letsencrypt cert for admin panel with install
I believe the fact that VestaCP does not install an SSL certificate by default should be treated more like a defect than a feature enhancement. I know the team has limited bandwidth and there are many features in the backlog. But I believe this issue should have a higher priority than something like wildcard Let's Encrypt support.
My thoughts:
- The admin website is installed forcing https, which it should! But the lack of SSL certificate is at the root (no pun intended) of this issue
- This presents a horrible user experience. The installation of VestaCP is admirable, clean and easy. However, the next step, logging into admin, immediately presents a security error to the user and requires working around what is essentially a security flaw.
- It is a security issue. Having users ignore the SSL warning presents the opportunity for a man-in-the-middle attack that could collect passwords. Also, having users routinely ignore SSL warnings is a horrible practice that desensitizes people to security awareness.
- The lack of a certificate is difficult to remedy. There are no out-of-the-box means of setting up a Let's Encrypt certificate for the admin site.
- Ideal and straightforward solution: set up a Let's Encrypt certificate automatically for the admin app as part of the installation. If an administrator has an existing certificate they would prefer to use, they can easily access the admin site securely and add it there.
Re: letsencrypt cert for admin panel with install
I know that it would be great to have a valid SSL cert on default installation, but as of now, you can create the cert easily after install: viewtopic.php?f=10&t=17353
I think the biggest problem is that you need a valid hostname including correct DNS settings to create a Let's Encrypt cert. Vesta installs by default a self-signed cert, so the connection is secure already.
Until now, I think a valid cert is set in the right position, after the VestaCP installation. Otherwise, if the DNS settings and hostname aren't set properly, it will fail during the installation script.
This is my point of view and does not reflect that of the Vesta core team.
Re: letsencrypt cert for admin panel with install
@mericson
You are quite wrong in most of your understanding of SSL and Security.
1. But the lack of SSL certificate
Who says? There is a "self-signed" SSL certificate installed, which enables https encrypted communication right from the start. It is as secure as a paid SSL certificate, just without insurance and signing... take it easy!
2 & 3. VestaCP is intended for personal server management, not for reselling so about user 'personal' experience, it is just a one time - two extra clicks to whitelist this https site. It is not a public facing service that hundreds of people will visit daily.
4 & 5. You don't really know how an SSL certificate is issued in the first place... do you? As ScIT already explained, you need a valid FQDN with a valid DNS A record as your hostname to get this issued. Many won't bother with this. If you really want this, you can configure a domain inside Vesta, get its SSL issued and apply it to VestaCP... it's a 5 min job once you learn it! Many detailed tutorials about this on our forum already.
So I believe get your facts and learn the right things before jumping to conclusions about security and other things... there is a long way to go. Happy learning :)
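The hostname and DNS precondition raised in the replies above, as an added example that is not part of the thread or of Vesta's installer: a pre-flight check an install script could run before requesting a Let's Encrypt certificate for the panel, keeping the self-signed certificate when the check fails. All function names are hypothetical, the addresses are constructed sample values, and `resolve_a` assumes a glibc system where `getent ahostsv4` is available.

```shell
# Added example: decide whether a Let's Encrypt request for the panel
# hostname can succeed. Function names are hypothetical.

# True when the name has at least two labels and an alphabetic TLD
# (panel.example.com passes; "localhost" and bare IPs do not).
is_fqdn() {
    printf '%s\n' "$1" | grep -Eq \
      '^([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}$'
}

# IPv4 addresses the resolver returns for a name (glibc getent).
# An installer would feed this output into le_preflight.
resolve_a() {
    getent ahostsv4 "$1" | awk '{print $1}' | sort -u
}

# True when at least one resolved address belongs to this server.
# $1 = space-separated resolved IPs, $2 = space-separated local IPs.
a_record_matches() {
    for arm_r in $1; do
        for arm_l in $2; do
            if [ "$arm_r" = "$arm_l" ]; then return 0; fi
        done
    done
    return 1
}

# Prints "issue" when the CA's validation request would reach this host,
# otherwise the reason to keep the self-signed certificate for now.
# $1 = hostname, $2 = resolved IPs, $3 = this server's IPs.
le_preflight() {
    if ! is_fqdn "$1"; then echo "skip:not-fqdn"; return 1; fi
    if [ -z "$2" ]; then echo "skip:no-a-record"; return 1; fi
    if ! a_record_matches "$2" "$3"; then
        echo "skip:a-record-points-elsewhere"; return 1
    fi
    echo "issue"
}

# Constructed sample values (documentation address ranges).
le_preflight "panel.example.com" "203.0.113.10" "203.0.113.10 10.0.0.5"
le_preflight "localhost" "127.0.0.1" "203.0.113.10" || true
```
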