SSL/TLS Certificates¶
Secure your services with HTTPS. In TUKE Cloud you have two options.
- Let's Encrypt: automatic free certificates via DNS-01 validation. Recommended for most cases.
- Harika: manual certificates for internal services. Contact ssl@helpdesk.tuke.sk
Why SSL/TLS?¶
- Encryption: protects communication from eavesdropping.
- Authentication: the client knows it's communicating with the correct server.
- HTTPS Standard: browsers display warnings without certificates.
Let's Encrypt (DNS-01)¶
How It Works¶
- Certbot requests the TXT record _acme-challenge.<domain>
- TUKE DNS API automatically adds it
- Let's Encrypt verifies the record and issues the certificate
DNS API Token
Each VM receives a unique token in the activation email. The token allows managing only the TXT records for your VM.

Prerequisites¶
| Requirement | Description |
|---|---|
| Ubuntu/Linux VM | System with certbot |
| Webserver | Apache or Nginx |
| DNS API token | From VM activation email |
| Domain | *.virtual.cloud.tuke.sk |
Create Hook Scripts¶
auth-hook.sh - adding TXT record
Save to /usr/local/bin/auth-hook.sh:
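```bash
#!/usr/bin/env bash
# Certbot auth hook: publishes the DNS-01 challenge TXT record via the TUKE DNS API.
# Certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION before calling this script.
set -e

TOKEN="ENTER_YOUR_API_TOKEN_HERE"
CHALLENGE_NAME="_acme-challenge.${CERTBOT_DOMAIN}"

echo "Adding TXT record:"
echo "Domain: $CERTBOT_DOMAIN"
echo "Validation: $CERTBOT_VALIDATION"
echo "Name: $CHALLENGE_NAME"

# --fail makes curl exit non-zero on an HTTP error, so set -e aborts the hook.
curl -sS -L --fail -X POST -H "Content-Type: application/json" \
  -d "{\"token\": \"$TOKEN\", \"domain\": \"$CERTBOT_DOMAIN\", \"name\": \"$CHALLENGE_NAME\", \"value\": \"$CERTBOT_VALIDATION\"}" \
  https://dns-api.plesk.tuke.sk/index.php/dns/proxy/add_txt

# Short pause before certbot continues with validation.
sleep 3
```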
cleanup-hook.sh - removing TXT record
Save to /usr/local/bin/cleanup-hook.sh:
```bash
#!/usr/bin/env bash
# Certbot cleanup hook: removes the challenge TXT record after validation.
set -e

TOKEN="ENTER_YOUR_API_TOKEN_HERE"
DOMAIN="$CERTBOT_DOMAIN"
ZONE_SUFFIX="virtual.cloud.tuke.sk"

# Refuse to act on names outside the zone the scripts are meant for.
if [[ "$DOMAIN" != *".${ZONE_SUFFIX}" ]]; then
  echo "Error: domain '$DOMAIN' does not end with '.$ZONE_SUFFIX'"
  exit 1
fi

# Host part of the name, without the zone suffix.
HOST="${DOMAIN%.$ZONE_SUFFIX}"
CHALLENGE_NAME="_acme-challenge.${HOST}"
echo "Removing TXT record: $CHALLENGE_NAME"

RESPONSE=$(curl -s -L -X POST \
  https://dns-api.plesk.tuke.sk/index.php/dns/proxy/delete_txt \
  -H "Content-Type: application/json" \
  -d '{
    "token": "'"${TOKEN}"'",
    "domain": "'"${DOMAIN}"'",
    "name": "'"${CHALLENGE_NAME}"'"
  }'
)

# The API reports the outcome in the JSON response body.
if echo "$RESPONSE" | grep -q '"status":"success"'; then
  echo "TXT record successfully removed."
else
  echo "Error removing TXT record:"
  echo "$RESPONSE"
  exit 1
fi
```
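Set permissions: both scripts must be executable so that certbot can run them. They contain the API token, so keep them readable by root only.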
Issue Certificate¶
```bash
sudo certbot certonly \
  --non-interactive \
  --manual \
  --preferred-challenges dns \
  --manual-public-ip-logging-ok \
  --manual-auth-hook /usr/local/bin/auth-hook.sh \
  --manual-cleanup-hook /usr/local/bin/cleanup-hook.sh \
  --deploy-hook "systemctl reload apache2" \
  -d vra-ubuntu-server-0531.virtual.cloud.tuke.sk \
  -d www.vra-ubuntu-server-0531.virtual.cloud.tuke.sk \
  --email firstname.lastname@tuke.sk \
  --agree-tos
```
Harika (Manual Certificates)¶
For internal services, testing environments, or special requirements.
How to Request¶
- Prepare your domain (FQDN) and certificate purpose
- Send email to ssl@helpdesk.tuke.sk
- Include domain name and usage purpose
- You'll receive the .crt, .key and CA chain
Important Notices¶
Token Security
- DNS API token is unique to your VM
- Token must not be published or provided to others
- Scripts work only within *.virtual.cloud.tuke.sk
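A hardened variant of the auth hook, as an added example that is not TUKE's own script: it reads the token from a root-only file instead of embedding it, refuses a file that group or others can access, and sends the request body on stdin so the token does not show up in the process list. The token file path is an assumption; the endpoint and JSON fields are those of auth-hook.sh above.

```shell
#!/usr/bin/env bash
# Added example, not TUKE's own script: auth hook that keeps the token out of the script.
set -eu

# Assumed path (not from the page). Create the file as root with mode 600.
TOKEN_FILE="${TOKEN_FILE:-/etc/letsencrypt/tuke-dns-token}"

# Print the token, refusing a file that group or others can access.
load_token() {
  local file="$1" mode
  [ -f "$file" ] || { echo "token file missing: $file" >&2; return 1; }
  mode=$(stat -c '%a' "$file")
  case "$mode" in
    *00) ;;
    *) echo "refusing $file: mode $mode, expected 600" >&2; return 1 ;;
  esac
  tr -d '\r\n' < "$file"
}

# Escape backslashes and double quotes so a value cannot break out of its JSON string.
json_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Build the add_txt request body: token, domain, name, value.
build_payload() {
  printf '{"token":"%s","domain":"%s","name":"%s","value":"%s"}' \
    "$(json_escape "$1")" "$(json_escape "$2")" \
    "$(json_escape "$3")" "$(json_escape "$4")"
}

# Runs only under certbot, which exports CERTBOT_DOMAIN and CERTBOT_VALIDATION.
if [ -n "${CERTBOT_DOMAIN:-}" ]; then
  token=$(load_token "$TOKEN_FILE")
  # The body is piped to curl on stdin, so the token is not in curl's arguments;
  # --fail turns an HTTP error into a non-zero exit that certbot will report.
  build_payload "$token" "$CERTBOT_DOMAIN" \
    "_acme-challenge.${CERTBOT_DOMAIN}" "$CERTBOT_VALIDATION" |
    curl --fail -sS -L -X POST -H "Content-Type: application/json" \
      --data-binary @- \
      https://dns-api.plesk.tuke.sk/index.php/dns/proxy/add_txt
  sleep 3
fi
```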
Automatic Renewal
DNS-01 validation allows certificate renewal to be fully automated with a cron job.
Method Comparison¶
| | Let's Encrypt | Harika |
|---|---|---|
| Price | Free | Free |
| Renewal | Automatic | Manual |
| Trust | Publicly trusted | TUKE only |
| HTTP access | Not required | Not required |
| Best for | Production services | Internal/testing |