In my last post about encryption, I managed to set up SSL using Let’s Encrypt on the control panel subdomain.

I have talked about this twice before, here and here, including converting WordPress to SSL, but this is a new, easy solution that is far, far less hacky!!!! (not that I am not happy to hack).

Things we need to know:

  • Desired domain name – skippy.org.uk
  • Where the webroot is – skippy_org_uk

So, same as in my last post using Let’s Encrypt, we need to log in to the server as root and get a bash prompt:

cd ~/letsencrypt/
./letsencrypt-auto certonly --webroot -w /var/sentora/hostdata/philip/public_html/skippy_org_uk/ -d skippy.org.uk -d www.skippy.org.uk

This is made up by calling the Let’s Encrypt client with:

  • certonly – only obtain the certificate, without letting the client touch the Apache configuration. Because we don’t know how Apache is set up, it is worth taking that precaution, especially since we need to modify the vhost file managed by Sentora ourselves.
  • --webroot – use the webroot method, which proves we control the domain by serving a challenge file out of the site’s webroot.
  • -w – the location of the webroot, “/var/sentora/hostdata/philip/public_html/skippy_org_uk/”
  • -d – the domain that you want the certificate for, in this case both the www. and the non-www. name (while I hate WWW. some people type it).

And that is it, the certificates are generated, and stored in “/etc/letsencrypt/live/skippy.org.uk/”.

To make use of these, you will need to log into sentora as an Admin level user, Sentora -> Admin -> Module Admin -> Apache Config -> Scroll to the bottom to the section named “Override a Virtual Host Setting” -> select the domain from the VHost list.

You will want to insert something like this into the Custom Entry box:

Redirect Permanent / https://skippy.org.uk/
</VirtualHost>

# DOMAIN: skippy.org.uk:443
<VirtualHost *:443>
    ServerName skippy.org.uk
    ServerAlias www.skippy.org.uk
    ServerAdmin [email protected]
    DocumentRoot "/var/sentora/hostdata/philip/public_html/skippy_org_uk"
    php_admin_value open_basedir "/var/sentora/hostdata/philip/public_html/skippy_org_uk:/var/sentora/temp/"
    php_admin_value suhosin.executor.func.blacklist "passthru, show_source, shell_exec, system, pcntl_exec, popen, pclose, proc_open, proc_nice, proc_terminate, proc_get_status, proc_close, leak, apache_child_terminate, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, escapeshellcmd, escapeshellarg, exec"
    ErrorLog "/var/sentora/logs/domains/philip/skippy.org.uk-error.log"
    CustomLog "/var/sentora/logs/domains/philip/skippy.org.uk-access.log" combined
    CustomLog "/var/sentora/logs/domains/philip/skippy.org.uk.log" common
    AddType application/x-httpd-php .php
    <Directory "/var/sentora/hostdata/philip/public_html/skippy_org_uk">
        Options +FollowSymLinks -Indexes
        AllowOverride All
        Require all granted
    </Directory>
    AddType application/x-httpd-php .php3 .php
    ErrorDocument 403 /_errorpages/403.html
    ErrorDocument 500 /_errorpages/500.html
    ErrorDocument 510 /_errorpages/510.html
    ErrorDocument 404 /_errorpages/404.html
    DirectoryIndex index.html index.htm index.php index.asp index.aspx index.jsp index.jspa index.shtml index.shtm

    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLCertificateFile /etc/letsencrypt/live/skippy.org.uk/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/skippy.org.uk/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/skippy.org.uk/fullchain.pem

Custom VHost for Skippy.org.uk

It is made up as follows:

  • The first line tells anyone visiting via http:// to redirect to https://skippy.org.uk.
  • The second line closes the default vhost generated by Sentora.
  • # DOMAIN: skippy.org.uk:443 – a comment telling me what the next bit is about (reading /etc/sentora/configs/apache/httpd-vhosts.conf can get a little hard without additional clues).
  • <VirtualHost *:443> – tells Apache that we are starting a new virtual host section; *:443 tells it to listen on all IP addresses, on port 443 (SSL).
  • The rest of the stuff down to SSLEngine on is copied directly from the section generated by Sentora.
  • SSLEngine on – turn SSL on for this VHost.
  • SSLProtocol all -SSLv2 -SSLv3 – use all protocols except SSLv2 and SSLv3.
    • As set up above, SSL Labs only gives you a B.
    • Adding
      SSLHonorCipherOrder On
      SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
      would get you a better grade.
    • Adding
      SSLHonorCipherOrder On
      SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"
      would get an even better score, as it is more secure (RC4 is excluded), if you don’t mind removing support for Internet Explorer 8.

  • SSLCertificateFile /etc/letsencrypt/live/skippy.org.uk/cert.pem – path to the certificate .pem file
  • SSLCertificateKeyFile /etc/letsencrypt/live/skippy.org.uk/privkey.pem – path to the private key file
  • SSLCertificateChainFile /etc/letsencrypt/live/skippy.org.uk/fullchain.pem – path to the chain file
  • We don’t need to close the section with a </VirtualHost>, as Sentora adds that on save.

Once that is all done, we need to run the Sentora daemon and restart Apache.

php -q /etc/sentora/panel/bin/daemon.php
service apache2 restart
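As an added example (not from the original post, and not Sentora’s own tooling), here is a small shell lint to run over the override text before pasting it into the Custom Entry box, so the :443 vhost does not go live with the B-grade settings discussed above. The sample configs it checks are constructed and trimmed, and their cipher lists are shortened stand-ins for the full ones in the post.

```shell
#!/bin/sh
# Added example, not from the original post: lint the override text before
# pasting it into Sentora, so the :443 vhost does not keep the B-grade defaults.
# Assumes only POSIX sh, grep -E, sed and mktemp.
# vhost_check FILE -> 0 if FILE carries the hardened settings discussed in the
# post, otherwise prints each gap and returns 1.
vhost_check() {
    f=$1; fail=0
    note() { echo "  - $1"; fail=1; }
    echo "Checking $f"
    grep -Eqi '^[[:space:]]*Redirect[[:space:]]+Permanent[[:space:]]+/[[:space:]]+https://' "$f" \
        || note "port 80 vhost does not redirect to https://"
    grep -Eqi '<VirtualHost[[:space:]]+\*:443>' "$f" \
        || note "no <VirtualHost *:443> section"
    grep -Eqi '^[[:space:]]*SSLEngine[[:space:]]+on' "$f" \
        || note "SSLEngine is not on"
    grep -Eqi '^[[:space:]]*SSLProtocol.*-SSLv3' "$f" \
        || note "SSLProtocol does not disable SSLv3"
    grep -Eqi '^[[:space:]]*SSLHonorCipherOrder[[:space:]]+on' "$f" \
        || note "SSLHonorCipherOrder is not on (the client picks the cipher)"
    # Drop the !excluded tokens, then see whether RC4 is still offered.
    suites=$(grep -Ei '^[[:space:]]*SSLCipherSuite' "$f" | sed 's/![^ "]*//g')
    [ -n "$suites" ] || note "no SSLCipherSuite line"
    case $suites in *RC4*) note "cipher list offers RC4 (only !RC4 is safe)";; esac
    for d in SSLCertificateFile SSLCertificateKeyFile SSLCertificateChainFile; do
        grep -Eqi "^[[:space:]]*$d[[:space:]]+/etc/letsencrypt/live/" "$f" \
            || note "$d does not point at /etc/letsencrypt/live/"
    done
    return $fail
}
tmp=$(mktemp -d)   # constructed samples, trimmed to the lines the lint reads
cat >"$tmp/as_posted.conf" <<'EOF'
Redirect Permanent / https://skippy.org.uk/
</VirtualHost>
<VirtualHost *:443>
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLCertificateFile /etc/letsencrypt/live/skippy.org.uk/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/skippy.org.uk/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/skippy.org.uk/fullchain.pem
EOF
order='    SSLHonorCipherOrder On'
{ cat "$tmp/as_posted.conf"; echo "$order"
  echo '    SSLCipherSuite "EECDH+aRSA+AESGCM EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !MD5"'; } >"$tmp/with_rc4.conf"
{ cat "$tmp/as_posted.conf"; echo "$order"
  echo '    SSLCipherSuite "EECDH+aRSA+AESGCM EECDH EDH+aRSA !aNULL !MD5 !RC4"'; } >"$tmp/hardened.conf"
for c in as_posted with_rc4 hardened; do
    vhost_check "$tmp/$c.conf" && echo "  OK"
done
```

Only the hardened sample passes; the as-posted one is flagged for the missing cipher order and cipher list, and the RC4 one for still offering RC4.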