Lets Encrypt SSL on main control panel URL.

[Skippy]

This is all done on a BigV instance on Bytemark

1. Spin up a new server on BigV
   
2. Install Ubuntu 14.04.
   
3. I have changed the reverse DNS to njoror.squashedfly.eu
   
4. set up SSH Key login
   
5. visit http://docs.sentora.org/?node=22 and follow the instructions:
   Code:

   bash <(curl -L -Ss http://sentora.org/install)
   (you will need to double check the subdomain, and ipV4 address)
   
6. update the DNS
   • Our DNS is hosted with Cloudflare because it makes sense,
     
   • A record to njoror to the ipV4 and AAAA record for ipV6 this allows direct access to njoror.squashedfly.eu (don't pass this domain via the CDN cloud), will also want the MX sorted some how.
     

## Let's Encript

1. following the instructions at http://forums.sentora.org/showthread.php?tid=688&page=3 as a start point…
   
   Code:

   apt-get install git
cd ~
git clone https://github.com/letsencrypt/letsencryptcd letsencrypt

now we have the Let's Encrypt package installed we set it up on the panel address

Code:

./letsencrypt-auto certonly --webroot -w /etc/sentora/panel/ -d njoror.squashedfly.eu

you will be asked for an email address… Make sure that it is one that you will not lose access to!.

the SSL certificates are located in `/etc/letsencrypt/live/njoror.squashedfly.eu`

• cert.pem
  
• chain.pem
  
• fullchain.pem
  
• privkey.pem
  

Activate SSL (if not yet)

Code:

a2enmod ssl

Restart apache

Code:

service apache2 restart

go to Sentora -> Admin -> Module Admin -> Apache Config

Under Global Sentora Entry:

Code:

</VirtualHost>
Listen 443
<VirtualHost *:443>
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCertificateFile /etc/letsencrypt/live/njoror.squashedfly.eu/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/njoror.squashedfly.eu/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/njoror.squashedfly.eu/fullchain.pem
DocumentRoot "/etc/sentora/panel/"
ServerName njoror.squashedfly.eu
ErrorLog "/var/sentora/logs/sentora-error.log"
CustomLog "/var/sentora/logs/sentora-access.log" combined
CustomLog "/var/sentora/logs/sentora-bandwidth.log" common
AddType application/x-httpd-php .php
<Directory "/etc/sentora/panel/">
Options +FollowSymLinks -Indexes
   AllowOverride All
   Require all granted
</Directory>
</VirtualHost>

Code:

restart apache - sudo service apache2 restart

If you add

Code:

Redirect Permanent / https://njoror.squashedfly.eu/

before the first </VirtualHost> it will always forward to the HTTPS page

[jacobg830]

Is that the full global sentora entry? If so, it appears Apache isn't listening on port 443 (ssl).

Try adding the following to the top of global sentora entry:

Code:

NameVirtualHost *:443
Listen 443

And then restart Apache.

Ref: http://docs.sentora.org/?node=21

Also, please make sure OpenSSL is installed (check with command "openssl version") and port 443 is open on any firewall.

For support of the newer TLS protocols (and disable BEAST attack) replace the line:

Code:

SSLProtocol SSLv3

with:

Code:

SSLProtocol all -SSLv2 -SSLv3

[Skippy]

I was trying to work along with "http://docs.sentora.org/?node=21"

openssl version gives OpenSSL 1.0.1f 6 Jan 2014

However edits I am making on http://njoror.squashedfly.eu/?module=apa...acheConfig are not being reflected in /etc/sentora/configs/apache/httpd-vhosts.conf even when clicking Force Update and running -- remember that the content of Apache VHOST Conf should be

Code:

/etc/sentora/configs/apache/httpd-vhosts.conf

- Do not empty it… by accident

Code:

php -q /etc/zpanel/panel/bin/daemon.php
service apache2 restart

the code is now

Code:

# Configuration for Sentora control panel on 443
NameVirtualHost *:443
Listen 443


SSLEngine on
SSLProtocol all -SSLv2 -SSLv3

SSLEngine on
SSLProtocol SSLv3
SSLCertificateFile /etc/letsencrypt/live/njoror.squashedfly.eu/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/njoror.squashedfly.eu/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/njoror.squashedfly.eu/fullchain.pem
# SSLCertificateChainFile /etc/letsencrypt/live/njoror.squashedfly.eu/chain.pem # try this first
ServerAdmin zadmin@localhost
DocumentRoot "/etc/sentora/panel/"
ServerName njoror.squashedfly.eu
ServerAlias njoror.squashedfly.eu

And now I get "This webpage is not available ERR_CONNECTION_REFUSED" on port 80 and https,

Output of config test was:

Code:

AH00548: NameVirtualHost has no effect and will be removed in the next release /etc/sentora/configs/apache/httpd-vhosts.conf:28
AH00526: Syntax error on line 29 of /etc/sentora/configs/apache/httpd-vhosts.conf:
Listen cannot occur within <VirtualHost> section
Action 'configtest' failed.
The Apache error log may have more information.

[TGates]

I think you need to remove:

Code:

ServerAdmin zadmin@localhost
DocumentRoot "/etc/sentora/panel/"
ServerName njoror.squashedfly.eu
ServerAlias njoror.squashedfly.eu

From your first post since the default sentora FQDN entry already includes this. Unless I mis-read what you entered.

[jacobg830]

Also remove the "Listen 443" - it seems it can only be added to the apache config and cannot be added as a global sentora entry.

[Skippy]

using the above, the code generated in /etc/sentora/configs/apache/httpd-vhosts.conf is

Code:

################################################################
# Apache VHOST configuration file
# Automatically generated by Sentora 1.0.3
# Generated on: 23:03 10th Jan 2016 UTC
#==== YOU MUST NOT EDIT THIS FILE : IT WILL BE OVERWRITTEN ====
# Use Sentora Menu -> Admin -> Module Admin -> Apache config
################################################################

Listen 80

# Configuration for Sentora control panel.
<VirtualHost *:80>
ServerAdmin zadmin@localhost
DocumentRoot "/etc/sentora/panel/"
ServerName njoror.squashedfly.eu
ErrorLog "/var/sentora/logs/sentora-error.log"
CustomLog "/var/sentora/logs/sentora-access.log" combined
CustomLog "/var/sentora/logs/sentora-bandwidth.log" common
AddType application/x-httpd-php .php
<Directory "/etc/sentora/panel/">
Options +FollowSymLinks -Indexes
    AllowOverride All
    Require all granted
</Directory>

# Custom settings are loaded below this line (if any exist)
# Configuration for Sentora control panel on 443
NameVirtualHost *:443


SSLEngine on
SSLProtocol all -SSLv2 -SSLv3

SSLEngine on
SSLProtocol SSLv3
SSLCertificateFile /etc/letsencrypt/live/njoror.squashedfly.eu/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/njoror.squashedfly.eu/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/njoror.squashedfly.eu/fullchain.pem
# SSLCertificateChainFile /etc/letsencrypt/live/njoror.squashedfly.eu/chain.pem # try this first
</VirtualHost>

################################################################
# Sentora generated VHOST configurations below.....
################################################################

I am getting No data received ERR_EMPTY_RESPONSE, to allow me to get back into the page I have to remove

Code:

# Configuration for Sentora control panel on 443
NameVirtualHost *:443


SSLEngine on
SSLProtocol all -SSLv2 -SSLv3

SSLEngine on
SSLProtocol SSLv3
SSLCertificateFile /etc/letsencrypt/live/njoror.squashedfly.eu/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/njoror.squashedfly.eu/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/njoror.squashedfly.eu/fullchain.pem
# SSLCertificateChainFile /etc/letsencrypt/live/njoror.squashedfly.eu/chain.pem # try this first

then restart apache - sudo service apache2 restart

to keep it happy have to then empty "Global Sentora Entry" in the control panel.

[jacobg830]

NameVirtualHost *:443 is removed from Apache 2.4 so we'll have to create another vhost.

Okay, in Global Sentorra Entry try entering exactly:

Code:

</VirtualHost>
Listen 443
<VirtualHost *:443>
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCertificateFile /etc/letsencrypt/live/njoror.squashedfly.eu/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/njoror.squashedfly.eu/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/njoror.squashedfly.eu/fullchain.pem
DocumentRoot "/etc/sentora/panel/"
ServerName njoror.squashedfly.eu
ErrorLog "/var/sentora/logs/sentora-error.log"
CustomLog "/var/sentora/logs/sentora-access.log" combined
CustomLog "/var/sentora/logs/sentora-bandwidth.log" common
AddType application/x-httpd-php .php
<Directory "/etc/sentora/panel/">
Options +FollowSymLinks -Indexes
    AllowOverride All
    Require all granted
</Directory>

Try removing Listen 443 again if it doesn't work. Nothing like some good old trial and error.

[Skippy]

That works

Original post has been updated to reflect the full process.

[Skippy]

Ok update --

Looking at my SSL cert using SSL Labs, my ipV4 gets a B - https://www.ssllabs.com/ssltest/analyze....38.113.144 however ipV6 gets nothing - https://www.ssllabs.com/ssltest/analyze....%3a0%3a144

so two things, is there a way to improve the IPv4 and what do I need to do to get ipv6 working better? http://ipv6-test.com/validate.php lists that "This website is not ready for IPv6"

[jacobg830]

It seems Sentora does not support IPv6 out of the box. I am unable to test properly because my connection is IPv4 only

For IPv6 support, add the following below "</VirtualHost>":

Code:

Listen [::]:80
Listen [::]:443

This should also enable IPv6 support for your Sentora websites as well.

For a higher grade in SSLLabs, add this below "SSLCertificateChainFile":

Code:

SSLHonorCipherOrder On
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"

or if you don't mind removing support for Internet Explorer 8 (this is more secure):

Code:

SSLHonorCipherOrder On
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"