HostVein

VestaCP Admin Panel Lets Encrypt HTTPS:// - Mun - 09-29-2017

By default, VestaCP doesn't provide a valid HTTPS cert for the admin panel. This can be annoying for you and your users. Further, it lowers your mail delivery rate.

So, what can you do about this? One option is to buy an SSL cert and smack it into the control panel. However, if you are like me and have no real reason to buy a valid certificate from one of the big companies to appease your clients, then Let's Encrypt will do fine.

Step 1!

Log in to your VestaCP control panel as your admin user. In there, go to the web section and create a new web domain using the name you currently use to access your VestaCP admin panel. Make sure to remove any aliases that don't exist as entries in your DNS (e.g. www.mypanel.example.com). Uncheck DNS support, and uncheck Mail support. Select SSL support, and then Lets Encrypt Support. Now "Add" the domain and wait for the SSL certificate to be generated.

Step 2!

Go to your VestaCP domain without the 8083 port, and make sure you are getting a valid green certificate. Once your valid cert has been generated, go to the next step. If it hasn't been generated and you have waited the 5 minutes for VestaCP to generate it, check the logs and try adding the SSL again. This is usually caused by a bad alias or by the name you entered not being populated in DNS.

Step 3!

Log in to your VestaCP server over SSH and get root access. Now change directories to the SSL store for the VestaCP admin panel.

Code:
cd /usr/local/vesta/ssl


Now let's move the old certificates somewhere safe for later.

Code:
mkdir backupCerts
mv certificate.* backupCerts/

Now, the big step! We are going to "pirate" the cert we made when adding the domain. We are going to do this with symbolic links. (Make sure to link the domain's .pem file, not its .crt file, as certificate.crt. If you link the .crt instead, the result is a not fully valid SSL cert.)

Code:
ln -s /home/admin/conf/web/ssl.< Your VestaCP Domain >.key /usr/local/vesta/ssl/certificate.key

ln -s /home/admin/conf/web/ssl.< Your VestaCP Domain >.pem /usr/local/vesta/ssl/certificate.crt


Restart VestaCP. (This is for Debian, and might be different for other operating systems.)

Code:
service vesta restart

Step 4!

Check your admin panel, and make sure you now have a valid cert in place. If you do, yay! If not, please double-check all the steps. Remember that we kept the backup certs just in case, so you can put them back in place.


Step 5! (( Maillllll Love! ))

If you are using VestaCP for mail, then we have created a small issue. Currently our mail cannot access the cert to encrypt emails. However, this is a quick fix.

As root, using your SSH connection, go to your admin conf folder.

Code:
cd /home/admin/conf/web/

Now the fun magic: we are going to give the cert files mail group privileges.

Code:
chown root:mail ssl.< Your VestaCP Domain >.*

Restart VestaCP and exim4 again, and check to make sure SSL is still working.

Code:
service vesta restart

service exim4 restart


Step 6!

Validate that SSL is working for your admin panel. After it is working, make sure your mail is working too! You can check via https://www.checktls.com/perl/live/TestReceiver.pl. I usually use [email protected]< Your VestaCP Domain > for the test. Look through the logs and you should find:


Code:
[005.315]         Cert Hostname VERIFIED

At that point you are good to go!

Step Bugssssssss!

From my experience VestaCP deletes and recreates the certs. I have yet to have any issues with the admin panel, but it does remove the mail rights we added in step 5/6. So, you may have to repeat this on occasion.

I really hope this helps! I tested this all on VestaCP 0.9.8 R17.
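
The state that steps 3 and 5 set up, and that "Step Bugs" says can be reset, can be checked with a small script. This is an added example, not part of the original post: it verifies that the two panel symlinks point at the domain's .key and .pem files and that the ssl.<domain>.* files carry the mail group. The script name is hypothetical, `stat -c` assumes GNU coreutils (as on Debian), and the paths are the ones used above.

```shell
#!/bin/sh
# Added example (not from the original post): report when the panel symlinks
# from step 3 or the mail group from step 5 are no longer in place.

# check_links SSL_DIR CONF_DIR DOMAIN
# Succeeds only if certificate.key/.crt are symlinks to the domain's .key/.pem.
check_links() {
    ssl_dir=$1; conf_dir=$2; domain=$3; rc=0
    for pair in "certificate.key:key" "certificate.crt:pem"; do
        link="$ssl_dir/${pair%%:*}"
        want="$conf_dir/ssl.$domain.${pair##*:}"
        have=$(readlink "$link" 2>/dev/null) || have=""
        if [ "$have" != "$want" ]; then
            echo "BAD  $link -> ${have:-none} (expected $want)"
            rc=1
        elif [ ! -s "$want" ]; then
            echo "BAD  $link points at a missing or empty file"
            rc=1
        fi
    done
    return $rc
}

# check_group CONF_DIR DOMAIN GROUP
# Succeeds only if ssl.DOMAIN.* files exist and all have group GROUP.
check_group() {
    conf_dir=$1; domain=$2; group=$3; rc=0
    set -- "$conf_dir/ssl.$domain".*
    [ -e "$1" ] || { echo "BAD  no ssl.$domain.* files in $conf_dir"; return 1; }
    for f in "$@"; do
        have=$(stat -c %G "$f")   # GNU stat: print the group name
        [ "$have" = "$group" ] || { echo "BAD  $f has group $have, expected $group"; rc=1; }
    done
    return $rc
}

# Usage (as root, e.g. from cron): sh check-panel-cert.sh mypanel.example.com
# check-panel-cert.sh is a hypothetical name for this file.
if [ $# -gt 0 ]; then
    status=0
    check_links /usr/local/vesta/ssl /home/admin/conf/web "$1" || status=1
    check_group /home/admin/conf/web "$1" mail || status=1
    [ "$status" -eq 0 ] && echo "OK   symlinks and mail group are in place for $1"
    exit "$status"
fi
```

A non-zero exit with a group message means step 5 needs repeating; a symlink message means step 3 does.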