ENCRYPT ALL THE THINGS

With the passing of ZPanel into the dark, and hopefully its rebirth as Sentora, one of the things that would be nice to have built in to Sentora is support for letsencrypt.org:

Let’s Encrypt is a new Certificate Authority:
It’s free, automated, and open.
Arriving Summer 2015

but until then, if you use ZPanel or Sentora, you will sadly have to do things a little differently.

To follow these instructions you will need SSH access to the server and Admin access to the ZPanel / Sentora control panel.

First off you will need a CSR (Certificate Signing Request) for your server; DigiCert have a nice online aid for building the command at digicert.com/easy-csr

SSL Form

This then gives me

openssl req -new -newkey rsa:4096 -nodes -out skippy_org_uk.csr -keyout skippy_org_uk.key -subj "/C=GB/ST=Utah/L=TARDIS/O=Skippy/OU=Dpt of Sexy/CN=skippy.org.uk"

to type into my (SSH) terminal. The CN is the hostname the certificate will be issued for, so it must be exactly the name you serve. -nodes leaves the private key unencrypted on disk (Apache needs that to start unattended), so the .key file has to be protected by file permissions alone. The later steps refer to these two files as skippy.org.uk.csr and skippy.org.uk.key, so rename them (or the names in the command) to match.

Heading over to 123-reg to pick up a cheapish SSL certificate (£11.99 inc VAT), I needed to set up the [email protected] mailbox on skippy.org.uk to keep 123-reg / AlphaSSL happy. Enrolment takes about 12 hours and results in a fair few emails being sent to you (you will need your .csr file to paste in).

One of the emails from 123 Reg will read like this:

Dear Skippy,

Great news! Your SSL certificate has been issued and is now active.

———————————————–

Certificate details

Product type: 123-SSL
Domain: //skippy.org.uk
Valid for: 1 year

———————————————–

What happens now?

You will now need to manually install your SSL certificate by following the instructions below.

Please note: Your SSL and intermediate certificates can be found at the bottom of this email. Both certificates must be installed on your server.
———————————————–
Installation Guide
1) Using a text editor, copy the intermediate certificate text from the bottom of this email (including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines) and Save As gs_intermediate_ca.crt on your server desktop.

2) Using a text editor, copy the SSL certificate text from the bottom of this email (including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines) and Save As yourdomain.crt on your server desktop.

3) For instructions on installing your certificate on your web server (different methods are required, depending on your web server and SSL certificate type) and information on backing up your certificate and private key, please see the following link: http://www.123-reg.co.uk/support/category/SSL-Certificates
———————————————–

MUST BE INSTALLED ON YOUR WEB SERVER:

Your Intermediate Certificate

-----BEGIN CERTIFICATE-----

…lots of text…

-----END CERTIFICATE-----

Your SSL Certificate (Formatted for the majority of web server software including IIS and Apache based servers):

-----BEGIN CERTIFICATE-----

…lots of text…

-----END CERTIFICATE-----
———————————————–

Getting help

If you need any help, please visit our support site. There you will find useful guides and answers to common queries. You can also use the Contact Us option which sends a query email to our expert support staff.

All the best,

The 123-reg team
www.123-reg.co.uk

SSH into your server and make a folder for your certificates. As I am going to enable SSL for skippy.org.uk, I will make my folder at /etc/ssl/certs/skippy.org.uk

In this folder you will need to put the following:

  • gs_intermediate_ca.crt (comes via email from 123-SSL).
  • root.crt (perhaps not needed, but downloaded from AlphaSSL anyway)
  • root.der (perhaps not needed, but downloaded from AlphaSSL anyway)
  • root.pem (perhaps not needed, but downloaded from AlphaSSL anyway)
  • skippy.org.uk.crt (comes via email from 123-SSL).
  • skippy.org.uk.csr (generated by the command at the beginning)
  • skippy.org.uk.key (generated by the command at the beginning)

I needed to copy the files from AlphaSSL and the two I made above into /etc/ssl/certs/skippy.org.uk. The root files really are optional: browsers already trust the AlphaSSL (GlobalSign) root and a server does not send it, whereas the intermediate is required or clients will see an incomplete chain. The .key file is the only secret in the folder; keep it owned by root with mode 0600 (chmod 600 skippy.org.uk.key), since Apache reads it as root at startup and nothing else needs it, and keep a copy of the .csr, the .key and the issued certificate together in your backups.

Log into the ZPanel CP and find Module Admin:

You need to have at least this Icon to play this game

Apache Configuration

And this one

All the way to Force Update and beyond

All the way to the bottom (I also ticked "Force Update - Force vhost.conf to be updated on next daemon run. Any change in settings also triggers vhost.conf to be updated.")

Override a Virtual Host Setting

Select a Virtual Host (in this case //skippy.org.uk).

Clicking on select Vhost brings up this screen

Selected Vhost

Now for the parts that make this SSL enabled:

SSLEngine On
SSLCertificateFile      /etc/ssl/certs/skippy.org.uk/skippy.org.uk.crt
SSLCertificateKeyFile   /etc/ssl/certs/skippy.org.uk/skippy.org.uk.key
# SSLCACertificateFile is only used to verify client certificates; browsers
# never receive the root, so this line can be dropped. If you keep it, the name
# must match the file you actually saved (the list above calls it root.pem).
SSLCACertificateFile    /etc/ssl/certs/skippy.org.uk/gs_root.pem
# The intermediate is what clients need to build the chain; this one is required.
SSLCertificateChainFile /etc/ssl/certs/skippy.org.uk/gs_intermediate_ca.crt

# In Apache, TLSv1 means TLS 1.0 only; TLS 1.1 and 1.2 are TLSv1.1 and TLSv1.2.
SSLProtocol -ALL +TLSv1
SSLHonorCipherOrder on
SSLCipherSuite HIGH:!aNULL:!MD5

ZPanel VHost Override Settings

Once you have saved the above, you will want to SSH back into the server and run

sudo php -q /etc/zpanel/panel/bin/daemon.php

to regenerate vhost.conf, and then

sudo apachectl restart

If there are any configuration errors (or files can't be found) you will need to look into why; running apachectl configtest first reports a bad directive or a missing certificate file before you take the site down with a restart. Any later change to the override needs the same two commands again, otherwise the running Apache is still using the old vhost.conf.

Further to setting the above up, I visited an SSL test website, and it only gave me a C rating, so I changed

SSLProtocol -ALL +TLSv1
SSLHonorCipherOrder on
SSLCipherSuite HIGH:!aNULL:!MD5

to

SSLProtocol ALL -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS

but that doesn't seem to have fixed it yet :S
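Before going back to the grader, it is worth checking what is actually on disk and what the server actually negotiates. The script below is an added example, not part of the original post and not ZPanel/Sentora code. check_cert_bundle confirms that the private key matches the certificate, that the certificate chains through the intermediate to the root, and that it is not about to expire; probe_tls asks a live host which TLS versions it accepts and how many certificates it sends, which is the quickest way to tell whether the revised SSLProtocol line has reached Apache at all (the first setting, -ALL +TLSv1, allows TLS 1.0 only, and an override change only lands in vhost.conf after daemon.php runs and Apache restarts). The root/intermediate/leaf chain it exercises is generated on the fly as constructed test data; every file name and path in it is a placeholder, and the checks are ordinary openssl invocations.

```shell
#!/bin/sh
# Added example: sanity-check a key / CSR / certificate / intermediate / root
# set before pointing Apache at it, and probe what a live server negotiates.
# File names are placeholders, not the ones any particular CA hands out.

# Print the public key (PEM) held in a private key, CSR or certificate so the
# three can be compared with a plain string match.
pubkey_of() {
    case "$1" in
        *.key)       openssl pkey -in "$1" -pubout 2>/dev/null ;;
        *.csr)       openssl req -in "$1" -noout -pubkey 2>/dev/null ;;
        *.crt|*.pem) openssl x509 -in "$1" -noout -pubkey 2>/dev/null ;;
        *)           return 1 ;;
    esac
}

# check_cert_bundle KEY CERT INTERMEDIATE ROOT
# Returns 0 only if KEY matches CERT, CERT chains to ROOT via INTERMEDIATE,
# and CERT is not within 7 days of expiry. The reason for a failure goes to stderr.
check_cert_bundle() {
    key=$1; crt=$2; inter=$3; root=$4
    if [ -z "$(pubkey_of "$key")" ] || [ "$(pubkey_of "$key")" != "$(pubkey_of "$crt")" ]; then
        echo "FAIL: $key does not match $crt" >&2
        return 1
    fi
    out=$(openssl verify -CAfile "$root" -untrusted "$inter" "$crt" 2>&1) || true
    case "$out" in
        *": OK"*) ;;
        *) echo "FAIL: chain does not verify: $out" >&2; return 1 ;;
    esac
    if ! openssl x509 -in "$crt" -noout -checkend 604800 >/dev/null 2>&1; then
        echo "FAIL: $crt expires within 7 days" >&2
        return 1
    fi
    echo "OK: $crt matches $key and chains via $inter to $root" >&2
}

# probe_tls HOST: which protocol versions a live server accepts, and how many
# certificates it sends (1 means the intermediate is not being served). Needs network.
probe_tls() {
    for v in -tls1 -tls1_1 -tls1_2; do
        if openssl s_client -connect "$1:443" -servername "$1" "$v" </dev/null >/dev/null 2>&1; then
            echo "$1 accepts $v"
        else
            echo "$1 rejects $v (or this openssl build cannot offer it)"
        fi
    done
    n=$(openssl s_client -connect "$1:443" -servername "$1" -showcerts </dev/null 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE') || true
    echo "$1 sent $n certificate(s) in the handshake"
}

# Constructed test data: a throwaway root -> intermediate -> leaf chain built in
# a temp dir so the checks can be exercised without touching real keys.
make_demo_pki() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo Root" \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate" \
        -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' >"$d/ca.ext"
    openssl x509 -req -days 30 -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -extfile "$d/ca.ext" -out "$d/gs_intermediate_ca.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=skippy.org.uk" \
        -keyout "$d/skippy.org.uk.key" -out "$d/skippy.org.uk.csr" 2>/dev/null
    openssl x509 -req -days 30 -in "$d/skippy.org.uk.csr" -CA "$d/gs_intermediate_ca.crt" \
        -CAkey "$d/int.key" -CAcreateserial -out "$d/skippy.org.uk.crt" 2>/dev/null
    openssl genrsa -out "$d/wrong.key" 2048 2>/dev/null   # a key that matches nothing
}

DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
make_demo_pki "$DEMO"
check_cert_bundle "$DEMO/skippy.org.uk.key" "$DEMO/skippy.org.uk.crt" \
    "$DEMO/gs_intermediate_ca.crt" "$DEMO/root.pem"
# The same certificate with the wrong key, and without the intermediate, must fail.
check_cert_bundle "$DEMO/wrong.key" "$DEMO/skippy.org.uk.crt" \
    "$DEMO/gs_intermediate_ca.crt" "$DEMO/root.pem" || echo "(mismatch detected as expected)" >&2
check_cert_bundle "$DEMO/skippy.org.uk.key" "$DEMO/skippy.org.uk.crt" \
    "$DEMO/root.pem" "$DEMO/root.pem" || echo "(missing intermediate detected as expected)" >&2
# Pass a hostname to probe a live server, e.g.  sh check_tls.sh skippy.org.uk
if [ -n "${1:-}" ]; then probe_tls "$1"; fi
```

Against the real folder the call is check_cert_bundle with the .key, the .crt, gs_intermediate_ca.crt and root.pem from /etc/ssl/certs/skippy.org.uk, and probe_tls skippy.org.uk for the live site. A bundle that passes locally while the probe shows only one certificate means SSLCertificateChainFile is not in the running config; a probe that still accepts only -tls1 after the SSLProtocol change means the override has not been regenerated and Apache has not been restarted.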