Let’s Encrypt Plugin in cPanel

To use Let’s Encrypt in cPanel, you need to install a special plugin.
To do this, connect to the server over SSH and run the following command as the root user:

/scripts/install_lets_encrypt_autossl_provider

After installing the Let’s Encrypt plug-in, you can use it in the AutoSSL management menu (WHM >> Home >> SSL/TLS >> Manage AutoSSL).

If you need to remove the plugin, then run the command:

/usr/local/cpanel/scripts/uninstall_lets_encrypt_autossl_provider

See also:
Installing Certbot in Ubuntu

Installing Certbot in Ubuntu

As a test, I will install the ACME client Certbot on Ubuntu 16.04 (xenial); it obtains free Let’s Encrypt SSL certificates valid for 90 days and renews them automatically.
On other versions of Ubuntu, the Certbot client is installed in a similar way.

The first step is to add the Certbot repository and perform the installation:

sudo apt-get update
sudo apt-get install software-properties-common
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install python-certbot-apache

Now run Certbot to get an SSL certificate:

sudo certbot --apache

If you want to edit the Apache2 configuration manually so that Certbot does not change it, you can run the following command instead:

sudo certbot --apache certonly

After running the command, you must select the site for which you want to request an SSL certificate.

After receiving the certificate, the following information was displayed:

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/example.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/example.com/privkey.pem
Your cert will expire on 2018-08-01. To obtain a new or tweaked
version of this certificate in the future, simply run certbot again
with the "certonly" option. To non-interactively renew *all* of
your certificates, run "certbot renew"
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.

A separate site configuration file for HTTPS was created, and lines that redirect from HTTP to HTTPS were added; in general, the changes are similar to those I described in this article – Installing and Configuring Let’s Encrypt SSL.

To renew the certificates, run the following command:

sudo certbot renew

You can also add a command to Cron for automatic updates, see my article – Using and configuring CRON

Example of adding to Cron (every Monday at 3:15):

sudo crontab -e
15 3 * * 1 certbot renew >> /var/log/certbot-renew.log

Or to /etc/crontab:

15 7 * * 1 root certbot renew >> /var/log/certbot-renew.log

To test renewal, you can run the following command (configuration and certificates will not be affected):

sudo certbot renew --dry-run

If the certificate is not yet due for renewal and the update is run, nothing will happen.
To renew certificates, apache2 must also be listening on port 80.
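A cron job that runs certbot renew can stop working without anyone noticing (for example if port 80 is no longer reachable), so it helps to check the remaining certificate lifetime independently. The script below is an added example, not part of the original article; the function names and the 20-day threshold are assumptions, and the directory is the one shown in the Certbot output above.

```shell
#!/bin/sh
# Added example: flag certificates that are close to expiry.
# LIVE_DIR is the path printed by Certbot above; WARN_DAYS is an assumed threshold.
LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live}"
WARN_DAYS="${WARN_DAYS:-20}"

# cert_expires_within FILE DAYS
# Returns 0 if FILE expires within DAYS days (or cannot be parsed), 1 otherwise.
cert_expires_within() {
    # "openssl x509 -checkend N" exits 0 only if the cert is still valid in N seconds.
    if openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# check_live_certs DIR DAYS
# Prints one status line per DIR/<name>/fullchain.pem; returns the number flagged.
check_live_certs() {
    due=0
    for cert in "$1"/*/fullchain.pem; do
        [ -f "$cert" ] || continue          # glob did not match, or broken symlink
        end=$(openssl x509 -in "$cert" -noout -enddate 2>/dev/null | cut -d= -f2)
        if cert_expires_within "$cert" "$2"; then
            echo "WARN $cert expires within $2 days (notAfter: ${end:-unreadable})"
            due=$((due + 1))
        else
            echo "OK   $cert (notAfter: $end)"
        fi
    done
    return "$due"
}

# Run from cron as root (the live directory is readable only by root);
# a non-zero exit status means at least one certificate needs attention.
check_live_certs "$LIVE_DIR" "$WARN_DAYS"
```

An unreadable or corrupt certificate file is reported as WARN as well, so the check fails closed.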

To update the version of Certbot itself, run the following commands:

sudo apt update
sudo apt install certbot

See also my article:
How to change email after registering Certbot (Let’s Encrypt)

Installing and Configuring Let’s Encrypt SSL

As a test, I will install Let’s Encrypt, which issues free SSL certificates valid for 90 days and re-issues them automatically.

Assume that Apache2 is installed on Ubuntu Server and serves one site, configured in the file /etc/apache2/sites-available/test.conf and enabled with:

sudo a2ensite test
sudo service apache2 restart

See the configuration example in my article – Installing and Configuring the Apache2 Web Server
The site is served over HTTP on port 80; now we start the installation of Let’s Encrypt:

sudo apt-get update
sudo apt-get install git
sudo git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt

Change to the directory with Let’s Encrypt and request a certificate for the site:

cd /opt/letsencrypt
sudo ./letsencrypt-auto --apache -d example.com

You can also request a certificate that covers the www subdomain:

sudo ./letsencrypt-auto --apache -d example.com -d www.example.com

In this article I replaced the real name of the site with example.com. To receive a certificate, the site must be accessible by its domain name from the Internet.
For resources inside a private network, with a private (gray) IP address, you cannot get a certificate.

After receiving the certificate, another configuration file /etc/apache2/sites-available/test-le-ssl.conf was created and activated with the following contents:

<IfModule mod_ssl.c>
<VirtualHost *:443>
     ServerName example.com
     DocumentRoot /var/www/test/

     <Directory /var/www/test>
     Options -Indexes
     AllowOverride All
     Order allow,deny
     allow from all
     </Directory>

     ErrorLog /var/log/test.error.log
     CustomLog /var/log/test.access.log combined
SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>

Since I agreed to redirect HTTP requests to HTTPS while obtaining the certificate, the following was added at the end of my configuration file /etc/apache2/sites-available/test.conf:

RewriteEngine on
RewriteCond %{SERVER_NAME} =example.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

After the certificate expires, you can update it with the command:

sudo /opt/letsencrypt/letsencrypt-auto renew

You can also add a command to Cron for automatic updates, see my article – Using and configuring CRON

Example of adding to Cron (every Monday at 3:15):

sudo crontab -e
15 3 * * 1 /opt/letsencrypt/letsencrypt-auto renew >> /var/log/letsencrypt-renew.log

If the certificate is not yet due for renewal and the update command is executed, nothing happens:

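Saving debug log to /var/log/letsencrypt/letsencrypt.log
-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/example.com.conf
-------------------------------------------------------------------------------
Cert not yet due for renewal
-------------------------------------------------------------------------------
The following certs are not due for renewal yet:
/etc/letsencrypt/live/example.com/fullchain.pem expires on 2018-08-01 (skipped)
No renewals were attempted.
-------------------------------------------------------------------------------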

See also:
Installing Certbot in Ubuntu

How to configure SSL and HTTPS for WordPress

I recently set up SSL certificates on several WordPress sites.

The sites were hosted on a dedicated server running Ubuntu, so the first thing I did was create a directory for the certificates and switch to it:

sudo mkdir /etc/apache2/ssl
cd /etc/apache2/ssl

Enable the SSL module for Apache2 if it is not enabled:

sudo a2enmod ssl

Then I generated the private key and the certificate signing request (CSR):

sudo openssl req -nodes -newkey rsa:2048 -keyout /etc/apache2/ssl/example.com.key -out /etc/apache2/ssl/example.com.csr

In the process of generation, several questions had to be answered:
Country Name (2 letter code) [AU]: UA (code of the country)
State or Province Name (full name) [Some-State]: Sumy
Locality Name (eg, city) []: Romny
Organization Name (eg, company) [Internet Widgits Pty Ltd]: Private person
Organizational Unit Name (eg, section) []: (empty or the name of the department)
Common Name (e.g. server FQDN or YOUR name) []: example.com (domain name, without http and https)
Email Address []: admin@example.com

You can also have the generated request (the contents of example.com.csr) signed through a domain registrar.
The procedure is cheap, and once the signed certificate is installed, the message that the certificate is not signed will no longer be displayed.

Since there are several sites, the configuration files for each of them are located in the directory /etc/apache2/sites-enabled/.
I’ll choose one of them, and at the very end, after the standard directive:

<VirtualHost *:80> ...</VirtualHost>

add one more, this time for port 443, and specify the paths to the certificate files:

<VirtualHost *:443>
ServerAdmin admin@example.com
ServerName example.com
ServerAlias www.example.com
DocumentRoot /var/www/example.com/
        <Directory />
                Options -Indexes
                AllowOverride All
        </Directory>
        <Directory /var/www/example.com/>
                Options -Indexes
                AllowOverride All
                Order allow,deny
                allow from all
        </Directory>
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/example_com.crt
SSLCertificateKeyFile /etc/apache2/ssl/example.com.key
SSLCertificateChainFile /etc/apache2/ssl/example_com.ca-bundle
ErrorLog /var/log/apache2/example_error-ssl.log
LogLevel warn
CustomLog /var/log/apache2/example_access-ssl.log combined
</VirtualHost>

After the changes, check the configuration and restart apache2:

sudo apachectl configtest 
sudo service apache2 restart

To allow logging in to WordPress and using the admin area over HTTPS only, uncomment the following parameters in wp-config.php:

define('FORCE_SSL_LOGIN', true);
define('FORCE_SSL_ADMIN', true);

You can also change the address of the site from http:// to https:// in the admin panel, under “Settings” – “General”.
In robots.txt, specify the site address with https, for example:

Host: https://ixnfo.com

The links in sitemap.xml should also use https.
In search engines you need to request re-indexing of the sitemap; in Yandex.Webmaster, submit a request under “Move the site” by ticking “Add HTTPS”.
In Google Search Console, you need to add the same site with https; it will be indexed separately from the http version.

Done, now the site can be opened over https.

See also my article – Redirecting requests to SSL

Solving the SSL problem “Connection is not secure – Parts of this page are not secure (such as images)”

I once noticed, on a site with a signed SSL certificate, the following message from the Mozilla Firefox browser:

Connection is not secure – Parts of this page are not secure (such as images)

As it turned out, images from other sources were embedded on the site, so the connection is considered not secure. To solve this problem, upload the images to the current site and change the links on the pages so that they start with https://.

If the site is served over both http:// and https:// and the images are hosted on it, change the links, for example from:

<img src="http://www.ixnfo.com/img.jpg">

to

<img src="/img.jpg">

Done.
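To find every such reference instead of waiting for the browser warning, the saved HTML of a page can be scanned for subresources still loaded over http://. The script below is an added example, not part of the original article; the function name and the sample page are constructed for illustration, and it covers src attributes of embedding tags plus stylesheet links.

```shell
#!/bin/sh
# Added example: list insecure (http://) subresources referenced by an HTML file.

# find_mixed_content FILE -> prints each insecure subresource URL once, sorted
find_mixed_content() {
    # Join lines so that tags split over several lines are matched as well,
    # then pick out only tags that load a subresource.
    tr '\n' ' ' < "$1" \
    | grep -oiE '<(img|script|iframe|embed|audio|video|source|link)[[:space:]][^>]*>' \
    | while IFS= read -r tag; do
        case "$tag" in
            \<[Ll][Ii][Nn][Kk]*)
                attr=href
                # Only stylesheets are fetched; canonical/alternate links are not.
                printf '%s\n' "$tag" | grep -qiE 'rel=["'\'']?stylesheet' || continue ;;
            *)  attr=src ;;
        esac
        # Keep the attribute value only if it is an absolute http:// URL.
        printf '%s\n' "$tag" \
        | grep -oiE "[[:space:]]$attr=[\"']?http://[^\"' >]+" \
        | sed -E 's/^[^=]*=["'\'']?//'
      done | sort -u
}

# Constructed sample page (not taken from a real site).
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
<html><head>
<link rel="canonical" href="http://www.example.com/">
<link rel="stylesheet" href="http://cdn.example.net/style.css">
</head><body>
<a href="http://other.example.org/">plain link, not mixed content</a>
<img src="http://www.example.com/img.jpg">
<img src="/img.jpg">
<script src="https://www.example.com/app.js"></script>
</body></html>
EOF

find_mixed_content "$sample"
```

Ordinary hyperlinks and relative or https:// references are left out of the result, because they do not trigger the warning.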