[SPLIT] Secure Sentora Login with Let's Encrypt

[TGates]

Meaning, you can't log into your panel to remove the SSL edits?

You can log in through SSH and edit the /etc/sentora/configs/apache/httpd-vhosts.conf file manually and change the panel's vhost entry to:

Code:

Listen 443
Listen 80

# Configuration for Sentora control panel.
<VirtualHost *:80>
ServerAdmin postmaster@yourdomain.com
DocumentRoot "/etc/sentora/panel/"
ServerName panel.yourdomain.com
ErrorLog "/var/sentora/logs/sentora-error.log"
CustomLog "/var/sentora/logs/sentora-access.log" combined
CustomLog "/var/sentora/logs/sentora-bandwidth.log" common
AddType application/x-httpd-php .php
<Directory "/etc/sentora/panel/">
Options +FollowSymLinks -Indexes
   AllowOverride All
   Require all granted
</Directory>

# Custom settings are loaded below this line (if any exist)

</VirtualHost>

Remember to change panel.yourdomain.com to your panel's proper login domain.
Restart apache.
Log into your panel and go to Module Admin > Apache Config and remove any custom entries you added for SSL and save. Wait for the daemon to run and test again.

[worksmarter]

This procedure breaks Apache 2.2 on Centos 6.8.

After I enter this:

Code:

SSLEngine on
SSLProtocol ALL -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
SSLCertificateFile /etc/letsencrypt/live/helium12.domain.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/helium12.domain.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/helium12.domain.com/chain.pem
# Keeping bellow for future upgrades.
# Requires Apache >= 2.4

#SSLCompression

off

As soon as I click on "Save" in Sentora Apache breaks with a reply to my submission of "REFUSED TO CONNECT"

Here is what Apache says when issuing a restart:

Code:

[root@helium12 letsencrypt]# service httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd: (98)Address already in use: make_sock: could not bind to address [::]:443
                                                          [FAILED]

Can anyone give me a hand with this? I have hours in this and cannot come to a stable fix (one that the daemon does not simply revert...)

BTW, I used the --debug flag also this time when creating the certificates.

Here is my output of "grep -ir "^listen" /etc/httpd/*" even with Apache not running.

Code:

/etc/httpd/conf.d/ssl.conf:Listen 443

Commenting out "Listen 443" in ssl.config just changes Apache's restart failure to "Failed" with no error dialogue. And renaming the file so it will not load at all does allow Apache to run, but I cannot reach the Sentora panel at all still.

[worksmarter]

Would posting my steps executed on this CentOS 6.8 box be helpful? Here goes...
These don't work BTW, see previous post above.

Code:

yum install -y mod_ssl openssl

yum install -y git

git clone https://github.com/letsencrypt/letsencrypt

cd letsencrypt

./letsencrypt-auto --help

service httpd stop

./letsencrypt-auto certonly --standalone -d helium12.domain.com --debug

service httpd start

Changing Sentora port:
On Sentora Panel go to Admin -> Sentora Config -> Sentora Apache Port change to 443 and Save.

Adding a Custom Entry to the Sentora Virtual Host
On Sentora Panel go to Admin -> Module Admin -> Apache Config > Global Sentora Entry

SSLEngine on
SSLProtocol ALL -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
SSLCertificateFile /etc/letsencrypt/live/helium12.domain.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/helium12.domain.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/helium12.domain.com/chain.pem
# Keeping bellow for future upgrades.
# Requires Apache >= 2.4

#SSLCompression

off

It is this last step in the Sentora Global Entry when everything goes south.

[TGates]

Ok, check your httpd-vhosts.conf for Listen 443 and also check httpd.conf for Listen 443

If it is in your httpd-vhosts.conf, comment it out in the httpd.conf


ssl.conf should be disabled by default after a fresh install. It is not used in any of the tutorials either since we use custom vhost entries or custom files in the tutorials.

[worksmarter]

Ok, check your httpd-vhosts.conf for Listen 443 and also check httpd.conf for Listen 443

If it is in your httpd-vhosts.conf, comment it out in the httpd.conf


ssl.conf should be disabled by default after a fresh install. It is not used in any of the tutorials either since we use custom vhost entries or custom files in the tutorials.

OK... I restored to a pre-failure backup. What follows is likely the cause of all the problems. You unkowingly are telling CentOS 6.x users to install the ssl.conf file.

Code:

Ok, check your httpd-vhosts.conf for Listen 443 and also check httpd.conf for Listen 443

Nope not contained in either of those files...

Code:

If it is in your httpd-vhosts.conf, comment it out in the httpd.conf

Nope not there either...

You should change your tutorial either with the proper instructions for CentOS, or simply don't say it is compatible only with switching apt-get's for yum and apache2's for httpd - this is not the case.

Installing mod_ssl on CentOS 6.x creates the file ssl.conf in this address. --->

Code:

/etc/httpd/conf.d/ssl.conf

Now I am screwed as I used up all of my privileges at Let'sEncrypt. FYI to others, while I can and will write a working procedure for CentOS 6.x, I cannot even attempt it for I believe ten days of waiting??? Hopefully fellow CentOS users read this after the tutorial and don't end up loosing the services of Let'sEncrypt as I did.

Until I am able to address and correct this problem when Let'sEncrypt will allow me to register the panel/domain again, I would highly recommend no one using CentOS 6.x follow the outlined procedure in post Forum Add-ons and Usage until I or someone else can address this and get a proper procedure.

Thank you for trying to assist TGates.

[TGates]

Just installed it on CentOS. The only addition I need to make to the tutorial is to edit /etc/httpd/conf.d/ssl.conf and comment out the line: Listen 443 and save. Restart apache.
Simple fix based off my explaining to find Listen 443 and comment it out (Since it should be in your httpd-vhosts.conf from doing the Sentora apache port change).

Tutorial updated.

[worksmarter]

Just installed it on CentOS. The only addition I need to make to the tutorial is to edit /etc/httpd/conf.d/ssl.conf and comment out the line: Listen 443 and save. Restart apache.
Simple fix based off my explaining to find Listen 443 and comment it out (Since it should be in your httpd-vhosts.conf from doing the Sentora apache port change).

Tutorial updated.

OK, whatever. Very unprofessional to edit your prior posts to me as you did to align with your response/findings. - (Like your response that there should be no ssl.conf on my machine at all.)

[worksmarter]

Just installed it on CentOS. The only addition I need to make to the tutorial is to edit /etc/httpd/conf.d/ssl.conf and comment out the line: Listen 443 and save. Restart apache.
Simple fix based off my explaining to find Listen 443 and comment it out (Since it should be in your httpd-vhosts.conf from doing the Sentora apache port change).

Tutorial updated.

Also do keep in mind on my first post I indicated I tried commenting out the Listen:443 inside of ssl.conf

The result? Apache failed to start, but no longer had a verbose error response - merely "failed" (to start). That behavior must have been unique to just one of my CentOS 6.8 servers?

[worksmarter]

Hey TGates, nice job on the tutorial fix. Things still work differently than expected, but I am having to go through all of this again, so I will leave you with the modifications I needed to make to get Sentora to work right with Let'sEncrypt.

[TGates]

Right on, I will add your findings to the tutorial to help complete the CentOS instructions. I may also set up a CentOS VM and see how that goes, if I can make the time.