This forum uses cookies
This forum makes use of cookies to store your login information if you are registered, and your last visit if you are not. Cookies are small text documents stored on your computer; the cookies set by this forum can only be used on this website and pose no security risk. Cookies on this forum also track the specific topics you have read and when you last read them. Please confirm whether you accept or reject these cookies being set.

A cookie will be stored in your browser regardless of choice to prevent you being asked this question again. You will be able to change your cookie settings at any time using the link in the footer.

Lets Encrypt SSL on main control panel URL.
#1
Lets Encrypt SSL on main control panel URL.
This is all done on a BigV instance on Bytemark

  1. Spin up a new server on BigV
  2. Install Ubuntu 14.04.
  3. I have changed the reverse DNS to njoror.squashedfly.eu
  4. set up SSH Key login
  5. visit http://docs.sentora.org/?node=22 and follow the instructions:
    Code:
    bash <(curl -L -Ss http://sentora.org/install)
    (you will need to double check the subdomain, and ipV4 address)
  6. update the DNS
    • Our DNS is hosted with Cloudflare because it makes sense,
    • A record to njoror to the ipV4 and AAAA record for ipV6 this allows direct access to njoror.squashedfly.eu (don't pass this domain via the CDN cloud), will also want the MX sorted some how.

## Let's Encript
  1. following the instructions at http://forums.sentora.org/showthread.php?tid=688&page=3 as a start point…
    Code:
    apt-get install git
    cd ~
    git clone https://github.com/letsencrypt/letsencryptcd letsencrypt

now we have the Let's Encrypt package installed we set it up on the panel address

Code:
./letsencrypt-auto certonly --webroot -w /etc/sentora/panel/ -d njoror.squashedfly.eu

you will be asked for an email address… Make sure that it is one that you will not lose access to!.

the SSL certificates are located in `/etc/letsencrypt/live/njoror.squashedfly.eu`
  • cert.pem
  • chain.pem
  • fullchain.pem
  • privkey.pem

Activate SSL (if not yet)
Code:
a2enmod ssl

Restart apache
Code:
service apache2 restart

go to Sentora -> Admin -> Module Admin -> Apache Config

Under Global Sentora Entry:
Code:
</VirtualHost>
Listen 443
<VirtualHost *:443>
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCertificateFile /etc/letsencrypt/live/njoror.squashedfly.eu/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/njoror.squashedfly.eu/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/njoror.squashedfly.eu/fullchain.pem
DocumentRoot "/etc/sentora/panel/"
ServerName njoror.squashedfly.eu
ErrorLog "/var/sentora/logs/sentora-error.log"
CustomLog "/var/sentora/logs/sentora-access.log" combined
CustomLog "/var/sentora/logs/sentora-bandwidth.log" common
AddType application/x-httpd-php .php
<Directory "/etc/sentora/panel/">
Options +FollowSymLinks -Indexes
   AllowOverride All
   Require all granted
</Directory>
</VirtualHost>

Code:
restart apache - sudo service apache2 restart

If you add
Code:
Redirect Permanent / https://njoror.squashedfly.eu/
before the first </VirtualHost> it will always forward to the HTTPS page Big Grin
Reply
Thanks given by:
#2
RE: Lets Encrypt SSL - not working yet
Is that the full global sentora entry? If so, it appears Apache isn't listening on port 443 (ssl).

Try adding the following to the top of global sentora entry:
Code:
NameVirtualHost *:443
Listen 443
And then restart Apache.

Ref: http://docs.sentora.org/?node=21

Also, please make sure OpenSSL is installed (check with command "openssl version") and port 443 is open on any firewall.

For support of the newer TLS protocols (and disable BEAST attack) replace the line:
Code:
SSLProtocol SSLv3
with:
Code:
SSLProtocol all -SSLv2 -SSLv3
Before posting, update your profile with your OS, Sentora version and server type!

Reply
Thanks given by:
#3
RE: Lets Encrypt SSL - not working yet
I was trying to work along with "http://docs.sentora.org/?node=21"

openssl version gives OpenSSL 1.0.1f 6 Jan 2014

However edits I am making on http://njoror.squashedfly.eu/?module=apa...acheConfig are not being reflected in /etc/sentora/configs/apache/httpd-vhosts.conf even when clicking Force Update and running -- remember that the content of Apache VHOST Conf should be
Code:
/etc/sentora/configs/apache/httpd-vhosts.conf
- Do not empty it… by accident

Code:
php -q /etc/zpanel/panel/bin/daemon.php
service apache2 restart

the code is now
Code:
# Configuration for Sentora control panel on 443
NameVirtualHost *:443
Listen 443


SSLEngine on
SSLProtocol all -SSLv2 -SSLv3

SSLEngine on
SSLProtocol SSLv3
SSLCertificateFile /etc/letsencrypt/live/njoror.squashedfly.eu/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/njoror.squashedfly.eu/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/njoror.squashedfly.eu/fullchain.pem
# SSLCertificateChainFile /etc/letsencrypt/live/njoror.squashedfly.eu/chain.pem # try this first
ServerAdmin zadmin@localhost
DocumentRoot "/etc/sentora/panel/"
ServerName njoror.squashedfly.eu
ServerAlias njoror.squashedfly.eu

And now I get "This webpage is not available ERR_CONNECTION_REFUSED" on port 80 and https,

Output of config test was:
Code:
AH00548: NameVirtualHost has no effect and will be removed in the next release /etc/sentora/configs/apache/httpd-vhosts.conf:28
AH00526: Syntax error on line 29 of /etc/sentora/configs/apache/httpd-vhosts.conf:
Listen cannot occur within <VirtualHost> section
Action 'configtest' failed.
The Apache error log may have more information.
Reply
Thanks given by:
#4
RE: Lets Encrypt SSL - not working yet
I think you need to remove:

Code:
ServerAdmin zadmin@localhost
DocumentRoot "/etc/sentora/panel/"
ServerName njoror.squashedfly.eu
ServerAlias njoror.squashedfly.eu
From your first post since the default sentora FQDN entry already includes this. Unless I mis-read what you entered.
-TGates - Project Council

SEARCH the Forums or read the DOCUMENTATION before posting!
Support Sentora and Donate: HERE

Find my support or modules useful? Donate to TGates HERE
Developers and code testers needed!
Contact TGates for more information
Reply
Thanks given by:
#5
RE: Lets Encrypt SSL - not working yet
Also remove the "Listen 443" - it seems it can only be added to the apache config and cannot be added as a global sentora entry.
Before posting, update your profile with your OS, Sentora version and server type!

Reply
Thanks given by:
#6
RE: Lets Encrypt SSL - not working yet
using the above, the code generated in /etc/sentora/configs/apache/httpd-vhosts.conf is

Code:
################################################################
# Apache VHOST configuration file
# Automatically generated by Sentora 1.0.3
# Generated on: 23:03 10th Jan 2016 UTC
#==== YOU MUST NOT EDIT THIS FILE : IT WILL BE OVERWRITTEN ====
# Use Sentora Menu -> Admin -> Module Admin -> Apache config
################################################################

Listen 80

# Configuration for Sentora control panel.
<VirtualHost *:80>
ServerAdmin zadmin@localhost
DocumentRoot "/etc/sentora/panel/"
ServerName njoror.squashedfly.eu
ErrorLog "/var/sentora/logs/sentora-error.log"
CustomLog "/var/sentora/logs/sentora-access.log" combined
CustomLog "/var/sentora/logs/sentora-bandwidth.log" common
AddType application/x-httpd-php .php
<Directory "/etc/sentora/panel/">
Options +FollowSymLinks -Indexes
    AllowOverride All
    Require all granted
</Directory>

# Custom settings are loaded below this line (if any exist)
# Configuration for Sentora control panel on 443
NameVirtualHost *:443


SSLEngine on
SSLProtocol all -SSLv2 -SSLv3

SSLEngine on
SSLProtocol SSLv3
SSLCertificateFile /etc/letsencrypt/live/njoror.squashedfly.eu/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/njoror.squashedfly.eu/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/njoror.squashedfly.eu/fullchain.pem
# SSLCertificateChainFile /etc/letsencrypt/live/njoror.squashedfly.eu/chain.pem # try this first
</VirtualHost>

################################################################
# Sentora generated VHOST configurations below.....
################################################################

I am getting No data received ERR_EMPTY_RESPONSE, to allow me to get back into the page I have to remove
Code:
# Configuration for Sentora control panel on 443
NameVirtualHost *:443


SSLEngine on
SSLProtocol all -SSLv2 -SSLv3

SSLEngine on
SSLProtocol SSLv3
SSLCertificateFile /etc/letsencrypt/live/njoror.squashedfly.eu/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/njoror.squashedfly.eu/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/njoror.squashedfly.eu/fullchain.pem
# SSLCertificateChainFile /etc/letsencrypt/live/njoror.squashedfly.eu/chain.pem # try this first
then restart apache - sudo service apache2 restart

to keep it happy have to then empty "Global Sentora Entry" in the control panel.
Reply
Thanks given by:
#7
RE: Lets Encrypt SSL - not working yet
NameVirtualHost *:443 is removed from Apache 2.4 so we'll have to create another vhost.

Okay, in Global Sentorra Entry try entering exactly:
Code:
</VirtualHost>
Listen 443
<VirtualHost *:443>
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCertificateFile /etc/letsencrypt/live/njoror.squashedfly.eu/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/njoror.squashedfly.eu/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/njoror.squashedfly.eu/fullchain.pem
DocumentRoot "/etc/sentora/panel/"
ServerName njoror.squashedfly.eu
ErrorLog "/var/sentora/logs/sentora-error.log"
CustomLog "/var/sentora/logs/sentora-access.log" combined
CustomLog "/var/sentora/logs/sentora-bandwidth.log" common
AddType application/x-httpd-php .php
<Directory "/etc/sentora/panel/">
Options +FollowSymLinks -Indexes
    AllowOverride All
    Require all granted
</Directory>

Try removing Listen 443 again if it doesn't work. Nothing like some good old trial and error.
Before posting, update your profile with your OS, Sentora version and server type!

Reply
Thanks given by: Skippy
#8
RE: Lets Encrypt SSL - not working yet
That works Big Grin

Original post has been updated to reflect the full process.
Reply
Thanks given by:
#9
RE: Lets Encrypt SSL on main control panel URL.
Ok update --

Looking at my SSL cert using SSL Labs, my ipV4 gets a B - https://www.ssllabs.com/ssltest/analyze....38.113.144 however ipV6 gets nothing - https://www.ssllabs.com/ssltest/analyze....%3a0%3a144

so two things, is there a way to improve the IPv4 and what do I need to do to get ipv6 working better? http://ipv6-test.com/validate.php lists that "This website is not ready for IPv6"
Reply
Thanks given by:
#10
RE: Lets Encrypt SSL on main control panel URL.
It seems Sentora does not support IPv6 out of the box. I am unable to test properly because my connection is IPv4 only Sad

For IPv6 support, add the following below "</VirtualHost>":
Code:
Listen [::]:80
Listen [::]:443

This should also enable IPv6 support for your Sentora websites as well.

For a higher grade in SSLLabs, add this below "SSLCertificateChainFile":
Code:
SSLHonorCipherOrder On
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
or if you don't mind removing support for Internet Explorer 8 (this is more secure):
Code:
SSLHonorCipherOrder On
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"
Before posting, update your profile with your OS, Sentora version and server type!

Reply
Thanks given by:


Possibly Related Threads…
Thread Author Replies Views Last Post
https without certificate redirects to panel iraqiboy90 10 22 ,409 02-28-2021, 11:20 AM
Last Post: iraqiboy90
How to run multiple version PHP with Apache (use Sentora panel) on Centos ??? BigBang 4 9 ,178 12-23-2020, 03:31 PM
Last Post: djkashdui1
PLZ Help me install ssl in my own VPS Centos7 Sentora panel younessesoft 1 4 ,486 05-26-2020, 07:34 PM
Last Post: 5050

Forum Jump:


Users browsing this thread: 2 Guest(s)