Login     Register
Get Social
Posts tagged with: ssl

How to configure Let’s Encrypt on the VestaCP admin interface (8083 port) with CA use

It is assumed that you have a valid domain (the so-called FQDN), which you can use to enter the admin area. In my case, OVH provided a free domain of the form ns123456.ip-x-y-z.eu, which means that I can use it to enter the admin area: https://ns123456.ip-x-y-z.eu:8083/

Step-by-step set up Let’s Encrypt on the VestaCP admin panel (8083 port)

Step 1 – create a domain and find let’s encrypt files

First, in the admin panel, create your domain, if it is not already created. You can use the default user – admin, or any other. Include the use of ssl and let’s encrypt – you will get about the same as in the screenshot:

Let’s encrypt generates SSL certificate files and stores them in /home/[USERNAME]/conf/web (/home/admin/conf/web – in my case)

There is file list :

ssl.ns123456.ip-x-y-z.eu.crt
ssl.ns123456.ip-x-y-z.eu.ca
ssl.ns123456.ip-x-y-z.eu.key
ssl.ns123456.ip-x-y-z.eu.pem

2 Step – find where VestaCP stores its SSL files

It is not necessary to search, we simply know, that they is stored here 🙂

/usr/local/vesta/ssl

and files look so:

certificate.crt
certificate.key

You can carefully rename VestaCP old certificate files (although what prevents our simply removing them?):

mv /usr/local/vesta/ssl/certificate.crt /usr/local/vesta/ssl/certificate_old.crt
mv /usr/local/vesta/ssl/certificate.key /usr/local/vesta/ssl/certificate_old.key

These 2 files are set in the form https://ns123456.ip-x-y-z.eu:8083/edit/server/ -> Vesta SSL

3 step – force the Vesta-Nginx service to use SSL from your domain

Now you probably thought – we’ll just create symbolic links and everything will be fine … But …

But did you notice the problem? In the first case, we have 4 files, and although you can not pay attention to .pem – in the first form we have 3 fields: for CRT, KEY and CA, and in the second – only 2: for CRT and KEY.

Let’s Encrypt has a CA file that is reflected in the field: SSL Certificate Authority / Intermediate

How can this be taken into account in the VestaCP admin on port 8083?

I found for myself such a decision:

Make 1 symbolic link for the KEY file:

ln -s /home/admin/conf/web/ssl.ns123456.ip-x-y-z.eu.key /usr/local/vesta/ssl/certificate.key

and in the second case – you can run this command:

sudo cat /home/admin/conf/web/ssl.ns123456.ip-x-y-z.eu.{crt,ca} > /usr/local/vesta/ssl/certificate.crt

{crt, ca} is a regular expression on bash – it will defend you from writing 2 times the path to the file. It is very important that there is such a sequence – first crt, then ca. If you do the opposite – in the end, the vesta service will not work.

4 step – manually restart Vesta CP and check that everything works in the browser

Restart service:

service vesta restart

Open your domain in the browser with port 8083 and now SSL must be “protected”.

Step 5 – add the “certificate.crt” update task to the cron scheduler

We need to add the following task to the cron scheduler:

30 5 * * * sudo cat /home/admin/conf/web/ssl.ns123456.ip-x-y-z.eu.{crt,ca} > /usr/local/vesta/ssl/certificate.crt && sudo service vesta restart

(look at what time the system cron “let’s encrypt update” task works and you’ll see something like this:

15 5 * * * sudo /usr/local/vesta/bin/v-update-letsencrypt-ssl

it is logical, if our task will be carried out later)

Done!

How to configure Nginx in Vesta CP and get an A+ rating on ssllabs

image - Как настроить Nginx в Vesta CP, чтобы получить A+ рейтинг на ssllabs

Task: setup SSL (https) settings in Nginx config file in order to get grade A+ there: https://www.ssllabs.com/ssltest/

Best way – edit the /usr/local/vesta/data/templates/web/nginx/default.stpl
(the more, so if you will edit something from the panel, than Vesta CP will overwrite any changes made manually in the configuration)

Open in your favorite editor (of course nano :))
nano /usr/local/vesta/data/templates/web/nginx/default.stpl

Add next 4 fragments:

1. Add to field %ip%:%proxy_ssl_port% (in the same line):

ssl http2

2. After server_name:

add_header Strict-Transport-Security "max-age=31536000;" always;
ssl_stapling on;
ssl_stapling_verify on;

3. After ssl_certificate_key %ssl_key%;
ssl_dhparam /home/admin/conf/web/dhparams.pem;
(first you need to generate dhparams.pem and put it in the right folder:
openssl dhparam -out /home/admin/conf/web/dhparams.pem 4096
)

4. (This fragment cannot just be copied from the browser, check for line breaks)

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_prefer_server_ciphers on;

we get something like the following:

server {
listen %ip%:%proxy_ssl_port% ssl http2;
server_name %domain_idn% %alias_idn%;
add_header Strict-Transport-Security "max-age=31536000;" always;
ssl_stapling on;
ssl_stapling_verify on;
ssl on;
ssl_certificate %ssl_pem%;
ssl_certificate_key %ssl_key%;
# ssl_dhparam /home/admin/conf/web/dhparams.pem;
error_log /var/log/%web_system%/domains/%domain%.error.log error;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_prefer_server_ciphers on;

location / {
proxy_pass https://%ip%:%web_ssl_port%;
location ~* ^.+\.(%proxy_extentions%)$ {
root %sdocroot%;
access_log /var/log/%web_system%/domains/%domain%.log combined;
access_log /var/log/%web_system%/domains/%domain%.bytes bytes;
expires max;
try_files $uri @fallback;
}
}

location /error/ {
alias %home%/%user%/web/%domain%/document_errors/;
}

location @fallback {
proxy_pass https://%ip%:%web_ssl_port%;
}

location ~ /\.ht {return 404;}
location ~ /\.svn/ {return 404;}
location ~ /\.git/ {return 404;}
location ~ /\.hg/ {return 404;}
location ~ /\.bzr/ {return 404;}

include %home%/%user%/conf/web/snginx.%domain%.conf*;
}