Resolved
0 votes
Hello,

I am very much new to ClearOS. We have been using ClearOS to host our website and email accounts IN-HOUSE for several years now and we love it. :) Thank you so much ClearOS for a fine product. Since the guy who took care of the system left, I have been in charge of it and learning the system as I work on it on an as-needed basis.

Just recently, I was told to make our website's connection secure and I don't know where to begin or start. I have been looking on the Internet for a simple and straightforward solution or answer, but they are all over the place, so I can't seem to get going with this. As a start I looked into the server setting on the server's webconfig. It shows me that under https://192.168.1.95:81/app/web_server/sites/edit/our-domain-name SSL Certificate is set for Self-Signed - Default Certificate. Plus, I also checked https://192.168.1.95:81/app/certificate_manager and found the following two certificates in the list.


Certificate Authority ca-cert.pem
Default Certificate sys-0-cert.pem

I don't know if this means SSL certificate is installed and up and running to provide secure connection for our website traffic. I have tested our website and it still says Unsecure connection


Should I be following the [HOWTO] Letsencrypt Free Certficates for clearOS 7.3 posting and the original poster's instructions to do what I am looking to do?

I am running ClearOS 7.2-1.

For right now, all I want to do is use a FREE SSL Certificate for our web secure connection.
Please, could someone give me step-by-step instructions? I would appreciate it.
Thank you.
Wednesday, December 12 2018, 05:07 PM

Accepted Answer

Wednesday, December 12 2018, 05:35 PM - #Permalink
Resolved
0 votes
Nothing so complicated. There is now a Let's Encrypt app in the marketplace and the certificates are integrated with the Web Server app (there is a dropdown box in the Web Server app). You can also use the certificate for the Webconfig.

Before you create the certificate, think of which domains you'd like it to cover. It can cover all domains as long as they resolve back to your WAN IP.

One thing to note with Let's Encrypt certificates: they auto-renew every two months and for the few seconds of the renewal process your web server gets taken down. This is usually overnight, but if you need your site to have almost permanent availability you'll need to purchase a longer lasting certificate.
Responses (6)
  • Accepted Answer

    Wednesday, December 12 2018, 08:44 PM - #Permalink
    Resolved
    0 votes
    Thank you for your reply.

    That is awesome... The only problem is that I cannot find the Let's Encrypt app in my Marketplace. We do have a paid subscription. I don't understand why... Our ClearOS is 7.2-1.
  • Accepted Answer

    Wednesday, December 12 2018, 10:31 PM - #Permalink
    Resolved
    0 votes
    You should not be on 7.2. If you have automatic updates enabled you should be at 7.5. What are the contents of /etc/clearos-release? If it is really on 7.2, can you try a "yum update" to bring it up to date?

    Filtering the Marketplace on "certificate" should find it.
  • Accepted Answer

    Thursday, December 13 2018, 01:38 PM - #Permalink
    Resolved
    0 votes
    cat /etc/clearos-release
    says ClearOs release 7.2.0 (final)

    If I do start the update of ClearOS while it is running or serving websites and emails, will it stop running for the duration of the update or run in the background seamlessly? Also, will I have to make any major changes to ClearOS manually once it is updated for it to run like before?

    I did filter the Marketplace and all I got was Certificate Manager (which is already installed) and a bunch of other apps that did not include the Let's Encrypt app.

    Sorry for all the questions. I just want to make sure. Thanks.
  • Accepted Answer

    Thursday, December 13 2018, 01:54 PM - #Permalink
    Resolved
    0 votes
    A manual "yum update" may briefly restart services at the end. They do not go down for the duration. Normally you'd leave updates automatically enabled and they happen overnight - between 2am and 4am. If you wanted just to enable automatic updates so it can run tonight, you may want to pre-emptively run:
    yum upgrade app-base
    It should bring in another couple of packages. You should not have to do anything manually afterwards, although a reboot may be a good idea to get the latest kernel into use.

    Note that by running 7.2 without updates you will be missing a number of security fixes including for the Meltdown and Spectre vulnerabilities.

    Also note that it is possible you'll have issues doing an update. A few systems were affected, I think, when going from 7.3 to 7.4, which needed manual intervention to fix, but the number was only about 10 out of all the installations. It also depends if your previous sysadmin did any manual changes such as installing kmod NIC drivers. All issues should be readily fixable.
  • Accepted Answer

    Thursday, December 13 2018, 07:39 PM - #Permalink
    Resolved
    0 votes
    Hi Nick,

    I followed your suggestions and recommendations to the teeth. I was able to upgrade the Marketplace and update the whole server to 7.5.0 or to the latest. I was even brave enough to go ahead and reboot the system... lol...

    Thankfully, everything is working as it should with no error, mainly the email server and the website. :) Then, I was able to run through the Marketplace and find and install the Let's Encrypt app successfully. I was a little confused as to how to proceed from here. I found the WikiSuite tutorial on how to install Let's Encrypt and assign a certificate. Again, everything worked as it should. I am able to check that the web connection is secure by simply visiting our website in Firefox. However, I have a few questions to ask if you don't mind.

    1.) What if I want to go back to Self-Signed - SSL Certificate?
    Once I added my email address and the domain names with and without www., it created a free Let's Encrypt SSL certificate after a few seconds and then displayed when it will expire. However, I noticed that I can no longer switch back to the Self-Signed Certificate, because the edit and/or delete button disappeared. All I can do is VIEW. How would I do that?

    2.) Why does my browser say Secure Connection for the main domain name ONLY and not for all the other webpages within that domain?
    When I go to our main domain name or URL, the web browser says the web connection is secure with the lock icon in green. However, once I click or visit any webpages within our website, my browser says the web connection is not secure. Did I forget to do something?

    3.) How do I automatically renew Let's Encrypt Free SSL after it expires after 30 days?
    After the Free Let's Encrypt SSL expires, I want to automatically renew it. Is there a way to do it?

    Thanks,
  • Accepted Answer

    Thursday, December 13 2018, 08:44 PM - #Permalink
    Resolved
    0 votes
    Did you try clicking on the documentation icon (slanted book) in the webconfig for instructions? They should cover the full set up.

    Answering your questions:
    1 - The self-signed certificate is still there and being used by default. Now go into the Web Server app and select the certificate you want to use for your web site.
    2 - See 1) and go to the Web Server app
    3 - The app looks after itself. The certificates expire after 90 days but will automatically try to renew themselves every day from 60 days.
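A way to confirm from the shell which certificate the site is actually serving, and whether the automatic renewal described in the last answer is keeping up. This is an added example, not part of the thread or of ClearOS; the function names, the sample subject `www.example.test`, and the 30-day threshold (derived from the 90-day lifetime and day-60 renewal quoted above) are assumptions.

```shell
#!/usr/bin/env bash
# Added example: report the issuer and renewal state of a PEM certificate.
# RENEW_DAYS=30 assumes the 90-day lifetime / day-60 renewal quoted in the thread.
RENEW_DAYS=30

# fetch_cert HOST [PORT]: print the leaf certificate a server presents, as PEM.
fetch_cert() {
    openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -outform PEM
}

# cert_field FILE (-issuer|-subject): print the name without its "issuer=" prefix.
cert_field() {
    openssl x509 -in "$1" -noout "$2" | sed 's/^[a-z]*= *//'
}

# cert_self_issued FILE: succeed when issuer and subject are the same name,
# i.e. no separate CA signed the certificate.
cert_self_issued() {
    [ "$(cert_field "$1" -issuer)" = "$(cert_field "$1" -subject)" ]
}

# cert_state FILE: print expired, renew-due or ok.
# -checkend N exits non-zero when the certificate expires within N seconds.
cert_state() {
    if ! openssl x509 -in "$1" -noout -checkend 0 >/dev/null; then
        echo expired
    elif ! openssl x509 -in "$1" -noout -checkend $((RENEW_DAYS * 86400)) >/dev/null; then
        echo renew-due
    else
        echo ok
    fi
}

# make_sample_cert FILE DAYS: constructed self-signed certificate for offline checks.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
        -days "$2" -subj "/O=Constructed Sample/CN=www.example.test" 2>/dev/null
}

# With a host name as the first argument, inspect the live site.
if [ -n "$1" ]; then
    tmp=$(mktemp) && fetch_cert "$1" >"$tmp"
    echo "issuer: $(cert_field "$tmp" -issuer)"
    if cert_self_issued "$tmp"; then echo "note:   issuer equals subject"; fi
    echo "state:  $(cert_state "$tmp")"
    rm -f "$tmp"
fi
```

A certificate that stays in `renew-due` for more than a day or two means the daily renewal attempts are failing and the Let's Encrypt app's logs need a look before the certificate expires.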