Let’s Encrypt your OnApp Control Panel, and enforce SSL

Zack Grindall
Cloud Architect

Let’s Encrypt is a fast and free way to obtain SSL certificates. In this guide I’ll be showing you how to obtain a Let’s Encrypt certificate for your OnApp Control Panel – in under 2 minutes!

I’ve also included instructions for forcing all traffic over HTTPS at the bottom of this article.

This guide is split into two parts – instructions for OnApp running on CentOS 7, and for OnApp running on CentOS 6.
CentOS 7

For the purposes of this article, we will use the Certbot client, as it automates the Let’s Encrypt certificate issuing process. To use Certbot, you must first enable the EPEL repository:

yum install epel-release

After doing this, you can install Certbot by running:

sudo yum install certbot-apache

Now we can obtain an SSL certificate. Replace ‘testlab1cp.onappdev.com’ with the FQDN you are using for the OnApp CP.

sudo certbot --authenticator standalone --installer apache -d testlab1cp.onappdev.com --pre-hook "service httpd stop" --post-hook "service httpd start"

You’ll be asked for a few basic details during the first part of this process.

When you’re asked which virtual host you’d like to use, select the onapp.conf VirtualHost that is shown with HTTPS. I have included an example below:

During the last part of the process, you’ll be asked whether you want to redirect HTTP traffic to HTTPS. If you would like to redirect all HTTP traffic, I recommend doing this manually; instructions are at the bottom of this article.

Let’s Encrypt certificates expire after 90 days, so let’s add a cron job which runs at noon and midnight every day. Note that /etc/crontab is the system crontab, so each entry needs a user field before the command; this one runs as root:

echo "0 0,12 * * * root python -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew" >> /etc/crontab

(It won’t do anything until your certificate is due for renewal or has been revoked, but running it regularly gives your OnApp CP a better chance of staying online should Let’s Encrypt revoke the certificate for some reason.)

CentOS 6

For the purposes of this article, we will use the Certbot client, as it automates the Let’s Encrypt certificate issuing process. However, since CentOS 6 doesn’t seem to have a packaged version of Certbot, you should use the certbot-auto script to get a copy:

wget https://dl.eff.org/certbot-auto

chmod a+x certbot-auto

Now we can obtain an SSL certificate. Replace ‘testlab1cp.onappdev.com’ with the FQDN you are using for the OnApp CP.

sudo ./path/to/certbot-auto --authenticator standalone --installer apache -d testlab1cp.onappdev.com --pre-hook "service httpd stop" --post-hook "service httpd start"

You’ll be asked for a few basic details during the first part of this process.

When you’re asked which virtual host you’d like to use, select the onapp.conf VirtualHost that is shown with HTTPS. I have included an example below:

During the last part of the process, you’ll be asked whether you want to redirect HTTP traffic to HTTPS. If you would like to redirect all HTTP traffic, I recommend doing this manually; instructions are at the bottom of this article.

An example cron job might look like this; it runs at noon and midnight every day. As /etc/crontab is the system crontab, the entry needs a user field before the command, so this one runs as root:

echo "0 0,12 * * * root python -c 'import random; import time; time.sleep(random.random() * 3600)' && ./path/to/certbot-auto renew" >> /etc/crontab

(It won’t do anything until your certificate is due for renewal or has been revoked, but running it regularly gives your OnApp CP a better chance of staying online should Let’s Encrypt revoke the certificate for some reason.)

That’s it!

Please note: at the time of writing, Let’s Encrypt has disabled the TLS-SNI challenge, so the standalone authenticator has to answer the HTTP-01 challenge on port 80, which the OnApp web server is already listening on. That is why I have added pre-hook and post-hook commands to stop the web server during the certificate creation process and start it again once the certificate has been created.

Force all HTTP traffic over HTTPS

You should open /etc/httpd/conf.d/onapp.conf in your preferred editor and replace the following:

<VirtualHost *:80>
    ServerName CP01.testlab1
    RailsAppSpawnerIdleTime 0
    DocumentRoot /onapp/interface/public
    LimitRequestBody 1073741824
    <Directory /onapp/interface/public>
        AllowOverride all
        Options -MultiViews
        Require all granted
    </Directory>
</VirtualHost>

with this:

<VirtualHost *:80>
    RewriteEngine On
    RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]
</VirtualHost>

Once you’ve saved those changes, please restart the web server:

service httpd restart
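To confirm the outcome of the steps above (plain HTTP redirected to HTTPS on the CP’s own FQDN, and a certificate that is not about to lapse), here is a small check script. It is an added example, not part of this article or of OnApp or Certbot; it assumes curl and openssl on the host you run it from and reads the CP’s FQDN from a CP_HOST variable (an assumed name).

```shell
#!/bin/sh
# Post-change checks for the OnApp CP (added example; assumes curl and openssl
# on the host you run it from, and the CP's FQDN in CP_HOST, an assumed name).

# Verify the :80 vhost answers with a 301 whose Location is https:// on the
# expected FQDN. Reads the raw response headers (e.g. from curl -sI) on stdin
# so it can be exercised offline. Checking the host, not just the scheme,
# also catches a redirect that merely echoes an arbitrary Host header.
check_redirect() {
    expected_host=$1
    headers=$(cat)
    status=$(printf '%s\n' "$headers" | head -n 1 | awk '{print $2}')
    location=$(printf '%s\n' "$headers" \
        | awk 'tolower($1) == "location:" {print $2}' | tr -d '\r')
    [ "$status" = "301" ] || return 1
    case "$location" in
        "https://$expected_host/"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 if the PEM certificate stays valid for at least DAYS more days
# (default 30, the window in which certbot renew will act), 1 otherwise.
cert_ok_for_days() {
    pem=$1
    days=${2:-30}
    openssl x509 -noout -in "$pem" -checkend $((days * 86400)) >/dev/null 2>&1
}

# Live run against the CP; skipped when CP_HOST is not set.
if [ -n "$CP_HOST" ]; then
    if curl -sI "http://$CP_HOST/" | check_redirect "$CP_HOST"; then
        echo "HTTP -> HTTPS redirect enforced for $CP_HOST"
    else
        echo "WARNING: plain HTTP is not redirected to https://$CP_HOST/"
    fi
    tmp=$(mktemp)
    openssl s_client -connect "$CP_HOST:443" -servername "$CP_HOST" \
        </dev/null 2>/dev/null | openssl x509 -outform PEM > "$tmp"
    if cert_ok_for_days "$tmp" 30; then
        echo "certificate valid for more than 30 days"
    else
        echo "WARNING: certificate expires within 30 days; check certbot renew"
    fi
    rm -f "$tmp"
fi
```

Run it as `CP_HOST=testlab1cp.onappdev.com sh check-cp.sh` (file name of your choosing) from any machine that can reach the CP; a warning on the certificate line a few days after issuance means the cron entry above is not running.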

 

I hope that helps!