Are you looking for steps to secure osTicket with Let’s Encrypt SSL Certificates? Take a peek at this blog.
Here at Bobcares, we have seen several such Let’s Encrypt SSL-related queries as part of our Server Management Services for web hosts and online service providers.
Today we’ll take a look at how to secure osTicket with Let’s Encrypt SSL Certificates.
How to secure osTicket with Let’s Encrypt SSL Certificates
Now let’s take a look at how our Support Engineers secure osTicket.
Here we are making use of Certbot to request SSL certificates from the Let’s Encrypt Certificate Authority. Since the tool is not available by default, we need to install it manually.
Step 1: Install certbot certificate generation tool
We run the below commands to install certbot on Ubuntu/Debian:
# Install certbot on Ubuntu/Debian
sudo apt update
# Apache
sudo apt-get install python-certbot-apache
# Nginx
sudo apt-get install python-certbot-nginx
On CentOS 8 or CentOS 7, we install certbot by running the commands below.
# CentOS 8
## For Apache
sudo yum -y install python3-certbot-apache
## For Nginx
sudo yum -y install python3-certbot-nginx
# CentOS 7
## For Apache
sudo yum -y install python2-certbot-apache
## For Nginx
sudo yum -y install python2-certbot-nginx
Step 2: Updating osTicket Apache Configurations
We run the below command to obtain a single certificate using the /var/www/osTicket/upload webroot directory.
sudo certbot certonly --webroot -w /var/www/osTicket/upload -d osticket.bobcares.com
Then we enter an email address used for urgent renewal and security notices:
$ sudo certbot certonly --webroot -w /var/www/osTicket/upload -d osticket.bobcares.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Enter email address (used for urgent renewal and security notices)
(Enter 'c' to cancel): webmaster@bobcares.com
After that, we read and accept the terms of service by typing Y and hitting Enter.
Optionally, we can agree to share the email address with the Electronic Frontier Foundation.
Now the Let’s Encrypt certificate generation process should begin.
Then we update the Web Server osTicket configuration file to look as below:
$ cat /etc/httpd/conf.d/osticket.conf
<VirtualHost *:80>
ServerAdmin webmaster@bobcares.com
DocumentRoot /var/www/osTicket/upload
ServerName osticket.bobcares.com
ServerAlias www.osticket.bobcares.com
<Directory /var/www/osTicket/>
Options FollowSymlinks
AllowOverride All
Require all granted
</Directory>
ErrorLog /var/log/httpd/osticket_error.log
CustomLog /var/log/httpd/osticket_access.log combined
</VirtualHost>
We then back up the HTTP config file:
sudo cp /etc/httpd/conf.d/osticket.conf{,.bak}
After that, we open the file for editing by running the below command.
sudo vim /etc/httpd/conf.d/osticket.conf
Into it we paste the below contents to update the configuration:
# osTicket configuration using Let's Encrypt SSL
<VirtualHost *:80>
ServerName osticket.bobcares.com
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R=301,L]
</VirtualHost>
<VirtualHost *:443>
ServerAdmin webmaster@bobcares.com
DocumentRoot /var/www/osTicket/upload
ServerName osticket.bobcares.com
<Directory /var/www/osTicket/upload/>
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
Require all granted
</Directory>
ErrorLog /var/log/httpd/osticket_error.log
CustomLog /var/log/httpd/osticket_access.log combined
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/osticket.bobcares.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/osticket.bobcares.com/privkey.pem
</VirtualHost>
Then we confirm configuration syntax is okay:
$ sudo /usr/sbin/httpd -t
Syntax OK
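httpd -t only confirms that the file parses. As an added example (not part of the original post), the script below checks that the file sets up what this step intends: a port 80 redirect to HTTPS and a port 443 host whose certificate and key come from the Let's Encrypt live directory for the domain. The function names audit_vhost and write_sample and the abridged sample config are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original post): audit a vhost file for the
# HTTPS setup this step describes. Prints one line per problem found.
# Usage: audit_vhost FILE DOMAIN   (returns non-zero if anything is wrong)
audit_vhost() {
    awk -v dom="$2" '
    { sub(/^[ \t]+/, ""); low = tolower($0) }   # strip indent, fold case
    low ~ /^<virtualhost / { port = low; sub(/.*:/, "", port); sub(/>.*/, "", port); next }
    low ~ /^<\/virtualhost>/ { port = ""; next }
    port == "80"  && low ~ /^rewriterule / && $3 ~ /^https:\/\// { redirect = 1 }
    port == "443" && low ~ /^sslengine[ \t]+on/      { engine = 1 }
    port == "443" && low ~ /^sslcertificatefile /    { cert = $2 }
    port == "443" && low ~ /^sslcertificatekeyfile / { key = $2 }
    port == "443" && low ~ /^servername /            { name = $2 }
    END {
        live = "/etc/letsencrypt/live/" dom "/"
        if (!redirect) { print "port 80: no redirect to https"; bad = 1 }
        if (!engine) { print "port 443: SSLEngine is not on"; bad = 1 }
        if (name != dom) { print "port 443: ServerName is not " dom; bad = 1 }
        if (cert != (live "fullchain.pem")) { print "port 443: SSLCertificateFile is not " live "fullchain.pem"; bad = 1 }
        if (key != (live "privkey.pem")) { print "port 443: SSLCertificateKeyFile is not " live "privkey.pem"; bad = 1 }
        exit bad + 0
    }' "$1"
}

# Constructed sample: only the directives from this step that the audit reads.
write_sample() {
    cat > "$1" <<'EOF'
<VirtualHost *:80>
    ServerName osticket.bobcares.com
    RewriteEngine On
    RewriteCond %{HTTPS} !=on
    RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R=301,L]
</VirtualHost>
<VirtualHost *:443>
    ServerName osticket.bobcares.com
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/osticket.bobcares.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/osticket.bobcares.com/privkey.pem
</VirtualHost>
EOF
}

sample=$(mktemp)
write_sample "$sample"
audit_vhost "$sample" osticket.bobcares.com && echo "vhost OK"
rm -f "$sample"
```

On a real host, the same function can be pointed at /etc/httpd/conf.d/osticket.conf once httpd -t has passed.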
We then restart the web server with the commands below.
# Ubuntu / Debian
$ sudo a2enmod rewrite expires ssl
$ sudo systemctl restart apache2
# CentOS / RHEL
$ sudo systemctl restart httpd
As a result, the service should return Running status:
$ systemctl status httpd
● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
  Drop-In: /usr/lib/systemd/system/httpd.service.d
           └─php-fpm.conf
   Active: active (running) since Wed 2021-03-31 12:30:26 UTC; 8s ago
     Docs: man:httpd.service(8)
 Main PID: 9299 (httpd)
   Status: "Started, listening on: port 443, port 80"
    Tasks: 213 (limit: 11232)
   Memory: 27.7M
   CGroup: /system.slice/httpd.service
           ├─9299 /usr/sbin/httpd -DFOREGROUND
           ├─9301 /usr/sbin/httpd -DFOREGROUND
           ├─9302 /usr/sbin/httpd -DFOREGROUND
           ├─9303 /usr/sbin/httpd -DFOREGROUND
           └─9304 /usr/sbin/httpd -DFOREGROUND
Mar 31 12:30:26 osticket.bobcares.com systemd[1]: httpd.service: Succeeded.
Mar 31 12:30:26 osticket.bobcares.com systemd[1]: Stopped The Apache HTTP Server.
Mar 31 12:30:26 osticket.bobcares.com systemd[1]: Starting The Apache HTTP Server...
Mar 31 12:30:26 osticket.bobcares.com systemd[1]: Started The Apache HTTP Server.
Mar 31 12:30:26 osticket.bobcares.com httpd[9299]: Server configured, listening on: port 443, port 80
Then we run the below command to renew the certificate.
$ sudo /usr/bin/certbot renew
Step 3: Access osTicket Web Portal
We open the osTicket web portal to confirm that the website loads over HTTPS.
Clicking the lock button shows whether the connection is secure.
Clicking “More Information” gives more details about the certificate. There we can see the SSL details and confirm that the SSL certificate is installed.
Conclusion
Today, we saw how our Support Engineers secure osTicket with Let’s Encrypt SSL Certificates.