We already have articles covering the installation of the osTicket system on CentOS 8 and Ubuntu Linux. In those installation guides, the Apache web server was configured to serve osTicket over the insecure HTTP protocol.

If the target audience of your osTicket system is the general public, accessing it over the internet, then the application needs to be secured with SSL/TLS. In this guide we explain all the steps required to secure an osTicket installation using free Let’s Encrypt SSL certificates.

We’ll use Certbot to request SSL certificates from the Let’s Encrypt Certificate Authority. The tool is not available by default and needs to be installed manually.

Step 1: Install certbot certificate generation tool

Install certbot on Ubuntu / Debian:

# Refresh the package index
sudo apt update

# Apache
sudo apt-get install python-certbot-apache

# Nginx
sudo apt-get install python-certbot-nginx

Install certbot on CentOS 8 / CentOS 7:

On a CentOS system run either of the following commands:

# CentOS 8
## For Apache
sudo yum -y install python3-certbot-apache

## For Nginx
sudo yum -y install python3-certbot-nginx

# CentOS 7
## For Apache
sudo yum -y install python2-certbot-apache

## For Nginx
sudo yum -y install python2-certbot-nginx

Step 2: Update osTicket Apache Configurations

Adjust the following command for your domain and run it. It obtains a single certificate, using /var/www/osTicket/upload as the webroot directory for the challenge files.

sudo certbot certonly --webroot -w /var/www/osTicket/upload -d osticket.computingforgeeks.com

Where:

  • /var/www/osTicket/upload is the osTicket webroot
  • osticket.computingforgeeks.com is the domain, with a valid DNS A record pointing to the hosting server

Enter an email address used for urgent renewal and security notices:

$ sudo certbot certonly --webroot -w /var/www/osTicket/upload -d osticket.computingforgeeks.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Enter email address (used for urgent renewal and security notices)
(Enter 'c' to cancel): [email protected]

Read and accept the Terms of Service:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y

Optionally agree to share your email address with the Electronic Frontier Foundation:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
Account registered.

The Let’s Encrypt certificate generation process should then begin:

Requesting a certificate for osticket.computingforgeeks.com and www.osticket.computingforgeeks.com
Performing the following challenges:
http-01 challenge for osticket.computingforgeeks.com
http-01 challenge for www.osticket.computingforgeeks.com
Using the webroot path /var/www/osTicket/upload for all unmatched domains.
Waiting for verification...
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Requesting a certificate for osticket.computingforgeeks.com
Subscribe to the EFF mailing list (email: [email protected]).

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/osticket.computingforgeeks.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/osticket.computingforgeeks.com/privkey.pem
   Your certificate will expire on 2021-06-27. To obtain a new or
   tweaked version of this certificate in the future, simply run
   certbot again. To non-interactively renew *all* of your
   certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Next, update the web server configuration for osTicket. The original configuration file looks like this:

$ cat /etc/httpd/conf.d/osticket.conf
<VirtualHost *:80>
     ServerAdmin [email protected]
     DocumentRoot /var/www/osTicket/upload
     ServerName osticket.computingforgeeks.com
     ServerAlias www.osticket.computingforgeeks.com
     <Directory /var/www/osTicket/>
          Options FollowSymlinks
          AllowOverride All
          Require all granted
     </Directory>

     ErrorLog /var/log/httpd/osticket_error.log
     CustomLog /var/log/httpd/osticket_access.log combined
</VirtualHost>

Back up the HTTP configuration file:

sudo cp /etc/httpd/conf.d/osticket.conf{,.bak}

Open the file for editing:

sudo vim /etc/httpd/conf.d/osticket.conf

Paste the contents below, adjusting them for your domain:

# osTicket configuration using Let's Encrypt SSL
<VirtualHost *:80>
        ServerName osticket.computingforgeeks.com
        # Send every plain-HTTP request to the HTTPS virtual host
        RewriteEngine On
        RewriteCond %{HTTPS} !=on
        RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R=301,L]
</VirtualHost>
<VirtualHost *:443>
        # Placeholder address: replace with your own
        ServerAdmin admin@example.com
        DocumentRoot /var/www/osTicket/upload
        ServerName osticket.computingforgeeks.com
        <Directory /var/www/osTicket/upload/>
          # Same options as the original HTTP virtual host (no directory listing)
          Options FollowSymLinks
          AllowOverride All
          # Apache 2.4 access control; replaces the 2.2-style Order/Allow lines
          Require all granted
        </Directory>
        ErrorLog  /var/log/httpd/osticket_error.log
        CustomLog /var/log/httpd/osticket_access.log combined
        # Certificate chain and private key issued by certbot above
        SSLEngine on
        SSLCertificateFile /etc/letsencrypt/live/osticket.computingforgeeks.com/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/osticket.computingforgeeks.com/privkey.pem
</VirtualHost>

Confirm configuration syntax is okay:

$ sudo /usr/sbin/httpd -t
Syntax OK
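
`httpd -t` only validates syntax. As an added example (not part of the original guide), the Python sketch below checks the layout this step relies on: the port 80 redirect, SSLEngine and the Let's Encrypt paths on port 443, and a DocumentRoot that still matches the certbot webroot. The function names and the sample text are constructed for illustration; the sample keeps a legacy Order line to show one finding.

```python
import re

DOMAIN, WEBROOT = "osticket.computingforgeeks.com", "/var/www/osTicket/upload"
# Constructed sample: this guide's vhost layout, trimmed, with a legacy Order line.
SAMPLE = f"""
<VirtualHost *:80>
    RewriteRule ^/?(.*) https://%{{SERVER_NAME}}/$1 [R=301,L]
</VirtualHost>
<VirtualHost *:443>
    DocumentRoot {WEBROOT}
    <Directory {WEBROOT}/>
        Order allow,deny
        Require all granted
    </Directory>
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/{DOMAIN}/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/{DOMAIN}/privkey.pem
</VirtualHost>
"""

def parse_vhosts(text):
    """Map port -> {directive: [args]}; nested <Directory> directives are folded in."""
    vhosts, cur = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        opened = re.match(r"<VirtualHost\s+[^>]*:(\d+)\s*>", line, re.I)
        if opened:
            cur = vhosts.setdefault(int(opened.group(1)), {})
        elif re.match(r"</VirtualHost\s*>", line, re.I):
            cur = None
        elif cur is not None and line and line[0] not in "<#":
            name, *rest = line.split(None, 1)
            cur.setdefault(name.lower(), []).append(rest[0] if rest else "")
    return vhosts

def audit(text, domain=DOMAIN, webroot=WEBROOT):
    """Return findings; an empty list means the file matches the guide's layout."""
    v, out = parse_vhosts(text), []
    http, tls = v.get(80, {}), v.get(443, {})
    live = f"/etc/letsencrypt/live/{domain}/"
    if not any("https://" in r and "R=301" in r for r in http.get("rewriterule", [])):
        out.append("port 80: no permanent redirect to https")
    if [a.lower() for a in tls.get("sslengine", [])] != ["on"]:
        out.append("port 443: SSLEngine is not on")
    for name, pem in (("sslcertificatefile", "fullchain.pem"),
                      ("sslcertificatekeyfile", "privkey.pem")):
        if tls.get(name) != [live + pem]:
            out.append(f"port 443: {name} is not {live}{pem}")
    if tls.get("documentroot") != [webroot]:
        out.append("port 443: DocumentRoot differs from the certbot webroot")
    if "order" in tls or "allow" in tls:
        out.append("port 443: Apache 2.2 Order/Allow mixed with Require")
    return out
```

To check a real file, pass its contents: `audit(open("/etc/httpd/conf.d/osticket.conf").read())`.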

Restart the httpd or apache2 service, depending on your operating system:

# Ubuntu / Debian (the ssl module must be enabled for the SSLEngine directive)
$ sudo a2enmod ssl rewrite expires
$ sudo systemctl restart apache2

# CentOS / RHEL
$ sudo systemctl restart httpd

The service should report an active (running) status:

$ systemctl status httpd
● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
  Drop-In: /usr/lib/systemd/system/httpd.service.d
           └─php-fpm.conf
   Active: active (running) since Mon 2021-03-29 12:30:26 UTC; 8s ago
     Docs: man:httpd.service(8)
 Main PID: 9299 (httpd)
   Status: "Started, listening on: port 443, port 80"
    Tasks: 213 (limit: 11232)
   Memory: 27.7M
   CGroup: /system.slice/httpd.service
           ├─9299 /usr/sbin/httpd -DFOREGROUND
           ├─9301 /usr/sbin/httpd -DFOREGROUND
           ├─9302 /usr/sbin/httpd -DFOREGROUND
           ├─9303 /usr/sbin/httpd -DFOREGROUND
           └─9304 /usr/sbin/httpd -DFOREGROUND

Mar 29 12:30:26 osticket.computingforgeeks.com systemd[1]: httpd.service: Succeeded.
Mar 29 12:30:26 osticket.computingforgeeks.com systemd[1]: Stopped The Apache HTTP Server.
Mar 29 12:30:26 osticket.computingforgeeks.com systemd[1]: Starting The Apache HTTP Server...
Mar 29 12:30:26 osticket.computingforgeeks.com systemd[1]: Started The Apache HTTP Server.
Mar 29 12:30:26 osticket.computingforgeeks.com httpd[9299]: Server configured, listening on: port 443, port 80

For Nginx configuration check the osTicket Nginx recipe.

Certificate renewal:

$ sudo /usr/bin/certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/osticket.computingforgeeks.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The following certificates are not due for renewal yet:
  /etc/letsencrypt/live/osticket.computingforgeeks.com/fullchain.pem expires on 2021-06-27 (skipped)
No renewals were attempted.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

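For automated renewals via cron, use the commands below. The certificate was issued with the webroot authenticator, which needs Apache running to serve the challenge files, so the web server is reloaded after a successful renewal rather than stopped during it:

# Ubuntu / Debian
$ sudo /usr/bin/certbot renew --deploy-hook "systemctl reload apache2"

# CentOS
$ sudo /usr/bin/certbot renew --deploy-hook "systemctl reload httpd"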

Step 3: Access osTicket Web Portal

Open the osTicket web portal to confirm that the website loads over HTTPS.


If you click on the lock button it will tell you the connection to the site is secure.


Click on “More Information” to get more details about the certificate.


Your osTicket installation is now secured with a Let’s Encrypt SSL certificate. We hope this guide was helpful.
