Set up SSL manually
#1
Set up SSL manually
Here is the much anticipated tutorial on how to add SSL MANUALLY to any domain on your Sentora server.

Notes:
  • This tutorial is for advanced users only. (Use at your own risk!)
  • This tutorial is based on the fact that OpenSSL is installed AND enabled for Apache.
  • This tutorial was created on an Ubuntu 14.04 server. (May be variations for CentOS)
  • I also used WinSCP for editing and creating files and folders. (Not command line)
  • This will show how to do one domain on the zadmin account, but can be edited for multiple domains/sub domains.
  • Let's Encrypt certificates are also used. You may need to change the certificate paths to match your setup.
  • ALWAYS MAKE BACKUPS OF ORIGINAL FILES BEFORE MAKING CHANGES!
  • If you try this using the command line, you are on your own. Hit up Google for help with that...
Log in through SSH as ROOT user and navigate to:
Code:
/etc/sentora/configs/apache
Make a new folder called 'ssl':
Code:
/etc/sentora/configs/apache/ssl

Create a new file to hold your domain's SSL information (domain_com.conf in this example):
(Make one file for each domain - makes it easier.)
Code:
/etc/sentora/configs/apache/ssl/domain_com.conf
Open this new file and add your domain's SSL information:
Code:
<VirtualHost *:443>
ServerName domain.com
ServerAlias  www.domain.com
ServerAdmin webmaster@domain.com
DocumentRoot "/var/sentora/hostdata/zadmin/public_html/domain_com"
ErrorLog "/var/sentora/logs/domains/zadmin/domain.com-error.log"
CustomLog "/var/sentora/logs/domains/zadmin/domain.com-access.log" combined
CustomLog "/var/sentora/logs/domains/zadmin/domain.com-bandwidth.log" common
<Directory "/var/sentora/hostdata/zadmin/public_html/domain_com">
  Options +FollowSymLinks -Indexes
  AllowOverride All
  Require all granted
</Directory>
AddType application/x-httpd-php .php3 .php
ErrorDocument 404 /_errorpages/404.html
ErrorDocument 403 /_errorpages/403.html
ErrorDocument 500 /_errorpages/500.html
DirectoryIndex index.php index.html index.htm index.asp index.aspx index.jsp index.jspa index.shtml index.shtm

SSLEngine on
SSLProtocol ALL -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
SSLCertificateFile /etc/letsencrypt/live/domain.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/domain.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/domain.com/chain.pem
# Keeping below for future upgrades.
# Requires Apache >= 2.4
SSLCompression off
</VirtualHost>

Save and exit.

Don't forget to set the proper file and folder permissions for the new folder and its files! They should be the same as

Code:
/etc/sentora/configs/apache/

Open:
Code:
/etc/sentora/configs/apache/httpd.conf

Scroll all the way to the end and after:
Code:
# Now we include the generic VHOST configuration file that holds all Sentora user hosted vhost data
Include /etc/sentora/configs/apache/httpd-vhosts.conf

Add:
Code:
# Include all SSL vhosts AFTER including the default generic VHOST configuration file
Listen 443
Include /etc/sentora/configs/apache/ssl/*.conf

So it looks like this:
Code:
# Now we include the generic VHOST configuration file that holds all Sentora user hosted vhost data
Include /etc/sentora/configs/apache/httpd-vhosts.conf

# Include all SSL vhosts AFTER including the default generic VHOST configuration file
Listen 443
Include /etc/sentora/configs/apache/ssl/*.conf

Restart apache according to your OS.

If all your paths and certificate names are correct you should have both http and https for this domain.
If you have errors, go back and double check your work! (Filenames, certificate names, file paths, etc.)

FORCE HTTPS ONLY:
If you wish to use https only for the domain, add or edit the .htaccess file in the root of the domain's public folder:
Code:
/var/sentora/hostdata/zadmin/public_html/domain_com/.htaccess

.htaccess file content:
Code:
RewriteEngine On

# Force SSL - Always first Rewrite Rule!
RewriteCond %{SERVER_PORT} ^80$
RewriteRule ^(.*)$ https://%{SERVER_NAME}%{REQUEST_URI} [L,R]

Now your domain will redirect to https.

.htaccess file for Sentora panel login: (/etc/sentora/panel/)
Code:
RewriteEngine on

# Force SSL - Always first Rewrite Rule!
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://panel.domain.com/$1 [R,L]

# Standard Sentora ... blah blah blah

CentOS NOTE:
There was an issue with a default install on CentOS where unused (by Sentora) .conf files were being loaded that caused an issue with SSL.

Code:
/etc/httpd/conf/httpd.conf

Comment out this line (near the bottom):

Code:
#IncludeOptional conf.d/*.conf

Good luck!

Donations for any of my modules or forum help can be sent to HERE Thanks!
-TGates - Head of Support

SEARCH the Forums or read the DOCUMENTATION before posting!
Modules Maintained: 13 - Module Installs: 108k+

Find my support helpful? Donate HERE
Help me to help you by getting your domains using this link:
GoDaddy - Domains
Thanks given by: Bobses , kamzo , kellenw
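
A tightened version of the TLS directives from the vhost in post #1, shown beside the posted ones. This is an added example, not part of the original post. It assumes the tutorial's Let's Encrypt paths and that mod_headers is loaded; the HSTS max-age value is an illustrative choice.

```apache
# --- As posted in the tutorial (commented out, for comparison) ---
# SSLProtocol ALL -SSLv2 -SSLv3
#   SSLv2/SSLv3 are off, but TLS 1.0 and TLS 1.1 are still negotiated.
# SSLCipherSuite ...:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
#   The 3DES entries allow a 64-bit block cipher; the RSA+ entries allow
#   static RSA key exchange, which has no forward secrecy.

# --- Replacement, inside the same <VirtualHost *:443> block ---
SSLEngine on

# Same subtractive style as the tutorial: keep whatever TLS 1.2 (and 1.3,
# if the linked OpenSSL supports it) the build offers, drop everything older.
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1

# The tutorial's own cipher list with the 3DES and RSA key-exchange
# entries removed; only ECDHE/DHE key exchange with AES remains.
SSLHonorCipherOrder On
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:!aNULL:!MD5:!DSS

# Unchanged from the tutorial.
SSLCompression off
SSLCertificateFile /etc/letsencrypt/live/domain.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/domain.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/domain.com/chain.pem

# Only for domains that use the "FORCE HTTPS ONLY" step: tell browsers to
# skip the plain-HTTP request on later visits. Start with a short max-age
# and raise it once every page and asset loads over HTTPS.
# max-age below (180 days) is an assumed example value.
<IfModule mod_headers.c>
  Header always set Strict-Transport-Security "max-age=15552000"
</IfModule>
```

Run `apachectl configtest` before restarting; very old clients that only speak TLS 1.0 or need 3DES will no longer connect with these settings.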
#2
RE: Set up SSL manually
This method is really nice. Can confirm it working (TGates played a big role in this). He did find an issue with Apache that was loading older config files, but it works perfectly now. Maybe listing the issue could help others if it occurs on their servers.
#3
RE: Set up SSL manually
Tutorial updated to include CentOS fix if others have an issue with it.
-TGates - Head of Support
Thanks given by: kamzo
#4
RE: Set up SSL manually
Hey TGates,

I followed this tutorial and it works great so far. The only issue is that I would like to have the sentora panel as well as the webmail under ssh. I do not understand which .htaccess file to put this code in.

Code:
RewriteEngine on

# Force SSL - Always first!
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://panel.domain.com/$1 [R,L]

# Standard Sentora ... blah blah blah

As far as webmail I suspect that I need to create a file in the ssl folder and just edit the info to point to roundcube. If that is correct please let me know. I am going to try it and see if I can get that to work.

Edit:

I was able to get the Sentora panel and webmail working under SSL, and Sentora uses the modrewrite properly. Now the issue I have is that webmail.domain.tld is going to https://panel.sentora-panel.tld. So it seems like the .htaccess in the webmail is not forwarding correctly. Any ideas?
Russ
Co-Owner
KTMGaming.net
#5
RE: Set up SSL manually
Are you using https://webmail... or http://webmail...? both redirect to https://panel... ?
-TGates - Head of Support
#6
RE: Set up SSL manually
Hello TGates,

We have a wildcard cert so we like to use sub-domains. The wish is to have https://webmail... work. I have set up in the .htaccess file in /etc/sentora/panel/etc/apps/webmail with the rewrite info for the main domain (edited for webmail). I used this same config on other subdomains without issue. Where it goes wrong is if you type in http://webmail... it forwards to https://panel... instead of https://webmail... I cannot figure out where it is being redirected from.
Russ
Co-Owner
KTMGaming.net
#7
RE: Set up SSL manually
I just updated the tutorial because another member was having the same issue.

In the ssl-vhosts.conf, make sure the panel Include is LAST and all others are before it. Restart apache.
-TGates - Head of Support
Thanks given by: kamzo
#8
Set up SSL manually
Hello TGates,

I already had the ssl-vhosts.conf set up that way. I don't think it's an issue with the .conf file but an issue with the .htaccess file for webmail. The mod rewrite is changing the url from http://webmail to https://panel. The ssl part works perfectly otherwise.

Russ
Co-Owner
KTMGaming.net
#9
RE: Set up SSL manually
(09-15-2016, 04:46 AM)HogensHero Wrote: Hello TGates,

I already had the ssl-vhosts.conf set up that way. I don't think it's an issue with the .conf file but an issue with the .htaccess file for webmail. The mod rewrite is changing the url from http://webmail to https://panel. The ssl part works perfectly otherwise.


It should be something like:
Code:
# AddDefaultCharset    UTF-8
AddType text/x-component .htc

<IfModule mod_php5.c>
php_flag    display_errors    Off
php_flag    log_errors    On
# php_value    error_log    logs/errors

#Disable override if you require less memory size/process & upload size!
#Default was 5M / 6M / 64M
php_value    upload_max_filesize    25M
php_value    post_max_size        26M
php_value    memory_limit        128M

php_flag    register_globals    Off
php_flag    zlib.output_compression        Off
php_flag    magic_quotes_gpc        Off
php_flag    magic_quotes_runtime        Off
php_flag    zend.ze1_compatibility_mode    Off
php_flag     suhosin.session.encrypt     Off

#php_value    session.cookie_path        /
php_flag    session.auto_start    Off
php_value    session.gc_maxlifetime    21600
php_value    session.gc_divisor    500
php_value    session.gc_probability    1
</IfModule>

<IfModule mod_rewrite.c>
RewriteEngine On
# -- added by TGates - Start
# Force SSL - Always first!
RewriteCond %{SERVER_PORT} ^80$
RewriteRule ^(.*)$ https://%{SERVER_NAME}%{REQUEST_URI} [L,R]
# -- added by TGates - End
RewriteRule ^favicon\.ico$ skins/larry/images/favicon.ico

# security rules:
# - deny access to files not containing a dot or starting with a dot
#   in all locations except installer directory
RewriteRule ^(?!installer)(\.?[^\.]+)$ - [F]
# - deny access to some locations
RewriteRule ^/?(\.git|\.tx|SQL|bin|config|logs|temp|tests|program\/(include|lib|localization|steps)) - [F]
# - deny access to some documentation files
RewriteRule /?(README\.md|composer\.json-dist|composer\.json|package\.xml)$ - [F]
</IfModule>

<IfModule mod_deflate.c>
SetOutputFilter DEFLATE
</IfModule>

<IfModule mod_headers.c>
# replace 'append' with 'merge' for Apache version 2.2.9 and later
#Header append Cache-Control public env=!NO_CACHE
</IfModule>

<IfModule mod_expires.c>
ExpiresActive On
ExpiresDefault "access plus 1 month"
</IfModule>

FileETag MTime Size

<IfModule mod_autoindex.c>
Options -Indexes
</IfModule>
-TGates - Head of Support
#10
RE: Set up SSL manually
(09-15-2016, 05:20 AM)TGates Wrote:

Hello TGates,

I edited my .htaccess to match the one you posted below. There was only one issue that I found and that was where I put in the rewrite rules for ssl. I moved the lines and same issue. Here is my current config for the .htaccess for webmail. I will also post the ssl-vhost.conf and the includes.

.htaccess
Code:
# AddDefaultCharset UTF-8
AddType text/x-component .htc

<IfModule mod_php5.c>
php_flag display_errors Off
php_flag log_errors On
# php_value error_log logs/errors

#Disable override if you require less memory size/process & upload size!
#Default was 5M / 6M / 64M
php_value upload_max_filesize 25M
php_value post_max_size 26M
php_value memory_limit 128M

php_flag register_globals Off
php_flag zlib.output_compression Off
php_flag magic_quotes_gpc Off
php_flag magic_quotes_runtime Off
php_flag zend.ze1_compatibility_mode Off
php_flag suhosin.session.encrypt Off

#php_value session.cookie_path /
php_flag session.auto_start Off
php_value session.gc_maxlifetime 21600
php_value session.gc_divisor 500
php_value session.gc_probability 1
</IfModule>

<IfModule mod_rewrite.c>
RewriteEngine On
# Force SSL - Always first!
RewriteCond %{SERVER_PORT} ^80$
RewriteRule ^(.*)$ https://%{SERVER_NAME}%{REQUEST_URI} [L,R]
RewriteRule ^favicon\.ico$ skins/larry/images/favicon.ico



# security rules:
# - deny access to files not containing a dot or starting with a dot
#   in all locations except installer directory
RewriteRule ^(?!installer)(\.?[^\.]+)$ - [F]
# - deny access to some locations
RewriteRule ^/?(\.git|\.tx|SQL|bin|config|logs|temp|tests|program\/(include|lib|localization|steps)) - [F]
# - deny access to some documentation files
RewriteRule /?(README\.md|composer\.json-dist|composer\.json|package\.xml)$ - [F]
</IfModule>

<IfModule mod_deflate.c>
SetOutputFilter DEFLATE
</IfModule>

<IfModule mod_headers.c>
# replace 'append' with 'merge' for Apache version 2.2.9 and later
#Header append Cache-Control public env=!NO_CACHE
</IfModule>

<IfModule mod_expires.c>
ExpiresActive On
ExpiresDefault "access plus 1 month"
</IfModule>

FileETag MTime Size

<IfModule mod_autoindex.c>
Options -Indexes
</IfModule>

ssl-vhosts.conf
Code:
Listen 443
# Main domain SSL
Include /etc/sentora/configs/apache/ssl/ktmgaming_net.conf
Include /etc/sentora/configs/apache/ssl/panel_ktmgaming_net.conf
Include /etc/sentora/configs/apache/ssl/webmail_ktmgaming_net.conf
Include /etc/sentora/configs/apache/ssl/wp_ktmgaming_net.conf

includes
Code:
<VirtualHost *:443>
ServerName webmail.ktmgaming.net
ServerAlias  www.domain.com
ServerAdmin admin@ktmgaming.net
DocumentRoot "/etc/sentora/panel/etc/apps/webmail"
ErrorLog "/var/sentora/logs/domains/zadmin/ktmgaming.net-error.log"
CustomLog "/var/sentora/logs/domains/zadmin/ktmgaming.net-access.log" combined
CustomLog "/var/sentora/logs/domains/zadmin/ktmgaming.net-bandwidth.log" common
<Directory "/etc/sentora/panel/etc/apps/webmail">
 Options +FollowSymLinks -Indexes
 AllowOverride All
 Require all granted
</Directory>
AddType application/x-httpd-php .php3 .php
ErrorDocument 404 /_errorpages/404.html
ErrorDocument 403 /_errorpages/403.html
ErrorDocument 500 /_errorpages/500.html
DirectoryIndex index.php index.html index.htm index.asp index.aspx index.jsp index.jspa index.shtml index.shtm

SSLEngine on
SSLProtocol ALL -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
SSLCertificateFile /my/crt/file
SSLCertificateKeyFile /my/key/file
SSLCertificateChainFile /my/bundle/file
# Keeping below for future upgrades.
# Requires Apache >= 2.4
SSLCompression off
</VirtualHost>
Russ
Co-Owner
KTMGaming.net