SSL 403 Error with Me.B solution (Please help)

[stiuvert0007]

First of all hello everyone. My name is Marcos
So far I love Sentora, it´s really simple and what I love the most is the low RAM usage.
I just have a big headache with SSL certs. The first thing I did was to read Sentora Docs SSL guide but that didn´t work for me.
After a long search in the forum I found Me.B solution. (I think that Sentora Docs should be updated)

When I use this solution I finally can use https://tilabmx.com but I get a 403 error.
I created a file under the name ssltilabmx.com.conf
With this inside:

Code:

Listen 443
<VirtualHost *:443>
ServerName tilabmx.com
ServerAlias  www.tilabmx.com
ServerAdmin hcmarcos@tilabmx.com
DocumentRoot "/var/sentora/hostdata/zadmin/public_html/tilabmx_com"
php_admin_value open_basedir "/var/sentora/hostdata/zadmin/public_html/tilabmx_com:/var/sentora/temp/"
php_admin_value suhosin.executor.func.blacklist "passthru, show_source, shell_exec, system, pcntl_exec, popen, pclose, proc_open, proc_nice, proc_terminate, proc_get_status, proc_close, leak, apache_child_terminate, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid$
SSLEngine on
SSLCertificateKeyFile /etc/apache2/ssl/tilabmx.com.key
SSLCertificateFile /etc/apache2/ssl/tilabmx_com.crt
SSLCertificateChainFile /etc/apache2/ssl/bundle.crt
SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2
SSLCipherSuite ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!A$
SSLHonorCipherOrder on
ErrorLog "/var/sentora/logs/domains/zadmin/tilabmx.com-error.log"
CustomLog "/var/sentora/logs/domains/zadmin/tilabmx.com-access.log" combined
CustomLog "/var/sentora/logs/domains/zadmin/tilabmx.com-bandwidth.log" common
<Directory "/var/sentora/hostdata/zadmin/public_html/tilabmx_com">
       Options FollowSymLinks Indexes
       AllowOverride All
       Order Allow,Deny
       Allow from all
</Directory>
AddType application/x-httpd-php .php3 .php
ErrorDocument 500 /_errorpages/500.html
ErrorDocument 403 /_errorpages/403.html
ErrorDocument 404 /_errorpages/404.html
ErrorDocument 510 /_errorpages/510.html
DirectoryIndex index.html index.htm index.php index.asp index.aspx index.jsp index.jspa index.shtml index.shtm
</virtualHost>

Then I added

Code:

Include /etc/sentora/configs/apache/ssltilabmx.com.conf

At the end of /etc/sentora/configs/apache/httpd.conf

When I saw the 403 error I tried to change the following (Thanks to elijahbate advice)

Code:

<Directory "/var/sentora/hostdata/zadmin/public_html/tilabmx_com">
       Options FollowSymLinks Indexes
       AllowOverride All
       Order Allow,Deny
       Allow from all
</Directory>

to

Code:

<Directory "/var/sentora/hostdata/zadmin/public_html/tilabmx_com">
Options +FollowSymLinks -Indexes
 AllowOverride All
 Require all granted
</Directory

And when I acces https://tilabmx.com/ it redirects to http://tilabmx.com/ Why?
Then I searched in google the error "The web server is setup to disable directory listings." and found a solution using .htacces file for enabling directory listings. I added

Code:

Options +Indexes

at the end of my .htacces file but it´s not working.

This is the guide I followed.

In few lines the best solution is:

1. create a new conf file that contain your SSL host that will look like this

<virtualhost *:443>
ServerName ssl.domain.com
ServerAlias ssl.domain.com
ServerAdmin you@domain.com
DocumentRoot "/var/zpanel/hostdata/zadmin/public_html/ssl.domain.com"
php_admin_value open_basedir "/var/zpanel/hostdata/zadmin/public_html/ssl.domain.com:/var/zpanel/temp/"
php_admin_value suhosin.executor.func.blacklist "passthru, show_source, shell_exec, system, pcntl_exec, popen, pclose, proc_open, proc_nice, proc_terminate, proc_get_status, proc_close, leak, apache_child_terminate, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, escapeshellcmd, escapeshellarg, exec"
ErrorLog "/var/zpanel/logs/domains/zadmin/ssl.domain.com-error.log"
CustomLog "/var/zpanel/logs/domains/zadmin/ssl.domain.com-access.log" combined
CustomLog "/var/zpanel/logs/domains/zadmin/ssl.domain.com-bandwidth.log" common
<Directory />
Options FollowSymLinks Indexes
AllowOverride All
Order Allow,Deny
Allow from all
</Directory>
AddType application/x-httpd-php .php3 .php
ErrorDocument 403 /_errorpages/403.html
ErrorDocument 510 /_errorpages/510.html
ErrorDocument 500 /_errorpages/500.html
ErrorDocument 404 /_errorpages/404.html
DirectoryIndex index.html index.htm index.php index.asp index.aspx index.jsp index.jspa index.shtml index.shtm
SSLEngine On
SSLCertificateFile /var/zpanel/logs/domains/zadmin/ssl/secure1.pem
SSLCertificateKeyFile /var/zpanel/logs/domains/zadmin/ssl/secure1.key
</virtualhost>

All zpanel path's should be replaced by sentora.

You will need first to create a normal ssl.domain.com ( sub domain) could a be domain so replace ssl.domain.com with the correct URL you will use.

Notice the path for the SSL certificates that you can change.

Once you create this config file as ssl.domain.com.conf place it in
/etc/zpanel/config/apache/ ( or /etc/sentora/ )

Then check your apache main config file & add include the new conf file you created.

Restart apache. If your SSL certficate is ok ( take care to remove the password or apache will request it after each restart), you should now have
http://ssl.domain.com working &
https://ssl.domain.com both pointing same root.

Then add a .htaccess to enforce https only if you need that or you can keep both working.

I think the old way in the wiki should not be used & hope in next release we auto generate the ssl host instead of having this manual setup. The wiki how to fail to explain the need for override. As once you enable ssl the default domain/subdomain with SSL will no longer work on HTTP & this is why you will be required to add a vhost port override to avoid nasty errors. My way will allow both SSL & non SSL working but require a lot more manual admin off panel.

This topic is FOR EXPERIENCED ADMIN.

M B

BTW what do you mean with

If your SSL certficate is ok ( take care to remove the password or apache will request it after each restart)

What password?

And sorry for my bad english. I´ll appreciate your help. Please I´ve been trying to solve this problem since last saturday.

UPDATE:
This is my error domain log when I get 403:

Code:

[Wed Jun 24 19:32:22.700073 2015] [authz_core:error] [pid 7136] [client 177.245.212.76:50757] AH01630: client denied by server configuration: /var/sentora/hostdata/zadmin/public_html/tilabmx_com/

And this is my apache error log with the 403:

Code:

[Wed Jun 24 19:32:18.748596 2015] [mpm_prefork:notice] [pid 5947] AH00169: caught SIGTERM, shutting down
[Wed Jun 24 19:32:19.498147 2015] [:notice] [pid 7131] mod_bw : Memory Allocated 0 bytes (each conf takes 48 bytes)
[Wed Jun 24 19:32:19.498261 2015] [:notice] [pid 7131] mod_bw : Version 0.92 - Initialized [0 Confs]
[Wed Jun 24 19:32:19.533561 2015] [mpm_prefork:notice] [pid 7131] AH00163: Apache/2.4.7 (Ubuntu) OpenSSL/1.0.1f configured -- resuming normal operations
[Wed Jun 24 19:32:19.533629 2015] [core:notice] [pid 7131] AH00094: Command line: '/usr/sbin/apache2'

[Me.B]

Hi,

To make simpler check your apache config files from your existing domain generated already by sentora for your vhost /etc/sentora/config/apache

Pick the default config and add:

SSLEngine on
SSLCertificateKeyFile /etc/apache2/ssl/tilabmx.com.key
SSLCertificateFile /etc/apache2/ssl/tilabmx_com.crt
SSLCertificateChainFile /etc/apache2/ssl/bundle.crt
SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2
SSLCipherSuite ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!A$
SSLHonorCipherOrder on

right as my example.

And see if it works.

Take care don't setup any override as sentora docs says! Disable them.

M B

[stiuvert0007]

I don´t know what was happening. I spent all day trying to get this done right and I even deleted my droplet and installed Sentora again.
Now it is working!!
I changed to Centos 7, installed Sentora, followed your guide Me.B, and the only problem that I had was because of the Listen 443 in my ssltilabmx.com.conf file. I deleted it because there was already a Listen 443 in the conf.d file and httpd.service can´t restart because of this.
Now everything works! Thank you Me.B for your guide and elijahbate because he even offered me help with Teamviewer.
There is a ssl_module but I didn´t want to use it because I like to know what was happening, love to learn and the satisfaction to know that I made it lol Even if it is simple for some experienced users.
Hope to contribute in this forum!

[Me.B]

Great to see it works.

The doc should be changed to implement SSL this way currently more manual work but works fine. Until we added into the core as it should be.

M B