Let's Encrypt all the things!

In my last post about encryption, I managed to set up SSL using Let’s Encrypt on the control panel subdomain.

Now while I have talked about this twice before, here and here, and converting WordPress to SSL. This is a new easy solution, that is far far less hacky!!!! (not that I am not happy to hack).

Things we need to know:

Desired domain name – skippy.org.uk
Where the webroot is – skippy_org_uk

So same as my last post using Let’s Encrypt, we need to log in to the server as Root and get a bash prompt:

cd ~/letsencrypt/
./letsencrypt-auto certonly --webroot -w /var/sentora/hostdata/philip/public_html/skippy_org_uk/ -d skippy.org.uk -d www.skippy.org.uk

This is made up by calling the let’s encrypt application:

certonly – Because we don’t know how apache is setup, it is worth taking some precautions, especially since we need to modify the vhost file managed by sentora.
–webroot – this allows the use of the webroot to certify that the server we are working with.
-w – the location of the webroot “/var/sentora/hostdata/philip/public_html/skippy_org_uk/”
-d – the domain that you want the certificate for, in this case both the www. and the non www. (While I hate WWW. some people type it).

And that is it, the certificates are generated, and stored in “/etc/letsencrypt/live/skippy.org.uk/”.

To make use of these, you will need to log into sentora as an Admin level user, Sentora -> Admin -> Module Admin -> Apache Config -> Scroll to the bottom to the section named “Override a Virtual Host Setting” -> select the domain from the VHost list.

You will want to insert something like this into the Custom Entry box:

Redirect Permanent / https://skippy.org.uk/
</VirtualHost>

# DOMAIN: skippy.org.uk:443
<VirtualHost *:443>
    ServerName skippy.org.uk
    ServerAlias www.skippy.org.uk
    ServerAdmin [email protected]
    DocumentRoot "/var/sentora/hostdata/philip/public_html/skippy_org_uk"
    php_admin_value open_basedir "/var/sentora/hostdata/philip/public_html/skippy_org_uk:/var/sentora/temp/"
    php_admin_value suhosin.executor.func.blacklist "passthru, show_source, shell_exec, system, pcntl_exec, popen, pclose, proc_open, proc_nice, proc_terminate, proc_get_status, proc_close, leak, apache_child_terminate, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, escapeshellcmd, escapeshellarg, exec"
    ErrorLog "/var/sentora/logs/domains/philip/skippy.org.uk-error.log"
    CustomLog "/var/sentora/logs/domains/philip/skippy.org.uk-access.log" combined
    CustomLog "/var/sentora/logs/domains/philip/skippy.org.uk.log" common
    AddType application/x-httpd-php .php
    <Directory "/var/sentora/hostdata/philip/public_html/skippy_org_uk">
        Options +FollowSymLinks -Indexes
        AllowOverride All
        Require all granted
    </Directory>
    AddType application/x-httpd-php .php3 .php
    ErrorDocument 403 /_errorpages/403.html
    ErrorDocument 500 /_errorpages/500.html
    ErrorDocument 510 /_errorpages/510.html
    ErrorDocument 404 /_errorpages/404.html
    DirectoryIndex index.html index.htm index.php index.asp index.aspx index.jsp index.jspa index.shtml index.shtm

    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLCertificateFile /etc/letsencrypt/live/skippy.org.uk/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/skippy.org.uk/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/skippy.org.uk/fullchain.pem

It is made up as follows:

The first line tells anyone visiting via http:// to redirect to https://skippy.org.uk connection,
The second line closes the default vhost generated by sentora.
# DOMAIN: skippy.org.uk:443 – a comment telling me what the next bit is about (reading /etc/sentora/configs/apache/httpd-vhosts.conf can get a little hard without additional clues).
<VirtualHost *:443> – Tells Apache that we are in a New Virtual host section *:443 tells it to listen on all ip addresses, on port 433 (SSL)
The rest of the stuff down till SSLEngine On is copied directly from the section generated by Sentora,
SSLEngine On – Turn SSL on for this VHost

SSLProtocol all -SSLv2 -SSLv3 – Use all protocols but not SSLv2 or SSLv3

As this is set up according to SSL Labs you only get a B

SSLHonorCipherOrder On
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"

– Would get you a better grade.

SSLHonorCipherOrder On
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"

– This would get an even better score, due to being more secure, if you don’t mind removing support for Internet Explorer 8

SSLCertificateFile /etc/letsencrypt/live/skippy.org.uk/cert.pem – path to the certificate .pem file
SSLCertificateKeyFile /etc/letsencrypt/live/skippy.org.uk/privkey.pem – path to the private key file
SSLCertificateChainFile /etc/letsencrypt/live/skippy.org.uk/fullchain.pem – path to the chain file
We don’t need to close the file with a </VirtualHost> as this is being set by sentora on save.

Once that is all done, we need to run the Sentora demon, and restart apache.

php -q /etc/sentora/panel/bin/daemon.php
service apache2 restart

Skippy's Random Ramblings

Skippy's Random Ramblings

Let’s Encrypt all the things!

Like this:

Related

Like this:

Like this:

Like this:

Like this:

Leave a Reply Cancel reply

Share this:

Like this:

Related

Share this:

Like this:

Share this:

Like this:

Share this:

Like this:

Share this:

Like this:

Leave a Reply Cancel reply