I wrote a blog post on http://forum.centos-webpanel.com about the Let's Encrypt SSL certificate for CentOS Web Panel back when the "Letsencrypt Manager" option still existed under Apache Settings >> Letsencrypt Manager >> Install Letsencrypt.
At present the CWP team has removed the "Letsencrypt Manager", so it will no longer renew any certificate automatically. They made Auto SSL the default, but Auto SSL only scores grade B and I'm not satisfied with it.
Previous Article Link: Install Letsencrypt SSL Certificate for your Server Hostname/FQDN, 100% Working
N.B.: I am using the cipher list built from the references below:
https://cipherli.st/
https://mozilla.github.io/server-side-tls/ssl-config-generator/
https://wiki.mozilla.org/Security/Server_Side_TLS
https://ssl-config.mozilla.org/#server=apache&server-version=2.4.39&config=intermediate&openssl-version=1.0.2k-fips
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
https://ssldecoder.org/
So now I am writing this solution again for all of you, and I hope it will work 100% on your CentOS Web Panel as it does on mine.
Environment Details:
CPU Model: Intel(R) Xeon(R) CPU X3440 @ 2.53GHz
CPU Details: 2 Core (2527 MHz)
Distro Name: CentOS Linux release 7.6.1810 (Core)
Kernel Version: 3.10.0-957.1.3.el7.x86_64
CentOS-Web Panel version: CWP7.admin
CWP version: 0.9.8.757
RAM: 4 GB
Type: VPS
WebServer: Apache Only (Apache/2.4.34 (Unix) OpenSSL/1.0.1e-fips)
# hostname
host.datahead.biz
# cat /etc/redhat-release
CentOS Linux release 7.6.1810 (Core)
# getenforce
Disabled
# systemctl status firewalld
● firewalld.service
Loaded: masked (/dev/null; bad)
Active: inactive (dead)
You must have proper DNS records for the hostname before requesting the certificate.
Install Certbot:
# yum install epel-release (if not installed)
# yum update -y
# yum install certbot
Check whether both are installed:
# yum info mod_ssl openssl
In my case mod_ssl is not installed; that is no issue as long as openssl is installed. To avoid duplicating code, create the following two configuration snippets:
# vi /usr/local/apache/conf.d/letsencrypt.conf
Generate the SSL certificate using certbot:
# certbot certonly --agree-tos --email admin@datahead.biz --webroot -w /usr/local/apache/autossl_tmp/ -d host.datahead.biz
Press (Yes): y
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for host.datahead.biz
Using the webroot path /usr/local/apache/autossl_tmp for all unmatched domains.
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/host.datahead.biz/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/host.datahead.biz/privkey.pem
Your cert will expire on 2019-02-02. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
Back up the original file:
# cp /usr/local/apache/conf.d/ssl.conf /usr/local/apache/conf.d/bak.ssl.conf.orig
Edit the file, paste the code and save it:
# vi /usr/local/apache/conf.d/ssl.conf
Check the Apache syntax, restart httpd and reload cwpsrv:
# /usr/local/cwpsrv/bin/cwpsrv -t
# systemctl restart httpd
# sh /scripts/reload_cwpsrv
Uncomment the modules and save:
# vi /usr/local/apache/conf/httpd.conf
LoadModule ssl_module modules/mod_ssl.so
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
Now go to the Apache log directory (/usr/local/apache/logs) and create the files below:
# touch "stapling-cache(150000)"
# touch "ssl_scache(512000)"
Check the Apache syntax again, restart httpd and reload cwpsrv. If you get any error, fix it first; I didn't get any.
# /usr/local/cwpsrv/bin/cwpsrv -t
# systemctl restart httpd
# sh /scripts/reload_cwpsrv
Now fix the permissions: User Account >> Fix Permissions
Now edit the following file and save it as below:
# vi /usr/local/apache/conf.d/hostname-ssl.conf
Finally reload the server:
# /usr/local/cwpsrv/bin/cwpsrv -t
# systemctl restart httpd
# sh /scripts/restart_cwpsrv
Now the final stage is here. For nginx (cwpsrv), the cipher list is:
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384
For the Admin Panel:
# vi /usr/local/cwpsrv/conf/cwpsrv.conf
Find the code below:
ssl_certificate /etc/pki/tls/certs/hostname.crt;
ssl_certificate_key /etc/pki/tls/private/hostname.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;
And replace with:
ssl_certificate /etc/letsencrypt/live/host.datahead.biz/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/host.datahead.biz/privkey.pem;
ssl_protocols TLSv1.2;
#For Apache
#ssl_ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH;
#For NGINX
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
:x
For the User Panel:
# vi /usr/local/cwpsrv/conf.d/users.conf
Find the code below:
ssl_certificate /etc/pki/tls/certs/hostname.crt;
ssl_certificate_key /etc/pki/tls/private/hostname.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;
And replace with:
ssl_certificate /etc/letsencrypt/live/host.datahead.biz/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/host.datahead.biz/privkey.pem;
ssl_protocols TLSv1.2;
#For Apache
#ssl_ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH;
#For NGINX
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
:x
For Webmail:
# vi /usr/local/cwpsrv/conf.d/webmail.conf
Find the code below:
ssl_certificate /etc/pki/tls/certs/hostname.crt;
ssl_certificate_key /etc/pki/tls/private/hostname.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;
And replace with:
ssl_certificate /etc/letsencrypt/live/host.datahead.biz/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/host.datahead.biz/privkey.pem;
ssl_protocols TLSv1.2;
#For Apache
#ssl_ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH;
#For NGINX
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
:x
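As an added example (not code from the original post or from the CWP project), the script below performs the same find-and-replace for the three cwpsrv files with sed instead of vi, audits each file for the stock weak settings (self-signed hostname.crt, TLSv1/TLSv1.1, the generic HIGH cipher list), and wraps certbot renewal in a deploy hook because the removed Letsencrypt Manager no longer renews the certificate. It assumes the post's hostname, Let's Encrypt live path and nginx cipher list.

```shell
#!/bin/sh
# Added example, not the post's or CWP's own code. Usage on a CWP host:
#   sh harden_cwpsrv_tls.sh /usr/local/cwpsrv/conf/cwpsrv.conf \
#      /usr/local/cwpsrv/conf.d/users.conf /usr/local/cwpsrv/conf.d/webmail.conf
# Assumes the post's hostname, Let's Encrypt live path and nginx cipher list.
HOST="host.datahead.biz"
LIVE="/etc/letsencrypt/live/$HOST"
CIPHERS="ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384"

# audit_tls_conf FILE: returns 0 only when none of the stock weak settings remain
# (self-signed hostname.crt, TLSv1/TLSv1.1 enabled, generic HIGH cipher list).
audit_tls_conf() {
  f="$1"; rc=0
  grep -q '/etc/pki/tls/certs/hostname.crt' "$f" && { echo "$f: self-signed hostname.crt still in use"; rc=1; }
  grep -Eq '^[[:space:]]*ssl_protocols[[:space:]].*TLSv1(\.1)?[[:space:];]' "$f" && { echo "$f: TLSv1/TLSv1.1 still enabled"; rc=1; }
  grep -Eq '^[[:space:]]*ssl_ciphers[[:space:]]+HIGH' "$f" && { echo "$f: generic HIGH cipher list"; rc=1; }
  return $rc
}

# harden_tls_conf FILE: keeps a .orig backup (as the post does for ssl.conf) and
# rewrites the four directives to the values the post pastes in by hand.
harden_tls_conf() {
  f="$1"
  cp "$f" "$f.orig"
  sed -e "s|^\([[:space:]]*ssl_certificate[[:space:]]\).*|\1$LIVE/fullchain.pem;|" \
      -e "s|^\([[:space:]]*ssl_certificate_key[[:space:]]\).*|\1$LIVE/privkey.pem;|" \
      -e "s|^\([[:space:]]*ssl_protocols[[:space:]]\).*|\1TLSv1.2;|" \
      -e "s|^\([[:space:]]*ssl_ciphers[[:space:]]\).*|\1$CIPHERS;|" \
      "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# renew_and_reload: the removed Letsencrypt Manager no longer renews the cert, so
# run this daily from cron; the deploy hook only fires when a cert was renewed.
renew_and_reload() {
  certbot renew --quiet --deploy-hook "systemctl restart httpd && sh /scripts/reload_cwpsrv"
}

# Apply to every file given on the command line; with no arguments it does nothing.
for f in "$@"; do
  harden_tls_conf "$f" && audit_tls_conf "$f"
done
```

Run `cwpsrv -t` after the edit, as the post does, before restarting the services.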
Now browse all the links and you will not get any warning.
CWP Admin Panel Link (by hostname)
CWP Admin Panel Link: http://host.datahead.biz:2030
CWP Admin Panel Link: http://host.datahead.biz:2086
CWP Admin Panel SSL Link: https://host.datahead.biz:2031
CWP Admin Panel SSL Link: https://host.datahead.biz:2087
CWP User Panel Link (by hostname)
CWP User Panel Link: http://host.datahead.biz:2082
CWP User Panel SSL Link: https://host.datahead.biz:2083
Check your SSL settings:
https://www.ssllabs.com/ssltest/
https://www.sslshopper.com/
For any kind of assistance:
Email: dna[at]mdrubelhossain.com