This forum uses cookies
This forum makes use of cookies to store your login information if you are registered, and your last visit if you are not. Cookies are small text documents stored on your computer; the cookies set by this forum can only be used on this website and pose no security risk. Cookies on this forum also track the specific topics you have read and when you last read them. Please confirm whether you accept or reject these cookies being set.

A cookie will be stored in your browser regardless of choice to prevent you being asked this question again. You will be able to change your cookie settings at any time using the link in the footer.

Secure Sentora Domains with Let's Encrypt
#11
RE: Secure Sentora Domains with Let's Encrypt
(04-07-2016, 05:31 AM)jeremyotten Wrote: I did all of it but after the last apache restart i get this error

Invalid command 'SSLCompression', perhaps misspelled or defined by a module not included in the server configuration

and as apache won't start I have no way to get back to my hostpanel

I have now exactly the same error, how did you maintain to solve this problem?

EDIT: I have just now deleted exactly the line "SSLCompression off", because the apache docs says it is anyways set off by default, right?
(Here actually where i read that it is off by default -> https://httpd.apache.org/docs/2.4/mod/mo...ompression)

Then i got the same error:
Code:
[root@hostpanel letsencrypt]# service httpd start
/etc/sysconfig/httpd: line 33: “export: command not found
Starting httpd: (98)Address already in use: make_sock: could not bind to address [::]:443

So i deleted the line "Listen 443" in the ssl.conf file which is in the path  "etc/httpd/conf.d/ssl.conf".
Now it seems to work.

But now when I use https to connect to my panel as example, i still get a warning and have to accept the certificate manually, why?
Reply
Thanks given by:
#12
RE: Secure Sentora Domains with Let's Encrypt
In case you want SSL but still use cloudflare:

https://support.cloudflare.com/hc/en-us/...CloudFlare

As this method would be also interesting for creating SSL certificates without the need to restart apache. The first method will require you stop apache and use the standalone builtin server to validate the certificate.

So in my case let's say I have a user: myuser and domain: mydomain.com. I wish to generate an SSL certificate for www.mydomain.com and mydomain.com as SSL certificates are bind to specific url's.

I can do that in 1 command without restarting apache as let's encrypt client will set a fil in webroot to validate the domain and then generate the SSL certificate ( could work so here behind cloudflare or any reverse proxy).

Code:
./letsencrypt-auto certonly --webroot --webroot-path /var/sentora/hostdata/myuser/public_html/mydomain --renew-by-default --email me@email.com --text --agree-tos -d mydomain.com -d www.mydomain.com

You can even create a shell script that would grab the var myuser and mydomain. Notice the /var/sentora/hostdata/myuser/public_html/mydomain must be the root path for your domain.

In case we want to create an SSL for sentora then all we have to do is changing the root path and domain:

Code:
./letsencrypt-auto certonly --webroot --webroot-path /etc/sentora/panel --renew-by-default --email me@email.com --text --agree-tos -d panel.mydomain.com

Don't forget to restart apache after you validate/renew the certificate.

Also for a all certificates renewal later all you have to do is :

Code:
./letsencrypt renew --dry-run

This will work fine as long you did the pervious method, as let's encrypt client will keep in DB the old certificates root and will try to renew them.

Also if you don't use any more a certificate you can revoke it, so it's no more renewed:


Code:
./letsencrypt-auto revoke --cert-path /etc/letsencrypt/live/mydomain.com/cert.pem
rm -rf /etc/letsencrypt/renewal/mydomain.conf

So you revoke the certificate and remove it from renewal pool. If you want it back you can recreate it.


M B

TGates may be we should update the first how to no?

Please notice you will face issues if your webdomain is not public in case in intranet or URL is requiring authentification or using ip authentification. In case you have IP white-listing or realm all you have to is set public: .well-known/ folder in your website that will fix it. For intranet may be using a reverse proxy will help over that.

Docs: (PDF)
https://media.readthedocs.org/pdf/letsen...ncrypt.pdf
No support using PM (Auto adding to IGNORE list!), use the forum. 
How to ask

200$ free to start your VPS 60 days credit
Reply
Thanks given by: james_d
#13
RE: Secure Sentora Domains with Let's Encrypt
(05-06-2016, 03:22 AM)Me.B Wrote: In case you want SSL but still use cloudflare:

https://support.cloudflare.com/hc/en-us/...CloudFlare

As this method would be also interesting for creating SSL certificates without the need to restart apache. The first method will require you stop apache and use the standalone builtin server to validate the certificate.

So in my case let's say I have a user: myuser and domain: mydomain.com. I wish to generate an SSL certificate for www.mydomain.com and mydomain.com as SSL certificates are bind to specific url's.

I can do that in 1 command without restarting apache as let's encrypt client will set a fil in webroot to validate the domain and then generate the SSL certificate ( could work so here behind cloudflare or any reverse proxy).

Code:
./letsencrypt-auto certonly --webroot --webroot-path /var/sentora/hostdata/myuser/public_html/mydomain --renew-by-default --email me@email.com --text --agree-tos -d mydomain.com -d www.mydomain.com

You can even create a shell script that would grab the var myuser and mydomain. Notice the /var/sentora/hostdata/myuser/public_html/mydomain must be the root path for your domain.

In case we want to create an SSL for sentora then all we have to do is changing the root path and domain:

Code:
./letsencrypt-auto certonly --webroot --webroot-path /etc/sentora/panel --renew-by-default --email me@email.com --text --agree-tos -d panel.mydomain.com

Don't forget to restart apache after you validate/renew the certificate.

Also for a all certificates renewal later all you have to do is :

Code:
./letsencrypt renew --dry-run

This will work fine as long you did the pervious method, as let's encrypt client will keep in DB the old certificates root and will try to renew them.

Also if you don't use any more a certificate you can revoke it, so it's no more renewed:


Code:
./letsencrypt-auto revoke --cert-path /etc/letsencrypt/live/mydomain.com/cert.pem
rm -rf /etc/letsencrypt/renewal/mydomain.conf

So you revoke the certificate and remove it from renewal pool. If you want it back you can recreate it.


M B

@[TGates] may be we should update the first how to no?

Please notice you will face issues if your webdomain is not public in case in intranet or URL is requiring authentification or using ip authentification. In case you have IP white-listing or realm all you have to is set public: .well-known/ folder in your website that will fix it. For intranet may be using a reverse proxy will help over that.

Docs: (PDF)
https://media.readthedocs.org/pdf/letsen...ncrypt.pdf

Is your how-to cloudflare specific or will it work on all domains? If cloudflare, then make another How-To but for cloudflare Wink
-TGates - Project Council

SEARCH the Forums or read the DOCUMENTATION before posting!
Support Sentora and Donate: HERE

Find my support or modules useful? Donate to TGates HERE
Developers and code testers needed!
Contact TGates for more information
Reply
Thanks given by:
#14
RE: Secure Sentora Domains with Let's Encrypt
okay i am lost, i have all my hosted domains dns running through cloudflare, and i want sentora, webmin and all others to be SSL'd by lets encrypt, so how do i go about this?
Reply
Thanks given by:
#15
RE: Secure Sentora Domains with Let's Encrypt
Can i secure mail/tls with Let's Encrypt?
Reply
Thanks given by:
#16
RE: Secure Sentora Domains with Let's Encrypt
(05-06-2016, 03:22 AM)Me.B Wrote: In case you want SSL but still use cloudflare:

.......

Code:
./letsencrypt-auto certonly --webroot --webroot-path /var/sentora/hostdata/myuser/public_html/mydomain --renew-by-default --email me@email.com --text --agree-tos -d mydomain.com -d www.mydomain.com

Hi Me.B i followed your code advice regarding the Cloudflare and I was able to get the ssl work. 

But when customer go's to the website it doesn't go to the secure https, is there a way how i can enable this?
Reply
Thanks given by:
#17
RE: Secure Sentora Domains with Let's Encrypt
(06-24-2016, 06:06 PM)james_d Wrote: Hi Me.B i followed your code advice regarding the Cloudflare and I was able to get the ssl work. 

But when customer go's to the website it doesn't go to the secure https, is there a way how i can enable this?

Use .htaccess in the domain's root folder:
Code:
RewriteEngine On

# Force SSL - Always first!
RewriteCond %{SERVER_PORT} ^80$
RewriteRule ^(.*)$ https://%{SERVER_NAME}%{REQUEST_URI} [L,R]
-TGates - Project Council

SEARCH the Forums or read the DOCUMENTATION before posting!
Support Sentora and Donate: HERE

Find my support or modules useful? Donate to TGates HERE
Developers and code testers needed!
Contact TGates for more information
Reply
Thanks given by: james_d
#18
RE: Secure Sentora Domains with Let's Encrypt
i have follow everything, but when on browser i always got this
   

and when i run this command
Code:
./letsencrypt-auto certonly --webroot --webroot-path /etc/sentora/panel --renew-by-default --email me@email.com --text --agree-tos -d panel.mydomain.com

it always failed

Code:
[root@panel letsencrypt]# ./letsencrypt-auto certonly --webroot --webroot-path /etc/sentora/panel --renew-by-default --email myemail@myemail.com --text --agree-tos -d panel.mydomain.com
/root/.local/share/letsencrypt/lib/python2.6/site-packages/cryptography/__init__.py:26: DeprecationWarning: Python 2.6 is no longer supported by the Python core team, please upgrade your Python. A future version of cryptography will drop support for Python 2.6
 DeprecationWarning
Failed authorization procedure. panel.mydomain.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Could not connect to http://panel.mydomain.com/.well-known/acme-challenge/R8r4U5m18WFzD8hWZp7V0BrWnZFayA6W_uZtOLXT9U8

IMPORTANT NOTES:
- The following errors were reported by the server:

  Domain: panel.mydomain.com
  Type:   connection
  Detail: Could not connect to
  http://panel.mydomain.com/.well-known/acme-challenge/R8r4U5m18WFzD8hWZp7V0BrWnZFayA6W_uZtOLXT9U8

  To fix these errors, please make sure that your domain name was
  entered correctly and the DNS A record(s) for that domain
  contain(s) the right IP address. Additionally, please check that
  your computer has a publicly routable IP address and that no
  firewalls are preventing the server from communicating with the
  client. If you're using the webroot plugin, you should also verify
  that you are serving files from the webroot path you provided.

iam sure everything has been set, and i can ping my panel.mydomain.com to the right IP on my VPS

-------------------- UPDATE 2:28 AM GMT+7 --------------------------------------
seems i almost found the right way. but i just reach limit, so i must wait for a week
Reply
Thanks given by:
#19
RE: Secure Sentora Domains with Let's Encrypt
It works fine for me the above code for let's encrypt. I just checked it.

BUT it will always fail if your dns don't resolve or point to local ip's!

Let's encrypt support only local ip's.

Also don't forget to update let's encrypt scripts using:

Code:
git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
In case you installed it in /opt/letsencrypt
M B
No support using PM (Auto adding to IGNORE list!), use the forum. 
How to ask

200$ free to start your VPS 60 days credit
Reply
Thanks given by:
#20
RE: Secure Sentora Domains with Let's Encrypt
(01-26-2016, 07:14 PM)TGates Wrote:
Quote:Let's Encrypt for Domains:
(Also found in our documentation HERE.)

Process done as ROOT user.


NOTICE: For CentOS servers replace apt-get with yum and replace apache2 with httpd

Installing git & Let’s Encrypt
Let’s Encrypt is a new Certificate Authority:
It’s free, automated, and open.

Check to make sure mod_ssl is installed:
On Sentora Panel go to Admin -> PHPinfo -> View Full PHP Configuration -> Search for mod_ssl
If not, install it:
NOTICE: For CentOS replace apt-get with yum
Code:
apt-get install openssl

Next, install git and Let's Encrypt:

NOTICE: For CentOS replace apt-get with yum
Code:
apt-get install git
git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
./letsencrypt-auto --help

Creating a Certificate for your domain
You need to turn off apache before creating a certificate or you will get something like

Quote:The program httpd (process ID XXXX) is already listening on TCP port 80. This will prevent us from binding to that port. Please stop the httpd program temporarily and then try again.

REMINDER: Replace domain.com by your domain URL.
NOTICE: For CentOS replace apache2 with httpd
Code:
service apache2 stop
./letsencrypt-auto certonly --standalone -d domain.com
service apache2 start

Changing Sentora port:
On Sentora Panel go to Admin -> Module Admin -> Apache Config > Override a Virtualhost [Select VHost] ->
Tick Port Override.
Forward Port 80 to Overriden Port: 443
Custom Entry:

(Don't forget to replace domain.com with your domain's URL belowSmile
Code:
SSLEngine on
SSLProtocol ALL -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
SSLCertificateFile /etc/letsencrypt/live/domain.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/domain.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/domain.com/chain.pem
# Keeping bellow for future upgrades.
# Requires Apache >= 2.4
SSLCompression off

Save Vhost.

Wait on daemon update or run it manually and restart apache.
NOTICE: For CentOS replace apache2 with httpd
Code:
php -q /etc/sentora/panel/bin/daemon.php
service apache2 restart

Your domain should now be secured by SSL.
You can test it here: https://www.ssllabs.com/ssltest/

 Just thought to mention that even after installing the openssl


Code:
apt-get install openssl

 some systems require another command to actually enable it:
Code:
a2enmod ssl

 Just throwing that out there. Also to make things easier for people

On Ubuntu (not sure about centos):

 Add letsencrypt-auto to commands so we can issue shorter commands (in my case):
Code:
ln -s /letsencrypt/letsencrypt-auto /usr/bin/local/letsencrypt
 
 then all I have to literally type:
Code:
letsencrypt certonly --standalone -d domain.tld
Reply
Thanks given by: TGates


Possibly Related Threads…
Thread Author Replies Views Last Post
Secure Sentora With SSLForFree Chris L 1 5 ,332 01-22-2020, 09:19 PM
Last Post: ralphharder
Fail2ban for Sentora (Centos 7) bbspike 14 48 ,760 01-14-2020, 07:32 AM
Last Post: Vedran B
Timeout for Sentora Admin Panel minufreelance 12 48 ,904 11-24-2018, 12:33 PM
Last Post: fearworks

Forum Jump:


Users browsing this thread: 1 Guest(s)