Let’s Secure Our Cacti Web Portal with a Free SSL Certificate From LetsEncrypt

If you missed my previous article, in which I did walk you through installing Cacti Server on CentOS 9, you can read it here.

Today, let us focus on the task at hand, which is to clear this annoying “Not secure” warning in the address bar of our Cacti web portal, and we are going to accomplish this with a free SSL certificate from LetsEncrypt, a free and automated certificate authority (CA). The SSL certificate is what will change our connection from HTTP (“Not Secure”) to HTTPS (“Secure”); in other words, HTTP + SSL = HTTPS.

The ISP am setting this up for wants to extend Cacti Portal access to their clients so they can be able to view their bandwidth usage graphs. The sub-domain name is already setup, but it wouldn’t be wise to share with your clients a URL that will pop up the “Not Secure” warning! And hence the need to install SSL and setup HTTPS connection so the clients can see that nice little padlock in the address bar that reassures them that the “Connection is secure”. So, let’s dive in!

Prerequisites:

• Root/Sudo access to your Linux server installation
• A web service like Apache (HTTPD) or Nginx
• An internet connection to your Linux server
• A domain or sub-domain name pointing to your server public IP address

Note: am running all the commands as root, if you are not root, you will need sudo privileges to be able to execute these commands.

Step 1: Update your OS packages to the latest version.

It’s good practice to always update your Linux OS before adding any new packages or services because some new packages might not work well with obsolete OS components. It also helps to maintain the most recent security and bug patches in your system.

Step 2: Install the EPEL repo to the OS if you have not done so previously.

Certbot (the tool that helps you obtain and manage SSL certs from LetsEncrypt) is not available in the default CentOS 9 repo, so we need to add the EPEL repo before we can proceed to installing Certbot.

Step 3: Install Certbot from LetsEncrypt

As mentioned in step 2, Certbot is what will help us to download and manage SSL certificates from LetsEncrypt. Certbot works by using the ACME protocol, which is a standard for communicating with certificate authorities (CAs) and proving your control over a domain name. Certbot can run on your web server or on your own computer, and it can perform different types of challenges to verify your domain ownership, such as creating a file, modifying a DNS record, or answering a TLS request.

You can check your certbot installation with “certbot --version” command, this will return the version of certbot that has been installed on your server.

Step 4: Getting the SSL Certificate From LetsEncrypt

We can now use the Certbot tool to obtain a free SSL certificate from LetsEncrypt. Make sure you have an active internet connection and that you have configure the domain or subdomain and is reachable from the internet. For this example, I will use a subdomain “isp.fastnet.com”

As you can see in the screenshot above, we ran into some small issue “Could not bind TCP port 80 because it is already in use by another process on this system (such as a web server). Please stop the program in question and then try again.”

In the error above, Certbot is complaining about not being able to bind to port 80 when trying to fetch the SSL certificates, and it’s true you can see that service “httpd” on our server is active and running, this caused the conflict with Certbot and we need to first stop “httpd” and then re-attempt Step 4. Use “systemctl stop httpd” to stop the Apache httpd webserver.

We have now successfully received the SSL certificate. Take note of the file locations for certificate and Key:

• Certificate is saved at: /etc/letsencrypt/live/ isp.fastnet.com/fullchain.pem
• Key is saved at:         /etc/letsencrypt/live/ isp.fastnet.com/privkey.pem

Step 5: Configure the webserver (Apache HTTPD) to use SSL certificate.

Before activating our SSL certificate, we need to install “mod_ssl” a module for Apache HTTPD server that provides support for SSL and TLS encryption and authentication. “mod_ssl” works by using OpenSSL library to implement the SSL and TLS protocols, which allow the server and the client to exchange cryptographic keys and certificates, and encrypt and decrypt the data. mod_ssl can also configure various aspects of the SSL and TLS connection, such as cipher suites, protocols, session caching, etc.

Having installed “mod_ssl”, navigate to the Apache configuration directory and edit the “ssl.conf” file to add the SSL certificate and key file PATHs.

Step 6: Start Apache HTTPD webservice and allow HTTPS service in the firewall rules.

If you have a “firewall” running on your server, make sure to allow access to HTTPS service on the public zone. For this example, we have FirewallD running on our server, and we had to add the https service in zone public and reload the firewall.

At this point, you are ready to test your HTTPS connection in the browser and the annoying “Not secure” warning should now be replaced by a nice “Secure” padlock icon.

Step 7: Renewing the certificate.

The SSL certificate from LetsEncrypt is always set to expire after 90 days (3 months), so you need to always renew it. However, you can automate this task using a cron-job.

In this article, we have successfully installed SSL certificate from LetsEncrypt to secure our cacti web portal from “Not Secure HTTP” to “Secure HTTPS“. The same procedure can work for any other web application running on Apache, next time we shall test this on Nginx server. If this article has been helpful, please feel free to share it with your fellow techies in your professional circles.