Certificates

03. 09. 2019

Basic configuration and requirements

  • Certificates are issued by the Let’s Encrypt certification authority.
  • First, it is necessary for the DNS records for the Administration interface and Client portal to be set correctly.
  • Second, HTTP (80) and HTTPS (443) must be enabled in Settings / Syst. settings / Security.
  • Last but not least, it is vital to set ServerName for each of the domains in the Apache2 web server configuration.
nano /etc/apache2/sites-available/ispadmin.conf
  • Administration interface:
### ISP admin#
<VirtualHost *:80>
  ServerName admin.mydomain.tld
  DocumentRoot "/data/support_nossl/"
 <Directory /data/support_nossl/>
    Options FollowSymLinks MultiViews
    AllowOverride all
    Require all granted
</Directory>

</VirtualHost>

## ISP Admin SSL
<VirtualHost *:443>
  ServerName admin.mydomain.tld
  DocumentRoot "/data/support/ispadmin/new/www/"
  AddDefaultCharset UTF-8
   <Directory /data/support/ispadmin/new/www/>
    Options +ExecCGI
    Options FollowSymLinks MultiViews
    AllowOverride all
    Require all granted
  </Directory>
  CustomLog /var/log/apache2/access_support_ispadmin.log combined
  AddType application/x-httpd-php .php
  php_admin_value open_basedir "/data/support/:/tmp/:/data/:/usr/local/script/ispadmin/:/data/backup/:/usr/local/nagios/share/"
  php_admin_value include_path ".:/usr/local/lib/php/:/tmp/:/data/support/:/usr/local/script/ispadmin/"
  php_admin_value disable_functions  "pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_ha$
  php_admin_value display_errors "On"
  php_admin_value safe_mode "Off"
  php_admin_value safe_mode_exec_dir "/usr/local/script/ispadmin/"
  php_admin_value safe_mode_allowed_env_vars none
  php_admin_value safe_mode_include_dir ".:/usr/local/lib/php/:/tmp/:/data/support/:/usr/local/script/ispadmin/"
  php_admin_value sendmail_path "/usr/sbin/sendmail -t -i -f webmaster@ispadmin.cz"

  SSLEngine on
  SSLCertificateFile /etc/apache2/certs/ispadmin.eu/ispadmin.crt
  SSLCertificateKeyFile /etc/apache2/certs/ispadmin.eu/private.key
 # SSLCertificateChainFile /etc/apache2/certs/ispadmin.eu/ca.pem
</VirtualHost>
  • Client portal:
## ISP Admin support
<VirtualHost *:80>

  DocumentRoot "/data/support/ispadmin/new/www/clientinterface"
  ServerName clientportal.mydomain.tld

  AddDefaultCharset UTF-8
  <Directory /data/support/ispadmin/new/www/clientinterface>
    Options ExecCGI
    Options FollowSymLinks MultiViews
    AllowOverride all
    Require all granted

  </Directory>
  CustomLog /var/log/apache2/access_support_ispadmin_support.log combined
  AddType application/x-httpd-php .php
  php_admin_value open_basedir "/data/support/:/tmp/:/data/:/usr/local/script/ispadmin/:/data/backup/"
  php_admin_value include_path ".:/usr/local/lib/php/"
  php_admin_value disable_functions  "pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_ha$
  php_admin_value display_errors "On"
  php_admin_value safe_mode "Off"

#  SSLEngine on
#  SSLCertificateFile /etc/apache2/certs/ispadmin.eu/ispadmin.crt
#  SSLCertificateKeyFile /etc/apache2/certs/ispadmin.eu/private.key
#  SSLCertificateChainFile /etc/apache2/certs/ispadmin.eu/ca.pem

</VirtualHost>
  • You can test the configuration using the following command:
apachectl configtest
  • If the configuration test passes (no syntax errors or typos), you can restart the Apache server:
systemctl restart apache2
  • If everything is set up correctly, you should be able to open both the Administration interface and the Client portal. At this stage your browser will also show certificate warnings.

Certificate installation

  • Certificate installation is launched using this command:
/usr/local/script/ispadmin/bin/certificate.pl
  • Enter the DNS records for the Administration interface and the Client portal.
  • Check whether the listed IP addresses correspond to the IP address of the server.
  • If there is a discrepancy, it is necessary to change the DNS records accordingly. Enter n and launch the script again.
  • If everything is all right, the requested certificates are created.
  • At this point, you are asked whether you want the certificates to be installed to the Apache server.
  • If no changes have been made to the Apache server configuration (no custom configuration), you can enter y.
  • If you, for whatever reason, want to install the certificates manually, the screen shows the three locations where the individual parts can be found. Enter n and set the certificates up manually in /etc/apache2/sites-available/ispadmin.conf.
  • If you entered y, the certificates are installed, a backup of the Apache configuration is created and the server is restarted.
  • The certificates are now valid and HTTPS is shown in the address bar of your browser.
  • If everything is set up correctly, the certificates will be renewed automatically every three months.

Automatic certificate renewal failure

If the certificates have not been renewed automatically, check the following:

  • Does Apache use the standard ports?
  • Is global HTTP and HTTPS access from the Internet allowed?
  • Is the server online all the time?
  • Does /etc/crontab contain the following line?
00 05 * * 7     root    /data/ispadmin_cert/acme/acme.sh  --apache --renewAll --home /data/ispadmin_cert/acme --certhome  /data/ispadmin_cert #letsencrypt renew ?
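The requirements listed at the top of this page (DNS records for both hostnames, Apache on ports 80 and 443) and the renewal checklist above can be verified in one run before certificate.pl is started or when a renewal has failed. This is an added example, not part of ISPadmin or its scripts; the hostnames, the server IP (203.0.113.10 is a placeholder) and the crontab path are assumed command-line arguments, and `ss -ltn` is assumed to be available for the port check.

```shell
#!/bin/sh
# Added pre-flight check (not part of ISPadmin or its certificate.pl script).
# Verifies the conditions this page lists: DNS for both hostnames points at the
# server, Apache listens on 80 and 443, and /etc/crontab carries the acme.sh entry.
# Hostnames, server IP and crontab path are taken from the command line (assumed values).

# A records for a hostname, one per line. getent is the default resolver;
# RESOLVE can be overridden with another command or function for offline use.
resolve_a() { getent ahostsv4 "$1" | awk '{ print $1 }' | sort -u; }
RESOLVE=${RESOLVE:-resolve_a}

# True only if DNS returns at least one address for $1 and every address equals $2
# (the comparison certificate.pl asks the operator to confirm with y/n).
dns_points_here() {
    addrs=$($RESOLVE "$1") || return 1
    [ -n "$addrs" ] || return 1
    for a in $addrs; do [ "$a" = "$2" ] || return 1; done
}

# True if a saved 'ss -ltn' listing ($2) shows a listener on TCP port $1.
# Column 4 is Local Address:Port, e.g. 0.0.0.0:80 or [::]:443.
listening_on() {
    awk -v want=":$1" '$4 ~ (want "$") { found = 1 } END { exit !found }' "$2"
}

# True if crontab file $1 has an uncommented acme.sh line with --apache and --renewAll.
renew_cron_present() {
    grep -Ev '^[[:space:]]*#' "$1" | grep -F 'acme.sh' \
        | grep -F -e '--apache' | grep -q -F -e '--renewAll'
}

# Run one check, print PASS/FAIL and remember any failure for the exit code.
check() {
    label=$1; shift
    if "$@"; then echo "PASS  $label"; else echo "FAIL  $label"; failed=1; fi
}
# Usage: sh preflight.sh admin.mydomain.tld clientportal.mydomain.tld 203.0.113.10 [/etc/crontab]
run_preflight() {
    failed=0; listing=${TMPDIR:-/tmp}/ss.$$
    ss -ltn > "$listing" 2>/dev/null || : > "$listing"
    check "DNS for $1 resolves only to $3"   dns_points_here "$1" "$3"
    check "DNS for $2 resolves only to $3"   dns_points_here "$2" "$3"
    check "Apache listening on TCP 80"       listening_on 80 "$listing"
    check "Apache listening on TCP 443"      listening_on 443 "$listing"
    check "acme.sh renewal entry in ${4:-/etc/crontab}" renew_cron_present "${4:-/etc/crontab}"
    rm -f "$listing"; return $failed
}

if [ "$#" -ge 3 ]; then run_preflight "$@"; fi
```

A non-zero exit code means at least one FAIL line was printed; fix those items before re-running certificate.pl or the manual renewal.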

If the automatic certificate renewal process has failed repeatedly, try upgrading the acme utility:

/data/ispadmin_cert/acme/acme.sh --upgrade 

Then, perform manual certificate renewal.

If even that fails, try reinstalling the acme utility:

rm -r /root/.acme.sh
rm -r /root/acme.sh
rm -r /data/ispadmin_cert/acme

Then, run the certificate installation script:

/usr/local/script/ispadmin/bin/certificate.pl

Manual certificate renewal

  • Manual renewal:
/data/ispadmin_cert/acme/acme.sh --apache --renewAll --home  /data/ispadmin_cert/acme --certhome /data/ispadmin_cert
  • Forced manual renewal:
/data/ispadmin_cert/acme/acme.sh --apache --renewAll  --home /data/ispadmin_cert/acme --certhome /data/ispadmin_cert --force 
