For this blog post, we will walk through the steps needed to secure a FileCloud installation on Ubuntu 20.04 LTS with a wildcard Let's Encrypt SSL certificate on a multi-tenant site.

Install Certbot Package

To obtain the Let's Encrypt SSL certificate, we first need to install the Certbot package on the Ubuntu 20.04 LTS machine. The package is available from the default Ubuntu package repositories; the command below installs everything required.
apt install certbot python3-certbot-apache -y
After the installation is complete, run the command below to generate the SSL certificate. This process is managed by the Apache plugin that comes with certbot. In this case, we are going to obtain a wildcard certificate for the domain example.com. Since this is a wildcard certificate (which can only be validated through a DNS challenge), we will need to generate it manually using the certbot command. The command we are using is below:
root@fcsrv:~# certbot certonly --server https://acme-v02.api.letsencrypt.org/directory --manual --preferred-challenges dns -d '*.example.com'
After running this command, certbot asks you to confirm whether the machine's IP address may be publicly logged as part of the certificate request. In this demo, we selected Yes.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.
Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
Certbot then asks us to create a DNS TXT record for the domain the certificate is being issued for:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.example.com with the following value:
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
For security reasons, we have masked the record value. Once the DNS verification completes, the certificate files can be found at
/etc/letsencrypt/live/example.com/
The next step is to make the required changes in /etc/apache2/sites-available/default-ssl.conf. Since this is a multi-tenant installation, we must first create a separate virtual host entry. Below is the virtual host entry we created in default-ssl.conf:

<VirtualHost *:443>
    # Admin email, Server Name (domain name) and any aliases
    ServerAdmin xxx@xxxxxx
    ServerName demo.example.com

    # Index file and Document Root (where the public files are located)
    DirectoryIndex index.php
    DocumentRoot /var/www/html

    <Directory /var/www/html>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride All
        Order allow,deny
        allow from all
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/error.log

    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn

    CustomLog ${APACHE_LOG_DIR}/access.log combined

    SSLEngine On
    SSLCertificateFile /etc/letsencrypt/live/example.com/cert.pem
    SSLCertificateChainFile /etc/letsencrypt/live/example.com/chain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLHonorCipherOrder on
    SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
</VirtualHost>
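Before enabling a vhost like the one above, it is worth checking its TLS directives mechanically rather than by eye. The script below is an added example written for this post (it is not FileCloud's or Apache's code): it parses the directives of a VirtualHost fragment (a trimmed copy of the article's own block is embedded as constructed sample input), expands the SSLProtocol value into the versions that stay enabled, and reports anything a reviewer would flag, including the legacy SSLCertificateChainFile directive, which Apache deprecated in 2.4.8 in favour of pointing SSLCertificateFile at fullchain.pem. The set of versions "all" expands to is assumed to be the Apache 2.4 / OpenSSL 1.1 set shipped with Ubuntu 20.04.

```python
"""Audit the TLS-relevant directives of an Apache <VirtualHost> block.

Added example, not FileCloud's or Apache's code. It reads a vhost
fragment such as the one in the article and lists the settings a
reviewer would question before running `a2ensite`.
"""
from typing import Dict, List

# Constructed sample: the article's vhost, trimmed to the TLS directives.
SAMPLE_VHOST = """
<VirtualHost *:443>
    ServerName demo.example.com
    SSLEngine On
    SSLCertificateFile /etc/letsencrypt/live/example.com/cert.pem
    SSLCertificateChainFile /etc/letsencrypt/live/example.com/chain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLHonorCipherOrder on
    SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384
</VirtualHost>
"""

# Assumption: the versions mod_ssl's "all" covers on Apache 2.4 with OpenSSL 1.1.
KNOWN_PROTOCOLS = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
LEGACY_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}


def parse_directives(vhost_text: str) -> Dict[str, str]:
    """Map directive name -> value for the lines inside the block.

    Comments, blank lines and section tags are skipped; if a directive
    is repeated, the last occurrence wins, as it does in Apache."""
    directives: Dict[str, str] = {}
    for raw in vhost_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        parts = line.split(None, 1)
        directives[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return directives


def enabled_protocols(sslprotocol: str) -> List[str]:
    """Expand 'all -SSLv3 -TLSv1 ...' into the versions left enabled."""
    enabled = set()
    for token in sslprotocol.split():
        if token.lower() == "all":
            enabled.update(KNOWN_PROTOCOLS)
        elif token.startswith("-"):
            enabled.discard(token[1:])
        elif token.startswith("+"):
            enabled.add(token[1:])
        else:
            enabled.add(token)
    return [p for p in KNOWN_PROTOCOLS if p in enabled]


def audit_vhost(vhost_text: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing to flag."""
    d = parse_directives(vhost_text)
    findings: List[str] = []
    if d.get("SSLEngine", "").lower() != "on":
        findings.append("SSLEngine is not On")
    # Apache's default when SSLProtocol is absent is "all".
    weak = [p for p in enabled_protocols(d.get("SSLProtocol", "all")) if p in LEGACY_PROTOCOLS]
    if weak:
        findings.append("legacy protocols enabled: " + ", ".join(weak))
    for key in ("SSLCertificateFile", "SSLCertificateKeyFile"):
        if key not in d:
            findings.append(f"{key} missing")
    if d.get("SSLCertificateFile", "").endswith("/cert.pem") and "SSLCertificateChainFile" not in d:
        findings.append("cert.pem served without intermediates: clients will see an incomplete chain")
    if "SSLCertificateChainFile" in d:
        findings.append("SSLCertificateChainFile is deprecated since Apache 2.4.8; "
                        "point SSLCertificateFile at fullchain.pem instead")
    return findings


if __name__ == "__main__":
    for finding in audit_vhost(SAMPLE_VHOST) or ["no findings"]:
        print(finding)
```

Run against the article's block it reports only the deprecated chain directive; drop the `-TLSv1.1` token from SSLProtocol and the legacy-protocol finding appears as well.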
After making the changes, run an Apache configuration test to make sure everything is configured correctly. The expected output is:
root@fcsrv:/etc/apache2/sites-enabled# apachectl -t
Syntax OK
Restart the Apache service and use any SSL verification site to confirm that your SSL certificate has been installed correctly. For additional support, please contact our FileCloud Support Team.
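The verification step matters for a wildcard in particular: the certificate requested above is for `*.example.com`, and a wildcard covers exactly one label, so it matches the `demo.example.com` vhost but not the bare `example.com` or a deeper name such as `a.b.example.com`. The script below is an added example for this post (not FileCloud's or certbot's code): it implements the browser-style hostname matching rule, checks the remaining validity, and can fetch the live certificate of a server with the standard library. The `SAMPLE_CERT` dictionary is constructed to look like what `ssl.SSLSocket.getpeercert()` returns for the article's wildcard certificate; the expiry date in it is invented.

```python
"""Check that a served certificate actually covers the vhost name.

Added example, not FileCloud's or certbot's code. hostname_matches()
applies the one-label wildcard rule browsers use, check_cert() audits a
getpeercert()-style dict, and check_server() runs that audit against a
live host using only the standard library.
"""
import socket
import ssl
import time
from typing import Iterable, List, Optional


def hostname_matches(pattern: str, hostname: str) -> bool:
    """True if a DNS SAN entry (possibly '*.example.com') covers hostname.

    '*' is honoured only as the entire left-most label, never matches a
    dot, and never matches the apex domain itself."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Reject partial wildcards ('d*.example.com') and too-broad ones ('*', '*.com').
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if len(h_labels) != len(p_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def covered_by(sans: Iterable[str], hostname: str) -> bool:
    return any(hostname_matches(san, hostname) for san in sans)


def days_until_expiry(not_after: str, now: Optional[float] = None) -> float:
    """not_after uses the getpeercert() format, e.g. 'Jun  1 12:00:00 2024 GMT'."""
    now = time.time() if now is None else now
    return (ssl.cert_time_to_seconds(not_after) - now) / 86400


def check_cert(cert: dict, hostname: str, now: Optional[float] = None,
               min_days: int = 14) -> List[str]:
    """Findings for a parsed certificate as returned by getpeercert()."""
    findings: List[str] = []
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not covered_by(sans, hostname):
        findings.append(f"{hostname} not covered by SANs {sans}")
    days = days_until_expiry(cert["notAfter"], now)
    if days < 0:
        findings.append("certificate expired")
    elif days < min_days:
        findings.append(f"certificate expires in {days:.0f} days; check certbot renew")
    return findings


def check_server(hostname: str, port: int = 443, timeout: float = 5.0) -> List[str]:
    """Connect using the system trust store and audit the presented certificate."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return check_cert(tls.getpeercert(), hostname)


# Constructed sample: a getpeercert()-style view of the article's wildcard cert.
SAMPLE_CERT = {
    "subjectAltName": (("DNS", "*.example.com"),),
    "notAfter": "Jan  1 00:00:00 2030 GMT",  # invented date
}

if __name__ == "__main__":
    for host in ("demo.example.com", "example.com", "a.b.example.com"):
        print(host, check_cert(SAMPLE_CERT, host, now=0) or "OK")
```

To test a real deployment, call `check_server("demo.example.com")` from a machine that resolves the name to the new vhost; an empty list means the name is covered and the certificate is not close to expiry. Because `check_server` uses `create_default_context()`, a missing intermediate or an untrusted chain surfaces as an `ssl.SSLCertVerificationError` rather than a finding.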
Article written by Nandakumar Chitra Suresh