Someone asked on r/Linuxadmin about setting up Let's Encrypt certificates for the vestaCP admin panel. I had looked for a solution to this before, and had also tightened the security of my own vestaCP panel with a few extra tweaks, so I decided to write this article for everyone who runs vestaCP and needs a higher security profile for it.
First, we'll set up Let's Encrypt for the hostname(s) that the vestaCP panel answers on. Log in to the admin panel, select the "web domain" listed under the admin user and click Edit.
Once inside the editing page, make sure that every hostname you use is set up as an alias, including the www. alias for the main domain/hostname, and that each of them resolves correctly in the DNS zone. Let's Encrypt validates every name on the certificate, so a missing or wrong DNS record for any alias will make the whole request fail.
If the aliases are all in order, scroll down on the editing page, enable SSL with Let's Encrypt, and Save the new settings.
This generates an SSL certificate for the main domain/hostname and all of its aliases and restarts vestaCP so the web server picks up the new certificate. If you now visit the hostname and its aliases over standard HTTPS in your browser, they should be covered by the Let's Encrypt certificate. This does not, however, automatically apply the certificate to port 8083, which is where the vestaCP panel itself listens.
To make it work we need to edit the /usr/local/vesta/nginx/conf/nginx.conf file and replace the following lines:
You can replace the resolver IPs above with two resolvers of your choice; I used Google's public DNS IPs for reference. nginx only uses the resolver directive for lookups it has to do at runtime (OCSP stapling being the usual one in an SSL block), so pick resolvers the server can actually reach.
Now, if your server is private like my own and should not be accessed by anyone other than yourself, you can go a little paranoid when setting up access to vestaCP and add IP restrictions that block all access to the panel except from your own IP.
To do that locate the following code (which is right below the SSL certificate directives):
Remember to replace 188.8.131.52 with your own IP, and feel free to add as many allow rules as you wish in order to permit multiple IPs. Before you close your session, test the new rules from an address that is not in the allow list (a phone on mobile data works) so that a typo does not lock you out, and remember that a dynamic home IP will eventually change; keep SSH access as a way back in.
Also create a 403 page and replace https://www.somedomain.com/forbidden.html with the URL of your own page, to which every blocked request will be redirected. If you wish, that page can log the client IP and the referring request so you have a record of who is probing the panel.
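The lines the article refers to above are not reproduced on this page, so here is an added example (my own, not the article's or vestaCP's own configuration) of what the relevant part of the 8083 server block in /usr/local/vesta/nginx/conf/nginx.conf looks like once all three changes are in place: the Let's Encrypt certificate, the resolvers for OCSP stapling, and the IP restriction with the custom 403 page. The panel hostname panel.example.com, the certificate paths under /home/admin/conf/web/, the allowed IP and the forbidden page URL are all assumptions; substitute your own values.

```nginx
# Added example, not the original article's configuration.
# Hostname, certificate paths, allowed IP and 403 URL are assumed values.
server {
    # 'listen ... ssl' replaces the older 'ssl on;' style of enabling TLS.
    listen          8083 ssl;
    server_name     panel.example.com;   # assumed panel hostname

    # Assumed: the files vestaCP writes for the admin user's web domain when
    # Let's Encrypt is enabled on it. Pointing the panel at these files means a
    # renewal only needs a vesta-nginx restart, not a manual copy of the cert.
    ssl_certificate             /home/admin/conf/web/ssl.panel.example.com.pem;
    ssl_certificate_key         /home/admin/conf/web/ssl.panel.example.com.key;
    ssl_trusted_certificate     /home/admin/conf/web/ssl.panel.example.com.ca;
    ssl_protocols               TLSv1.2;
    ssl_prefer_server_ciphers   on;

    # OCSP stapling is what the resolver is needed for; swap the Google
    # resolvers for ones you trust, and keep the timeout short so a slow
    # resolver cannot stall the handshake.
    ssl_stapling            on;
    ssl_stapling_verify     on;
    resolver                8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout        5s;

    # IP restriction. nginx evaluates allow/deny top to bottom and stops at the
    # first match, so the allow rules must come before 'deny all'.
    allow   188.8.131.52;       # your own address (assumed); add more allow lines as needed
    deny    all;

    # Blocked clients are sent here. Because this is a full URL, nginx answers
    # with a 302 redirect to that page rather than serving it locally.
    error_page 403 https://www.somedomain.com/forbidden.html;

    # The remaining vestaCP directives for this server block (root, charset,
    # locations, fastcgi settings) stay exactly as vestaCP shipped them.
}
```

After saving the file, restart the panel's own nginx instance (service vesta restart) and confirm the result from the outside: openssl s_client -connect panel.example.com:8083 -servername panel.example.com -status should show the Let's Encrypt issuer and an "OCSP Response Status: successful" line if stapling is working, while a request from an address that is not in the allow list should come back as a 302 to your forbidden page instead of the login form.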
That would be all. If any of you have more or better ideas, please let me know.