[Tutorial] Added guide to setting up Let's Encrypt SSL certificate on unique port on Hestia Control Panel with Netcup KVM

community-tutorials/hestiacp-add-lets-encrypt-unique-port/01-en.md

@@ -0,0 +1,190 @@
+---
+title: Set up/proxy redirect, a Let's Encrypt SSL/HTTPS Certificate for a unique port with Hestia Control Panel on netcup.
+description: Learn to set up or proxy redirect, a Let's Encrypt SSL/HTTPS Certificate on unique port (example 4545) with Hestia Control Panel on netcup KVM.
+level: intermediate/advanced
+updated_at: 2025-10-11
+slug: netcup-lets-encrypt-unique-port-hosting-using-hestia-control-panel
+author_name: vdbhb59
+author_url: https://github.com/vdbhb59
+author_image: https://avatars.githubusercontent.com/u/60728004
+author_bio: Songs & Books 4ever
+tags: [lets-encrypt, unique-port, reverse-proxy, ssl, https]
+netcup_product_url: https://www.netcup.eu/bestellen/produkt.php?produkt=3691
+language: en
+available_languages: en
+---
+
+# Introduction
+
+In this tutorial, I will guide you through the process of setting up a let's encrypt ssl/https certificate (reverse proxy) on a unique port other than 80/443, example **port:4545** on the root server for hosting using Hestia Control Panel (See installation URL given under prerequisites below). Hestia Control Panel is a popular open source web server control panel that simplifies the management of your website, email accounts, databases, and other hosting-related tasks. This tutorial is compatible with both VPS and Root Server offerings by netcup.
+
+Assumptions:
+* You already have a sub-domain setup and the requisite service installed at the specified http port (example - `http://sd1.domain.tld:4545`).
+* You have the sub-domain setup with **SSL/HTTPS (443)** setup (example - `https://sd1.domain.tld`)
+* You have bare minimum knowledge of terminal, web servers, vhosts, reverse proxy.
+
+The reading time of this tutorial is about 35 minutes; implementation will take approximately 60-70 minutes.
+
+## Background
+
+The objective of Let’s Encrypt and the ACME protocol is to make it possible to set up an HTTPS server and have it automatically obtain browser-trusted certificates without any human intervention. This is accomplished by running an ACME client on a web server. To know more, visit [Let's Encrypt](https://letsencrypt.org/how-it-works/). This also forms a part for use in Nginx reverse proxy configuration.
+
+[Forgejo](https://forgejo.org/) is a self-hosted lightweight software forge (simple software project management). Easy to install and low maintenance, it just does the job.
+
+In the world of open-source software, the story of how a project is governed is often as important as the code itself. Forgejo is a powerful testament to this fact. It is a “soft fork” of [Gitea](https://about.gitea.com/), created by a community of users and contributors to ensure that the project’s future remains in the hands of a non-profit, community-driven organization.
+
+Born out of concerns following the creation of a for-profit company to manage Gitea, Forgejo’s mission is to be a truly free and open-source software (FOSS) forge, managed under the stewardship of the Codeberg e.V. non-profit. It is technically very similar to Gitea, but philosophically, it represents a commitment to community ownership and non-commercial governance.
+
+Since Forgejo by default/design runs on port 4545 and many other projects also default to port 4545, I chose a different port (example 4545 here). This helps me keep it running in the background without conflicting with other applications. This was necessary for 2 more reasons:
+
+* Clean url everytime
+  Example instead having to type or visit `https://git.example.com:4545` every time, I will have a cleaner url as `https://git.example.com`.
+* Issue an HTTPS/SSL/TLS enabled URL and enjoy the higher level of security.
+  Visitors & users of my site would also know they are safe.
+
+# Prerequisites
+
+- A server from netcup with latest Ubuntu 20.04/22.04/LTS; Debian 10/11/12/LTS or later installed (see the below URL) - use minimal mode of installation, also called clean installation. [Installation Tutorial](https://community.netcup.com/en/tutorials/netcup-root-server-hosting-using-hestia-control-panel)
+- A registered domain name
+- Access to your server
+
+# Step 1: Update your system
+
+Before we begin, it's essential to ensure that your system is up-to-date. Log in to your server via SSH as the root user and run the following command:
+
+For Ubuntu/Debian:
+
+```
+apt update && apt upgrade -y
+```
+
+# Step 2: Add the necessary changes to the service (example git)
+
+```
+username@serverip:port
+```
+
+I created a normal subdomain at normal 80/443 ports with LE SSL generated.
+Then in the git app.ini (**/etc/git/app.in**) file, added this under **[server]**
+
+```
+nano /etc/git/app.ini
+--------------
+[server]
+ENABLE_ACME = enable
+HTTPS_PORT = 4545 ssl
+ROOT_URL = https://git.domain.tld
+-------------- **(save changes to the file by typing CTRL+X simultaneously)**
+CTRL+X
+Y
+Enter
+```
+
+Then under nginx.conf (**$HESTIADATA\conf\web\git.domain.tld\nginx.conf**) I added
+
+```
+nano /$HESTIADATA\conf\web\git.domain.tld\nginx.conf
+--------------
+ location / {
+     client_max_body_size 4096M;
+     proxy_pass http://localhost:4545;
+     proxy_set_header Connection $http_connection;
+     proxy_set_header Upgrade $http_upgrade;
+     proxy_set_header Host $host;
+     proxy_set_header X-Real-IP $remote_addr;
+     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+     proxy_set_header X-Forwarded-Proto $scheme;
+-------------- **(save via)**
+CTRL+X
+Y
+Enter
+```
+
+Then under apache2.conf (**$HESTIADATA\conf\web\git.domain.tld\apach2.conf**) I added
+
+```
+nano /$HESTIADATA\conf\web\git.domain.tld\apache2.conf
+--------------
+     ProxyPreserveHost On
+     ProxyRequests off
+     AllowEncodedSlashes NoDecode
+     ProxyPass / http://localhost:4545/ nocanon
+-------------- **(save via)**
+CTRL+X
+Y
+Enter
+```
+
+Then under apache2.ssl.conf (**$HESTIADATA\conf\web\git.domain.tld\apache2.ssl.conf**) I added
+
+```
+nano /$HESTIADATA\conf\web\git.domain.tld\apach2.ssl.conf
+--------------
+ < VirtualHost git.domain.tld:8443 https >
+*****************************
+*****************************
+    ProxyPreserveHost On
+     ProxyRequests off
+     AllowEncodedSlashes NoDecode
+     ProxyPass / http://localhost:4545/ nocanon
+-------------- **(save via)**
+CTRL+X
+Y
+Enter
+```
+
+I also enabled the following to ensure the proxy works:
+
+```
+ a2enmod proxy
+ a2enmod proxy_http
+ a2enmod proxy_balancer
+ a2enmod proxy_wstunnel
+ systemctl restart apache2
+```
+
+Then I restarted all services
+
+```
+ systemctl restart apache2
+ systemctl restart nginx
+ systemctl start git.service
+```
+
+I got the help from these:
+
+[APache SSL Long Record Error](https://stackoverflow.com/a/42206383)
+
+[Let's Encrypt SSL Certificate](https://www.reddit.com/r/forgejo/comments/1ar9j72/comment/kqudf1t/)
+
+[Gitea Reverse Proxy - Apache HTTPD](https://docs.gitea.com/administration/reverse-proxies#apache-httpd)
+
+[Gitea Reverse Proxy - General Conf](https://docs.gitea.com/administration/reverse-proxies#general-configuration)
+
+[Gitea Reverse Proxy - NGINX](https://docs.gitea.com/administration/reverse-proxies#nginx)
+
+# Conclusion
+
+Awesome! You've successfully set up a let's encrypt certificate on a unique port other than the usual ones used 443/8443. Specifially port 3000 used by forge systems (gitea, forgejo, etc.,)
+# Licence
+
+[MIT](https://github.com/netcup-community/community-tutorials/blob/main/LICENSE)
+
+Copyright (c) 2025 netcup
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicence, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+# Contributor's Certificate of Origin
+By making a contribution to this project, I certify that:
+
+ 1) The contribution was created in whole or in part by me and I have the right to submit it under the licence indicated in the file; or
+
+ 2) The contribution is based upon previous work that, to the best of my knowledge, is covered under an appropriate licence and I have the right under that licence to submit that work with modifications, whether created in whole or in part by me, under the same licence (unless I am permitted to submit under a different licence), as indicated in the file; or
+
+ 3) The contribution was provided directly to me by some other person who certified (a), (b) or (c) and I have not modified it.
+
+ 4) I understand and agree that this project and the contribution are public and that a record of the contribution (including all personal information I submit with it, including my sign-off) is maintained indefinitely and may be redistributed consistent with this project or the licence(s) involved.

community-tutorials/netcup-root-server-hosting-using-hestia-control-panel/01-en.md

@@ -2,14 +2,14 @@
 title: Set Up a Web Server Using Hestia Control Panel on netcup
 description: Learn how to set up a Root Server for hosting using Hestia Control Panel on netcup.
 level: beginner
-updated_at: 2024-11-18
+updated_at: 2025-10-11
 slug: netcup-root-server-hosting-using-hestia-control-panel
 author_name: vdbhb59
 author_url: https://github.com/vdbhb59
 author_image: https://avatars.githubusercontent.com/u/60728004
 author_bio: Songs & Books 4ever
 tags: [root, hosting, hestia-control-panel, netcup, debian, ubuntu, LTS-only]
-netcup_product_url: https://www.netcup.com/en/server/root-server/rs-1000-g11-iv-12m
+netcup_product_url: https://www.netcup.com/en/server/root-server/rs-2000-g12-iv-12m
 language: en
 available_languages: en
 ---
@@ -22,7 +22,7 @@ The reading time of this tutorial is about 15 minutes; implementation will take
 
 # Prerequisites
 
-- A Root Server from netcup with latest Ubuntu 20.04/22.04 (LTS); Debian 10/11/12 or later installed (see the below URL) - use minimal mode of installation, also called clean installation. [Requirement Details](https://hestiacp.com/docs/introduction/getting-started.html#requirements)
+- A Root Server from netcup with latest Ubuntu 20.04/22.04 (LTS); Debian 11/12 or later installed (see the below URL) - use minimal mode of installation, also called clean installation. [Requirement Details](https://hestiacp.com/docs/introduction/getting-started.html#requirements)
 - Please note latest Hestia Control Panel only supports the latest versions of the above OS. To know more visit:
 [Supported OS](https://hestiacp.com/docs/introduction/getting-started.html#supported-operating-systems)
 - A registered domain name (optional)
@@ -40,7 +40,7 @@ apt update && apt upgrade -y
 
 # Step 2: Install Hestia Control Panel
 
-To install Hestia Control Panel, you'll first need to install the installation script. Run the following commands to download and to execute the installation script:
+To install Hestia Control Panel, you'll first need to download the installation script. Run the following commands to download and to execute the installation script:
 
 ```
 cd ~ && wget https://raw.githubusercontent.com/hestiacp/hestiacp/release/install/hst-install.sh && bash hst-install.sh
@@ -49,9 +49,9 @@ cd ~ && wget https://raw.githubusercontent.com/hestiacp/hestiacp/release/install
 > If the download fails due to an SSL validation error, please be sure you've installed the ca-certificate package on your system - you can do this with the following command: `apt-get update && apt-get install ca-certificates`
 
 > **Info**
-> To install with custom commands, use the script generator: [Script Generator](https://gabizz.github.io/hestiacp-scriptline-generator/)
+> To install with custom commands, use the script generator: [Script Generator](https://hestiacp.com/install)
 
-Possible options to use in the command are:
+Possible options to use in the command are: list also available [here](https://hestiacp.com/docs/introduction/getting-started.html#list-of-installation-options)
 ```
 -a, --apache Install Apache [yes | no] default: yes
 -w, --phpfpm Install PHP-FPM [yes | no] default: yes
@@ -60,22 +60,24 @@ Possible options to use in the command are:
 -j, --proftpd Install ProFTPD [yes | no] default: no
 -k, --named Install BIND [yes | no] default: yes
 -m, --mysql Install MariaDB [yes | no] default: yes
--M, --mysql8 Install Mysql8 [yes | no] default: no
+-M, --mysql8 Install MySQL 8 [yes | no] default: no
 -g, --postgresql Install PostgreSQL [yes | no] default: no
 -x, --exim Install Exim [yes | no] default: yes
 -z, --dovecot Install Dovecot [yes | no] default: yes
 -Z, --sieve Install Sieve [yes | no] default: no
 -c, --clamav Install ClamAV [yes | no] default: yes
 -t, --spamassassin Install SpamAssassin [yes | no] default: yes
--i, --iptables Install Iptables [yes | no] default: yes
--b, --fail2ban Install Fail2ban [yes | no] default: yes
+-i, --iptables Install iptables [yes | no] default: yes
+-b, --fail2ban Install Fail2Ban [yes | no] default: yes
 -q, --quota Filesystem Quota [yes | no] default: no
+-W, --webterminal Web Terminal [yes | no] default: no
 -d, --api Activate API [yes | no] default: yes
 -r, --port Change Backend Port default: 8083
 -l, --lang Default language default: en
 -y, --interactive Interactive install [yes | no] default: yes
 -s, --hostname Set hostname
 -e, --email Set admin email
+-u, --username Set admin user
 -p, --password Set admin password
 -D, --with-debs Path to Hestia debs
 -f, --force Force installation
@@ -84,7 +86,7 @@ Possible options to use in the command are:
 
 An example of an updated command to run the script:
 ```
-cd ~ && wget https://raw.githubusercontent.com/hestiacp/hestiacp/release/install/hst-install.sh && bash hst-install.sh --apache yes --phpfpm yes --multiphp yes --vsftpd yes --port '8083' --hostname 'DOMAIN-HERE' --email 'EMAIL-HERE' --password 'PASSWORD-HERE' --lang 'en' --force
+cd ~ && wget https://raw.githubusercontent.com/hestiacp/hestiacp/release/install/hst-install.sh && bash hst-install.sh --hostname 'examplepanel.domain.tld' --username 'admin' --email 'workingmail@domain.tld' --password 'strong&complexpasswordhere' --multiphp '8.2,8.3,8.4' --postgresql yes --sieve yes --webterminal yes --force
 ```
 
 Follow the on-screen instructions to complete the installation. The installation process may take some time. Once it's complete, the Hestia Control Panel will be installed on your system.
@@ -111,8 +113,8 @@ On the dashboard, click the "Add User" button; fill out the fields; click the "S
 
 To switch to the new user, hover over the user you want to login as; click the login as icon (`-]`) on the right of the user’s name and email; you are now logged in as the user. As such, any action you perform will be done as this user.
 
- **Info**
- Never run a web or mail domain with the admin user - by default, the admin user has elevated privileges. This can pose a security threat to your server!
+> **Info**
+> Never run a web or mail domain with the admin user - by default, the admin user has elevated privileges. This can pose a security threat to your server!
 
 # Step 5: Set up your domain