Secure Sentora Domains with Let's Encrypt

[sento]

I did all of it but after the last apache restart i get this error

Invalid command 'SSLCompression', perhaps misspelled or defined by a module not included in the server configuration

and as apache won't start I have no way to get back to my hostpanel

I have now exactly the same error, how did you maintain to solve this problem?

EDIT: I have just now deleted exactly the line "SSLCompression off", because the apache docs says it is anyways set off by default, right?
(Here actually where i read that it is off by default -> https://httpd.apache.org/docs/2.4/mod/mo...ompression)

Then i got the same error:

Code:

[root@hostpanel letsencrypt]# service httpd start
/etc/sysconfig/httpd: line 33: “export: command not found
Starting httpd: (98)Address already in use: make_sock: could not bind to address [::]:443

So i deleted the line "Listen 443" in the ssl.conf file which is in the path  "etc/httpd/conf.d/ssl.conf".
Now it seems to work.

But now when I use https to connect to my panel as example, i still get a warning and have to accept the certificate manually, why?

[Me.B]

In case you want SSL but still use cloudflare:

https://support.cloudflare.com/hc/en-us/...CloudFlare

As this method would be also interesting for creating SSL certificates without the need to restart apache. The first method will require you stop apache and use the standalone builtin server to validate the certificate.

So in my case let's say I have a user: myuser and domain: mydomain.com. I wish to generate an SSL certificate for www.mydomain.com and mydomain.com as SSL certificates are bind to specific url's.

I can do that in 1 command without restarting apache as let's encrypt client will set a fil in webroot to validate the domain and then generate the SSL certificate ( could work so here behind cloudflare or any reverse proxy).

Code:

./letsencrypt-auto certonly --webroot --webroot-path /var/sentora/hostdata/myuser/public_html/mydomain --renew-by-default --email me@email.com --text --agree-tos -d mydomain.com -d www.mydomain.com

You can even create a shell script that would grab the var myuser and mydomain. Notice the /var/sentora/hostdata/myuser/public_html/mydomain must be the root path for your domain.

In case we want to create an SSL for sentora then all we have to do is changing the root path and domain:

Code:

./letsencrypt-auto certonly --webroot --webroot-path /etc/sentora/panel --renew-by-default --email me@email.com --text --agree-tos -d panel.mydomain.com

Don't forget to restart apache after you validate/renew the certificate.

Also for a all certificates renewal later all you have to do is :

Code:

./letsencrypt renew --dry-run

This will work fine as long you did the pervious method, as let's encrypt client will keep in DB the old certificates root and will try to renew them.

Also if you don't use any more a certificate you can revoke it, so it's no more renewed:

Code:

./letsencrypt-auto revoke --cert-path /etc/letsencrypt/live/mydomain.com/cert.pem
rm -rf /etc/letsencrypt/renewal/mydomain.conf

So you revoke the certificate and remove it from renewal pool. If you want it back you can recreate it.


M B

TGates may be we should update the first how to no?

Please notice you will face issues if your webdomain is not public in case in intranet or URL is requiring authentification or using ip authentification. In case you have IP white-listing or realm all you have to is set public: .well-known/ folder in your website that will fix it. For intranet may be using a reverse proxy will help over that.

Docs: (PDF)
https://media.readthedocs.org/pdf/letsen...ncrypt.pdf

[TGates]

In case you want SSL but still use cloudflare:

https://support.cloudflare.com/hc/en-us/...CloudFlare

As this method would be also interesting for creating SSL certificates without the need to restart apache. The first method will require you stop apache and use the standalone builtin server to validate the certificate.

So in my case let's say I have a user: myuser and domain: mydomain.com. I wish to generate an SSL certificate for www.mydomain.com and mydomain.com as SSL certificates are bind to specific url's.

I can do that in 1 command without restarting apache as let's encrypt client will set a fil in webroot to validate the domain and then generate the SSL certificate ( could work so here behind cloudflare or any reverse proxy).

Code:

./letsencrypt-auto certonly --webroot --webroot-path /var/sentora/hostdata/myuser/public_html/mydomain --renew-by-default --email me@email.com --text --agree-tos -d mydomain.com -d www.mydomain.com

You can even create a shell script that would grab the var myuser and mydomain. Notice the /var/sentora/hostdata/myuser/public_html/mydomain must be the root path for your domain.

In case we want to create an SSL for sentora then all we have to do is changing the root path and domain:

Code:

./letsencrypt-auto certonly --webroot --webroot-path /etc/sentora/panel --renew-by-default --email me@email.com --text --agree-tos -d panel.mydomain.com

Don't forget to restart apache after you validate/renew the certificate.

Also for a all certificates renewal later all you have to do is :

Code:

./letsencrypt renew --dry-run

This will work fine as long you did the pervious method, as let's encrypt client will keep in DB the old certificates root and will try to renew them.

Also if you don't use any more a certificate you can revoke it, so it's no more renewed:

Code:

./letsencrypt-auto revoke --cert-path /etc/letsencrypt/live/mydomain.com/cert.pem
rm -rf /etc/letsencrypt/renewal/mydomain.conf

So you revoke the certificate and remove it from renewal pool. If you want it back you can recreate it.


M B

@[TGates] may be we should update the first how to no?

Please notice you will face issues if your webdomain is not public in case in intranet or URL is requiring authentification or using ip authentification. In case you have IP white-listing or realm all you have to is set public: .well-known/ folder in your website that will fix it. For intranet may be using a reverse proxy will help over that.

Docs: (PDF)
https://media.readthedocs.org/pdf/letsen...ncrypt.pdf

Is your how-to cloudflare specific or will it work on all domains? If cloudflare, then make another How-To but for cloudflare

[warmax356]

okay i am lost, i have all my hosted domains dns running through cloudflare, and i want sentora, webmin and all others to be SSL'd by lets encrypt, so how do i go about this?

[LaxeDLL]

Can i secure mail/tls with Let's Encrypt?

[james_d]

In case you want SSL but still use cloudflare:

.......

Code:

./letsencrypt-auto certonly --webroot --webroot-path /var/sentora/hostdata/myuser/public_html/mydomain --renew-by-default --email me@email.com --text --agree-tos -d mydomain.com -d www.mydomain.com

Hi Me.B i followed your code advice regarding the Cloudflare and I was able to get the ssl work. 

But when customer go's to the website it doesn't go to the secure https, is there a way how i can enable this?

[TGates]

Hi Me.B i followed your code advice regarding the Cloudflare and I was able to get the ssl work. 

But when customer go's to the website it doesn't go to the secure https, is there a way how i can enable this?

Use .htaccess in the domain's root folder:

Code:

RewriteEngine On

# Force SSL - Always first!
RewriteCond %{SERVER_PORT} ^80$
RewriteRule ^(.*)$ https://%{SERVER_NAME}%{REQUEST_URI} [L,R]

[hrace009]

i have follow everything, but when on browser i always got this
   

and when i run this command

Code:

./letsencrypt-auto certonly --webroot --webroot-path /etc/sentora/panel --renew-by-default --email me@email.com --text --agree-tos -d panel.mydomain.com

it always failed

Code:

[root@panel letsencrypt]# ./letsencrypt-auto certonly --webroot --webroot-path /etc/sentora/panel --renew-by-default --email myemail@myemail.com --text --agree-tos -d panel.mydomain.com
/root/.local/share/letsencrypt/lib/python2.6/site-packages/cryptography/__init__.py:26: DeprecationWarning: Python 2.6 is no longer supported by the Python core team, please upgrade your Python. A future version of cryptography will drop support for Python 2.6
 DeprecationWarning
Failed authorization procedure. panel.mydomain.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Could not connect to http://panel.mydomain.com/.well-known/acme-challenge/R8r4U5m18WFzD8hWZp7V0BrWnZFayA6W_uZtOLXT9U8

IMPORTANT NOTES:
- The following errors were reported by the server:

  Domain: panel.mydomain.com
  Type:   connection
  Detail: Could not connect to
  http://panel.mydomain.com/.well-known/acme-challenge/R8r4U5m18WFzD8hWZp7V0BrWnZFayA6W_uZtOLXT9U8

  To fix these errors, please make sure that your domain name was
  entered correctly and the DNS A record(s) for that domain
  contain(s) the right IP address. Additionally, please check that
  your computer has a publicly routable IP address and that no
  firewalls are preventing the server from communicating with the
  client. If you're using the webroot plugin, you should also verify
  that you are serving files from the webroot path you provided.

iam sure everything has been set, and i can ping my panel.mydomain.com to the right IP on my VPS

-------------------- UPDATE 2:28 AM GMT+7 --------------------------------------
seems i almost found the right way. but i just reach limit, so i must wait for a week

[Me.B]

It works fine for me the above code for let's encrypt. I just checked it.

BUT it will always fail if your dns don't resolve or point to local ip's!

Let's encrypt support only local ip's.

Also don't forget to update let's encrypt scripts using:

Code:

git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt

In case you installed it in /opt/letsencrypt
M B

[BBuchanan]

Let's Encrypt for Domains:
(Also found in our documentation HERE.)

Process done as ROOT user.

NOTICE: For CentOS servers replace apt-get with yum and replace apache2 with httpd

Installing git & Let’s Encrypt
Let’s Encrypt is a new Certificate Authority:
It’s free, automated, and open.

Check to make sure mod_ssl is installed:
On Sentora Panel go to Admin -> PHPinfo -> View Full PHP Configuration -> Search for mod_ssl
If not, install it:
NOTICE: For CentOS replace apt-get with yum

Code:

apt-get install openssl

Next, install git and Let's Encrypt:
NOTICE: For CentOS replace apt-get with yum

Code:

apt-get install git
git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
./letsencrypt-auto --help

Creating a Certificate for your domain
You need to turn off apache before creating a certificate or you will get something like

The program httpd (process ID XXXX) is already listening on TCP port 80. This will prevent us from binding to that port. Please stop the httpd program temporarily and then try again.

REMINDER: Replace domain.com by your domain URL.
NOTICE: For CentOS replace apache2 with httpd

Code:

service apache2 stop
./letsencrypt-auto certonly --standalone -d domain.com
service apache2 start

Changing Sentora port:
On Sentora Panel go to Admin -> Module Admin -> Apache Config > Override a Virtualhost [Select VHost] ->
Tick Port Override.
Forward Port 80 to Overriden Port: 443
Custom Entry:

(Don't forget to replace domain.com with your domain's URL below

Code:

SSLEngine on
SSLProtocol ALL -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
SSLCertificateFile /etc/letsencrypt/live/domain.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/domain.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/domain.com/chain.pem
# Keeping bellow for future upgrades.
# Requires Apache >= 2.4
SSLCompression off

Save Vhost.

Wait on daemon update or run it manually and restart apache.
NOTICE: For CentOS replace apache2 with httpd

Code:

php -q /etc/sentora/panel/bin/daemon.php
service apache2 restart

Your domain should now be secured by SSL.
You can test it here: https://www.ssllabs.com/ssltest/

 Just thought to mention that even after installing the openssl

Code:

apt-get install openssl

 some systems require another command to actually enable it:

Code:

a2enmod ssl

 Just throwing that out there. Also to make things easier for people

On Ubuntu (not sure about centos):

 Add letsencrypt-auto to commands so we can issue shorter commands (in my case):

Code:

ln -s /letsencrypt/letsencrypt-auto /usr/bin/local/letsencrypt

 
 then all I have to literally type:

Code:

letsencrypt certonly --standalone -d domain.tld