

Secure osTicket with Let's Encrypt SSL Certificates - Do it Now

Are you trying to secure osTicket with Let’s Encrypt SSL Certificates?

This guide will help you.


Let's Encrypt is an open and automated certificate authority that uses the ACME (Automatic Certificate Management Environment) protocol to provide free TLS/SSL certificates to any compatible client.

These certificates can be used to encrypt communication between your web server and your users.

Here at Ibmi Media, as part of our Server Management Services, we regularly help our customers with Let's Encrypt SSL related queries.

In this context, we shall look into how to secure osTicket with Let’s Encrypt SSL Certificates.


How to secure osTicket with Let's Encrypt SSL Certificates?

Now let's take a look at how our Support Experts secure osTicket.

Here we are making use of Certbot to request SSL certificates from the Let’s Encrypt Certificate Authority.

Since the tool is not available by default, we need to install it manually.


Step 1: Install certbot certificate generation tool

We run the below command to install certbot on Ubuntu / Debian:

# Install certbot on Ubuntu / Debian

$ sudo apt update

# Apache

$ sudo apt-get install python-certbot-apache

# Nginx

$ sudo apt-get install python-certbot-nginx

If you are using CentOS, then you can install certbot on CentOS 8 / CentOS 7 by running the below command.

# CentOS 8

## For Apache

$ sudo yum -y install python3-certbot-apache

## For Nginx

$ sudo yum -y install python3-certbot-nginx

# CentOS 7

## For Apache

$ sudo yum -y install python2-certbot-apache

## For Nginx

$ sudo yum -y install python2-certbot-nginx


Step 2: Updating osTicket Apache Configurations

We run the below command to obtain a single certificate using the /var/www/osTicket/upload webroot directory:

$ sudo certbot certonly --webroot -w /var/www/osTicket/upload -d osticket.Ibmimedia.com

Then we enter an email address used for urgent renewal and security notices:

$ sudo certbot certonly --webroot -w /var/www/osTicket/upload -d osticket.Ibmimedia.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Enter email address (used for urgent renewal and security notices)
(Enter 'c' to cancel): webmaster@Ibmimedia.com

After that, we read and accept the terms of service by typing Y and hitting Enter.

Optionally, we can agree to share the email address with the Electronic Frontier Foundation.

Now the Let's Encrypt certificate generation process should begin.

Then we update the Web Server osTicket configuration file to look as below:

$ cat /etc/httpd/conf.d/osticket.conf
<VirtualHost *:80>
ServerAdmin webmaster@Ibmimedia.com
DocumentRoot /var/www/osTicket/upload
ServerName osticket.Ibmimedia.com
ServerAlias www.osticket.Ibmimedia.com
<Directory /var/www/osTicket/>
Options FollowSymlinks
AllowOverride All
Require all granted
</Directory>
ErrorLog /var/log/httpd/osticket_error.log
CustomLog /var/log/httpd/osticket_access.log combined
</VirtualHost>

We then back up the HTTP config file:

$ sudo cp /etc/httpd/conf.d/osticket.conf{,.bak}

After that, we open the file for editing by running the below command.

$ sudo vim /etc/httpd/conf.d/osticket.conf

Into it we paste the below contents to update the configuration:

# osTicket configuration using Let's Encrypt SSL
# Port 80 only redirects every request to HTTPS
<VirtualHost *:80>
    ServerName osticket.Ibmimedia.com
    RewriteEngine On
    RewriteCond %{HTTPS} !=on
    RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R=301,L]
</VirtualHost>
<VirtualHost *:443>
    ServerAdmin webmaster@Ibmimedia.com
    DocumentRoot /var/www/osTicket/upload
    ServerName osticket.Ibmimedia.com
    <Directory /var/www/osTicket/upload/>
        # "Indexes" is left out so directory listings stay disabled
        Options FollowSymLinks MultiViews
        AllowOverride All
        # Apache 2.4 access control; the 2.2-style Order/allow lines are dropped
        Require all granted
    </Directory>
    ErrorLog /var/log/httpd/osticket_error.log
    CustomLog /var/log/httpd/osticket_access.log combined
    SSLEngine on
    # fullchain.pem holds the server certificate plus the intermediate chain
    SSLCertificateFile /etc/letsencrypt/live/osticket.Ibmimedia.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/osticket.Ibmimedia.com/privkey.pem
</VirtualHost>

Then we confirm configuration syntax is okay:

$ sudo /usr/sbin/httpd -t
Syntax OK
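
The syntax check above does not look at what the directives say. As an added example (not part of the original guide), the shell function below inspects a vhost file for the properties this step relies on: an HTTP to HTTPS redirect on port 80, SSLEngine on port 443, a certificate and key from the same directory with fullchain.pem as the certificate, and no directory listing. The function name check_vhost, the host name osticket.example.test and the sample configuration are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the guide. Usage: check_vhost FILE (or config on stdin).
# Prints one finding per line; exit status 1 if anything was found.
check_vhost() {
    awk '
    function flag(msg) { print msg; bad++ }
    { line = tolower($0); sub(/^[ \t]+/, "", line) }
    line ~ /^#/ { next }
    line ~ /^<virtualhost / {          # remember which port block we are in
        port = line; sub(/.*:/, "", port); sub(/>.*/, "", port); next }
    line ~ /^<\/virtualhost>/ { port = ""; next }
    port == "80"  && line ~ /^(rewriterule|redirect).*https:\/\// { redir = 1 }
    port == "443" && line ~ /^sslengine[ \t]+on/      { ssl = 1 }
    port == "443" && line ~ /^sslcertificatefile/     { cert = $2 }
    port == "443" && line ~ /^sslcertificatekeyfile/  { key = $2 }
    line ~ /^options[ \t]/ && line ~ /[ \t][+]?indexes/ {
        flag("directory listing enabled (Options Indexes)") }
    END {
        if (!redir) flag("port 80 vhost does not redirect to https")
        if (!ssl)   flag("port 443 vhost lacks SSLEngine on")
        cdir = cert; sub(/\/[^\/]*$/, "", cdir)
        kdir = key;  sub(/\/[^\/]*$/, "", kdir)
        if (cert == "" || key == "") flag("certificate or key path missing")
        else if (cdir != kdir) flag("certificate and key are from different directories")
        else if (cert !~ /\/fullchain\.pem$/)
            flag("SSLCertificateFile is not fullchain.pem (intermediates not served)")
        exit (bad > 0)
    }' "$@"
}
# Constructed sample (hypothetical host name) with two weaknesses left in.
sample_conf() {
cat <<'EOF'
<VirtualHost *:80>
ServerName osticket.example.test
RewriteEngine On
RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R=301,L]
</VirtualHost>
<VirtualHost *:443>
ServerName osticket.example.test
<Directory /var/www/osTicket/upload/>
Options Indexes FollowSymLinks
</Directory>
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/osticket.example.test/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/osticket.example.test/privkey.pem
</VirtualHost>
EOF
}
sample_conf | check_vhost || echo "fix the findings above before restarting"
```

On the real server the function would be pointed at /etc/httpd/conf.d/osticket.conf after the syntax check and before the restart.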

We then restart the webserver. Here is the command for it.

# Ubuntu / Debian

$ sudo a2enmod rewrite expires ssl
$ sudo systemctl restart apache2

# CentOS / RHEL

$ sudo systemctl restart httpd

As a result, the service should return Running status:

$ systemctl status httpd
● httpd.service - The Apache HTTP Server
Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
Drop-In: /usr/lib/systemd/system/httpd.service.d
└─php-fpm.conf
Active: active (running) since Wed 2021-03-31 12:30:26 UTC; 8s ago
Docs: man:httpd.service(8)
Main PID: 9299 (httpd)
Status: "Started, listening on: port 443, port 80"
Tasks: 213 (limit: 11232)
Memory: 27.7M
CGroup: /system.slice/httpd.service
├─9299 /usr/sbin/httpd -DFOREGROUND
├─9301 /usr/sbin/httpd -DFOREGROUND
├─9302 /usr/sbin/httpd -DFOREGROUND
├─9303 /usr/sbin/httpd -DFOREGROUND
└─9304 /usr/sbin/httpd -DFOREGROUND
Mar 31 12:30:26 osticket.Ibmimedia.com systemd[1]: httpd.service: Succeeded.
Mar 31 12:30:26 osticket.Ibmimedia.com systemd[1]: Stopped The Apache HTTP Server.
Mar 31 12:30:26 osticket.Ibmimedia.com systemd[1]: Starting The Apache HTTP Server...
Mar 31 12:30:26 osticket.Ibmimedia.com systemd[1]: Started The Apache HTTP Server.
Mar 31 12:30:26 osticket.Ibmimedia.com httpd[9299]: Server configured, listening on: port 443, port 80

Then we run the below command to renew the certificate:

$ sudo /usr/bin/certbot renew

 

Step 3: Access osTicket Web Portal

We open the osTicket web portal to confirm that the website loads over HTTPS.

If we click on the lock button then we can see if the connection is secure or not.

We can click on "More Information" to get more details about the certificate.

We can see the SSL details and confirm the installation of the SSL certificate.




Conclusion

This article covers how to secure osTicket with Let's Encrypt SSL Certificates. You can use Certbot to request SSL certificates from the Let's Encrypt Certificate Authority. The tool is not available by default and needs to be installed manually.

