Secure Sentora Domains with Let's Encrypt

[TGates]

Let's Encrypt for Domains:
(Also found in our documentation HERE.)

Process done as ROOT user.

NOTICE: For CentOS servers replace apt-get with yum and replace apache2 with httpd

Installing git & Let’s Encrypt
Let’s Encrypt is a new Certificate Authority:
It’s free, automated, and open.

Check to make sure mod_ssl is installed:
On Sentora Panel go to Admin -> PHPinfo -> View Full PHP Configuration -> Search for mod_ssl
If not, install it:
NOTICE: For CentOS replace apt-get with yum
Code:

Code:

apt-get install mod_ssl

Check to make sure openssl is installed:  (openssl does not mandate the install of mod_ssl in CentOS 6.x)
On Sentora Panel go to Admin -> PHPinfo -> View Full PHP Configuration -> Search for openssl
If not, install it:
NOTICE: For CentOS replace apt-get with yum
Code:

Code:

apt-get install openssl

REQUIRED for CentOS: Edit /etc/httpd/conf.d/ssl.conf and change Listen 443 to

#Listen

443

Next, install git and Let's Encrypt:
NOTICE: For CentOS replace apt-get with yum

Code:

apt-get install git
git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
./letsencrypt-auto --help

Creating a Certificate for your domain
You need to turn off apache before creating a certificate or you will get something like

The program httpd (process ID XXXX) is already listening on TCP port 80. This will prevent us from binding to that port. Please stop the httpd program temporarily and then try again.

REMINDER: Replace domain.com by your domain URL.
NOTICE: For CentOS replace apache2 with httpd

Code:

service apache2 stop
./letsencrypt-auto certonly --standalone -d domain.com -d www.domain.com
service apache2 start

Changing Sentora port:
On Sentora Panel go to Admin -> Module Admin -> Apache Config > Override a Virtualhost [Select VHost] ->
Tick Port Override.
Forward Port 80 to Overriden Port: 443
Custom Entry:

(Don't forget to replace domain.com with your domain's URL below

Code:

SSLEngine on
SSLProtocol ALL -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
SSLCertificateFile /etc/letsencrypt/live/domain.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/domain.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/domain.com/chain.pem
# Keeping bellow for future upgrades.
# Requires Apache >= 2.4
SSLCompression off

Save Vhost.

Wait on daemon update or run it manually and restart apache.
NOTICE: For CentOS replace apache2 with httpd

Code:

php -q /etc/sentora/panel/bin/daemon.php
service apache2 restart

Your domain should now be secured by SSL.
You can test it here: https://www.ssllabs.com/ssltest/

[Me.B]

Notice you need to chmod ./letsencrypt-auto so you can execute or run
bash ./letsencrypt-auto --help ( permission are there by default when repo cloned).

Also ./letsencrypt-auto --help will install openssl if missing so no need for yum/apt_get

[Me.B]

You can also avoid stopping apache if you use 
option: challenges http-01 --http-01-port 9999
where you set challenge port to 9999 but you need then to ensure the port is not firewall.

Code:

letsencrypt-auto --agree-dev-preview --agree-tos --renew-by-default --standalone --standalone-supported-challenges http-01 --http-01-port 9999 --server https://acme-v01.api.letsencrypt.org/directory certonly -d

This could help to avoid shutting a production server. ( notice the command line that skip the TOS question).

same if you want to use port 81

Code:

letsencrypt-auto --agree-dev-preview --agree-tos --renew-by-default --standalone --standalone-supported-challenges http-01 --http-01-port 81--server https://acme-v01.api.letsencrypt.org/directory certonly -d

You can also change defaults for let's encrypt:
/etc/letsencrypt/cli.ini

like:

Code:

authenticator = webroot                                                                                                                        
webroot-path = /var/www/                                                                                                                       
server = https://acme-v01.api.letsencrypt.org/directory                                                                                        
domains = mydomain.foo                                                                                                                       
renew-by-default                                                                                                                               
agree-dev-preview

Also I don't like the current override for activating SSL . I usually leave the default vhost setting and create an ssl.conf under /sentora/configs/apache and include it in apache.

I drop there the new ssl vhost config ( until we automate it).

Example of full Vhost under SSL.conf:

Code:

# DOMAIN: domain
<virtualhost *:443>
ServerName domain
ServerAlias  www.domain

ServerAdmin user@localhost

SSLEngine on
SSLProtocol ALL -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
SSLCertificateFile /etc/letsencrypt/live/domain.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/domain.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/domain.com/chain.pem
SSLCompression off

DocumentRoot "/var/sentora/hostdata/user/public_html/domain_com"
php_admin_value open_basedir "/var/sentora/hostdata/user/public_html/domain_com:/var/sentora/temp/:/dev/urandom:/var/sentora/sessions:/tmp"
php_admin_value suhosin.executor.func.blacklist "passthru, show_source, shell_exec, system, pcntl_exec, popen, pclose, proc_open, proc_nice, proc_terminate, proc_get_status, proc_close, leak, apache_child_terminate, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, escapeshellcmd, escapeshellarg, exec"
ErrorLog "/var/sentora/logs/domains/user/domain-error.log"
CustomLog "/var/sentora/logs/domains/user/domain-access.log" combined
CustomLog "/var/sentora/logs/domains/user/domain-bandwidth.log" common
<Directory "/var/sentora/hostdata/user/public_html/domain_com">
 Options +FollowSymLinks -Indexes
 AllowOverride All
 Require all granted
</Directory>
AddType application/x-httpd-php .php3 .php
ErrorDocument 403 /_errorpages/403.html
ErrorDocument 404 /_errorpages/404.html
ErrorDocument 500 /_errorpages/500.html
ErrorDocument 510 /_errorpages/510.html
DirectoryIndex index.html index.htm index.php index.asp index.aspx index.jsp index.jspa index.shtml index.shtm
# Custom Global Settings (if any exist)

# Custom VH settings (if any exist)

</virtualhost>

M B

[jeremyotten]

I did all of it but after the last apache restart i get this error

Invalid command 'SSLCompression', perhaps misspelled or defined by a module not included in the server configuration

and as apache won't start I have no way to get back to my hostpanel

[jeremyotten]

I managed to solve that error but now i get this

[root@hostpanel letsencrypt]# service httpd start
/etc/sysconfig/httpd: line 33: “export: command not found
Starting httpd: (98)Address already in use: make_sock: could not bind to address [::]:443

[NicolaiVdS]

for those who gets this error:

Code:

error: command 'x86_64-linux-gnu-gcc' failed with exit status 4

it means you don't have enough ram, To fix this you need to add a swap file.
Here is how to do it :

Code:

sudo dd if=/dev/zero of=/swapfile bs=1024 count=524288
sudo chmod 600 /swapfile
sudo mkswap /swapfile
sudo swapon /swapfile

This worked for me on smallest digital ocean machine

[NicolaiVdS]

aslo when i'm doing this i got the error that port 443 allready was in use so i edited

Code:

httpd-vhosts.conf

and uncomented following line :

Code:

Listen 443

is there a way to prevent that from happening ?

[TGates]

Yes, look in the httpd.conf file and make sure LISTEN 443 is not in there also.

[lexsusdk]

aslo when i'm doing this i got the error that port 443 allready was in use so i edited

Code:

httpd-vhosts.conf

and uncomented following line :

Code:

Listen 443

is there a way to prevent that from happening ?

I get the same error. has removed 443 from all httpd.conf and yet after some time it is again in httpd-vhosts.conf then apache stops with error

[TGates]

You will need to scan through all the related conf files. Somehow it is getting loaded twice. Once in the httpd-vhosts.conf (If you are using port override) which is normal, and in one of the other conf files. If you have included manually ssl.conf, then it is probably in there...