Introduction

In this article, we will demonstrate how to generate/regenerate SSL Certificates Signed by a Certificate Authority, such as ZeroSSL and Let's Encrypt, for your web-based services hosted by your Seedbox, such as Torrent Clients, Resilio, Thinlinc, SeedboxCP, and many others.

Both CA-signed and self-signed certificates provide the same level of encryption (and security) between you and the server. It's just that when you're using a self-signed certificate, you’re essentially vouching for your own identity. It’s like writing “I have graduated” on a piece of paper and considering it your official graduation certificate. While you might be excellent in your academics, people aren’t going to trust your self-created certificate! They’d want the document to be issued and signed by an official institution such as a college or university.

We've been using self-signed certificates up to this point, but now we want to up the ante and give you peace of mind while also avoiding the annoying "Insecure page" browser error.

From now on, we'll use the CA-signed SSL certificates provided by ZeroSSL/Let's Encrypt, i.e. the ones generated using the first method (easy-ssl). The links will look like this:

https://45-154-86-108.a.seedbox.vip

+ /${ALL_OTHER_APPS}. See section 1.

Let's first cover the basics:

  • What is an SSL certificate?

    SSL certificates are what enable websites to move from HTTP to HTTPS, which is more secure. An SSL certificate is a data file hosted in a website's origin server. SSL certificates make SSL/TLS encryption possible, and they contain the website's public key and the website's identity, along with related information. Devices attempting to communicate with the origin server will reference this file to obtain the public key and verify the server's identity. The private key is kept secret and secure.

  • What is SSL?

    SSL, more commonly called TLS, is a protocol for encrypting Internet traffic and verifying server identity. Any website with an HTTPS web address uses SSL/TLS. See What is SSL? and What is TLS? to learn more.

  • Self-signed vs CA-signed certificates

    The difference between a CA certificate and a self-signed certificate is the issuer of the certificate. A self-signed certificate is created, signed, and issued by the subject of the certificate (the entity it is issued to), while a CA certificate is created, signed, and issued by a third party called a certificate authority (CA) that is authorized to validate the identity of the applicant. A CA certificate signed by a publicly trusted CA can build trust among the website visitors, and therefore, it is used to validate public websites.

We're currently using two methods to obtain the CA-signed SSL Certificates we use.

1. Directly from ZeroSSL or Let's Encrypt

The first method that we use to obtain a CA-signed SSL certificate, which is generated either by ZeroSSL or Let's Encrypt, is by our easy-ssl script.

These certs are always generated at seedbox deployment on the new templates.

By default, the certificate expires 90 days after the generation date, but on the newer templates we've added a cronjob to renew it automatically.

Keep in mind that the renewal cronjob is removed only if you generate the second certificate using easy-ssl-v2.

If you have an older template like Ubuntu 16.04, we highly recommend upgrading to the latest by reinstalling/upgrading your Seedbox.

You can manually generate or renew this certificate by running this script.

Note: This certificate is available on all our Ubuntu templates i.e. from 16.04 to the latest.

Log in via SSH and run:

sudo easy-ssl

Along with the new certificate, you also get these new access links for your services.

You can also add any other services/ports after the Let's Encrypt template link, like the examples below.

You can now access your server using this URL:
https://45-154-86-108.a.seedbox.vip

You can access your Rutorrent using this URL:
https://45-154-86-108.a.seedbox.vip/rutorrent

You can access your Deluge using this URL:
https://45-154-86-108.a.seedbox.vip/deluge

You can access your Resilio using this URL:
https://45-154-86-108.a.seedbox.vip:8888

To access ThinLinc Remote Desktop you can use this URL:
https://45-154-86-108.a.seedbox.vip:300

You can access your Plex using this URL:
https://plex-45-154-86-108.a.seedbox.vip

2. Certbot

The second method that we use to obtain a CA-signed SSL certificate is certbot.

Certbot is an easy-to-use client that fetches a certificate from Let’s Encrypt—an open certificate authority launched by the EFF, Mozilla, and others—and deploys it to a web server.

Anyone who has gone through the trouble of setting up a secure website knows what a hassle getting and maintaining a certificate is. Certbot and Let’s Encrypt can automate away the pain and let you turn on and manage HTTPS with simple commands. Using Certbot and Let's Encrypt is free, so there’s no need for a hefty payment.

These certificates are not generated by default at deployment, so as of now, if you'd like to use one, you have to generate it manually. This certificate also expires 90 days after the generation date, but it is renewed automatically as well. You don't have to worry about renewing it at all.

You can generate this certificate by running our script for this.

Note: This certificate is only available on our Ubuntu 20.04 or newer templates.

Log in via SSH and run:

sudo easy-ssl-v2

Normally, the certbot utility fetches a certificate from Let’s Encrypt, but here we're using it to retrieve the certificates from ZeroSSL due to these limitations. Don't mind the messages you see below; they are automated and inaccurate.

Along with this ZeroSSL certificate you also get new access links for your services:

Specifically, in our setup, if you choose to use this certificate over the first one, the cronjob that renews the first one is removed when this certificate is generated. Just remember that once this one is generated, the first certificate has to be renewed manually once every 90 days.

You can also add any other services/ports after the Let's Encrypt template link, like the examples below.

You can now access your server using this URL:
https://45-154-86-108.my.seedbox.vip

You can access your Rutorrent using this URL:
https://45-154-86-108.my.seedbox.vip/rutorrent

You can access your Deluge using this URL:
https://45-154-86-108.my.seedbox.vip/deluge

You can access your Resilio using this URL:
https://45-154-86-108.my.seedbox.vip:8888

To access ThinLinc Remote Desktop you can use this URL:
https://45-154-86-108.my.seedbox.vip:300

You can access your Plex using this URL:
https://plex-45-154-86-108.my.seedbox.vip
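
The self-signed vs CA-signed distinction and the 90-day lifetime described above can be checked from any shell with the openssl CLI, which is useful once the first certificate has to be renewed manually. The script below is an added example, not part of easy-ssl or easy-ssl-v2; the function names, the 30-day renewal threshold and the constructed.example test certificate are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example (not the provider's script): classify a certificate and flag
# it for renewal. Needs only the openssl CLI.

# Print the leaf certificate a server presents, in PEM form.
fetch_cert() {  # usage: fetch_cert HOST [PORT]
    openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -outform PEM
}

# Print "self-signed" when subject and issuer are the same name, else
# "ca-signed". This compares names only; it does not verify the signature.
cert_kind() {  # usage: cert_kind PEMFILE
    local subject issuer
    subject=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
    issuer=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//')
    if [ "$subject" = "$issuer" ]; then echo self-signed; else echo ca-signed; fi
}

# Succeed when the certificate expires within DAYS days (assumed default: 30).
# An unreadable file also counts as "expiring", so failures err towards renewal.
expires_within() {  # usage: expires_within PEMFILE [DAYS]
    ! openssl x509 -in "$1" -noout -checkend $(( ${2:-30} * 86400 )) >/dev/null 2>&1
}

# One-line summary: "<kind> <ok|renew-now>".
cert_report() {  # usage: cert_report PEMFILE [DAYS]
    local state=ok
    if expires_within "$1" "${2:-30}"; then state=renew-now; fi
    echo "$(cert_kind "$1") $state"
}

# With a hostname argument, check the live certificate; with none, check a
# constructed self-signed certificate so the script also runs offline.
main() {
    local dir; dir=$(mktemp -d)
    if [ -n "${1:-}" ]; then
        fetch_cert "$1" "${2:-443}" >"$dir/cert.pem"
    else
        openssl req -x509 -newkey rsa:2048 -nodes -days 90 -subj "/CN=constructed.example" \
            -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null
    fi
    cert_report "$dir/cert.pem"
    rm -rf "$dir"
}
main "$@"
```

Run with your seedbox hostname as the first argument (and optionally a port such as 8888), it reports on the certificate that service currently presents; "renew-now" on the first certificate means it is time to run sudo easy-ssl again.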

I don't know what to do next...

If you need any assistance, let us know by opening a chat in the bottom-right corner of your screen. We're here to help 😄
