Closed environment (HTB/VL/PG — no DNS): Skip this page entirely. A self-signed certificate with your redirector’s public IP as the Subject Alternative Name is generated automatically at deploy time. Agents and the connectivity test script work over both HTTP and HTTPS using the IP directly. Proceed to Run the connectivity test.
For open-environment deployments with a registered domain, you need a trusted TLS certificate so that implants can connect over HTTPS without disabling certificate verification. Certbot obtains a free Let’s Encrypt certificate and updates the Apache HTTPS configuration automatically.
Prerequisites: DNS must be propagated before running Certbot. Complete Step 1.6 — Point domain to redirector and verify the domain resolves to your redirector’s Elastic IP before continuing.
Step 1 — SSH to the redirector
Choose one of the three access methods:

Option A: Direct SSH with the key file

Linux / macOS:

ssh -i rs-rsa-key.pem admin@<REDIR_PUBLIC_IP>

Windows (PowerShell):

ssh -i ".\rs-rsa-key.pem" admin@<REDIR_PUBLIC_IP>

Replace <REDIR_PUBLIC_IP> with the value from terraform output deployment_info under the APACHE REDIRECTOR section.

Option B: Guacamole SSH session

Open the Guacamole portal in your browser:

https://<GUAC_PUBLIC_IP>/guacamole

Click Apache Redirector (SSH) in the connection list. The session opens in your browser — no SSH key needed.

Option C: MobaXterm from the Windows operator workstation (via Guacamole RDP)

- Open MobaXterm
- Expand the redStack Sessions folder
- Click Apache Redirector (SSH)

The session connects using the lab password. No key file is required.
Step 2 — Run Certbot
Once logged in to the redirector, run Certbot with the Apache plugin:
sudo certbot --apache -d yourdomain.tld
Replace yourdomain.tld with the value you set for redirector_domain in terraform.tfvars.
Step 3 — Complete the Certbot prompts
Certbot walks through a short interactive setup:
Email address
Enter an email address for urgent renewal notices and security alerts from Let’s Encrypt.

Enter email address (used for urgent renewal and security notices)
(Enter 'c' to cancel): you@youremail.com
Accept the Terms of Service
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.6-August-18-2025.pdf. You must agree
in order to register with the ACME server. Do you agree?
(Y)es/(N)o: Y
EFF newsletter (optional)
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation?
(Y)es/(N)o: N
This is optional and has no effect on the certificate.
Step 4 — Verify the output
A successful run produces output like this:
Account registered.
Requesting a certificate for yourdomain.tld
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/yourdomain.tld/fullchain.pem
Key is saved at: /etc/letsencrypt/live/yourdomain.tld/privkey.pem
This certificate expires on 2026-05-27.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.
Deploying certificate
Successfully deployed certificate for yourdomain.tld to /etc/apache2/sites-enabled/redirector-https.conf
Congratulations! You have successfully enabled HTTPS on https://yourdomain.tld
Certbot does the following automatically:
- Updates /etc/apache2/sites-enabled/redirector-https.conf to reference the new certificate paths
- Adds an HTTP → HTTPS rewrite in the HTTP VirtualHost
- Configures a systemd timer (certbot.timer) for automatic renewal before expiry
Step 5 — Exit and verify
Exit the SSH session:
Verify the full stack with the connectivity test script. You can run it from any session on the redirector:
sudo /home/admin/test_redirector.sh
The Active VirtualHosts section should show both :80 and :443 for your domain.
To inspect the VirtualHost configuration directly:
Expected output:
*:443 yourdomain.tld (/etc/apache2/sites-enabled/redirector-https.conf:1)
*:80 yourdomain.tld (/etc/apache2/sites-enabled/redirector-http.conf:1)
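The checks in Step 5 can be scripted so the same questions are asked after every deploy or renewal: are both VirtualHosts present, is the HTTP → HTTPS rewrite in place, are the certificate files there with a private key nobody else can read, is the renewal timer running, and does the served chain actually validate against the system trust store (which is what lets an implant keep certificate verification on). The script below is an added example, not part of redStack or Certbot. It assumes `apache2ctl -S` as the source of the VirtualHost listing and `systemctl` for the timer; the domain, the sample listing, and the sample RewriteRule lines are constructed for the example, modelled on the expected output shown above.

```shell
#!/usr/bin/env bash
# post_certbot_check.sh: sanity checks after Certbot has deployed the certificate.
# Added example, not part of redStack. Domain, sample outputs and the rewrite
# lines are constructed assumptions. Run as root on the redirector:
#   sudo ./post_certbot_check.sh --run yourdomain.tld
set -u

# vhosts_ok DOMAIN TEXT: succeed when TEXT (output of `apache2ctl -S`) lists
# both a *:80 and a *:443 VirtualHost for DOMAIN.
vhosts_ok() {
  domain_re=$(printf '%s' "$1" | sed 's/\./\\./g')   # escape dots for grep -E
  for port in 80 443; do
    printf '%s\n' "$2" | grep -Eq "^[[:space:]]*\*:${port}[[:space:]]+${domain_re}[[:space:]]" || return 1
  done
}

# redirect_ok TEXT: succeed when TEXT (the HTTP VirtualHost config) contains a
# RewriteRule that sends clients to https://, as Certbot's Apache plugin adds.
redirect_ok() {
  printf '%s\n' "$1" | grep -Eq '^[[:space:]]*RewriteRule[[:space:]].*https://'
}

# cert_files_ok DOMAIN LIVE_DIR: succeed when fullchain.pem and privkey.pem
# exist under LIVE_DIR/DOMAIN and the private key is not group/world readable.
cert_files_ok() {
  certdir="$2/$1"
  [ -f "$certdir/fullchain.pem" ] || return 1
  [ -f "$certdir/privkey.pem" ] || return 1
  # ls -lL follows the symlink into archive/; columns 5-10 are group+other bits.
  [ "$(ls -lL "$certdir/privkey.pem" | cut -c5-10)" = "------" ]
}

# main DOMAIN: run every check against the live host and report each result.
main() {
  dom="$1"; rc=0
  vhosts_ok "$dom" "$(apache2ctl -S 2>&1)" && echo "OK   :80 and :443 VirtualHosts present" \
    || { echo "FAIL VirtualHost for :80 or :443 missing (apache2ctl -S)"; rc=1; }
  redirect_ok "$(cat /etc/apache2/sites-enabled/redirector-http.conf)" && echo "OK   HTTP->HTTPS rewrite present" \
    || { echo "FAIL no https RewriteRule in redirector-http.conf"; rc=1; }
  cert_files_ok "$dom" /etc/letsencrypt/live && echo "OK   certificate files present, key not readable by others" \
    || { echo "FAIL certificate files missing or privkey.pem too permissive"; rc=1; }
  systemctl is-active --quiet certbot.timer && echo "OK   certbot.timer active" \
    || { echo "FAIL certbot.timer not active; renewal will not happen"; rc=1; }
  # Validate the served chain the way a client with verification enabled would.
  openssl s_client -connect "${dom}:443" -servername "$dom" </dev/null 2>/dev/null \
    | grep -q 'Verify return code: 0 (ok)' && echo "OK   served chain validates against system trust store" \
    || { echo "FAIL chain does not validate (self-signed, wrong SNI, or DNS still pointing elsewhere?)"; rc=1; }
  return $rc
}

# Constructed sample inputs modelled on the page's expected output (not captured
# from a real host); they let the parsers be exercised without a redirector.
SAMPLE_VHOSTS='VirtualHost configuration:
*:443 yourdomain.tld (/etc/apache2/sites-enabled/redirector-https.conf:1)
*:80 yourdomain.tld (/etc/apache2/sites-enabled/redirector-http.conf:1)
ServerRoot: "/etc/apache2"'

SAMPLE_HTTP_CONF='<VirtualHost *:80>
    ServerName yourdomain.tld
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =yourdomain.tld
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>'

if [ "${1:-}" = "--run" ]; then
  main "${2:?usage: $0 --run DOMAIN}"
fi
```

Each parser takes its input as text, so the same functions can be pointed at a saved `apache2ctl -S` listing from another host or at the sample strings above; only `main` touches the live system. A `FAIL` on the last check while the others pass usually means the chain is fine locally but the name still resolves somewhere else, which is the same DNS condition Certbot itself needs before it can issue.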
If Certbot fails with a challenge error, confirm that your DNS A record points to the redirector’s Elastic IP and that the record has fully propagated. The certificate cannot be issued until Let’s Encrypt can reach the redirector over HTTP on port 80 using the domain name.