This document gives a step-by-step instruction on how to secure
your CP apache server with SSL.
- Create or choose a directory to store SSL-related files. E.g.:
#mkdir cert
Make this directory available only for root:
#chmod 700 cert
Go to this directory:
#cd cert
- Generate an SSL private key with the OpenSSL utility:
#openssl genrsa -des3 -out server.key 1024
When prompted for a pem phrase, enter any combination of 4 characters, e.g. 1234.
A unique private key will be generated into the server.key file.
For more on this, read modssl documentation.
- Important: Copy this file to a secure location. You will need it later.
- Make the newly generated file readable only by root:
#chmod 600 server.key
- To view the content of the private key file, use the command:
#openssl rsa -noout -text -in server.key
- Remove pass phrase from the private key:
#openssl rsa -in server.key -out server.key.unsecure
- Now you don't need the private key with the pass phrase any more.
Overwrite it with the private key without the pass phrase:
#cp server.key.unsecure server.key
- Generate an SSL certificate signing request based on the private key:
#openssl req -new -key server.key -out server.csr
You will have to answer many questions related to your company.
Your answers are required to be included in the certificate.
Note: Common name is the URL at which you want your control panel
to be available, e.g. cp.yourdomain.com (not yourdomain.com).
- Check the content of the certificate request file:
#openssl req -noout -text -in server.csr
If you find a mistake in the data you have submitted, you can re-generate
the request anew.
- Important: Make sure to back up your SSL files:
# mkdir backup
# chmod 700 backup
# cp ./*.* backup/
- Send the generated CSR file to a trusted Certificate Authority
for signing. They will send you back the certificate. Save it as
server.crt.
- To view the content of the certificate, run:
# openssl x509 -noout -text -in server.crt
- Save the private key and the certificate:
# cp -f ./server.key /hsphere/local/home/cpanel/apache/etc/ssl.key/
# cp -f ./server.crt /hsphere/local/home/cpanel/apache/etc/ssl.crt/
- Important: Make sure to back up the ssl.key and ssl.crt files to
a safe location. You might need them in the future.
- If your certificate was signed by a non-trusted certificate authority,
run the following command:
# cp -f ./ca-bundle.crt /hsphere/local/home/cpanel/apache/etc/ssl.crt/
- If your certificate was signed by a non-trusted certificate authority,
open the file httpd.conf:
# vi /hsphere/local/home/cpanel/apache/etc/httpd.conf
and find the following lines:
<VirtualHost _default_:8443>
DocumentRoot "/hsphere/local/home/cpanel/shiva/shiva-templates"
ServerName cp.domain.com
ServerAdmin root@domain.com
ErrorLog /hsphere/local/home/cpanel/apache/logs/error_log
TransferLog /hsphere/local/home/cpanel/apache/logs/access_log
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXP56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /hsphere/local/home/cpanel/apache/etc/ssl.crt/server.crt
SSLCertificateKeyFile /hsphere/local/home/cpanel/apache/etc/ssl.key/server.key
At the end of this block add the following line:
SSLCACertificateFile /hsphere/local/home/cpanel/apache/etc/ssl.crt/ca-bundle.crt
- Open the file hsphere.properties:
# vi /hsphere/local/home/cpanel/shiva/psoft_config/hsphere.properties
and change lines:
CP_PORT = 8080
CP_PROTOCOL=http://
to:
CP_PORT = 8443
CP_PROTOCOL=https://
- Restart Apache:
/etc/init.d/httpdcp stop
/etc/init.d/httpdcp start
FreeBSD users must restart apache with different commands:
/usr/local/etc/rc.d/apachecp.sh stop
/usr/local/etc/rc.d/apachecp.sh start
- check the log file:
# vi /hsphere/local/home/cpanel/apache/logs/ssl_engine_log
Now your control panel must be available at both http://cp.yourdomain.com:8080
and https://cp.yourdomain.com:8443
In order to disable http access and leave only https access available,
the following will suffice:
- Open the file ~cpanel/apache/etc/httpd.conf
- If you would like to exclude http access and use only secure connections,
comment out the line "Listen 8080" in the block IfDefine SSL.
Mind, though, that this will totally disable SiteStudio, as it doesn't work
with HTTPS.
- Change directory to /hsphere/shared/SiteStudio/psoft_config and in each file in
this directory find SS links containing port 8080 and replace this port to 8443.
- Restart apache
Note: you can't have your control panel available both by domain name and IP address.
You can have only one. To switch between IP and domain name control panel access:
1. Open the /hsphere/local/home/cpanel/shiva/psoft_config/hsphere.properties file.
2. Set the value of CP_HOST to your new CP URL/IP. Make sure not to change the value of the
PATH_SITE_STUDIO property.
3. Save and exit the file.
4. Restart your control panel.
-
Click here
for feedback from H-Sphere owners on how to use H-Sphere with POP3 SSL, IMAP SSL, SMTP SSL and SFTP.
|