This blog post was migrated from ServerManage.guide. That WordPress site was created using Centmin Mod's centmin.sh menu option 22 automatic WordPress installer routine and hosted on an Upcloud.com KVM VPS server running Centmin Mod Nginx, PHP-FPM and MariaDB MySQL on a CentOS 7 64bit server, paired with the Cloudflare free plan.
The following guide illustrates how to use the latest Centmin Mod 123.09beta01 centmin.sh menu option 22 WordPress installer. It installs an Nginx HTTP/2 HTTPS site with TLS 1.3 support using integrated free Letsencrypt SSL certificates in dual RSA 2048bit + ECDSA 256bit SSL certificate mode, then automatically installs WordPress and configures the site for both performance and security.
Step 1.
Ensure you are using Centmin Mod 123.09beta01 or a newer version, which integrates free Letsencrypt SSL certificates via addons/acmetool.sh (built on the acme.sh client developed by Neil Pang), and that you have enabled Letsencrypt SSL support via the persistent configuration file /etc/centminmod/custom_config.inc using the variables below.
- The first variable, LETSENCRYPT_DETECT='y', enables regular RSA 2048bit SSL certificates via Letsencrypt.
- The second variable, DUALCERTS='y', enables dual RSA 2048bit + ECDSA 256bit SSL certificate mode, in which a second, ECDSA 256bit based Letsencrypt SSL certificate is obtained. Dual SSL certificates let Centmin Mod Nginx serve the better performing ECDSA 256bit SSL certificate to web browsers and clients that support it, while falling back to the traditional RSA 2048bit SSL certificate for older web browsers and clients that do not. In the context of Cloudflare, this means Cloudflare's connection to the Centmin Mod Nginx origin server is optimal: Cloudflare can talk to the origin using the faster ECDSA 256bit SSL certificate and over the better performing TLS 1.3 protocol, which removes one round trip (1-RTT) from the handshake compared to the older TLS 1.0/1.1/1.2 protocols. That 1-RTT saving can amount to 300+ milliseconds faster connection setup over slow mobile internet connections.
- When these variables are enabled, centmin.sh menu options 2 and 22 and the nv command line option for creating Nginx vhost sites offer additional menu options for obtaining free Letsencrypt SSL certificates. If these variables are not enabled, centmin.sh menu options 2 and 22 and the nv command line only provide a self-signed SSL certificate for testing purposes.
# enable letsencrypt ssl certificate + dual RSA+ECDSA ssl certs https://centminmod.com/acmetool/
echo "LETSENCRYPT_DETECT='y'" >> /etc/centminmod/custom_config.inc
echo "DUALCERTS='y'" >> /etc/centminmod/custom_config.inc
DUALCERTS='y' mode had already been enabled for this WordPress site while following the advanced customisation Centmin Mod installation guide.
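The two echo >> commands above append a line every time they run, so a second run leaves duplicate (and possibly conflicting) definitions in custom_config.inc. As an added example, not Centmin Mod's own code, the helper below sets a variable idempotently and reports which certificate mode the two variables currently select. The config file path is the one from the guide; the function names are this example's own.

```shell
#!/bin/bash
# Added example (not Centmin Mod's own code): idempotently set a KEY='value'
# variable in the persistent config file so repeated runs do not append
# duplicates. CONFIG_FILE is the path the guide names; the helpers are mine.
CONFIG_FILE="/etc/centminmod/custom_config.inc"

# set_cm_var FILE KEY VALUE : replace an existing KEY=... line or append one.
set_cm_var() {
  file="$1"; key="$2"; value="$3"
  [ -f "$file" ] || touch "$file"
  if grep -q "^${key}=" "$file"; then
    # replace in place; '|' as sed delimiter avoids clashes with '/' in values
    sed -i "s|^${key}=.*|${key}='${value}'|" "$file"
  else
    printf "%s='%s'\n" "$key" "$value" >> "$file"
  fi
}

# get_cm_var FILE KEY : print the value of the last KEY=... line, quotes stripped.
get_cm_var() {
  grep "^${2}=" "$1" | tail -n 1 | sed -e "s/^${2}=//" -e "s/^['\"]//" -e "s/['\"]$//"
}

# letsencrypt_mode FILE : classify what LETSENCRYPT_DETECT and DUALCERTS enable,
# mirroring the three outcomes described in the guide.
letsencrypt_mode() {
  le=$(get_cm_var "$1" LETSENCRYPT_DETECT)
  dual=$(get_cm_var "$1" DUALCERTS)
  if [ "$le" != "y" ]; then
    echo "self-signed only"
  elif [ "$dual" = "y" ]; then
    echo "letsencrypt dual RSA+ECDSA"
  else
    echo "letsencrypt RSA only"
  fi
}

# Run as: ./enable_le.sh --apply   (applies to the real config file as root)
if [ "${1:-}" = "--apply" ]; then
  set_cm_var "$CONFIG_FILE" LETSENCRYPT_DETECT y
  set_cm_var "$CONFIG_FILE" DUALCERTS y
  letsencrypt_mode "$CONFIG_FILE"
fi
```

Because custom_config.inc is sourced by centmin.sh as shell, the last definition of a variable wins; the in-place replace keeps the file to one definition per variable so what you read back is what the installer will use.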
Step 2
Update your intended WordPress site's domain name DNS A records to point to the server's IP address. You need to do this for both the non-www and www versions of your domain name or intended subdomain, because by default addons/acmetool.sh and the Letsencrypt SSL certificate integration use webroot domain validation to verify your domain name before Letsencrypt issues your free SSL certificates. The screenshot is from the Cloudflare DNS tab dashboard.
Cloudflare and Letsencrypt webroot authentication
At this stage, though, set the Cloudflare DNS record to grey cloud (DNS only), not the orange cloud proxy, because Letsencrypt issuance must be able to reach your Centmin Mod Nginx origin server directly for webroot authentication and validation of your domain. If you select Centmin Mod Nginx default HTTPS (option 4 below, Letsencrypt with Nginx default HTTPS), there is no non-HTTPS Nginx vhost origin for Cloudflare Flexible SSL to talk to at this stage, so Letsencrypt webroot authentication will fail. The alternative is to select option 3 for an Nginx HTTP + HTTPS vhost, so that both the non-HTTPS port 80 and HTTPS port 443 can be reached for Letsencrypt webroot authentication. Once the Nginx vhost is created, you can switch your DNS record to the orange proxy cloud, change the vhost to HTTPS default, and set Cloudflare to Full SSL mode.
Step 3
Run centmin.sh menu option 22 to start the Nginx vhost site generator, which also installs and configures WordPress. A series of prompts asks how you would like the Nginx vhost site and WordPress setup to be configured. The WordPress auto installer uses the WP-CLI command line tool to do the heavy lifting for the actual WordPress installation.
--------------------------------------------------------
Centmin Mod Menu 123.09beta01 centminmod.com
--------------------------------------------------------
1).  Centmin Install
2).  Add Nginx vhost domain
3).  NSD setup domain name DNS
4).  Nginx Upgrade / Downgrade
5).  PHP Upgrade / Downgrade
6).  XCache Re-install
7).  APC Cache Re-install
8).  XCache Install
9).  APC Cache Install
10). Memcached Server Re-install
11). MariaDB MySQL Upgrade & Management
12). Zend OpCache Install/Re-install
13). Install/Reinstall Redis PHP Extension
14). SELinux disable
15). Install/Reinstall ImagicK PHP Extension
16). Change SSHD Port Number
17). Multi-thread compression: zstd,pigz,pbzip2,lbzip2
18). Suhosin PHP Extension install
19). Install FFMPEG and FFMPEG PHP Extension
20). NSD Install/Re-Install
21). Update - Nginx + PHP-FPM + Siege
22). Add WordPress Nginx vhost + Cache Plugin
23). Update Centmin Mod Code Base
24). Exit
--------------------------------------------------------
Enter option [ 1 - 24 ] 22
--------------------------------------------------------
WP-CLI is installed next if it is not yet detected. On subsequent centmin.sh menu option 22 runs, WP-CLI is always updated before proceeding, so every WordPress installation uses the latest WP-CLI version.
------------------------------------------------------------
Installing wpcli.sh
------------------------------------------------------------
installing...
-------------------------------------------------------------
wp-cli info
OS:                     Linux 3.10.0-957.21.3.el7.x86_64 #1 SMP Tue Jun 18 16:35:19 UTC 2019 x86_64
Shell:                  /bin/bash
PHP binary:             /usr/local/bin/php
PHP version:            7.3.7
php.ini used:           /usr/local/lib/php.ini
WP-CLI root dir:        phar://wp-cli.phar/vendor/wp-cli/wp-cli
WP-CLI vendor dir:      phar://wp-cli.phar/vendor
WP_CLI phar path:       /usr/local/src/centminmod/addons
WP-CLI packages dir:    /root/.wp-cli/packages/
WP-CLI global config:
WP-CLI project config:
WP-CLI version:         2.2.0
-------------------------------------------------------------
-------------------------------------------------------------
wp-cli install completed
Read http://wp-cli.org/ for full usage info
Next come some information notices and prompts for your desired domain name (without the www prefix) and whether you want self-signed SSL certificates and/or Letsencrypt SSL certificates on the Nginx vhost site. Here I chose option 4 for live trusted Letsencrypt SSL certificates with HTTPS default (the non-HTTPS to HTTPS redirect is configured for you automatically).
-------------------------------------------------------------
Setup full Nginx vhost + WordPress + WP Plugins
-------------------------------------------------------------

---------------------------------------------------------------
Important Information
---------------------------------------------------------------
You are about to create an WordPress based Nginx vhost site
with or without HTTPS/SSL support.

Also read the continually updated Getting Started Guide at
centminmod.com/getstarted.html if you haven't already
---------------------------------------------------------------
403 Permission denied message handling

if after vhost site setup you encounter 403 permission denied
errors, check https://community.centminmod.com/threads/11215/
to see if your site needs tools/autoprotect.sh tweaking & whitelisting
---------------------------------------------------------------

Do you want to continue with Nginx vhost site creation ? [y/n] y

Enter vhost domain name you want to add (without www. prefix): servermanager.guide
Create a self-signed SSL certificate Nginx vhost? [y/n]: n
Get Letsencrypt SSL certificate Nginx vhost? [y/n]: y

You have 4 options:
1. issue staging test cert with HTTP + HTTPS (untrusted)
2. issue staging test cert with HTTPS default (untrusted)
3. issue live cert with HTTP + HTTPS (trusted)
4. issue live cert with HTTPS default (trusted)
Enter option number 1-4: 4
There are further prompts for optional extras: switching from the Gutenberg editor to the WordPress Classic editor, installing the Autoptimize Gzip companion plugin (which works with the Autoptimize WordPress plugin to automatically pre-compress optimised CSS/JS assets), whether to let the WordPress installer auto generate the WordPress admin username/password, and whether or not the WordPress login page gets HTTP password protected. Lastly it asks for your desired WordPress admin user's email address.
Theme Setup:
Install CyberChimps Responsive Theme (cyberchimps.com/responsive-theme/) [y/n]: n

Wordpress Setup:

Not a fan of Gutenberg Editor ? You can switch to Classic Editor
If you run into Gutenberg Editor issues, you can later switch to the Classic Editor
https://wordpress.org/plugins/classic-editor/
Install Classic Editor WordPress Plugin ? [y/n]: y

Autoptimize WP Plugin is installed by default.
Do you want to install companion Autoptimize Gzip Plugin to precompresses
js/css optimized files details at https://community.centminmod.com/threads/15314/
Install Autoptimize Gzip Companion WordPress Plugin ? [y/n]: y

Set custom WP Admin Display Name ? [y/n]: y
Enter Custom WP Admin Display Name: George

Install WordPress in subdirectory /blog ? [y/n]: n

Disable Auto Generated WP Admin Username / Password ? [y/n]: n
Disable wp-login.php password protection ? (less security) [y/n]: n

Enter email address for Admin User for WordPress Installation: MYEMAIL_ADDRESS
Next the WordPress installer offers a choice of full page WordPress caching options for better performance. The first three are available out of the box as of writing, while the fourth option, PHP-FPM fastcgi_cache based full page caching, is currently available only via a switch for private development and testing. For this blog and for testing purposes I chose option 4, PHP-FPM fastcgi_cache based full page caching. For 99% of use cases, the recommended option for best performance with the fewest issues is KeyCDN Cache Enabler for static HTML full page caching, as it is a faster and less problematic alternative to the WordPress Super Cache plugin.
Default is to install KeyCDN WP Cache Enabler Plugin
as it is more stable and reliable than WP Super Cache and Redis Cache.
Redis cache may have issues with caching due to long 6hr cache TTL
Fastcgi_cache (PHP-FPM) will have best performance
You can select which caching method to use below:

--------------------------------------------------------
Wordpress Caching
--------------------------------------------------------
1) KeyCDN Cache Enabler
2) Redis Nginx Level Caching
3) WordPress Super Cache
4) Fastcgi_cache (PHP-FPM)
--------------------------------------------------------
Enter option [ 1 - 4 ] 4
you selected option 4 (Fastcgi_cache PHP-FPM) [wpscache=fastcgicache]
Next the Pure-ftpd virtual FTP username/password is created and, if you opted for it, the HTTP password protection for the WordPress login page.
Create FTP username for vhost domain (enter username): FTPUSERNAME
Do you want to auto generate FTP password (recommended) [y/n]: y

FTP username you entered: FTPUSERNAME
FTP password auto generated: FTPPASSWORD

Password:
Enter it again:

/usr/local/nginx/conf/htpasswd.sh create /home/nginx/domains/servermanager.guide/htpasswd_wplogin HTTP_USERNAME HTTP_PASSWORD

/home/nginx/domains/servermanager.guide/htpasswd_wplogin contents:
HTTP_USERNAME:$ap******S3gN0bY2.NPw******
Then the PHP-FPM fastcgi_cache related Nginx include and configuration files are created and populated. Pay particular attention to /usr/local/nginx/conf/wpfastcgi_cache_map_debug.conf: adding your ISP IP address to it reveals additional, otherwise hidden Nginx response headers for PHP-FPM fastcgi_cache diagnostics.
touch /usr/local/nginx/conf/wpfastcgi_cache_map_debug.conf
touch /usr/local/nginx/conf/wpfastcgi_cache_map_include_mobile.conf
touch /usr/local/nginx/conf/wpfastcgi_cache_map_include_nocachecookie.conf
touch /usr/local/nginx/conf/wpfastcgi_cache_map_include_nocacheuri.conf
include file /usr/local/nginx/conf/wpfastcgi_cache_path_includes.conf add to nginx.conf
include file /usr/local/nginx/conf/wpfastcgi_cache_map.conf add to nginx.conf
include file /usr/local/nginx/conf/wpcacheenabler_map.conf add to nginx.conf
These are the contents of the include file /usr/local/nginx/conf/wpfastcgi_cache_map_debug.conf after I added my ISP IP address and set its value to 1, which is the value assigned to the Nginx mapped variable $fastcgi_debug.
cat /usr/local/nginx/conf/wpfastcgi_cache_map_debug.conf
YOUR_ISP_IP_ADDR 1;
That include file is itself pulled into /usr/local/nginx/conf/wpfastcgi_cache_map.conf, which maps the visitor's IP address to the $fastcgi_debug variable and so decides whether a listed ISP IP address is allowed to see the additional hidden Nginx PHP-FPM fastcgi_cache response headers.
map $remote_addr $fastcgi_debug {
  default 0;
  include /usr/local/nginx/conf/wpfastcgi_cache_map_debug.conf;
  # YOUR_ISP_IP_ADDR 1;
}
With your ISP IP added to enable the $fastcgi_debug mapped variable, additional Nginx response headers become available: the PHP-FPM fastcgi_cache status (HIT or BYPASS), an x-fpmcache-skip header giving the reason the cache was bypassed, other x-fpmcache headers, and request processing time headers.
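An added example, not Centmin Mod's own code, for the debug map described above: one helper validates an IPv4 address and adds it to wpfastcgi_cache_map_debug.conf only once (a malformed entry in that include breaks the surrounding map block and fails nginx -t), and a second parses a captured response header block, such as the output of curl -sI, to report the cache status and skip reason. The x-fpmcache-skip header is the one named above; the x-fpmcache status header name, the function names and the sample headers are assumptions made for illustration, so compare against what your own site returns.

```shell
#!/bin/bash
# Added example (not Centmin Mod's own code). Helpers for the $fastcgi_debug
# map: add a validated IP to the debug include once, and read the cache status
# out of a captured header block. Header name x-fpmcache is assumed.
DEBUG_MAP="/usr/local/nginx/conf/wpfastcgi_cache_map_debug.conf"

# valid_ipv4 IP : 0 if IP is four dotted decimal octets each within 0-255, else 1.
valid_ipv4() {
  echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  old_ifs=$IFS; IFS=.
  for octet in $1; do
    [ "$octet" -le 255 ] || { IFS=$old_ifs; return 1; }
  done
  IFS=$old_ifs
  return 0
}

# add_debug_ip FILE IP : append "IP 1;" once; reject malformed input so a bad
# line cannot break the nginx map block that includes this file.
add_debug_ip() {
  file="$1"; ip="$2"
  valid_ipv4 "$ip" || { echo "rejected: $ip" >&2; return 1; }
  grep -q "^${ip} " "$file" 2>/dev/null && return 0
  printf '%s 1;\n' "$ip" >> "$file"
}

# cache_status HEADERS_TEXT : prints "STATUS" or "STATUS skip=REASON" from a
# header block; explains the empty case, which is what non-listed IPs see.
cache_status() {
  hdrs=$(printf '%s\n' "$1" | tr -d '\r')
  status=$(printf '%s\n' "$hdrs" | grep -i '^x-fpmcache:' | head -n 1 | sed 's/^[^:]*:[[:space:]]*//')
  skip=$(printf '%s\n' "$hdrs" | grep -i '^x-fpmcache-skip:' | head -n 1 | sed 's/^[^:]*:[[:space:]]*//')
  [ -n "$status" ] || { echo "no cache headers (is your IP in the debug map?)"; return 0; }
  if [ -n "$skip" ]; then echo "$status skip=$skip"; else echo "$status"; fi
}

# Constructed sample of what curl -sI might return for a bypassed request
# (the skip reason text is made up for this example).
SAMPLE_HEADERS='HTTP/2 200
content-type: text/html; charset=UTF-8
x-fpmcache: BYPASS
x-fpmcache-skip: wordpress_logged_in cookie'

# Usage on the server (as root), then reload nginx after nginx -t passes:
#   add_debug_ip "$DEBUG_MAP" 203.0.113.10 && nginx -t && ngxreload
#   cache_status "$(curl -sI https://servermanager.guide/)"
```

Keeping the debug map restricted to your own address matters: the extra headers describe cache internals and timing, which is useful to you and of no business to anyone else, so the map's default 0 is the setting every other visitor should keep.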
The next part is SSL certificate setup and configuration. First, the Centmin Mod Nginx generation routines for HTTPS also set up Cloudflare Authenticated Origin Pulls TLS client certificate verification on your Nginx HTTPS site, but leave it disabled by default; the configuration is ready to be enabled simply by uncommenting a few lines in your Nginx vhost configuration file at yourdomain.com.ssl.conf. This is the part which downloads the Cloudflare Authenticated Origin Pulls CA certificate used to verify Cloudflare's TLS client certificates.
---------------------------------------------------------------
SSL Vhost Setup...
---------------------------------------------------------------
--2019-07-12 22:20:01--  https://support.cloudflare.com/hc/en-us/article_attachments/201243967/origin-pull-ca.pem
Resolving support.cloudflare.com... 104.16.55.111, 104.16.51.111, 104.16.52.111, ...
Connecting to support.cloudflare.com|104.16.55.111|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2151 (2.1K) [application/x-x509-ca-cert]
Saving to: '/usr/local/nginx/conf/ssl/cloudflare/servermanager.guide/origin.crt'

     0K ..                                                    100% 26.8M=0s

2019-07-12 22:20:01 (26.8 MB/s) - '/usr/local/nginx/conf/ssl/cloudflare/servermanager.guide/origin.crt' saved [2151/2151]
The Nginx vhost configuration file /usr/local/nginx/conf/conf.d/servermanager.guide.ssl.conf contains the commented out (disabled) directives for Cloudflare Authenticated Origin Pulls TLS client certificates, ready to be enabled if you choose to use the feature.
# cloudflare authenticated origin pull cert community.centminmod.com/threads/13847/
#ssl_client_certificate /usr/local/nginx/conf/ssl/cloudflare/servermanager.guide/origin.crt;
#ssl_verify_client on;
To enable it, uncomment the two directive lines by removing the leading hash # and then restart the Nginx service.
# cloudflare authenticated origin pull cert community.centminmod.com/threads/13847/
ssl_client_certificate /usr/local/nginx/conf/ssl/cloudflare/servermanager.guide/origin.crt;
ssl_verify_client on;
Then, in your Cloudflare Crypto dashboard tab, enable Authenticated Origin Pulls.
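The enable step above as a script, added here and not Centmin Mod's own code. It uncomments the two directives, checks that the downloaded origin.crt actually parses as an X.509 certificate (an HTML error page saved under that name would otherwise be handed to Nginx as a trust anchor), and only reloads Nginx after nginx -t passes. Once ssl_verify_client on is active, Nginx rejects TLS connections that do not present a client certificate signed by that Cloudflare CA, which is what stops requests that bypass Cloudflare and reach the origin directly. The paths are the ones from the guide; the function names, the nginx binary being on PATH, and the /usr/bin/ngxreload reload command (the one acme.sh is told to use in the install output further down this page) are assumptions.

```shell
#!/bin/bash
# Added example (not Centmin Mod's own code): enable Cloudflare Authenticated
# Origin Pulls in a vhost .ssl.conf safely. Paths follow the guide; the
# functions, the nginx binary on PATH and /usr/bin/ngxreload are assumed.
VHOST_CONF="/usr/local/nginx/conf/conf.d/servermanager.guide.ssl.conf"
ORIGIN_CA="/usr/local/nginx/conf/ssl/cloudflare/servermanager.guide/origin.crt"

# enable_origin_pull FILE : strip the leading '#' from the two directives only,
# leaving the explanatory comment line above them untouched.
enable_origin_pull() {
  sed -i -e 's|^[[:space:]]*#[[:space:]]*\(ssl_client_certificate[[:space:]]\)|\1|' \
         -e 's|^[[:space:]]*#[[:space:]]*\(ssl_verify_client[[:space:]]\)|\1|' "$1"
}

# origin_pull_enabled FILE : 0 when both directives are active (uncommented).
origin_pull_enabled() {
  grep -Eq '^[[:space:]]*ssl_client_certificate[[:space:]]' "$1" &&
  grep -Eq '^[[:space:]]*ssl_verify_client[[:space:]]+on;' "$1"
}

# ca_cert_ok FILE : the CA must parse as an X.509 certificate before nginx is
# told to trust it for client verification.
ca_cert_ok() {
  openssl x509 -in "$1" -noout >/dev/null 2>&1
}

# apply : the safe order is edit, test the configuration, only then reload.
apply() {
  ca_cert_ok "$ORIGIN_CA" || { echo "origin CA is not a valid certificate" >&2; return 1; }
  enable_origin_pull "$VHOST_CONF"
  if nginx -t; then
    /usr/bin/ngxreload
    origin_pull_enabled "$VHOST_CONF" && echo "authenticated origin pulls enabled"
  else
    echo "nginx config test failed; not reloaded, fix $VHOST_CONF first" >&2
    return 1
  fi
}

# Run as: ./origin_pull.sh --apply   (as root, after the DNS record is orange-clouded)
[ "${1:-}" = "--apply" ] && apply
```

Order matters here: turn the Cloudflare side on only after the origin accepts Cloudflare's client certificate, and switch the DNS record to the orange cloud before reloading, since with ssl_verify_client on a direct (grey cloud) visit to the origin is refused by design.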
Next, regardless of whether you chose to create self-signed SSL certificates, the Centmin Mod HTTPS routine generates them anyway, as they also serve as the fallback if Letsencrypt SSL certificate domain verification or issuance fails for whatever reason.
Generating self signed SSL certificate...
CSR file can also be used to be submitted for paid SSL certificates
If using for paid SSL certificates be sure to keep both private key and CSR safe
creating CSR File: servermanager.guide.csr
creating private key: servermanager.guide.key
creating self-signed SSL certificate: servermanager.guide.crt
Next is the actual WordPress installation and the PHP-FPM fastcgi_cache setup process.
------------------------------------------------------------
Setup Fastcgi_cache PHP-FPM for servermanager.guide
------------------------------------------------------------

Using full static page caching may cause problems for mobile & tablet device visitors
depending on your WP themes used so you may want to exclude those
Do you want to exclude mobile/tablet devices from Cache Enabler caching ? [y/n]: y

Downloading WordPress 5.2.2 (en_US)...
md5 hash verified: aea5bb5e4fd51034f67c85e6d8bc6bbf
Success: WordPress downloaded.
Success: Generated 'wp-config.php' file.
13 23 * * * /usr/local/src/centminmod/tools/autoprotect.sh >/dev/null 2>&1
0 */4 * * * /usr/bin/cminfo_updater 2>/dev/null
23 */12 * * * /usr/local/src/centminmod/tools/csfcf.sh auto >/dev/null 2>&1
7 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null
#*/15 * * * * sleep 248s ; wget -4 -O - -q -t 1 http://servermanager.guide/wp-cron.php?doing_wp_cron > /dev/null 2>&1
Success: WordPress installed successfully.
Success: Updated user 2**2***.
Success: Rewrite structure set.
Success: Rewrite rules flushed.
------------------------------------------------------------
Then some additional WordPress plugins are automatically installed and activated via the WP-CLI command line tool. These include:
- Autoptimize WordPress Plugin
- Autoptimize Gzip companion WordPress Plugin
- Classic Editor WordPress Plugin
- Disable-XML-RPC WordPress Plugin
- Nginx Helper WordPress Plugin for managing PHP-FPM fastcgi_cache full page caching
- Sucuri WordPress Plugin
------------------------------------------------------------
Installing Nginx Helper (2.0.3)
Downloading installation package from https://downloads.wordpress.org/plugin/nginx-helper.2.0.3.zip...
Unpacking the package...
Installing the plugin...
Plugin installed successfully.
Activating 'nginx-helper'...
Plugin 'nginx-helper' activated.
Success: Installed 1 of 1 plugins.
Success: Updated 'rt_wp_nginx_helper_options' option.
{"enable_purge":1,"cache_method":"enable_fastcgi","enable_map":0,"enable_log":0,"enable_stamp":1,"purge_homepage_on_edit":1,"purge_homepage_on_del":1,"purge_archive_on_edit":1,"purge_archive_on_del":1,"purge_archive_on_new_comment":1,"purge_archive_on_deleted_comment":1,"purge_page_on_mod":1,"purge_page_on_new_comment":1,"purge_page_on_deleted_comment":1,"purge_method":"unlink_files","purge_url":"","redis_hostname":"127.0.0.1","redis_port":"6379","redis_prefix":"nginx-cache:"}
------------------------------------------------------------
Installing Autoptimize (2.5.1)
Downloading installation package from https://downloads.wordpress.org/plugin/autoptimize.2.5.1.zip...
Unpacking the package...
Installing the plugin...
Plugin installed successfully.
Activating 'autoptimize'...
Plugin 'autoptimize' activated.
Success: Installed 1 of 1 plugins.
option_name                       option_value
autoptimize_service_availablity   a:2:{s:12:"extra_imgopt";a:3:{s:6:"status";s:2:"up";s:5:"hosts";a:1:{i:1;s:26:"https://cdn.shortpixel.ai/";}s:16:"launch-threshold";s:4:"4096";}s:7:"critcss";a:2:{s:6:"status";s:2:"up";s:5:"hosts";a:1:{i:1;s:24:"https://criticalcss.com/";}}}
autoptimize_version               2.5.1
configure autoptimize-gzip https://community.centminmod.com/threads/15314/
2019-07-12 22:20:40 URL:https://raw.githubusercontent.com/centminmod/autoptimize-gzip/master/autoptimize-gzip.php [573/573] -> "/home/nginx/domains/servermanager.guide/public/wp-content/plugins/autoptimize-gzip/autoptimize-gzip.php" [1]
2019-07-12 22:20:40 URL:https://raw.githubusercontent.com/centminmod/autoptimize-gzip/master/index.html [192/192] -> "/home/nginx/domains/servermanager.guide/public/wp-content/plugins/autoptimize-gzip/index.html" [1]
2019-07-12 22:20:41 URL:https://github.com/centminmod/autoptimize-gzip/blob/master/readme.md [84801] -> "/home/nginx/domains/servermanager.guide/public/wp-content/plugins/autoptimize-gzip/readme.md" [1]
2019-07-12 22:20:41 URL:https://raw.githubusercontent.com/centminmod/autoptimize-gzip/master/LICENSE [18026/18026] -> "/home/nginx/domains/servermanager.guide/public/wp-content/plugins/autoptimize-gzip/LICENSE" [1]
Plugin 'autoptimize-gzip' activated.
Success: Activated 1 of 1 plugins.
Plugin autoptimize-gzip details:
Name: Autoptimize Gzip
Status: Active
Version: 0.1
Author: George Liu
Description: Hook into Frank Goossens (futtta) Autoptimize API to pre-compress CSS/JS files
------------------------------------------------------------
------------------------------------------------------------
Installing Classic Editor (1.5)
Downloading installation package from https://downloads.wordpress.org/plugin/classic-editor.1.5.zip...
Unpacking the package...
Installing the plugin...
Plugin installed successfully.
Activating 'classic-editor'...
Plugin 'classic-editor' activated.
Success: Installed 1 of 1 plugins.
------------------------------------------------------------
------------------------------------------------------------
Installing Sucuri Security – Auditing, Malware Scanner and Security Hardening (1.8.21)
Downloading installation package from https://downloads.wordpress.org/plugin/sucuri-scanner.1.8.21.zip...
Unpacking the package...
Installing the plugin...
Plugin installed successfully.
Activating 'sucuri-scanner'...
Plugin 'sucuri-scanner' activated.
Success: Installed 1 of 1 plugins.
------------------------------------------------------------
Installing Disable XML-RPC (1.0.1)
Downloading installation package from https://downloads.wordpress.org/plugin/disable-xml-rpc.1.0.1.zip...
Unpacking the package...
Installing the plugin...
Plugin installed successfully.
Activating 'disable-xml-rpc'...
Plugin 'disable-xml-rpc' activated.
Success: Installed 1 of 1 plugins.
Uninstalled and deleted 'hello' plugin.
Success: Uninstalled 1 of 1 plugins.
Success: Plugin already updated.
7 installed plugins:
  I akismet          4.1.2
  A autoptimize      2.5.1
  A autoptimize-gzip 0.1
  A classic-editor   1.5
  A disable-xml-rpc  1.0.1
  A nginx-helper     2.0.3
  A sucuri-scanner   1.8.21
Legend: I = Inactive, A = Active
------------------------------------------------------------
Then the WordPress Nginx site uninstaller and the WordPress automatic update cron job are created; the cron job auto updates WordPress plugins via the WP-CLI command line tool every 8 hrs. The autoprotect.sh include file and its cron job schedule are also created. autoprotect.sh checks the public, web accessible directories of every Nginx vhost site on the Centmin Mod LEMP stack server for .htaccess files containing DENY ALL directives, takes the directory path of each such .htaccess file, and auto generates the Nginx equivalent location match with deny all. This prevents accidental exposure of directories the web author intended to keep private under Apache .htaccess: Nginx does not honour .htaccess files, so the equivalent Nginx deny rules are generated automatically to protect your Nginx site.
------------------------------------------------------------
Created uninstall script /root/tools/wp_uninstall_servermanager.guide.sh
------------------------------------------------------------
------------------------------------------------------------
Created wp_updater_servermanager.guide.sh script /root/tools/wp_updater_servermanager.guide.sh
------------------------------------------------------------
173 17
final 173
final 17
13 23 * * * /usr/local/src/centminmod/tools/autoprotect.sh >/dev/null 2>&1
0 */4 * * * /usr/bin/cminfo_updater 2>/dev/null
23 */12 * * * /usr/local/src/centminmod/tools/csfcf.sh auto >/dev/null 2>&1
7 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null
#*/15 * * * * sleep 248s ; wget -4 -O - -q -t 1 http://servermanager.guide/wp-cron.php?doing_wp_cron > /dev/null 2>&1
0 */8 * * * sleep 173s ;/root/tools/wp_updater_servermanager.guide.sh >/dev/null 2>&1
-------------------------------------------------------------
generated nginx include file [initial]: /usr/local/nginx/conf/autoprotect/demodomain.com/autoprotect-demodomain.com.conf
generated nginx include file [initial]: /usr/local/nginx/conf/autoprotect/servermanager.guide/autoprotect-servermanager.guide.conf
autoprotect.sh run completed...
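To make the autoprotect.sh idea concrete, here is an added example that is my own illustration and not the autoprotect.sh script Centmin Mod ships (whose output format and include layout differ): it finds .htaccess files under a web root that contain an Apache deny-all rule, in both the Apache 2.2 Deny from all and Apache 2.4 Require all denied forms, and prints an Nginx prefix location block denying the same directory. The function names and the sample directory layout in the usage comment are constructed for this example.

```shell
#!/bin/bash
# Added example (not Centmin Mod's autoprotect.sh): walk a site's public
# directory, find .htaccess files that deny all access, and emit an nginx
# location block that denies the same directory. Function names are mine.

# htaccess_denies_all FILE : 0 if FILE blocks access (Apache 2.2 or 2.4 syntax).
htaccess_denies_all() {
  grep -Eiq '^[[:space:]]*(deny[[:space:]]+from[[:space:]]+all|require[[:space:]]+all[[:space:]]+denied)' "$1"
}

# gen_nginx_deny WEBROOT : print one location block per protected directory.
# A prefix match (^~) is used rather than a regex so directory names need no
# escaping; a deny in the web root itself yields "location ^~ /".
gen_nginx_deny() {
  webroot=${1%/}
  find "$webroot" -name .htaccess -type f | sort | while read -r ht; do
    htaccess_denies_all "$ht" || continue
    dir=$(dirname "$ht")
    rel=${dir#"$webroot"}   # path relative to the web root, e.g. /wp-content/uploads/private
    printf 'location ^~ %s/ {\n    deny all;\n    return 403;\n}\n' "$rel"
  done
}

# Usage on a live site (constructed path; the guide's vhost public dir is
# /home/nginx/domains/servermanager.guide/public):
#   gen_nginx_deny /home/nginx/domains/servermanager.guide/public > /tmp/deny.conf
# then include the generated file from the vhost's server block, run nginx -t
# and reload. Re-run whenever plugins or themes add new .htaccess files.
```

The return 403 inside the block is redundant with deny all but makes the intent visible when reading the generated config; the real risk the scan addresses is the silent one, where a plugin drops backups or private uploads into a directory it "protected" with a file Nginx never reads.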
Now comes the Letsencrypt SSL certificate issuance stage. You will need to confirm that you want to proceed, as acmetool.sh is in beta testing.
-------------------------------------------------------------
ok: /usr/local/src/centminmod/addons/acmetool.sh
/usr/local/src/centminmod/addons/acmetool.sh issue servermanager.guide wplived
-------------------------------------------------
acmetool.sh is in beta testing phase
please read & provide bug reports & feedback
for this tool via the forums
https://centminmod.com/acmetool
-------------------------------------------------
continue [y/n] ? y
Centmin Mod then always updates the underlying acme.sh client to the latest version before proceeding.
-----------------------------------------------------
updating acme.sh client...
-----------------------------------------------------
Cloning into 'acme.sh'...
[Fri Jul 12 22:28:11 UTC 2019] It is recommended to install socat first.
[Fri Jul 12 22:28:11 UTC 2019] We use socat for standalone server if you use standalone mode.
[Fri Jul 12 22:28:11 UTC 2019] If you don't use standalone mode, just ignore this warning.
[Fri Jul 12 22:28:11 UTC 2019] Installing to /root/.acme.sh
[Fri Jul 12 22:28:11 UTC 2019] Installed to /root/.acme.sh/acme.sh
[Fri Jul 12 22:28:12 UTC 2019] Installing alias to '/root/.bashrc'
[Fri Jul 12 22:28:12 UTC 2019] OK, Close and reopen your terminal to start using acme.sh
[Fri Jul 12 22:28:12 UTC 2019] Installing alias to '/root/.cshrc'
[Fri Jul 12 22:28:12 UTC 2019] Installing alias to '/root/.tcshrc'
[Fri Jul 12 22:28:12 UTC 2019] Installing cron job
7 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null
[Fri Jul 12 22:28:12 UTC 2019] Good, bash is found, so change the shebang to use bash as preferred.
[Fri Jul 12 22:28:12 UTC 2019] OK
https://github.com/Neilpang/acme.sh v2.8.2
-----------------------------------------------------
acme.sh updated
-----------------------------------------------------
Then Letsencrypt SSL issuance and domain validation via webroot authentication begins. As dual RSA 2048bit + ECDSA 256bit SSL certificate mode was enabled, you will see two rounds of Letsencrypt SSL issuance and domain validation: one for the RSA 2048bit SSL certificate and a second for the ECDSA 256bit SSL certificate.
First, RSA 2048bit SSL certificate issuance and domain validation:
-----------------------------------------------------------
issue & install letsencrypt ssl certificate for servermanager.guide
-----------------------------------------------------------
testcert value = wplived
wp routine detected use reissue instead via --force
/root/.acme.sh/acme.sh --force --issue -d servermanager.guide -d www.servermanager.guide --days 60 -w /home/nginx/domains/servermanager.guide/public -k 2048 --useragent centminmod-centos7-acmesh-webroot --log /root/centminlogs/acmetool.sh-debug-log-120719-222049.log --log-level 2
[Fri Jul 12 22:28:13 UTC 2019] Creating domain key
[Fri Jul 12 22:28:13 UTC 2019] The domain key is here: /root/.acme.sh/servermanager.guide/servermanager.guide.key
[Fri Jul 12 22:28:13 UTC 2019] Multi domain='DNS:servermanager.guide,DNS:www.servermanager.guide'
[Fri Jul 12 22:28:13 UTC 2019] Getting domain auth token for each domain
[Fri Jul 12 22:28:14 UTC 2019] Getting webroot for domain='servermanager.guide'
[Fri Jul 12 22:28:14 UTC 2019] Getting webroot for domain='www.servermanager.guide'
[Fri Jul 12 22:28:14 UTC 2019] Verifying: servermanager.guide
[Fri Jul 12 22:28:17 UTC 2019] Success
[Fri Jul 12 22:28:17 UTC 2019] Verifying: www.servermanager.guide
[Fri Jul 12 22:28:19 UTC 2019] Success
[Fri Jul 12 22:28:19 UTC 2019] Verify finished, start to sign.
[Fri Jul 12 22:28:19 UTC 2019] Lets finalize the order, Le_OrderFinalize: https://acme-v02.api.letsencrypt.org/acme/finalize/61131839/708977128
[Fri Jul 12 22:28:20 UTC 2019] Download cert, Le_LinkCert: https://acme-v02.api.letsencrypt.org/acme/cert/03ef148cda5dec70396114e521233f6d996f
[Fri Jul 12 22:28:20 UTC 2019] Cert success.
-----BEGIN CERTIFICATE-----
MIds=
-----END CERTIFICATE-----
[Fri Jul 12 22:28:20 UTC 2019] Your cert is in /root/.acme.sh/servermanager.guide/servermanager.guide.cer
[Fri Jul 12 22:28:20 UTC 2019] Your cert key is in /root/.acme.sh/servermanager.guide/servermanager.guide.key
[Fri Jul 12 22:28:20 UTC 2019] The intermediate CA cert is in /root/.acme.sh/servermanager.guide/ca.cer
[Fri Jul 12 22:28:20 UTC 2019] And the full chain certs is there: /root/.acme.sh/servermanager.guide/fullchain.cer
Then the second round, for ECDSA 256bit SSL certificate issuance and domain validation. Note that acme.sh skips the http-01 challenge here because both names were verified moments earlier:
get 2nd SSL cert issued for dual ssl cert config
/root/.acme.sh/acme.sh --force --issue -d servermanager.guide -d www.servermanager.guide --days 60 -w /home/nginx/domains/servermanager.guide/public -k ec-256 --useragent centminmod-centos7-acmesh-webroot --log /root/centminlogs/acmetool.sh-debug-log-120719-222049.log --log-level 2
[Fri Jul 12 22:28:21 UTC 2019] Creating domain key
[Fri Jul 12 22:28:21 UTC 2019] The domain key is here: /root/.acme.sh/servermanager.guide_ecc/servermanager.guide.key
[Fri Jul 12 22:28:21 UTC 2019] Multi domain='DNS:servermanager.guide,DNS:www.servermanager.guide'
[Fri Jul 12 22:28:21 UTC 2019] Getting domain auth token for each domain
[Fri Jul 12 22:28:22 UTC 2019] Getting webroot for domain='servermanager.guide'
[Fri Jul 12 22:28:22 UTC 2019] Getting webroot for domain='www.servermanager.guide'
[Fri Jul 12 22:28:22 UTC 2019] servermanager.guide is already verified, skip http-01.
[Fri Jul 12 22:28:22 UTC 2019] www.servermanager.guide is already verified, skip http-01.
[Fri Jul 12 22:28:22 UTC 2019] Verify finished, start to sign.
[Fri Jul 12 22:28:22 UTC 2019] Lets finalize the order, Le_OrderFinalize: https://acme-v02.api.letsencrypt.org/acme/finalize/61131839/708977583
[Fri Jul 12 22:28:23 UTC 2019] Download cert, Le_LinkCert: https://acme-v02.api.letsencrypt.org/acme/cert/03d967dbf195e3017d41159bd7188fa9443d
[Fri Jul 12 22:28:23 UTC 2019] Cert success.
-----BEGIN CERTIFICATE-----
Mvy7s=
-----END CERTIFICATE-----
[Fri Jul 12 22:28:23 UTC 2019] Your cert is in /root/.acme.sh/servermanager.guide_ecc/servermanager.guide.cer
[Fri Jul 12 22:28:23 UTC 2019] Your cert key is in /root/.acme.sh/servermanager.guide_ecc/servermanager.guide.key
[Fri Jul 12 22:28:24 UTC 2019] The intermediate CA cert is in /root/.acme.sh/servermanager.guide_ecc/ca.cer
[Fri Jul 12 22:28:24 UTC 2019] And the full chain certs is there: /root/.acme.sh/servermanager.guide_ecc/fullchain.cer
success: 2nd SSL cert issued for dual ssl cert config
Then once Letsencrypt SSL certificates are issued, then need to be installed by acme.sh client to locations which Nginx will look for them.
Letsencrypt RSA 2048bit SSL certificate installation
----------------------------------------------------------- install cert ----------------------------------------------------------- /root/.acme.sh/acme.sh --installcert -d servermanager.guide -d www.servermanager.guide --certpath /usr/local/nginx/conf/ssl/servermanager.guide/servermanager.guide-acme.cer --keypath /usr/local/nginx/conf/ssl/servermanager.guide/servermanager.guide-acme.key --capath /usr/local/nginx/conf/ssl/servermanager.guide/servermanager.guide-acme.cer --reloadCmd /usr/bin/ngxreload --fullchainpath /usr/local/nginx/conf/ssl/servermanager.guide/servermanager.guide-fullchain-acme.key [Fri Jul 12 22:28:24 UTC 2019] Installing cert to:/usr/local/nginx/conf/ssl/servermanager.guide/servermanager.guide-acme.cer [Fri Jul 12 22:28:24 UTC 2019] Installing CA to:/usr/local/nginx/conf/ssl/servermanager.guide/servermanager.guide-acme.cer [Fri Jul 12 22:28:24 UTC 2019] Installing key to:/usr/local/nginx/conf/ssl/servermanager.guide/servermanager.guide-acme.key [Fri Jul 12 22:28:24 UTC 2019] Installing full chain to:/usr/local/nginx/conf/ssl/servermanager.guide/servermanager.guide-fullchain-acme.key [Fri Jul 12 22:28:24 UTC 2019] Run reload cmd: /usr/bin/ngxreload Reloading nginx configuration (via systemctl): [ OK ] [Fri Jul 12 22:28:24 UTC 2019] Reload success
Letsencrypt ECDSA 256bit SSL certificate installation
install 2nd SSL cert issued for dual ssl cert config
/root/.acme.sh/acme.sh --installcert -d servermanager.guide -d www.servermanager.guide --certpath /usr/local/nginx/conf/ssl/servermanager.guide/servermanager.guide-acme-ecc.cer --keypath /usr/local/nginx/conf/ssl/servermanager.guide/servermanager.guide-acme-ecc.key --capath /usr/local/nginx/conf/ssl/servermanager.guide/servermanager.guide-acme-ecc.cer --reloadCmd /usr/bin/ngxreload --fullchainpath /usr/local/nginx/conf/ssl/servermanager.guide/servermanager.guide-fullchain-acme-ecc.key --ecc
[Fri Jul 12 22:28:24 UTC 2019] Installing cert to:/usr/local/nginx/conf/ssl/servermanager.guide/servermanager.guide-acme-ecc.cer
[Fri Jul 12 22:28:24 UTC 2019] Installing CA to:/usr/local/nginx/conf/ssl/servermanager.guide/servermanager.guide-acme-ecc.cer
[Fri Jul 12 22:28:24 UTC 2019] Installing key to:/usr/local/nginx/conf/ssl/servermanager.guide/servermanager.guide-acme-ecc.key
[Fri Jul 12 22:28:24 UTC 2019] Installing full chain to:/usr/local/nginx/conf/ssl/servermanager.guide/servermanager.guide-fullchain-acme-ecc.key
[Fri Jul 12 22:28:24 UTC 2019] Run reload cmd: /usr/bin/ngxreload
Reloading nginx configuration (via systemctl): [ OK ]
[Fri Jul 12 22:28:24 UTC 2019] Reload success
setup ssl_trusted_certificate dual cert version: /usr/local/nginx/conf/ssl/servermanager.guide/servermanager.guide-dualcert-rsa-ecc.cer
letsencrypt ssl certificate setup completed
ssl certs located at: /usr/local/nginx/conf/ssl/servermanager.guide
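A check worth running once the installer reports the certificates are in place, added here as an example and not part of the guide or of Centmin Mod's acmetool.sh: confirm that each installed certificate really pairs with the private key beside it, that the second pair is ECDSA and not a second RSA copy, how many days remain before expiry, and that the dual ssl_trusted_certificate file carries both chains. It assumes openssl and GNU date are on the path; the paths default to the ones printed above, and make_demo_pair produces constructed self-signed material so the checks can be exercised offline without Letsencrypt.

```shell
#!/bin/sh
# Added example (not Centmin Mod code): sanity checks for the dual RSA + ECDSA
# certificate files that acme.sh --installcert wrote for Nginx.

SSL_DIR=/usr/local/nginx/conf/ssl/servermanager.guide

# key_algorithm CERT -> "rsaEncryption" or "id-ecPublicKey" taken from the
# certificate's SubjectPublicKeyInfo.
key_algorithm() {
  openssl x509 -in "$1" -noout -text | sed -n 's/.*Public Key Algorithm: //p'
}

# pubkey_sha256 FILE cert|key -> SHA-256 of the DER public key, so a cert and a
# private key can be compared without caring whether they are RSA or EC.
pubkey_sha256() {
  case $2 in
    cert) openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256 | sed 's/.*= //' ;;
    key)  openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256 | sed 's/.*= //' ;;
  esac
}

# cert_matches_key CERT KEY -> exit 0 when the public keys agree.
cert_matches_key() {
  [ "$(pubkey_sha256 "$1" cert)" = "$(pubkey_sha256 "$2" key)" ]
}

# days_left CERT -> whole days until notAfter (GNU date).
days_left() {
  end=$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//')
  echo $(( ($(date -d "$end" +%s) - $(date +%s)) / 86400 ))
}

# chain_count FILE -> number of PEM certificates in the file; the dualcert
# trusted file should hold the RSA chain plus the ECDSA chain.
chain_count() {
  grep -c 'BEGIN CERTIFICATE' "$1"
}

# check_pair CERT KEY EXPECTED_ALG -> exit 0 if algorithm and key pairing match.
check_pair() {
  alg=$(key_algorithm "$1")
  [ "$alg" = "$3" ] || { echo "FAIL $1: algorithm $alg, expected $3"; return 1; }
  cert_matches_key "$1" "$2" || { echo "FAIL $1: public key does not match $2"; return 1; }
  echo "OK   $1 ($alg, $(days_left "$1") days left)"
}

# Live check against the files the installer printed (run on the server).
check_installed() {
  check_pair "$SSL_DIR/servermanager.guide-acme.cer" "$SSL_DIR/servermanager.guide-acme.key" rsaEncryption &&
  check_pair "$SSL_DIR/servermanager.guide-acme-ecc.cer" "$SSL_DIR/servermanager.guide-acme-ecc.key" id-ecPublicKey &&
  echo "trusted dual chain file holds $(chain_count "$SSL_DIR/servermanager.guide-dualcert-rsa-ecc.cer") certificates"
}

# make_demo_pair DIR NAME rsa|ec: constructed self-signed cert + key for offline
# testing only; these are NOT Letsencrypt certificates.
make_demo_pair() {
  if [ "$3" = ec ]; then
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
      -keyout "$1/$2.key" -out "$1/$2.cer" -subj "/CN=$2.example" -days 30 >/dev/null 2>&1
  else
    openssl req -x509 -newkey rsa:2048 -nodes \
      -keyout "$1/$2.key" -out "$1/$2.cer" -subj "/CN=$2.example" -days 30 >/dev/null 2>&1
  fi
}
```

On the server, source the file and run check_installed; a "FAIL ... does not match" line after a renewal usually means one of the two --installcert runs wrote into the other pair's paths, which Nginx will only report as a handshake error at the next reload.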
Then the Pure-ftpd virtual FTP user details are displayed
-------------------------------------------------------------
FTP hostname : SERVER_IP
FTP port : 21
FTP mode : FTP (explicit SSL)
FTP Passive (PASV) : ensure is checked/enabled
FTP username created for servermanager.guide : FTPUSERNAME
FTP password created for servermanager.guide : FTPPASSWORD
-------------------------------------------------------------
Then the Nginx vhost details are displayed for the Nginx vhost configuration file at yourdomain.com.ssl.conf
vhost for servermanager.guide created successfully
vhost ssl for servermanager.guide created successfully
domain: https://servermanager.guide
vhost ssl conf file for servermanager.guide created: /usr/local/nginx/conf/conf.d/servermanager.guide.ssl.conf
/usr/local/nginx/conf/ssl_include.conf created
Self-signed SSL Certificate: /usr/local/nginx/conf/ssl/servermanager.guide/servermanager.guide.crt
SSL Private Key: /usr/local/nginx/conf/ssl/servermanager.guide/servermanager.guide.key
SSL CSR File: /usr/local/nginx/conf/ssl/servermanager.guide/servermanager.guide.csr
Backup SSL Private Key: /usr/local/nginx/conf/ssl/servermanager.guide/servermanager.guide-backup.key
Backup SSL CSR File: /usr/local/nginx/conf/ssl/servermanager.guide/servermanager.guide-backup.csr
upload files to /home/nginx/domains/servermanager.guide/public
vhost log files directory is /home/nginx/domains/servermanager.guide/log
The locations of the WordPress uninstaller script and the auto WordPress updater cronjob are displayed
------------------------------------------------------------
SSH commands to uninstall created WordPress install and Nginx vhost:
/root/tools/wp_uninstall_servermanager.guide.sh
------------------------------------------------------------
------------------------------------------------------------
Wordpress Auto Updater created at: /root/tools/wp_updater_servermanager.guide.sh
cronjob set for every 8 hours update (3x times per day)
------------------------------------------------------------
Then the WordPress configuration, database info and WordPress admin user info are displayed, together with the HTTP basic auth credentials that protect wp-login.php in front of WordPress's own login
WordPress domain: servermanager.guide
Wordpress DB Name: **********_*****
Wordpress DB User: *****************
Wordpress DB Pass: *****************
Wordpress Admin User ID: 2**2***
Wordpress Admin User: ***********
Wordpress Admin Pass: ***********
Wordpress Admin Email: MYEMAIL_ADDRESS
Wordpress Admin Display Name: George
Wordpress wp-login.php password protection info:
wp-login.php protection file /home/nginx/domains/servermanager.guide/htpasswd_wplogin
wp-login.php protection Username: HTTP_USERNAME
wp-login.php protection Password: HTTP_PASSWORD
https://HTTP_USERNAME:HTTP_PASSWORD@servermanager.guide/wp-login.php
Resetting wp-login.php protection:
Step 1. remove protection file at /home/nginx/domains/servermanager.guide/htpasswd_wplogin
rm -rf /home/nginx/domains/servermanager.guide/htpasswd_wplogin
Step 2. run command:
/usr/local/nginx/conf/htpasswd.sh create /home/nginx/domains/servermanager.guide/htpasswd_wplogin YOURUSERNAME YOURPASSWORD
Step 3. restart Nginx + PHP-FPM services
nprestart
Then Nginx vhost directory and site’s Nginx SSL directory contents are displayed
-------------------------------------------------------------
Current vhost listing at: /usr/local/nginx/conf/conf.d/
Jul 12 19:12 1.1K demodomain.com.conf
Jul 12 19:25 1.4K virtual.conf
Jul 12 19:40 3.2K virtual.ssl.conf
Jul 12 22:28 5.9K servermanager.guide.ssl.conf
-------------------------------------------------------------
Current vhost ssl files listing at: /usr/local/nginx/conf/ssl/servermanager.guide
Jul 12 22:20 1.7K servermanager.guide.key
Jul 12 22:20 1.2K servermanager.guide.csr
Jul 12 22:20 1.7K servermanager.guide.crt
Jul 12 22:20 424 dhparam.pem
Jul 12 22:28 375 acme-vhost-config.txt
Jul 12 22:28 3.6K servermanager.guide-acme.cer
Jul 12 22:28 1.7K servermanager.guide-acme.key
Jul 12 22:28 3.6K servermanager.guide-fullchain-acme.key
Jul 12 22:28 3.3K servermanager.guide-acme-ecc.cer
Jul 12 22:28 302 servermanager.guide-acme-ecc.key
Jul 12 22:28 3.3K servermanager.guide-fullchain-acme-ecc.key
Jul 12 22:28 805 servermanager.guide.crt.key.conf
Jul 12 22:28 6.8K servermanager.guide-dualcert-rsa-ecc.cer
Then the remaining steps to complete the WordPress install are displayed
------------------------------------------------------------
To complete setup:
1. Enable Permalinks (DO NOT use links with .html extensions for performance reasons) i.e. /%post_id%/%postname%/
2. Settings Menu > Nginx Helper set options and hit Save All Changes
3. Settings Menu > Autoptimize Main Tab set options and hit Save Changes
4. Settings Menu > Autoptimize Extra Tab set options and hit Save Changes
------------------------------------------------------------
Then the path of the log file capturing the entire centmin.sh menu option 22 run is displayed; you can inspect this log later for any of the Nginx site and WordPress install and setup information. Because it also records the database, WordPress admin and wp-login.php credentials shown above, treat it as a secret: keep it readable by root only (it lives under /root/centminlogs) and do not copy it anywhere less protected.
-------------------------------------------------------------
vhost for servermanager.guide wordpress setup successfully
servermanager.guide setup info log saved at: /root/centminlogs/centminmod_123.09beta01.b203_120719-221749_wordpress_addvhost.log
-------------------------------------------------------------
Finally, a wpinfo.sh script is created which, when run, uses WP-CLI to output all relevant WordPress install info: the installed WP-CLI version, database name and database user, WordPress file and database versions, installed WordPress plugins, installed WordPress themes, and so on.
-------------------------------------------------------------
wpinfo.sh script saved at: /usr/local/nginx/conf/wpincludes/servermanager.guide/wpinfo.sh
-------------------------------------------------------------
Step 4
As Cloudflare is used in front of your Centmin Mod Nginx created WordPress site, you need to ensure that the visitor's real IP address is detected by Nginx instead of Cloudflare's proxy IPs, and that Cloudflare's IP addresses are whitelisted in the Centmin Mod CSF Firewall. Without the first, every access log entry, rate limit and fail2ban-style rule sees only Cloudflare edge addresses; without the second, CSF can block the very edges that deliver your traffic. Centmin Mod 123.09beta01 and newer can do both via the tools/csfcf.sh script. Manual steps are also outlined in Getting Started Guide step 5 – link directly to Nginx Cloudflare & Incapsula (reverse proxy HttpRealIpModule).
In your WordPress site's Nginx vhost config file at /usr/local/nginx/conf/conf.d/servermanager.guide.ssl.conf, find the commented-out (disabled) include of /usr/local/nginx/conf/cloudflare.conf:
# uncomment cloudflare.conf include if using cloudflare for
# server and/or vhost site
#include /usr/local/nginx/conf/cloudflare.conf;
Remove the hash in front of the include line to uncomment it and enable the include file:
# uncomment cloudflare.conf include if using cloudflare for
# server and/or vhost site
include /usr/local/nginx/conf/cloudflare.conf;
Then manually run the tools/csfcf.sh script with the auto flag once. It grabs the latest known Cloudflare IP addresses, whitelists them in CSF Firewall and populates the include file at /usr/local/nginx/conf/cloudflare.conf with the Nginx settings that let Nginx see visitors' real IP addresses instead of Cloudflare's proxy IP addresses. That address list is the trust boundary: Nginx only honours the forwarded client address on connections arriving from those ranges, so the list must be kept current, which is what the cronjob further below is for.
/usr/local/src/centminmod/tools/csfcf.sh auto
Then add the following entry to your server's crontab via the crontab -e command so that csfcf.sh auto runs once per day (here at 00:23 server time; the hour field only accepts 0-23, so write the hour explicitly rather than as a step value). You can use crontab -l to view current cronjobs and crontab -e to open the crontab in the nano text editor; see the guide HowTo: Add Jobs To cron Under Linux or UNIX?
23 0 * * * /usr/local/src/centminmod/tools/csfcf.sh auto >/dev/null 2>&1
Example of the auto-populated include file /usr/local/nginx/conf/cloudflare.conf contents below. Two details matter for security: the IPv6 ranges are commented out by default and only need enabling if your origin is reachable from Cloudflare over IPv6 (an AAAA record for the origin); and because real_ip_header is X-Forwarded-For and real_ip_recursive is left at its default of off, Nginx replaces the client address with the last address in that header, which is the one Cloudflare appends for the connecting visitor, and only does so when the TCP peer is inside one of the set_real_ip_from ranges. Anyone hitting the origin from outside those ranges with a forged X-Forwarded-For keeps their real socket address. Cloudflare also sends CF-Connecting-IP, which carries exactly one address and can be used as real_ip_header instead if you prefer not to depend on header ordering.
include /usr/local/nginx/conf/cloudflare_customips.conf;
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 103.21.244.0/22;
set_real_ip_from 103.22.200.0/22;
set_real_ip_from 103.31.4.0/22;
set_real_ip_from 141.101.64.0/18;
set_real_ip_from 108.162.192.0/18;
set_real_ip_from 190.93.240.0/20;
set_real_ip_from 188.114.96.0/20;
set_real_ip_from 197.234.240.0/22;
set_real_ip_from 198.41.128.0/17;
set_real_ip_from 162.158.0.0/15;
set_real_ip_from 104.16.0.0/12;
set_real_ip_from 172.64.0.0/13;
set_real_ip_from 131.0.72.0/22;
#set_real_ip_from 2400:cb00::/32;
#set_real_ip_from 2606:4700::/32;
#set_real_ip_from 2803:f800::/32;
#set_real_ip_from 2405:b500::/32;
#set_real_ip_from 2405:8100::/32;
#set_real_ip_from 2a06:98c0::/29;
#set_real_ip_from 2c0f:f248::/32;
real_ip_header X-Forwarded-For;
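To see what the include file above actually buys you, here is an added example (not code from the guide, from Centmin Mod or from Nginx) that emulates the decision ngx_http_realip_module makes with real_ip_recursive off: the client address is replaced by the last X-Forwarded-For entry only when the TCP peer falls inside an active set_real_ip_from range. It is IPv4 only, parses a constructed subset of the include file embedded as SAMPLE_CLOUDFLARE_CONF, and is meant for reasoning about the trust boundary, not as a replacement for Nginx's own logic.

```shell
#!/bin/sh
# Added example: emulate nginx realip (non-recursive) against a cloudflare.conf
# style include so spoofed X-Forwarded-For handling can be checked offline.

# Constructed sample: a subset of the ranges csfcf.sh writes, same directive syntax.
SAMPLE_CLOUDFLARE_CONF='include /usr/local/nginx/conf/cloudflare_customips.conf;
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 103.21.244.0/22;
set_real_ip_from 162.158.0.0/15;
set_real_ip_from 104.16.0.0/12;
#set_real_ip_from 2400:cb00::/32;
real_ip_header X-Forwarded-For;'

# ip4_to_int A.B.C.D -> 32-bit integer (subshell body so IFS stays local).
ip4_to_int() (
  IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# in_cidr IP NET/BITS -> exit 0 if IP is inside the IPv4 prefix.
in_cidr() {
  net=${2%/*} bits=${2#*/}
  mask=$(( bits == 0 ? 0 : (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  [ $(( $(ip4_to_int "$1") & mask )) -eq $(( $(ip4_to_int "$net") & mask )) ]
}

# trusted_proxy IP CONF_TEXT -> exit 0 if IP matches an ACTIVE (uncommented)
# IPv4 set_real_ip_from line; commented lines and IPv6 prefixes are skipped.
trusted_proxy() {
  for cidr in $(printf '%s\n' "$2" | sed -n 's|^set_real_ip_from \([0-9./]*\);$|\1|p'); do
    in_cidr "$1" "$cidr" && return 0
  done
  return 1
}

# effective_client_ip PEER_IP XFF_HEADER CONF_TEXT -> the address nginx would
# expose as $remote_addr: last XFF entry if the peer is trusted, else the peer.
effective_client_ip() {
  if [ -n "$2" ] && trusted_proxy "$1" "$3"; then
    printf '%s\n' "${2##*,}" | tr -d ' '
  else
    printf '%s\n' "$1"
  fi
}
```

On the server, pass the live file instead of the sample, for example effective_client_ip 203.0.113.5 "198.51.100.7" "$(cat /usr/local/nginx/conf/cloudflare.conf)"; a direct-to-origin connection from 203.0.113.5 should come back as 203.0.113.5 no matter what header it sends, while the same header from a Cloudflare edge address yields 198.51.100.7.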
Then restart the Nginx server (checking the configuration first with nginx -t avoids taking the site down on a typo in the vhost edit above)
service nginx restart
or via Centmin Mod command shortcut
ngxrestart
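The whole of Step 4 in one place, as an added example rather than code from the guide or from Centmin Mod: idempotent functions that uncomment the cloudflare.conf include in a vhost file and add the daily csfcf.sh cronjob, plus an apply_step4 wrapper that runs them against the live paths printed by the installer, calls csfcf.sh auto, and only restarts Nginx after nginx -t passes. The file-based functions take paths as arguments so they can be tried on copies first; the live wrapper is gated behind CSFCF_APPLY=1 and assumes it is run as root on the Centmin Mod host with ngxrestart and nginx on the path.

```shell
#!/bin/sh
# Added example (not Centmin Mod code): Step 4 as repeatable shell functions.

VHOST_CONF=/usr/local/nginx/conf/conf.d/servermanager.guide.ssl.conf
CSFCF=/usr/local/src/centminmod/tools/csfcf.sh
# Once per day at 00:23; the hour field must be 0-23, so it is written explicitly.
CRON_LINE='23 0 * * * /usr/local/src/centminmod/tools/csfcf.sh auto >/dev/null 2>&1'
CF_INCLUDE='include /usr/local/nginx/conf/cloudflare.conf;'

# enable_cloudflare_include FILE: turn "#include .../cloudflare.conf;" into an
# active include. Safe to run repeatedly; exit 0 only if the include is active.
enable_cloudflare_include() {
  sed -i "s|^[[:space:]]*#[[:space:]]*$CF_INCLUDE|$CF_INCLUDE|" "$1"
  grep -q "^$CF_INCLUDE" "$1"
}

# install_cron_line FILE LINE: append LINE to a crontab dump unless it is
# already there (exact-line match, so reruns do not stack duplicate jobs).
install_cron_line() {
  grep -qxF -- "$2" "$1" || printf '%s\n' "$2" >> "$1"
}

# apply_step4: live changes, in the order the guide gives them.
apply_step4() {
  enable_cloudflare_include "$VHOST_CONF" || { echo "include not enabled in $VHOST_CONF" >&2; return 1; }
  "$CSFCF" auto
  tmp=$(mktemp)
  crontab -l 2>/dev/null > "$tmp" || true
  install_cron_line "$tmp" "$CRON_LINE"
  crontab "$tmp" && rm -f "$tmp"
  # never restart on a config that fails the syntax check
  nginx -t && ngxrestart
}

if [ "${CSFCF_APPLY:-0}" = "1" ]; then
  apply_step4
fi
```

Run it once with CSFCF_APPLY=1 sh step4.sh; without that variable it only defines the functions, which is how the dry-run on a copied vhost file works.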
Cloudflare and Letsencrypt webroot authentication
Finally, at this stage you can switch the Cloudflare DNS record from grey cloud (DNS only) to orange cloud (proxied), since the first Letsencrypt issuance has already been validated via webroot authentication directly against your Centmin Mod Nginx origin server; later renewals continue to use the same webroot path, which Cloudflare proxies through to the origin. With the Centmin Mod Nginx default HTTPS origin, select Cloudflare's Full (strict) SSL mode rather than plain Full: the origin now serves a CA-issued Letsencrypt certificate, and only Full (strict) verifies it, which is what stops the Cloudflare-to-origin hop from accepting an impostor origin certificate.
If you have questions or feedback suggestions regarding this WordPress installer guide, head on over to the official Centmin Mod Community forum’s Blog & CMS subforum.