In my last post about encryption, I managed to set up SSL using Let’s Encrypt on the control panel subdomain.
I have covered this twice before (here and here, including converting WordPress to SSL), but this is a new and much easier solution that is far less hacky (not that I mind hacking).
Things we need to know:
- Desired domain name – skippy.org.uk
- Where the webroot is – skippy_org_uk
So, as in my last post using Let’s Encrypt, log in to the server as root, get a bash prompt, and run:

```
cd ~/letsencrypt/
./letsencrypt-auto certonly --webroot -w /var/sentora/hostdata/philip/public_html/skippy_org_uk/ -d skippy.org.uk -d www.skippy.org.uk
```
The command breaks down as follows:
- certonly – only obtain the certificate, do not install it. The client’s Apache installer would try to edit the vhost file, but that file is generated and overwritten by Sentora, so we configure Apache ourselves through the panel instead.
- --webroot – use the webroot authenticator: the client writes a challenge file under the webroot (in /.well-known/acme-challenge/) and Let’s Encrypt fetches it over plain HTTP to prove we control the domain.
- -w – the location of the webroot, “/var/sentora/hostdata/philip/public_html/skippy_org_uk/”. This must be the directory Apache already serves for the domain on port 80, or the challenge file will not be reachable.
- -d – the domain(s) you want on the certificate, in this case both the www. and the non-www. name (I hate www., but some people type it). Each -d name goes on the same certificate as a Subject Alternative Name, and each must resolve to this server, because the challenge is fetched from every one of them.
And that is it: the certificates are generated and stored in “/etc/letsencrypt/live/skippy.org.uk/”. The files under live/ are symlinks to the current versions in /etc/letsencrypt/archive/, so point Apache at the live/ paths and they stay correct after a renewal.
To make use of these, you will need to log into sentora as an Admin level user, Sentora -> Admin -> Module Admin -> Apache Config -> Scroll to the bottom to the section named “Override a Virtual Host Setting” -> select the domain from the VHost list.
You will want to insert something like this into the Custom Entry box:
```
Redirect Permanent / https://skippy.org.uk/
</VirtualHost>
# DOMAIN: skippy.org.uk:443
<VirtualHost *:443>
ServerName skippy.org.uk
ServerAlias www.skippy.org.uk
ServerAdmin [email protected]
DocumentRoot "/var/sentora/hostdata/philip/public_html/skippy_org_uk"
php_admin_value open_basedir "/var/sentora/hostdata/philip/public_html/skippy_org_uk:/var/sentora/temp/"
php_admin_value suhosin.executor.func.blacklist "passthru, show_source, shell_exec, system, pcntl_exec, popen, pclose, proc_open, proc_nice, proc_terminate, proc_get_status, proc_close, leak, apache_child_terminate, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, escapeshellcmd, escapeshellarg, exec"
ErrorLog "/var/sentora/logs/domains/philip/skippy.org.uk-error.log"
CustomLog "/var/sentora/logs/domains/philip/skippy.org.uk-access.log" combined
CustomLog "/var/sentora/logs/domains/philip/skippy.org.uk.log" common
AddType application/x-httpd-php .php
<Directory "/var/sentora/hostdata/philip/public_html/skippy_org_uk">
Options +FollowSymLinks -Indexes
AllowOverride All
Require all granted
</Directory>
AddType application/x-httpd-php .php3 .php
ErrorDocument 403 /_errorpages/403.html
ErrorDocument 500 /_errorpages/500.html
ErrorDocument 510 /_errorpages/510.html
ErrorDocument 404 /_errorpages/404.html
DirectoryIndex index.html index.htm index.php index.asp index.aspx index.jsp index.jspa index.shtml index.shtm
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCertificateFile /etc/letsencrypt/live/skippy.org.uk/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/skippy.org.uk/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/skippy.org.uk/fullchain.pem
```
Custom VHost for skippy.org.uk
It is made up as follows:
- The first line sends anyone arriving over http:// to https://skippy.org.uk/ with a permanent (301) redirect. Sentora inserts the Custom Entry inside its own generated port-80 vhost, so the redirect lands there. It also catches /.well-known/acme-challenge/, but Let’s Encrypt follows redirects when it validates, so renewals through the webroot keep working.
- The second line closes the default port-80 vhost generated by Sentora, so that what follows is a new vhost of our own.
- # DOMAIN: skippy.org.uk:443 – a comment telling me what the next bit is about (reading /etc/sentora/configs/apache/httpd-vhosts.conf can get a little hard without additional clues).
- <VirtualHost *:443> – tells Apache that a new virtual host section starts here; *:443 means listen on all IP addresses on port 443 (HTTPS).
- Everything from there down to SSLEngine on is copied directly from the section generated by Sentora, so the HTTPS vhost serves the same document root with the same PHP restrictions and logs as the HTTP one.
- SSLEngine on – turn SSL on for this vhost.
- SSLProtocol all -SSLv2 -SSLv3 – accept every protocol version except SSLv2 and SSLv3, both of which are broken.
- As the vhost stands (no SSLCipherSuite set, so Apache uses its default list), SSL Labs only gives it a B.
- Adding the following would get you a better grade:

```
SSLHonorCipherOrder On
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
```

- This variant gets an even better score, because it removes RC4 entirely instead of keeping it as a fallback; the cost is dropping Internet Explorer 8 on Windows XP, which has no cipher in common with this list:

```
SSLHonorCipherOrder On
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"
```
- SSLCertificateFile /etc/letsencrypt/live/skippy.org.uk/cert.pem – path to the server certificate (the leaf only).
- SSLCertificateKeyFile /etc/letsencrypt/live/skippy.org.uk/privkey.pem – path to the private key. Keep this file root-only readable; Apache reads it as root at startup.
- SSLCertificateChainFile /etc/letsencrypt/live/skippy.org.uk/fullchain.pem – path to the chain file. Strictly, chain.pem (the intermediate only) is the file meant for this directive, and fullchain.pem (leaf plus intermediate) is meant to be given as SSLCertificateFile on Apache 2.4.8 or later; using fullchain.pem here works, Apache just sees the leaf twice.
- We don’t need to close the file with a </VirtualHost>, as Sentora appends that on save.
Once that is all done, we need to run the Sentora daemon, which rewrites httpd-vhosts.conf from the panel settings, and then restart Apache:

```
php -q /etc/sentora/panel/bin/daemon.php
service apache2 restart
```

It is worth running an Apache config test (apachectl configtest) between the two, because a typo in the Custom Entry takes down every site on the server, not just this one.
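As an added example (not from the original post, and not Sentora’s or Let’s Encrypt’s own code), here is a small POSIX shell script that checks the live/ directory before the Apache restart: that all four files are present, that privkey.pem really belongs to cert.pem (a mismatch stops Apache from starting), that cert.pem was issued by the intermediate in chain.pem, and how many days of validity are left. It assumes the openssl command-line tool is installed; the function names and the 14-day threshold are my own choices.

```shell
#!/bin/sh
# Added example: sanity-check a Let's Encrypt "live" directory before
# restarting Apache. Assumes the openssl CLI is installed. The directory is
# an argument so it can be pointed at /etc/letsencrypt/live/<domain>.

# check_live_dir DIR
# Returns 0 when cert.pem, privkey.pem, chain.pem and fullchain.pem are
# readable, the private key matches the certificate, and the leaf was issued
# by the first certificate in chain.pem. Prints the reason on failure.
check_live_dir() {
    dir=$1
    for f in cert.pem privkey.pem chain.pem fullchain.pem; do
        if [ ! -r "$dir/$f" ]; then
            echo "missing or unreadable: $dir/$f" >&2
            return 1
        fi
    done

    # Public key inside the certificate vs. the public key derived from the
    # private key: both are printed as PEM SubjectPublicKeyInfo, so a plain
    # string comparison is enough.
    cert_pub=$(openssl x509 -in "$dir/cert.pem" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$dir/privkey.pem" -pubout 2>/dev/null)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "privkey.pem does not match cert.pem" >&2
        return 1
    fi

    # The leaf's issuer must equal the subject of the intermediate
    # (openssl x509 reads only the first certificate of a PEM bundle).
    issuer=$(openssl x509 -in "$dir/cert.pem" -noout -issuer 2>/dev/null | sed 's/^issuer=//')
    ca_subject=$(openssl x509 -in "$dir/chain.pem" -noout -subject 2>/dev/null | sed 's/^subject=//')
    if [ -z "$issuer" ] || [ "$issuer" != "$ca_subject" ]; then
        echo "cert.pem was not issued by the first certificate in chain.pem" >&2
        return 1
    fi
    return 0
}

# check_expiry DIR DAYS
# Returns 0 when cert.pem is still valid DAYS days from now, 1 when it
# expires sooner. Let's Encrypt certificates are only valid for 90 days,
# so this belongs in a cron job next to the renewal.
check_expiry() {
    dir=$1
    days=$2
    openssl x509 -in "$dir/cert.pem" -noout -checkend $((days * 86400)) >/dev/null 2>&1
}

# Usage: ./check_le.sh /etc/letsencrypt/live/skippy.org.uk
if [ -n "$1" ]; then
    check_live_dir "$1" && check_expiry "$1" 14 && echo "ok: $1"
fi
```

Run it against /etc/letsencrypt/live/skippy.org.uk after certonly and before the Apache restart; a non-zero exit means stop and read the message rather than reloading a vhost that Apache will refuse. The issuer check compares only the first certificate in chain.pem, which is the intermediate that signed the leaf; a cross-signed chain with more certificates still passes.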