[How To] Secure Your Linux Apache UGCC Install With HTTPS For Free Using LetsEncrypt

Having problems with the panel? Have questions? Post here!
Post Reply
canuckbrian
Posts: 18
Joined: Sun Mar 26, 2017 12:56 am
Location: Vancouver, BC

[How To] Secure Your Linux Apache UGCC Install With HTTPS For Free Using LetsEncrypt

Post by canuckbrian »

Hello everyone,

Thought I'd share a quick and easy tutorial on how to turn your non-secured (HTTP) Apache UGCC install into a secured and encrypted (HTTPS) Apache UGCC install. This tutorial will take approximately 10-15 minutes to complete and is only needed on the system running the web panel.
Requirements:
  • FQDN (Fully Qualified Domain Name. Eg: ugcc.example.com)
  • Terminal acccess with root account or a user account that has sudo privileges
  • The Apache web server installed with one or more domain names properly configured through Virtual Hosts that specify ServerName
  • Some Linux command line knowledge (I'll try to make it copy / paste)
*IMPORTANT: Throughout this tutorial I will be using a dummy domain name of ugcc.example.com, replace this with the domain name for your panel in any of the commands that are going to be issued.

We'll be using a free certificate provider called LetsEncrypt: https://letsencrypt.org/. LetsEncrypt has been around for a couple years now and offers a free service for issuing certificates and acting as a Certificate Authority. It also supports an auto-renew feature so that your certificates are always valid and won't expire.

Step 1 - Installing LetsEncrypt

Install the LetsEncrypt client from the official repositories. Issue the following commands to update your apt package indexes and install LetsEncrypt

Code: Select all

sudo apt update
sudo apt install -y python-letsencrypt-apache
After this completes the LetsEncrypt client should be ready to use.

Step 2 - Setting Up The SSL Certificate

Generating the SSL Certificate for Apache using the Let’s Encrypt client is quite straightforward. The client will automatically obtain and install a new SSL certificate that is valid for the domains provided as parameters.

To execute the interactive installation and obtain a certificate that covers only a single domain, run the letsencrypt command as follows, where ugcc.example.com is your domain:

Code: Select all

sudo letsencrypt --apache -d ugcc.example.com
If you want to install a single certificate that is valid for multiple domains or subdomains, you can pass them as additional parameters to the command. The first domain name in the list of parameters will be the base domain used by Let’s Encrypt to create the certificate, and for that reason we recommend that you pass the bare top-level domain name as first in the list, followed by any additional subdomains or aliases:

Code: Select all

sudo letsencrypt --apache -d example.com -d ugcc.example.com
For this example, the base domain will be example.com followed by the subdomain for the panel of ugcc.example.com.

After the dependencies are installed, you will be presented with a step-by-step guide to customize your certificate options. You will be asked to provide an email address for lost key recovery and notices, and you will be able to choose between enabling both http and https access or forcing all requests to redirect to https. It is usually safest to require https, unless you have a specific need for unencrypted http traffic.

When the installation is finished, you should be able to find the generated certificate files at /etc/letsencrypt/live. Apache is restarted as part of the LetsEncrypt installation process, but I like to do it again for good measure.

Code: Select all

sudo service apache2 restart
You can verify the status of your SSL certificate with the following link (don’t forget to replace ugcc.example.com with your panel domain):

Code: Select all

https://www.ssllabs.com/ssltest/analyze.html?d=ugcc.example.com&latest
You should now be able to access your website using a https prefix.

Step 3 - Set Up Auto Renewal

Let’s Encrypt certificates are valid for 90 days, but it’s recommended that you renew the certificates every 60 days to allow a margin of error. The Let's Encrypt client has a renew command that automatically checks the currently installed certificates and tries to renew them if they are less than 30 days away from the expiration date.

To trigger the renewal process for all installed domains, you should run:

Code: Select all

sudo letsencrypt renew
Because we recently installed the certificate, the command will only check for the expiration date and print a message informing that the certificate is not due to renewal yet. The output should look similar to this:

Code: Select all

Processing /etc/letsencrypt/renewal/example.com.conf

   The following certs are not due for renewal yet:
     /etc/letsencrypt/live/example.com/fullchain.pem (skipped)
     No renewals were attempted.
Notice that if you created a bundled certificate with multiple domains, only the base domain name will be shown in the output, but the renewal should be valid for all domains included in this certificate.

A practical way to ensure your certificates won’t get outdated is to create a cron job that will periodically execute the automatic renewal command for you. Since the renewal first checks for the expiration date and only executes the renewal if the certificate is less than 30 days away from expiration, it is safe to create a cron job that runs every week or even every day, for instance.

Let's edit the crontab to create a new job that will run the renewal command every week. To edit the crontab for the root user, run:

Code: Select all

sudo crontab -e
If prompted to select an editor, use nano as it's the most user friendly.

Scroll to the end of your crontab file and paste the following:

Code: Select all

30 2 * * 1 /usr/bin/letsencrypt renew >> /var/log/le-renew.log
Save and exit. This will create a new cron job that will execute the letsencrypt-auto renew command every Monday at 2:30 am. The output produced by the command will be piped to a log file located at /var/log/le-renewal.log.

Conclusion
In this tutorial we discussed what LetsEncrypt is and what it can do for your UGCC install. We installed the LetsEncrypt client and configured it to work with your Apache install. We issued a certificate for your panel domain and tested that it worked. We then configured a Crontab job to auto-renew your certificate every Monday at 2:30am so that it doesn't expire.

I hope this helps some of you, and for anyone using this software for commercial purposes using an HTTPS connection to your panel will give your users peace of mind knowing that their credentials will be secure and safe.
KillerServers.io
Killer Servers, Killer Pricing
Post Reply