We have already published articles covering the installation of the osTicket system on CentOS 8 and Ubuntu Linux. In those installation guides, the Apache web server was configured to serve osTicket over the insecure HTTP protocol.
If the target audience of your osTicket system is the general public, accessing it over the internet, then the application needs to be secured with SSL/TLS. In this guide we explain all the steps required to secure an osTicket installation using free Let’s Encrypt SSL certificates.
We’ll use Certbot to request SSL certificates from the Let’s Encrypt Certificate Authority. The tool is not available by default and needs to be installed manually.
Step 1: Install certbot certificate generation tool
Install certbot on Ubuntu / Debian:
# Install certbot on Ubuntu / Debian
sudo apt update
## Apache
sudo apt install python-certbot-apache
## Nginx
sudo apt install python-certbot-nginx
Install certbot on CentOS 8 / CentOS 7:
On a CentOS system, run the command that matches your release and web server:
# RHEL 8 and Apache
sudo yum -y install python3-certbot-apache
# RHEL 8 and Nginx
sudo yum -y install python3-certbot-nginx
# CentOS 7 and Apache
sudo yum -y install python2-certbot-apache
# CentOS 7 and Nginx
sudo yum -y install python2-certbot-nginx
Step 2: Update osTicket Apache Configurations
Adjust the next command to your environment and run it. It obtains a single certificate using the /var/www/osTicket/upload webroot directory.
sudo certbot certonly --webroot -w /var/www/osTicket/upload -d osticket.geeksforgeeks.org
Where:
- /var/www/osTicket/upload is the osTicket webroot
- osticket.geeksforgeeks.org is a domain with a valid DNS A record pointing to the hosting server
Enter an email address used for urgent renewal and security notices:
$ sudo certbot certonly --webroot -w /var/www/osTicket/upload -d osticket.geeksforgeeks.org
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Enter email address (used for urgent renewal and security notices)
(Enter 'c' to cancel): [email protected]
Read and Accept terms of service:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
Optionally agree to share your email address with the Electronic Frontier Foundation:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
Account registered.
The Let’s Encrypt certificate generation process should then begin:
Requesting a certificate for osticket.geeksforgeeks.org and www.osticket.geeksforgeeks.org
Performing the following challenges:
http-01 challenge for osticket.geeksforgeeks.org
http-01 challenge for www.osticket.geeksforgeeks.org
Using the webroot path /var/www/osTicket/upload for all unmatched domains.
Waiting for verification...
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Requesting a certificate for osticket.geeksforgeeks.org
Subscribe to the EFF mailing list (email: [email protected]).
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/osticket.geeksforgeeks.org/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/osticket.geeksforgeeks.org/privkey.pem
Your certificate will expire on 2021-06-27. To obtain a new or
tweaked version of this certificate in the future, simply run
certbot again. To non-interactively renew *all* of your
certificates, run "certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
Next, update the web server configuration file for osTicket to use the new certificate.
The original web server configuration file for osTicket looks like this:
$ sudo vim /etc/httpd/conf.d/osticket.conf
<VirtualHost *:80>
ServerAdmin [email protected]
DocumentRoot /var/www/osTicket/upload
ServerName osticket.geeksforgeeks.org
<Directory /var/www/osTicket/>
Options FollowSymlinks
AllowOverride All
Require all granted
</Directory>
ErrorLog /var/log/httpd/osticket_error.log
CustomLog /var/log/httpd/osticket_access.log combined
</VirtualHost>
Back up the httpd configuration file:
sudo cp /etc/httpd/conf.d/osticket.conf{,.bak}
Open the file for editing:
sudo vim /etc/httpd/conf.d/osticket.conf
Paste the contents below and modify them to match your domain:
# osTicket configuration using Let's Encrypt SSL
<VirtualHost *:80>
ServerName osticket.geeksforgeeks.org
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R=301,L]
</VirtualHost>
<VirtualHost *:443>
ServerAdmin [email protected]
DocumentRoot /var/www/osTicket/upload
ServerName osticket.geeksforgeeks.org
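<Directory /var/www/osTicket/upload/>
# Indexes (directory listing) is left out, matching the original vhost's Options
Options FollowSymLinks MultiViews
AllowOverride All
# Apache 2.4 access control; the 2.2-style Order/Allow lines are not needed
Require all granted
</Directory>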
ErrorLog /var/log/httpd/osticket_error.log
CustomLog /var/log/httpd/osticket_access.log combined
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/osticket.geeksforgeeks.org/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/osticket.geeksforgeeks.org/privkey.pem
</VirtualHost>
Confirm configuration syntax is okay:
$ sudo /usr/sbin/httpd -t
Syntax OK
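The syntax test above only validates grammar, so the following static check (an added example, not part of the original guide) audits a vhost file for the TLS directives configured in this step and flags two weak settings. The function names, the finding messages and the osticket.example.org sample are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an Apache vhost file for the TLS settings this guide configures.
# Prints one line per finding; returns 0 when the file is clean, 1 otherwise.
audit_vhost() {
    findings=0
    # Drop leading whitespace and comment lines so disabled directives are ignored.
    body=$(sed -e 's/^[[:space:]]*//' -e '/^#/d' "$1")
    has()  { printf '%s\n' "$body" | grep -Eiq "$1"; }
    note() { echo "FINDING: $1"; findings=$((findings + 1)); }

    has '^<VirtualHost[[:space:]]+[^>]*:443>' || note "no :443 VirtualHost"
    has '^SSLEngine[[:space:]]+on[[:space:]]*$' || note "SSLEngine is not on"
    has '^SSLCertificateFile[[:space:]]+.*/fullchain\.pem' || note "SSLCertificateFile is not fullchain.pem"
    has '^SSLCertificateKeyFile[[:space:]]+.*/privkey\.pem' || note "SSLCertificateKeyFile is not privkey.pem"
    has '^RewriteRule[[:space:]].*https://.*R=301' || note "no permanent redirect from HTTP to HTTPS"
    # "-Indexes" disables listings and is deliberately not matched.
    if has '^Options[[:space:]](.*[[:space:]])?\+?Indexes'; then note "Options Indexes allows directory listings"; fi
    if has '^(Order|Allow|Deny)[[:space:]]'; then note "Apache 2.2 access directives mixed with Require"; fi
    [ "$findings" -eq 0 ]
}

# Constructed sample vhost (osticket.example.org is a placeholder name).
write_sample() {
    cat > "$1" <<'EOF'
<VirtualHost *:80>
    ServerName osticket.example.org
    RewriteEngine On
    RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R=301,L]
</VirtualHost>
<VirtualHost *:443>
    ServerName osticket.example.org
    <Directory /var/www/osTicket/upload/>
        Options Indexes FollowSymLinks
        Order allow,deny
        Require all granted
    </Directory>
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/osticket.example.org/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/osticket.example.org/privkey.pem
</VirtualHost>
EOF
}

sample=$(mktemp)
write_sample "$sample"
audit_vhost "$sample" || echo "review the findings above before restarting Apache"
rm -f "$sample"
```

To check a real deployment, call audit_vhost with the path of the vhost file, for example /etc/httpd/conf.d/osticket.conf.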
Restart the httpd or apache2 service, depending on your operating system:
# Ubuntu / Debian (the ssl module is required for the SSLEngine directives)
sudo a2enmod rewrite expires ssl
sudo systemctl restart apache2
# CentOS / RHEL
sudo systemctl restart httpd
The service should report an active (running) status:
$ systemctl status httpd
● httpd.service - The Apache HTTP Server
Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
Drop-In: /usr/lib/systemd/system/httpd.service.d
└─php-fpm.conf
Active: active (running) since Mon 2021-03-29 12:30:26 UTC; 8s ago
Docs: man:httpd.service(8)
Main PID: 9299 (httpd)
Status: "Started, listening on: port 443, port 80"
Tasks: 213 (limit: 11232)
Memory: 27.7M
CGroup: /system.slice/httpd.service
├─9299 /usr/sbin/httpd -DFOREGROUND
├─9301 /usr/sbin/httpd -DFOREGROUND
├─9302 /usr/sbin/httpd -DFOREGROUND
├─9303 /usr/sbin/httpd -DFOREGROUND
└─9304 /usr/sbin/httpd -DFOREGROUND
Mar 29 12:30:26 osticket.geeksforgeeks.org systemd[1]: httpd.service: Succeeded.
Mar 29 12:30:26 osticket.geeksforgeeks.org systemd[1]: Stopped The Apache HTTP Server.
Mar 29 12:30:26 osticket.geeksforgeeks.org systemd[1]: Starting The Apache HTTP Server...
Mar 29 12:30:26 osticket.geeksforgeeks.org systemd[1]: Started The Apache HTTP Server.
Mar 29 12:30:26 osticket.geeksforgeeks.org httpd[9299]: Server configured, listening on: port 443, port 80
For Nginx configuration check the osTicket Nginx recipe.
Certificate renewal:
$ sudo /usr/bin/certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/osticket.neveropen.tech.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The following certificates are not due for renewal yet:
/etc/letsencrypt/live/osticket.geeksforgeeks.org/fullchain.pem expires on 2021-06-27 (skipped)
No renewals were attempted.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
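For automated renewals, schedule one of the following commands via cron:
# The certificate was issued with the webroot authenticator, so Apache must keep
# running during renewal; reload it only after a certificate was actually renewed.
# Ubuntu / Debian
sudo /usr/bin/certbot renew --deploy-hook "systemctl reload apache2"
# RHEL Based systems
sudo /usr/bin/certbot renew --deploy-hook "systemctl reload httpd"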
Step 3: Access osTicket Web Portal
Open the osTicket web portal to confirm that the website loads over HTTPS.
If you click the lock icon, the browser will tell you that the connection to the site is secure.
Click on “More Information” to get more details about the certificate.
Your osTicket installation is now secured with a Let’s Encrypt SSL certificate. We hope this guide was helpful.