SolusVM Letsencrypt certificate – Steps to secure your SolusVM server
Anything exposed to the internet is likely to be attacked.
So, it’s important to have a secure communication channel. And, SSL certificates play a great role in securing websites and control panels.
At Bobcares, we help server owners install SSL certificates on their websites and control panels as part of our Server Administration Services.
Today, let’s discuss how our Support Engineers install Letsencrypt certificate on a SolusVM server.
SolusVM Letsencrypt certificate – What’s this & Why it’s needed?
First, let’s get an idea on Letsencrypt certificate and why it’s needed.
Without SSL, when the web server communicates with the browser, the data transfer takes place in an unencrypted channel. In other words, this communication channel is highly insecure, and an attacker can easily grab the sensitive information. That’s where an SSL certificate plays its role. It encrypts the whole communication channel.
Server owners can now use Letsencrypt certificates to secure their websites and control panels like SolusVM. These are free SSL certificates that secure the communication channel. However, Letsencrypt certificates should be renewed every 90 days.
Now, let’s see why Letsencrypt is needed for the SolusVM control panel. With an invalid SSL certificate on the SolusVM master, clients will receive an insecure SSL warning when they access the SolusVM control panel. So, an SSL certificate is critical for the SolusVM control panel.
SolusVM Letsencrypt certificate – How to install it?
Now, let’s see how our Dedicated Engineers install Letsencrypt certificate on a SolusVM server.
1) Verify the hostname of the server
Firstly, our Support Engineers verify that the SolusVM server has a valid hostname. Otherwise, we can’t fetch the SSL certificate for the hostname.
We always advise customers to set a Fully Qualified Domain Name (FQDN) for their servers. In addition to that, we confirm the hostname has a valid A record. In other words, the server hostname should resolve properly. For instance, we use the dig command to confirm the hostname has valid A records.
2) Install Letsencrypt certificate
Installing a Letsencrypt certificate on a SolusVM server involves a series of steps. Our Support Engineers commonly use the ACME (Automatic Certificate Management Environment) script or the Certbot utility to install a Letsencrypt certificate on a SolusVM master server. Let’s see both cases in detail.
a) Using ACME
Here are the steps to install and renew Letsencrypt on SolusVM server using ACME script.
i) Install ACME script
Firstly, our Support Experts download and install the ACME script on the server. This script is available in repositories like GitHub.
For example, on Linux servers, we use the wget or curl command to download and install the ACME script.
wget -O - https://get.acme.sh | sh
curl https://get.acme.sh | sh
This installs the script in the user account and adds an alias as well. Most importantly, we log out from the current SSH session and log in again to update the shell path.
In addition to that, this script checks for the folder .verification in the location /usr/local/solusvm/www. So, our Support Experts ensure that this folder is created and has proper permissions.
ii) Request SSL certificate
The next step is to issue the SSL certificate using this ACME script. This script validates the domain over an HTTP connection. For example, we use the below command to get the SSL certificate.
acme.sh --issue -d server.hostname.com -w /usr/local/solusvm/www/.verification
Here, replace server.hostname.com with the hostname of the SolusVM master server.
iii) Install SSL certificate
The next step is to install the Letsencrypt certificate on the SolusVM master server. Our Support Engineers install it using the below script.
acme.sh --installcert -d server.hostname.com --keypath /usr/local/svmstack/nginx/ssl/ssl.key --fullchainpath /usr/local/svmstack/nginx/ssl/ssl.crt
This will install the SSL certificate and private key to the location /usr/local/svmstack/nginx/ssl/.
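Further, we restart the web server and the sshwebsocket, and then generate the ssl.pem file. Since --reloadcmd is an option of the install command rather than a command of its own, we pass it along with --installcert, as in the below command. acme.sh also runs this reload command again after every renewal.
acme.sh --installcert -d server.hostname.com --keypath /usr/local/svmstack/nginx/ssl/ssl.key --fullchainpath /usr/local/svmstack/nginx/ssl/ssl.crt --reloadcmd "service svmstack-nginx restart; /usr/local/svmstack/sshwebsocket/quit; /usr/local/svmstack/sshwebsocket/port_check; cd /usr/local/svmstack/nginx/ssl && cat ssl.key ssl.crt > ssl.pem"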
iv) Setup a cron for auto renewal
The Letsencrypt certificate needs renewal every 90 days. However, the acme.sh script sets up a cron job to automatically renew any certificates on the server. Our Support Engineers verify that the below cron job has been added on the server using the crontab -e command.
0 0 * * * "/home/user/.acme.sh"/acme.sh --cron --home "/home/user/.acme.sh" > /dev/null
b) Using Certbot utility
Alternatively, our Support Experts sometimes use the Certbot client to install and renew Letsencrypt certificates on Linux servers. Let’s see how we use it for installing Letsencrypt certificates.
i) Install Certbot
Firstly, our Support Engineers install the Certbot client on the server. This is usually available in the EPEL repository. So, we first configure the EPEL repository and install the Certbot client. For example, on CentOS servers, we install it using the below command.
yum install certbot
Similarly, on Ubuntu servers, we install certbot using the below command.
apt-get install certbot
ii) Create SSL certificate
Secondly, our Support Engineers create the certificate file using the below command.
certbot certonly --webroot -w /usr/local/solusvm/www/ -d server.hostname.com
Here, give the path of the document root after -w and the SolusVM hostname after -d.
Here, Certbot creates a folder named .well-known/acme-challenge in the document root. The Letsencrypt validation server makes HTTP requests to this directory to ensure that DNS is correctly pointing to the server where Certbot is running. Once this is complete, a new SSL certificate will be generated.
Finally, we combine the certificate and private key in one file.
iii) Install SSL certificate
Further, we update the server configuration to use the new certificate. Here, we make sure that the server hostname, document root, SSL certificate, CA bundle, etc. are intact. Also, we restart the web server to reflect these changes.
Moreover, we also re-configure the server configuration to redirect all non-HTTPS traffic to the HTTPS site.
iv) Cron for Certificate renewal
Letsencrypt certificate is valid for 90 days. So, frequent renewal is needed for these certificates. Our Support Experts always advise customers to set up cron jobs to automatically renew SSL certificates. We can renew Letsencrypt certificates using the below command.
This will renew all the certificates that will expire in less than 30 days. So, our Server Experts configure cron jobs to run this command at frequent intervals.
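The combine, install and restart steps above can be automated as a Certbot deploy hook, so that they run again after every successful renewal. The script below is an added example, not Bobcares’ or SolusVM’s own code; it assumes the /usr/local/svmstack/nginx/ssl/ file layout and the restart commands shown in the acme.sh section, and the helper name install_solusvm_cert is hypothetical.

```shell
#!/bin/sh
# Added example (not from the original page): Certbot deploy hook for a SolusVM master.
# Assumption: svmstack-nginx reads ssl.key, ssl.crt and ssl.pem from SSL_DIR,
# the directory used in the acme.sh section.
SSL_DIR="${SSL_DIR:-/usr/local/svmstack/nginx/ssl}"

# install_solusvm_cert LINEAGE_DIR DEST_DIR   (hypothetical helper name)
# Copies privkey.pem and fullchain.pem from a Certbot lineage directory into
# DEST_DIR as ssl.key and ssl.crt, and builds ssl.pem (key first, then chain).
install_solusvm_cert() {
    lineage=$1
    dest=$2
    key="$lineage/privkey.pem"
    chain="$lineage/fullchain.pem"

    # Leave the live files alone if either input is missing, empty or not PEM.
    [ -s "$key" ] && [ -s "$chain" ] || { echo "empty or missing input in $lineage" >&2; return 1; }
    grep -q 'PRIVATE KEY-----' "$key" || { echo "$key: no PEM private key" >&2; return 1; }
    grep -q 'BEGIN CERTIFICATE-----' "$chain" || { echo "$chain: no PEM certificate" >&2; return 1; }

    # Stage inside DEST_DIR so the final mv is a same-filesystem rename.
    tmp=$(mktemp -d "$dest/.stage.XXXXXX") || return 1
    (
        umask 077   # key material is created owner-only (mode 600)
        cat "$key" > "$tmp/ssl.key" &&
        cat "$chain" > "$tmp/ssl.crt" &&
        cat "$key" "$chain" > "$tmp/ssl.pem"
    ) || { rm -rf "$tmp"; return 1; }

    # Each rename is atomic, so nginx never reads a half-written file.
    for f in ssl.key ssl.crt ssl.pem; do
        mv -f "$tmp/$f" "$dest/$f" || { rm -rf "$tmp"; return 1; }
    done
    rmdir "$tmp"
}

# Certbot exports RENEWED_LINEAGE (the live/<name> directory) to deploy hooks,
# so this part runs only when the script is called as a hook.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    install_solusvm_cert "$RENEWED_LINEAGE" "$SSL_DIR" || exit 1
    service svmstack-nginx restart
    /usr/local/svmstack/sshwebsocket/quit
    /usr/local/svmstack/sshwebsocket/port_check
fi
```

Saved as an executable file at a path of your choice, the script can be passed to certbot renew with the --deploy-hook option; Certbot runs it only for certificates that were actually renewed.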
In short, installing Letsencrypt certificate on SolusVM involves a series of steps. Today, we’ve discussed how our Dedicated Support Engineers install Letsencrypt certificate on a SolusVM master server.