Veeam PN 2.1
User Guide

Install Free SSL Certificate on Veeam PN Appliance Host

During the installation, Veeam PN generates a self-signed certificate. To mitigate the risk of MITM attacks, you can obtain and install a free SSL certificate from Let's Encrypt.


All commands mentioned in this topic require root privileges.

To install the certificate, do the following:

  1. Open the console of Veeam PN appliance machine.
  • [VMware vSphere] Open the TTY console of the VM where Veeam PN appliance is deployed.
  • [Microsoft Azure] In PuTTY, use the Veeam PN appliance hostname to connect to the console.
  1. Add a PPA (Personal Package Archive) to the list of repositories and install Certbot:

apt-get update
apt-get install software-properties-common
add-apt-repository universe
add-apt-repository ppa:certbot/certbot
apt-get update
apt-get install certbot python-certbot-apache

  1. Automatic obtaining of a certificate won't work on the VeeamPN setup. Thus, you must do the procedure manually. Run the following command to launch the manual plugin:

certbot certonly --manual

  1. Follow the instructions of the wizard:
  1. Enter your email address.
  2. Enter FQDN of the hub server.
  3. Select Y or N to select is it okay that you IP will be logged.
  1. After finishing the wizard, you will see the description of verification steps. Certbot will display the following:
  • A testing URL (for example: http://<domain_name_of_VeeamPN_hub>/.well-known/acme-challenge/XGqBCdZcx__vLZgZblxGbxIm1Vh9Wvy3w0yc54k).
  • Testing data that must be returned from the requested URL (for example: x__vLZgZblxGbxIm1Vh9F14Wmvy3w0yc54k.J7vHny3k6jqUUXoH0QfwwgRc93SudMY8Ddv)

To follow instructions from LetsEncrypt, open a second SSH console to the same VeeamPN server.

  1. In the second console, modify the http_redirector.conf file:
  1. Open the /etc/apache2/sites-enabled/http_redirector.conf file with a text editor.

nano /etc/apache2/sites-enabled/http_redirector.conf

  1. In the file content, add a place for files lookup under the /var/www/certbot line and comment 3 lines of original redirection instructions. See the example below:

<VirtualHost *:80>

DocumentRoot /var/www/certbot/

#    RewriteEngine On

#    RewriteCond %{HTTPS} off

#    RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI}


  1. Create a requested file for URL with requested data in it:
  1. Create a path for the testing URL (you only need to add the part after the domain name to /var/www/certbot/). Thus, you must create a directory for requested sample URL (see step 5):

mkdir -p /var/www/certbot/.well-known/acme-challenge/

  1. Create a requested file for URL with requested data in it:

echo '<data>' > <full path to file>/<requested filename>

In our example, it will be like the following:

echo 'x__vLZgZblxGbxIm1Vh9F14Wmvy3w0yc54k.J7vHny3k6jqUUXoH0QfwwgRc93SudMY8Ddv' > /var/www/certbot/.well-known/acme-challenge/XGqBCdZcx__vLZgZblxGbxIm1Vh9Wvy3w0yc54k

If the command returns the Access Denied code, do the following:

  1. Go to the /var/www/certbot/.well-known/acme-challenge/ directory and create an empty file.

cd /var/www/certbot/.well-known/acme-challenge/
touch XGqBCdZcx__vLZgZblxGbxIm1Vh9Wvy3w0yc54k

  1. Open the file with a text editor and the requested data.

nano XGqBCdZcx__vLZgZblxGbxIm1Vh9Wvy3w0yc54k

  1. Restart the Apache HTTP server.

apachectl restart

  1. In the first SSH console, press [Enter] to proceed the verification process.

The successful result should look like the following:

Congratulations! Your certificate and chain have been saved at:

   /etc/letsencrypt/live/<your FQDN of VeeamPN server>/fullchain.pem

   Your key file has been saved at:

   /etc/letsencrypt/live/<your FQDN of VeeamPN server>/privkey.pem

  1. Edit the veeampn-site.conf config file to change SSL certificates.

nano /etc/apache2/sites-enabled/veeampn-site.conf

In the veeampn-site.conf file, change the filenames for SSLCertificateFile and SSLCertificateKeyFile. Replace default filenames with the names of files obtained from Let's Encrypt (see the previous step):

  • Use full path to fullchain.pem for SSLCertificateFile
  • Use full path to privkey.pem for SSLCertificateKeyFile
  1. Edit the http_redirector.conf file to restore original HTTP to HTTPS redirection.
  1. Open the http_redirector.conf file using a text editor.

nano /etc/apache2/sites-enabled/http_redirector.conf

  1. Edit the file as shown in the example below.

<VirtualHost *:80>

    RewriteEngine On

    RewriteCond %{HTTPS} off

    RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI}


  1. Restart the Apache HTTP server.

apachectl restart


For detailed instructions, see:

This Document Help Center
User Guide
I want to report a typo

There is a misspelling right here:


I want to let the Veeam Documentation Team know about that.