I wrote a blog post on http://forum.centos-webpanel.com about the Let's Encrypt SSL certificate for CentOS Web Panel back when the "Letsencrypt Manager" option still existed under Apache Settings >> Letsencrypt Manager >> Install Letsencrypt.
At present the CWP team has removed the "Letsencrypt Manager", so certificates are no longer renewed automatically. They made Auto SSL the default, but Auto SSL only reaches a B grade and I'm not satisfied with it.
Previous article link: Install Letsencrypt SSL Certificate for your Server Hostname/FQDN, 100% Working
N.B.: I am using the cipher lists and references below:
https://cipherli.st/
https://mozilla.github.io/server-side-tls/ssl-config-generator/
https://wiki.mozilla.org/Security/Server_Side_TLS
https://ssl-config.mozilla.org/#server=apache&server-version=2.4.39&config=intermediate&openssl-version=1.0.2k-fips
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
https://ssldecoder.org/
So now I am writing this solution again for all of you, and I hope it will be 100% working on your CentOS Web Panel as it is on mine.
Environment Details:
CPU Model: Intel(R) Xeon(R) CPU X3440 @ 2.53GHz
CPU Details: 2 Core (2527 MHz)
Distro Name: CentOS Linux release 7.6.1810 (Core)
Kernel Version: 3.10.0-957.1.3.el7.x86_64
CentOS-Web Panel version: CWP7.admin
CWP version: 0.9.8.757
RAM: 4 GB
Type: VPS
WebServer: Apache Only (Apache/2.4.34 (Unix) OpenSSL/1.0.1e-fips)
# hostname
host.datahead.biz
# cat /etc/redhat-release
CentOS Linux release 7.6.1810 (Core)
# getenforce
Disabled
# systemctl status firewalld
● firewalld.service
Loaded: masked (/dev/null; bad)
Active: inactive (dead)
You must have proper DNS records for the hostname.
Install Certbot:
# yum install epel-release (if not installed)
# yum update -y
# yum install certbot
Check whether both are installed:
# yum info mod_ssl openssl
In my case mod_ssl is not installed; that is no issue as long as openssl is installed. To avoid duplicating code, create the following two configuration snippets:
# vi /usr/local/apache/conf.d/letsencrypt.conf
Generate the SSL certificate using certbot:
# certbot certonly --agree-tos --email admin@datahead.biz --webroot -w /usr/local/apache/autossl_tmp/ -d host.datahead.biz
When prompted, confirm with y (Yes).
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for host.datahead.biz
Using the webroot path /usr/local/apache/autossl_tmp for all unmatched domains.
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/host.datahead.biz/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/host.datahead.biz/privkey.pem
Your cert will expire on 2019-02-02. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
Back up the original file:
# cp /usr/local/apache/conf.d/ssl.conf /usr/local/apache/conf.d/bak.ssl.conf.orig
Edit the file, paste the code and save it:
# vi /usr/local/apache/conf.d/ssl.conf
Check the Apache syntax, restart httpd and reload cwpsrv:
# /usr/local/cwpsrv/bin/cwpsrv -t
# systemctl restart httpd
# sh /scripts/reload_cwpsrv
Uncomment the modules and save:
# vi /usr/local/apache/conf/httpd.conf
LoadModule ssl_module modules/mod_ssl.so
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
Now go to the Apache log directory (/usr/local/apache/logs) and create the files below:
# touch "stapling-cache(150000)"
# touch "ssl_scache(512000)"
Check the Apache syntax again, restart httpd and reload cwpsrv. If you get any error, fix the issue first; I did not get any error.
# /usr/local/cwpsrv/bin/cwpsrv -t
# systemctl restart httpd
# sh /scripts/reload_cwpsrv
Now fix the permissions: User Account >> Fix Permissions
Now Edit the following File and save it as below:
# vi /usr/local/apache/conf.d/hostname-ssl.conf
Finally reload the server:
# /usr/local/cwpsrv/bin/cwpsrv -t
# systemctl restart httpd
# sh /scripts/restart_cwpsrv
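Because the removed Letsencrypt Manager no longer renews the certificate, here is an added renewal helper (example code, not from the post or from CWP) built on `certbot renew --deploy-hook` and the reload commands used above; `certbot renew` rewrites the files under /etc/letsencrypt/live/, but httpd and cwpsrv keep the old certificate loaded until restarted. The cron path, the --run switch and the 30-day warning are this example's assumptions; the hostname and paths are the post's.

```shell
#!/bin/sh
# Added example, not from the original post: cron-driven renewal for the
# hostname certificate, with the post's reload commands as a deploy hook so
# httpd and cwpsrv pick up the new files. Script path in the cron line, the
# --run convention and the 30-day warning are this example's choices.
#   0 3 * * *  /usr/local/sbin/cwp-le-renew.sh --run   (example cron entry)
HOSTNAME_FQDN="host.datahead.biz"
CERT="/etc/letsencrypt/live/$HOSTNAME_FQDN/fullchain.pem"
DEPLOY_HOOK='systemctl restart httpd && sh /scripts/reload_cwpsrv'

# days_left NOTAFTER_LINE NOW_EPOCH -> whole days until expiry (negative if
# already expired). NOTAFTER_LINE is the "notAfter=..." line printed by
# `openssl x509 -enddate -noout`; needs GNU date for -d parsing.
days_left() {
    end_epoch=$(date -u -d "${1#notAfter=}" +%s) || return 1
    echo $(( (end_epoch - $2) / 86400 ))
}

# Renew whatever is due; certbot runs the hook only when a cert changed.
renew_and_reload() {
    certbot renew --quiet --deploy-hook "$DEPLOY_HOOK"
}

# Report remaining lifetime. certbot renews at <=30 days by default, so
# fewer than 30 days left right after a renew run means renewal is failing.
report() {
    enddate=$(openssl x509 -enddate -noout -in "$CERT") || return 1
    left=$(days_left "$enddate" "$(date -u +%s)")
    echo "$HOSTNAME_FQDN: certificate expires in $left days"
    if [ "$left" -lt 30 ]; then
        echo "WARNING: renewal is not happening; see /var/log/letsencrypt/letsencrypt.log"
        return 2
    fi
}

# Act only when invoked with --run, so the file can also be sourced for its functions.
if [ "${1:-}" = "--run" ]; then
    renew_and_reload
    report
fi
```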
Now the final stage is here.
For NGINX:
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384
For Admin Panel:
# vi /usr/local/cwpsrv/conf/cwpsrv.conf
Find the following code:
ssl_certificate /etc/pki/tls/certs/hostname.crt;
ssl_certificate_key /etc/pki/tls/private/hostname.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;
And replace with:
ssl_certificate /etc/letsencrypt/live/host.datahead.biz/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/host.datahead.biz/privkey.pem;
ssl_protocols TLSv1.2;
#For Apache
#ssl_ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH;
#For NGINX
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
:x
For User Panel:
# vi /usr/local/cwpsrv/conf.d/users.conf
Find the following code:
ssl_certificate /etc/pki/tls/certs/hostname.crt;
ssl_certificate_key /etc/pki/tls/private/hostname.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;
And replace with:
ssl_certificate /etc/letsencrypt/live/host.datahead.biz/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/host.datahead.biz/privkey.pem;
ssl_protocols TLSv1.2;
#For Apache
#ssl_ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH;
#For NGINX
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
:x
For Webmail:
# vi /usr/local/cwpsrv/conf.d/webmail.conf
Find the following code:
ssl_certificate /etc/pki/tls/certs/hostname.crt;
ssl_certificate_key /etc/pki/tls/private/hostname.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;
And replace with:
ssl_certificate /etc/letsencrypt/live/host.datahead.biz/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/host.datahead.biz/privkey.pem;
ssl_protocols TLSv1.2;
#For Apache
#ssl_ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH;
#For NGINX
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
:x
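As an added check (example code, not from the post), the script below flags the weak cwpsrv defaults that the three find-and-replace blocks above remove: TLSv1/TLSv1.1 still offered, the self-signed hostname.crt still served, the generic HIGH:!aNULL:!MD5 cipher string, and a certificate directive that is not a fullchain.pem. The two sample files it writes are constructed from those blocks; on a live server you would run audit_tls_conf against cwpsrv.conf, users.conf and webmail.conf.

```shell
#!/bin/sh
# Added example, not part of the original post: flag the weak defaults the
# post replaces in cwpsrv's nginx-style TLS config. The two sample files
# are constructed here from the post's "find" and "replace" blocks.
# audit_tls_conf FILE -> prints one finding per line, returns 1 if any.
audit_tls_conf() {
    f="$1"; rc=0
    # TLSv1 / TLSv1.1 still offered (matches "TLSv1" or "TLSv1.1", not "TLSv1.2")
    if grep -Eq '^[[:space:]]*ssl_protocols[^;]*TLSv1(\.1)?([[:space:];]|$)' "$f"; then
        echo "$f: ssl_protocols still allows TLSv1/TLSv1.1"; rc=1
    fi
    # Still serving the self-signed hostname.crt that CWP ships by default
    if grep -Eq '^[[:space:]]*ssl_certificate[[:space:]]+/etc/pki/tls/certs/hostname\.crt' "$f"; then
        echo "$f: ssl_certificate still points at the self-signed hostname.crt"; rc=1
    fi
    # Generic cipher string that keeps non-PFS (RSA key exchange) and CBC suites
    if grep -Eq '^[[:space:]]*ssl_ciphers[[:space:]]+HIGH:!aNULL:!MD5' "$f"; then
        echo "$f: ssl_ciphers is the generic HIGH:!aNULL:!MD5 list"; rc=1
    fi
    # A leaf-only certificate file would hand clients an incomplete chain
    if ! grep -Eq '^[[:space:]]*ssl_certificate[[:space:]]+[^[:space:];]*fullchain\.pem' "$f"; then
        echo "$f: ssl_certificate does not use a fullchain.pem"; rc=1
    fi
    return $rc
}
# write_samples DIR -> constructed weak.conf / hardened.conf mirroring the post
write_samples() {
    cat > "$1/weak.conf" <<'EOF'
ssl_certificate /etc/pki/tls/certs/hostname.crt;
ssl_certificate_key /etc/pki/tls/private/hostname.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;
EOF
    cat > "$1/hardened.conf" <<'EOF'
ssl_certificate /etc/letsencrypt/live/host.datahead.biz/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/host.datahead.biz/privkey.pem;
ssl_protocols TLSv1.2;
#For NGINX
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384;
EOF
}
# Demo over the constructed samples; on a real server pass the live conf files.
d=$(mktemp -d)
write_samples "$d"
for c in "$d/weak.conf" "$d/hardened.conf"; do
    audit_tls_conf "$c" && echo "$c: OK"
done
rm -rf "$d"
```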
Now browse all the links and you will not get any warning.
CWP Admin Panel Link (by hostname)
CWP Admin Panel Link: http://host.datahead.biz:2030
CWP Admin Panel Link: http://host.datahead.biz:2086
CWP Admin Panel SSL Link: https://host.datahead.biz:2031
CWP Admin Panel SSL Link: https://host.datahead.biz:2087
CWP User Panel Link (by hostname)
CWP User Panel Link: http://host.datahead.biz:2082
CWP User Panel SSL Link: https://host.datahead.biz:2083
Check your SSL settings:
https://www.ssllabs.com/ssltest/
https://www.sslshopper.com/
For any kind of assistance:
Email: dna[at]mdrubelhossain.com