
Encrypting VMDashboard with Let’s Encrypt

As a security recommendation, it is always a good practice to encrypt the data sent across the Internet. You can encrypt both your VMDashboard connection as well as the VNC console connection to your virtual machines.

With the Apache web server on Ubuntu you can enable HTTPS traffic using the following command:
sudo a2enmod ssl

If you are using a domain name, you can use a Certificate Authority such as Let’s Encrypt to create a free validated SSL certificate. To get started we will need to create an Apache site configuration file for your domain. I will be using the domain server1.vmdashboard.org for this example. The new config file should end with the .conf extension and be located in the /etc/apache2/sites-available/ directory. To create a new file for your domain use the following command, and be sure to change the domain name:
sudo nano /etc/apache2/sites-available/server1.vmdashboard.org.conf

We will add only the minimum information to the configuration file. The first line below, <VirtualHost *:80>, tells Apache that this configuration applies to HTTP traffic on port 80. When we configure Let’s Encrypt, the HTTPS connection (port 443) will be configured automatically. The second line, ServerName server1.vmdashboard.org, tells Apache which domain name it should be listening for to apply this configuration. The third line, DocumentRoot /var/www/html/vmdashboard/, indicates the root location of the web site files and should be the file path where your VMDashboard files are installed.

<VirtualHost *:80>
ServerName server1.vmdashboard.org
DocumentRoot /var/www/html/vmdashboard/
</VirtualHost>

Once you have added the above information to the configuration file and saved it, enable the site in Apache using the a2ensite command. Run the following, being sure to use your own domain name:
sudo a2ensite server1.vmdashboard.org

When Apache is used only for VMDashboard, it is a good idea to disable the default site configuration that ships with the Apache install. To do that use the command:
sudo a2dissite 000-default.conf

You will need to restart/reload the Apache web server to apply the configuration changes. Use the following command:
sudo systemctl reload apache2

To automate obtaining the Let’s Encrypt certificate with Apache we will need to install the python-certbot-apache package. Use the following command:
sudo apt install python-certbot-apache

To create the SSL certificate and the HTTPS Apache configuration, run the following command, substituting your own domain name. You will be asked for an email address and given the option to redirect all HTTP traffic to HTTPS or not.
sudo certbot --apache -d server1.vmdashboard.org

Now log in to your VMDashboard. Go to the settings page, add the locations of the Let’s Encrypt certificate file and key file, and submit your changes. Below are the locations created for server1.vmdashboard.org:

Certificate file: /etc/letsencrypt/live/server1.vmdashboard.org/fullchain.pem
Key file: /etc/letsencrypt/live/server1.vmdashboard.org/privkey.pem

The permissions on the certificate directories are restricted to the root user. The permissions will need to be changed on the /etc/letsencrypt/live folder as well as /etc/letsencrypt/archive (the files under live/ are symlinks into archive/). We can change the permission to 755 (rwxr-xr-x) to allow VMDashboard to read the information. Run the following commands:
sudo chmod 755 /etc/letsencrypt/live
sudo chmod 755 /etc/letsencrypt/archive
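Added here as a hypothetical check, not part of VMDashboard or the original post: chmod 755 on the two directories only grants traversal, and the key file's own mode bits still decide whether a non-root process can read it. The helper below walks the path under live/, follows the symlink into archive/, and reports the first component that blocks "other" users; it assumes GNU coreutils (stat -c, readlink -f).

```shell
#!/bin/sh
# Hypothetical helper (not from VMDashboard): report whether a file under
# /etc/letsencrypt can be reached and read by a user who is neither root nor
# the file owner, e.g. the account running the noVNC process.

other_bits() {
    # last octal digit of the mode = permission bits for "other"
    mode=$(stat -c '%a' "$1") || return 1
    printf '%s\n' "${mode#"${mode%?}"}"
}

check_dirs() {
    # every directory leading to $1 needs the other-execute (search) bit
    dir=$(dirname "$1")
    while [ "$dir" != "/" ] && [ "$dir" != "." ]; do
        o=$(other_bits "$dir") || return 1
        if [ $((o & 1)) -eq 0 ]; then
            echo "blocked: directory $dir is not searchable by others (mode $(stat -c '%a' "$dir"))"
            return 1
        fi
        dir=$(dirname "$dir")
    done
    return 0
}

check_world_readable() {
    case $1 in /*) path=$1 ;; *) path=$PWD/$1 ;; esac
    target=$(readlink -f "$path") || { echo "cannot resolve $path"; return 1; }
    # directories on the way to the symlink under live/ ...
    check_dirs "$path" || return 1
    # ... and on the way to the real file under archive/ both need the search bit
    check_dirs "$target" || return 1
    # the file itself needs the other-read bit
    o=$(other_bits "$target") || return 1
    if [ $((o & 4)) -eq 0 ]; then
        echo "blocked: $target is not readable by others (mode $(stat -c '%a' "$target"))"
        return 1
    fi
    echo "ok: $path -> $target is readable by others"
    return 0
}
```

On the server, run it as `check_world_readable /etc/letsencrypt/live/<your domain>/privkey.pem`; the definitive test is `sudo -u <service account> test -r <path>` with the account the noVNC process actually runs as.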

You can either restart your server or restart the Python process that serves noVNC to apply the new certificate and key files. If you choose to restart the process, first determine which process id (PID) is listening on port 6080. Use the following command:
sudo netstat -tulpn | grep 6080

Then, after determining the PID, kill the process. For example, if it was PID 1386, I would use the command:
sudo kill 1386

Now log out and log back in to VMDashboard to restart the VNC connection; the new certificate should now be applied.
