Securing Your Filecloud Installation with a Wildcard Letsencrypt SSL Certificate

For this blog post, we will delve into the steps necessary to secure a FileCloud installation with a wildcard “Lets Encrypt” SSL Certificate and  Ubuntu 20.04 LTS on a multi-tenant site.

Install Certbot Package

To obtain the Let’s Encrypt SSL certificate, we will be required to install a Certbot package in the Ubuntu 20.04 LTS machine. This package can be installed from one of the default Ubuntu package repositories. The below command can help install the necessary packages.

apt install certbot python3-certbot-apache -y

Generate SSL Certificate

After the installation is complete, run the below command to generate the SSL certificate. This process is managed by the Apache plugin that comes with the certbot. In this case, we are going to install a wildcard certificate for the domain example.com. Since this is a wildcard certificate, we will need to manually generate the certificate using the certbot command. The command we are using is below:

root@fcsrv:~# certbot certonly –server https://acme-v02.api.letsencrypt.org/directory –manual –preferred-challenges dns -d ‘*.example.com’

Confirm (or Deny) Logging of IP Address

After running this command, it will ask to confirm if the machine IP can be logged for the SSL generation purpose. In this demo, we have selected Yes.

– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –

NOTE: The IP of this machine will be publicly logged as having requested this

certificate. If you’re running certbot in manual mode on a machine that is not

your server, please ensure you’re okay with that.

 

Are you OK with your IP being logged?

– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –

(Y)es/(N)o: Y

 

Then it will ask us to create a TXT record against the domain for which we need to have the SSL issued:

– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –

Please deploy a DNS TXT record under the name

_acme-challenge.example.com with the following value:

 

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

 

Before continuing, verify the record is deployed.

– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –

For security reasons, we have masked the record. After the verification is completed, the SSL can be found at

/etc/letsencrypt/live/example.com/

Configure Changes and Create Virtual Host Entry

The next step is to make the required changes in /etc/apache2/sites-available/default-ssl.conf. Since this is a multi-tenant installation, we must first create a separate virtual host entry. Below is the virtual host entry we created in the file default-ssl.conf:

<VirtualHost *:443>

# Admin email, Server Name (domain name) and any aliases
ServerAdmin xxx@xxxxxx
ServerName demo.example.com

# Index file and Document Root (where the public files are located)
DirectoryIndex index.php

DocumentRoot /var/www/html
<Directory /var/www/html>
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
</Directory>

ErrorLog ${APACHE_LOG_DIR}/error.log

# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/access.log combined

SSLEngine On
SSLCertificateFile /etc/letsencrypt/live/example.com/cert.pem
SSLCertificateChainFile /etc/letsencrypt/live/example.com/chain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder on
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256

</VirtualHost>

Run Configuration Test

After making the changes, it is advised to run an apache config test to make sure everything is configured correctly. The expected output should be:

root@fcsrv:/etc/apache2/sites-enabled# apachectl -t

Syntax OK

Restart the apache service and use any SSL verification site to make sure your SSL certificate has been installed correctly. For additional support, please contact our FileCloud Support Team.

 

Article written by Nandakumar Chitra Suresh