Install Let'sEncrypt for Admin Panel & User Panel Again, 100% Working

Hello Everybody,

I wrote a blog on http://forum.centos-webpanel.com regarding Let's Encrypt SSL Certificate for CentOS Web Panel when "Letsencrypt Manager"  option was exist under Apache Settings >> Letsencrypt Manager >> Install Letsencrypt .

At Present CWP Team has been removed "Letsencrypt Manager"  that's why it will not renew any cert automatic . They made Auto SSL by default but Auto SSL grade is B and I'm not satisfied with Auto SSL.

Previous Article Link : http://forum.centos-webpanel.com/ssl/install-letsencrypt-ssl-certificate-for-your-server-hostnamefqdn-100-working/
So Previous Tutorial will not work any more on New version of CWP . And It's very awkward for all when some popular feature has been removed from CWP

N.B: I am using the below cipherlist
https://cipherli.st/
https://mozilla.github.io/server-side-tls/ssl-config-generator/
https://wiki.mozilla.org/Security/Server_Side_TLS

So now I am writing this solution again for all of guys and I hope that it will be 100% working again on your CentOS-Webpanel as mine .
Environment Details:
CPU Model: Intel(R) Xeon(R) CPU X3440 @ 2.53GHz
CPU Details: 2 Core (2527 MHz)
Distro Name: CentOS Linux release 7.6.1810 (Core)
Kernel Version: 3.10.0-957.1.3.el7.x86_64
CentOS-Web Panel version: CWP7.admin
CWP version: 0.9.8.757
RAM: 4 GB
Type: VPS

Code: [Select]

# hostname
host.datahead.biz

# cat /etc/redhat-release
CentOS Linux release 7.6.1810 (Core) 

# getenforce
Disabled

# systemctl status firewalld
â firewalld.service
   Loaded: masked (/dev/null; bad)
   Active: inactive (dead)

Before issuing SSL , You must have proper DNS Records

Install Certbot

Code: [Select]

# yum install epel-release (if not installed)
# yum update -y
# yum install certbot
Check both are installed or not

Code: [Select]

# yum info mod_ssl openssl In my case, mod_ssl is not installed , No issue if openssl is installed , then it would be okay.

To avoid duplicating code create the following two configurations snippets:

Code: [Select]

# vi /usr/local/apache/conf.d/letsencrypt.conf

Alias /.well-known/acme-challenge/ "/usr/local/apache/autossl_tmp/.well-known/acme-challenge/"
<Directory "/usr/local/apache/autossl_tmp/">
    AllowOverride None
    Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
    Require method GET POST OPTIONS
</Directory>

:x
Generate SSL using certbot

Code: [Select]

# certbot certonly --agree-tos --email admin@datahead.biz --webroot -w /usr/local/apache/autossl_tmp/ -d host.datahead.biz
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for host.datahead.biz
Using the webroot path /usr/local/apache/autossl_tmp for all unmatched domains.
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/host.datahead.biz/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/host.datahead.biz/privkey.pem
   Your cert will expire on 2019-02-02. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
Backup the original file

Code: [Select]

# cp /usr/local/apache/conf.d/ssl.conf /usr/local/apache/conf.d/bak.ssl.conf.orig

Edit the file and paste the code & save it

Code: [Select]

# vi /usr/local/apache/conf.d/ssl.conf
<IfModule !ssl_module>
LoadModule ssl_module modules/mod_ssl.so
</IfModule>
Listen 443
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder On
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
# Requires Apache >= 2.4
SSLCompression off

# OCSP Stapling, only in httpd 2.3.3 and later
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
# Requires Apache >= 2.4.11
SSLSessionTickets Off


SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
SSLStaplingCache        shmcb:/var/run/ocsp(128000)

#NameVirtualHost server_ip:443

Check the apache syntax and restart the httpd & reload cwpsrv

Code: [Select]

# /usr/local/cwpsrv/bin/cwpsrv –t
# systemctl restart httpd
# sh /scripts/reload_cwpsrv 

Uncomment the module & save

Code: [Select]

# vi /usr/local/apache/conf/httpd.conf
LoadModule ssl_module modules/mod_ssl.so
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so

Check the apache syntax again and restart the httpd & reload cwpsrv , If you get any error , Please fix the issue . I didn't get any error

Code: [Select]

# /usr/local/cwpsrv/bin/cwpsrv –t
# systemctl restart httpd
# sh /scripts/reload_cwpsrv 
Now Fix The Permission :
User Account >> Fix Permissions

Now Edit the following File and save it as below:

Code: [Select]

# vi /usr/local/apache/conf.d/hostname-ssl.conf 
# vhost_start host.datahead.biz
<VirtualHost *:443>
        ServerName host.datahead.biz
        ServerAdmin webmaster@datahead.biz
        DocumentRoot /usr/local/apache/htdocs/

        SSLEngine on
        SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
        SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
        SSLCertificateFile /etc/letsencrypt/live/host.datahead.biz/cert.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/host.datahead.biz/privkey.pem
        SSLCertificateChainFile /etc/letsencrypt/live/host.datahead.biz/fullchain.pem
        SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown

        <IfModule mod_suexec.c>
                SuexecUserGroup nobody nobody
        </IfModule>

        <IfModule mod_suphp.c>
                suPHP_UserGroup nobody nobody
                suPHP_ConfigPath /home/nobody
        </IfModule>

        <Directory "/usr/local/apache/htdocs/">
        AllowOverride All
        </Directory>

</VirtualHost>
# vhost_end host.datahead.biz

Finally reload the server

Code: [Select]

# /usr/local/cwpsrv/bin/cwpsrv –t
# systemctl restart httpd
# sh /scripts/restart_cwpsrv 
Now the Final stage is Here:
For Admin Panel

Code: [Select]

# vi /usr/local/cwpsrv/conf/cwpsrv.conf

Find the below code :
ssl_certificate     /etc/pki/tls/certs/hostname.crt;
ssl_certificate_key /etc/pki/tls/private/hostname.key;
ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers         HIGH:!aNULL:!MD5;

And replace with:
ssl_certificate     /etc/letsencrypt/live/host.datahead.biz/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/host.datahead.biz/privkey.pem;
ssl_protocols       TLSv1.2;
ssl_ciphers         EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH;

:x

For User Panel

Code: [Select]

# vi /usr/local/cwpsrv/conf.d/users.conf

Find the below code :
ssl_certificate     /etc/pki/tls/certs/hostname.crt;
ssl_certificate_key /etc/pki/tls/private/hostname.key;
ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers         HIGH:!aNULL:!MD5;

And replace with:
ssl_certificate     /etc/letsencrypt/live/host.datahead.biz/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/host.datahead.biz/privkey.pem;
ssl_protocols       TLSv1.2;
ssl_ciphers         EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH;

:x
For Webmail

Code: [Select]

# vi /usr/local/cwpsrv/conf.d/webmail.conf

Find the below code :
ssl_certificate     /etc/pki/tls/certs/hostname.crt;
ssl_certificate_key /etc/pki/tls/private/hostname.key;
ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers         HIGH:!aNULL:!MD5;

And replace with:
ssl_certificate     /etc/letsencrypt/live/host.datahead.biz/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/host.datahead.biz/privkey.pem;
ssl_protocols       TLSv1.2;
ssl_ciphers         EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH;

:x
Now Browse all the link and you will not get any warning
CWP Admin Panel Link (by hostname)
CWP Admin Panel Link: http://host.domain.biz:2030
CWP Admin Panel Link: http://host.domain.biz:2086
CWP Admin Panel SSL Link: https://host.domain.biz:2031
CWP Admin Panel SSL Link: https://host.domain.biz:2087


CWP User Panel Link (by hostname)
CWP User Panel Link: http://host.domain.biz:2082
CWP User Panel SSL Link: https://host.domain.biz:2083


Check your SSL setting:
https://www.ssllabs.com/ssltest/
https://www.sslshopper.com/

Please comment and share , If you have any difficulties

For Any kind of Assistance :
Email: glorency[at]outlook.com
VPS : Dedicated Server: Email Solution

Hi
during following above steps
@ this commnad certbot certonly --agree-tos --email nomdelivery@gmail.com --webroot -w /usr/local/apache/autossl_tmp/ -d srv1.foodiebaba.in
I got error "NO module named requests.packeges.urllib3"
Also Exceptions import invalid url
Can you help me I strugling to install ssl to hostname from months. I have other domain my configuration is here
https://forum.centos-webpanel.com/ssl/ssl-and-hostname-correct-setup/msg21060/#msg21060
Thanks

Hello

Share the details snahoot of that error and also
Print the log:
# tail -f /var/log/letsencrypt/letsencrypt.log

Hi,

Works great but there is an issue, the configuration on the /usr/local/cwpsrv/conf.d files is lost after running an sh /scripts/update_cwp

Would there be a way to make them more permanent?

Thanks,
Santi

Hi,

This is all manual process. AutoSSL should work from panel itself. If you have steps to accomplish this share us.

I've managed to successfully install Let's encrypt for my web server, and SSLshopper says that everything is okay, but unfortunately i'm still getting invalid certificate warning in web browsers when visiting CWP admin, Roundcube or user control panel pages... What can be wrong?

Clear the cache in the browser? What port are you using? 2087 works for me.

I've managed to successfully install Let's encrypt for my web server, and SSLshopper says that everything is okay, but unfortunately i'm still getting invalid certificate warning in web browsers when visiting CWP admin, Roundcube or user control panel pages... What can be wrong?

Share your server url and share the log

It was my mistake, i was trying to access secure page via my IP address instead of FQDN (https://123.456.123.456:2087 instead of https://server.hostname.com). Of course, SSL certificate is installed for FQDN, not for an IP address.

So, everything works well now
Thanks!

It was my mistake, i was trying to access secure page via my IP address instead of FQDN (https://123.456.123.456:2087 instead of https://server.hostname.com). Of course, SSL certificate is installed for FQDN, not for an IP address.

So, everything works well now
Thanks!

Great to know that it's working

Thanks for the tutorial,

However, all works for me except for the webmail.

I currently don't have webmail but mail in my records.

Do I need to create webmail on my DNS?

outlook connects but not via ssl.

Work do I need to change

Hello,

i CWP has AutoSSL which works for both Admin panel and user panel and website

For Admin and User panel:
CWP.Admin -> server settings -> Enter hostname -> click change hostname. This will set hostname and install SSL for the hostname which can be used for admin panels and user panel

For website:
CWP.Admin -> Webserver settings -> SSL certificates -> AutoSSL -> select user and domain and click install SSL

Hello

At present date 05/04/2020, having CentOS Linux release 7.7.1908 (Core) and CWPpro version: 0.9.8.954, both updated at latest version, this tutorial does not work anymore.

The -t option for the command  /usr/local/cwpsrv/bin/cwpsrv –t is not recognized

After following the whole procedure anyway there are syntax errors in the configuration files, stapling is not possible to be used and a few other things go wrong, the result is that the service apache cannot be started, I stopped there as not being expert I have no clue about what should be done.

Anyone knows how to change this tutorial to updated cwp and centos or anyway how do is possible to get a A+ grade letsencrypt certificate and have it automatically renewed for every Vhost?

Thank you

Hello

At present date 05/04/2020, having CentOS Linux release 7.7.1908 (Core) and CWPpro version: 0.9.8.954, both updated at latest version, this tutorial does not work anymore.

The -t option for the command  /usr/local/cwpsrv/bin/cwpsrv –t is not recognized

After following the whole procedure anyway there are syntax errors in the configuration files, stapling is not possible to be used and a few other things go wrong, the result is that the service apache cannot be started, I stopped there as not being expert I have no clue about what should be done.

Anyone knows how to change this tutorial to updated cwp and centos or anyway how do is possible to get a A+ grade letsencrypt certificate and have it automatically renewed for every Vhost?

Thank you

HI David,

I have checked that both Syntax are correct , Please don't copy and paste to your terminal .


I will post for SSL stapling later .