Let’s Encrypt Plugin in cPanel

To use Let’s Encrypt in cPanel, you need to install a special plugin.
To do this, connect to the server over SSH and run the following command as root:

/scripts/install_lets_encrypt_autossl_provider

After installing the Let’s Encrypt plug-in, you can use it in the AutoSSL management menu (WHM >> Home >> SSL/TLS >> Manage AutoSSL).

If you need to remove the plugin, then run the command:

/usr/local/cpanel/scripts/uninstall_lets_encrypt_autossl_provider

See also:
Installing Certbot in Ubuntu

Installing Certbot in Ubuntu

As a test, I will install the ACME client Certbot on Ubuntu 16.04 (xenial). It obtains free Let’s Encrypt SSL certificates, valid for 90 days, and renews them automatically.
On other versions of Ubuntu, the Certbot client is installed in the same way.

The first step is to add the Certbot repository and perform the installation:

sudo apt-get update
sudo apt-get install software-properties-common
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install python-certbot-apache

If nginx is used instead of apache2, then instead of the last command, execute:

sudo apt-get install python-certbot-nginx

Now run Certbot to get an SSL certificate:

sudo certbot --apache

Or:

sudo certbot --nginx

If you want to edit the Apache2 configuration manually, so that Certbot does not change it, run the following command instead:

sudo certbot --apache certonly

Or:

sudo certbot --nginx certonly

After running the command, you must select the site for which you want to request an SSL certificate.

After receiving the certificate, the following information was displayed:

IMPORTANT NOTES:
– Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/example.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/example.com/privkey.pem
Your cert will expire on 2018-08-01. To obtain a new or tweaked
version of this certificate in the future, simply run certbot again
with the “certonly” option. To non-interactively renew *all* of
your certificates, run “certbot renew”
– Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.

Certbot created a separate site configuration file for HTTPS and added lines to the existing one that redirect from HTTP to HTTPS. In general the changes are similar to those I described in this article – Installing and Configuring Let’s Encrypt SSL.

To renew the certificates, run the following command:

sudo certbot renew

You can also add the command to cron for automatic renewal; see my article – Using and configuring CRON

Example of adding to Cron (every Monday at 3:15):

sudo crontab -e
15 3 * * 1 certbot renew >> /var/log/certbot-renew.log

Or to /etc/crontab:

15 7 * * 1 root certbot renew >> /var/log/certbot-renew.log

If the certificates are also used by Postfix and Dovecot, these services must be restarted to load the new certificate. This can be done by adding a post-hook to the command:

15 7 * * 1 root certbot renew --post-hook "service postfix restart; service dovecot restart" >> /var/log/certbot-renew.log

For a test renewal, you can run the following command (the configuration and certificates are not affected):

sudo certbot renew --dry-run

If the certificate expires and the update is run, nothing will happen.
To renew certificates, apache2 must also be listening on port 80.

To update the version of Certbot itself, run the following commands:

sudo apt update
sudo apt install certbot

If Certbot was installed, for example, with apache2, and apache2 was later removed and nginx installed instead, you need to change the “authenticator” and “installer” values in the files /etc/letsencrypt/renewal/*.
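
One way to make that change across several renewal files, as an added example that is not part of the original article. The function names switch_plugin and make_sample_dir, the sample file names and their contents are constructed for illustration; the files are assumed to carry "authenticator = ..." and "installer = ..." lines.

```shell
#!/bin/sh
# Added example (not from the original article): rewrite the plugin named in
# Certbot renewal configs after switching web servers, e.g. apache -> nginx.

# switch_plugin DIR OLD NEW: change "authenticator"/"installer" lines whose
# value is exactly OLD to NEW in DIR/*.conf; prints the number of files changed.
switch_plugin() {
    dir=$1; old=$2; new=$3; changed=0
    pat="^(authenticator|installer)[[:space:]]*=[[:space:]]*${old}[[:space:]]*\$"
    for conf in "$dir"/*.conf; do
        [ -f "$conf" ] || continue
        grep -Eq "$pat" "$conf" || continue   # other plugins (webroot, ...) untouched
        cp -p "$conf" "$conf.bak"             # copy kept for rollback
        sed -E "s/${pat}/\\1 = ${new}/" "$conf.bak" > "$conf"
        changed=$((changed + 1))
    done
    echo "$changed"
}

# Constructed sample data: two renewal files in a temporary directory.
make_sample_dir() {
    d=$(mktemp -d)
    printf '%s\n' 'cert = /etc/letsencrypt/live/example.com/cert.pem' \
        '[renewalparams]' 'authenticator = apache' 'installer = apache' \
        > "$d/example.com.conf"
    printf '%s\n' '[renewalparams]' 'authenticator = webroot' \
        > "$d/static.example.com.conf"
    echo "$d"
}

sample=$(make_sample_dir)
echo "files changed: $(switch_plugin "$sample" apache nginx)"
grep -E '^(authenticator|installer)' "$sample"/*.conf
rm -rf "$sample"
```

After switching the real files, sudo certbot renew --dry-run confirms that renewal works with the new plugin.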

See also my articles:
Redirecting requests to SSL
How to change email after registering Certbot (Let’s Encrypt)
The problem with multiple SSL on the same IP

How to configure SSL and HTTPS for WordPress

I recently set up SSL certificates on several WordPress sites.

The sites were hosted on a dedicated server running Ubuntu, so first I created a directory for the certificates and switched to it:

sudo mkdir /etc/apache2/ssl
cd /etc/apache2/ssl

Enable the SSL module for Apache2 if it is not enabled:

sudo a2enmod ssl

Then I generated the private key and the certificate signing request (CSR):

sudo openssl req -nodes -newkey rsa:2048 -keyout /etc/apache2/ssl/example.com.key -out /etc/apache2/ssl/example.com.csr

In the process of generation, several questions had to be answered:
Country Name (2 letter code) [AU]: UA (code of the country)
State or Province Name (full name) [Some-State]: Sumy
Locality Name (eg, city) []: Romny
Organization Name (eg, company) [Internet Widgits Pty Ltd]: Private person
Organizational Unit Name (eg, section) []: (empty or the name of the department)
Common Name (e.g. server FQDN or YOUR name) []: example.com (domain name, without http and https)
Email Address []: admin@example.com

You can also have the generated request (the contents of example.com.csr) signed through a domain registrar.
The procedure is cheap, and once the signed certificate is installed, the message that the certificate is not signed is no longer displayed.

Since there are several sites, the configuration file for each of them is located in the directory /etc/apache2/sites-enabled/.
I’ll take one of them and, at the very end, after the standard block:

<VirtualHost *:80> ...</VirtualHost>

we will add one more, this time for port 443, and specify the paths to the certificate files:

<VirtualHost *:443>
        ServerAdmin admin@example.com
        ServerName example.com
        ServerAlias www.example.com
        DocumentRoot /var/www/example.com/
        <Directory />
                Options -Indexes
                AllowOverride All
        </Directory>
        <Directory /var/www/example.com/>
                Options -Indexes
                AllowOverride All
                Order allow,deny
                allow from all
        </Directory>
        SSLEngine on
        # Signed certificate and CA bundle received after signing the CSR
        SSLCertificateFile /etc/apache2/ssl/example_com.crt
        # Private key written by the openssl req command above
        SSLCertificateKeyFile /etc/apache2/ssl/example.com.key
        SSLCertificateChainFile /etc/apache2/ssl/example_com.ca-bundle
        ErrorLog /var/log/apache2/example_error-ssl.log
        LogLevel warn
        CustomLog /var/log/apache2/example_access-ssl.log combined
</VirtualHost>

After the changes, check the configuration and restart apache2:

sudo apachectl configtest 
sudo service apache2 restart

To allow logging in to WordPress and using the admin area over HTTPS only, uncomment the following parameters in wp-config.php:

define('FORCE_SSL_LOGIN', true);
define('FORCE_SSL_ADMIN', true);

You can also change the address of the site from http:// to https:// in the admin panel, under “Settings” – “General”.
In robots.txt, specify the site address with https, for example:

Host: https://ixnfo.com

Also in sitemap.xml there should be links with https.
In the search engines you need to request re-indexing of the sitemap; in Yandex.Webmaster, submit a request under “Move the site” with “Add HTTPS” ticked.
In Google Search Console, you need to add the same site with https; it will be indexed separately from http.

Done, now the site can be opened over https.

See also my article – Redirecting requests to SSL

Solving the SSL problem “Connection is not secure – Parts of this page are not secure (such as images)”

I once noticed, on a site with a signed SSL certificate, this message from the Mozilla Firefox browser:

Connection is not secure – Parts of this page are not secure (such as images)

As it turned out, images from other sources had been inserted into the site, so the connection cannot be considered protected. To solve this problem, upload the images to the site itself and change the links on the pages so that they start with https://.

If the site is served over both http:// and https:// and the images are hosted on it, change the links, for example, from:

<img src="http://www.ixnfo.com/img.jpg">

to

<img src="/img.jpg">

Done.

Redirecting requests to SSL

I will describe several options for redirecting requests from HTTP to HTTPS; the first and second methods are the most reliable:

1) Using virtual hosts.
In the site configuration, add a “Redirect” line. For example, when an SSL certificate has been installed on the site and you need to redirect all requests to HTTPS:

NameVirtualHost *:80
<VirtualHost *:80>
   ServerName ixnfo.com
   ServerAlias www.ixnfo.com
   Redirect / https://ixnfo.com/
</VirtualHost>

<VirtualHost *:443>
   ServerName ixnfo.com
   ServerAlias www.ixnfo.com
   DocumentRoot /var/www/html
   SSLEngine On
   ...
</VirtualHost>

If you want to redirect only some requests:

NameVirtualHost *:80
<VirtualHost *:80>
   ServerName ixnfo.com
   ServerAlias www.ixnfo.com
   Redirect /forum https://forum.ixnfo.com/
</VirtualHost>

<VirtualHost *:443>
   ServerName ixnfo.com
   ServerAlias www.ixnfo.com
   DocumentRoot /var/www/html
   SSLEngine On
   ...
</VirtualHost>

2) Redirecting using .htaccess.
As in the first option, put a .htaccess file in the desired directory of the site and add the line below to it (for the web server to take the .htaccess file into account, the option AllowOverride All must be set in the site configuration, as above):

Redirect /forum https://forum.ixnfo.com/

3) The non-recommended way, using mod_rewrite; add the following to the .htaccess file:

# Enabling the Rewrite function
RewriteEngine On
# Verify that the connection is not HTTPS
RewriteCond %{HTTPS} !=on
# We are sending to the same place, but already HTTPS:
RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]

Another example:

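<IfModule mod_rewrite.c>
Options +FollowSymLinks
RewriteEngine On
# Only redirect requests that did not arrive over HTTPS
RewriteCond %{HTTPS} !=on
# Only redirect clients that send a non-empty User-Agent
RewriteCond %{HTTP_USER_AGENT} ^(.+)$
# Only redirect the site's own host names
RewriteCond %{SERVER_NAME} ^ixnfo\.com$ [OR]
RewriteCond %{SERVER_NAME} ^www\.ixnfo\.com$
RewriteRule .* https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]
</IfModule>
# The Header directive is provided by mod_headers, not mod_rewrite
<IfModule mod_headers.c>
Header always set Strict-Transport-Security "max-age=300"
</IfModule>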

To let some pages open over both http and https, add the following conditions to the example above:

RewriteCond %{REQUEST_URI} !^/dir/
RewriteCond %{REQUEST_URI} !^/dir/file.php
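
A check for the redirect options above, as an added example that is not part of the original article: a plain Redirect line and the [R] flag answer with 302 by default, while [R=301] answers with 301, and the script tells the two apart and reads the Strict-Transport-Security max-age. The function names and the sample responses are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article). All sample responses below
# are constructed.

# check_redirect HOST: reads response headers (as printed by `curl -sI`) on
# stdin; prints ok-permanent, ok-temporary or "fail: <reason>".
check_redirect() {
    awk -v host="$1" '
        { sub(/\r$/, "") }                      # header lines end in CRLF
        NR == 1 { status = $2; next }           # status line, e.g. HTTP/1.1 301 ...
        tolower($1) == "location:" { loc = $2 }
        END {
            if (status !~ /^30[1278]$/) { print "fail: status " status; exit }
            if (index(loc, "https://" host "/") != 1 && loc != ("https://" host)) {
                print "fail: location " loc; exit
            }
            kind = (status ~ /^30[18]$/) ? "ok-permanent" : "ok-temporary"
            print kind
        }'
}

# hsts_max_age: reads response headers on stdin; prints the max-age value of
# the Strict-Transport-Security header, or "none" when the header is absent.
hsts_max_age() {
    awk '
        { sub(/\r$/, "") }
        tolower($1) == "strict-transport-security:" {
            if (match(tolower($0), /max-age=[0-9]+/)) {
                print substr($0, RSTART + 8, RLENGTH - 8); found = 1; exit
            }
        }
        END { if (!found) print "none" }'
}

# Constructed responses: default Redirect (302), [R=301] with HSTS, no redirect.
sample_302() { printf 'HTTP/1.1 302 Found\r\nLocation: https://ixnfo.com/\r\n\r\n'; }
sample_301() { printf 'HTTP/1.1 301 Moved Permanently\r\nLocation: https://ixnfo.com/forum\r\nStrict-Transport-Security: max-age=300\r\n\r\n'; }
sample_200() { printf 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n'; }

for s in sample_302 sample_301 sample_200; do
    echo "$s: $($s | check_redirect ixnfo.com), HSTS max-age: $($s | hsts_max_age)"
done
```

Against a live server the input comes from curl -sI http://ixnfo.com/ for check_redirect and from the https:// URL for hsts_max_age, since browsers honour the HSTS header only on HTTPS responses.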

See also:
Using .htaccess
How to configure SSL and HTTPS for WordPress
Installing Certbot in Ubuntu