Install Free SSL Certificate on Veeam PN Appliance Host

During the installation, Veeam PN generates a self-signed certificate. To mitigate the risk of MITM attacks, you can obtain and install a free SSL certificate from Let's Encrypt.

If you have additional questions when installing the certificate, refer to Certbot instructions.

To install the certificate, do the following:

1. Open the console of Veeam PN appliance machine.

• [VMware vSphere] Open the TTY console of the VM where Veeam PN appliance is deployed.
• [Microsoft Azure] In PuTTY, use the Veeam PN appliance hostname to connect to the console.

2. Add a PPA (Personal Package Archive) to the list of repositories and install Certbot:

3. Automatic obtaining of a certificate won't work on the VeeamPN setup. Thus, you must do the procedure manually. Run the following command to launch the manual plugin:

4. Follow the instructions of the wizard:

1. Enter your email address.
2. Enter FQDN of the hub server.
3. Select Y or N to select is it okay that you IP will be logged.

5. After finishing the wizard, you will see the description of verification steps. Certbot will display the following:

• A testing URL (for example: http://<domain_name_of_VeeamPN_hub>/.well-known/acme-challenge/XGqBCdZcx__vLZgZblxGbxIm1Vh9Wvy3w0yc54k).
• Testing data that must be returned from the requested URL (for example: x__vLZgZblxGbxIm1Vh9F14Wmvy3w0yc54k.J7vHny3k6jqUUXoH0QfwwgRc93SudMY8Ddv)

To follow instructions from LetsEncrypt, open a second SSH console to the same VeeamPN server.

6. In the second console, modify the http_redirector.conf file:

1. Open the /etc/apache2/sites-enabled/http_redirector.conf file with a text editor.

2. In the file content, add a place for files lookup under the /var/www/certbot line and comment 3 lines of original redirection instructions. See the example below:

7. Create a requested file for URL with requested data in it:

1. Create a path for the testing URL (you only need to add the part after the domain name to /var/www/certbot/). Thus, you must create a directory for requested sample URL (see step 5):

2. Create a requested file for URL with requested data in it:

In our example, it will be like the following:

If the command returns the Access Denied code, do the following:

1. Go to the /var/www/certbot/.well-known/acme-challenge/ directory and create an empty file.

2. Open the file with a text editor and the requested data.

8. Restart the Apache HTTP server.

9. In the first SSH console, press [Enter] to proceed the verification process.

The successful result should look like the following:

10. Edit the veeampn-site.conf config file to change SSL certificates.

In the veeampn-site.conf file, change the filenames for SSLCertificateFile and SSLCertificateKeyFile. Replace default filenames with the names of files obtained from Let's Encrypt (see the previous step):

• Use full path to fullchain.pem for SSLCertificateFile
• Use full path to privkey.pem for SSLCertificateKeyFile

11. Edit the http_redirector.conf file to restore original HTTP to HTTPS redirection.

1. Open the http_redirector.conf file using a text editor.

2. Edit the file as shown in the example below.

12. Restart the Apache HTTP server.