How to secure osTicket with a Let’s Encrypt SSL certificate


We have already published an article on installing the osTicket system on CentOS 8 and Ubuntu Linux. In that installation guide, the Apache web server is configured to serve osTicket over plain HTTP.

If your osTicket system is intended for the public and is reachable over the Internet, you need SSL/TLS to protect the application. In this guide we explain all the steps required to secure an osTicket installation with a free Let’s Encrypt SSL certificate.

We will use Certbot to request an SSL certificate from the Let’s Encrypt certificate authority. This tool is not available by default and needs to be installed manually.

Step 1: Install certbot certificate generation tool

Install certbot on Ubuntu/Debian:

# Install certbot on Ubuntu / Debian
sudo apt update

# Apache
sudo apt-get install python-certbot-apache

# Nginx
sudo apt-get install python-certbot-nginx

Install certbot on CentOS 8 / CentOS 7:

On CentOS systems, run one of the following commands:

# CentOS 8
## For Apache
sudo yum -y install python3-certbot-apache

## For Nginx
sudo yum -y install python3-certbot-nginx

# CentOS 7
## For Apache
sudo yum -y install python2-certbot-apache

## For Nginx
sudo yum -y install python2-certbot-nginx

Step 2: Update osTicket Apache configuration

Modify the following command to match your domain and run it; it uses /var/www/osTicket/upload as the webroot directory.

sudo certbot certonly --webroot -w /var/www/osTicket/upload -d osticket.computingforgeeks.com

Where:

  • /var/www/osTicket/upload is the osTicket webroot
  • osticket.computingforgeeks.com is a domain with a valid DNS A record pointing to the host server

Enter the email address to be used for urgent renewal and security notices:

$ sudo certbot certonly --webroot -w /var/www/osTicket/upload -d osticket.computingforgeeks.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Enter email address (used for urgent renewal and security notices)
(Enter 'c' to cancel): [email protected]

Read and accept the terms of service:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y

(Optional) Agree to share your email address with the Electronic Frontier Foundation:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
Account registered.

The Let’s Encrypt certificate generation process then starts:

Requesting a certificate for osticket.computingforgeeks.com and www.osticket.computingforgeeks.com
Performing the following challenges:
http-01 challenge for osticket.computingforgeeks.com
http-01 challenge for www.osticket.computingforgeeks.com
Using the webroot path /var/www/osTicket/upload for all unmatched domains.
Waiting for verification...
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Requesting a certificate for osticket.computingforgeeks.com
Subscribe to the EFF mailing list (email: [email protected]).

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/osticket.computingforgeeks.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/osticket.computingforgeeks.com/privkey.pem
   Your certificate will expire on 2021-06-27. To obtain a new or
   tweaked version of this certificate in the future, simply run
   certbot again. To non-interactively renew *all* of your
   certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Update the Web Server osTicket configuration file as follows:

The original web server configuration file of osTicket:

$ cat /etc/httpd/conf.d/osticket.conf
<VirtualHost *:80>
     ServerAdmin [email protected]
     DocumentRoot /var/www/osTicket/upload
     ServerName osticket.computingforgeeks.com
     ServerAlias www.osticket.computingforgeeks.com
     <Directory /var/www/osTicket/>
          Options FollowSymlinks
          AllowOverride All
          Require all granted
     </Directory>

     ErrorLog /var/log/httpd/osticket_error.log
     CustomLog /var/log/httpd/osticket_access.log combined
</VirtualHost>

Back up the http configuration file:

sudo cp /etc/httpd/conf.d/osticket.conf{,.bak}

Open the file for editing:

sudo vim /etc/httpd/conf.d/osticket.conf

Paste and modify the following to update the configuration:

# osTicket configuration using Let's Encrypt SSL
# Port 80 only redirects every request to HTTPS
<VirtualHost *:80>
        ServerName osticket.computingforgeeks.com
        RewriteEngine On
        RewriteCond %{HTTPS} !=on
        RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R=301,L]
</VirtualHost>
<VirtualHost *:443>
        ServerAdmin [email protected]
        DocumentRoot /var/www/osTicket/upload
        ServerName osticket.computingforgeeks.com
        <Directory /var/www/osTicket/upload/>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride All
                # Apache 2.4 access control; not mixed with the 2.2-style Order/Allow directives
                Require all granted
        </Directory>
        ErrorLog  /var/log/httpd/osticket_error.log
        CustomLog /var/log/httpd/osticket_access.log combined
        SSLEngine on
        SSLCertificateFile /etc/letsencrypt/live/osticket.computingforgeeks.com/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/osticket.computingforgeeks.com/privkey.pem
</VirtualHost>

Confirm that the configuration syntax is OK:

$ sudo /usr/sbin/httpd -t
Syntax OK

Restart the httpd or apache2 service, depending on your operating system:

# Ubuntu / Debian (the ssl module is required for the SSLEngine directive)
$ sudo a2enmod rewrite expires ssl
$ sudo systemctl restart apache2

# CentOS / RHEL
$ sudo systemctl restart httpd

The service should return to running status:

$ systemctl status httpd
● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
  Drop-In: /usr/lib/systemd/system/httpd.service.d
           └─php-fpm.conf
   Active: active (running) since Mon 2021-03-29 12:30:26 UTC; 8s ago
     Docs: man:httpd.service(8)
 Main PID: 9299 (httpd)
   Status: "Started, listening on: port 443, port 80"
    Tasks: 213 (limit: 11232)
   Memory: 27.7M
   CGroup: /system.slice/httpd.service
           ├─9299 /usr/sbin/httpd -DFOREGROUND
           ├─9301 /usr/sbin/httpd -DFOREGROUND
           ├─9302 /usr/sbin/httpd -DFOREGROUND
           ├─9303 /usr/sbin/httpd -DFOREGROUND
           └─9304 /usr/sbin/httpd -DFOREGROUND

Mar 29 12:30:26 osticket.computingforgeeks.com systemd[1]: httpd.service: Succeeded.
Mar 29 12:30:26 osticket.computingforgeeks.com systemd[1]: Stopped The Apache HTTP Server.
Mar 29 12:30:26 osticket.computingforgeeks.com systemd[1]: Starting The Apache HTTP Server...
Mar 29 12:30:26 osticket.computingforgeeks.com systemd[1]: Started The Apache HTTP Server.
Mar 29 12:30:26 osticket.computingforgeeks.com httpd[9299]: Server configured, listening on: port 443, port 80

For Nginx configuration, please check osTicket Nginx recipe.

Certificate renewal:

$ sudo /usr/bin/certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/osticket.computingforgeeks.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The following certificates are not due for renewal yet:
  /etc/letsencrypt/live/osticket.computingforgeeks.com/fullchain.pem expires on 2021-06-27 (skipped)
No renewals were attempted.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Use automatic renewal via cron. The certificate was issued with the webroot authenticator, so Apache must keep running during renewal to serve the challenge file; reload it only after a certificate has actually been renewed:

# Ubuntu / Debian
$ sudo /usr/bin/certbot renew --deploy-hook "systemctl reload apache2"

# CentOS
$ sudo /usr/bin/certbot renew --deploy-hook "systemctl reload httpd"

Step 3: Visit the osTicket web portal

Open the osTicket web portal and confirm that the site loads over HTTPS.

If you click the lock icon, the browser reports that the connection to the site is secure.

Click “More Information” to see more detailed information about the certificate.
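
The Step 3 check and the expiry check from the renewal section can also be scripted. The following is an added example, not part of the original guide: it works on the output of curl -sI and openssl x509 -noout -enddate, the function names and sample input are constructed, and the 30-day threshold is an assumption matching Certbot's default renewal window.

```shell
#!/bin/sh
# Added example: scripted versions of the Step 3 check and the expiry check.
# Live usage (hostname and paths as used in this guide):
#   curl -sI http://osticket.computingforgeeks.com/ | check_redirect osticket.computingforgeeks.com
#   days_left "$(openssl x509 -noout -enddate -in \
#       /etc/letsencrypt/live/osticket.computingforgeeks.com/fullchain.pem)" "$(date -u +%F)"

# check_redirect HOST: reads HTTP response headers on stdin and succeeds only
# if the status is 301 and Location points at https://HOST/...
check_redirect() {
    tr -d '\r' | awk -v host="$1" '
        NR == 1                    { code = $2 }
        tolower($1) == "location:" { loc = $2 }
        END { exit !(code == 301 && index(loc, "https://" host "/") == 1) }'
}

# days_left "notAfter=Jun 27 12:00:00 2021 GMT" YYYY-MM-DD
# Prints whole days between the given date and the certificate expiry date.
days_left() {
    awk -v na="${1#notAfter=}" -v today="$2" '
        function dnum(y, m, d) {   # days since 1970-01-01, Gregorian calendar
            if (m <= 2) { y--; m += 12 }
            return 365*y + int(y/4) - int(y/100) + int(y/400) + int((153*(m-3)+2)/5) + d - 719469
        }
        BEGIN {
            split(na, f, " "); split(today, t, "-")
            mon = (index("JanFebMarAprMayJunJulAugSepOctNovDec", f[1]) + 2) / 3
            print dnum(f[4]+0, mon, f[2]+0) - dnum(t[1]+0, t[2]+0, t[3]+0)
        }'
}

# renewal_due ENDDATE TODAY [THRESHOLD]: succeeds when fewer than THRESHOLD
# days remain (30 is an assumption matching Certbot default renewal window).
renewal_due() {
    [ "$(days_left "$1" "$2")" -lt "${3:-30}" ]
}

# Constructed sample input; the expiry date is the one in the certbot output above.
SAMPLE_ENDDATE='notAfter=Jun 27 12:00:00 2021 GMT'
SAMPLE_HEADERS='HTTP/1.1 301 Moved Permanently
Location: https://osticket.computingforgeeks.com/'

printf '%s\n' "$SAMPLE_HEADERS" | check_redirect osticket.computingforgeeks.com \
    && echo "redirect OK"
renewal_due "$SAMPLE_ENDDATE" 2021-06-01 && echo "renewal due"
```

Run from cron, a non-zero exit from check_redirect or a successful renewal_due is the signal to investigate before browsers start rejecting the certificate.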

Your osTicket installation is now protected by a Let’s Encrypt SSL certificate. We hope this guide is helpful to you.
