{"id":142730,"date":"2023-08-11T22:24:53","date_gmt":"2023-08-11T19:24:53","guid":{"rendered":"https:\/\/computingforgeeks.com\/?p=142730"},"modified":"2024-07-09T13:03:49","modified_gmt":"2024-07-09T10:03:49","slug":"secure-openproject-with-lets-encrypt-ssl-certificate","status":"publish","type":"post","link":"https:\/\/computingforgeeks.com\/secure-openproject-with-lets-encrypt-ssl-certificate\/","title":{"rendered":"How to Secure OpenProject with SSL (Let&#8217;s Encrypt Guide)"},"content":{"rendered":"\n<p><a href=\"https:\/\/www.openproject.org\/\" data-type=\"link\" data-id=\"https:\/\/www.openproject.org\/\" target=\"_blank\" rel=\"noreferrer noopener\">OpenProject<\/a> is a powerful, free and open source software application that can be used for both classical and agile project management to support your team along the entire project life-cycle. In past articles we covered the<a href=\"https:\/\/computingforgeeks.com\/?s=install+openproject\" data-type=\"link\" data-id=\"https:\/\/computingforgeeks.com\/?s=install+openproject\" target=\"_blank\" rel=\"noreferrer noopener\"> installation and configuration of OpenProject<\/a> on various Linux distributions.<\/p>\n\n\n\n<p>The default installation of OpenProject uses the Apache httpd server to serve web requests. 
At installation time you had the option to configure SSL; if you skipped it and OpenProject is served over plain HTTP, this article shows how to secure access with HTTPS.<\/p>\n\n\n\n<p>Before you proceed, ensure you have:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>A functional installation of OpenProject.<\/li>\n\n\n\n<li>Apache installed and enabled for use with OpenProject.<\/li>\n\n\n\n<li>An FQDN for OpenProject.<\/li>\n\n\n\n<li>SSH access to the OpenProject server with sudo privileges.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Install the certbot tool<\/h2>\n\n\n\n<p>Log in to your OpenProject server instance and install the certbot command-line tool. <a href=\"https:\/\/certbot.eff.org\/\" data-type=\"link\" data-id=\"https:\/\/certbot.eff.org\/\" target=\"_blank\" rel=\"noreferrer noopener\">Certbot<\/a> is an easy-to-use client that fetches a certificate from Let&#8217;s Encrypt. This guide assumes OpenProject is deployed on a server with a public IPv4 address.<\/p>\n\n\n\n<p>If your installation of OpenProject is on a private LAN and DNS is handled by Cloudflare, see the article below on how to generate Let&#8217;s Encrypt certificates for services in a private network.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/computingforgeeks.com\/lets-encrypt-on-private-network-using-cloudflare\/\" target=\"_blank\" rel=\"noreferrer noopener\">Generate Let\u2019s Encrypt SSL Certificate using Cloudflare on Private Network<\/a><\/li>\n<\/ul>\n\n\n\n<p>Use the following commands to install Certbot on your Linux system.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code><em><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-purple-color\"># Ubuntu \/ Debian\n<\/mark><\/em>sudo apt update\nsudo apt-get install certbot\n\n<em><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-purple-color\"># Fedora\n<\/mark><\/em>sudo 
dnf install certbot -y\n\n<em><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-purple-color\"># CentOS \/ Rocky \/ AlmaLinux 8\n<\/mark><\/em>sudo dnf -y install epel-release\nsudo yum -y install certbot\n\n<em><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-purple-color\"># CentOS 7\n<\/mark><\/em>sudo yum -y install epel-release\nsudo yum -y install certbot<\/code><\/pre>\n\n\n\n<p>Confirm the installation by checking the software version.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>$ <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-luminous-vivid-amber-color\">certbot --version<\/mark>\ncertbot 2.1.0<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Generate Let&#8217;s Encrypt Certificate<\/h2>\n\n\n\n<p>Stop both the Apache and OpenProject services so that certbot&#8217;s standalone server can bind to port 80.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo systemctl stop apache2 openproject<\/code><\/pre>\n\n\n\n<p>On RHEL-based systems, the <code>http<\/code> service must be allowed through the firewall.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo firewall-cmd --add-service={http,https} --permanent\nsudo firewall-cmd --reload<\/code><\/pre>\n\n\n\n<p>Save the domain name and the email address that will receive certificate expiry warnings as variables.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>DOMAIN=<mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-pale-cyan-blue-color\">projects.example.com<\/mark>\nEMAIL=<mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-luminous-vivid-amber-color\">webmaster@example.com<\/mark><\/code><\/pre>\n\n\n\n<p>Use the <code>certbot<\/code> command to request the certificate.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo certbot certonly --standalone -d $DOMAIN --preferred-challenges http --agree-tos -n -m $EMAIL --keep-until-expiring<\/code><\/pre>\n\n\n\n<p>On success, certbot prints output like the following. 
Take note of the paths to your certificate and key; OpenProject will use them.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Saving debug log to \/var\/log\/letsencrypt\/letsencrypt.log\nRequesting a certificate for projects.example.com\nWaiting 10 seconds for DNS changes to propagate\n\nSuccessfully received certificate.\nCertificate is saved at: \/etc\/letsencrypt\/live\/projects.example.com\/fullchain.pem\nKey is saved at:         \/etc\/letsencrypt\/live\/projects.example.com\/privkey.pem\nThis certificate expires on 2023-11-09.\nThese files will be updated when the certificate renews.\nCertbot has set up a scheduled task to automatically renew this certificate in the background.\n\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\nIf you like Certbot, please consider supporting our work by:\n * Donating to ISRG \/ Let's Encrypt:   https:\/\/letsencrypt.org\/donate\n * Donating to EFF:                    https:\/\/eff.org\/donate-le\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -<\/code><\/pre>\n\n\n\n<p>In private network environments, consider using Cloudflare for your domain&#8217;s DNS: <a href=\"https:\/\/computingforgeeks.com\/lets-encrypt-on-private-network-using-cloudflare\/\" target=\"_blank\" rel=\"noreferrer noopener\">Generate Let\u2019s Encrypt SSL Certificate using Cloudflare on Private Network<\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Configure OpenProject to use Let&#8217;s Encrypt<\/h2>\n\n\n\n<p>The OpenProject installation uses the following Apache configuration file when SSL is not enabled.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>$ <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-pale-pink-color\">sudo vim \/etc\/apache2\/sites-available\/openproject.conf<\/mark>\nInclude \/etc\/openproject\/addons\/apache2\/includes\/server\/*.conf\nIncludeOptional \/etc\/openproject\/addons\/apache2\/custom\/server\/*.conf\n\n&lt;VirtualHost 
*:80&gt;\n  ServerName projects.example.com\n  DocumentRoot \/opt\/openproject\/public\n\n  ProxyRequests off\n\n  Include \/etc\/openproject\/addons\/apache2\/includes\/vhost\/*.conf\n  IncludeOptional \/etc\/openproject\/addons\/apache2\/custom\/vhost\/*.conf\n\n  # Can't use Location block since it would overshadow all the other proxypass directives on CentOS\n  ProxyPass \/ http:\/\/127.0.0.1:6000\/ retry=0\n  ProxyPassReverse \/ http:\/\/127.0.0.1:6000\/\n&lt;\/VirtualHost&gt;<\/code><\/pre>\n\n\n\n<p>Modify the file to include the SSL configuration. In this example we&#8217;re redirecting HTTP traffic to HTTPS. Change the domain name to the one you&#8217;re using.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Include \/etc\/openproject\/addons\/apache2\/includes\/server\/*.conf\nIncludeOptional \/etc\/openproject\/addons\/apache2\/custom\/server\/*.conf\n\n&lt;VirtualHost *:80&gt;\n  ServerName <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-purple-color\">projects.example.com<\/mark>\n  RewriteEngine On\n  RewriteRule ^\/?(.*) https:\/\/%{SERVER_NAME}:443\/$1 &#91;R,L]\n&lt;\/VirtualHost&gt;\n\n&lt;VirtualHost *:443&gt;\n  ServerName <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-purple-color\">projects.example.com<\/mark>\n  DocumentRoot \/opt\/openproject\/public\n\n  ProxyRequests off\n\n  Include \/etc\/openproject\/addons\/apache2\/includes\/vhost\/*.conf\n  IncludeOptional \/etc\/openproject\/addons\/apache2\/custom\/vhost\/*.conf\n\n  # Can't use Location block since it would overshadow all the other proxypass directives on CentOS\n  ProxyPass \/ http:\/\/127.0.0.1:6000\/ retry=0\n  ProxyPassReverse \/ http:\/\/127.0.0.1:6000\/\n&lt;\/VirtualHost&gt;<\/code><\/pre>\n\n\n\n<p>If the virtual host SSL config file doesn&#8217;t exist, create one. 
Don&#8217;t forget to update the SSL certificate and key paths.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>$ <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-pale-pink-color\">sudo vim \/etc\/openproject\/addons\/apache2\/includes\/vhost\/ssl.conf<\/mark>\nSSLEngine On\nSSLCertificateFile \/<mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-luminous-vivid-amber-color\">etc\/letsencrypt\/live\/projects.example.com\/fullchain.pem<\/mark>\nSSLCertificateKeyFile <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-luminous-vivid-amber-color\">\/etc\/letsencrypt\/live\/projects.example.com\/privkey.pem<\/mark>\nRequestHeader set X_FORWARDED_PROTO 'https'<\/code><\/pre>\n\n\n\n<p>Next, edit the file below and set both variables to <code>true<\/code>.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>$ <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-pale-pink-color\">sudo vim \/etc\/openproject\/conf.d\/other<\/mark>\nexport OPENPROJECT_HTTPS=\"<mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-cyan-blue-color\">true<\/mark>\"\nexport OPENPROJECT_HSTS=\"<mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-cyan-blue-color\">true<\/mark>\"<\/code><\/pre>\n\n\n\n<p>Enable the necessary modules for the Apache web server.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo a2enmod ssl headers proxy_http rewrite<\/code><\/pre>\n\n\n\n<p>When done, restart the apache2 and openproject services.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo systemctl restart apache2 openproject<\/code><\/pre>\n\n\n\n<p>The status of both should show as <strong>running.<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>$ <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-pale-pink-color\">systemctl status apache2 openproject<\/mark>\n<mark style=\"background-color:rgba(0, 0, 0, 0)\" 
class=\"has-inline-color has-light-green-cyan-color\">\u25cf<\/mark> apache2.service - The Apache HTTP Server\n     Loaded: loaded (\/lib\/systemd\/system\/apache2.service; enabled; preset: enabled)\n     Active: <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-green-cyan-color\">active (running)<\/mark> since Fri 2023-08-11 13:53:50 EAT; 9s ago\n       Docs: https:\/\/httpd.apache.org\/docs\/2.4\/\n    Process: 19457 ExecStart=\/usr\/sbin\/apachectl start (code=exited, status=0\/SUCCESS)\n   Main PID: 19462 (\/usr\/sbin\/apach)\n      Tasks: 56 (limit: 9476)\n     Memory: 58.5M\n        CPU: 252ms\n     CGroup: \/system.slice\/apache2.service\n             \u251c\u250019462 \/usr\/sbin\/apache2 -k start\n             \u251c\u250019463 \/usr\/sbin\/apache2 -k start\n             \u251c\u250019464 \/usr\/sbin\/apache2 -k start\n             \u2514\u250019465 \/usr\/sbin\/apache2 -k start\n\nAug 11 13:53:50 projects systemd&#91;1]: Starting apache2.service - The Apache HTTP Server...\nAug 11 13:53:50 projects systemd&#91;1]: Started apache2.service - The Apache HTTP Server.\n\n<mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-light-green-cyan-color\">\u25cf<\/mark> openproject.service\n     Loaded: loaded (\/etc\/systemd\/system\/openproject.service; enabled; preset: enabled)\n     Active: <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-green-cyan-color\">active (running)<\/mark> since Fri 2023-08-11 13:53:53 EAT; 6s ago\n   Main PID: 19522 (sleep)\n      Tasks: 1 (limit: 9476)\n     Memory: 176.0K\n        CPU: 1ms\n     CGroup: \/system.slice\/openproject.service\n             \u2514\u250019522 \/bin\/sleep infinity\n\nAug 11 13:53:53 projects systemd&#91;1]: Started openproject.service.<\/code><\/pre>\n\n\n\n<p>In your browser, load the OpenProject web interface and check the certificate details.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" 
decoding=\"async\" width=\"1000\" height=\"1024\" src=\"https:\/\/computingforgeeks.com\/wp-content\/uploads\/2023\/08\/openproject-ssl-apache-1000x1024.png\" alt=\"\" class=\"wp-image-142812\" title=\"\" srcset=\"https:\/\/computingforgeeks.com\/wp-content\/uploads\/2023\/08\/openproject-ssl-apache-1000x1024.png 1000w, https:\/\/computingforgeeks.com\/wp-content\/uploads\/2023\/08\/openproject-ssl-apache-293x300.png 293w, https:\/\/computingforgeeks.com\/wp-content\/uploads\/2023\/08\/openproject-ssl-apache-768x787.png 768w, https:\/\/computingforgeeks.com\/wp-content\/uploads\/2023\/08\/openproject-ssl-apache-696x713.png 696w, https:\/\/computingforgeeks.com\/wp-content\/uploads\/2023\/08\/openproject-ssl-apache-1068x1094.png 1068w, https:\/\/computingforgeeks.com\/wp-content\/uploads\/2023\/08\/openproject-ssl-apache-410x420.png 410w, https:\/\/computingforgeeks.com\/wp-content\/uploads\/2023\/08\/openproject-ssl-apache-356x364.png 356w, https:\/\/computingforgeeks.com\/wp-content\/uploads\/2023\/08\/openproject-ssl-apache.png 1074w\" sizes=\"auto, (max-width: 1000px) 100vw, 1000px\" \/><\/figure>\n\n\n\n<p>Your OpenProject now has secure access using HTTPS and Let&#8217;s Encrypt SSL certificates. To learn more about OpenProject, visit the project&#8217;s <a href=\"https:\/\/www.openproject.org\/docs\" target=\"_blank\" data-type=\"link\" data-id=\"https:\/\/www.openproject.org\/docs\" rel=\"noreferrer noopener\">official documentation pages<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>OpenProject is a powerful, free and open source software application that can be used for both classical and agile project management to support your team along the entire project life-cycle. In the past articles we had dived into the installations and configurations of OpenProject on varying Linux distributions. 
The default installation of OpenProject uses Apache &#8230; <a title=\"How to Secure OpenProject with SSL (Let&#8217;s Encrypt Guide)\" class=\"read-more\" href=\"https:\/\/computingforgeeks.com\/secure-openproject-with-lets-encrypt-ssl-certificate\/\" aria-label=\"Read more about How to Secure OpenProject with SSL (Let&#8217;s Encrypt Guide)\">Read more<\/a><\/p>\n","protected":false},"author":3,"featured_media":142812,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[299,50,75],"tags":[715,38721],"class_list":["post-142730","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-how-to","category-linux-tutorials","category-security","tag-openproject","tag-openproject-lets-encrypt"],"_links":{"self":[{"href":"https:\/\/computingforgeeks.com\/wp-json\/wp\/v2\/posts\/142730","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/computingforgeeks.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/computingforgeeks.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/computingforgeeks.com\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/computingforgeeks.com\/wp-json\/wp\/v2\/comments?post=142730"}],"version-history":[{"count":0,"href":"https:\/\/computingforgeeks.com\/wp-json\/wp\/v2\/posts\/142730\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/computingforgeeks.com\/wp-json\/wp\/v2\/media\/142812"}],"wp:attachment":[{"href":"https:\/\/computingforgeeks.com\/wp-json\/wp\/v2\/media?parent=142730"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/computingforgeeks.com\/wp-json\/wp\/v2\/categories?post=142730"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/computingforgeeks.com\/wp-json\/wp\/v2\/tags?post=142730"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}