Show Posts
This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.
Pages: [1]
1
SSL / Re: Unable to restart http service after SSL installation
« on: January 02, 2016, 02:31:24 PM »Hi,
thanks a lot for your answer.
indeed, i see several error on error_log :
RSA server certificate CommonName (CN) 'www.mydomain.net' does not match server name !?
But when i use the command "hostname" i get the right servername : www.mydomain.net
so, I need to recreate a private key and a CSR to reedit the certificate ?
best regards,
N.B
Hi NB,
I apologize for the late response but in your vhosts-ssl.conf where it says
Code: [Select]
<VirtualHost 192.168.23.100:443>
ServerName reports.website.com
Could you ensure that ServerName doesn't have :443 after it for the domain in question?
2
SSL / Short Let's Encrypt guide on CentOS 6.x
« on: January 02, 2016, 12:38:29 PM »
This is a short guide to get Let's Encrypt setup and issue a certificate. This assumes you've used CWP to assign a self generated certificate to the domain(s) in question so that Apache is already setup to serve it via SSL. After the certificate is issued, you'll create a crontab to run every 30 days as the root user to renew the certificate(s) and copy the files to keep everything up-to-date.
!!! NOTE : IF YOU WANT TO INSTALL PYTHON 2.7 ALONGSIDE PYTHON 2.6 AND NOT HAVE TO WORRY ABOUT THE EPEL REPO THEN FOLLOW THE INSTRUCTIONS HERE : https://community.letsencrypt.org/t/redhat-centos-6-x-users-need-python-2-7/2190 : ETON !!!
To get everything setup for Let's Encrypt you'll need to install a few things since CentOS 6 is using an old version of Python and we're missing some modules. Let's Encrypt does not like the Python 2.6 version included with this version of CentOS but it will still run.
!!! NOTE : IF YOU WANT TO INSTALL PYTHON 2.7 ALONGSIDE PYTHON 2.6 AND NOT HAVE TO WORRY ABOUT THE EPEL REPO THEN FOLLOW THE INSTRUCTIONS HERE : https://community.letsencrypt.org/t/redhat-centos-6-x-users-need-python-2-7/2190 : ETON !!!
After the EPEL repo is installed you'll need to checkout the Let's Encrypt client.
Now let's get the certificate(s) we need and copy all the files over to their respective directories. This command will use the public_html folder of the domain in question to verify everything is legitimate, so change the info as required so it can check in with your domain and verify it before providing the certificate. You also need to provide a valid email address for recovery purposes later on if it's ever required.
After that has run successfully you can verify now that the certificate on your server has changed from unsigned to signed and it won't prompt you to bypass the security risk.
For automatic updates of the certificate from Let's Encrypt you'll need to do the following (as the root account still) and change everything to match your domain. The command itself is the same as the one used to retrieve the cert above so you can paste it after the "01 3 1 * *" part to save time :
Please let me know if you run in to any issues or any of the above commands are mis-typed or incorrect for whatever reason. They worked successfully on my CentOS 6.7 VPS just a few hours ago.
!!! NOTE : IF YOU WANT TO INSTALL PYTHON 2.7 ALONGSIDE PYTHON 2.6 AND NOT HAVE TO WORRY ABOUT THE EPEL REPO THEN FOLLOW THE INSTRUCTIONS HERE : https://community.letsencrypt.org/t/redhat-centos-6-x-users-need-python-2-7/2190 : ETON !!!
To get everything setup for Let's Encrypt you'll need to install a few things since CentOS 6 is using an old version of Python and we're missing some modules. Let's Encrypt does not like the Python 2.6 version included with this version of CentOS but it will still run.
Code: [Select]
yum install epel-release -y!!! NOTE : IF YOU WANT TO INSTALL PYTHON 2.7 ALONGSIDE PYTHON 2.6 AND NOT HAVE TO WORRY ABOUT THE EPEL REPO THEN FOLLOW THE INSTRUCTIONS HERE : https://community.letsencrypt.org/t/redhat-centos-6-x-users-need-python-2-7/2190 : ETON !!!
After the EPEL repo is installed you'll need to checkout the Let's Encrypt client.
Code: [Select]
cd /root && git clone https://github.com/letsencrypt/letsencryptNow let's get the certificate(s) we need and copy all the files over to their respective directories. This command will use the public_html folder of the domain in question to verify everything is legitimate, so change the info as required so it can check in with your domain and verify it before providing the certificate. You also need to provide a valid email address for recovery purposes later on if it's ever required.
Code: [Select]
cd /root/letsencrypt/ && ./letsencrypt-auto certonly --email your@email.com --agree-tos --renew-by-default --webroot -w /home/www.domain.com/public_html/ -d www.domain.com && cp -f /etc/letsencrypt/live/www.domain.com/fullchain.pem /etc/pki/tls/certs/www.domain.com.crt && cp -f /etc/letsencrypt/live/www.domain.com/privkey.pem /etc/pki/tls/private/www.domain.com.key && cp -f /etc/letsencrypt/live/www.domain.com/chain.pem /etc/pki/tls/certs/www.domain.com.bundleAfter that has run successfully you can verify now that the certificate on your server has changed from unsigned to signed and it won't prompt you to bypass the security risk.
For automatic updates of the certificate from Let's Encrypt you'll need to do the following (as the root account still) and change everything to match your domain. The command itself is the same as the one used to retrieve the cert above so you can paste it after the "01 3 1 * *" part to save time :
Code: [Select]
Edit the crontab with "crontab -e", press "i" to enter "Insert Mode" and then paste this :
01 3 1 * * cd /root/letsencrypt/ && ./letsencrypt-auto certonly --email your@email.com --agree-tos --renew-by-default --webroot -w /home/www.domain.com/public_html/ -d www.domain.com && cp -f /etc/letsencrypt/live/www.domain.com/fullchain.pem /etc/pki/tls/certs/www.domain.com.crt && cp -f /etc/letsencrypt/live/www.domain.com/privkey.pem /etc/pki/tls/private/www.domain.com.key && cp -f /etc/letsencrypt/live/www.domain.com/chain.pem /etc/pki/tls/certs/www.domain.com.bundle
Press Ctrl+C and then :wq! followed by enter.
Please let me know if you run in to any issues or any of the above commands are mis-typed or incorrect for whatever reason. They worked successfully on my CentOS 6.7 VPS just a few hours ago.
3
Mod_Security / phpMyAdmin 403 resolution
« on: January 02, 2016, 11:04:02 AM »
I see some people had 403 errors with phpMyAdmin after enabling mod_security. Thankfully you can disable it per URL with a simple config file. You'll need to create the file and restart httpd after you've created it.
Create file '/usr/local/apache/modsecurity-crs/base_rules/00_custom_exclude.conf' and put the following code in it :
then do "service httpd restart" and you'll be able to use phpMyAdmin with no issues. You can add more rules here on a per folder/file, IP or domain basis by following the guide at the Atomic Secured Linux website : http://www.atomicorp.com/wiki/index.php/Mod_security
Create file '/usr/local/apache/modsecurity-crs/base_rules/00_custom_exclude.conf' and put the following code in it :
Code: [Select]
<LocationMatch /phpMyAdmin/>
<IfModule mod_security2.c>
SecRuleEngine Off
</IfModule>
</LocationMatch>
then do "service httpd restart" and you'll be able to use phpMyAdmin with no issues. You can add more rules here on a per folder/file, IP or domain basis by following the guide at the Atomic Secured Linux website : http://www.atomicorp.com/wiki/index.php/Mod_security
Pages: [1]
