You can also avoid stopping apache if you use
option: challenges http-01 --http-01-port 9999
where you set the challenge port to 9999, but you then need to ensure the port is not firewalled.
This could help to avoid shutting down a production server. (Notice the command line that skips the TOS question.)
Code:
letsencrypt-auto --agree-dev-preview --agree-tos --renew-by-default --standalone --standalone-supported-challenges http-01 --http-01-port 9999 --server https://acme-v01.api.letsencrypt.org/directory certonly -d
Same if you want to use port 81:
Code:
letsencrypt-auto --agree-dev-preview --agree-tos --renew-by-default --standalone --standalone-supported-challenges http-01 --http-01-port 81 --server https://acme-v01.api.letsencrypt.org/directory certonly -d
You can also change the defaults for Let's Encrypt:
/etc/letsencrypt/cli.ini
like:
Code:
authenticator = webroot
webroot-path = /var/www/
server = https://acme-v01.api.letsencrypt.org/directory
domains = mydomain.foo
renew-by-default
agree-dev-preview
Also, I don't like the current override for activating SSL. I usually leave the default vhost setting and create an ssl.conf under /sentora/configs/apache and include it in Apache.
I drop the new SSL vhost config there (until we automate it).
Example of a full vhost under ssl.conf:
Code:
# DOMAIN: domain
<virtualhost *:443>
    ServerName domain
    ServerAlias www.domain
    ServerAdmin user@localhost
    SSLEngine on
    SSLProtocol ALL -SSLv2 -SSLv3
    SSLHonorCipherOrder On
    SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
    SSLCertificateFile /etc/letsencrypt/live/domain.com/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/domain.com/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/domain.com/chain.pem
    SSLCompression off
    DocumentRoot "/var/sentora/hostdata/user/public_html/domain_com"
    php_admin_value open_basedir "/var/sentora/hostdata/user/public_html/domain_com:/var/sentora/temp/:/dev/urandom:/var/sentora/sessions:/tmp"
    php_admin_value suhosin.executor.func.blacklist "passthru, show_source, shell_exec, system, pcntl_exec, popen, pclose, proc_open, proc_nice, proc_terminate, proc_get_status, proc_close, leak, apache_child_terminate, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, escapeshellcmd, escapeshellarg, exec"
    ErrorLog "/var/sentora/logs/domains/user/domain-error.log"
    CustomLog "/var/sentora/logs/domains/user/domain-access.log" combined
    CustomLog "/var/sentora/logs/domains/user/domain-bandwidth.log" common
    <Directory "/var/sentora/hostdata/user/public_html/domain_com">
        Options +FollowSymLinks -Indexes
        AllowOverride All
        Require all granted
    </Directory>
    AddType application/x-httpd-php .php3 .php
    ErrorDocument 403 /_errorpages/403.html
    ErrorDocument 404 /_errorpages/404.html
    ErrorDocument 500 /_errorpages/500.html
    ErrorDocument 510 /_errorpages/510.html
    DirectoryIndex index.html index.htm index.php index.asp index.aspx index.jsp index.jspa index.shtml index.shtm
    # Custom Global Settings (if any exist)
    # Custom VH settings (if any exist)
</virtualhost>
M B
No support using PM (Auto adding to IGNORE list!), use the forum.
How to ask
200$ free to start your VPS 60 days credit
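Added example, not part of the original post or of Sentora's or Let's Encrypt's code: because the ssl.conf vhosts above are dropped in by hand, this Python lint checks each port-443 vhost for the SSL directives the post sets and confirms that cert, key and chain come from one /etc/letsencrypt/live/ directory that matches the vhost's names. The function names, the example.com/example.org sample and the name-matching heuristic are assumptions.

```python
import re
# Expected tokens per directive, mirroring the ssl.conf vhost in the post above.
REQUIRED = {"sslengine": {"on"}, "sslcompression": {"off"},
            "sslprotocol": {"-sslv2", "-sslv3"}}
CERT_KEYS = ("sslcertificatefile", "sslcertificatekeyfile", "sslcertificatechainfile")
LIVE = re.compile(r"/etc/letsencrypt/live/([^/]+)/[^/]+\.pem$")

def parse_vhosts(text):
    """Return one {directive: value} dict per <VirtualHost ...:443> block."""
    vhosts = []
    for body in re.findall(r"(?is)<virtualhost\s[^>]*:443\s*>(.*?)</virtualhost>", text):
        vh = {}
        for line in (raw.strip() for raw in body.splitlines()):
            if line and line[0] not in "#<":  # skip comments and nested section tags
                key, _, value = line.replace("\t", " ").partition(" ")
                vh.setdefault(key.lower(), value.strip().strip('"'))
        vhosts.append(vh)
    return vhosts

def lint_vhost(vh):
    """Return findings for one parsed vhost; an empty list means clean."""
    findings = [f"{k}: want {sorted(want)}, got {vh.get(k)!r}"
                for k, want in REQUIRED.items() if not want <= set(vh.get(k, "").lower().split())]
    lineages = {m.group(1) for k in CERT_KEYS if (m := LIVE.match(vh.get(k, "")))}
    if len(lineages) != 1:
        findings.append(f"cert/key/chain not from one live/ directory: {sorted(lineages)}")
    # Heuristic (assumption): live/<name> is named after a domain the vhost serves.
    names = {vh.get("servername", ""), *vh.get("serveralias", "").split()}
    if len(lineages) == 1 and not lineages & names:
        findings.append(f"certificate {min(lineages)} matches no ServerName/ServerAlias")
    return findings

# Constructed sample: the second vhost was copied from the first and only half edited.
TEMPLATE = """<virtualhost *:443>
ServerName {name}
ServerAlias www.{name}
SSLEngine on
SSLProtocol ALL -SSLv2 -SSLv3
{extra}
SSLCertificateFile /etc/letsencrypt/live/{cert}/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/{cert}/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/{cert}/chain.pem
</virtualhost>
"""
SAMPLE = (TEMPLATE.format(name="example.com", cert="example.com", extra="SSLCompression off")
          + TEMPLATE.format(name="example.org", cert="example.com", extra=""))
if __name__ == "__main__":
    for vh in parse_vhosts(SAMPLE):
        print(vh.get("servername"), lint_vhost(vh) or "OK")
```

To lint a real file, pass its contents to `parse_vhosts` in place of `SAMPLE`.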