Sentora virtual domains SSL setup – Let’s Encrypt Certificates
I won’t discuss here why you would want to use Let’s Encrypt Certificates, but 3 of the main reasons for me are:
- Certificates are free
- Certificates are automatically updated. So it becomes a set and forget affair. No more fiddling around every 1, 2 or 3 years.
- Automatic updates are done every 3 months. So the certificates are always fresh.
And now for the setup on a fully up-to-date Sentora CentOS 6.7 server.
Run:

    yum -y install mod_ssl wget nc netcat; wget -O - https://get.acme.sh | sh

This will install the standalone certificate management software that will get and update your certificates from Let’s Encrypt.
This is how you use it (issue a certificate for example.com, where the HTTP site files are actually located in /home/wwwroot/example.com):

    /root/.acme.sh/acme.sh --issue -d example.com -w /home/wwwroot/example.com

The output contains a variety of information you will need to configure Apache. Keep it.
Then just add this to your crontab, so your certificates will be automatically updated/renewed:

    vim /etc/crontab

    # Entries in /etc/crontab need a user field after the schedule (root here)
    34 0 * * * root "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null

Now the Apache setup
If you have SSL enabled on your Sentora admin panel, disable it and see below how to integrate it again.
Add this:

    # Custom SSL Apache config
    Include /etc/zpanel/configs/apache/httpd-ssl-vhosts.conf

to:

    vim /etc/sentora/configs/apache/httpd.conf

Create the file:

    vim /etc/zpanel/configs/apache/httpd-ssl-vhosts.conf

And fill it with the details for your sites like this (Hint: You will find this in /etc/zpanel/configs/apache/httpd-vhosts.conf):

    # This is needed only once for multiple SSL/https virtual hosts
    NameVirtualHost *:443

    # DOMAIN: example.com
    <virtualhost *:443>
        ServerName example.com
        ServerAdmin admin@example.com
        DocumentRoot "/var/sentora/hostdata/zadmin/public_html/example_com"
        php_admin_value open_basedir "/var/sentora/hostdata/zadmin/public_html/example_com:/var/sentora/temp/"
        php_admin_value suhosin.executor.func.blacklist "passthru, show_source, shell_exec, system, pcntl_exec, popen, pclose, proc_open, proc_nice, proc_terminate, proc_get_status, proc_close, leak, apache_child_terminate, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, escapeshellcmd, escapeshellarg, exec"
        ErrorLog "/var/sentora/logs/domains/zadmin/example.com-error.log"
        CustomLog "/var/sentora/logs/domains/zadmin/example.com-access.log" combined
        CustomLog "/var/sentora/logs/domains/zadmin/example.com-bandwidth.log" common
        <Directory "/var/sentora/hostdata/zadmin/public_html/example_com">
            Options +FollowSymLinks -Indexes
            AllowOverride All
            Order Allow,Deny
            Allow from all
        </Directory>
        AddType application/x-httpd-php .php3 .php
        ErrorDocument 500 /_errorpages/500.html
        ErrorDocument 403 /_errorpages/403.html
        ErrorDocument 510 /_errorpages/510.html
        ErrorDocument 404 /_errorpages/404.html
        DirectoryIndex index.html index.htm index.php index.asp index.aspx index.jsp index.jspa index.shtml index.shtm
        # Custom Global Settings (if any exist)
        RewriteEngine on
        RewriteOptions inherit
        # Custom VH settings (if any exist)
        SSLEngine On
        # Placeholder paths: replace them with the file locations printed by acme.sh --issue
        SSLCertificateFile /etc/ssl/certs/domain_name.com/domain_name_com.crt
        SSLCertificateKeyFile /etc/ssl/certs/domain_name.com/domain_name_com.key
        SSLCACertificateFile /etc/ssl/certs/domain_name.com/gs_root.pem
        SSLCertificateChainFile /etc/ssl/certs/domain_name.com/gs_intermediate_ca.crt
    </virtualhost>
    # END DOMAIN: example.com

And now you can add the details for Sentora panel again and re-enable the redirection to ssl for the panel:

    # This is needed only once for multiple SSL/https virtual hosts
    NameVirtualHost *:443

    # Configuration for Sentora control panel.
    <VirtualHost *:443>
        ServerAdmin admin@blue.net.au
        DocumentRoot "/etc/sentora/panel/"
        ServerName sentorapanel.example.com
        ErrorLog "/var/sentora/logs/sentora-error.log"
        CustomLog "/var/sentora/logs/sentora-access.log" combined
        CustomLog "/var/sentora/logs/sentora-bandwidth.log" common
        AddType application/x-httpd-php .php
        <Directory "/etc/sentora/panel/">
            Options +FollowSymLinks -Indexes
            AllowOverride All
            Order allow,deny
            Allow from all
        </Directory>
        # Custom settings are loaded below this line (if any exist)
        SSLEngine On
        SSLCertificateFile /root/.acme.sh/sentorapanel.example.com/sentorapanel.example.com.cer
        SSLCertificateKeyFile /root/.acme.sh/sentorapanel.example.com/sentorapanel.example.com.key
        SSLCACertificateFile /root/.acme.sh/sentorapanel.example.com/ca.cer
        SSLCertificateChainFile /root/.acme.sh/sentorapanel.example.com/fullchain.cer
    </VirtualHost>
    # END Configuration for Sentora control panel.

    # DOMAIN: example.com
    <virtualhost *:443>
        ServerName example.com
        ServerAdmin admin@example.com
        DocumentRoot "/var/sentora/hostdata/zadmin/public_html/example_com"
        php_admin_value open_basedir "/var/sentora/hostdata/zadmin/public_html/example_com:/var/sentora/temp/"
        php_admin_value suhosin.executor.func.blacklist "passthru, show_source, shell_exec, system, pcntl_exec, popen, pclose, proc_open, proc_nice, proc_terminate, proc_get_status, proc_close, leak, apache_child_terminate, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, escapeshellcmd, escapeshellarg, exec"
        ErrorLog "/var/sentora/logs/domains/zadmin/example.com-error.log"
        CustomLog "/var/sentora/logs/domains/zadmin/example.com-access.log" combined
        CustomLog "/var/sentora/logs/domains/zadmin/example.com-bandwidth.log" common
        <Directory "/var/sentora/hostdata/zadmin/public_html/example_com">
            Options +FollowSymLinks -Indexes
            AllowOverride All
            Order Allow,Deny
            Allow from all
        </Directory>
        AddType application/x-httpd-php .php3 .php
        ErrorDocument 500 /_errorpages/500.html
        ErrorDocument 403 /_errorpages/403.html
        ErrorDocument 510 /_errorpages/510.html
        ErrorDocument 404 /_errorpages/404.html
        DirectoryIndex index.html index.htm index.php index.asp index.aspx index.jsp index.jspa index.shtml index.shtm
        # Custom Global Settings (if any exist)
        RewriteEngine on
        RewriteOptions inherit
        # Custom VH settings (if any exist)
        SSLEngine On
        # Placeholder paths: replace them with the file locations printed by acme.sh --issue
        SSLCertificateFile /etc/ssl/certs/domain_name.com/domain_name_com.crt
        SSLCertificateKeyFile /etc/ssl/certs/domain_name.com/domain_name_com.key
        SSLCACertificateFile /etc/ssl/certs/domain_name.com/gs_root.pem
        SSLCertificateChainFile /etc/ssl/certs/domain_name.com/gs_intermediate_ca.crt
    </virtualhost>
    # END DOMAIN: example.com

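
A check worth running on httpd-ssl-vhosts.conf before restarting Apache, as an added example that is not part of the original post: it reports every SSL file directive that still points at a non-existent path (such as the domain_name.com placeholders above) and every private key that group or others can read. The function name audit_ssl_vhosts and its output format are made up for this illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Audits an Apache SSL vhost include file.
# Prints one line per problem: "<ServerName> <directive> <path> <problem>".
# Returns 0 when every referenced file exists and private keys are owner-only.
audit_ssl_vhosts() {
    conf=$1
    # awk emits "ServerName directive path iskey" for each SSL file directive
    # inside a <VirtualHost> block (Apache directive names are case-insensitive).
    problems=$(awk '
        { d = tolower($1) }
        d ~ /^<virtualhost/   { name = "(no-ServerName)"; n = 0; invh = 1; next }
        d == "</virtualhost>" { for (i = 1; i <= n; i++) print name, dir[i], file[i], key[i]; invh = 0; next }
        !invh                 { next }
        d == "servername"     { name = $2 }
        d ~ /^ssl(ca)?certificate(key|chain)?file$/ {
            gsub(/"/, "", $2)
            n++; dir[n] = $1; file[n] = $2; key[n] = (d == "sslcertificatekeyfile")
        }
    ' "$conf" | while read -r name dir file iskey; do
        if [ ! -f "$file" ]; then
            echo "$name $dir $file missing"
        elif [ "$iskey" = 1 ]; then
            # Characters 5-10 of the ls mode string are the group and other bits.
            perms=$(ls -Lld "$file" | cut -c5-10)
            if [ "$perms" != "------" ]; then
                echo "$name $dir $file key-readable-by-group-or-others"
            fi
        fi
    done)
    if [ -n "$problems" ]; then
        printf '%s\n' "$problems"
        return 1
    fi
    return 0
}

# Run as: sh audit.sh /etc/zpanel/configs/apache/httpd-ssl-vhosts.conf
if [ "$#" -gt 0 ]; then
    audit_ssl_vhosts "$1"
fi
```

Apache reads the key as root at startup, so a root-owned key with mode 600 passes this check and still works.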
You might also want to redirect all traffic to your https now.
Put this into your .htaccess file:

    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]