Author Topic: Install Let'sEncrypt for Admin Panel & User Panel Again, 100% Working  (Read 478 times)

0 Members and 1 Guest are viewing this topic.

Offline
*
Hello Everybody,

I wrote a blog on http://forum.centos-webpanel.com regarding Let's Encrypt SSL Certificate for CentOS Web Panel when "Letsencrypt Manager"  option was exist under Apache Settings >> Letsencrypt Manager >> Install Letsencrypt .

At Present CWP Team has been removed "Letsencrypt Manager"  that's why it will not renew any cert automatic . They made Auto SSL by default but Auto SSL grade is B and I'm not satisfied with Auto SSL.

Previous Article Link : http://forum.centos-webpanel.com/ssl/install-letsencrypt-ssl-certificate-for-your-server-hostnamefqdn-100-working/
So Previous Tutorial will not work any more on New version of CWP . And It's very awkward for all when some popular feature has been removed from CWP

N.B: I am using the below cipherlist
https://cipherli.st/
https://mozilla.github.io/server-side-tls/ssl-config-generator/
https://wiki.mozilla.org/Security/Server_Side_TLS

So now I am writing this solution again for all of guys and I hope that it will be 100% working again on your CentOS-Webpanel as mine .
Environment Details:
CPU Model: Intel(R) Xeon(R) CPU X3440 @ 2.53GHz
CPU Details: 2 Core (2527 MHz)
Distro Name: CentOS Linux release 7.6.1810 (Core)
Kernel Version: 3.10.0-957.1.3.el7.x86_64
CentOS-Web Panel version: CWP7.admin
CWP version: 0.9.8.757
RAM: 4 GB
Type: VPS

Code: [Select]
# hostname
host.datahead.biz

# cat /etc/redhat-release
CentOS Linux release 7.6.1810 (Core) 

# getenforce
Disabled

# systemctl status firewalld
firewalld.service
   Loaded: masked (/dev/null; bad)
   Active: inactive (dead)

Before issuing SSL , You must have proper DNS Records


Install Certbot
Code: [Select]
# yum install epel-release (if not installed)
# yum update -y
# yum install certbot

Check both are installed or not
Code: [Select]
# yum info mod_ssl openssl In my case, mod_ssl is not installed , No issue if openssl is installed , then it would be okay.

To avoid duplicating code create the following two configurations snippets:
Code: [Select]
# vi /usr/local/apache/conf.d/letsencrypt.conf

Alias /.well-known/acme-challenge/ "/usr/local/apache/autossl_tmp/.well-known/acme-challenge/"
<Directory "/usr/local/apache/autossl_tmp/">
    AllowOverride None
    Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
    Require method GET POST OPTIONS
</Directory>

:x

Generate SSL using certbot
Code: [Select]
# certbot certonly --agree-tos --email admin@datahead.biz --webroot -w /usr/local/apache/autossl_tmp/ -d host.datahead.biz
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for host.datahead.biz
Using the webroot path /usr/local/apache/autossl_tmp for all unmatched domains.
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/host.datahead.biz/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/host.datahead.biz/privkey.pem
   Your cert will expire on 2019-02-02. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Backup the original file
Code: [Select]
# cp /usr/local/apache/conf.d/ssl.conf /usr/local/apache/conf.d/bak.ssl.conf.orig

Edit the file and paste the code & save it
Code: [Select]
# vi /usr/local/apache/conf.d/ssl.conf
<IfModule !ssl_module>
LoadModule ssl_module modules/mod_ssl.so
</IfModule>
Listen 443
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder On
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
# Requires Apache >= 2.4
SSLCompression off

# OCSP Stapling, only in httpd 2.3.3 and later
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
# Requires Apache >= 2.4.11
SSLSessionTickets Off


SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
SSLStaplingCache        shmcb:/var/run/ocsp(128000)

#NameVirtualHost server_ip:443


Check the apache syntax and restart the httpd & reload cwpsrv
Code: [Select]
# /usr/local/cwpsrv/bin/cwpsrv t
# systemctl restart httpd
# sh /scripts/reload_cwpsrv 

Uncomment the module & save
Code: [Select]
# vi /usr/local/apache/conf/httpd.conf
LoadModule ssl_module modules/mod_ssl.so
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so


Check the apache syntax again and restart the httpd & reload cwpsrv , If you get any error , Please fix the issue . I didn't get any error
Code: [Select]
# /usr/local/cwpsrv/bin/cwpsrv t
# systemctl restart httpd
# sh /scripts/reload_cwpsrv 

Now Fix The Permission :
User Account >> Fix Permissions

Now Edit the following File and save it as below:
Code: [Select]
# vi /usr/local/apache/conf.d/hostname-ssl.conf 
# vhost_start host.datahead.biz
<VirtualHost *:443>
        ServerName host.datahead.biz
        ServerAdmin webmaster@datahead.biz
        DocumentRoot /usr/local/apache/htdocs/

        SSLEngine on
        SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
        SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
        SSLCertificateFile /etc/letsencrypt/live/host.datahead.biz/cert.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/host.datahead.biz/privkey.pem
        SSLCertificateChainFile /etc/letsencrypt/live/host.datahead.biz/fullchain.pem
        SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown

        <IfModule mod_suexec.c>
                SuexecUserGroup nobody nobody
        </IfModule>

        <IfModule mod_suphp.c>
                suPHP_UserGroup nobody nobody
                suPHP_ConfigPath /home/nobody
        </IfModule>

        <Directory "/usr/local/apache/htdocs/">
        AllowOverride All
        </Directory>

</VirtualHost>
# vhost_end host.datahead.biz


Finally reload the server
Code: [Select]
# /usr/local/cwpsrv/bin/cwpsrv t
# systemctl restart httpd
# sh /scripts/restart_cwpsrv 

Now the Final stage is Here:
For Admin Panel

Code: [Select]
# vi /usr/local/cwpsrv/conf/cwpsrv.conf

Find the below code :
ssl_certificate     /etc/pki/tls/certs/hostname.crt;
ssl_certificate_key /etc/pki/tls/private/hostname.key;
ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers         HIGH:!aNULL:!MD5;

And replace with:
ssl_certificate     /etc/letsencrypt/live/host.datahead.biz/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/host.datahead.biz/privkey.pem;
ssl_protocols       TLSv1.2;
ssl_ciphers         EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH;

:x


For User Panel
Code: [Select]
# vi /usr/local/cwpsrv/conf.d/users.conf

Find the below code :
ssl_certificate     /etc/pki/tls/certs/hostname.crt;
ssl_certificate_key /etc/pki/tls/private/hostname.key;
ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers         HIGH:!aNULL:!MD5;

And replace with:
ssl_certificate     /etc/letsencrypt/live/host.datahead.biz/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/host.datahead.biz/privkey.pem;
ssl_protocols       TLSv1.2;
ssl_ciphers         EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH;

:x

For Webmail
Code: [Select]
# vi /usr/local/cwpsrv/conf.d/webmail.conf

Find the below code :
ssl_certificate     /etc/pki/tls/certs/hostname.crt;
ssl_certificate_key /etc/pki/tls/private/hostname.key;
ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers         HIGH:!aNULL:!MD5;

And replace with:
ssl_certificate     /etc/letsencrypt/live/host.datahead.biz/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/host.datahead.biz/privkey.pem;
ssl_protocols       TLSv1.2;
ssl_ciphers         EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH;

:x

Now Browse all the link and you will not get any warning
CWP Admin Panel Link (by hostname)

CWP Admin Panel Link: http://host.domain.biz:2030
CWP Admin Panel Link: http://host.domain.biz:2086
CWP Admin Panel SSL Link: https://host.domain.biz:2031
CWP Admin Panel SSL Link: https://host.domain.biz:2087


CWP User Panel Link (by hostname)
CWP User Panel Link: http://host.domain.biz:2082
CWP User Panel SSL Link: https://host.domain.biz:2083


Check your SSL setting:
https://www.ssllabs.com/ssltest/
https://www.sslshopper.com/

Please comment and share , If you have any difficulties

For Any kind of Assistance :
Email: glorency[at]outlook.com
VPS : Dedicated Server: Email Solution
« Last Edit: January 12, 2019, 07:41:01 PM by glorency »

Offline
*
Re: Install Let'sEncrypt for Admin Panel & User Panel Again, 100% Working
« Reply #1 on: January 14, 2019, 04:39:01 AM »
Hi
during following above steps
@ this commnad certbot certonly --agree-tos --email nomdelivery@gmail.com --webroot -w /usr/local/apache/autossl_tmp/ -d srv1.foodiebaba.in
I got error "NO module named requests.packeges.urllib3"
Also Exceptions import invalid url
Can you help me I strugling to install ssl to hostname from months. I have other domain my configuration is here
https://forum.centos-webpanel.com/ssl/ssl-and-hostname-correct-setup/msg21060/#msg21060
Thanks

Offline
*
Re: Install Let'sEncrypt for Admin Panel & User Panel Again, 100% Working
« Reply #2 on: January 14, 2019, 01:37:29 PM »
Hello

Share the details snahoot of that error and also
Print the log:
# tail -f /var/log/letsencrypt/letsencrypt.log