How to enable LetsEncrypt with Centmin Mod

How to enable LetsEncrypt with Centmin Mod?

Posted on

Today, a website installed with ssl certificate is no stranger to us. Not only does it make the site look secure, it also helps with SEO. If you have installed Centmin Mod on your VPS, you don’t know how to enable LetsEncrypt with Centmin Mod?

Ok, it’s no problem, we will guide you how to enable LetsEncrypt with Centmin Mod on your VPS.

How to enable LetsEncrypt with Centmin Mod?

Step 1. Enable Let’s Encrypt with custom Config.

Right now acmetool.sh is in beta testing so is disabled by default. To enable it, edit or create your persistent config file at /etc/centminmod/custom_config.inc and add the below variable to enable acmetool.sh.

LETSENCRYPT_DETECT='y'

Step 2. Install acmetool

Then use acmetool.sh to install the acme.sh Letsencrypt client and the automated auto Letsencrypt SSL renewal cronjob script which will auto renew your Letsencrypt SSL certificate every 60 days.

cd /usr/local/src/centminmod/addons
./acmetool.sh acmeinstall

After pressing enter you will be notified acmetool is in the testing phase, if any errors during use can respond via the link.

https://centminmod.com/acmetool

-------------------------------------------------
acmetool.sh is in beta testing phase
please read & provide bug reports &
feedback for this tool via the forums
https://centminmod.com/acmetool
-------------------------------------------------

continue [y/n] ? y

Click “y” to continue installing acmetool.
After pressing “y” the installation process will begin.

Step 3. Issue a free Letsencrypt SSL certificate

Now you can proceed to use acmetool.sh to create the Nginx vhost site demo.howvps.com + issue a free Letsencrypt SSL certificate via the underlying acme.sh client.

cd /usr/local/src/centminmod/addons
./acmetool.sh issue demo.howvps.com lived

If you need to force a reissue of Letsencrypt SSL certificate before it’s expiry date, use reissue command instead.

cd /usr/local/src/centminmod/addons
./acmetool.sh reissue demo.howvps.com lived

Below is an example of successfull Letsencrypt SSL certificate issuance and Centmin Mod Nginx HTTP/2 based HTTPS default site creation as well as saved to log files in /etc/centminlogs. You can use https://dev.ssllabs.com/ssltest/ to test the site’s HTTPS setup for errors etc. Note, if you’re behind Cloudflare and use HTTPS default site setup, you would want to switch from Cloudflare Flexible SSL to Full SSL or Full SSL (strict).

./acmetool.sh issue demo.howvps.com lived

-----------------------------------------------------
updating acme.sh client...
-----------------------------------------------------
[Tue Jan 24 07:21:38 UTC 2017] Installing to /root/.acme.sh
[Tue Jan 24 07:21:38 UTC 2017] Installed to /root/.acme.sh/acme.sh
[Tue Jan 24 07:21:38 UTC 2017] Installing alias to '/root/.bashrc'
[Tue Jan 24 07:21:38 UTC 2017] OK, Close and reopen your terminal to start using acme.sh
[Tue Jan 24 07:21:38 UTC 2017] Installing alias to '/root/.cshrc'
[Tue Jan 24 07:21:38 UTC 2017] Installing alias to '/root/.tcshrc'
[Tue Jan 24 07:21:38 UTC 2017] Installing cron job
59 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null
[Tue Jan 24 07:21:38 UTC 2017] Good, bash is found, so change the shebang to use bash as preferred.
[Tue Jan 24 07:21:38 UTC 2017] OK
https://github.com/Neilpang/acme.sh
v2.6.6
-----------------------------------------------------
acme.sh updated
-----------------------------------------------------

demo.howvps.com nginx vhost + pureftp virtual ftp user setup

/usr/bin/nv -d demo.howvps.com -s ydle -u *********
---------------------------------------------------------------
Nginx Vhost Setup...
---------------------------------------------------------------

FTP password auto generated: *********

Password: 
Enter it again: 
---------------------------------------------------------------
SSL Vhost Setup...
---------------------------------------------------------------

---------------------------------------------------------------
Generating self signed SSL certificate...
CSR file can also be used to be submitted for paid SSL certificates
If using for paid SSL certificates be sure to keep both private key and CSR safe
creating CSR File: demo.howvps.com.csr
creating private key: demo.howvps.com.key
creating self-signed SSL certificate: demo.howvps.com.crt
Generating a 2048 bit RSA private key
................................................+++
...+++
writing new private key to 'demo.howvps.com.key'
-----
No value provided for Subject Attribute C, skipped
No value provided for Subject Attribute ST, skipped
No value provided for Subject Attribute L, skipped
Signature ok
subject=/O=demo.howvps.com/OU=demo.howvps.com/CN=demo.howvps.com
Getting Private key

---------------------------------------------------------------
Generating backup CSR and private key for HTTP Public Key Pinning...
creating CSR File: demo.howvps.com-backup.csr
creating private key: demo.howvps.com-backup.key
Generating a 2048 bit RSA private key
.................+++
...........................................................................................+++
writing new private key to 'demo.howvps.com-backup.key'
-----

---------------------------------------------------------------
Generating dhparam.pem file - can take a few minutes...
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
...++*++*
dhparam file generation time: 106.744755009

-------------------------------------------------------------
/usr/local/src/centminmod/tools/autoprotect.sh
generated nginx include file [same]: /usr/local/nginx/conf/autoprotect/demo.howvps.com/autoprotect-demo.howvps.com.conf

autoprotect.sh run completed skipped nginx restart...

Restarting nginx (via systemctl):  [  OK  ]
systemctl restart pure-ftpd.service

-------------------------------------------------------------
FTP hostname : 107.170.215.183
FTP port : 21
FTP mode : FTP (explicit SSL)
FTP Passive (PASV) : ensure is checked/enabled
FTP username created for demo.howvps.com : *********
FTP password created for demo.howvps.com : *********
-------------------------------------------------------------
vhost for demo.howvps.com created successfully

domain: http://demo.howvps.com
vhost conf file for demo.howvps.com created: /usr/local/nginx/conf/conf.d/demo.howvps.com.conf

vhost ssl for demo.howvps.com created successfully

domain: https://demo.howvps.com
vhost ssl conf file for demo.howvps.com created: /usr/local/nginx/conf/conf.d/demo.howvps.com.ssl.conf
/usr/local/nginx/conf/ssl/demo.howvps.com/demo.howvps.com.crt.key.conf created
/usr/local/nginx/conf/ssl_include.conf created
Self-signed SSL Certificate: /usr/local/nginx/conf/ssl/demo.howvps.com/demo.howvps.com.crt
SSL Private Key: /usr/local/nginx/conf/ssl/demo.howvps.com/demo.howvps.com.key
SSL CSR File: /usr/local/nginx/conf/ssl/demo.howvps.com/demo.howvps.com.csr
Backup SSL Private Key: /usr/local/nginx/conf/ssl/demo.howvps.com/demo.howvps.com-backup.key
Backup SSL CSR File: /usr/local/nginx/conf/ssl/demo.howvps.com/demo.howvps.com-backup.csr

upload files to /home/nginx/domains/demo.howvps.com/public
vhost log files directory is /home/nginx/domains/demo.howvps.com/log

-------------------------------------------------------------
Current vhost listing at: /usr/local/nginx/conf/conf.d/

                       
Dec 27  15:58   2.5K   virtual.conf
Jan 24  07:23   2.1K   demo.howvps.com.conf
Jan 24  07:23   3.2K   demo.howvps.com.ssl.conf

-------------------------------------------------------------
Current vhost ssl files listing at: /usr/local/nginx/conf/ssl/demo.howvps.com

                       
Jan 24  07:21   1.7K   demo.howvps.com.key
Jan 24  07:21   989    demo.howvps.com.csr
Jan 24  07:21   1.2K   demo.howvps.com.crt
Jan 24  07:21   1.7K   demo.howvps.com-backup.key
Jan 24  07:21   989    demo.howvps.com-backup.csr
Jan 24  07:21   45     hpkp-info-primary-pin.txt
Jan 24  07:21   45     hpkp-info-secondary-pin.txt
Jan 24  07:23   424    dhparam.pem
Jan 24  07:23   374    demo.howvps.com.crt.key.conf

-------------------------------------------------------------
Commands to remove demo.howvps.com

 pure-pw userdel *********
 rm -rf /usr/local/nginx/conf/conf.d/demo.howvps.com.conf
 rm -rf /usr/local/nginx/conf/conf.d/demo.howvps.com.ssl.conf
 rm -rf /usr/local/nginx/conf/ssl/demo.howvps.com/demo.howvps.com.crt
 rm -rf /usr/local/nginx/conf/ssl/demo.howvps.com/demo.howvps.com.key
 rm -rf /usr/local/nginx/conf/ssl/demo.howvps.com/demo.howvps.com.csr
 rm -rf /usr/local/nginx/conf/ssl/demo.howvps.com
 rm -rf /home/nginx/domains/demo.howvps.com
 service nginx restart

-------------------------------------------------------------
vhost for demo.howvps.com setup successfully
demo.howvps.com setup info log saved at: 
/root/centminlogs/centminmod_240117-072138_nginx_addvhost_nv.log
-------------------------------------------------------------


backup & remove /usr/local/nginx/conf/conf.d/demo.howvps.com.conf

[self-signed ssl cert check] required by acmetool.sh

[self-signed ssl] /usr/local/nginx/conf/ssl/demo.howvps.com/dhparam.pem exists
[self-signed ssl] /usr/local/nginx/conf/ssl/demo.howvps.com/demo.howvps.com.crt exists
[self-signed ssl] /usr/local/nginx/conf/ssl/demo.howvps.com/demo.howvps.com.key exists

[sslvhostsetup] create /usr/local/nginx/conf/conf.d/demo.howvps.com.ssl.conf

[non-wp] backup & remove /usr/local/nginx/conf/conf.d/demo.howvps.com.conf
cat /usr/local/nginx/conf/ssl/demo.howvps.com/demo.howvps.com.crt.key.conf
  ssl_dhparam /usr/local/nginx/conf/ssl/demo.howvps.com/dhparam.pem;
  ssl_certificate      /usr/local/nginx/conf/ssl/demo.howvps.com/demo.howvps.com.crt;
  ssl_certificate_key  /usr/local/nginx/conf/ssl/demo.howvps.com/demo.howvps.com.key;
  #ssl_trusted_certificate /usr/local/nginx/conf/ssl/demo.howvps.com/demo.howvps.com-trusted.crt;
Reloading nginx configuration (via systemctl):  [  OK  ]
grep 'root' /usr/local/nginx/conf/conf.d/demo.howvps.com.conf
  root /home/nginx/domains/demo.howvps.com/public;
grep 'root' /usr/local/nginx/conf/conf.d/demo.howvps.com.ssl.conf
  root /home/nginx/domains/demo.howvps.com/public;

-----------------------------------------------------------
issue & install letsencrypt ssl certificate for demo.howvps.com
-----------------------------------------------------------
testcert value = lived
/root/.acme.sh/acme.sh --issue --days 60 -d demo.howvps.com -w /home/nginx/domains/demo.howvps.com/public -k 2048 --useragent centminmod-centos7-acmesh-webroot --log /root/centminlogs/acmetool.sh-debug-log-240117-072132.log --log-level 2
[Tue Jan 24 07:23:52 UTC 2017] Single domain='demo.howvps.com'
[Tue Jan 24 07:23:52 UTC 2017] Getting domain auth token for each domain
[Tue Jan 24 07:23:52 UTC 2017] Getting webroot for domain='demo.howvps.com'
[Tue Jan 24 07:23:52 UTC 2017] _w='/home/nginx/domains/demo.howvps.com/public'
[Tue Jan 24 07:23:52 UTC 2017] Getting new-authz for domain='demo.howvps.com'
[Tue Jan 24 07:23:54 UTC 2017] The new-authz request is ok.
[Tue Jan 24 07:23:54 UTC 2017] Verifying:demo.howvps.com
[Tue Jan 24 07:23:56 UTC 2017] Success
[Tue Jan 24 07:23:56 UTC 2017] Verify finished, start to sign.
[Tue Jan 24 07:23:57 UTC 2017] Cert success.
-----BEGIN CERTIFICATE-----
MIIFDDCCA/SgAwIBAgISA1PXrpSKk854XylKViUSb8TdMA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xNzAxMjQwNjI0MDBaFw0x
NzA0MjQwNjI0MDBaMB8xHTAbBgNVBAMTFGh0dHAyLmNlbnRtaW5tb2QuY29tMIIB
IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAy3CLTa0ITCPO0ATzSPurBxIT
77z1+UjqgcO0u+Zpwbr1fhNINcmtsfeo3UrNntD42RH8UqZEVdjMFQ0aMxb2WTlm
yLIB67G0N4X0RDl++90EcSzWZv4n60NFFybNGyNmXagtl+0ys5mlP37VhlrXd7c1
Il4mpB9PivYlQgxuAw59FjCy1mizjrJqrA4xZGtwXLoHP+VtAN5EUbc5WXcAJlHn
WcF2hYpTHFgHciyGwreXjEyC+r1r+xc67yghw3daFxdRqKpGVZ6/hf5+LgfuJBSd
X2Gk70CV7fQ6YQRfFy6hSQN+iCOUzVuxMSfRvP70+uWpU2aiIRDQKS58KvO60wID
AQABo4ICFTCCAhEwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMB
BggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBTWUhSbkoj1Xj2mXOAe
pl7b7IEqgzAfBgNVHSMEGDAWgBSoSmpjBH3duubRObemRWXv86jsoTBwBggrBgEF
BQcBAQRkMGIwLwYIKwYBBQUHMAGGI2h0dHA6Ly9vY3NwLmludC14My5sZXRzZW5j
cnlwdC5vcmcvMC8GCCsGAQUFBzAChiNodHRwOi8vY2VydC5pbnQteDMubGV0c2Vu
Y3J5cHQub3JnLzAfBgNVHREEGDAWghRodHRwMi5jZW50bWlubW9kLmNvbTCB/gYD
VR0gBIH2MIHzMAgGBmeBDAECATCB5gYLKwYBBAGC3xMBAQEwgdYwJgYIKwYBBQUH
AgEWGmh0dHA6Ly9jcHMubGV0c2VuY3J5cHQub3JnMIGrBggrBgEFBQcCAjCBngyB
m1RoaXMgQ2VydGlmaWNhdGUgbWF5IG9ubHkgYmUgcmVsaWVkIHVwb24gYnkgUmVs
eWluZyBQYXJ0aWVzIGFuZCBvbmx5IGluIGFjY29yZGFuY2Ugd2l0aCB0aGUgQ2Vy
dGlmaWNhdGUgUG9saWN5IGZvdW5kIGF0IGh0dHBzOi8vbGV0c2VuY3J5cHQub3Jn
L3JlcG9zaXRvcnkvMA0GCSqGSIb3DQEBCwUAA4IBAQBTWRwGwUjnWeaj8ifm7Apg
OZw7L2bRP8EGepjFwnxfHf38EC0GYRyYcv0taF3BuIDpn37ICbUaUkK4dvF/K4VE
pAUpdS0c0ikfAhu2rHqrhF2CR7L87EUke5Df3QFEZib5kjbXRIYBpo7C0gglGaQx
3R6vuqWjMceso9dFfixkGcrdAxeIlN5jrsHJyXpA9yZOj1Krr1lmbPD4B1947wgW
wPuLMqWm1+91zZl08LdvPFHfOsibQL+0UNX/Kh7ijVEn1Y2+kr6TyIOWXcdzUqEW
WOI8wta1FRJLvAlZQ8/X89HHIaQ9JlTZE35RCU0Uh4RX7g7pIIYcoqRUj8P9ESXI
-----END CERTIFICATE-----
[Tue Jan 24 07:23:57 UTC 2017] Your cert is in  /root/.acme.sh/demo.howvps.com/demo.howvps.com.cer 
[Tue Jan 24 07:23:57 UTC 2017] Your cert key is in  /root/.acme.sh/demo.howvps.com/demo.howvps.com.key 
[Tue Jan 24 07:23:57 UTC 2017] The intermediate CA cert is in  /root/.acme.sh/demo.howvps.com/ca.cer 
[Tue Jan 24 07:23:57 UTC 2017] And the full chain certs is there:  /root/.acme.sh/demo.howvps.com/fullchain.cer 

switch to HTTPS default after verification


setting HTTPS default in /usr/local/nginx/conf/conf.d/demo.howvps.com.ssl.conf

sed -i 's|^##x# HTTPS-DEFAULT|#x# HTTPS-DEFAULT|g' /usr/local/nginx/conf/conf.d/demo.howvps.com.ssl.conf

remove /usr/local/nginx/conf/conf.d/demo.howvps.com.conf

LECHECK = 0
  ssl_dhparam /usr/local/nginx/conf/ssl/demo.howvps.com/dhparam.pem;
  ssl_certificate      /usr/local/nginx/conf/ssl/demo.howvps.com/demo.howvps.com-acme.cer;
  ssl_certificate_key  /usr/local/nginx/conf/ssl/demo.howvps.com/demo.howvps.com-acme.key;
  ssl_trusted_certificate /usr/local/nginx/conf/ssl/demo.howvps.com/demo.howvps.com-acme.cer;

-----------------------------------------------------------
install cert
-----------------------------------------------------------
/root/.acme.sh/acme.sh --installcert -d demo.howvps.com --certpath /usr/local/nginx/conf/ssl/demo.howvps.com/demo.howvps.com-acme.cer --keypath /usr/local/nginx/conf/ssl/demo.howvps.com/demo.howvps.com-acme.key --capath /usr/local/nginx/conf/ssl/demo.howvps.com/demo.howvps.com-acme.cer --reloadCmd /usr/bin/ngxreload --fullchainpath /usr/local/nginx/conf/ssl/demo.howvps.com/demo.howvps.com-fullchain-acme.key
[Tue Jan 24 07:23:57 UTC 2017] Installing cert to:/usr/local/nginx/conf/ssl/demo.howvps.com/demo.howvps.com-acme.cer
[Tue Jan 24 07:23:57 UTC 2017] Installing CA to:/usr/local/nginx/conf/ssl/demo.howvps.com/demo.howvps.com-acme.cer
[Tue Jan 24 07:23:57 UTC 2017] Installing key to:/usr/local/nginx/conf/ssl/demo.howvps.com/demo.howvps.com-acme.key
[Tue Jan 24 07:23:57 UTC 2017] Installing full chain to:/usr/local/nginx/conf/ssl/demo.howvps.com/demo.howvps.com-fullchain-acme.key
[Tue Jan 24 07:23:57 UTC 2017] Run Le_ReloadCmd: /usr/bin/ngxreload
Reloading nginx configuration (via systemctl):  [  OK  ]
[Tue Jan 24 07:23:58 UTC 2017] Reload success

letsencrypt ssl certificate setup completed
ssl certs located at: /usr/local/nginx/conf/ssl/demo.howvps.com

openssl x509 -noout -text < /usr/local/nginx/conf/ssl/demo.howvps.com/demo.howvps.com-acme.cer
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            03:53:d7:ae:94:8a:93:ce:78:5f:29:4a:56:25:12:6f:c4:dd
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
        Validity
            Not Before: Jan 24 06:24:00 2017 GMT
            Not After : Apr 24 06:24:00 2017 GMT
        Subject: CN=demo.howvps.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:cb:70:8b:4d:ad:08:4c:23:ce:d0:04:f3:48:fb:
                    ab:07:12:13:ef:bc:f5:f9:48:ea:81:c3:b4:bb:e6:
                    69:c1:ba:f5:7e:13:48:35:c9:ad:b1:f7:a8:dd:4a:
                    cd:9e:d0:f8:d9:11:fc:52:a6:44:55:d8:cc:15:0d:
                    1a:33:16:f6:59:39:66:c8:b2:01:eb:b1:b4:37:85:
                    f4:44:39:7e:fb:dd:04:71:2c:d6:66:fe:27:eb:43:
                    45:17:26:cd:1b:23:66:5d:a8:2d:97:ed:32:b3:99:
                    a5:3f:7e:d5:86:5a:d7:77:b7:35:22:5e:26:a4:1f:
                    4f:8a:f6:25:42:0c:6e:03:0e:7d:16:30:b2:d6:68:
                    b3:8e:b2:6a:ac:0e:31:64:6b:70:5c:ba:07:3f:e5:
                    6d:00:de:44:51:b7:39:59:77:00:26:51:e7:59:c1:
                    76:85:8a:53:1c:58:07:72:2c:86:c2:b7:97:8c:4c:
                    82:fa:bd:6b:fb:17:3a:ef:28:21:c3:77:5a:17:17:
                    51:a8:aa:46:55:9e:bf:85:fe:7e:2e:07:ee:24:14:
                    9d:5f:61:a4:ef:40:95:ed:f4:3a:61:04:5f:17:2e:
                    a1:49:03:7e:88:23:94:cd:5b:b1:31:27:d1:bc:fe:
                    f4:fa:e5:a9:53:66:a2:21:10:d0:29:2e:7c:2a:f3:
                    ba:d3
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier: 
                D6:52:14:9B:92:88:F5:5E:3D:A6:5C:E0:1E:A6:5E:DB:EC:81:2A:83
            X509v3 Authority Key Identifier: 
                keyid:A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1

            Authority Information Access: 
                OCSP - URI:http://ocsp.int-x3.letsencrypt.org/
                CA Issuers - URI:http://cert.int-x3.letsencrypt.org/

            X509v3 Subject Alternative Name: 
                DNS:demo.howvps.com
            X509v3 Certificate Policies: 
                Policy: 2.23.140.1.2.1
                Policy: 1.3.6.1.4.1.44947.1.1.1
                  CPS: http://cps.letsencrypt.org
                  User Notice:
                    Explicit Text: This Certificate may only be relied upon by Relying Parties and only in accordance with the Certificate Policy found at https://letsencrypt.org/repository/

    Signature Algorithm: sha256WithRSAEncryption
         53:59:1c:06:c1:48:e7:59:e6:a3:f2:27:e6:ec:0a:60:39:9c:
         3b:2f:66:d1:3f:c1:06:7a:98:c5:c2:7c:5f:1d:fd:fc:10:2d:
         06:61:1c:98:72:fd:2d:68:5d:c1:b8:80:e9:9f:7e:c8:09:b5:
         1a:52:42:b8:76:f1:7f:2b:85:44:a4:05:29:75:2d:1c:d2:29:
         1f:02:1b:b6:ac:7a:ab:84:5d:82:47:b2:fc:ec:45:24:7b:90:
         df:dd:01:44:66:26:f9:92:36:d7:44:86:01:a6:8e:c2:d2:08:
         25:19:a4:31:dd:1e:af:ba:a5:a3:31:c7:ac:a3:d7:45:7e:2c:
         64:19:ca:dd:03:17:88:94:de:63:ae:c1:c9:c9:7a:40:f7:26:
         4e:8f:52:ab:af:59:66:6c:f0:f8:07:5f:78:ef:08:16:c0:fb:
         8b:32:a5:a6:d7:ef:75:cd:99:74:f0:b7:6f:3c:51:df:3a:c8:
         9b:40:bf:b4:50:d5:ff:2a:1e:e2:8d:51:27:d5:8d:be:92:be:
         93:c8:83:96:5d:c7:73:52:a1:16:58:e2:3c:c2:d6:b5:15:12:
         4b:bc:09:59:43:cf:d7:f3:d1:c7:21:a4:3d:26:54:d9:13:7e:
         51:09:4d:14:87:84:57:ee:0e:e9:20:86:1c:a2:a4:54:8f:c3:
         fd:11:25:c8

log files saved at /root/centminlogs
-rw-r--r-- 1 root root  1.2K Jan 24 07:23 centminmod_240117-072138_nginx_addvhost_nv-remove-cmds-demo.howvps.com.log
-rw-r--r-- 1 root root   18K Jan 24 07:23 centminmod_240117-072138_nginx_addvhost_nv.log
-rw-r--r-- 1 root root   29K Jan 24 07:23 acmetool.sh-debug-log-240117-072132.log
-rw-r--r-- 1 root root   30K Jan 24 07:23 acmesh-issue_240117-072132.log

The resulting output lists the log files as well:

log files saved at /root/centminlogs
-rw-r--r-- 1 root root  1.2K Jan 24 07:23 centminmod_240117-072138_nginx_addvhost_nv-remove-cmds-demo.howvps.com.log
-rw-r--r-- 1 root root   18K Jan 24 07:23 centminmod_240117-072138_nginx_addvhost_nv.log
-rw-r--r-- 1 root root   29K Jan 24 07:23 acmetool.sh-debug-log-240117-072132.log
-rw-r--r-- 1 root root   30K Jan 24 07:23 acmesh-issue_240117-072132.log

Part of logged output is also the Nginx vhost site details, path to web root, log file path, self-signed SSL certificate info and pure-ftpd virtual ftp username/password which is generated before Letsencrypt SSL cert.

-------------------------------------------------------------
FTP hostname : 107.170.215.183
FTP port : 21
FTP mode : FTP (explicit SSL)
FTP Passive (PASV) : ensure is checked/enabled
FTP username created for demo.howvps.com : *********
FTP password created for demo.howvps.com : *********
-------------------------------------------------------------
vhost for demo.howvps.com created successfully

domain: http://demo.howvps.com
vhost conf file for demo.howvps.com created: /usr/local/nginx/conf/conf.d/demo.howvps.com.conf

vhost ssl for demo.howvps.com created successfully

domain: https://demo.howvps.com
vhost ssl conf file for demo.howvps.com created: /usr/local/nginx/conf/conf.d/demo.howvps.com.ssl.conf
/usr/local/nginx/conf/ssl/demo.howvps.com/demo.howvps.com.crt.key.conf created
/usr/local/nginx/conf/ssl_include.conf created
Self-signed SSL Certificate: /usr/local/nginx/conf/ssl/demo.howvps.com/demo.howvps.com.crt
SSL Private Key: /usr/local/nginx/conf/ssl/demo.howvps.com/demo.howvps.com.key
SSL CSR File: /usr/local/nginx/conf/ssl/demo.howvps.com/demo.howvps.com.csr
Backup SSL Private Key: /usr/local/nginx/conf/ssl/demo.howvps.com/demo.howvps.com-backup.key
Backup SSL CSR File: /usr/local/nginx/conf/ssl/demo.howvps.com/demo.howvps.com-backup.csr

upload files to /home/nginx/domains/demo.howvps.com/public
vhost log files directory is /home/nginx/domains/demo.howvps.com/log

-------------------------------------------------------------

After Letsencrypt SSL issuance, additional Letsencrypt SSL certificate files are generated at /root/.acme.sh/demo.howvps.com/

-----END CERTIFICATE-----
[Tue Jan 24 07:23:57 UTC 2017] Your cert is in  /root/.acme.sh/demo.howvps.com/demo.howvps.com.cer 
[Tue Jan 24 07:23:57 UTC 2017] Your cert key is in  /root/.acme.sh/demo.howvps.com/demo.howvps.com.key 
[Tue Jan 24 07:23:57 UTC 2017] The intermediate CA cert is in  /root/.acme.sh/demo.howvps.com/ca.cer 
[Tue Jan 24 07:23:57 UTC 2017] And the full chain certs is there:  /root/.acme.sh/demo.howvps.com/fullchain.cer

Which is that copied from /root/.acme.sh/demo.howvps.com/ to Nginx site’s directory at /usr/local/nginx/conf/ssl/demo.howvps.com/. And your Nginx vhost /usr/local/nginx/conf/conf.d/demo.howvps.com.ssl.conf is automatically updated for correct paths.

  ssl_dhparam /usr/local/nginx/conf/ssl/demo.howvps.com/dhparam.pem;
  ssl_certificate      /usr/local/nginx/conf/ssl/demo.howvps.com/demo.howvps.com-acme.cer;
  ssl_certificate_key  /usr/local/nginx/conf/ssl/demo.howvps.com/demo.howvps.com-acme.key;
  ssl_trusted_certificate /usr/local/nginx/conf/ssl/demo.howvps.com/demo.howvps.com-acme.cer;

Example of Centmin Mod Nginx HTTP/2 HTTPS vhost auto generated contents with only a 302 temporarily redirect for HTTP to HTTPS. Once you confirm all is working you can change return 302 to permanent 301 redirect return 301:

#x# HTTPS-DEFAULT
server {
  
  server_name demo.howvps.com www.demo.howvps.com;
  return 302 https://$server_name$request_uri;
}

server {
  listen 443 ssl http2;
  server_name demo.howvps.com www.demo.howvps.com;

  include /usr/local/nginx/conf/ssl/demo.howvps.com/demo.howvps.com.crt.key.conf;
  include /usr/local/nginx/conf/ssl_include.conf;

  http2_max_field_size 16k;
  http2_max_header_size 32k;
  # mozilla recommended
  ssl_ciphers TLS13-AES-128-GCM-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS;
  ssl_prefer_server_ciphers   on;
  #add_header Alternate-Protocol  443:npn-spdy/3;

  # before enabling HSTS line below read centminmod.com/nginx_domain_dns_setup.html#hsts
  #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
  #add_header X-Frame-Options SAMEORIGIN;
  #add_header X-Xss-Protection "1; mode=block" always;
  #add_header X-Content-Type-Options "nosniff" always;
  #spdy_headers_comp 5;
  ssl_buffer_size 1369;
  ssl_session_tickets on;
  
  # enable ocsp stapling
  resolver 8.8.8.8 8.8.4.4 valid=10m;
  resolver_timeout 10s;
  ssl_stapling on;
  ssl_stapling_verify on;

# ngx_pagespeed & ngx_pagespeed handler
#include /usr/local/nginx/conf/pagespeed.conf;
#include /usr/local/nginx/conf/pagespeedhandler.conf;
#include /usr/local/nginx/conf/pagespeedstatslog.conf;

  # limit_conn limit_per_ip 16;
  # ssi  on;

  access_log /home/nginx/domains/demo.howvps.com/log/access.log combined buffer=256k flush=5m;
  error_log /home/nginx/domains/demo.howvps.com/log/error.log;

  include /usr/local/nginx/conf/autoprotect/demo.howvps.com/autoprotect-demo.howvps.com.conf;
  root /home/nginx/domains/demo.howvps.com/public;
  # uncomment cloudflare.conf include if using cloudflare for
  # server and/or vhost site
  #include /usr/local/nginx/conf/cloudflare.conf;
  include /usr/local/nginx/conf/503include-main.conf;

  location / {
  include /usr/local/nginx/conf/503include-only.conf;

# block common exploits, sql injections etc
#include /usr/local/nginx/conf/block.conf;

  # Enables directory listings when index file not found
  #autoindex  on;

  # Shows file listing times as local time
  #autoindex_localtime on;

  # Enable for vBulletin usage WITHOUT vbSEO installed
  # More example Nginx vhost configurations at
  # http://centminmod.com/nginx_configure.html
  #try_files    $uri $uri/ /index.php;

  }

  include /usr/local/nginx/conf/staticfiles.conf;
  include /usr/local/nginx/conf/php.conf;
  include /usr/local/nginx/conf/drop.conf;
  #include /usr/local/nginx/conf/errorpage.conf;
  include /usr/local/nginx/conf/vts_server.conf;
}

Which contains an include file which lists the actual paths to Letsencrypt SSL certificates at /usr/local/nginx/conf/ssl/demo.howvps.com/demo.howvps.com.crt.key.conf.

  ssl_dhparam /usr/local/nginx/conf/ssl/demo.howvps.com/dhparam.pem;
  ssl_certificate      /usr/local/nginx/conf/ssl/demo.howvps.com/demo.howvps.com-acme.cer;
  ssl_certificate_key  /usr/local/nginx/conf/ssl/demo.howvps.com/demo.howvps.com-acme.key;
  ssl_trusted_certificate /usr/local/nginx/conf/ssl/demo.howvps.com/demo.howvps.com-acme.cer;

How to use acmetool in Centmin Mod Menu

After installing acmetool successfully to create an SSL certificate from Let’s Encrypt, to use this tool still in the Centon Mod addon folder you use the command.

./acmetool.sh acme-menu

After using the above command, a menu will appear

--------------------------------------------------------
        SSL Management              
--------------------------------------------------------
1).  acemtool.sh install
2).  acmetool.sh update
3).  acmetool.sh setup
4).  Issue SSL Management
5).  Renew SSL Management
6).  Reissue SSL Management
7).  Renew All Staging /Test Certs
8).  Renew ALL Live Certs 
9).  Renew All Live Certs HTTPS Default
10). Exit
--------------------------------------------------------
Enter option [ 1 - 10 ] 

This menu will include the functionality of the installed acmetool. In it to create an SSL certificate from Let’s Encrypt we use function number 4.

--------------------------------------------------------
Enter option [ 1 - 10 ] 4
--------------------------------------------------------

...

--------------------------------------------------------
        SSL Issue Management              
--------------------------------------------------------
1).  Issue SSL Cert Staging/Test
2).  Issue SSL Cert Staging/Test HTTPS Default
3).  Issue SSL Cert Live
4).  Issue SSL Cert Live HTTPS Default
5).  Custom Webroot Issue SSL Cert Staging/Test
6).  Custom Webroot Issue SSL Cert Staging/Test HTTPS Default
7).  Custom Webroot Issue SSL Cert Live
8).  Custom Webroot Issue SSL Cert Live HTTPS Default
9).  S3 Issue SSL Cert
10). S3 Issue SSL Cert
11). S3 Issue SSL Cert
12). S3 Issue SSL Cert
13). Exit
--------------------------------------------------------
Enter option [ 1 - 13 ] 

In the section for managing and creating SSL certificates, you only need to care about function number 3 or 4. I will try to create an SSL certificate using menu number 4 for testcentmin.ml domain.

Note: before creating the certificate, make sure that the domain points to the IP of the VPS.

--------------------------------------------------------
        SSL Issue Management              
--------------------------------------------------------
1).  Issue SSL Cert Staging/Test
2).  Issue SSL Cert Staging/Test HTTPS Default
3).  Issue SSL Cert Live
4).  Issue SSL Cert Live HTTPS Default
5).  Custom Webroot Issue SSL Cert Staging/Test
6).  Custom Webroot Issue SSL Cert Staging/Test HTTPS Default
7).  Custom Webroot Issue SSL Cert Live
8).  Custom Webroot Issue SSL Cert Live HTTPS Default
9).  S3 Issue SSL Cert
10). S3 Issue SSL Cert
11). S3 Issue SSL Cert
12). S3 Issue SSL Cert
13). Exit
--------------------------------------------------------
Enter option [ 1 - 13 ] 4
--------------------------------------------------------

...

Enter SSL certificate domain name you want without www. prefix host: testcentmin.ml


-------------------------------------------------
acmetool.sh is in beta testing phase
please read & provide bug reports &
feedback for this tool via the forums
https://centminmod.com/acmetool
-------------------------------------------------

continue [y/n] ? y

-----------------------------------------------------
updating acme.sh client...
-----------------------------------------------------
Cloning into 'acme.sh'...
[Tue Sep 24 09:07:13 UTC 2019] It is recommended to install socat first.
[Tue Sep 24 09:07:13 UTC 2019] We use socat for standalone server if you use standalone mode.
[Tue Sep 24 09:07:13 UTC 2019] If you don't use standalone mode, just ignore this warning.
[Tue Sep 24 09:07:13 UTC 2019] Installing to /root/.acme.sh
[Tue Sep 24 09:07:13 UTC 2019] Installed to /root/.acme.sh/acme.sh
[Tue Sep 24 09:07:13 UTC 2019] Installing alias to '/root/.bashrc'
[Tue Sep 24 09:07:13 UTC 2019] OK, Close and reopen your terminal to start using acme.sh
[Tue Sep 24 09:07:13 UTC 2019] Installing alias to '/root/.cshrc'
[Tue Sep 24 09:07:13 UTC 2019] Installing alias to '/root/.tcshrc'
[Tue Sep 24 09:07:13 UTC 2019] Installing cron job
29 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null
[Tue Sep 24 09:07:13 UTC 2019] Good, bash is found, so change the shebang to use bash as preferred.
[Tue Sep 24 09:07:14 UTC 2019] OK
https://github.com/Neilpang/acme.sh
v2.8.3
-----------------------------------------------------
acme.sh updated
-----------------------------------------------------

testcentmin.ml nginx vhost + pureftp virtual ftp user setup

/usr/bin/nv -d testcentmin.ml -s ydle -u QPECW1F3oQstbNN
---------------------------------------------------------------
Nginx Vhost Setup...
---------------------------------------------------------------


FTP password auto generated: 1I}6M4K^zx.|bi)%7DFvu

Password: 
Enter it again: 
---------------------------------------------------------------
SSL Vhost Setup...
---------------------------------------------------------------

--2019-09-24 09:07:18--  https://support.cloudflare.com/hc/en-us/article_attachments/201243967/origin-pull-ca.pem
Resolving support.cloudflare.com... 104.16.51.111, 104.16.55.111, 104.16.54.111, ...
Connecting to support.cloudflare.com|104.16.51.111|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2151 (2.1K) [application/x-x509-ca-cert]
Saving to: ‘/usr/local/nginx/conf/ssl/cloudflare/testcentmin.ml/origin.crt’

     0K ..                                                    100% 14.5M=0s

2019-09-24 09:07:18 (14.5 MB/s) - ‘/usr/local/nginx/conf/ssl/cloudflare/testcentmin.ml/origin.crt’ saved [2151/2151]

---------------------------------------------------------------
Generating self signed SSL certificate...
CSR file can also be used to be submitted for paid SSL certificates
If using for paid SSL certificates be sure to keep both private key and CSR safe
creating CSR File: testcentmin.ml.csr
creating private key: testcentmin.ml.key
creating self-signed SSL certificate: testcentmin.ml.crt

[req]
default_bits       = 2048
distinguished_name = req_distinguished_name
req_extensions     = v3_req
prompt = no
[req_distinguished_name]
C = US
ST = California
L = Los Angeles
O = testcentmin.ml
OU = testcentmin.ml
CN = testcentmin.ml
[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = testcentmin.ml
DNS.2 = www.testcentmin.ml

authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = testcentmin.ml
DNS.2 = www.testcentmin.ml

Generating a 2048 bit RSA private key
..................+++
..................+++
writing new private key to 'testcentmin.ml.key'
-----
                DNS:testcentmin.ml, DNS:www.testcentmin.ml
Signature ok
subject=/C=US/ST=California/L=Los Angeles/O=testcentmin.ml/OU=testcentmin.ml/CN=testcentmin.ml
Getting Private key

---------------------------------------------------------------
Generating dhparam.pem file - can take a few minutes...
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
................................................................................................................+.............................................................................................................+...............................................................................................................+...............................................................................................+.................................................................................................+...............................................................................................................................+..............................................................................................................................................+..............................................................................................................................+.......................................................................+..+...............................+...............................................+.....................................................................................................................++*++*
dhparam file generation time: 12.546216351

-------------------------------------------------------------
/usr/local/src/centminmod/tools/autoprotect.sh
generated nginx include file [same]: /usr/local/nginx/conf/autoprotect/demodomain.com/autoprotect-demodomain.com.conf
generated nginx include file [initial]: /usr/local/nginx/conf/autoprotect/testcentmin.ml/autoprotect-testcentmin.ml.conf

autoprotect.sh run completed skipped nginx reload...

Reloading nginx configuration (via systemctl):  [  OK  ]
Restarting nginx (via systemctl):  [  OK  ]

-------------------------------------------------------------
FTP hostname : 45.77.154.110
FTP port : 21
FTP mode : FTP (explicit SSL)
FTP Passive (PASV) : ensure is checked/enabled
FTP username created for testcentmin.ml : QPECW1F3oQstbNN
FTP password created for testcentmin.ml : 1I}6M4K^zx.|bi)%7DFvu
-------------------------------------------------------------
vhost for testcentmin.ml created successfully

domain: http://testcentmin.ml
vhost conf file for testcentmin.ml created: /usr/local/nginx/conf/conf.d/testcentmin.ml.conf

vhost ssl for testcentmin.ml created successfully

domain: https://testcentmin.ml
vhost ssl conf file for testcentmin.ml created: /usr/local/nginx/conf/conf.d/testcentmin.ml.ssl.conf
/usr/local/nginx/conf/ssl/testcentmin.ml/testcentmin.ml.crt.key.conf created
/usr/local/nginx/conf/ssl_include.conf created
Self-signed SSL Certificate: /usr/local/nginx/conf/ssl/testcentmin.ml/testcentmin.ml.crt
SSL Private Key: /usr/local/nginx/conf/ssl/testcentmin.ml/testcentmin.ml.key
SSL CSR File: /usr/local/nginx/conf/ssl/testcentmin.ml/testcentmin.ml.csr
Backup SSL Private Key: /usr/local/nginx/conf/ssl/testcentmin.ml/testcentmin.ml-backup.key
Backup SSL CSR File: /usr/local/nginx/conf/ssl/testcentmin.ml/testcentmin.ml-backup.csr

upload files to /home/nginx/domains/testcentmin.ml/public
vhost log files directory is /home/nginx/domains/testcentmin.ml/log

-------------------------------------------------------------
Current vhost listing at: /usr/local/nginx/conf/conf.d/

                       
Sep 21  16:34   1.1K   demodomain.com.conf
Sep 21  16:59   1.4K   virtual.conf
Sep 24  09:07   2.2K   testcentmin.ml.conf
Sep 24  09:07   3.7K   testcentmin.ml.ssl.conf

-------------------------------------------------------------
Current vhost ssl files listing at: /usr/local/nginx/conf/ssl/testcentmin.ml

                       
Sep 24  09:07   1.7K   testcentmin.ml.key
Sep 24  09:07   1.2K   testcentmin.ml.csr
Sep 24  09:07   1.6K   testcentmin.ml.crt
Sep 24  09:07   424    dhparam.pem
Sep 24  09:07   332    testcentmin.ml.crt.key.conf

-------------------------------------------------------------
Commands to remove testcentmin.ml

 pure-pw userdel QPECW1F3oQstbNN
 rm -rf /usr/local/nginx/conf/conf.d/testcentmin.ml.conf
 rm -rf /usr/local/nginx/conf/conf.d/testcentmin.ml.ssl.conf
 rm -rf /usr/local/nginx/conf/ssl/testcentmin.ml/testcentmin.ml.crt
 rm -rf /usr/local/nginx/conf/ssl/testcentmin.ml/testcentmin.ml.key
 rm -rf /usr/local/nginx/conf/ssl/testcentmin.ml/testcentmin.ml.csr
 rm -rf /usr/local/nginx/conf/ssl/testcentmin.ml
 rm -rf /home/nginx/domains/testcentmin.ml
 rm -rf /root/.acme.sh/testcentmin.ml
 rm -rf /root/.acme.sh/testcentmin.ml_ecc
 rm -rf /usr/local/nginx/conf/pre-staticfiles-local-testcentmin.ml.conf
 service nginx restart

-------------------------------------------------------------
vhost for testcentmin.ml setup successfully
testcentmin.ml setup info log saved at: 
/root/centminlogs/centminmod_240919-090714_nginx_addvhost_nv.log
-------------------------------------------------------------


backup & remove /usr/local/nginx/conf/conf.d/testcentmin.ml.conf

[self-signed ssl cert check] required by acmetool.sh

[self-signed ssl] /usr/local/nginx/conf/ssl/testcentmin.ml/dhparam.pem exists
[self-signed ssl] /usr/local/nginx/conf/ssl/testcentmin.ml/testcentmin.ml.crt exists
[self-signed ssl] /usr/local/nginx/conf/ssl/testcentmin.ml/testcentmin.ml.key exists

[sslvhostsetup] create /usr/local/nginx/conf/conf.d/testcentmin.ml.ssl.conf

[non-wp] backup & remove /usr/local/nginx/conf/conf.d/testcentmin.ml.conf
cat /usr/local/nginx/conf/ssl/testcentmin.ml/testcentmin.ml.crt.key.conf
  ssl_dhparam /usr/local/nginx/conf/ssl/testcentmin.ml/dhparam.pem;
  ssl_certificate      /usr/local/nginx/conf/ssl/testcentmin.ml/testcentmin.ml.crt;
  ssl_certificate_key  /usr/local/nginx/conf/ssl/testcentmin.ml/testcentmin.ml.key;
  #ssl_trusted_certificate /usr/local/nginx/conf/ssl/testcentmin.ml/testcentmin.ml-trusted.crt;
Reloading nginx configuration (via systemctl):  [  OK  ]
grep 'root' /usr/local/nginx/conf/conf.d/testcentmin.ml.conf
  root /home/nginx/domains/testcentmin.ml/public;
grep 'root' /usr/local/nginx/conf/conf.d/testcentmin.ml.ssl.conf
  root /home/nginx/domains/testcentmin.ml/public;

-----------------------------------------------------------
issue & install letsencrypt ssl certificate for testcentmin.ml
-----------------------------------------------------------
testcert value = lived
/root/.acme.sh/acme.sh --issue -d testcentmin.ml -d www.testcentmin.ml --days 60 -w /home/nginx/domains/testcentmin.ml/public -k 2048 --useragent centminmod-centos7-acmesh-webroot --log /root/centminlogs/acmetool.sh-debug-log-240919-090709.log --log-level 2
[Tue Sep 24 09:07:49 UTC 2019] Create account key ok.
[Tue Sep 24 09:07:49 UTC 2019] Registering account
[Tue Sep 24 09:17:50 UTC 2019] Registered
[Tue Sep 24 09:17:50 UTC 2019] ACCOUNT_THUMBPRINT='gXdjBkF1QcrNqtOTutlC5hSJxkHMdVs3hztWqLwH-GI'
[Tue Sep 24 09:17:50 UTC 2019] Creating domain key
[Tue Sep 24 09:17:50 UTC 2019] The domain key is here: /root/.acme.sh/testcentmin.ml/testcentmin.ml.key
[Tue Sep 24 09:17:50 UTC 2019] Multi domain='DNS:testcentmin.ml,DNS:www.testcentmin.ml'
[Tue Sep 24 09:17:50 UTC 2019] Getting domain auth token for each domain
[Tue Sep 24 09:17:52 UTC 2019] Getting webroot for domain='testcentmin.ml'
[Tue Sep 24 09:17:53 UTC 2019] Getting webroot for domain='www.testcentmin.ml'
[Tue Sep 24 09:17:53 UTC 2019] Verifying: testcentmin.ml
[Tue Sep 24 09:17:57 UTC 2019] Success
[Tue Sep 24 09:17:57 UTC 2019] Verifying: www.testcentmin.ml
[Tue Sep 24 09:18:00 UTC 2019] Success
[Tue Sep 24 09:18:00 UTC 2019] Verify finished, start to sign.
[Tue Sep 24 09:18:00 UTC 2019] Lets finalize the order, Le_OrderFinalize: https://acme-v02.api.letsencrypt.org/acme/finalize/67157997/1150853613
[Tue Sep 24 09:18:02 UTC 2019] Download cert, Le_LinkCert: https://acme-v02.api.letsencrypt.org/acme/cert/04f3ac1bd1f956de5c7899ca7785e70f5f0d
[Tue Sep 24 09:18:02 UTC 2019] Cert success.
-----BEGIN CERTIFICATE-----
MIIFaTCCBFGgAwIBAgISBPOsG9H5Vt5ceJnKd4XnD18NMA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xOTA5MjQwODE4MDBaFw0x
OTEyMjMwODE4MDBaMBkxFzAVBgNVBAMTDnRlc3RjZW50bWluLm1sMIIBIjANBgkq
hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqQg5zKiaLNC2GruutG2n/p0QVh4pL8K9
GZ8GkqkPUiZEmQFe85PG+wOBIVFJOQaynL5/GcONRwm/AdQtsfDGrNPymnwRS2TF
z+/B+dtIqZcWjHgk55Yw49xs8Qz46JkzpNT1G7sIQH5/V7XiIkvzUYMxIh3EDJcQ
i8PcChGuL58v3372OxBB5/gytF2nCRJmsBmxCGfcxr9jqYcZCsCOiNzYHBfUiia2
u3zbH+UsjX9nkZIeweDHFaiSzh2cUMsU4rgRf2Rk0dKY6zncGuoO6CcogcSmrDmK
tqR8cPkdldenWhCtuaoxV3cDxFefl6RX4y363VnvKRILhrlRIn+1kQIDAQABo4IC
eDCCAnQwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEF
BQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBTuCPDZ8ECfnIxL3EvZhRfDJrnp
NzAfBgNVHSMEGDAWgBSoSmpjBH3duubRObemRWXv86jsoTBvBggrBgEFBQcBAQRj
MGEwLgYIKwYBBQUHMAGGImh0dHA6Ly9vY3NwLmludC14My5sZXRzZW5jcnlwdC5v
cmcwLwYIKwYBBQUHMAKGI2h0dHA6Ly9jZXJ0LmludC14My5sZXRzZW5jcnlwdC5v
cmcvMC0GA1UdEQQmMCSCDnRlc3RjZW50bWluLm1sghJ3d3cudGVzdGNlbnRtaW4u
bWwwTAYDVR0gBEUwQzAIBgZngQwBAgEwNwYLKwYBBAGC3xMBAQEwKDAmBggrBgEF
BQcCARYaaHR0cDovL2Nwcy5sZXRzZW5jcnlwdC5vcmcwggEFBgorBgEEAdZ5AgQC
BIH2BIHzAPEAdgB0ftqDMa0zEJEhnM4lT0Jwwr/9XkIgCMY3NXnmEHvMVgAAAW1i
kDQ5AAAEAwBHMEUCIQDGt1BopnZ2QK29hY6uzATwwMGB9/zGvFTt5b5GcQyXpgIg
CmBpQA2mFE5dnLXYacBoLJEAnlxvzKT8vL86VfyVtzUAdwBj8tvN6DvMLM8LcoQn
V2szpI1hd4+9daY4scdoVEvYjQAAAW1ikDQuAAAEAwBIMEYCIQD9CnVYIMwCnRDP
B2v3Uiw6nUUrmtIeFVZ6is06oo8mpwIhAKUzHxahsR9GRguCQgc09bQyRaORarIB
Lkbnm65KqMXVMA0GCSqGSIb3DQEBCwUAA4IBAQBxlio6bzX4FJ7m6bnP4ZO9OpG5
1K+eB4BkeLN0sA+bueF3rEsdixAx/j5NoBtHP9ltLrATwQqFmeMHigHo1sLb1dcp
Qf8l+uMpQPctc65wN0kuxlD7D8UOLMBQNTazTDdE5H5kFJQXedOVlpwn7hKwxBim
k0f3/abu3zpk11YUZ/m9tY8VzFc4aggFkcd+dls9asOWXVaEVD8kBSpRsjxMkuLj
MOBAZCrYOZFMleGhqHMvs6A2npM+ner5g9ACYnNhKWAw+CehDXS/8HCdqRgQb/Sk
uYNFfyqyJ4pam8aLqFL0wYv6daNReRY1y4UgSfSWQmyb/eXTAqlt0DsbqN9h
-----END CERTIFICATE-----
[Tue Sep 24 09:18:02 UTC 2019] Your cert is in  /root/.acme.sh/testcentmin.ml/testcentmin.ml.cer 
[Tue Sep 24 09:18:02 UTC 2019] Your cert key is in  /root/.acme.sh/testcentmin.ml/testcentmin.ml.key 
[Tue Sep 24 09:18:02 UTC 2019] The intermediate CA cert is in  /root/.acme.sh/testcentmin.ml/ca.cer 
[Tue Sep 24 09:18:02 UTC 2019] And the full chain certs is there:  /root/.acme.sh/testcentmin.ml/fullchain.cer 

switch to HTTPS default after verification


setting HTTPS default in /usr/local/nginx/conf/conf.d/testcentmin.ml.ssl.conf

sed -i 's|^##x# HTTPS-DEFAULT|#x# HTTPS-DEFAULT|g' "/usr/local/nginx/conf/conf.d/testcentmin.ml.ssl.conf"
sed -i "s|#x# server {| server {|" "/usr/local/nginx/conf/conf.d/testcentmin.ml.ssl.conf"
sed -i "s|#x#   |   |" "/usr/local/nginx/conf/conf.d/testcentmin.ml.ssl.conf"
sed -i "s|#x#   server_name testcentmin.ml www.testcentmin.ml;|   server_name testcentmin.ml www.testcentmin.ml;|" "/usr/local/nginx/conf/conf.d/testcentmin.ml.ssl.conf"
sed -i "s|#x#   return 302 https://testcentmin.ml$request_uri;|   return 302 https://testcentmin.ml$request_uri;|" "/usr/local/nginx/conf/conf.d/testcentmin.ml.ssl.conf"
sed -i "s|#x#   include \/usr\/local\/nginx\/conf\/staticfiles.conf;|   include \/usr\/local\/nginx\/conf\/staticfiles.conf;|" "/usr/local/nginx/conf/conf.d/testcentmin.ml.ssl.conf"
sed -i "s|#x# }| }|" "/usr/local/nginx/conf/conf.d/testcentmin.ml.ssl.conf"

remove /usr/local/nginx/conf/conf.d/testcentmin.ml.conf

LECHECK = 0
  ssl_dhparam /usr/local/nginx/conf/ssl/testcentmin.ml/dhparam.pem;
  ssl_certificate      /usr/local/nginx/conf/ssl/testcentmin.ml/testcentmin.ml-acme.cer;
  ssl_certificate_key  /usr/local/nginx/conf/ssl/testcentmin.ml/testcentmin.ml-acme.key;
  ssl_trusted_certificate /usr/local/nginx/conf/ssl/testcentmin.ml/testcentmin.ml-acme.cer;

-----------------------------------------------------------
install cert
-----------------------------------------------------------
/root/.acme.sh/acme.sh --installcert -d testcentmin.ml -d www.testcentmin.ml --certpath /usr/local/nginx/conf/ssl/testcentmin.ml/testcentmin.ml-acme.cer --keypath /usr/local/nginx/conf/ssl/testcentmin.ml/testcentmin.ml-acme.key --capath /usr/local/nginx/conf/ssl/testcentmin.ml/testcentmin.ml-acme.cer --reloadCmd /usr/bin/ngxreload --fullchainpath /usr/local/nginx/conf/ssl/testcentmin.ml/testcentmin.ml-fullchain-acme.key
[Tue Sep 24 09:18:03 UTC 2019] Installing cert to:/usr/local/nginx/conf/ssl/testcentmin.ml/testcentmin.ml-acme.cer
[Tue Sep 24 09:18:03 UTC 2019] Installing CA to:/usr/local/nginx/conf/ssl/testcentmin.ml/testcentmin.ml-acme.cer
[Tue Sep 24 09:18:03 UTC 2019] Installing key to:/usr/local/nginx/conf/ssl/testcentmin.ml/testcentmin.ml-acme.key
[Tue Sep 24 09:18:03 UTC 2019] Installing full chain to:/usr/local/nginx/conf/ssl/testcentmin.ml/testcentmin.ml-fullchain-acme.key
[Tue Sep 24 09:18:03 UTC 2019] Run reload cmd: /usr/bin/ngxreload
Reloading nginx configuration (via systemctl):  [  OK  ]
[Tue Sep 24 09:18:03 UTC 2019] Reload success

letsencrypt ssl certificate setup completed
ssl certs located at: /usr/local/nginx/conf/ssl/testcentmin.ml

openssl x509 -noout -text < /usr/local/nginx/conf/ssl/testcentmin.ml/testcentmin.ml-acme.cer
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            04:f3:ac:1b:d1:f9:56:de:5c:78:99:ca:77:85:e7:0f:5f:0d
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
        Validity
            Not Before: Sep 24 08:18:00 2019 GMT
            Not After : Dec 23 08:18:00 2019 GMT
        Subject: CN=testcentmin.ml
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:a9:08:39:cc:a8:9a:2c:d0:b6:1a:bb:ae:b4:6d:
                    a7:fe:9d:10:56:1e:29:2f:c2:bd:19:9f:06:92:a9:
                    0f:52:26:44:99:01:5e:f3:93:c6:fb:03:81:21:51:
                    49:39:06:b2:9c:be:7f:19:c3:8d:47:09:bf:01:d4:
                    2d:b1:f0:c6:ac:d3:f2:9a:7c:11:4b:64:c5:cf:ef:
                    c1:f9:db:48:a9:97:16:8c:78:24:e7:96:30:e3:dc:
                    6c:f1:0c:f8:e8:99:33:a4:d4:f5:1b:bb:08:40:7e:
                    7f:57:b5:e2:22:4b:f3:51:83:31:22:1d:c4:0c:97:
                    10:8b:c3:dc:0a:11:ae:2f:9f:2f:df:7e:f6:3b:10:
                    41:e7:f8:32:b4:5d:a7:09:12:66:b0:19:b1:08:67:
                    dc:c6:bf:63:a9:87:19:0a:c0:8e:88:dc:d8:1c:17:
                    d4:8a:26:b6:bb:7c:db:1f:e5:2c:8d:7f:67:91:92:
                    1e:c1:e0:c7:15:a8:92:ce:1d:9c:50:cb:14:e2:b8:
                    11:7f:64:64:d1:d2:98:eb:39:dc:1a:ea:0e:e8:27:
                    28:81:c4:a6:ac:39:8a:b6:a4:7c:70:f9:1d:95:d7:
                    a7:5a:10:ad:b9:aa:31:57:77:03:c4:57:9f:97:a4:
                    57:e3:2d:fa:dd:59:ef:29:12:0b:86:b9:51:22:7f:
                    b5:91
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier: 
                EE:08:F0:D9:F0:40:9F:9C:8C:4B:DC:4B:D9:85:17:C3:26:B9:E9:37
            X509v3 Authority Key Identifier: 
                keyid:A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1

            Authority Information Access: 
                OCSP - URI:http://ocsp.int-x3.letsencrypt.org
                CA Issuers - URI:http://cert.int-x3.letsencrypt.org/

            X509v3 Subject Alternative Name: 
                DNS:testcentmin.ml, DNS:www.testcentmin.ml
            X509v3 Certificate Policies: 
                Policy: 2.23.140.1.2.1
                Policy: 1.3.6.1.4.1.44947.1.1.1
                  CPS: http://cps.letsencrypt.org

            CT Precertificate SCTs: 
                Signed Certificate Timestamp:
                    Version   : v1(0)
                    Log ID    : 74:7E:DA:83:31:AD:33:10:91:21:9C:CE:25:4F:42:70:
                                C2:BF:FD:5E:42:20:08:C6:37:35:79:E6:10:7B:CC:56
                    Timestamp : Sep 24 09:18:00.761 2019 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:45:02:21:00:C6:B7:50:68:A6:76:76:40:AD:BD:85:
                                8E:AE:CC:04:F0:C0:C1:81:F7:FC:C6:BC:54:ED:E5:BE:
                                46:71:0C:97:A6:02:20:0A:60:69:40:0D:A6:14:4E:5D:
                                9C:B5:D8:69:C0:68:2C:91:00:9E:5C:6F:CC:A4:FC:BC:
                                BF:3A:55:FC:95:B7:35
                Signed Certificate Timestamp:
                    Version   : v1(0)
                    Log ID    : 63:F2:DB:CD:E8:3B:CC:2C:CF:0B:72:84:27:57:6B:33:
                                A4:8D:61:77:8F:BD:75:A6:38:B1:C7:68:54:4B:D8:8D
                    Timestamp : Sep 24 09:18:00.750 2019 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:46:02:21:00:FD:0A:75:58:20:CC:02:9D:10:CF:07:
                                6B:F7:52:2C:3A:9D:45:2B:9A:D2:1E:15:56:7A:8A:CD:
                                3A:A2:8F:26:A7:02:21:00:A5:33:1F:16:A1:B1:1F:46:
                                46:0B:82:42:07:34:F5:B4:32:45:A3:91:6A:B2:01:2E:
                                46:E7:9B:AE:4A:A8:C5:D5
    Signature Algorithm: sha256WithRSAEncryption
         71:96:2a:3a:6f:35:f8:14:9e:e6:e9:b9:cf:e1:93:bd:3a:91:
         b9:d4:af:9e:07:80:64:78:b3:74:b0:0f:9b:b9:e1:77:ac:4b:
         1d:8b:10:31:fe:3e:4d:a0:1b:47:3f:d9:6d:2e:b0:13:c1:0a:
         85:99:e3:07:8a:01:e8:d6:c2:db:d5:d7:29:41:ff:25:fa:e3:
         29:40:f7:2d:73:ae:70:37:49:2e:c6:50:fb:0f:c5:0e:2c:c0:
         50:35:36:b3:4c:37:44:e4:7e:64:14:94:17:79:d3:95:96:9c:
         27:ee:12:b0:c4:18:a6:93:47:f7:fd:a6:ee:df:3a:64:d7:56:
         14:67:f9:bd:b5:8f:15:cc:57:38:6a:08:05:91:c7:7e:76:5b:
         3d:6a:c3:96:5d:56:84:54:3f:24:05:2a:51:b2:3c:4c:92:e2:
         e3:30:e0:40:64:2a:d8:39:91:4c:95:e1:a1:a8:73:2f:b3:a0:
         36:9e:93:3e:9d:ea:f9:83:d0:02:62:73:61:29:60:30:f8:27:
         a1:0d:74:bf:f0:70:9d:a9:18:10:6f:f4:a4:b9:83:45:7f:2a:
         b2:27:8a:5a:9b:c6:8b:a8:52:f4:c1:8b:fa:75:a3:51:79:16:
         35:cb:85:20:49:f4:96:42:6c:9b:fd:e5:d3:02:a9:6d:d0:3b:
         1b:a8:df:61

log files saved at /root/centminlogs
-rw-r--r-- 1 root root 1.3K Sep 24 09:07 centminmod_240919-090714_nginx_addvhost_nv-remove-cmds-testcentmin.ml.log
-rw-r--r-- 1 root root 8.2K Sep 24 09:07 centminmod_240919-090714_nginx_addvhost_nv.log
-rw-r--r-- 1 root root  64K Sep 24 09:18 acmetool.sh-debug-log-240919-090709.log
-rw-r--r-- 1 root root  23K Sep 24 09:18 acmesh-issue_240919-090709.log

Above, I instructed you to install and use acmetool to create an SSL certificate from Let’s Encrypt for Centmin Mod. Because this addon is still in the testing process, so there is an error during use, you can comment below or go to the forum centmin mod to report an error.

Leave a Reply

Your email address will not be published. Required fields are marked *