Securing Your Cumulus Campus Network Server with TLS Certificate

When you visit your Cumulus server with a web browser using HTTPS, you typically see security warnings. This guide shows you how to eliminate those warnings by setting up a proper TLS certificate from the LNU FTK Campus Certificate Authority. Once completed, you can access your server securely in any browser without "Your connection is not private" messages.

The process involves four steps:

  1. Understanding DNS Addresses
    • Learn how DNS names are generated
  2. Installing the Root CA on Your Server
    • Prepare your server to trust the CA
  3. Requesting a Certificate
    • Get a TLS certificate for your server
  4. Trusting the CA in Your Browser
    • Access your server without security warnings

Step 1: Understanding DNS Addresses in the Campus Network

In the Cumulus campus network, each virtual server automatically gets a DNS address based on its floating IP address.

How the DNS Name is Constructed

The DNS name follows this pattern:

<cloud><digit><number>.camp.lnu.se

  • <cloud> - cu for cumulus cloud
  • <digit> - Last digit of the 3rd octet from the floating IP
  • <number> - 4th octet, zero-padded to 3 digits
  • .camp.lnu.se - Domain suffix

Example

Floating IP: 172.27.63.14

  1. Take the last digit of the 3rd octet: 633
  2. Zero-pad the 4th octet: 14014
  3. Combine: cu3014.camp.lnu.se

Automating the Conversion

You can retrieve your server's DNS name automatically using OpenStack's metadata service:

This command:

  1. Fetches the server's floating IPv4 address
  2. Extracts the 3rd and 4th octets
  3. Formats them into the correct FQDN

You now know your server's DNS address.

Next step: Install the Root CA in your server.

Step 2: Installing the Root CA in Your Virtual Server

To request and use certificates, your server must first trust the LNU FTK Campus Root CA.

⚠️ Note: Python and SNAP applications have their own trust stores and may require separate configuration.

Prerequisites

  • Your virtual server has a floating IP address in the Cumulus campus network
  • You have sudo privileges on the server

Installation Steps (Ubuntu)

1. Download the Root CA certificate:

2. Update the system trust store:

3. Verify the installation:

Confirm the certificate was installed correctly:

Expected output:

Your server now trusts the LNU FTK Campus Root CA.

Next step: Request a certificate for your server.

Step 3: Requesting a Certificate for Your Server

Use the ACME (Automated Certificate Management Environment) protocol to automatically get a certificate for your server.

Prerequisites

  • Your server has a floating IP in the Cumulus campus network
  • The LNU FTK Campus Root CA 2025 is installed (see Step 2)
  • You have sudo privileges

Option A: Nginx or Apache

1. Install Certbot:

2. Request a certificate:

⚠️ Note: Your web server (nginx or apache) must be installed and running before requesting a certificate.

For Nginx:

For Apache: Replace --nginx with --apache in the command above.

What this does:

  • Uses the LNU FTK Campus CA endpoint (not Let's Encrypt)
  • Automatically retrieves your server's DNS name
  • Requests and installs the certificate
  • Configures your web server

For other configurations, see certbot instructions.

Option B: Caddy

Edit your Caddy configuration file (typically /etc/caddy/Caddyfile):

Replace cuXXXX with your actual DNS name from Step 1.

Your server now has a trusted TLS certificate.

Next step: Configure your browser to trust the CA.

Step 4: Trusting the CA in Your Browser

To access your server without security warnings, install the Root CA certificate in your browser's trust store.

4.1: Download the Root CA

  1. Download LNU_FTK_Campus_Root_CA_2025.crt
  2. Remember the download location (e.g., Downloads folder)

4.2: Import the Certificate

Choose your operating system and browser:

💻 macOS

Google Chrome / Safari (uses macOS Keychain)
  1. Locate the downloaded LNU_FTK_Campus_Root_CA_2025.crt file
  2. Double-click it → opens in Keychain Access
  3. Select System keychain when prompted
  4. Find LNU FTK Campus Root CA 2025 in the list
  5. Double-click it → expand Trust section
  6. Set When using this certificateAlways Trust
  7. Close the window (enter admin password if prompted)

Note: Both Chrome and Safari now trust this CA.

Mozilla Firefox (separate certificate store)
  1. Open Firefox
  2. Go to Settings (⚙️)
  3. Navigate to Privacy & SecurityCertificatesView Certificates
  4. Select the Authorities tab
  5. Click Import
  6. Select the downloaded Root CA file
  7. Check "Trust this CA to identify websites"
  8. Click OK

Note: Firefox uses its own certificate store, independent of macOS Keychain.

💻 Windows / Linux

Google Chrome
  1. Open Chrome
  2. Navigate to: chrome://certificate-manager/localcerts/usercerts
  3. Select the Local certificates tab
  4. Under Installed by you, click Import (Trusted Certificates)
  5. Browse to the downloaded Root CA file
  6. Click Open → Confirm the import
Mozilla Firefox
  1. Open Firefox
  2. Go to SettingsPrivacy & SecurityView Certificates
  3. Select the Authorities tab
  4. Click Import
  5. Choose the downloaded Root CA file
  6. Check "Trust this CA to identify websites"
  7. Click OK

Congratulations! Setup complete.

You can now access your Cumulus server securely using HTTPS without browser security warnings. The certificate is valid for your server's cuXXXX.camp.lnu.se address.

What's next? Visit your server in a web browser using https://cuXXXX.camp.lnu.se (replace XXXX with your actual server number from Step 1).

Troubleshooting

If you encounter issues:

  • Verify your server has a floating IP in the campus network
  • Ensure the Root CA is properly installed (Step 2)
  • Check that your web server is running before requesting certificates
  • Confirm you're using the correct DNS name from Step 1