This forum uses cookies
This forum makes use of cookies to store your login information if you are registered, and your last visit if you are not. Cookies are small text documents stored on your computer; the cookies set by this forum can only be used on this website and pose no security risk. Cookies on this forum also track the specific topics you have read and when you last read them. Please confirm whether you accept or reject these cookies being set.

A cookie will be stored in your browser regardless of choice to prevent you being asked this question again. You will be able to change your cookie settings at any time using the link in the footer.

Secure Sentora Domains with Let's Encrypt
#1
Secure Sentora Domains with Let's Encrypt
Quote:Let's Encrypt for Domains:
(Also found in our documentation HERE.)

Process done as ROOT user.


NOTICE: For CentOS servers replace apt-get with yum and replace apache2 with httpd

Installing git & Let’s Encrypt
Let’s Encrypt is a new Certificate Authority:
It’s free, automated, and open.

Check to make sure mod_ssl is installed:
On Sentora Panel go to Admin -> PHPinfo -> View Full PHP Configuration -> Search for mod_ssl
If not, install it:
NOTICE: For CentOS replace apt-get with yum
Code:
Code:
apt-get install mod_ssl

Check to make sure openssl is installed:  (openssl does not mandate the install of mod_ssl in CentOS 6.x)
On Sentora Panel go to Admin -> PHPinfo -> View Full PHP Configuration -> Search for openssl
If not, install it:
NOTICE: For CentOS replace apt-get with yum
Code:
Code:
apt-get install openssl

REQUIRED for CentOS: Edit /etc/httpd/conf.d/ssl.conf and change Listen 443 to
#Listen
443

Next, install git and Let's Encrypt:
NOTICE: For CentOS replace apt-get with yum
Code:
apt-get install git
git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
./letsencrypt-auto --help

Creating a Certificate for your domain
You need to turn off apache before creating a certificate or you will get something like

Quote:The program httpd (process ID XXXX) is already listening on TCP port 80. This will prevent us from binding to that port. Please stop the httpd program temporarily and then try again.

REMINDER: Replace domain.com by your domain URL.
NOTICE: For CentOS replace apache2 with httpd
Code:
service apache2 stop
./letsencrypt-auto certonly --standalone -d domain.com -d www.domain.com
service apache2 start

Changing Sentora port:
On Sentora Panel go to Admin -> Module Admin -> Apache Config > Override a Virtualhost [Select VHost] ->
Tick Port Override.
Forward Port 80 to Overriden Port: 443
Custom Entry:

(Don't forget to replace domain.com with your domain's URL belowSmile
Code:
SSLEngine on
SSLProtocol ALL -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
SSLCertificateFile /etc/letsencrypt/live/domain.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/domain.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/domain.com/chain.pem
# Keeping bellow for future upgrades.
# Requires Apache >= 2.4
SSLCompression off

Save Vhost.

Wait on daemon update or run it manually and restart apache.
NOTICE: For CentOS replace apache2 with httpd
Code:
php -q /etc/sentora/panel/bin/daemon.php
service apache2 restart

Your domain should now be secured by SSL.
You can test it here: https://www.ssllabs.com/ssltest/
-TGates - Project Council

SEARCH the Forums or read the DOCUMENTATION before posting!
Support Sentora and Donate: HERE

Find my support or modules useful? Donate to TGates HERE
Developers and code testers needed!
Contact TGates for more information
Reply
Thanks given by: Me.B
#2
RE: Secure Sentora Domains with Let's Encrypt
Notice you need to chmod ./letsencrypt-auto so you can execute or run
bash ./letsencrypt-auto --help ( permission are there by default when repo cloned).

Also ./letsencrypt-auto --help will install openssl if missing so no need for yum/apt_get
No support using PM (Auto adding to IGNORE list!), use the forum. 
How to ask

200$ free to start your VPS 60 days credit
Reply
Thanks given by: TGates
#3
RE: Secure Sentora Domains with Let's Encrypt
You can also avoid stopping apache if you use 
option: challenges http-01 --http-01-port 9999
where you set challenge port to 9999 but you need then to ensure the port is not firewall.

Code:
letsencrypt-auto --agree-dev-preview --agree-tos --renew-by-default --standalone --standalone-supported-challenges http-01 --http-01-port 9999 --server https://acme-v01.api.letsencrypt.org/directory certonly -d
This could help to avoid shutting a production server. ( notice the command line that skip the TOS question).

same if you want to use port 81

Code:
letsencrypt-auto --agree-dev-preview --agree-tos --renew-by-default --standalone --standalone-supported-challenges http-01 --http-01-port 81--server https://acme-v01.api.letsencrypt.org/directory certonly -d



You can also change defaults for let's encrypt:
/etc/letsencrypt/cli.ini

like:

Code:
authenticator = webroot                                                                                                                        
webroot-path = /var/www/                                                                                                                       
server = https://acme-v01.api.letsencrypt.org/directory                                                                                        
domains = mydomain.foo                                                                                                                       
renew-by-default                                                                                                                               
agree-dev-preview


Also I don't like the current override for activating SSL . I usually leave the default vhost setting and create an ssl.conf under /sentora/configs/apache and include it in apache.

I drop there the new ssl vhost config ( until we automate it).

Example of full Vhost under SSL.conf:

Code:
# DOMAIN: domain
<virtualhost *:443>
ServerName domain
ServerAlias  www.domain

ServerAdmin user@localhost

SSLEngine on
SSLProtocol ALL -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
SSLCertificateFile /etc/letsencrypt/live/domain.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/domain.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/domain.com/chain.pem
SSLCompression off

DocumentRoot "/var/sentora/hostdata/user/public_html/domain_com"
php_admin_value open_basedir "/var/sentora/hostdata/user/public_html/domain_com:/var/sentora/temp/:/dev/urandom:/var/sentora/sessions:/tmp"
php_admin_value suhosin.executor.func.blacklist "passthru, show_source, shell_exec, system, pcntl_exec, popen, pclose, proc_open, proc_nice, proc_terminate, proc_get_status, proc_close, leak, apache_child_terminate, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, escapeshellcmd, escapeshellarg, exec"
ErrorLog "/var/sentora/logs/domains/user/domain-error.log"
CustomLog "/var/sentora/logs/domains/user/domain-access.log" combined
CustomLog "/var/sentora/logs/domains/user/domain-bandwidth.log" common
<Directory "/var/sentora/hostdata/user/public_html/domain_com">
 Options +FollowSymLinks -Indexes
 AllowOverride All
 Require all granted
</Directory>
AddType application/x-httpd-php .php3 .php
ErrorDocument 403 /_errorpages/403.html
ErrorDocument 404 /_errorpages/404.html
ErrorDocument 500 /_errorpages/500.html
ErrorDocument 510 /_errorpages/510.html
DirectoryIndex index.html index.htm index.php index.asp index.aspx index.jsp index.jspa index.shtml index.shtm
# Custom Global Settings (if any exist)

# Custom VH settings (if any exist)

</virtualhost>


M B
No support using PM (Auto adding to IGNORE list!), use the forum. 
How to ask

200$ free to start your VPS 60 days credit
Reply
Thanks given by:
#4
RE: Secure Sentora Domains with Let's Encrypt
I did all of it but after the last apache restart i get this error

Invalid command 'SSLCompression', perhaps misspelled or defined by a module not included in the server configuration

and as apache won't start I have no way to get back to my hostpanel
Reply
Thanks given by:
#5
RE: Secure Sentora Domains with Let's Encrypt
I managed to solve that error but now i get this

[root@hostpanel letsencrypt]# service httpd start
/etc/sysconfig/httpd: line 33: “export: command not found
Starting httpd: (98)Address already in use: make_sock: could not bind to address [::]:443
Reply
Thanks given by:
#6
RE: Secure Sentora Domains with Let's Encrypt
for those who gets this error:
Code:
error: command 'x86_64-linux-gnu-gcc' failed with exit status 4
it means you don't have enough ram, To fix this you need to add a swap file.
Here is how to do it :
Code:
sudo dd if=/dev/zero of=/swapfile bs=1024 count=524288
sudo chmod 600 /swapfile
sudo mkswap /swapfile
sudo swapon /swapfile
This worked for me on smallest digital ocean machine
Reply
Thanks given by: TGates
#7
RE: Secure Sentora Domains with Let's Encrypt
aslo when i'm doing this i got the error that port 443 allready was in use so i edited
Code:
httpd-vhosts.conf
and uncomented following line :
Code:
Listen 443
is there a way to prevent that from happening ?
Reply
Thanks given by:
#8
RE: Secure Sentora Domains with Let's Encrypt
Yes, look in the httpd.conf file and make sure LISTEN 443 is not in there also.
-TGates - Project Council

SEARCH the Forums or read the DOCUMENTATION before posting!
Support Sentora and Donate: HERE

Find my support or modules useful? Donate to TGates HERE
Developers and code testers needed!
Contact TGates for more information
Reply
Thanks given by:
#9
RE: Secure Sentora Domains with Let's Encrypt
(04-13-2016, 11:34 PM)NicolaiVdS Wrote: aslo when i'm doing this i got the error that port 443 allready was in use so i edited
Code:
httpd-vhosts.conf
and uncomented following line :
Code:
Listen 443
is there a way to prevent that from happening ?

I get the same error. has removed 443 from all httpd.conf and yet after some time it is again in httpd-vhosts.conf then apache stops with error
Reply
Thanks given by:
#10
RE: Secure Sentora Domains with Let's Encrypt
You will need to scan through all the related conf files. Somehow it is getting loaded twice. Once in the httpd-vhosts.conf (If you are using port override) which is normal, and in one of the other conf files. If you have included manually ssl.conf, then it is probably in there...
-TGates - Project Council

SEARCH the Forums or read the DOCUMENTATION before posting!
Support Sentora and Donate: HERE

Find my support or modules useful? Donate to TGates HERE
Developers and code testers needed!
Contact TGates for more information
Reply
Thanks given by:


Possibly Related Threads…
Thread Author Replies Views Last Post
Secure Sentora With SSLForFree Chris L 1 5 ,324 01-22-2020, 09:19 PM
Last Post: ralphharder
Fail2ban for Sentora (Centos 7) bbspike 14 48 ,694 01-14-2020, 07:32 AM
Last Post: Vedran B
Timeout for Sentora Admin Panel minufreelance 12 48 ,854 11-24-2018, 12:33 PM
Last Post: fearworks

Forum Jump:


Users browsing this thread: 4 Guest(s)