Xrdp with Let’s Encrypt on Ubuntu 18.04

Estimated reading time: 1 min

Introduction

Xrdp is an open source Remote Desktop Protocol server which uses RDP to present a Graphic User Interface to the client. In this we will help you to setup and configure a xrdp server with Let’s Encrypt certificate.

Prerequisites

  • Root user or a user with root privileges

  • Working SSH connection on the server

Step 1 – Log in to your server

Open a terminal and log in to your server using SSH

ssh root@ip_address_or_domain

Step 2 – Install dependencies

apt-get install wget unzip curl socat git

Step 3 – Install Display Manager

If your server has already a display manager you can skip this step and proceed with step 4. In this article, we are installing Gnome since we have executed a test with Gnome. You are free to choose another display manager.

apt install gnome-session gdm3

Step 4 – Download automated Xrdp script

We are using a bash script written by Griffon he has written an automated installation script for Xrdp.

mkdir -p /tmp/xrdp
cd /tmp/
wget http://www.c-nergy.be/downloads/Std-Xrdp-Install-0.5.zip
unzip Std-Xrdp-Install-0.5.zip -d /tmp/xrdp
cd /tmp/xrdp

Step 5 – Make the script executable

chmod +x Std-Xrdp-Install-0.5.sh

Step 6 – Run the Xrdp script

The xrdp script accepts two parameters, -s yes will fix the sound redirection within the xrdp session and the -g yes will implement the sound redirection fix and gdm lock screen fix within the Xrdp session.

./Std-Xrdp-Install-0.5.sh -s yes -g yes

Step 7 – Create Xrdp user

adduser <username>

Step 8 – Add user to Xrdp group

usermod -G xrdp <username>

Step 9 – Reboot

Reboot the server to apply the new changes.

reboot

Step 10 – Test Xrdp

You should now be able to use RDP client to connect to your server. You should see a pop up with a certificate warning.
Certificate warning

Step 11 – Download Acme.sh

cd /tmp
git clone https://github.com/Neilpang/acme.sh.git

Step 12 – Advanced Installation

cd acme.sh
./acme.sh --install  --home /usr/local/acme.sh --certhome /var/www/letsencrypt/ --accountemail  "[email protected]"

Step 13 –  Issue a certificate

acme.sh --issue -d example.com -w /home/wwwroot/example.com

Step 14 – Configure Xrdp to use Let’s Encrypt certificate

Find the two lines certificate=& key_file= and edit these two lines with the path to the certificates which is issued in step 13.

nano /etc/xrdp/xrdp.ini
certificate=/usr/local/acme.sh/example.com/fullchain.cer key_file=/usr/local/acme.sh/example.com/example.com.key

Step 15 – Restart Xrdp

Restart the xrdp service to apply the changes.

systemctl restart xrdp

Step 16 – Login via Xrdp

Log in via RDP to your server, rdp should not show you any warning. If you get any certificate issue the configuration was not successful and it should be debugged.

Conclusion

Congratulations, you should now have a working Xrdp server with a Let’s Encrypt certificate.

Was this article helpful?
Dislike 4
Views: 21185

Reader Interactions

Comments

  1. Bart says

    Can't get the certificate part to work.
    The certifcate are generated, but xrdp isn't picking it up.
    While trying to follow these steps, i wasnt able to install to /usr/local/acme.sh
    Instead i used –install –home /home//.acme.sh.

    ls -l of the folder containing the certificates:
    -rw-rw-r– 1 ssl-cert 4399 okt 24 18:34 ca.cer
    -rw-r–r– 1
    ssl-cert 6737 okt 24 18:34 fullchain.cer
    -rw-r–r– 1
    ssl-cert 2338 okt 24 18:34 .freeddns.org.cer
    -rw-rw-r– 1 ssl-cert 572 okt 24 18:34 .freeddns.org.conf
    -rw-rw-r– 1 ssl-cert 1054 okt 24 18:33 .freeddns.org.csr
    -rw-rw-r– 1 ssl-cert 207 okt 24 18:33 .freeddns.org.csr.conf
    -rw-r—– 1 ssl-cert 1675 okt 24 17:28 .freeddns.org.key

    under xrdp.ini
    ;certificate=/home//.acme.sh/.freeddns.org/fullchain.cer
    ;key_file=/home//.acme.sh/.freeddns.org/.freeddns.org.key

    Any advise?

    • Yavuz Aydin says

      I would like to advise you under which user xrdp runs at. Most probably this is a permission issue. Also check logfiles. Unfortunately I'm unable to provide exact instructions as to which logfiles should be checked, these instructions are old.

Leave a Reply

Your email address will not be published. Required fields are marked *