Greetings friends, a few weeks ago I was showing you everything we need to know about Veeam Backup for Microsoft Azure, in case you haven’t been paying attention, I’m posting the blog series here (in Spanish):
- Veeam anuncia Veeam Backup for Azure Free Edition
- Cómo Desplegar Veeam Backup for Azure – paso a paso
- Vistazo en profundidad al nuevo Veeam Backup for Azure – Creación de Políticas de Backup y Restauración
- Cómo conectar nuestro Veeam Backup & Replication a Veeam Backup for Azure
This whole series is very complete and I hope you like it. Today I bring you one more step on how to correctly secure our instance of Veeam Backup for Microsoft Azure.
To do this we will rely on Let’s Encrypt, the famous open-source project that allows us to generate free SSL certificates.
NOTE: This process is not officially supported by Veeam, and any consequence of following the steps incorrectly, or any incidence derived from these steps will leave us without support. We will have to deploy the appliance again, keep that in mind!
Installation of system requirements
To make it all work we’re going to need a couple of packages to do all this automatically:
- jq
- The necessary Let’s Encrypt packages
To install jq, we will launch the following command:
sudo apt-get install jq -y
Once we have jq, we will now install the Let’s Encrypt packages, which is as simple as launching the following:
cd /root curl https://get.acme.sh | sh
This will create the following directory with the following in it:
ls .acme.sh/ -lah total 240K drwx------ 8 root root 4.0K May 15 10:44 . drwx------ 5 root root 4.0K May 15 12:32 .. -rw-r--r-- 1 root root 345 May 15 12:33 account.conf -rwxr-xr-x 1 root root 193K May 15 09:36 acme.sh -rw-r--r-- 1 root root 78 May 15 09:36 acme.sh.env drwxr-xr-x 3 root root 4.0K May 15 10:44 ca drwxr-xr-x 2 root root 4.0K May 15 09:36 deploy drwxr-xr-x 2 root root 4.0K May 15 09:36 dnsapi -rw-r--r-- 1 root root 332 May 15 14:49 http.header drwxr-xr-x 2 root root 4.0K May 15 09:36 notify
We’re all set. Let’s move on to the next step.
Download, and configure the veeam_azure_ssl.sh script
I have created a script that what it really does is combine with the Let’s Encrypt Script, and install the SSL Certificate in Veeam Backup for Azure, which needs to be converted to .pfx in base64, but this does all the script, we will download it from here, I would put it in /root too, or in the same folder where we have downloaded Let’s Encrypt:
There are a few parameters to be set, but they are not difficult, let’s see them here:
- veeamDomain: This is the FQDN of your VBA, for example – vba.domain.com
- veeamSSLPassword: A password to encrypt the .pfx certificate
- veeamUsername: The user with access to the Veeam Backup for Microsoft Azure RESTFul API
- veeamPassword: The password for the user with access to the Veeam Backup for Microsoft Azure RESTFul API
- veeamBackupAzureServer: The Public IP of the Veeam Backup for Azure
# Configurations ## # Endpoint URL for login action veeamDomain="YOURVEEAMAZUREAPPLIANCEDOMAIN" veeamSSLPassword="YOURVEEAMSSLPASSWORD" #Introduce a password that will be use to merge the SSL into a .PFX veeamOutputPFXPath="/tmp/bundle.pfx" veeamOutputPFX64Path="/tmp/bundle64.pfx" veeamUsername="YOURVEEAMBACKUPUSER" veeamPassword="YOURVEEAMBACKUPPASS" veeamBackupAzureServer="https://YOURVEEAMBACKUPIP" veeamBackupAzurePort="443" #Default Port
Once we have everything filled in, we can exit the text editor and continue with the next step.
Launching Let’s Encrypt and getting a SSL certificate
Now that we have our script ready, and also Let’s Encrypt, it’s time to launch the Let’s Encrypt command, as you know, the command can be launched with several verification modes, in this case, I’m going to use Cloudflare, but it would also work with standalone, etc. See more here about the methods there are:
The script I created will look inside /root/.acme.sh/VUESTROFQDN, so as long as everything is in this directory, it will work, let’s see how I used Cloudflare.
cd /root export CF_Key="YOURCLOUDFLAREKEY" export CF_Email="[email protected]" # La direccion email que usamos en CloudFlare .acme.sh/acme.sh --issue -d YOURBA.DOMAIN.COM --dns dns_cf --reloadcmd "/root/veeam_azure_ssl.sh" --force
To know your Key de Cloudflare, here where you can find it
Once we launch this command well, we will be able to see a result similar to this:
[Fri May 15 12:32:56 UTC 2020] Single domain='vba.jorgedelacruz.es' [Fri May 15 12:32:56 UTC 2020] Getting domain auth token for each domain [Fri May 15 12:32:58 UTC 2020] Getting webroot for domain='vba.jorgedelacruz.es' [Fri May 15 12:32:58 UTC 2020] vba.jorgedelacruz.es is already verified, skip dns-01. [Fri May 15 12:32:58 UTC 2020] Verify finished, start to sign. [Fri May 15 12:32:58 UTC 2020] Lets finalize the order, Le_OrderFinalize: https://acme-v02.api.letsencrypt.org/acme/finalize/86227111/3374114002 [Fri May 15 12:32:59 UTC 2020] Download cert, Le_LinkCert: https://acme-v02.api.letsencrypt.org/acme/cert/03cdf9e2e3810f67828b5806004f56e8b0e2 [Fri May 15 12:33:00 UTC 2020] Cert success. -----BEGIN CERTIFICATE----- MIIFYDCCBEigAwIBAgISA8354uOBD2eCi1gGAE9W6LDiMA0GCSqGSIb3DQEBCwUA [...] Jgesa5sqZUvhzhThEcnvA4+Kb7MWSvKbDtAv3RHR6mirxO3y5s9VeK4B1d+2ntcv /j6lh+tEJswilC9lWAoUS7T/IYIie19PRMn6klzDzzGFuaER -----END CERTIFICATE----- [Fri May 15 12:33:00 UTC 2020] Your cert is in /root/.acme.sh/vba.jorgedelacruz.es/vba.jorgedelacruz.es.cer [Fri May 15 12:33:00 UTC 2020] Your cert key is in /root/.acme.sh/vba.jorgedelacruz.es/vba.jorgedelacruz.es.key [Fri May 15 12:33:00 UTC 2020] The intermediate CA cert is in /root/.acme.sh/vba.jorgedelacruz.es/ca.cer [Fri May 15 12:33:00 UTC 2020] And the full chain certs is there: /root/.acme.sh/vba.jorgedelacruz.es/fullchain.cer [Fri May 15 12:33:00 UTC 2020] Run reload cmd: /root/veeam_azure_ssl.sh Your Veeam Backup for Azure SSL Certificate has been replaced with a valid Let's Encrypt one. Go to https://vba.jorgedelacruz.es [Fri May 15 12:33:00 UTC 2020] Reload success
And if everything has gone well, we will have the little message that tells us that we can go to our https://YOURFQDN, if we go we can finally see the next thing:
If we expand the SSL Certificate, we will be able to see which FQDN has assigned this SSL Certificate to us:
How to schedule the automated renewal to run every 90 days
These SSL Certificates expire every 90 days, so we can schedule it with the next command, and have a valid SSL certificate forever, as long as this scheduled task is executed:
* * */89 * * .acme.sh/acme.sh --issue -d VUESTROVBA.DOMINIO.COM --dns dns_cf --reloadcmd "/root/veeam_azure_ssl.sh" --force > /var/log/syslog
With this, we’d be all set. Leave comments and ideas in the comments. Thank you for reading it.
Leave a Reply