[SPLIT] Secure Sentora Login with Let's Encrypt

[worksmarter]

Right on, I will add your findings to the tutorial to help complete the CentOS instructions. I may also set up a CentOS VM and see how that goes, if I can make the time.

I would be more than happy to contribute, but this is behaving badly again. Right after changing the Global Sentora port from 80 to 443 and hit save, it crashed Apache 2.2

This is what Apache is now saying, but I don't know how to proceed.

I am pretty sure you will know how to assist me after looking at the Apache error log. I had no real luck with Google.

Code:

-- resuming normal operations
[Fri Dec 09 06:10:29 2016] [notice] caught SIGTERM, shutting down
[Fri Dec 09 06:17:59 2016] [notice] Digest: generating secret for digest authentication ...
[Fri Dec 09 06:17:59 2016] [notice] Digest: done
[Fri Dec 09 06:17:59 2016] [notice] Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/1.0.1e-fips configured -- resuming normal operations
[Fri Dec 09 06:20:02 2016] [notice] SIGHUP received.  Attempting to restart
[Fri Dec 09 06:20:02 2016] [notice] Digest: generating secret for digest authentication ...
[Fri Dec 09 06:20:02 2016] [notice] Digest: done
[Fri Dec 09 06:20:02 2016] [error] Server should be SSL-aware but has no certificate configured [Hint: SSLCertificateFile] ((null):0)
[Fri Dec 09 06:21:26 2016] [error] Server should be SSL-aware but has no certificate configured [Hint: SSLCertificateFile] ((null):0)
[Fri Dec 09 06:24:39 2016] [error] Server should be SSL-aware but has no certificate configured [Hint: SSLCertificateFile] ((null):0)
[Fri Dec 09 06:35:02 2016] [error] Server should be SSL-aware but has no certificate configured [Hint: SSLCertificateFile] ((null):0)

You can see in the last entries while I tried to start Apache and get the [failed] response in the cli.

Incidentally this same mystery error, while it appeared all on its own, is what induced me to reinstall fresh - both I need stability as well to have it function. I will search on this error this week end.

Also for more info, my post about breaking Apache on page four would seem to be the same issue. In the end there I had to restore to a backup and then it worked, but it did some automated stuff with the ssl.conf file naming.

Hmm I am wondering what the difference was between the one that worked and this one which was some automated changes to ssl.conf. Looking at ssl.conf says the certificates should be in .pki and such. Could this be the issue and if so, how do we prevent it in the future?

[TGates]

I found several ideas on Google, not sure if you tried any or if you did and none of them worked? (Mostly from serverfault.com)


Just in case I'll post some of the things to check while I have it fresh in my memory

D below is possibly the culprit in this issue since I wrote the tutorial using apache 2.4

A- Make sure SSLEngine on is ONLY listed inside virtual host containers that include SSL. (No 'stray' SSLEngine on's anywhere else.)
B- Make sure that a vhost entry that is not SSL is on port 80 (<VirtualHost *:80>) and not port 443 (<VirtualHost *:443>) by accident.
C- Try using Listen 443 http instead of just Listen 443
D- Change SSLCertificateChainFile (apache 2.4+) to SSLCACertificatePath (apache 2.2)

[worksmarter]

Thanks, that is a good start.What I plan on doing is using two identical servers and writing a script. Why might I do this? Well because the success or failure of this is illogcal. I will add anything to the thread I can find.

Generally I found the same sort of stuff on Google too now I just need to get rid of all the variables.

BTW if anyone wants to add the sub-domain "www" to their address I have not had any success with that.

(Which is fine for a control panel and I am guessing the other tutorial covers this? Yes/No)

Will keep you updated Thanks TGates,

[TGates]

Right on, looking forward to your findings!

[worksmarter]

Bottom line for CentOS 6.x (and likely Ubuntu)

You MUST INSTALL mod_ssl as well as openssl - openssl does not mandate the install of mod_ssl in CentOS 6.x.

A) This should be  your command in CentOS - (use apt-get for Ubuntu):

Code:

yum install mod_ssl openssl

B) No if and or buts about it. ssl.conf at this location "/etc/httpd/conf.d" ssl.conf WILL have Listen 443 in it that MUST BE COMMENTED OUT THERE!

If you do this along with TGates procedures, be them for the panel, or a domain you should have success. I can post back after I test a cert on a new domain, but for now this is based on just securing the panel; the topic of this thread.

Although I would not be shocked to have to revisit this while securing domains, but since this is done during the install of mod_ssl - I would like to think the other procedure does not over-write the ssl.conf file - but that is a fight for a new day and different guide... But I have not followed that guide yet, so if you are trying to secure a site first and you install openssl and mod-ssl, you will likely be facing the same issue. TGates, maybe in this and/or the other guide should we be telling people to expect this behavior of Apache breaking down and tell them from the get go they will need to modify their ssl.conf no matter what??? Your call Sir.  

[TGates]

Edited tutorial to clarify the installation mod_ssl and openssl and added your note about ssl.conf

[worksmarter]

Edited tutorial to clarify the installation mod_ssl and openssl and added your note about ssl.conf

That looks great T. What I think my erratic troubles involved was that you can comment the Listen 443 out of the httpd-vhosts.conf file @ /etc/sentora/configs/apache. If you comment that one out it works until the job runs that breaks it again and I was left scratching my head.

I feel like a boob for not noticing this from the get-go, but that happens. I think your guide should be 100% on the money now for CentOS and Ubuntu. Thanks for the great guide as well as the patience.  

[TGates]

Thanks! I did forget some steps too. Glad we got that sorted out! I also used it to update the one for regular domains also and in the docs sites

I will split the post so people don't get confused reading 5 pages of trial and error fixes.