies a domain, used to issue, renew or revoke etc.
--challenge-alias domain.tld The challenge domain alias for DNS alias mode: https://github.com/Neilpang/acme.sh/wiki/DNS-alias-mode
--domain-alias domain.tld The domain alias for DNS alias mode: https://github.com/Neilpang/acme.sh/wiki/DNS-alias-mode
--force, -f Used to force to install or force to renew a cert immediately.
--staging, --test Use staging server, just for test.
--debug Output debug info.
--output-insecure Output all the sensitive messages. By default all the credentials/sensitive messages are hidden from the output/debug/log for secure.
--webroot, -w /path/to/webroot Specifies the web root folder for web root mode.
--standalone Use standalone mode.
--alpn Use standalone alpn mode.
--stateless Use stateless mode, see: https://github.com/Neilpang/acme.sh/wiki/Stateless-Mode
--apache Use apache mode.
--dns [dns_cf|dns_dp|dns_cx|/path/to/api/file] Use dns mode or dns api.
--dnssleep [120] The time in seconds to wait for all the txt records to take effect in dns api mode. Default 120 seconds.

--keylength, -k [2048] Specifies the domain key length: 2048, 3072, 4096, 8192 or ec-256, ec-384.
--accountkeylength, -ak [2048] Specifies the account key length.
--log [/path/to/logfile] Specifies the log file. The default is: "/root/.acme.sh/acme.sh.log" if you don't give a file path here.
--log-level 1|2 Specifies the log level, default is 1.
--syslog [0|3|6|7] Syslog level, 0: disable syslog, 3: error, 6: info, 7: debug.

These parameters are to install the cert to nginx/apache or any other server after issue/renew a cert:

--cert-file After issue/renew, the cert will be copied to this path.
--key-file After issue/renew, the key will be copied to this path.
--ca-file After issue/renew, the intermediate cert will be copied to this path.
--fullchain-file After issue/renew, the fullchain cert will be copied to this path.

--reloadcmd "service nginx reload" After issue/renew, it's used to reload the server.

--server SERVER ACME Directory Resource URI. (default: https://acme-v01.api.letsencrypt.org/directory)
--accountconf Specifies a customized account config file.
--home Specifies the home dir for acme.sh.
--cert-home Specifies the home dir to save all the certs, only valid for '--install' command.
--config-home Specifies the home dir to save all the configurations.
--useragent Specifies the user agent string. it will be saved for future use too.
--accountemail Specifies the account email, only valid for the '--install' and '--update-account' command.
--accountkey Specifies the account key path, only valid for the '--install' command.
--days Specifies the days to renew the cert when using '--issue' command. The default value is 60 days.
--httpport Specifies the standalone listening port. Only valid if the server is behind a reverse proxy or load balancer.
--tlsport Specifies the standalone tls listening port. Only valid if the server is behind a reverse proxy or load balancer.
--local-address Specifies the standalone/tls server listening address, in case you have multiple ip addresses.
--listraw Only used for '--list' command, list the certs in raw format.
--stopRenewOnError, -se Only valid for '--renew-all' command. Stop if one cert has error in renewal.
--insecure Do not check the server certificate, in some devices, the api server's certificate may not be trusted.
--ca-bundle Specifies the path to the CA certificate bundle to verify api server's certificate.
--ca-path Specifies directory containing CA certificates in PEM format, used by wget or curl.
--nocron Only valid for '--install' command, which means: do not install the default cron job. In this case, the certs will not be renewed automatically.
--noprofile Only valid for '--install' command, which means: do not install aliases to user profile.
--no-color Do not output color text.
--force-color Force output of color text. Useful for non-interactive use with the aha tool for HTML E-Mails.
--ecc Specifies to use the ECC cert. Valid for '--install-cert', '--renew', '--revoke', '--toPkcs' and '--createCSR'
--csr Specifies the input csr.
--pre-hook Command to be run before obtaining any certificates.
--post-hook Command to be run after attempting to obtain/renew certificates. No matter the obtain/renew is success or failed.
--renew-hook Command to be run once for each successfully renewed certificate.
--deploy-hook The hook file to deploy cert
--ocsp-must-staple, --ocsp Generate ocsp must Staple extension.
--always-force-new-domain-key Generate new domain key when renewal. Otherwise, the domain key is not changed by default.
--auto-upgrade [0|1] Valid for '--upgrade' command, indicating whether to upgrade automatically in future.
--listen-v4 Force standalone/tls server to listen at ipv4.
--listen-v6 Force standalone/tls server to listen at ipv6.
--openssl-bin Specifies a custom openssl bin location.
--use-wget Force to use wget, if you have both curl and wget installed.
--yes-I-know-dns-manual-mode-enough-go-ahead-please Force to use dns manual mode: https://github.com/Neilpang/acme.sh/wiki/dns-manual-mode
--branch, -b Only valid for '--upgrade' command, specifies the branch name to upgrade to.

--notify-level 0|1|2|3 Set the notification level: Default value is 2.
0: disabled, no notification will be sent.
1: send notifications only when there is an error.
2: send notifications when a cert is successfully renewed, or there is an error.
3: send notifications when a cert is skipped, renewed, or error.
--notify-mode 0|1 Set notification mode. Default value is 0.
0: Bulk mode. Send all the domain's notifications in one message(mail).
1: Cert mode. Send a message for every single cert.
--notify-hook [hookname] Set the notify hook

-----------------------------------------------------
check acme auto renew cronjob setup:
-----------------------------------------------------
29 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null
-----------------------------------------------------
acme.sh installed

Sau khi có thông báo acme.sh installed tức là acmetool đã cài đặt thành công. Vì chứng chỉ SSL của Let’s Encrypt SSL sẽ hết hạn sau 90 ngày nên acmetool.sh còn có chức năng tự động gia hạn chứng chỉ cho bạn trước 1 tháng.

Cách sử dụng acmetool trong Centmin Mod

Sau khi cài đặt thành công acmetool để tạo chứng chỉ SSL từ Let’s Encrypt, để sử dụng tool này vẫn trong thư mục addon của Centmin Mod bạn dùng lệnh.

./acmetool.sh acme-menu

Sau khi sử dụng lệnh trên, sẽ xuất hiện một menu

--------------------------------------------------------
        SSL Management              
--------------------------------------------------------
1).  acemtool.sh install
2).  acmetool.sh update
3).  acmetool.sh setup
4).  Issue SSL Management
5).  Renew SSL Management
6).  Reissue SSL Management
7).  Renew All Staging /Test Certs
8).  Renew ALL Live Certs 
9).  Renew All Live Certs HTTPS Default
10). Exit
--------------------------------------------------------
Enter option [ 1 - 10 ]

Menu này sẽ bao gồm các chức năng của acmetool đã cài đặt. Trong đó để tạo chứng chỉ SSL từ Let’s Encrypt ta dùng chức năng số 4.

--------------------------------------------------------
Enter option [ 1 - 10 ] 4
--------------------------------------------------------

...

--------------------------------------------------------
        SSL Issue Management              
--------------------------------------------------------
1).  Issue SSL Cert Staging/Test
2).  Issue SSL Cert Staging/Test HTTPS Default
3).  Issue SSL Cert Live
4).  Issue SSL Cert Live HTTPS Default
5).  Custom Webroot Issue SSL Cert Staging/Test
6).  Custom Webroot Issue SSL Cert Staging/Test HTTPS Default
7).  Custom Webroot Issue SSL Cert Live
8).  Custom Webroot Issue SSL Cert Live HTTPS Default
9).  S3 Issue SSL Cert
10). S3 Issue SSL Cert
11). S3 Issue SSL Cert
12). S3 Issue SSL Cert
13). Exit
--------------------------------------------------------
Enter option [ 1 - 13 ]

Trong mục quản lí và tạo chứng chỉ SSL bạn chỉ cần quan tâm đến chức năng số 3 hoặc 4. Mình sẽ thử tạo chứng chỉ SSL bằng menu số 4 cho domain testcentmin.ml nhé.

Lưu ý: trước khi tạo chứng chỉ bạn hãy chắc chắn là domain đã trỏ về IP của VPS nhé.

--------------------------------------------------------
        SSL Issue Management              
--------------------------------------------------------
1).  Issue SSL Cert Staging/Test
2).  Issue SSL Cert Staging/Test HTTPS Default
3).  Issue SSL Cert Live
4).  Issue SSL Cert Live HTTPS Default
5).  Custom Webroot Issue SSL Cert Staging/Test
6).  Custom Webroot Issue SSL Cert Staging/Test HTTPS Default
7).  Custom Webroot Issue SSL Cert Live
8).  Custom Webroot Issue SSL Cert Live HTTPS Default
9).  S3 Issue SSL Cert
10). S3 Issue SSL Cert
11). S3 Issue SSL Cert
12). S3 Issue SSL Cert
13). Exit
--------------------------------------------------------
Enter option [ 1 - 13 ] 4
--------------------------------------------------------

...

Enter SSL certificate domain name you want without www. prefix host: testcentmin.ml


-------------------------------------------------
acmetool.sh is in beta testing phase
please read & provide bug reports &
feedback for this tool via the forums
https://centminmod.com/acmetool
-------------------------------------------------

continue [y/n] ? y

-----------------------------------------------------
updating acme.sh client...
-----------------------------------------------------
Cloning into 'acme.sh'...
[Tue Sep 24 09:07:13 UTC 2019] It is recommended to install socat first.
[Tue Sep 24 09:07:13 UTC 2019] We use socat for standalone server if you use standalone mode.
[Tue Sep 24 09:07:13 UTC 2019] If you don't use standalone mode, just ignore this warning.
[Tue Sep 24 09:07:13 UTC 2019] Installing to /root/.acme.sh
[Tue Sep 24 09:07:13 UTC 2019] Installed to /root/.acme.sh/acme.sh
[Tue Sep 24 09:07:13 UTC 2019] Installing alias to '/root/.bashrc'
[Tue Sep 24 09:07:13 UTC 2019] OK, Close and reopen your terminal to start using acme.sh
[Tue Sep 24 09:07:13 UTC 2019] Installing alias to '/root/.cshrc'
[Tue Sep 24 09:07:13 UTC 2019] Installing alias to '/root/.tcshrc'
[Tue Sep 24 09:07:13 UTC 2019] Installing cron job
29 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null
[Tue Sep 24 09:07:13 UTC 2019] Good, bash is found, so change the shebang to use bash as preferred.
[Tue Sep 24 09:07:14 UTC 2019] OK
https://github.com/Neilpang/acme.sh
v2.8.3
-----------------------------------------------------
acme.sh updated
-----------------------------------------------------

testcentmin.ml nginx vhost + pureftp virtual ftp user setup

/usr/bin/nv -d testcentmin.ml -s ydle -u QPECW1F3oQstbNN
---------------------------------------------------------------
Nginx Vhost Setup...
---------------------------------------------------------------


FTP password auto generated: 1I}6M4K^zx.|bi)%7DFvu

Password: 
Enter it again: 
---------------------------------------------------------------
SSL Vhost Setup...
---------------------------------------------------------------

--2019-09-24 09:07:18--  https://support.cloudflare.com/hc/en-us/article_attachments/201243967/origin-pull-ca.pem
Resolving support.cloudflare.com... 104.16.51.111, 104.16.55.111, 104.16.54.111, ...
Connecting to support.cloudflare.com|104.16.51.111|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2151 (2.1K) [application/x-x509-ca-cert]
Saving to: ‘/usr/local/nginx/conf/ssl/cloudflare/testcentmin.ml/origin.crt’

     0K ..                                                    100% 14.5M=0s

2019-09-24 09:07:18 (14.5 MB/s) - ‘/usr/local/nginx/conf/ssl/cloudflare/testcentmin.ml/origin.crt’ saved [2151/2151]

---------------------------------------------------------------
Generating self signed SSL certificate...
CSR file can also be used to be submitted for paid SSL certificates
If using for paid SSL certificates be sure to keep both private key and CSR safe
creating CSR File: testcentmin.ml.csr
creating private key: testcentmin.ml.key
creating self-signed SSL certificate: testcentmin.ml.crt

[req]
default_bits       = 2048
distinguished_name = req_distinguished_name
req_extensions     = v3_req
prompt = no
[req_distinguished_name]
C = US
ST = California
L = Los Angeles
O = testcentmin.ml
OU = testcentmin.ml
CN = testcentmin.ml
[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = testcentmin.ml
DNS.2 = www.testcentmin.ml

authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = testcentmin.ml
DNS.2 = www.testcentmin.ml

Generating a 2048 bit RSA private key
..................+++
..................+++
writing new private key to 'testcentmin.ml.key'
-----
                DNS:testcentmin.ml, DNS:www.testcentmin.ml
Signature ok
subject=/C=US/ST=California/L=Los Angeles/O=testcentmin.ml/OU=testcentmin.ml/CN=testcentmin.ml
Getting Private key

---------------------------------------------------------------
Generating dhparam.pem file - can take a few minutes...
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
................................................................................................................+.............................................................................................................+...............................................................................................................+...............................................................................................+.................................................................................................+...............................................................................................................................+..............................................................................................................................................+..............................................................................................................................+.......................................................................+..+...............................+...............................................+.....................................................................................................................++*++*
dhparam file generation time: 12.546216351

-------------------------------------------------------------
/usr/local/src/centminmod/tools/autoprotect.sh
generated nginx include file [same]: /usr/local/nginx/conf/autoprotect/demodomain.com/autoprotect-demodomain.com.conf
generated nginx include file [initial]: /usr/local/nginx/conf/autoprotect/testcentmin.ml/autoprotect-testcentmin.ml.conf

autoprotect.sh run completed skipped nginx reload...

Reloading nginx configuration (via systemctl):  [  OK  ]
Restarting nginx (via systemctl):  [  OK  ]

-------------------------------------------------------------
FTP hostname : 45.77.154.110
FTP port : 21
FTP mode : FTP (explicit SSL)
FTP Passive (PASV) : ensure is checked/enabled
FTP username created for testcentmin.ml : QPECW1F3oQstbNN
FTP password created for testcentmin.ml : 1I}6M4K^zx.|bi)%7DFvu
-------------------------------------------------------------
vhost for testcentmin.ml created successfully

domain: http://testcentmin.ml
vhost conf file for testcentmin.ml created: /usr/local/nginx/conf/conf.d/testcentmin.ml.conf

vhost ssl for testcentmin.ml created successfully

domain: https://testcentmin.ml
vhost ssl conf file for testcentmin.ml created: /usr/local/nginx/conf/conf.d/testcentmin.ml.ssl.conf
/usr/local/nginx/conf/ssl/testcentmin.ml/testcentmin.ml.crt.key.conf created
/usr/local/nginx/conf/ssl_include.conf created
Self-signed SSL Certificate: /usr/local/nginx/conf/ssl/testcentmin.ml/testcentmin.ml.crt
SSL Private Key: /usr/local/nginx/conf/ssl/testcentmin.ml/testcentmin.ml.key
SSL CSR File: /usr/local/nginx/conf/ssl/testcentmin.ml/testcentmin.ml.csr
Backup SSL Private Key: /usr/local/nginx/conf/ssl/testcentmin.ml/testcentmin.ml-backup.key
Backup SSL CSR File: /usr/local/nginx/conf/ssl/testcentmin.ml/testcentmin.ml-backup.csr

upload files to /home/nginx/domains/testcentmin.ml/public
vhost log files directory is /home/nginx/domains/testcentmin.ml/log

-------------------------------------------------------------
Current vhost listing at: /usr/local/nginx/conf/conf.d/

                       
Sep 21  16:34   1.1K   demodomain.com.conf
Sep 21  16:59   1.4K   virtual.conf
Sep 24  09:07   2.2K   testcentmin.ml.conf
Sep 24  09:07   3.7K   testcentmin.ml.ssl.conf

-------------------------------------------------------------
Current vhost ssl files listing at: /usr/local/nginx/conf/ssl/testcentmin.ml

                       
Sep 24  09:07   1.7K   testcentmin.ml.key
Sep 24  09:07   1.2K   testcentmin.ml.csr
Sep 24  09:07   1.6K   testcentmin.ml.crt
Sep 24  09:07   424    dhparam.pem
Sep 24  09:07   332    testcentmin.ml.crt.key.conf

-------------------------------------------------------------
Commands to remove testcentmin.ml

 pure-pw userdel QPECW1F3oQstbNN
 rm -rf /usr/local/nginx/conf/conf.d/testcentmin.ml.conf
 rm -rf /usr/local/nginx/conf/conf.d/testcentmin.ml.ssl.conf
 rm -rf /usr/local/nginx/conf/ssl/testcentmin.ml/testcentmin.ml.crt
 rm -rf /usr/local/nginx/conf/ssl/testcentmin.ml/testcentmin.ml.key
 rm -rf /usr/local/nginx/conf/ssl/testcentmin.ml/testcentmin.ml.csr
 rm -rf /usr/local/nginx/conf/ssl/testcentmin.ml
 rm -rf /home/nginx/domains/testcentmin.ml
 rm -rf /root/.acme.sh/testcentmin.ml
 rm -rf /root/.acme.sh/testcentmin.ml_ecc
 rm -rf /usr/local/nginx/conf/pre-staticfiles-local-testcentmin.ml.conf
 service nginx restart

-------------------------------------------------------------
vhost for testcentmin.ml setup successfully
testcentmin.ml setup info log saved at: 
/root/centminlogs/centminmod_240919-090714_nginx_addvhost_nv.log
-------------------------------------------------------------


backup & remove /usr/local/nginx/conf/conf.d/testcentmin.ml.conf

[self-signed ssl cert check] required by acmetool.sh

[self-signed ssl] /usr/local/nginx/conf/ssl/testcentmin.ml/dhparam.pem exists
[self-signed ssl] /usr/local/nginx/conf/ssl/testcentmin.ml/testcentmin.ml.crt exists
[self-signed ssl] /usr/local/nginx/conf/ssl/testcentmin.ml/testcentmin.ml.key exists

[sslvhostsetup] create /usr/local/nginx/conf/conf.d/testcentmin.ml.ssl.conf

[non-wp] backup & remove /usr/local/nginx/conf/conf.d/testcentmin.ml.conf
cat /usr/local/nginx/conf/ssl/testcentmin.ml/testcentmin.ml.crt.key.conf
  ssl_dhparam /usr/local/nginx/conf/ssl/testcentmin.ml/dhparam.pem;
  ssl_certificate      /usr/local/nginx/conf/ssl/testcentmin.ml/testcentmin.ml.crt;
  ssl_certificate_key  /usr/local/nginx/conf/ssl/testcentmin.ml/testcentmin.ml.key;
  #ssl_trusted_certificate /usr/local/nginx/conf/ssl/testcentmin.ml/testcentmin.ml-trusted.crt;
Reloading nginx configuration (via systemctl):  [  OK  ]
grep 'root' /usr/local/nginx/conf/conf.d/testcentmin.ml.conf
  root /home/nginx/domains/testcentmin.ml/public;
grep 'root' /usr/local/nginx/conf/conf.d/testcentmin.ml.ssl.conf
  root /home/nginx/domains/testcentmin.ml/public;

-----------------------------------------------------------
issue & install letsencrypt ssl certificate for testcentmin.ml
-----------------------------------------------------------
testcert value = lived
/root/.acme.sh/acme.sh --issue -d testcentmin.ml -d www.testcentmin.ml --days 60 -w /home/nginx/domains/testcentmin.ml/public -k 2048 --useragent centminmod-centos7-acmesh-webroot --log /root/centminlogs/acmetool.sh-debug-log-240919-090709.log --log-level 2
[Tue Sep 24 09:07:49 UTC 2019] Create account key ok.
[Tue Sep 24 09:07:49 UTC 2019] Registering account
[Tue Sep 24 09:17:50 UTC 2019] Registered
[Tue Sep 24 09:17:50 UTC 2019] ACCOUNT_THUMBPRINT='gXdjBkF1QcrNqtOTutlC5hSJxkHMdVs3hztWqLwH-GI'
[Tue Sep 24 09:17:50 UTC 2019] Creating domain key
[Tue Sep 24 09:17:50 UTC 2019] The domain key is here: /root/.acme.sh/testcentmin.ml/testcentmin.ml.key
[Tue Sep 24 09:17:50 UTC 2019] Multi domain='DNS:testcentmin.ml,DNS:www.testcentmin.ml'
[Tue Sep 24 09:17:50 UTC 2019] Getting domain auth token for each domain
[Tue Sep 24 09:17:52 UTC 2019] Getting webroot for domain='testcentmin.ml'
[Tue Sep 24 09:17:53 UTC 2019] Getting webroot for domain='www.testcentmin.ml'
[Tue Sep 24 09:17:53 UTC 2019] Verifying: testcentmin.ml
[Tue Sep 24 09:17:57 UTC 2019] Success
[Tue Sep 24 09:17:57 UTC 2019] Verifying: www.testcentmin.ml
[Tue Sep 24 09:18:00 UTC 2019] Success
[Tue Sep 24 09:18:00 UTC 2019] Verify finished, start to sign.
[Tue Sep 24 09:18:00 UTC 2019] Lets finalize the order, Le_OrderFinalize: https://acme-v02.api.letsencrypt.org/acme/finalize/67157997/1150853613
[Tue Sep 24 09:18:02 UTC 2019] Download cert, Le_LinkCert: https://acme-v02.api.letsencrypt.org/acme/cert/04f3ac1bd1f956de5c7899ca7785e70f5f0d
[Tue Sep 24 09:18:02 UTC 2019] Cert success.
-----BEGIN CERTIFICATE-----
MIIFaTCCBFGgAwIBAgISBPOsG9H5Vt5ceJnKd4XnD18NMA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xOTA5MjQwODE4MDBaFw0x
OTEyMjMwODE4MDBaMBkxFzAVBgNVBAMTDnRlc3RjZW50bWluLm1sMIIBIjANBgkq
hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqQg5zKiaLNC2GruutG2n/p0QVh4pL8K9
GZ8GkqkPUiZEmQFe85PG+wOBIVFJOQaynL5/GcONRwm/AdQtsfDGrNPymnwRS2TF
z+/B+dtIqZcWjHgk55Yw49xs8Qz46JkzpNT1G7sIQH5/V7XiIkvzUYMxIh3EDJcQ
i8PcChGuL58v3372OxBB5/gytF2nCRJmsBmxCGfcxr9jqYcZCsCOiNzYHBfUiia2
u3zbH+UsjX9nkZIeweDHFaiSzh2cUMsU4rgRf2Rk0dKY6zncGuoO6CcogcSmrDmK
tqR8cPkdldenWhCtuaoxV3cDxFefl6RX4y363VnvKRILhrlRIn+1kQIDAQABo4IC
eDCCAnQwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEF
BQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBTuCPDZ8ECfnIxL3EvZhRfDJrnp
NzAfBgNVHSMEGDAWgBSoSmpjBH3duubRObemRWXv86jsoTBvBggrBgEFBQcBAQRj
MGEwLgYIKwYBBQUHMAGGImh0dHA6Ly9vY3NwLmludC14My5sZXRzZW5jcnlwdC5v
cmcwLwYIKwYBBQUHMAKGI2h0dHA6Ly9jZXJ0LmludC14My5sZXRzZW5jcnlwdC5v
cmcvMC0GA1UdEQQmMCSCDnRlc3RjZW50bWluLm1sghJ3d3cudGVzdGNlbnRtaW4u
bWwwTAYDVR0gBEUwQzAIBgZngQwBAgEwNwYLKwYBBAGC3xMBAQEwKDAmBggrBgEF
BQcCARYaaHR0cDovL2Nwcy5sZXRzZW5jcnlwdC5vcmcwggEFBgorBgEEAdZ5AgQC
BIH2BIHzAPEAdgB0ftqDMa0zEJEhnM4lT0Jwwr/9XkIgCMY3NXnmEHvMVgAAAW1i
kDQ5AAAEAwBHMEUCIQDGt1BopnZ2QK29hY6uzATwwMGB9/zGvFTt5b5GcQyXpgIg
CmBpQA2mFE5dnLXYacBoLJEAnlxvzKT8vL86VfyVtzUAdwBj8tvN6DvMLM8LcoQn
V2szpI1hd4+9daY4scdoVEvYjQAAAW1ikDQuAAAEAwBIMEYCIQD9CnVYIMwCnRDP
B2v3Uiw6nUUrmtIeFVZ6is06oo8mpwIhAKUzHxahsR9GRguCQgc09bQyRaORarIB
Lkbnm65KqMXVMA0GCSqGSIb3DQEBCwUAA4IBAQBxlio6bzX4FJ7m6bnP4ZO9OpG5
1K+eB4BkeLN0sA+bueF3rEsdixAx/j5NoBtHP9ltLrATwQqFmeMHigHo1sLb1dcp
Qf8l+uMpQPctc65wN0kuxlD7D8UOLMBQNTazTDdE5H5kFJQXedOVlpwn7hKwxBim
k0f3/abu3zpk11YUZ/m9tY8VzFc4aggFkcd+dls9asOWXVaEVD8kBSpRsjxMkuLj
MOBAZCrYOZFMleGhqHMvs6A2npM+ner5g9ACYnNhKWAw+CehDXS/8HCdqRgQb/Sk
uYNFfyqyJ4pam8aLqFL0wYv6daNReRY1y4UgSfSWQmyb/eXTAqlt0DsbqN9h
-----END CERTIFICATE-----
[Tue Sep 24 09:18:02 UTC 2019] Your cert is in  /root/.acme.sh/testcentmin.ml/testcentmin.ml.cer 
[Tue Sep 24 09:18:02 UTC 2019] Your cert key is in  /root/.acme.sh/testcentmin.ml/testcentmin.ml.key 
[Tue Sep 24 09:18:02 UTC 2019] The intermediate CA cert is in  /root/.acme.sh/testcentmin.ml/ca.cer 
[Tue Sep 24 09:18:02 UTC 2019] And the full chain certs is there:  /root/.acme.sh/testcentmin.ml/fullchain.cer 

switch to HTTPS default after verification


setting HTTPS default in /usr/local/nginx/conf/conf.d/testcentmin.ml.ssl.conf

sed -i 's|^##x# HTTPS-DEFAULT|#x# HTTPS-DEFAULT|g' "/usr/local/nginx/conf/conf.d/testcentmin.ml.ssl.conf"
sed -i "s|#x# server {| server {|" "/usr/local/nginx/conf/conf.d/testcentmin.ml.ssl.conf"
sed -i "s|#x#   |   |" "/usr/local/nginx/conf/conf.d/testcentmin.ml.ssl.conf"
sed -i "s|#x#   server_name testcentmin.ml www.testcentmin.ml;|   server_name testcentmin.ml www.testcentmin.ml;|" "/usr/local/nginx/conf/conf.d/testcentmin.ml.ssl.conf"
sed -i "s|#x#   return 302 https://testcentmin.ml$request_uri;|   return 302 https://testcentmin.ml$request_uri;|" "/usr/local/nginx/conf/conf.d/testcentmin.ml.ssl.conf"
sed -i "s|#x#   include \/usr\/local\/nginx\/conf\/staticfiles.conf;|   include \/usr\/local\/nginx\/conf\/staticfiles.conf;|" "/usr/local/nginx/conf/conf.d/testcentmin.ml.ssl.conf"
sed -i "s|#x# }| }|" "/usr/local/nginx/conf/conf.d/testcentmin.ml.ssl.conf"

remove /usr/local/nginx/conf/conf.d/testcentmin.ml.conf

LECHECK = 0
  ssl_dhparam /usr/local/nginx/conf/ssl/testcentmin.ml/dhparam.pem;
  ssl_certificate      /usr/local/nginx/conf/ssl/testcentmin.ml/testcentmin.ml-acme.cer;
  ssl_certificate_key  /usr/local/nginx/conf/ssl/testcentmin.ml/testcentmin.ml-acme.key;
  ssl_trusted_certificate /usr/local/nginx/conf/ssl/testcentmin.ml/testcentmin.ml-acme.cer;

-----------------------------------------------------------
install cert
-----------------------------------------------------------
/root/.acme.sh/acme.sh --installcert -d testcentmin.ml -d www.testcentmin.ml --certpath /usr/local/nginx/conf/ssl/testcentmin.ml/testcentmin.ml-acme.cer --keypath /usr/local/nginx/conf/ssl/testcentmin.ml/testcentmin.ml-acme.key --capath /usr/local/nginx/conf/ssl/testcentmin.ml/testcentmin.ml-acme.cer --reloadCmd /usr/bin/ngxreload --fullchainpath /usr/local/nginx/conf/ssl/testcentmin.ml/testcentmin.ml-fullchain-acme.key
[Tue Sep 24 09:18:03 UTC 2019] Installing cert to:/usr/local/nginx/conf/ssl/testcentmin.ml/testcentmin.ml-acme.cer
[Tue Sep 24 09:18:03 UTC 2019] Installing CA to:/usr/local/nginx/conf/ssl/testcentmin.ml/testcentmin.ml-acme.cer
[Tue Sep 24 09:18:03 UTC 2019] Installing key to:/usr/local/nginx/conf/ssl/testcentmin.ml/testcentmin.ml-acme.key
[Tue Sep 24 09:18:03 UTC 2019] Installing full chain to:/usr/local/nginx/conf/ssl/testcentmin.ml/testcentmin.ml-fullchain-acme.key
[Tue Sep 24 09:18:03 UTC 2019] Run reload cmd: /usr/bin/ngxreload
Reloading nginx configuration (via systemctl):  [  OK  ]
[Tue Sep 24 09:18:03 UTC 2019] Reload success

letsencrypt ssl certificate setup completed
ssl certs located at: /usr/local/nginx/conf/ssl/testcentmin.ml

openssl x509 -noout -text < /usr/local/nginx/conf/ssl/testcentmin.ml/testcentmin.ml-acme.cer
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            04:f3:ac:1b:d1:f9:56:de:5c:78:99:ca:77:85:e7:0f:5f:0d
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
        Validity
            Not Before: Sep 24 08:18:00 2019 GMT
            Not After : Dec 23 08:18:00 2019 GMT
        Subject: CN=testcentmin.ml
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:a9:08:39:cc:a8:9a:2c:d0:b6:1a:bb:ae:b4:6d:
                    a7:fe:9d:10:56:1e:29:2f:c2:bd:19:9f:06:92:a9:
                    0f:52:26:44:99:01:5e:f3:93:c6:fb:03:81:21:51:
                    49:39:06:b2:9c:be:7f:19:c3:8d:47:09:bf:01:d4:
                    2d:b1:f0:c6:ac:d3:f2:9a:7c:11:4b:64:c5:cf:ef:
                    c1:f9:db:48:a9:97:16:8c:78:24:e7:96:30:e3:dc:
                    6c:f1:0c:f8:e8:99:33:a4:d4:f5:1b:bb:08:40:7e:
                    7f:57:b5:e2:22:4b:f3:51:83:31:22:1d:c4:0c:97:
                    10:8b:c3:dc:0a:11:ae:2f:9f:2f:df:7e:f6:3b:10:
                    41:e7:f8:32:b4:5d:a7:09:12:66:b0:19:b1:08:67:
                    dc:c6:bf:63:a9:87:19:0a:c0:8e:88:dc:d8:1c:17:
                    d4:8a:26:b6:bb:7c:db:1f:e5:2c:8d:7f:67:91:92:
                    1e:c1:e0:c7:15:a8:92:ce:1d:9c:50:cb:14:e2:b8:
                    11:7f:64:64:d1:d2:98:eb:39:dc:1a:ea:0e:e8:27:
                    28:81:c4:a6:ac:39:8a:b6:a4:7c:70:f9:1d:95:d7:
                    a7:5a:10:ad:b9:aa:31:57:77:03:c4:57:9f:97:a4:
                    57:e3:2d:fa:dd:59:ef:29:12:0b:86:b9:51:22:7f:
                    b5:91
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier: 
                EE:08:F0:D9:F0:40:9F:9C:8C:4B:DC:4B:D9:85:17:C3:26:B9:E9:37
            X509v3 Authority Key Identifier: 
                keyid:A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1

            Authority Information Access: 
                OCSP - URI:http://ocsp.int-x3.letsencrypt.org
                CA Issuers - URI:http://cert.int-x3.letsencrypt.org/

            X509v3 Subject Alternative Name: 
                DNS:testcentmin.ml, DNS:www.testcentmin.ml
            X509v3 Certificate Policies: 
                Policy: 2.23.140.1.2.1
                Policy: 1.3.6.1.4.1.44947.1.1.1
                  CPS: http://cps.letsencrypt.org

            CT Precertificate SCTs: 
                Signed Certificate Timestamp:
                    Version   : v1(0)
                    Log ID    : 74:7E:DA:83:31:AD:33:10:91:21:9C:CE:25:4F:42:70:
                                C2:BF:FD:5E:42:20:08:C6:37:35:79:E6:10:7B:CC:56
                    Timestamp : Sep 24 09:18:00.761 2019 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:45:02:21:00:C6:B7:50:68:A6:76:76:40:AD:BD:85:
                                8E:AE:CC:04:F0:C0:C1:81:F7:FC:C6:BC:54:ED:E5:BE:
                                46:71:0C:97:A6:02:20:0A:60:69:40:0D:A6:14:4E:5D:
                                9C:B5:D8:69:C0:68:2C:91:00:9E:5C:6F:CC:A4:FC:BC:
                                BF:3A:55:FC:95:B7:35
                Signed Certificate Timestamp:
                    Version   : v1(0)
                    Log ID    : 63:F2:DB:CD:E8:3B:CC:2C:CF:0B:72:84:27:57:6B:33:
                                A4:8D:61:77:8F:BD:75:A6:38:B1:C7:68:54:4B:D8:8D
                    Timestamp : Sep 24 09:18:00.750 2019 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:46:02:21:00:FD:0A:75:58:20:CC:02:9D:10:CF:07:
                                6B:F7:52:2C:3A:9D:45:2B:9A:D2:1E:15:56:7A:8A:CD:
                                3A:A2:8F:26:A7:02:21:00:A5:33:1F:16:A1:B1:1F:46:
                                46:0B:82:42:07:34:F5:B4:32:45:A3:91:6A:B2:01:2E:
                                46:E7:9B:AE:4A:A8:C5:D5
    Signature Algorithm: sha256WithRSAEncryption
         71:96:2a:3a:6f:35:f8:14:9e:e6:e9:b9:cf:e1:93:bd:3a:91:
         b9:d4:af:9e:07:80:64:78:b3:74:b0:0f:9b:b9:e1:77:ac:4b:
         1d:8b:10:31:fe:3e:4d:a0:1b:47:3f:d9:6d:2e:b0:13:c1:0a:
         85:99:e3:07:8a:01:e8:d6:c2:db:d5:d7:29:41:ff:25:fa:e3:
         29:40:f7:2d:73:ae:70:37:49:2e:c6:50:fb:0f:c5:0e:2c:c0:
         50:35:36:b3:4c:37:44:e4:7e:64:14:94:17:79:d3:95:96:9c:
         27:ee:12:b0:c4:18:a6:93:47:f7:fd:a6:ee:df:3a:64:d7:56:
         14:67:f9:bd:b5:8f:15:cc:57:38:6a:08:05:91:c7:7e:76:5b:
         3d:6a:c3:96:5d:56:84:54:3f:24:05:2a:51:b2:3c:4c:92:e2:
         e3:30:e0:40:64:2a:d8:39:91:4c:95:e1:a1:a8:73:2f:b3:a0:
         36:9e:93:3e:9d:ea:f9:83:d0:02:62:73:61:29:60:30:f8:27:
         a1:0d:74:bf:f0:70:9d:a9:18:10:6f:f4:a4:b9:83:45:7f:2a:
         b2:27:8a:5a:9b:c6:8b:a8:52:f4:c1:8b:fa:75:a3:51:79:16:
         35:cb:85:20:49:f4:96:42:6c:9b:fd:e5:d3:02:a9:6d:d0:3b:
         1b:a8:df:61

log files saved at /root/centminlogs
-rw-r--r-- 1 root root 1.3K Sep 24 09:07 centminmod_240919-090714_nginx_addvhost_nv-remove-cmds-testcentmin.ml.log
-rw-r--r-- 1 root root 8.2K Sep 24 09:07 centminmod_240919-090714_nginx_addvhost_nv.log
-rw-r--r-- 1 root root  64K Sep 24 09:18 acmetool.sh-debug-log-240919-090709.log
-rw-r--r-- 1 root root  23K Sep 24 09:18 acmesh-issue_240919-090709.log

Như bạn thấy quá trình tạo chứng chỉ đã thành công, ngoài ra khi tạo chứng chỉ SSL Centmin Mod cũng tạo luôn một vhost cho domain testcentmin.ml.

Thử truy cập vào trang testcentmin.ml xem nhé.

Domain dùng để test của mình giờ là một trang web giới thiệu của Centmin Mod, tuy nhiên cũng có ổ khoá xanh của chứng chỉ SSL.

Kích hoạt acmetool để tạo chứng chỉ SSL từ Let's Encrypt khi tạo Vhost bằng Centmin Mod.

Mặc định acmetool addon sẽ không được kích hoạt khi tạo Vhost, và khi tạo Vhost bằng chức năng số 2 hoặc 22 có thể bạn sẽ thấy thông báo như:

Important Information
---------------------------------------------------------------

You are about to create an Nginx vhost site account with/without
HTTPS/SSL support. Details of this process are outlined on site
at centminmod.com/nginx_domain_dns_setup.html. Also read the
continually updated Getting Started Guide for Centmin Mod usage
at centminmod.com/getstarted.html which covers the pure-ftpd
ftp username that is auto generated with the Nginx vhost site.
---------------------------------------------------------------
403 Permission denied message handling
if after vhost site setup you encounter 403 permission denied errors,
check https://community.centminmod.com/threads/7308/ to see if your
site needs tools/autoprotect.sh tweaking/whitelisting
---------------------------------------------------------------
[ LETSENCRYPT_DETECT is not enabled ]
Ignore this message if you do not want HTTPS based web site otherwise
read below carefully.

Free letsencrypt SSL certificates integration is in beta testing if
you want to obtain free letsencrypt SSL certificate for HTTPS site,
you will need to manually enable LETSENCRYPT_DETECT='y' outlined
at https://centminmod.com/acmetool so exit this vhost routine first
set LETSENCRYPT_DETECT='y' and update domain DNS A record first
then re-run vhost site creation menu option
---------------------------------------------------------------

Do you want to continue with Nginx vhost site creation ? [y/n] n

Như vậy là là acmetool chưa được kích hoạt khi tạo Nginx Vhost, để kích hoạt ta mở file custom_config.inc bằng lệnh

nano /etc/centminmod/custom_config.inc

thêm đoạn sau vào nội dung của file, nhớ lưu lại nhé..

LETSENCRYPT_DETECT='y'

Bây giờ sử dụng lại chức năng tạo Nginx Vhost, sẽ thấy thêm một dòng nữa hỏi rằng bạn có muốn tạo chứng chỉ SSL từ Let’s Encrypt hay không.

Do you want to continue with Nginx vhost site creation ? [y/n] y

Enter vhost domain name to add (without www. prefix): testcentmin.tk

Create a self-signed SSL certificate Nginx vhost? [y/n]: n
Get Letsencrypt SSL certificate Nginx vhost? [y/n]:y

Trên đây mình đã hướng dẫn cài đặt và sử dụng acmetool để tạo chứng chỉ SSL từ Let’s Encrypt cho Centmin Mod. Vì addon này vẫn đang trong quá trình thử nghiệm nên trong quá trình sử dụng có phát sinh lỗi, các bạn có thể comment bên dưới hoặc vào forum centmin mod để báo lỗi nhé.

5 1 vote

Đánh giá bài viết