Thought I'd share a quick and easy tutorial on how to turn your non-secured (HTTP) Apache UGCC install into a secured and encrypted (HTTPS) Apache UGCC install. This tutorial will take approximately 10-15 minutes to complete and is only needed on the system running the web panel.
*IMPORTANT: Throughout this tutorial I will be using a dummy domain name of ugcc.example.com, replace this with the domain name for your panel in any of the commands that are going to be issued.Requirements:
- FQDN (Fully Qualified Domain Name. Eg: ugcc.example.com)
- Terminal acccess with root account or a user account that has sudo privileges
- The Apache web server installed with one or more domain names properly configured through Virtual Hosts that specify ServerName
- Some Linux command line knowledge (I'll try to make it copy / paste)
We'll be using a free certificate provider called LetsEncrypt: https://letsencrypt.org/. LetsEncrypt has been around for a couple years now and offers a free service for issuing certificates and acting as a Certificate Authority. It also supports an auto-renew feature so that your certificates are always valid and won't expire.
Step 1 - Installing LetsEncrypt
Install the LetsEncrypt client from the official repositories. Issue the following commands to update your apt package indexes and install LetsEncrypt
Code: Select all
sudo apt update
sudo apt install -y python-letsencrypt-apache
Step 2 - Setting Up The SSL Certificate
Generating the SSL Certificate for Apache using the Let’s Encrypt client is quite straightforward. The client will automatically obtain and install a new SSL certificate that is valid for the domains provided as parameters.
To execute the interactive installation and obtain a certificate that covers only a single domain, run the letsencrypt command as follows, where ugcc.example.com is your domain:
Code: Select all
sudo letsencrypt --apache -d ugcc.example.com
Code: Select all
sudo letsencrypt --apache -d example.com -d ugcc.example.com
After the dependencies are installed, you will be presented with a step-by-step guide to customize your certificate options. You will be asked to provide an email address for lost key recovery and notices, and you will be able to choose between enabling both http and https access or forcing all requests to redirect to https. It is usually safest to require https, unless you have a specific need for unencrypted http traffic.
When the installation is finished, you should be able to find the generated certificate files at /etc/letsencrypt/live. Apache is restarted as part of the LetsEncrypt installation process, but I like to do it again for good measure.
Code: Select all
sudo service apache2 restart
Code: Select all
https://www.ssllabs.com/ssltest/analyze.html?d=ugcc.example.com&latest
Step 3 - Set Up Auto Renewal
Let’s Encrypt certificates are valid for 90 days, but it’s recommended that you renew the certificates every 60 days to allow a margin of error. The Let's Encrypt client has a renew command that automatically checks the currently installed certificates and tries to renew them if they are less than 30 days away from the expiration date.
To trigger the renewal process for all installed domains, you should run:
Code: Select all
sudo letsencrypt renew
Code: Select all
Processing /etc/letsencrypt/renewal/example.com.conf
The following certs are not due for renewal yet:
/etc/letsencrypt/live/example.com/fullchain.pem (skipped)
No renewals were attempted.
A practical way to ensure your certificates won’t get outdated is to create a cron job that will periodically execute the automatic renewal command for you. Since the renewal first checks for the expiration date and only executes the renewal if the certificate is less than 30 days away from expiration, it is safe to create a cron job that runs every week or even every day, for instance.
Let's edit the crontab to create a new job that will run the renewal command every week. To edit the crontab for the root user, run:
Code: Select all
sudo crontab -e
Scroll to the end of your crontab file and paste the following:
Code: Select all
30 2 * * 1 /usr/bin/letsencrypt renew >> /var/log/le-renew.log
Conclusion
In this tutorial we discussed what LetsEncrypt is and what it can do for your UGCC install. We installed the LetsEncrypt client and configured it to work with your Apache install. We issued a certificate for your panel domain and tested that it worked. We then configured a Crontab job to auto-renew your certificate every Monday at 2:30am so that it doesn't expire.
I hope this helps some of you, and for anyone using this software for commercial purposes using an HTTPS connection to your panel will give your users peace of mind knowing that their credentials will be secure and safe.