Kasm Workspaces provides browser-based access to on-demand containerized desktops and applications.
By default, Kasm creates self-signed certificates that are used when connecting to the Web UI. Follow the steps below to configure Kasm to use a free Let's Encrypt SSL certificate.
1. Install certbot.
#for Ubuntu 22.04 server
sudo apt-get install python3-certbot
2. Optionally, allow ingress on port 80 in iptables or any other firewall rules (such as Oracle Cloud's VCN), because certbot needs an HTTP connection to register and renew the certificate.
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
3. Register a standalone Let's Encrypt free SSL certificate with a valid FQDN and email address.
sudo certbot certonly --standalone -d your.server.com -m email@server.com
4. Stop the KASM service.
sudo /opt/kasm/bin/stop
5. Back up the default self-signed KASM SSL certificates.
for file in /opt/kasm/current/certs/kasm_nginx.*; do sudo mv "$file" "$file.bak"; done
6. Create symlinks from the Let's Encrypt SSL certificate to the KASM certs directory. Remember to replace the FQDN with yours.
sudo ln -s /etc/letsencrypt/live/your.server.com/fullchain.pem /opt/kasm/current/certs/kasm_nginx.crt
sudo ln -s /etc/letsencrypt/live/your.server.com/privkey.pem /opt/kasm/current/certs/kasm_nginx.key
7. Start the KASM service.
sudo /opt/kasm/bin/start
8. Double-check the HTTPS certificate by accessing the KASM web console using the FQDN.
9. Create certbot pre and post hook scripts to stop the KASM service before certificate auto-renewal and start it again afterwards.
printf '#!/bin/bash\n/opt/kasm/bin/stop\n' | sudo tee /etc/letsencrypt/renewal-hooks/pre/stop_kasm.sh
printf '#!/bin/bash\n/opt/kasm/bin/start\n' | sudo tee /etc/letsencrypt/renewal-hooks/post/start_kasm.sh
10. Make both scripts executable.
sudo chmod +x /etc/letsencrypt/renewal-hooks/{pre,post}/*kasm.sh
11. Do a test run of certbot renewal to make sure the pre and post hooks are working.
ubuntu@kasm:/opt/kasm/current/certs$ sudo certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/your.server.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Account registered.
Hook 'pre-hook' ran with output:
Stopping Kasm Services
Hook 'pre-hook' ran with error output:
Container kasm_proxy Stopping
Container kasm_proxy Stopped
Container kasm_api Stopping
Container kasm_agent Stopping
Container kasm_share Stopping
Container kasm_api Stopped
Container kasm_share Stopped
Container kasm_redis Stopping
Container kasm_agent Stopped
Container kasm_manager Stopping
Container kasm_redis Stopped
Container kasm_manager Stopped
Container kasm_db Stopping
Container kasm_db Stopped
Simulating renewal of an existing certificate for your.server.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all simulated renewals succeeded:
/etc/letsencrypt/live/your.server.com/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Hook 'post-hook' ran with output:
Starting Kasm Services
Hook 'post-hook' ran with error output:
Container kasm_redis Created
Container kasm_db Created
Container kasm_api Created
Container kasm_share Created
Container kasm_manager Created
Container kasm_agent Created
Container kasm_proxy Created
Container kasm_redis Starting
Container kasm_db Starting
Container kasm_redis Started
Container kasm_db Started
Container kasm_manager Starting
Container kasm_api Starting
Container kasm_share Starting
Container kasm_manager Started
Container kasm_agent Starting
Container kasm_share Started
Container kasm_api Started
Container kasm_agent Started
Container kasm_proxy Starting
Container kasm_proxy Started
ubuntu@kasm:/opt/kasm/current/certs$
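
A check to run after step 7 and after each renewal, added here as an example and not part of the original post: it confirms that the Kasm certificate files are symlinks into certbot's live/ directory, that the key matches the certificate, that the certificate is no longer self-signed, and that it is not about to expire. The function names and the 20-day default are assumptions; the paths are the ones used in the steps above.

```sh
#!/bin/sh
# Added example, not from the original post. Paths are the ones used in the
# steps above; function names and the 20-day default are assumptions.
KASM_CERTS="${KASM_CERTS:-/opt/kasm/current/certs}"
LE_LIVE="${LE_LIVE:-/etc/letsencrypt/live}"

# True only if $1 is a symlink pointing directly into directory $2.
# One-level readlink on purpose: certbot's live/ files are themselves links
# into archive/, and a link straight to archive/ goes stale at renewal.
links_into() {
    [ -L "$1" ] || return 1
    case "$(readlink "$1")" in "$2"/*) return 0 ;; *) return 1 ;; esac
}

# True if the first certificate in $1 has the same issuer and subject.
is_self_signed() {
    iss=$(openssl x509 -in "$1" -noout -issuer_hash 2>/dev/null) || return 2
    sbj=$(openssl x509 -in "$1" -noout -subject_hash 2>/dev/null) || return 2
    [ "$iss" = "$sbj" ]
}

# True if private key $2 belongs to the first certificate in $1.
key_matches_cert() {
    cpub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    kpub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ "$cpub" = "$kpub" ]
}

# check_kasm_tls FQDN [MIN_DAYS]: prints every failed check, returns 1 if any.
check_kasm_tls() {
    fqdn=$1; min_days=${2:-20}; rc=0
    crt="$KASM_CERTS/kasm_nginx.crt"; key="$KASM_CERTS/kasm_nginx.key"
    for f in "$crt" "$key"; do
        links_into "$f" "$LE_LIVE/$fqdn" ||
            { echo "FAIL: $f is not a symlink into $LE_LIVE/$fqdn"; rc=1; }
    done
    if is_self_signed "$crt"; then
        echo "FAIL: $crt is still a self-signed certificate"; rc=1
    fi
    key_matches_cert "$crt" "$key" ||
        { echo "FAIL: $key does not match $crt (or is unreadable)"; rc=1; }
    openssl x509 -in "$crt" -noout -checkend $((min_days * 86400)) \
        >/dev/null 2>&1 ||
        { echo "FAIL: $crt expires within $min_days days"; rc=1; }
    return $rc
}

# Run only when called with arguments, e.g.: sudo sh check.sh your.server.com
if [ "$#" -gt 0 ]; then check_kasm_tls "$@" || exit 1; fi
```

Run it as root, because certbot keeps privkey.pem readable by root only.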