Install Free SSL Certificate on Veeam PN Appliance Host

In this article

    During the installation, Veeam PN generates a self-signed certificate. To mitigate the risk of MITM attacks, you can obtain and install a free SSL certificate from Let's Encrypt.

    If you have additional questions when installing the certificate, refer to Certbot instructions.


    All commands mentioned in this topic require root privileges.

    To install the certificate, do the following:

    1. Open the console of Veeam PN appliance machine.
    • [VMware vSphere] Open the TTY console of the VM where Veeam PN appliance is deployed.
    • [Microsoft Azure] In PuTTY, use the Veeam PN appliance hostname to connect to the console.
    1. Add a PPA (Personal Package Archive) to the list of repositories and install Certbot:

    apt-get update
    apt-get install software-properties-common
    add-apt-repository universe
    add-apt-repository ppa:certbot/certbot
    apt-get update
    apt-get install certbot python-certbot-apache

    1. Automatic obtaining of a certificate won't work on the VeeamPN setup. Thus, you must do the procedure manually. Run the following command to launch the manual plugin:

    certbot certonly --manual

    1. Follow the instructions of the wizard:
    1. Enter your email address.
    2. Enter FQDN of the hub server.
    3. Select Y or N to select is it okay that you IP will be logged.
    1. After finishing the wizard, you will see the description of verification steps. Certbot will display the following:
    • A testing URL (for example: http://<domain_name_of_VeeamPN_hub>/.well-known/acme-challenge/XGqBCdZcx__vLZgZblxGbxIm1Vh9Wvy3w0yc54k).
    • Testing data that must be returned from the requested URL (for example: x__vLZgZblxGbxIm1Vh9F14Wmvy3w0yc54k.J7vHny3k6jqUUXoH0QfwwgRc93SudMY8Ddv)

    To follow instructions from LetsEncrypt, open a second SSH console to the same VeeamPN server.

    1. In the second console, modify the http_redirector.conf file:
    1. Open the /etc/apache2/sites-enabled/http_redirector.conf file with a text editor.

    nano /etc/apache2/sites-enabled/http_redirector.conf

    1. In the file content, add a place for files lookup under the /var/www/certbot line and comment 3 lines of original redirection instructions. See the example below:

    <VirtualHost *:80>

    DocumentRoot /var/www/certbot/

    #    RewriteEngine On

    #    RewriteCond %{HTTPS} off

    #    RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI}


    1. Create a requested file for URL with requested data in it:
    1. Create a path for the testing URL (you only need to add the part after the domain name to /var/www/certbot/). Thus, you must create a directory for requested sample URL (see step 5):

    mkdir -p /var/www/certbot/.well-known/acme-challenge/

    1. Create a requested file for URL with requested data in it:

    echo '<data>' > <full path to file>/<requested filename>

    In our example, it will be like the following:

    echo 'x__vLZgZblxGbxIm1Vh9F14Wmvy3w0yc54k.J7vHny3k6jqUUXoH0QfwwgRc93SudMY8Ddv' > /var/www/certbot/.well-known/acme-challenge/XGqBCdZcx__vLZgZblxGbxIm1Vh9Wvy3w0yc54k

    If the command returns the Access Denied code, do the following:

    1. Go to the /var/www/certbot/.well-known/acme-challenge/ directory and create an empty file.

    cd /var/www/certbot/.well-known/acme-challenge/
    touch XGqBCdZcx__vLZgZblxGbxIm1Vh9Wvy3w0yc54k

    1. Open the file with a text editor and the requested data.

    nano XGqBCdZcx__vLZgZblxGbxIm1Vh9Wvy3w0yc54k

    1. Restart the Apache HTTP server.

    apachectl restart

    1. In the first SSH console, press [Enter] to proceed the verification process.

    The successful result should look like the following:

    Congratulations! Your certificate and chain have been saved at:

       /etc/letsencrypt/live/<your FQDN of VeeamPN server>/fullchain.pem

       Your key file has been saved at:

       /etc/letsencrypt/live/<your FQDN of VeeamPN server>/privkey.pem

    1. Edit the veeampn-site.conf config file to change SSL certificates.

    nano /etc/apache2/sites-enabled/veeampn-site.conf

    In the veeampn-site.conf file, change the filenames for SSLCertificateFile and SSLCertificateKeyFile. Replace default filenames with the names of files obtained from Let's Encrypt (see the previous step):

    • Use full path to fullchain.pem for SSLCertificateFile
    • Use full path to privkey.pem for SSLCertificateKeyFile
    1. Edit the http_redirector.conf file to restore original HTTP to HTTPS redirection.
    1. Open the http_redirector.conf file using a text editor.

    nano /etc/apache2/sites-enabled/http_redirector.conf

    1. Edit the file as shown in the example below.

    <VirtualHost *:80>

        RewriteEngine On

        RewriteCond %{HTTPS} off

        RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI}


    1. Restart the Apache HTTP server.

    apachectl restart