
How To Secure osTicket with Let’s Encrypt SSL Certificates

We already have articles that cover the installation of the osTicket system on CentOS 8 and Ubuntu Linux systems. In those installation guides, the Apache web server was configured to serve osTicket over the insecure HTTP protocol.

If the target audience of the osTicket system is the general public, accessing it over the internet, then the application needs to be secured using SSL/TLS. In this guide we will explain all the steps required to secure an osTicket installation using free Let’s Encrypt SSL certificates.

We’ll use Certbot to request SSL certificates from the Let’s Encrypt Certificate Authority. The tool is not available by default and needs to be installed manually.

Step 1: Install certbot certificate generation tool

Install certbot on Ubuntu / Debian:

sudo apt update

## Apache (on newer releases the package is named python3-certbot-apache)
sudo apt install python-certbot-apache

## Nginx (on newer releases the package is named python3-certbot-nginx)
sudo apt install python-certbot-nginx

Install certbot on CentOS 8 / CentOS 7:

On a CentOS system, run the command that matches your release and web server:

# RHEL 8 and Apache
sudo yum -y install python3-certbot-apache

# RHEL 8 and Nginx
sudo yum -y install python3-certbot-nginx

# CentOS 7 and Apache
sudo yum -y install python2-certbot-apache

# CentOS 7 and Nginx
sudo yum -y install python2-certbot-nginx

Step 2: Update osTicket Apache Configurations

Adjust the following command to your domain and run it to obtain a single certificate using the /var/www/osTicket/upload webroot directory.

sudo certbot certonly --webroot -w /var/www/osTicket/upload -d osticket.geeksforgeeks.org

Where:

  • /var/www/osTicket/upload is the osTicket webroot
  • osticket.geeksforgeeks.org is a domain with a valid DNS A record pointing to the hosting server

Enter an email address used for urgent renewal and security notices:

$ sudo certbot certonly --webroot -w /var/www/osTicket/upload -d osticket.geeksforgeeks.org
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Enter email address (used for urgent renewal and security notices)
(Enter 'c' to cancel): [email protected]

Read and Accept terms of service:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y

Optionally agree to share your email address with the Electronic Frontier Foundation:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
Account registered.

The Let’s Encrypt certificate generation process should begin:

Requesting a certificate for osticket.geeksforgeeks.org and www.osticket.geeksforgeeks.org
Performing the following challenges:
http-01 challenge for osticket.geeksforgeeks.org
http-01 challenge for www.osticket.geeksforgeeks.org
Using the webroot path /var/www/osTicket/upload for all unmatched domains.
Waiting for verification...
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Requesting a certificate for osticket.geeksforgeeks.org
Subscribe to the EFF mailing list (email: [email protected]).

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/osticket.geeksforgeeks.org/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/osticket.geeksforgeeks.org/privkey.pem
   Your certificate will expire on 2021-06-27. To obtain a new or
   tweaked version of this certificate in the future, simply run
   certbot again. To non-interactively renew *all* of your
   certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Next, update the osTicket web server configuration file to use the new certificate.

Original web server configuration file for osTicket:

$ sudo vim /etc/httpd/conf.d/osticket.conf
<VirtualHost *:80>
     # Placeholder address: replace with your own
     ServerAdmin webmaster@example.com
     DocumentRoot /var/www/osTicket/upload
     ServerName osticket.geeksforgeeks.org
     <Directory /var/www/osTicket/>
          Options FollowSymlinks
          AllowOverride All
          Require all granted
     </Directory>

     ErrorLog /var/log/httpd/osticket_error.log
     CustomLog /var/log/httpd/osticket_access.log combined
</VirtualHost>

Back up the httpd config file:

sudo cp /etc/httpd/conf.d/osticket.conf{,.bak}

Open the file for editing:

sudo vim /etc/httpd/conf.d/osticket.conf

Paste the contents below, adjusting them to your domain:

# osTicket configuration using Let's Encrypt SSL
<VirtualHost *:80>
        ServerName osticket.geeksforgeeks.org
        # Send every plain-HTTP request to the HTTPS vhost
        RewriteEngine On
        RewriteCond %{HTTPS} !=on
        RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R=301,L]
</VirtualHost>
<VirtualHost *:443>
        # Placeholder address: replace with your own
        ServerAdmin webmaster@example.com
        DocumentRoot /var/www/osTicket/upload
        ServerName osticket.geeksforgeeks.org
        <Directory /var/www/osTicket/upload/>
                # Indexes is left out so directories are never listed
                Options FollowSymLinks MultiViews
                AllowOverride All
                # Apache 2.4 access control; the 2.2-style Order/Allow lines are not needed alongside it
                Require all granted
        </Directory>
        ErrorLog  /var/log/httpd/osticket_error.log
        CustomLog /var/log/httpd/osticket_access.log combined
        SSLEngine on
        SSLCertificateFile /etc/letsencrypt/live/osticket.geeksforgeeks.org/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/osticket.geeksforgeeks.org/privkey.pem
</VirtualHost>

Confirm configuration syntax is okay:

$ sudo /usr/sbin/httpd -t
Syntax OK
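
The syntax test only confirms that the file parses; a vhost that still serves plain HTTP passes it as well. The script below is an added example, not part of the original guide, that checks a vhost file for the redirect and TLS directives used above. The function name audit_vhost and the osticket.example.com samples are constructed for illustration.

```shell
# Added example: audit an Apache vhost file for the HTTPS settings used in this guide.
# audit_vhost [FILE] prints one finding per line; returns non-zero if there are any.
audit_vhost() {
    awk '
    { line = tolower($0); sub(/^[ \t]+/, "", line) }
    line ~ /^#/               { next }
    line ~ /^<virtualhost/    { port = 0
                                if (line ~ /:80>/)  port = 80
                                if (line ~ /:443>/) port = 443
                                next }
    line ~ /^<\/virtualhost>/ { port = 0; next }
    port == 80  && line ~ /^(rewriterule|redirect)[ \t].*https:\/\// { redirect = 1 }
    port == 443 && line ~ /^sslengine[ \t]+on/          { ssl = 1 }
    port == 443 && line ~ /^sslcertificatefile[ \t]/    { cert = 1 }
    port == 443 && line ~ /^sslcertificatekeyfile[ \t]/ { key = 1 }
    line ~ /^options[ \t]/ && line ~ /[ \t][+]?indexes/ { listing = 1 }
    END {
        if (!redirect) { print "no http-to-https redirect in the port 80 vhost"; n++ }
        if (!ssl)      { print "no port 443 vhost with SSLEngine on"; n++ }
        if (ssl && !(cert && key)) { print "SSLCertificateFile or SSLCertificateKeyFile missing"; n++ }
        if (listing)   { print "Options Indexes allows directory listings"; n++ }
        exit (n > 0)
    }' "$@"
}

# Constructed sample: an HTTP-only vhost like the one the guide starts from.
sample_http_only() { cat <<'EOF'
<VirtualHost *:80>
    ServerName osticket.example.com
    DocumentRoot /var/www/osTicket/upload
</VirtualHost>
EOF
}

# Constructed sample: redirect plus TLS vhost, modelled on the guide's final config.
sample_https() { cat <<'EOF'
<VirtualHost *:80>
    ServerName osticket.example.com
    RewriteEngine On
    RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R=301,L]
</VirtualHost>
<VirtualHost *:443>
    ServerName osticket.example.com
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/osticket.example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/osticket.example.com/privkey.pem
</VirtualHost>
EOF
}
```

Run it against the live file with: audit_vhost /etc/httpd/conf.d/osticket.conf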

Restart the httpd or apache2 service, depending on your operating system:

# Ubuntu / Debian (the ssl module is required for the SSLEngine directives)
sudo a2enmod rewrite expires ssl
sudo systemctl restart apache2

# CentOS / RHEL
sudo systemctl restart httpd

The service should report an active (running) status:

$ systemctl status httpd
● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
  Drop-In: /usr/lib/systemd/system/httpd.service.d
           └─php-fpm.conf
   Active: active (running) since Mon 2021-03-29 12:30:26 UTC; 8s ago
     Docs: man:httpd.service(8)
 Main PID: 9299 (httpd)
   Status: "Started, listening on: port 443, port 80"
    Tasks: 213 (limit: 11232)
   Memory: 27.7M
   CGroup: /system.slice/httpd.service
           ├─9299 /usr/sbin/httpd -DFOREGROUND
           ├─9301 /usr/sbin/httpd -DFOREGROUND
           ├─9302 /usr/sbin/httpd -DFOREGROUND
           ├─9303 /usr/sbin/httpd -DFOREGROUND
           └─9304 /usr/sbin/httpd -DFOREGROUND

Mar 29 12:30:26 osticket.geeksforgeeks.org systemd[1]: httpd.service: Succeeded.
Mar 29 12:30:26 osticket.geeksforgeeks.org systemd[1]: Stopped The Apache HTTP Server.
Mar 29 12:30:26 osticket.geeksforgeeks.org systemd[1]: Starting The Apache HTTP Server...
Mar 29 12:30:26 osticket.geeksforgeeks.org systemd[1]: Started The Apache HTTP Server.
Mar 29 12:30:26 osticket.geeksforgeeks.org httpd[9299]: Server configured, listening on: port 443, port 80

For Nginx configuration, check the osTicket Nginx recipe.

Certificate renewal:

$ sudo /usr/bin/certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/osticket.neveropen.tech.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The following certificates are not due for renewal yet:
  /etc/letsencrypt/live/osticket.geeksforgeeks.org/fullchain.pem expires on 2021-06-27 (skipped)
No renewals were attempted.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

For automated renewals via cron, use:

# The certificate was issued with the webroot authenticator, so Apache must keep
# running during renewal; reload it only after a certificate has been renewed.

# Ubuntu / Debian
sudo /usr/bin/certbot renew --deploy-hook "systemctl reload apache2"

# RHEL Based systems
sudo /usr/bin/certbot renew --deploy-hook "systemctl reload httpd"

Step 3: Access osTicket Web Portal

Open the osTicket web portal to confirm that the site loads over HTTPS.


If you click on the lock button it will tell you the connection to the site is secure.


Click on “More Information” to get more details about the certificate.


Your osTicket installation is now secured with a Let’s Encrypt SSL certificate. We hope this guide was helpful.
