Azure Lets Encrypt
Note: This page applies to SFTP Gateway version 2.x. Visit Here for documentation on version 3.x.
Background
SFTP Gateway 2.001.x comes with a web admin interface for managing SFTP users and settings. This website is hosted on a local web server (Nginx).
The website uses a self-signed SSL certificate. This encrypts your web traffic out of the box, but because no trusted Certificate Authority vouches for the certificate, your browser cannot confirm that it is really talking to your server and will show an SSL warning each time you visit the site.
If you don't want these invalid-certificate warnings, you will need to obtain a valid SSL certificate from a publicly trusted CA.
Using LetsEncrypt
The best free approach is to use LetsEncrypt, which provides free SSL certificates. These are Domain Validation (DV) level certs: they attest only that you control the domain name, which is all a browser needs in order to trust the connection.
This article covers how to set up LetsEncrypt on CentOS 7. It provides step-by-step instructions for the initial setup.
Preparation
(1) In the Azure Portal, change the Public IP of your VM from Dynamic to Static. A dynamic address can change when the VM is deallocated, which would silently break the DNS record you create in the next step.
(2) Create a DNS entry (Host A record), which points your domain name to the public IP address of your VM. Allow some time for DNS to propagate.
(3) In the Azure Portal, open your Network Security Group's (NSG) port 80 to Any source.
This is required for the validation step: LetsEncrypt's validation servers connect to your domain over plain HTTP (the http-01 challenge) from addresses that are not published, so the rule cannot be narrowed to a source range. Remove the rule again once the certificate has been issued (see Validation and cleanup below).
(4) SSH into your VM, and elevate your privileges to root:
sudo su
(5) Set the domain name in your Nginx conf file.
Edit /etc/nginx/conf.d/website.conf line 61, and replace the placeholder _ (Nginx's catch-all name, which matches no real hostname) with your domain name.
For example:
server_name robtest.thorn.tech;
(6) Test the configuration and restart Nginx to apply this change. Because nginx -t runs first, a typo in the domain name is reported instead of taking the admin site down:
nginx -t && service nginx restart
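The six preparation steps as one script. This is an added example, not part of the SFTP Gateway documentation: the page performs steps 1 to 3 in the Azure Portal, and the az CLI commands here are the equivalents. The resource names RG, NSG and PIP, the rule name certbot-http-01 and its priority 310 are placeholders you must replace; step 2 (the DNS A record) is created at your DNS provider and is only checked here. Run with no arguments it demonstrates the server_name edit offline on a constructed sample config; with --prepare DOMAIN PUBLIC_IP it performs the real changes and needs root plus an az login.

```shell
#!/bin/sh
# Added example, not part of the SFTP Gateway docs: the Preparation steps as a
# script. Assumes GNU sed/grep, getent and nginx on the VM, the az CLI (logged
# in) for the Azure side, and these placeholder resource names:
RG="${RG:-my-resource-group}"            # assumed resource group name
NSG="${NSG:-my-vm-nsg}"                  # assumed network security group name
PIP="${PIP:-my-vm-public-ip}"            # assumed public IP resource name
CONF="${CONF:-/etc/nginx/conf.d/website.conf}"

# Step 1: pin the public IP so the DNS record created in step 2 cannot go stale.
make_ip_static() { az network public-ip update -g "$RG" -n "$PIP" --allocation-method Static; }

# Step 3: allow port 80 from any source, as a named rule so it is easy to delete
# again after validation. Let's Encrypt does not publish validator addresses,
# so the source cannot be narrowed; close_port80 is the cleanup counterpart.
open_port80() {
    az network nsg rule create -g "$RG" --nsg-name "$NSG" -n certbot-http-01 \
        --priority 310 --direction Inbound --access Allow --protocol Tcp \
        --source-address-prefixes '*' --destination-port-ranges 80
}
close_port80() { az network nsg rule delete -g "$RG" --nsg-name "$NSG" -n certbot-http-01; }

# Step 2 is done at your DNS provider; this only checks that DOMAIN already
# resolves to EXPECTED_IP (a live DNS lookup).
dns_points_to() {  # dns_points_to DOMAIN EXPECTED_IP
    got=$(getent ahostsv4 "$1" | awk '{ print $1; exit }')
    [ "$got" = "$2" ] || { echo "$1 resolves to '${got:-nothing}', expected $2" >&2; return 1; }
}

# Accept only plain DNS names, so a typo or shell-special character can never
# be written into the Nginx config by the sed below.
valid_domain() {
    case "$1" in ""|*[!A-Za-z0-9.-]*|.*|*.|*..*) return 1 ;; *) return 0 ;; esac
}

# Step 5: replace the catch-all 'server_name _;' with DOMAIN, keeping a .bak copy.
set_server_name() {  # set_server_name CONF DOMAIN
    conf="$1"; domain="$2"
    valid_domain "$domain" || { echo "bad domain name: $domain" >&2; return 1; }
    grep -q '^[[:space:]]*server_name[[:space:]][[:space:]]*_;' "$conf" \
        || { echo "no catch-all 'server_name _;' found in $conf" >&2; return 1; }
    cp -p "$conf" "$conf.bak" || return 1
    sed "s/^\([[:space:]]*\)server_name[[:space:]][[:space:]]*_;/\1server_name $domain;/" \
        "$conf.bak" > "$conf" || return 1
    grep -q "^[[:space:]]*server_name[[:space:]][[:space:]]*$domain;" "$conf"
}

# Names Nginx now answers for: the list certbot will offer in its menu.
current_server_names() {
    sed -n 's/^[[:space:]]*server_name[[:space:]][[:space:]]*\(.*\);.*$/\1/p' "$1"
}

# Step 6: test first, so a broken config is reported instead of taking the admin UI down.
apply_nginx() { nginx -t && service nginx restart; }

case "${1:-}" in
    "")  # no arguments: offline demo on a constructed sample config
        d=$(mktemp -d); c="$d/website.conf"
        printf 'server {\n    listen 443 ssl;\n    server_name _;\n}\n' > "$c"  # constructed
        set_server_name "$c" "robtest.thorn.tech" \
            && echo "server_name now: $(current_server_names "$c")"
        rm -rf "$d" ;;
    --prepare)  # --prepare DOMAIN PUBLIC_IP : perform steps 1, 3, 5 and 6 for real (run as root)
        make_ip_static && open_port80 && dns_points_to "$2" "$3" \
            && set_server_name "$CONF" "$2" && apply_nginx ;;
    *) echo "usage: $0 [--prepare DOMAIN PUBLIC_IP]" >&2; exit 2 ;;
esac
```

The domain check matters because the domain ends up inside a sed replacement and the Nginx config: restricting it to letters, digits, dots and hyphens rules out anything that could break either.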
Certbot installation
Run the following command to install Certbot (the LetsEncrypt client) together with its Nginx plugin. On CentOS 7 this package comes from the EPEL repository, so if yum reports that no package is available, enable EPEL first (the epel-release package) and retry.
yum install certbot-nginx -y
Run the certbot wizard
After the above command has installed Certbot, you can generate the SSL certificate.
(1) Run this command:
certbot
You will be taken through an interactive wizard.
(2) Enter a valid email address:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Enter email address (used for urgent renewal and security notices)
(Enter 'c' to cancel): robert.chen@thorntech.com
(3) Agree to the Terms of Service:
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A
(4) You don't need to share your email.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N
(5) Select your domain. If it doesn't show up on the list, check your /etc/nginx/conf.d/website.conf file for the server_name directive.
Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: robtest.thorn.tech
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
(6) Certbot now asks LetsEncrypt to validate your server. The Nginx plugin temporarily serves the http-01 challenge on port 80 (the "Using default addresses 80" line below), which is why that port had to be opened in the preparation. The message "No matching insecure server blocks listening on port 80 found" is expected: website.conf has no plain-HTTP server block, so there is nothing for Certbot to redirect to HTTPS.
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for robtest.thorn.tech
Using default addresses 80 and [::]:80 ipv6only=on for authentication.
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/nginx/conf.d/website.conf
No matching insecure server blocks listening on port 80 found.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://robtest.thorn.tech
You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=robtest.thorn.tech
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Validation and cleanup
Verify that it works by navigating to your domain via your web browser using HTTPS.
If all is well, you should see a valid SSL certificate issued by Let's Encrypt and no browser warning.
On your NSG, don't forget to remove the port 80 rule that allowed traffic from Any source. Keep in mind that LetsEncrypt certificates are valid for 90 days: each renewal repeats the http-01 challenge, so port 80 must be reachable from the Internet again whenever you renew.
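The certbot wizard above as a non-interactive command, together with shell checks for the validation and cleanup step. This is an added example, not part of the SFTP Gateway documentation or of Certbot: the certbot flags (-n, -d, -m, --agree-tos, --no-eff-email, --nginx, certonly --dry-run) are Certbot's documented equivalents of the wizard prompts, and the script assumes openssl and curl on the VM. Run with no arguments it works offline against a constructed self-signed certificate, which is what the admin site serves before this procedure; with --verify DOMAIN it inspects a live server, and with --issue DOMAIL EMAIL it obtains the certificate.

```shell
#!/bin/sh
# Added example, not part of the SFTP Gateway docs: the certbot wizard above as
# a non-interactive command, plus shell checks for the Validation and cleanup
# step. Assumes certbot with the nginx plugin (installed above), openssl and
# curl on the VM; DOMAIN and EMAIL are supplied by the caller.

# Non-interactive equivalent of the wizard: email, ToS agreement, EFF opt-out
# and the domain are passed as flags. The first run is a --dry-run against the
# Let's Encrypt staging CA: it exercises the same http-01 challenge through
# port 80 but issues nothing, so a misconfiguration costs no rate limit.
issue_cert() {  # issue_cert DOMAIN EMAIL
    certbot certonly --nginx --dry-run -n -d "$1" -m "$2" --agree-tos --no-eff-email || return 1
    certbot --nginx -n -d "$1" -m "$2" --agree-tos --no-eff-email
}

# Certificate a live server presents for DOMAIN (with SNI), as PEM on stdout.
fetch_served_cert() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null | openssl x509
}

# Issuer DN of a PEM certificate file ("issuer=" prefix stripped).
cert_issuer() { openssl x509 -noout -issuer -in "$1" | sed 's/^issuer=[[:space:]]*//'; }

# Expiry date of a PEM certificate file, for display.
cert_expiry() { openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//'; }

# Succeeds if the certificate expires within DAYS days (renewal due).
# Uses openssl's own clock arithmetic, so it needs no date(1) parsing.
expires_within() {  # expires_within DAYS PEM
    [ -r "$2" ] || return 1
    ! openssl x509 -noout -checkend $(( $1 * 86400 )) -in "$2" >/dev/null
}

# Succeeds only if the issuer is Let's Encrypt, i.e. the self-signed default is gone.
is_letsencrypt() {
    case "$(cert_issuer "$1")" in *"Let's Encrypt"*) return 0 ;; *) return 1 ;; esac
}

# Succeeds when nothing answers on port 80 (NSG rule removed, or nginx not listening).
port80_closed() { ! curl -s --max-time 5 -o /dev/null "http://$1/"; }

# Throwaway self-signed certificate for the offline demo: the kind of
# certificate the admin site serves before this procedure. Prints the PEM path.
make_selfsigned() {  # make_selfsigned DIR CN
    openssl req -x509 -newkey rsa:2048 -nodes -days 90 -subj "/CN=$2" \
        -keyout "$1/key.pem" -out "$1/cert.pem" >/dev/null 2>&1 && echo "$1/cert.pem"
}

# The browser check from the cleanup section, done from the shell against a live host.
verify() {  # verify DOMAIN
    d=$(mktemp -d)
    fetch_served_cert "$1" > "$d/served.pem" || { rm -rf "$d"; echo "no TLS on $1:443" >&2; return 1; }
    echo "issuer:  $(cert_issuer "$d/served.pem")"
    echo "expires: $(cert_expiry "$d/served.pem")"
    is_letsencrypt "$d/served.pem" || echo "WARNING: still serving the self-signed certificate"
    expires_within 30 "$d/served.pem" && echo "WARNING: renewal due (port 80 must be open for it)"
    port80_closed "$1" && echo "port 80: closed" || echo "WARNING: port 80 still reachable; remove the NSG rule"
    rm -rf "$d"
}

case "${1:-}" in
    --issue)  issue_cert "$2" "$3" ;;
    --verify) verify "$2" ;;
    "")  # no arguments: offline demo on a constructed self-signed certificate
        d=$(mktemp -d); c=$(make_selfsigned "$d" "selfsigned.test") || exit 1
        echo "issuer: $(cert_issuer "$c") (expires $(cert_expiry "$c"))"
        is_letsencrypt "$c" || echo "not issued by Let's Encrypt: the browser would warn"
        expires_within 30 "$c" || echo "more than 30 days left: no renewal due"
        rm -rf "$d" ;;
    *) echo "usage: $0 --issue DOMAIN EMAIL | --verify DOMAIN" >&2; exit 2 ;;
esac
```

The verify path checks the three things the page's browser test covers implicitly: that the served certificate is no longer the self-signed one, that it is not close to expiry, and that the temporary port 80 rule has actually been removed.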