SSL support in sentora
#1
SSL support in sentora
*** PLEASE thread for developers or if you have sys admin knowledge ***

We are currently planning to add SSL support.

The current draft will be to rewrite the apache admin module, and I think I found an interesting solution there that even makes the apache module easier to extend.

Adding SSL will not be the old way using port override but instead will create a second vhost with the exact same config and adding 6 lines
 
Code:
SSLEngine on
SSLProtocol ALL -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
SSLCertificateFile /etc/letsencrypt/live/domain.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/domain.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/domain.com/chain.pem

The above example is for Let's Encrypt, but we would have a new folder in config where we store all SSL:
/etc/sentora/config/ssl or apache/ssl.

We could add a tool to help generate the Let's Encrypt SSL in the right folder, or even auto-generate it. Same for custom self-signed SSL (Let's Encrypt supports only public servers).

Also I think we should more and more restrict modules' access to all folders in sentora, so it can't be done like Diablo925 did in his module. Maybe later, splitting the sensitive work into an API outside of the panel that can have wider access, instead of mixing the GUI with more complex scripts.

We need to add SSL certificate validation in order to avoid apache failing. Maybe a config test safe-fail too, and starting sentora either way with the old valid config. The goal will be fewer issues and fewer users getting it the wrong way.

Uploading a CSR can be added too, but maybe later?

Mainly we need help, input and solutions. 

I'm checking Diablo925 module too, as it's the existing one covering this field. I can send you some of current alpha work.


Update 1: in GUI we could add
https://www.metachris.com/2015/12/compar...tpsforfree

Looks interesting.

Diablo925 bbspike

Also TGates 5050
No support using PM (Auto adding to IGNORE list!), use the forum. 
How to ask
Freelance AWS Certified Architect & SysOps// DevOps

10$ free to start your VPS
#2
RE: SSL support in sentora
I think creating a new ssl-vhosts.conf file is the right way. You can check Diablo925's first SSL module for that, because it worked that way.

Storing all SSL files in one folder seems impractical. Adding the files to a separate ssl folder within the account, like the recent Diablo925 module, makes more sense I think. That way account admins have access to their files.

Automating Let's Encrypt and self-signed should be there. For account admins this should be a one-click setup. Sentora can run the Let's Encrypt script (without using port 80) and even add a cron for automatic renewal.

I think there should be an apache check, yes. Maybe using the sanity check of apache, something like this:

PHP Code:
function restart() {
    // Run "configtest" in place of "graceful" so a broken config is caught
    // before the running server is touched.
    $cmd = str_replace(' graceful', ' configtest', $this->apache_restart_cmd());

    if ($this->server->shell_exec($cmd)) {
        apache_log('Apache configuration is valid', 'ok');
        parent::restart();
    }
    else {
        // Set an error, so we'll roll-back.
        // etc
    }
}

First thoughts there. Gonna look deeper into it in the coming weekend.
[Image: logo2.png]

My being on this forum is all personal and all is done here by me has nothing to with the company Web Improved I work for Smile
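One way to wire together the two ideas in this thread (post #1's cloned *:443 vhost with the six SSL directives and certificate validation, and post #2's configtest-before-restart with roll-back), as an added Python example that is not Sentora's or Diablo925's code. `make_ssl_vhost`, `cert_files_ok`, `apply_config`, the PEM header check and the `{ssl_dir}/{domain}/` layout are assumptions; `configtest` is passed in as a callable so the caller can plug in `apachectl configtest`, standing in for the `shell_exec` call in post #2.

```python
import os
import re
# Directives from the thread's draft vhost; {ssl_dir}/{domain}/ is the proposed cert layout.
SSL_LINES = [
    "SSLEngine on",
    "SSLProtocol ALL -SSLv2 -SSLv3",
    "SSLHonorCipherOrder On",
    "SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:"
    "ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS",
    "SSLCertificateFile {ssl_dir}/{domain}/cert.pem",
    "SSLCertificateKeyFile {ssl_dir}/{domain}/privkey.pem",
    "SSLCertificateChainFile {ssl_dir}/{domain}/chain.pem",
]
# PEM header each file must carry before Apache is ever pointed at it (assumed check).
PEM_MARKERS = {"cert.pem": "-----BEGIN CERTIFICATE-----",
               "privkey.pem": r"-----BEGIN (RSA |EC )?PRIVATE KEY-----",
               "chain.pem": "-----BEGIN CERTIFICATE-----"}

def make_ssl_vhost(http_vhost, domain, ssl_dir):
    """Clone the *:80 vhost as *:443 and add the SSL lines just before </VirtualHost>."""
    ssl = "\n".join("    " + l.format(ssl_dir=ssl_dir, domain=domain) for l in SSL_LINES)
    block = http_vhost.replace("<VirtualHost *:80>", "<VirtualHost *:443>")
    return block.replace("</VirtualHost>", ssl + "\n</VirtualHost>")

def cert_files_ok(domain, ssl_dir):
    """Reject missing or non-PEM files so a bad upload can never take Apache down."""
    for name, marker in PEM_MARKERS.items():
        path = os.path.join(ssl_dir, domain, name)
        if not os.path.isfile(path):
            return False
        with open(path) as fh:
            if not re.search(marker, fh.read()):
                return False
    return True

def apply_config(path, new_conf, configtest):
    """Write new_conf, run configtest(path) (e.g. `apachectl configtest`), roll back on failure."""
    backup, had_old = path + ".bak", os.path.isfile(path)
    if had_old:
        os.replace(path, backup)  # keep the last known-good config aside
    with open(path, "w") as fh:
        fh.write(new_conf)
    if configtest(path):
        if had_old:
            os.remove(backup)
        return True
    if had_old:
        os.replace(backup, path)  # roll back to the config that was working
    else:
        os.remove(path)
    return False
```

Because the old file is only deleted after the config test passes, Apache is never left pointing at a vhost that references a missing or malformed certificate.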
#3
RE: SSL support in sentora
OK, I have almost rewritten the apache_admin hook and I can do whatever I want: either one file with SSL + vhost, or one file per user, or an HTTP file and another for SSL. It's not an issue.

I have extracted the apache config in a template mode that can apply to http or https. I will show it soon.

I have to find the best balance for using Let's Encrypt or self-signed. Checking Diablo925's SSL module. Notice too that I hope we tighten security, and we should find a solution to isolate the panel totally; one of the few key features we needed in the past in zsudo was to restart apache (again configtest here).


For Let's Encrypt: with a non-public domain or without correct DNS it will fail, as it works only for resolving domains. So we need to be sure that it worked. I saw a PHP ACME API, but it's PHP 7!
#4
RE: SSL support in sentora
Using the letsencrypt client's webroot authentication plugin will not require resolving domains
#5
RE: SSL support in sentora
(02-16-2016, 06:42 AM)bbspike Wrote: Using the letsencrypt client's webroot authentication plugin will not require resolving domains

https://community.letsencrypt.org/t/usin...ethod/1445

No, it doesn't work if your domain is PRIVATE (intranet or 192.168.x.x) or DNS is not set up. Each time it will request a callback to check if the file is at domain.com/keyfile.txt. The check will fail as domain.com is not public or is badly configured.

See the "no no" on reddit on that topic, non-public domain:

https://www.reddit.com/r/sysadmin/commen...ic_domain/

M B
#6
RE: SSL support in sentora
I don't have enough knowledge and experience of SSL configs to really add anything more on that.
Thank you for initiating it, and thank you to everybody who may add comments more useful than mine!
#7
RE: SSL support in sentora
If a site is on intranet and not exposed to the WWW why would you need SSL? I am sure there may be a need for it at some point, but this should not be our concern right now and can be worked out further down the road.
-TGates - Project Council

SEARCH the Forums or read the DOCUMENTATION before posting!
Support Sentora and Donate: HERE

Find my support or modules useful? Donate to TGates HERE
Developers and code testers needed!
Contact TGates for more information
#8
RE: SSL support in sentora
I can test locally. Anyway, Let's Encrypt is one solution; a lot of people used SSL before.

So we need to think about the old way too.

#9
RE: SSL support in sentora
Yep, there's still a need for self-signed certs for intranet users and those tin-foil hat wearers who don't trust LE but I think the majority of Sentora users will appreciate Let's Encrypt support a lot more.

I believe we could be the first panel to include Let's Encrypt support by default?
Before posting, update your profile with your OS, Sentora version and server type!
#10
RE: SSL support in sentora
I've already done this years ago. How has it taken so long to implement my idea?

(02-15-2016, 09:05 PM)Me.B Wrote: *** PLEASE thread for developers or if you have sys admin knowledge ***