How To Secure osTicket with Let’s Encrypt SSL Certificates


We already have articles covering the installation of the osTicket system on CentOS 8 and on Ubuntu Linux. In those installation guides the Apache web server was configured to serve osTicket over the insecure, unencrypted HTTP protocol.

If the target audience of the osTicket system is the general public, accessing it over the internet, then the application needs to be secured with SSL/TLS. In this guide we explain all the steps required to secure an osTicket installation using free Let’s Encrypt SSL certificates.

We’ll use Certbot to request SSL certificates from the Let’s Encrypt Certificate Authority. The tool is not installed by default and needs to be installed manually.

Step 1: Install certbot certificate generation tool

Install certbot on Ubuntu /Debian:

# Install certbot on Ubuntu / Debian
sudo apt update

## Apache (on current Ubuntu and Debian releases the package is named python3-certbot-apache)
sudo apt install python-certbot-apache

## Nginx (likewise python3-certbot-nginx on current releases)
sudo apt install python-certbot-nginx

Install certbot on CentOS 8 / CentOS 7:

On a CentOS / RHEL system run the command that matches your release and web server:

# RHEL 8 and Apache
sudo yum -y install python3-certbot-apache

# RHEL 8 and Nginx
sudo yum -y install python3-certbot-nginx

# CentOS 7 and Apache
sudo yum -y install python2-certbot-apache

# CentOS 7 and Nginx
sudo yum -y install python2-certbot-nginx

Step 2: Update osTicket Apache Configurations

Modify and run the following command, which obtains a single certificate using the /var/www/osTicket/upload webroot directory. Certbot places the http-01 challenge file under that directory, so it must be served by the existing HTTP virtual host.

sudo certbot certonly --webroot -w /var/www/osTicket/upload -d osticket.computingpost.com

Where:

  • /var/www/osTicket/upload is the osTicket webroot
  • osticket.computingpost.com is the domain, which must have a valid DNS A record pointing to the hosting server

Enter an email address used for urgent renewal and security notices:

$ sudo certbot certonly --webroot -w /var/www/osTicket/upload -d osticket.computingpost.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Enter email address (used for urgent renewal and security notices)
(Enter 'c' to cancel): [email protected]

Read and accept the terms of service:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y

Optionally agree to share your email address with the Electronic Frontier Foundation:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
Account registered.

The Let’s Encrypt certificate issuance process should then begin:

Requesting a certificate for osticket.computingpost.com and www.osticket.computingpost.com
Performing the following challenges:
http-01 challenge for osticket.computingpost.com
http-01 challenge for www.osticket.computingpost.com
Using the webroot path /var/www/osTicket/upload for all unmatched domains.
Waiting for verification...
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Requesting a certificate for osticket.computingpost.com
Subscribe to the EFF mailing list (email: [email protected]).

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/osticket.computingpost.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/osticket.computingpost.com/privkey.pem
   Your certificate will expire on 2021-06-27. To obtain a new or
   tweaked version of this certificate in the future, simply run
   certbot again. To non-interactively renew *all* of your
   certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Next, update the web server configuration file for osTicket so that it uses the new certificate.

The original web server configuration file for osTicket looks like this:

$ sudo vim /etc/httpd/conf.d/osticket.conf
<VirtualHost *:80>
     ServerAdmin [email protected]
     DocumentRoot /var/www/osTicket/upload
     ServerName osticket.computingpost.com
     <Directory /var/www/osTicket/upload>
          Options FollowSymlinks
          AllowOverride All
          Require all granted
     </Directory>

     ErrorLog /var/log/httpd/osticket_error.log
     CustomLog /var/log/httpd/osticket_access.log combined
</VirtualHost>

Back up the Apache configuration file first:

sudo cp /etc/httpd/conf.d/osticket.conf{,.bak}

Open the file for editing:

sudo vim /etc/httpd/conf.d/osticket.conf

Replace its contents with the following, adjusting the domain, e-mail address and paths to match your installation:

# osTicket configuration using Let's Encrypt SSL

# Port 80 only redirects to HTTPS. Let's Encrypt's http-01 validation follows
# the 301, and the HTTPS vhost below serves the same DocumentRoot, so webroot
# renewals keep working.
<VirtualHost *:80>
        ServerName osticket.computingpost.com
        RewriteEngine On
        RewriteCond %{HTTPS} !=on
        RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R=301,L]
</VirtualHost>

<VirtualHost *:443>
        ServerAdmin [email protected]
        DocumentRoot /var/www/osTicket/upload
        ServerName osticket.computingpost.com
        <Directory /var/www/osTicket/upload>
          # Indexes enables directory listings; the original vhost did not set it
          Options Indexes FollowSymLinks MultiViews
          AllowOverride All
          # Apache 2.2 access syntax (needs mod_access_compat); Require all granted is the 2.4 form
          Order allow,deny
          allow from all
          Require all granted
        </Directory>
        ErrorLog  /var/log/httpd/osticket_error.log
        CustomLog /var/log/httpd/osticket_access.log combined
        SSLEngine on
        SSLCertificateFile /etc/letsencrypt/live/osticket.computingpost.com/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/osticket.computingpost.com/privkey.pem
</VirtualHost>

Confirm configuration syntax is okay:

$ sudo /usr/sbin/httpd -t
Syntax OK

Restart the httpd or apache2 service, depending on your operating system. The SSLEngine directives need mod_ssl and the redirect needs mod_rewrite, so enable them first:

# Ubuntu / Debian
sudo a2enmod ssl rewrite expires
sudo systemctl restart apache2

# CentOS / RHEL (mod_ssl is a separate package)
sudo yum -y install mod_ssl
sudo systemctl restart httpd

The service should report a running status:

$ systemctl status httpd
● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
  Drop-In: /usr/lib/systemd/system/httpd.service.d
           └─php-fpm.conf
   Active: active (running) since Mon 2021-03-29 12:30:26 UTC; 8s ago
     Docs: man:httpd.service(8)
 Main PID: 9299 (httpd)
   Status: "Started, listening on: port 443, port 80"
    Tasks: 213 (limit: 11232)
   Memory: 27.7M
   CGroup: /system.slice/httpd.service
           ├─9299 /usr/sbin/httpd -DFOREGROUND
           ├─9301 /usr/sbin/httpd -DFOREGROUND
           ├─9302 /usr/sbin/httpd -DFOREGROUND
           ├─9303 /usr/sbin/httpd -DFOREGROUND
           └─9304 /usr/sbin/httpd -DFOREGROUND

Mar 29 12:30:26 osticket.computingpost.com systemd[1]: httpd.service: Succeeded.
Mar 29 12:30:26 osticket.computingpost.com systemd[1]: Stopped The Apache HTTP Server.
Mar 29 12:30:26 osticket.computingpost.com systemd[1]: Starting The Apache HTTP Server...
Mar 29 12:30:26 osticket.computingpost.com systemd[1]: Started The Apache HTTP Server.
Mar 29 12:30:26 osticket.computingpost.com httpd[9299]: Server configured, listening on: port 443, port 80
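Beyond the systemd status, a practitioner usually wants to confirm that the vhost actually carries the directives the setup depends on, how long the certificate has left, and that plain HTTP really answers with a 301 to HTTPS. The script below is an added example written for this guide, not part of osTicket or Certbot; the vhost path, domain and Let's Encrypt paths are the guide's values and are passed as parameters.

```shell
#!/bin/sh
# Added post-deployment checks for the osTicket HTTPS vhost (example for this
# guide, not osTicket or Certbot code). Usage:
#   sh osticket_tls_check.sh osticket.computingpost.com [/etc/httpd/conf.d/osticket.conf]

# lint_vhost CONF DOMAIN
# Verifies that CONF carries every directive the HTTPS setup above depends on:
# the HTTP->HTTPS redirect, a :443 vhost, SSLEngine and the Let's Encrypt paths.
# Returns 0 when everything is present; otherwise prints one "missing:" line per
# gap on stderr and returns 1.
lint_vhost() {
  conf="$1"; domain="$2"; live="/etc/letsencrypt/live/$domain"
  missing=$(
    # one required directive per line; grep -F matches them literally (braces included)
    printf '%s\n' \
      "ServerName $domain" \
      "RewriteEngine On" \
      'RewriteCond %{HTTPS} !=on' \
      "SSLEngine on" \
      "SSLCertificateFile $live/fullchain.pem" \
      "SSLCertificateKeyFile $live/privkey.pem" |
    while IFS= read -r directive; do
      grep -qF -- "$directive" "$conf" 2>/dev/null || echo "missing: $directive"
    done
    grep -qE '<VirtualHost[^>]*:443>' "$conf" 2>/dev/null || echo "missing: <VirtualHost *:443>"
  )
  if [ -n "$missing" ]; then
    printf '%s\n' "$missing" >&2
    return 1
  fi
  return 0
}

# cert_days_left PEM
# Prints the number of whole days until the certificate's notAfter date.
# Let's Encrypt certificates are valid for 90 days and certbot renews when fewer
# than 30 remain, so a value below 30 after "certbot renew" means renewal is not
# working. Needs openssl and GNU date, both present on the guide's target systems.
cert_days_left() {
  end_date=$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2)
  end_epoch=$(date -d "$end_date" +%s)
  now_epoch=$(date +%s)
  echo $(( (end_epoch - now_epoch) / 86400 ))
}

# check_redirect DOMAIN
# Confirms that plain HTTP answers with a 301 to the HTTPS URL, as the RewriteRule intends.
check_redirect() {
  domain="$1"
  result=$(curl -s -o /dev/null -w '%{http_code} %{redirect_url}' "http://$domain/")
  case "$result" in
    "301 https://$domain/"*) return 0 ;;
  esac
  echo "expected 301 to https://$domain/, got: $result" >&2
  return 1
}

# Run all three checks when a domain is given on the command line.
if [ $# -gt 0 ]; then
  target="$1"; vhost="${2:-/etc/httpd/conf.d/osticket.conf}"
  lint_vhost "$vhost" "$target"
  echo "days until expiry: $(cert_days_left "/etc/letsencrypt/live/$target/fullchain.pem")"
  check_redirect "$target"
fi
```

The lint uses fixed-string matching, so it catches the two extraction-prone spots in the config, the braces in `%{HTTPS}` and the cert paths, while the redirect check exercises the live server exactly the way a browser would. On Ubuntu pass the apache2 sites-available path as the second argument.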

For Nginx configuration check the osTicket Nginx recipe.

To renew certificates manually, run:

$ sudo /usr/bin/certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/osticket.computingpost.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The following certificates are not due for renewal yet:
  /etc/letsencrypt/live/osticket.computingpost.com/fullchain.pem expires on 2021-06-27 (skipped)
No renewals were attempted.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

For automated renewals via cron, use one of the following commands:

# Ubuntu / Debian
sudo /usr/bin/certbot renew --pre-hook "systemctl stop apache2" --post-hook "systemctl start apache2"

# RHEL Based systems
sudo /usr/bin/certbot renew --pre-hook "systemctl stop httpd" --post-hook "systemctl start httpd"
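The commands above show the renewal call but not the cron entry that runs it, and the stop/start hooks take osTicket offline for the duration of every renewal. The script below is an added example written for this guide (not shipped by Certbot or osTicket): it installs a cron.d job that runs `certbot renew` twice a day, and a Certbot deploy hook that reloads the web server only when a certificate was actually renewed. The service name (httpd on CentOS/RHEL, apache2 on Ubuntu/Debian) is a parameter; the hook and cron directories default to Certbot's and cron's standard paths and can be overridden.

```shell
#!/bin/sh
# Added example for unattended renewal (for this guide; not Certbot or osTicket code).
# Usage as root:  sh install_renewal.sh httpd      (or apache2 on Ubuntu/Debian)

# install_deploy_hook SERVICE [HOOK_DIR]
# Certbot runs every executable in /etc/letsencrypt/renewal-hooks/deploy/ after a
# successful renewal, whichever timer or cron job triggered it. A reload (instead
# of the stop/start pair above) picks up the new key and chain without dropping
# open connections. Certbot exports RENEWED_LINEAGE (the live directory of the
# renewed certificate) to the hook.
install_deploy_hook() {
  service="$1"
  hook_dir="${2:-/etc/letsencrypt/renewal-hooks/deploy}"
  mkdir -p "$hook_dir"
  # unquoted EOF: $service expands now, \$RENEWED_LINEAGE stays for Certbot to fill in
  cat > "$hook_dir/reload-webserver.sh" <<EOF
#!/bin/sh
# reload the web server after a Let's Encrypt renewal (osTicket guide example)
echo "renewed \$RENEWED_LINEAGE, reloading $service"
systemctl reload $service
EOF
  chmod 0755 "$hook_dir/reload-webserver.sh"
}

# install_renew_cron [CRON_DIR]
# Runs "certbot renew" twice a day. Certbot only contacts the CA when a
# certificate has fewer than 30 days left, so the job is cheap; --quiet keeps
# cron mail for real errors. cron.d ignores files that are not mode 0644.
install_renew_cron() {
  cron_dir="${1:-/etc/cron.d}"
  mkdir -p "$cron_dir"
  cat > "$cron_dir/certbot-osticket" <<'EOF'
# twice-daily Let's Encrypt renewal check for osTicket (guide example)
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
0 3,15 * * * root /usr/bin/certbot renew --quiet
EOF
  chmod 0644 "$cron_dir/certbot-osticket"
}

# Install both when a service name is given on the command line.
if [ $# -gt 0 ]; then
  install_deploy_hook "$1"
  install_renew_cron
fi
```

On Ubuntu/Debian the certbot apt package already ships /etc/cron.d/certbot and a certbot.timer systemd unit, so there install only the deploy hook. Test the whole chain with `sudo certbot renew --dry-run`; note that a dry run exercises the challenge and the pre/post hooks but does not execute deploy hooks.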

Step 3: Access osTicket Web Portal

Open the osTicket web portal in a browser and confirm that the site now loads over HTTPS.

A systems engineer with excellent skills in systems administration, cloud computing, systems deployment, virtualization, containers, and a certified ethical hacker.