
CWP: How to Configure Let's Encrypt SSL Certificate for your server Hostname/FQDN on CWP7.admin

I wrote a post on http://forum.centos-webpanel.com about the Let's Encrypt SSL certificate for CentOS Web Panel back when the "Letsencrypt Manager" option still existed under Apache Settings >> Letsencrypt Manager >> Install Letsencrypt.

The CWP team has since removed "Letsencrypt Manager", so nothing renews the certificate automatically any more. They made Auto SSL the default instead, but Auto SSL only gets a grade of B and I'm not satisfied with that.

Previous article: Install Letsencrypt SSL Certificate for your Server Hostname/FQDN, 100% Working

N.B: I am using the cipher lists and references below:
https://cipherli.st/
https://mozilla.github.io/server-side-tls/ssl-config-generator/
https://wiki.mozilla.org/Security/Server_Side_TLS
https://ssl-config.mozilla.org/#server=apache&server-version=2.4.39&config=intermediate&openssl-version=1.0.2k-fips
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
https://ssldecoder.org/

So I am writing this solution again for all of you, and I hope it will work 100% on your CentOS Web Panel as it does on mine.

Environment Details:
CPU Model: Intel(R) Xeon(R) CPU X3440 @ 2.53GHz
CPU Details: 2 Core (2527 MHz)
Distro Name: CentOS Linux release 7.6.1810 (Core)
Kernel Version: 3.10.0-957.1.3.el7.x86_64
CentOS-Web Panel version: CWP7.admin
CWP version: 0.9.8.757
RAM: 4 GB
Type: VPS
WebServer: Apache Only (Apache/2.4.34 (Unix) OpenSSL/1.0.1e-fips)
# hostname
host.datahead.biz

# cat /etc/redhat-release 
CentOS Linux release 7.6.1810 (Core)  

# getenforce 
Disabled

# systemctl status firewalld
● firewalld.service
   Loaded: masked (/dev/null; bad)
   Active: inactive (dead)

Prerequisite: the hostname must have proper DNS records pointing at this server (the http-01 challenge below is validated over HTTP).
Install Certbot:
# yum install epel-release   (if not already installed)
# yum update -y
# yum install certbot
Check whether mod_ssl and openssl are installed:
# yum info mod_ssl openssl
In my case mod_ssl is not installed; that is no problem as long as openssl is installed.
To avoid duplicating configuration, create the following two configuration snippets:
# vi /usr/local/apache/conf.d/letsencrypt.conf
Generate the certificate with certbot (webroot mode, using CWP's autossl_tmp directory as the webroot):
# certbot certonly --agree-tos --email admin@datahead.biz --webroot -w /usr/local/apache/autossl_tmp/ -d host.datahead.biz

Answer y when prompted.

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for host.datahead.biz
Using the webroot path /usr/local/apache/autossl_tmp for all unmatched domains.
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/host.datahead.biz/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/host.datahead.biz/privkey.pem
   Your cert will expire on 2019-02-02. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
 
Back up the original file:
# cp /usr/local/apache/conf.d/ssl.conf /usr/local/apache/conf.d/bak.ssl.conf.orig
Edit the file, paste the configuration and save it:
# vi /usr/local/apache/conf.d/ssl.conf

Check the configuration syntax (cwpsrv -t), restart httpd and reload cwpsrv:

# /usr/local/cwpsrv/bin/cwpsrv -t
# systemctl restart httpd
# sh /scripts/reload_cwpsrv
Uncomment the two module lines below and save:
# vi /usr/local/apache/conf/httpd.conf

LoadModule ssl_module modules/mod_ssl.so
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so 
Now go to the Apache log directory (/usr/local/apache/logs) and create the two files below:
# touch "stapling-cache(150000)"
# touch "ssl_scache(512000)"

Check the syntax again, restart httpd and reload cwpsrv. If you get any error, fix it before continuing; I didn't get any.
# /usr/local/cwpsrv/bin/cwpsrv -t
# systemctl restart httpd
# sh /scripts/reload_cwpsrv
Now fix the permissions from the CWP admin panel:
User Account >> Fix Permissions

Now edit the following file and save it as below:
# vi /usr/local/apache/conf.d/hostname-ssl.conf
Finally reload the server:

# /usr/local/cwpsrv/bin/cwpsrv -t
# systemctl restart httpd
# sh /scripts/restart_cwpsrv
Now the final stage: the CWP admin, user and webmail panels. These are served by cwpsrv, whose configuration uses NGINX directives, so they take the NGINX form of the cipher list:
ssl_ciphers         ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384
For Admin Panel
# vi /usr/local/cwpsrv/conf/cwpsrv.conf

Find the following lines:
ssl_certificate     /etc/pki/tls/certs/hostname.crt;
ssl_certificate_key /etc/pki/tls/private/hostname.key;
ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers         HIGH:!aNULL:!MD5;

And replace with:
ssl_certificate     /etc/letsencrypt/live/host.datahead.biz/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/host.datahead.biz/privkey.pem;
ssl_protocols       TLSv1.2;

#For Apache
#ssl_ciphers         EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH; 
#For NGINX
ssl_ciphers         ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
:x 
For User Panel
# vi /usr/local/cwpsrv/conf.d/users.conf 

Find the following lines:
ssl_certificate     /etc/pki/tls/certs/hostname.crt;
ssl_certificate_key /etc/pki/tls/private/hostname.key;
ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers         HIGH:!aNULL:!MD5;

And replace with:
ssl_certificate     /etc/letsencrypt/live/host.datahead.biz/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/host.datahead.biz/privkey.pem;
ssl_protocols       TLSv1.2;
#For Apache
#ssl_ciphers         EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH;
#For NGINX
ssl_ciphers         ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
:x 
For Webmail
# vi /usr/local/cwpsrv/conf.d/webmail.conf 

Find the following lines:
ssl_certificate     /etc/pki/tls/certs/hostname.crt;
ssl_certificate_key /etc/pki/tls/private/hostname.key;
ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers         HIGH:!aNULL:!MD5;

And replace with:
ssl_certificate     /etc/letsencrypt/live/host.datahead.biz/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/host.datahead.biz/privkey.pem;
ssl_protocols       TLSv1.2;
#For Apache
#ssl_ciphers         EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH;
#For NGINX
ssl_ciphers         ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
:x 
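As an added example (not from the original post), the script below audits the three cwpsrv configuration files for exactly the settings this guide replaces and wraps certbot renewal in a deploy hook that restarts httpd and cwpsrv, since CWP no longer renews the hostname certificate itself. The paths, hostname and restart commands are the ones used above; the audit/renew sub-command names are my own.

```shell
#!/bin/sh
# Added example, not part of the original post: audit cwpsrv TLS directives and
# renew the hostname certificate with a deploy hook (CWP no longer renews it).
# Paths below are the ones used in the post; adjust LE_DIR for your hostname.
LE_DIR=/etc/letsencrypt/live/host.datahead.biz
CONF_FILES="/usr/local/cwpsrv/conf/cwpsrv.conf /usr/local/cwpsrv/conf.d/users.conf /usr/local/cwpsrv/conf.d/webmail.conf"

# directive FILE NAME -> value of the first "NAME value;" line (empty if absent)
directive() {
    sed -n "s/^[[:space:]]*$2[[:space:]][[:space:]]*\([^;]*\);.*/\1/p" "$1" | head -n 1
}

# audit_tls_conf FILE -> prints one finding per line; returns 1 if any finding.
# Flags the three settings the guide replaces: pre-1.2 protocols, the CWP
# self-signed certificate path and the catch-all HIGH cipher list.
audit_tls_conf() {
    f="$1"; findings=0
    for p in $(directive "$f" ssl_protocols); do
        case "$p" in
            SSLv2|SSLv3|TLSv1|TLSv1.1)
                echo "$f: legacy protocol enabled: $p"; findings=$((findings + 1)) ;;
        esac
    done
    cert=$(directive "$f" ssl_certificate)
    case "$cert" in
        "$LE_DIR"/fullchain.pem) ;;
        *) echo "$f: ssl_certificate is not the Let's Encrypt chain: ${cert:-missing}"
           findings=$((findings + 1)) ;;
    esac
    ciphers=$(directive "$f" ssl_ciphers)
    case "$ciphers" in
        *HIGH*|*DEFAULT*|"")
            echo "$f: catch-all cipher list, permits non-forward-secret RSA suites: ${ciphers:-missing}"
            findings=$((findings + 1)) ;;
    esac
    [ "$findings" -eq 0 ]
}

# renew_hostname_cert: renew only what is due; the deploy hook runs just when a
# certificate was actually replaced and uses the post's own syntax-check and
# restart commands so cwpsrv picks up the new files under live/.
renew_hostname_cert() {
    certbot renew --quiet \
        --deploy-hook '/usr/local/cwpsrv/bin/cwpsrv -t && systemctl restart httpd && sh /scripts/restart_cwpsrv'
}

case "${1:-}" in
    audit) rc=0; for f in $CONF_FILES; do audit_tls_conf "$f" || rc=1; done; exit "$rc" ;;
    renew) renew_hostname_cert ;;
    *) echo "usage: $0 audit|renew   (e.g. run 'renew' daily from cron)" >&2 ;;
esac
```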
Now browse all the links below; you should not get any certificate warning.
CWP Admin Panel Link (by hostname)
CWP Admin Panel Link: http://host.datahead.biz:2030
CWP Admin Panel Link: http://host.datahead.biz:2086
CWP Admin Panel SSL Link: https://host.datahead.biz:2031
CWP Admin Panel SSL Link: https://host.datahead.biz:2087

CWP User Panel Link (by hostname)
CWP User Panel Link: http://host.datahead.biz:2082
CWP User Panel SSL Link: https://host.datahead.biz:2083
Check your SSL settings with:
https://www.ssllabs.com/ssltest/
https://www.sslshopper.com/
For any kind of assistance:
Email: dna[at]mdrubelhossain.com
