Securing Your Cumulus Campus Network Server with a TLS Certificate

When you visit your Cumulus server with a web browser using HTTPS, you typically see security warnings. This guide shows you how to eliminate those warnings by setting up a proper TLS certificate from the LNU FTK Campus Certificate Authority. Once completed, you can access your server securely in any browser without "Your connection is not private" messages.

The process involves five steps:

  1. Understanding DNS Addresses
    • Learn how DNS names are generated
  2. Installing the Root CA on Your Server
    • Prepare your server to trust the CA
  3. Requesting a Certificate
    • Get a TLS certificate for your server
  4. Configuring Automatic Certificate Renewal (Required)
    • Make sure your certificate stays valid
  5. Trusting the CA in Your Browser
    • Access your server without security warnings

Step 1: Understanding DNS Addresses in the Campus Network

In the Cumulus campus network, each virtual server automatically gets a DNS address based on its floating IP address.

How the DNS Name is Constructed

The DNS name follows this pattern:

<cloud><digit><number>.camp.lnu.se

  • <cloud> - cu for cumulus cloud
  • <digit> - Last digit of the 3rd octet from the floating IP
  • <number> - 4th octet, zero-padded to 3 digits
  • .camp.lnu.se - Domain suffix

Example

Floating IP: 172.27.63.14

  1. Take the last digit of the 3rd octet: 63 → 3
  2. Zero-pad the 4th octet: 14 → 014
  3. Combine: cu3014.camp.lnu.se

Automating the Conversion

You can retrieve your server's DNS name automatically using OpenStack's metadata service:

This command:

  1. Fetches the server's floating IPv4 address
  2. Extracts the 3rd and 4th octets
  3. Formats them into the correct FQDN
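
The conversion rule above, written out as a shell function. This is an added example, not the command from the original page; the function name campus_fqdn is hypothetical, and the metadata URL in the final comment assumes the EC2-compatible metadata path is enabled in this cloud.

```sh
#!/bin/sh
# Added example: build the campus DNS name from a floating IPv4 address,
# following <cloud><digit><number>.camp.lnu.se with <cloud> = cu.

# campus_fqdn IP -> prints the FQDN; returns 1 on malformed input.
campus_fqdn() {
    ip=$1
    # Allow only digits and single dots, with no leading or trailing dot.
    case $ip in
        ''|*[!0-9.]*|*..*|.*|*.)
            echo "invalid IPv4 address: $ip" >&2; return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $ip            # split into octets: $1 $2 $3 $4
    IFS=$old_ifs
    if [ $# -ne 4 ]; then
        echo "invalid IPv4 address: $ip" >&2; return 1
    fi
    for octet in "$@"; do
        # Reject leading zeros (printf would read them as octal) and long fields.
        case $octet in
            0?*|????*) echo "invalid octet: $octet" >&2; return 1 ;;
        esac
        if [ "$octet" -gt 255 ]; then
            echo "invalid octet: $octet" >&2; return 1
        fi
    done
    digit=$(( $3 % 10 ))  # last digit of the 3rd octet
    printf 'cu%d%03d.camp.lnu.se\n' "$digit" "$4"
}

# Constructed sample: the floating IP from the example above.
campus_fqdn 172.27.63.14    # prints cu3014.camp.lnu.se

# On a server, the address could come from the metadata service instead.
# Assumption: the EC2-compatible path is enabled in this OpenStack cloud.
#   campus_fqdn "$(curl -s http://169.254.169.254/latest/meta-data/public-ipv4)"
```

Rejecting malformed input matters here because the result is later used as the certificate's DNS name; a wrong name makes the certificate request fail or cover the wrong host.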

You now know your server's DNS address.

Next step: Install the Root CA in your server.

Step 2: Installing the Root CA in Your Virtual Server

To request and use certificates, your server must first trust the LNU FTK Campus Root CA.

⚠️ Note: Python and SNAP applications have their own trust stores and may require separate configuration.

Prerequisites

  • Your virtual server has a floating IP address in the Cumulus campus network
  • You have sudo privileges on the server

Installation Steps (Ubuntu)

1. Download the Root CA certificate:

2. Update the system trust store:

3. Verify the installation:

Confirm the certificate was installed correctly:

Expected output:

Your server now trusts the LNU FTK Campus Root CA.

Next step: Request a certificate for your server.

Step 3: Requesting a Certificate for Your Server

Use the ACME (Automated Certificate Management Environment) protocol to automatically get a certificate for your server.

Prerequisites

  • Your server has a floating IP in the Cumulus campus network
  • The LNU FTK Campus Root CA 2025 is installed (see Step 2)
  • You have sudo privileges

Option A: Nginx or Apache

1. Install Certbot:

2. Request a certificate:

⚠️ Note: Your web server (nginx or apache) must be installed and running before requesting a certificate.

For Nginx:

For Apache: Replace --nginx with --apache in the command above.

What this does:

  • Uses the LNU FTK Campus CA endpoint (not Let's Encrypt)
  • Automatically retrieves your server's DNS name
  • Requests and installs the certificate
  • Configures your web server

For other configurations, see certbot instructions.

Option B: Caddy

Edit your Caddy configuration file (typically /etc/caddy/Caddyfile):

Replace cuXXXX with your actual DNS name from Step 1.

Your server now has a trusted TLS certificate.

Next step: Make sure your certificate stays valid by setting up automatic renewal.

Step 4: Configuring Automatic Certificate Renewal

Certificates issued by the LNU FTK Campus Certificate Authority are short-lived (6–7 days). Therefore, automatic renewal is mandatory to avoid service interruptions.

When Certbot is installed via snap, automatic renewal is handled by a systemd timer. However, because an internal ACME CA is used, additional configuration is required.

How Automatic Renewal Works

  • Certbot is executed automatically by the systemd timer snap.certbot.renew.timer
  • The timer runs several times per day
  • Renewal occurs automatically when the certificate is close to expiration
  • No cron jobs or manual scripts are required

1. Configure Certbot for the Campus CA (One-time setup)

Certbot must be provided with:

  • the campus Root CA bundle
  • the internal ACME server URL

This is done using a systemd drop-in configuration.

1. Create a drop-in directory

2. Create the drop-in configuration file

Explanation:

  • REQUESTS_CA_BUNDLE - Ensures Certbot trusts the LNU FTK Campus Root CA
  • CERTBOT_SERVER - Points Certbot to the campus ACME endpoint instead of Let’s Encrypt

2. Reload systemd and test renewal

This runs the same renewal logic that the timer uses.

3. Verify automatic renewal is scheduled

Check that the systemd timer is active:

You should see output similar to:

This confirms that automatic renewal is enabled.

4. Verify renewal results

To check certificate status at any time:

To verify that a renewal actually occurred:

If the certificate is not close to expiration, Certbot will only perform a check. This is expected behavior.
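
Because the certificates live only 6–7 days, a stalled renewal timer becomes an outage within days. The following added example (not from the original page) shows a check that fails when a certificate has less than a minimum lifetime left. The function names, the one-day threshold and the self-signed sample certificate are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: detect a stalled renewal of a short-lived certificate.

# cert_is_fresh CERT [MIN_SECONDS]
# Returns 0 if CERT stays valid for at least MIN_SECONDS, 1 if it expires
# sooner (or cannot be parsed), 2 if the file cannot be read.
cert_is_fresh() {
    cert=$1
    min_seconds=${2:-86400}   # assumption: alert below 1 day of lifetime
    if [ ! -r "$cert" ]; then
        echo "cannot read $cert" >&2
        return 2
    fi
    # -checkend exits 0 only if the certificate is still valid N seconds from now.
    openssl x509 -in "$cert" -noout -checkend "$min_seconds" >/dev/null 2>&1
}

# cert_summary CERT -> subject, issuer and expiry date for a human reader.
cert_summary() {
    openssl x509 -in "$1" -noout -subject -issuer -enddate
}

# make_sample_cert DIR DAYS -> DIR/cert.pem
# Constructed stand-in: a self-signed certificate with a campus-style name,
# used only so the check can run offline.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" \
        -subj "/CN=cuXXXX.camp.lnu.se" \
        -keyout "$1/key.pem" -out "$1/cert.pem" >/dev/null 2>&1
}

# Demo on the constructed certificate. On a real server, point the check at
# the certificate file Certbot maintains (by default under /etc/letsencrypt/live/).
tmp=$(mktemp -d)
make_sample_cert "$tmp" 7
if cert_is_fresh "$tmp/cert.pem" 86400; then
    echo "OK: more than one day of validity left"
    cert_summary "$tmp/cert.pem"
else
    echo "ALERT: certificate expires within one day, check the renewal timer"
fi
rm -rf "$tmp"
```

Tune the threshold to sit below the remaining lifetime at which renewal normally happens, so the check stays quiet while the timer works and fires only when a renewal has been missed.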

Automatic renewal is now fully configured.

No further action is required. The certificate will be renewed automatically before it expires.

Next step: Configure your browser to trust the CA.

Step 5: Trusting the CA in Your Browser

To access your server without security warnings, install the Root CA certificate in your browser's trust store.

5.1: Download the Root CA

  1. Download LNU_FTK_Campus_Root_CA_2025.crt
  2. Remember the download location (e.g., Downloads folder)

5.2: Import the Certificate

Choose your operating system and browser:

💻 macOS

Google Chrome / Safari (uses macOS Keychain)
  1. Locate the downloaded LNU_FTK_Campus_Root_CA_2025.crt file
  2. Double-click it → opens in Keychain Access
  3. Select System keychain when prompted
  4. Find LNU FTK Campus Root CA 2025 in the list
  5. Double-click it → expand Trust section
  6. Set When using this certificate → Always Trust
  7. Close the window (enter admin password if prompted)

Note: Both Chrome and Safari now trust this CA.

Mozilla Firefox (separate certificate store)
  1. Open Firefox
  2. Go to Settings (⚙️)
  3. Navigate to Privacy & Security → Certificates → View Certificates
  4. Select the Authorities tab
  5. Click Import
  6. Select the downloaded Root CA file
  7. Check "Trust this CA to identify websites"
  8. Click OK

Note: Firefox uses its own certificate store, independent of macOS Keychain.

💻 Windows / Linux

Google Chrome
  1. Open Chrome
  2. Navigate to: chrome://certificate-manager/localcerts/usercerts
  3. Select the Local certificates tab
  4. Under Installed by you, click Import (Trusted Certificates)
  5. Browse to the downloaded Root CA file
  6. Click Open → Confirm the import

Mozilla Firefox
  1. Open Firefox
  2. Go to Settings → Privacy & Security → View Certificates
  3. Select the Authorities tab
  4. Click Import
  5. Choose the downloaded Root CA file
  6. Check "Trust this CA to identify websites"
  7. Click OK

Congratulations! Setup complete.

You can now access your Cumulus server securely using HTTPS without browser security warnings. The certificate is valid for your server's cuXXXX.camp.lnu.se address.

What's next? Visit your server in a web browser using https://cuXXXX.camp.lnu.se (replace XXXX with your actual server number from Step 1).

Troubleshooting

If you encounter issues:

  • Verify your server has a floating IP in the campus network
  • Ensure the Root CA is properly installed (Step 2)
  • Check that your web server is running before requesting certificates
  • Confirm you're using the correct DNS name from Step 1