
5.3 Hestia Control Panel Installation Checklist

There are still a few tasks we need to complete before we install the Hestia Control Panel on our VMM VPS or CanHost VPS. In this chapter, we will review some of the most important tasks.

#1 VMM VPS Only: Make sure that Apache is not installed on our home computer.
Hestia will install its own version of Apache server into your VMM. There can be problems if there are two versions of Apache on the same computer. So, if you have Apache server installed on your home computer, delete it before installing Hestia. If you are installing Hestia on a CanHost VPS, there is no problem with keeping Apache server on your home computer.

#2 VMM VPS Only: Make sure our VPS has a bridge connection and that the bridge connection has an active slave connection.
As we explained previously, by default VMM uses a NAT connection that hides your VPS. NAT prevents Hestia from seeing your VPS. You therefore need to create a bridge connection before you install your VMM VPS. Here is what the Bridge connection looks like:

[Screenshot: VMM bridge connection with an active slave connection]

This is not a concern with a CanHost VPS.

#3 Install Debian on a VMM VPS or CanHost VPS
As we have explained in prior articles, Hestia works best with a Debian server. We have previously explained how to install Debian 10 on a VPS with VMM. When you order a CanHost VPS, just specify that you want Debian 10 and they will install it on your VPS for you.

#4 Make sure our VPS has a static IP address assigned to it
With VMM, turn on and log into your VPS and type ip addr. You may have to type ip addr 2 to 3 times before the IP shows up. With a CanHost VPS, be sure to turn on your VPS in the CanHost Account panel. It will automatically use your primary CanHost static IP address.

#5 Log into User SSH session
Use the static ip determined above to log into an SSH session.

With VMM, if the VMM user name is the same as your home computer user name, then open a terminal and type:

ssh 192.168.1.59

With CanHost, open a terminal on your home computer and type:

ssh your-canhost-user-name@your-canhost-ip

#6 VMM VPS Only: Add the static IP to your home computer etc hosts file.
This is needed when using fake domain names for sandbox testing. It will allow your browser to find your VMM VPS. When NOT in an SSH session, open your home computer terminal and copy paste: sudo nano /etc/hosts

Add the following line to your home computer's /etc/hosts file:

192.168.1.59 example.com ns04

[Screenshot: /etc/hosts open in nano with the new line added]

Type Control plus o then Enter to save the file. Then type Control plus x to close the file.

This step is not needed with a real domain name on a real VPS.

#7 Create a password for the root user
This is very important whether you have a VMM VPS or a CanHost VPS. While your VMM or CanHost VPS is running, SSH in to your VPS with home terminal. For example,

ssh username@primary-ip

Copy paste sudo passwd root

Enter your sudo user password. Then add a root password typing it twice. The terminal will reply with: password updated successfully

#8 Change SSH Config File to Permit Root Login
This is also very important whether you have a VMM VPS or a CanHost VPS. To change your ssh configuration file, copy paste:

sudo nano /etc/ssh/sshd_config

Then press Enter. Use the down arrow to scroll down to the line PermitRootLogin. Then change the value from no to yes.

Then click Control plus o, then Enter to save the file. Then Control plus x to close the file. To make the new setting take effect, restart the ssh service:

sudo systemctl restart sshd.service

Then log out of the ssh session but leave the server on by typing the word exit.
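One way to script the sshd_config change from this step so that the file is syntax-checked before sshd restarts, as an added example that is not from the original article; set_sshd_option, active_value and apply_root_login are helper names assumed here, and the sshd -t check assumes OpenSSH on the Debian 10 VPS described above.

```shell
#!/bin/sh
# Added example, not from the original article: change one sshd directive
# without leaving duplicate active copies behind, then validate the file with
# "sshd -t" before restarting so a typo cannot lock you out of the VPS.

# set_sshd_option <file> <Directive> <value>
# sshd uses the first value it reads for a directive, so the new line goes at
# the very top (outside any Match block); every other active copy is commented out.
set_sshd_option() {
    cfg=$1 key=$2 val=$3
    tmp=$(mktemp) || return 1
    printf '%s %s\n' "$key" "$val" > "$tmp"
    awk -v k="$key" '
        { t = $0; sub(/^[ \t]*/, "", t); split(t, f, /[ \t=]+/)
          if (t !~ /^#/ && tolower(f[1]) == tolower(k)) { print "#" $0 } else { print } }
    ' "$cfg" >> "$tmp" || { rm -f "$tmp"; return 1; }
    cat "$tmp" > "$cfg" && rm -f "$tmp"
}

# active_value <file> <Directive>: the value sshd would actually use
# (first uncommented occurrence, directive names compared case-insensitively).
active_value() {
    awk -v k="$2" '
        { t = $0; sub(/^[ \t]*/, "", t); split(t, f, /[ \t=]+/)
          if (t !~ /^#/ && tolower(f[1]) == tolower(k)) { print f[2]; exit } }
    ' "$1"
}

# apply_root_login <yes|no>: edit the live file, syntax-check it, and restart
# only if the check passes (systemctl is assumed, as on the Debian 10 VPS).
apply_root_login() {
    set_sshd_option /etc/ssh/sshd_config PermitRootLogin "$1" &&
    sshd -t -f /etc/ssh/sshd_config &&
    systemctl restart sshd.service
}
```

apply_root_login takes yes or no, so the same helper restores the previous setting later.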

#9 Start a VPS SSH session as root
Close the user ssh session with exit. Then close the home terminal. Then open your home computer terminal again and copy paste:

ssh root@xxx.xxx.xxx.xxx

Enter your root password. Note that the terminal prompt now says root@ns1.

#10 Install and configure Midnight Commander on your VMM or CanHost VPS

Many beginners have trouble understanding what they are doing when entering commands into the terminal. You will learn faster if you have a visual File Manager to make changes on your VPS. We will therefore install the best File Manager, called Midnight Commander (mc) on our VPS by copying and pasting the following command:

apt-get install mc

Once Midnight Commander is installed, type mc. Here is the initial interface when opening Midnight Commander on a server:

[Screenshot: Midnight Commander initial interface on the server]

Change the background to a lighter color
By default, MC comes with light letters on a dark background. However, using dark letters on a light background is both easier to read and easier to see on screen shots. Therefore the first thing you should do after installing MC is to change the background color. To do this, click Options, Appearance. The default skin is called Default. Press Enter to see more options. Click Gray, Green Purple (in a server, you would need to use the up or down arrows to select it). Then press Enter. Then press OK.


Hide the Midnight Commander Hint Line
There is a Hint Line at the bottom of the page telling you to press Control plus o to change the screen from MC to the Terminal and back again. Try this to see how it works. (Note: sometimes this command does not work. Another option is to use the File menu and click Exit. Then type mc to bring back the MC screen). You can focus more by getting rid of the Hint Line. To do this, click Options, Layout. Uncheck the Hintbar Visible box. Then click OK. Then click File Exit to close MC.

#11 Confirm Fully Qualified Domain Name
Before we install the Hestia Control Panel, we need to set up a Fully Qualified Domain Name. While in a root SSH session, edit the /etc/hosts file by typing: nano /etc/hosts

Here is what a FQDN looks like on VMM:

[Screenshot: /etc/hosts with the FQDN on a VMM VPS]

Here is what your FQDN looks like on a CanHost VPS:

[Screenshot: /etc/hosts with the FQDN on a CanHost VPS]

CanHost has correctly set up the FQDN. Press Control plus x to close this file. Then type exit to exit your SSH session. Then close the terminal.

#14 CanHost VPS Only: Add DNS Zone Records
Before we create our VPS server, we need to open Port 8083 (which is used by Hestia to log into its control panel). We also need to add several records to our website DNS Zone file with Canhost (which is both our VPS host and our website domain registrar). Log into your Canhost Account.

14.1 Open Port 8083
Submit a ticket to Canhost asking them to open port 8083 for your VPS primary IP address so you can log into your Hestia Control Panel. This only takes a few minutes.

14.2 Create Private Servers ns1 and ns2
From your Canhost account Home page, click Domains. Then select your VPS domain name and in the far right column, use the arrow to choose Manage Domain. Then click Private Name Servers.


Call the Nameserver ns1 and copy paste your CanHost VPS Primary IP address. Then click Save Changes. Then repeat for ns2.

14.3 Create and Edit A Records
Then click Manage DNS. Then DNS Manager. Then find your VPS domain name. Then click the Edit Zone pencil to see the Zone Table.


There will be about 10 records in the table. This includes 4 Canhost Name Servers and several A records. Note that all of the A records convert a name into an IP address. We need to add more records. We need an A record for ns1 and an A record for ns2. We also need a CNAME record and 2 CAA records. To add an A record, click Add Record:

[Screenshot: Add Record form]

For name, type ns1. For type, select A. A new box will appear. Copy and paste your VPS primary IP address.


Click Add Record. Then repeat the above to add an A Record for ns2.

14.4 Change CanHost IP addresses to Your Own VPS IP Addresses

Here is the top of the Canhost zone table:

[Screenshot: top of the Canhost zone table]

The ns1 and ns2 records are correct. However, the @ record on Canhost points to the Canhost server IP. We need to change this. Also change the webmail IP address to point to the VPS IP. To change an existing A record to a different A record, you first need to delete the existing A record. Then click Add new Record. Then type in the name of the record and type in your VPS primary IP address.

14.5 Change mail and www to CNAME records
CNAME records are used to point one name to a different name (for example, point www to collegeintheclouds.com). CNAME records can only be added to a subdomain that is not currently using A records. A CNAME record can only be created on a subdomain. This means the root record (example.com) cannot be a CNAME record and must always be an A record. To change an A record to a CNAME record (for www), you first need to delete the A record. Then click Add new Record.


Delete the current @ and mail A records and create new A records pointing to my VPS IP, 66.209.180.229.


14.6 Add CAA Records

As we explained earlier, CAA records are extremely important for security reasons as well as making it easier to get a free Let's Encrypt SSL certificate.

There are 6 components of a CAA record:

The type is CAA.

The name is your main website domain name. There should technically be a dot at the end of the domain name. For example, collegeintheclouds.com.

The CAA will apply to all sub-domains.

The flags are normally set for 0.

Tags control the issuance of DNS records. There are three tag levels: the issue tag, the issuewild tag, and the iodef tag. The issue tag authorizes a single certificate authority to issue an SSL certificate, other than Wildcard SSLs, for a domain name and its subdomains. The issuewild tag authorizes a single Certificate Authority to issue Wildcard SSL certificates for a domain name and its subdomains. The iodef tag provides information about any requests for invalid certificates. This can help the domain holder, as it gives communication (made via mail) about a certificate request that has failed the CAA check and helps diagnose the errors that caused the failure.

Value (CA domain name) usually appears between two parentheses, and is the domain name of the Certificate Authority you want to allow to issue SSL certificates, for example letsencrypt.org.

TTL stands for Time to Live. It's the amount of time, in seconds, that a server should keep your CAA records in its cache.

How to Create a CAA Record

Select your domain name. Click Manage DNS. Click Add Record. Click Type and select CAA. Now enter your CAA record details, Name, Flags, Tag, Value, TTL and save it.

The Let's Encrypt domain name for CAA is letsencrypt.org.

0 issue "letsencrypt.org" is the typical definition.

That allows Let's Encrypt to create non-wildcard and wildcard certificates. Create both issue and issuewild CAA records.

CAA Example
Name: collegeintheclouds.com.
Flag: 0
Tag: issue (then make a second CAA record with the tag issuewild)
Target: letsencrypt.org


After both CAA records have been added, your Records table will look like this:

[Screenshot: Records table with both CAA records added]

When you are done adding and changing records, scroll to the bottom of the page and click Save Changes. Then log out of your Canhost account and close your web browser. Note that it may take several hours for these new records to become active on the internet.

#15 Validate your CAA and DNS Records
There are many ways to validate your CAA and DNS records. Using your terminal, you can check with the dig command:

dig caa yourwebsite.com

Ping the Static IP and FQDN on your home computer.

Note: Your VPS must be running for the ping command to work. Copy paste either the IP address or the domain name:

ping -c 3 192.168.1.59

ping -c 3 ns04.example.com

You can also test online using the DNS CAA Tester online tool.


You can also test sub-domains such as ns1.collegeintheclouds.com


After installing Hestia, you can also check webmail.collegeintheclouds.com by testing your mail domain at https://ssl-tools.net/mailservers
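The CAA rules from 14.6 and the dig check above, as an added shell example that is not part of the original article: caa_allows applies the checking logic offline to a constructed dig-style answer, and caa_live runs the same check against real dig output; caa_allows, caa_live and CAA_SAMPLE are names assumed here.

```shell
#!/bin/sh
# Added example, not from the original article: evaluate CAA records in the
# text form "dig caa <name>" prints and say whether one CA may issue a normal
# ("issue") or wildcard ("issuewild") certificate. It goes beyond the article
# by applying the RFC 8659 rules: the closest ancestor holding CAA records
# decides, "issuewild" governs wildcards only when present (else "issue" covers
# both), "issue ;" forbids every CA, and no CAA records anywhere means any CA.

# Constructed sample answer section (not real DNS data).
CAA_SAMPLE='example.com.        3600 IN CAA 0 issue "letsencrypt.org"
example.com.        3600 IN CAA 0 issuewild "letsencrypt.org"
example.com.        3600 IN CAA 0 iodef "mailto:hostmaster@example.com"
shop.example.com.   3600 IN CAA 0 issue "digicert.com; validationmethods=dns-01"
locked.example.com. 3600 IN CAA 0 issue ";"'

# caa_allows <name> <ca-domain> <issue|issuewild> <records-text>: prints
# "allowed" or "denied".
caa_allows() {
    name=${1%.} ca=$2 want=$3 recs=$4
    while [ -n "$name" ]; do
        # CAA records for exactly this label (dig prints owner names with a trailing dot).
        rrset=$(printf '%s\n' "$recs" | awk -v n="$name." '$1 == n && $4 == "CAA"')
        if [ -n "$rrset" ]; then
            printf '%s\n' "$rrset" | awk -v ca="$ca" -v want="$want" '
                { tag = tolower($6); val = $7
                  gsub(/"/, "", val); sub(/;.*/, "", val)   # keep only the CA domain
                  n[tag]++; if (val == ca) ok[tag] = 1 }
                END {
                  t = want
                  if (t == "issuewild" && !n["issuewild"]) t = "issue"   # RFC 8659 fallback
                  if (!n[t]) { print "allowed" } else { print (ok[t] ? "allowed" : "denied") }
                }'
            return 0
        fi
        case $name in *.*) name=${name#*.} ;; *) name= ;; esac   # climb one label
    done
    echo allowed
}

# caa_live <name> <ca-domain> <issue|issuewild>: the same check against real DNS,
# gathering "dig +noall +answer caa" output for the name and each ancestor.
caa_live() {
    n=${1%.} all=
    while [ -n "$n" ]; do
        all="$all$(dig +noall +answer caa "$n")
"
        case $n in *.*) n=${n#*.} ;; *) n= ;; esac
    done
    caa_allows "$1" "$2" "$3" "$all"
}
```

For the article's setup, caa_live ns1.yourdomain.com letsencrypt.org issue should print allowed once the zone changes have propagated.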

#16 Install and Configure Hestia Control Panel

Open a terminal on your home computer and begin an SSH session as a root user with:

ssh root@xxx.xxx.xxx.xxx

Before we install Hestia, we should uninstall the CSF firewall installed by Canhost when they installed Debian 10. The CSF firewall is not needed with Hestia because Hestia comes with its own firewall called Fail2ban, and the CSF firewall might interfere with the Hestia firewall. To uninstall CSF, copy paste the following commands into the SSH terminal:

cd /etc/csf

This will change the folder location to the CSF folder. Then:
sh uninstall.sh

Then return to the root folder with:

cd /

We then need to update the server and install the ca-certificate package with the following command:

apt-get update && apt-get install ca-certificates

As a precaution, we will also update the Hestia signing key. First install gnupg2:

apt-get install gnupg2

Update the Hestia signing key with this command:

wget -qO - https://gpg.hestiacp.com/deb_signing.key | sudo apt-key add -

The terminal should reply OK. Then copy paste this command from the home page of hestiacp.com to download the Hestia installer:

wget https://raw.githubusercontent.com/hestiacp/hestiacp/release/install/hst-install.sh

Run the HestiaCP installation script.
Here is the default install script:

bash hst-install.sh

To install Hestia CP without ClamAV, and therefore save 1 GB of RAM, use a slightly different bash script:

bash hst-install.sh --clamav no

The above command is the normal install script followed by a single space followed by two dashes followed by clamav and another space and then the word no. Then press Enter. This screen will appear:

[Screenshot: Hestia installer prompt]

You will be prompted to answer three questions.

Do you want to continue? Type Y and press Enter.

Admin Email address? Enter your ProtonMail secure email address. Then press Enter.

Fully Qualified Domain Name? Type ns1.yourdomainname.com. Then press Enter. It will then take about 10 minutes to install Hestia on your server.


The installation will end with: Press any key to continue... But do not press a key. Instead scroll up the page and copy paste this long password into a Writer document:

Admin URL: https://ns1.collegeintheclouds.com:8083

Username: admin

Password: X0JlkBC0VtiNvfrs

Then scroll back down the page and press Enter. Then close the terminal. The server will restart. You do not need to log into the server. Instead, open a browser and copy paste the Hestia URL:

https://ns1.collegeintheclouds.com:8083

If the Hestia install program did not accept your email address, you may get this warning screen: Warning: Potential Security Risk Ahead. Click Advanced. It will note that we are using a self-signed certificate. Click Accept the Risk. The Hestia Control Panel login screen will appear:

[Screenshot: Hestia Control Panel login screen]

For username, type admin. For password, copy and paste the complex password:


Congratulations! You now know how to install a free and extremely secure VPS Control Panel.

What's Next?
In the next article, we will review how to configure Hestia and create a new user. For now, click on the arrow in the upper right corner of the screen to log out of Hestia. Then close your browser window. Then, if using VMM, turn off your VPS. Then close VMM. If using CanHost, leave your server on! We are just getting started.