Azure Lets Encrypt
Background
SFTP Gateway 2.0 comes with a web admin interface for managing SFTP users and settings. This website is hosted on a local web server (Nginx).
The website uses a self-signed SSL certificate. This protects your web traffic out of the box. However, you will encounter SSL warnings each time you visit the site.
If you don't want invalid SSL certificate warnings, you will need to obtain a valid SSL certificate.
Using LetsEncrypt
The best free approach is to use LetsEncrypt, which provides free SSL certificates. These are Domain Validation (DV) level certs.
This article covers how to set up LetsEncrypt on Ubuntu 18 LTS. It provides step-by-step instructions for the initial setup.
Before you begin
Before you begin, you will need three pieces of information and one firewall change:
- Domain: robtest.thorn.tech
  This domain has to be pointing to your public IP address prior to running LetsEncrypt.
- IP address: 54.210.100.47
  This should be a static IP, so it doesn't change each time you stop the VM.
- Email: robert.chen@thorntech.com
  LetsEncrypt certs only last 90 days, so make sure your email address is valid to get the expiration warnings.
- NSG Rules: Make sure that your NSG temporarily allows all traffic on port 80, so that the domain-validation challenge (http-01) can reach your server. (Remember to restrict this again once you're done.)
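The two prerequisites above (the A record pointing at the static IP, and port 80 reachable through the NSG) are the usual reasons a certbot run fails, so it is worth checking them before starting the wizard. The script below is an added example, not part of the SFTP Gateway documentation; it assumes a glibc system with `getent` and the `nc` (netcat) binary installed, and uses the article's sample domain and IP as defaults.

```shell
#!/bin/sh
# Preflight checks before running certbot (added example, not from the
# SFTP Gateway docs). Assumes glibc `getent` and `nc` are installed;
# the default domain and IP are the article's sample values.

DOMAIN="${DOMAIN:-robtest.thorn.tech}"
EXPECTED_IP="${EXPECTED_IP:-54.210.100.47}"

# Resolve a hostname to its IPv4 addresses, one per line (empty on failure).
resolve_ipv4() {
    getent ahostsv4 "$1" 2>/dev/null | awk '{print $1}' | sort -u
}

# Pure check: return 0 only when EVERY resolved address equals the expected
# static IP. A stale or extra A record makes the http-01 challenge fail, or
# sends the validation request to a host you do not control, so be strict.
dns_matches() {
    resolved="$1"   # newline-separated list of addresses
    expected="$2"
    [ -n "$resolved" ] || return 1
    for ip in $resolved; do
        [ "$ip" = "$expected" ] || return 1
    done
    return 0
}

# Port 80 must be reachable from the internet for the http-01 challenge.
# This only proves reachability from where the script runs; run it from
# outside the Azure VNet to exercise the NSG rule as well.
port_open() {
    nc -z -w 3 "$1" "$2" >/dev/null 2>&1
}

main() {
    status=0
    addrs="$(resolve_ipv4 "$DOMAIN")"
    if dns_matches "$addrs" "$EXPECTED_IP"; then
        echo "OK   $DOMAIN resolves only to $EXPECTED_IP"
    else
        echo "FAIL $DOMAIN resolves to: ${addrs:-<nothing>} (expected $EXPECTED_IP)"
        status=1
    fi
    if port_open "$DOMAIN" 80; then
        echo "OK   port 80 reachable on $DOMAIN"
    else
        echo "FAIL port 80 not reachable on $DOMAIN (check the NSG rule)"
        status=1
    fi
    return $status
}

# Only run the checks when executed directly as preflight.sh, so the
# functions can be sourced elsewhere without triggering network calls.
[ "${0##*/}" = "preflight.sh" ] && main
```

Save it as preflight.sh and run `DOMAIN=your.domain EXPECTED_IP=your.ip sh preflight.sh`; a non-zero exit means certbot's http-01 challenge would not succeed yet.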
Installation
These installation steps are based on the LetsEncrypt documentation:
https://certbot.eff.org/lets-encrypt/ubuntubionic-nginx.html
Run the following commands to install LetsEncrypt.
sudo apt-get update
sudo apt-get -y install software-properties-common
sudo add-apt-repository universe
sudo add-apt-repository ppa:certbot/certbot -y
sudo apt-get update
sudo apt-get -y install certbot python-certbot-nginx
Creating an SSL certificate
After you have run the above commands to install LetsEncrypt, you can generate the SSL certificate.
sudo certbot certonly --nginx
You will be taken through an interactive wizard. Respond with the information you gathered in the Before you begin section.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): robert.chen@thorntech.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N
No names were found in your configuration files. Please enter in your domain
name(s) (comma and/or space separated) (Enter 'c' to cancel): robtest.thorn.tech
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for robtest.thorn.tech
Using default addresses 80 and [::]:80 ipv6only=on for authentication.
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/robtest.thorn.tech/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/robtest.thorn.tech/privkey.pem
Your cert will expire on 2020-03-03. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
Update your nginx conf file
If you see the Congratulations message, you should see some certificate files generated at the following location (based on your domain name):
/etc/letsencrypt/live/robtest.thorn.tech/
To use the certificate files, edit the following conf file:
/etc/nginx/sites-available/website.conf
Around lines 36-37, replace the following lines:
ssl_certificate /etc/nginx/ssl/website.bundle.crt;
ssl_certificate_key /etc/nginx/ssl/website.key;
With this (use fullchain.pem rather than cert.pem: fullchain.pem also contains the intermediate certificate, and without it many clients cannot build the chain and still show a warning):
ssl_certificate /etc/letsencrypt/live/robtest.thorn.tech/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/robtest.thorn.tech/privkey.pem;
Note: your path will vary based on your domain name.
Finally, test the configuration and restart Nginx (the test must pass before the restart, otherwise a typo in the conf file takes the admin interface down):
sudo nginx -t && sudo service nginx restart
Verify that it works by navigating to your domain via your web browser using HTTPS.
If all is well, you should see a valid SSL certificate.
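Because the certificate expires after 90 days, the conf edit above is only half the job: the renewed files must also be picked up by nginx. The script below is an added example, not part of the SFTP Gateway documentation. It automates the ssl_certificate rewrite (pointing at fullchain.pem), and installs a deploy hook in certbot's standard renewal-hooks/deploy directory so that `certbot renew` reloads nginx after each successful renewal. The conf path is the one from the article; the hook file name reload-nginx.sh is made up here, and `sed -i` in this form is the GNU sed found on Ubuntu.

```shell
#!/bin/sh
# Point the SFTP Gateway nginx site at the Let's Encrypt files and install a
# renewal hook (added example, not from the SFTP Gateway docs). Assumes the
# conf path from the article and certbot's /etc/letsencrypt/renewal-hooks/deploy
# directory; the hook file name reload-nginx.sh is an assumption.

DOMAIN="${DOMAIN:-robtest.thorn.tech}"
NGINX_CONF="${NGINX_CONF:-/etc/nginx/sites-available/website.conf}"
HOOK_DIR="${HOOK_DIR:-/etc/letsencrypt/renewal-hooks/deploy}"

# Rewrite the two ssl_* directives in conf file $1 for domain $2. Uses
# fullchain.pem (leaf + intermediate) rather than cert.pem: with cert.pem
# alone, clients that do not already cache the intermediate fail validation.
point_nginx_at_letsencrypt() {
    conf="$1"; domain="$2"
    live="/etc/letsencrypt/live/$domain"
    cp "$conf" "$conf.bak"   # keep a copy to roll back to
    sed -i \
        -e "s#^\([[:space:]]*ssl_certificate[[:space:]]\).*#\1$live/fullchain.pem;#" \
        -e "s#^\([[:space:]]*ssl_certificate_key[[:space:]]\).*#\1$live/privkey.pem;#" \
        "$conf"
    # Both directives must now reference the live directory exactly once.
    [ "$(grep -c "$live/fullchain.pem;" "$conf")" = 1 ] &&
    [ "$(grep -c "$live/privkey.pem;" "$conf")" = 1 ]
}

# certbot runs every executable in the deploy hook directory after a
# successful renewal, so nginx serves the new files without a separate cron
# job. The hook tests the config first so a bad reload never takes the
# admin interface down.
install_reload_hook() {
    hookdir="$1"
    mkdir -p "$hookdir"
    cat > "$hookdir/reload-nginx.sh" <<'EOF'
#!/bin/sh
nginx -t && service nginx reload
EOF
    chmod 0755 "$hookdir/reload-nginx.sh"
    [ -x "$hookdir/reload-nginx.sh" ]
}

main() {
    point_nginx_at_letsencrypt "$NGINX_CONF" "$DOMAIN" || {
        echo "conf rewrite failed; original kept in $NGINX_CONF.bak"; exit 1; }
    install_reload_hook "$HOOK_DIR"
    nginx -t && service nginx restart
    # Exercise the renewal path now rather than discovering a problem in 90 days.
    certbot renew --dry-run
}

# Only act when executed directly as switch-to-letsencrypt.sh.
[ "${0##*/}" = "switch-to-letsencrypt.sh" ] && main
```

Run it as root (`sudo sh switch-to-letsencrypt.sh`) after the certbot wizard has printed the Congratulations message. The `certbot renew --dry-run` at the end uses the staging environment and confirms that port 80 is still reachable for renewals; if you tightened the NSG again after issuance, this is where that shows up.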