This forum uses cookies
This forum makes use of cookies to store your login information if you are registered, and your last visit if you are not. Cookies are small text documents stored on your computer; the cookies set by this forum can only be used on this website and pose no security risk. Cookies on this forum also track the specific topics you have read and when you last read them. Please confirm whether you accept or reject these cookies being set.

A cookie will be stored in your browser regardless of choice to prevent you being asked this question again. You will be able to change your cookie settings at any time using the link in the footer.

[SPLIT] Secure Sentora Login with Let's Encrypt
#31
RE: Secure Sentora Login with Let's Encrypt
Meaning, you can't log into your panel to remove the SSL edits?

You can log in through SSH and edit the /etc/sentora/configs/apache/httpd-vhosts.conf file manually and change the panel's vhost entry to:
Code:
Listen 443
Listen 80

# Configuration for Sentora control panel.
<VirtualHost *:80>
ServerAdmin postmaster@yourdomain.com
DocumentRoot "/etc/sentora/panel/"
ServerName panel.yourdomain.com
ErrorLog "/var/sentora/logs/sentora-error.log"
CustomLog "/var/sentora/logs/sentora-access.log" combined
CustomLog "/var/sentora/logs/sentora-bandwidth.log" common
AddType application/x-httpd-php .php
<Directory "/etc/sentora/panel/">
Options +FollowSymLinks -Indexes
   AllowOverride All
   Require all granted
</Directory>

# Custom settings are loaded below this line (if any exist)

</VirtualHost>
Remember to change panel.yourdomain.com to your panel's proper login domain.
Restart apache.
Log into your panel and go to Module Admin > Apache Config and remove any custom entries you added for SSL and save. Wait for the daemon to run and test again.
-TGates - Project Council

SEARCH the Forums or read the DOCUMENTATION before posting!
Support Sentora and Donate: HERE

Find my support or modules useful? Donate to TGates HERE
Developers and code testers needed!
Contact TGates for more information
Reply
Thanks given by:
#32
RE: Secure Sentora Login with Let's Encrypt
This procedure breaks Apache 2.2 on Centos 6.8.

After I enter this:

Code:
SSLEngine on
SSLProtocol ALL -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
SSLCertificateFile /etc/letsencrypt/live/helium12.domain.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/helium12.domain.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/helium12.domain.com/chain.pem
# Keeping bellow for future upgrades.
# Requires Apache >= 2.4
#SSLCompression
off

As soon as I click on "Save" in Sentora Apache breaks with a reply to my submission of "REFUSED TO CONNECT"

Here is what Apache says when issuing a restart:

Code:
[root@helium12 letsencrypt]# service httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd: (98)Address already in use: make_sock: could not bind to address [::]:443
                                                          [FAILED]

Can anyone give me a hand with this? I have hours in this and cannot come to a stable fix (one that the daemon does not simply revert...)

BTW, I used the --debug flag also this time when creating the certificates.

Here is my output of "grep -ir "^listen" /etc/httpd/*" even with Apache not running.

Code:
/etc/httpd/conf.d/ssl.conf:Listen 443

Commenting out "Listen 443" in ssl.config just changes Apache's restart failure to "Failed" with no error dialogue. And renaming the file so it will not load at all does allow Apache to run, but I cannot reach the Sentora panel at all still.
Everyone makes mistakes, but to truly screw up it takes the root password!
Reply
Thanks given by:
#33
RE: Secure Sentora Login with Let's Encrypt
Would posting my steps executed on this CentOS 6.8 box be helpful? Here goes...
These don't work BTW, see previous post above.

Code:
yum install -y mod_ssl openssl

yum install -y git

git clone https://github.com/letsencrypt/letsencrypt

cd letsencrypt

./letsencrypt-auto --help

service httpd stop

./letsencrypt-auto certonly --standalone -d helium12.domain.com --debug

service httpd start

Changing Sentora port:
On Sentora Panel go to Admin -> Sentora Config -> Sentora Apache Port change to 443 and Save.

Adding a Custom Entry to the Sentora Virtual Host
On Sentora Panel go to Admin -> Module Admin -> Apache Config > Global Sentora Entry

SSLEngine on
SSLProtocol ALL -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
SSLCertificateFile /etc/letsencrypt/live/helium12.domain.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/helium12.domain.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/helium12.domain.com/chain.pem
# Keeping bellow for future upgrades.
# Requires Apache >= 2.4
#SSLCompression
off

It is this last step in the Sentora Global Entry when everything goes south.
Everyone makes mistakes, but to truly screw up it takes the root password!
Reply
Thanks given by:
#34
RE: Secure Sentora Login with Let's Encrypt
Ok, check your httpd-vhosts.conf for Listen 443 and also check httpd.conf for Listen 443

If it is in your httpd-vhosts.conf, comment it out in the httpd.conf Wink


ssl.conf should be disabled by default after a fresh install. It is not used in any of the tutorials either since we use custom vhost entries or custom files in the tutorials.
-TGates - Project Council

SEARCH the Forums or read the DOCUMENTATION before posting!
Support Sentora and Donate: HERE

Find my support or modules useful? Donate to TGates HERE
Developers and code testers needed!
Contact TGates for more information
Reply
Thanks given by:
#35
RE: Secure Sentora Login with Let's Encrypt
(11-20-2016, 06:26 AM)TGates Wrote: Ok, check your httpd-vhosts.conf for Listen 443 and also check httpd.conf for Listen 443

If it is in your httpd-vhosts.conf, comment it out in the httpd.conf Wink


ssl.conf should be disabled by default after a fresh install. It is not used in any of the tutorials either since we use custom vhost entries or custom files in the tutorials.

OK... I restored to a pre-failure backup. What follows is likely the cause of all the problems. You unkowingly are telling CentOS 6.x users to install the ssl.conf file.

Code:
Ok, check your httpd-vhosts.conf for Listen 443 and also check httpd.conf for Listen 443

Nope not contained in either of those files...

Code:
If it is in your httpd-vhosts.conf, comment it out in the httpd.conf

Nope not there either...

You should change your tutorial either with the proper instructions for CentOS, or simply don't say it is compatible only with switching apt-get's for yum and apache2's for httpd - this is not the case.

Installing mod_ssl on CentOS 6.x creates the file ssl.conf in this address. --->

Code:
/etc/httpd/conf.d/ssl.conf

Now I am screwed as I used up all of my privileges at Let'sEncrypt. FYI to others, while I can and will write a working procedure for CentOS 6.x, I cannot even attempt it for I believe ten days of waiting??? Hopefully fellow CentOS users read this after the tutorial and don't end up loosing the services of Let'sEncrypt as I did.

Until I am able to address and correct this problem when Let'sEncrypt will allow me to register the panel/domain again, I would highly recommend no one using CentOS 6.x follow the outlined procedure in post Forum Add-ons and Usage until I or someone else can address this and get a proper procedure.

Thank you for trying to assist TGates.
Everyone makes mistakes, but to truly screw up it takes the root password!
Reply
Thanks given by:
#36
RE: Secure Sentora Login with Let's Encrypt
Just installed it on CentOS. The only addition I need to make to the tutorial is to edit /etc/httpd/conf.d/ssl.conf and comment out the line: Listen 443 and save. Restart apache.
Simple fix based off my explaining to find Listen 443 and comment it out (Since it should be in your httpd-vhosts.conf from doing the Sentora apache port change).

Tutorial updated.
-TGates - Project Council

SEARCH the Forums or read the DOCUMENTATION before posting!
Support Sentora and Donate: HERE

Find my support or modules useful? Donate to TGates HERE
Developers and code testers needed!
Contact TGates for more information
Reply
Thanks given by:
#37
RE: Secure Sentora Login with Let's Encrypt
(11-22-2016, 06:15 AM)TGates Wrote: Just installed it on CentOS. The only addition I need to make to the tutorial is to edit /etc/httpd/conf.d/ssl.conf and comment out the line: Listen 443 and save. Restart apache.
Simple fix based off my explaining to find Listen 443 and comment it out (Since it should be in your httpd-vhosts.conf from doing the Sentora apache port change).

Tutorial updated.

OK, whatever. Very unprofessional to edit your prior posts to me as you did to align with your response/findings. - (Like your response that there should be no ssl.conf on my machine at all.)
Everyone makes mistakes, but to truly screw up it takes the root password!
Reply
Thanks given by:
#38
RE: Secure Sentora Login with Let's Encrypt
(11-22-2016, 06:15 AM)TGates Wrote: Just installed it on CentOS. The only addition I need to make to the tutorial is to edit /etc/httpd/conf.d/ssl.conf and comment out the line: Listen 443 and save. Restart apache.
Simple fix based off my explaining to find Listen 443 and comment it out (Since it should be in your httpd-vhosts.conf from doing the Sentora apache port change).

Tutorial updated.

Also do keep in mind on my first post I indicated I tried commenting out the Listen:443 inside of ssl.conf

The result? Apache failed to start, but no longer had a verbose error response - merely "failed" (to start). That behavior must have been unique to just one of my CentOS 6.8 servers?
Everyone makes mistakes, but to truly screw up it takes the root password!
Reply
Thanks given by:
#39
RE: Secure Sentora Login with Let's Encrypt
Hey TGates, nice job on the tutorial fix. Things still work differently than expected, but I am having to go through all of this again, so I will leave you with the modifications I needed to make to get Sentora to work right with Let'sEncrypt.
Everyone makes mistakes, but to truly screw up it takes the root password!
Reply
Thanks given by:
#40
RE: Secure Sentora Login with Let's Encrypt
Right on, I will add your findings to the tutorial to help complete the CentOS instructions. I may also set up a CentOS VM and see how that goes, if I can make the time.
-TGates - Project Council

SEARCH the Forums or read the DOCUMENTATION before posting!
Support Sentora and Donate: HERE

Find my support or modules useful? Donate to TGates HERE
Developers and code testers needed!
Contact TGates for more information
Reply
Thanks given by:


Possibly Related Threads…
Thread Author Replies Views Last Post
Secure Sentora Domains with Let's Encrypt TGates 27 97 ,304 06-08-2024, 05:06 PM
Last Post: andykimpe
Secure Sentora With SSLForFree Chris L 1 5 ,332 01-22-2020, 09:19 PM
Last Post: ralphharder
Fail2ban for Sentora (Centos 7) bbspike 14 48 ,758 01-14-2020, 07:32 AM
Last Post: Vedran B

Forum Jump:


Users browsing this thread: 1 Guest(s)