1. At the virtual cloud network (VCN) level, I added the following ingress rules in the Oracle Cloud dashboard to allow all TCP and UDP traffic. Rules this broad leave the host firewall on the instance (step 14) as the only filter between the internet and whatever ports the services end up listening on.

    <aside> ℹ️

    Added rules

    (screenshots of the ingress rules, not reproduced here)

    </aside>

  2. After logging in to the VPS over SSH, I started by updating and upgrading the installed packages.

    sudo apt update
    sudo apt upgrade -y
    
  3. Ran the project's quick installation script. Piping a remote script straight into `sudo bash` runs whatever the URL happens to serve as root; downloading it to a file and reading it before running it is the safer habit.

    sudo bash -c "$(curl -sL https://github.com/Gozargah/Marzban-scripts/raw/master/marzban.sh)" @ install
    
  4. Created a sudo (administrator) user for the web panel with the Marzban CLI, which is the recommended way rather than the hard-coded SUDO_USERNAME/SUDO_PASSWORD variables in the .env.

    marzban cli admin create --sudo
    
  5. To obtain a TLS certificate, I followed the guide at https://gozargah.github.io/marzban/en/examples/issue-ssl-certificate

    <aside> ℹ️

    Since the page "How to generate SSL" is only available in Persian, I had to use the TWP - Translate Web Pages extension for Firefox to translate it to English in real time.

    (screenshot of the translated page, not reproduced here)

    </aside>

  6. Installed acme.sh, registering an account e-mail address.

    curl https://get.acme.sh | sh -s email=[email protected]
    
  7. To obtain the certificate in standalone mode (an HTTP-01 challenge, for which the CA must be able to reach the host on port 80), I executed the following commands.

    export DOMAIN=us1.mousepotato.net
    
    mkdir -p /var/lib/marzban/certs
    
    ~/.acme.sh/acme.sh \
      --issue --force --standalone -d "$DOMAIN" \
      --fullchain-file "/var/lib/marzban/certs/$DOMAIN.cer" \
      --key-file "/var/lib/marzban/certs/$DOMAIN.cer.key"
    

    It didn't work. The order never left the Pending state, and acme.sh stopped retrying when ZeroSSL answered with a Retry-After of 86400 seconds (larger than the 600 it is willing to wait). A likely reason is that the CA could not reach port 80 on the host: at this point the instance's own firewall had not yet been adjusted (see step 14). The "kill: No such process" line is only acme.sh cleaning up its standalone listener. The full output:

    [Wed Apr 23 13:09:54 UTC 2025] Using CA: https://acme.zerossl.com/v2/DV90
    [Wed Apr 23 13:09:54 UTC 2025] Standalone mode.
    [Wed Apr 23 13:09:54 UTC 2025] Account key creation OK.
    [Wed Apr 23 13:09:55 UTC 2025] No EAB credentials found for ZeroSSL, let's obtain them
    [Wed Apr 23 13:09:56 UTC 2025] Registering account: https://acme.zerossl.com/v2/DV90
    [Wed Apr 23 13:09:58 UTC 2025] Registered
    [Wed Apr 23 13:09:59 UTC 2025] ACCOUNT_THUMBPRINT='NEVktLq8b48kW0HYJB4CE1jHJm4S7VbWKuSgOwZVv1Y'
    [Wed Apr 23 13:09:59 UTC 2025] Creating domain key
    [Wed Apr 23 13:09:59 UTC 2025] The domain key is here: /home/menukaonline/.acme.sh/us1.mousepotato.net_ecc/us1.mousepotato.net.key
    [Wed Apr 23 13:09:59 UTC 2025] Single domain='us1.mousepotato.net'
    [Wed Apr 23 13:10:05 UTC 2025] Getting webroot for domain='us1.mousepotato.net'
    [Wed Apr 23 13:10:06 UTC 2025] Verifying: us1.mousepotato.net
    [Wed Apr 23 13:10:06 UTC 2025] Standalone mode server
    [Wed Apr 23 13:10:09 UTC 2025] Processing. The CA is processing your order, please wait. (1/30)
    [Wed Apr 23 13:10:19 UTC 2025] Pending. The CA is processing your order, please wait. (2/30)
    [Wed Apr 23 13:10:31 UTC 2025] Pending. The CA is processing your order, please wait. (3/30)
    [Wed Apr 23 13:10:42 UTC 2025] Pending. The CA is processing your order, please wait. (4/30)
    [Wed Apr 23 13:10:53 UTC 2025] Pending. The CA is processing your order, please wait. (5/30)
    [Wed Apr 23 13:11:04 UTC 2025] Pending. The CA is processing your order, please wait. (6/30)
    [Wed Apr 23 13:11:15 UTC 2025] Pending. The CA is processing your order, please wait. (7/30)
    [Wed Apr 23 13:11:27 UTC 2025] Pending. The CA is processing your order, please wait. (8/30)
    [Wed Apr 23 13:11:37 UTC 2025] Pending. The CA is processing your order, please wait. (9/30)
    [Wed Apr 23 13:11:48 UTC 2025] Pending. The CA is processing your order, please wait. (10/30)
    [Wed Apr 23 13:11:59 UTC 2025] Pending. The CA is processing your order, please wait. (11/30)
    [Wed Apr 23 13:12:05 UTC 2025] The retryafter=86400 value is too large (> 600), will not retry anymore.
    /home/menukaonline/.acme.sh/acme.sh: line 2579: kill: (6818) - No such process
    [Wed Apr 23 13:12:05 UTC 2025] Please add '--debug' or '--log' to see more information.
    [Wed Apr 23 13:12:05 UTC 2025] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh
    
  8. Since issuing the certificate directly with acme.sh in standalone mode failed, I continued with the guide's next method, "Get a domain certificate registered on Cloudflare", which uses a DNS-01 challenge and so does not need any port on the host to be reachable. acme.sh was already installed, so I continued with the following command. Manual DNS mode is fine for a one-off, but it cannot renew unattended because the TXT value changes with every order; acme.sh's dns_cf hook with a Cloudflare API token performs the same challenge automatically.

    ~/.acme.sh/acme.sh --issue -d us1.mousepotato.net --dns \
     --yes-I-know-dns-manual-mode-enough-go-ahead-please
    

    It printed the following TXT record, which has to be added for the domain at Cloudflare.

    [Wed Apr 23 13:15:15 UTC 2025] Using CA: https://acme.zerossl.com/v2/DV90
    [Wed Apr 23 13:15:15 UTC 2025] Single domain='us1.mousepotato.net'
    [Wed Apr 23 13:15:23 UTC 2025] Getting webroot for domain='us1.mousepotato.net'
    [Wed Apr 23 13:15:24 UTC 2025] Add the following TXT record:
    [Wed Apr 23 13:15:24 UTC 2025] Domain: '_acme-challenge.us1.mousepotato.net'
    [Wed Apr 23 13:15:24 UTC 2025] TXT value: 'zv0Ok6Q9oZZG9T79MhNksPYvnrQrtrKaf_SmBp2G0R4'
    [Wed Apr 23 13:15:24 UTC 2025] Please make sure to prepend '_acme-challenge.' to your domain
    [Wed Apr 23 13:15:24 UTC 2025] so that the resulting subdomain is: _acme-challenge.us1.mousepotato.net
    [Wed Apr 23 13:15:24 UTC 2025] Please add the TXT records to the domains, and re-run with --renew.
    [Wed Apr 23 13:15:24 UTC 2025] Please add '--debug' or '--log' to see more information.
    [Wed Apr 23 13:15:24 UTC 2025] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh
    
  9. I added the TXT record at Cloudflare and, once it had propagated, continued with the following command.

    ~/.acme.sh/acme.sh --renew -d us1.mousepotato.net \
      --yes-I-know-dns-manual-mode-enough-go-ahead-please
    

    It worked, and the certificate files were stored at the paths below.

    [Wed Apr 23 13:18:52 UTC 2025] Your cert is in: /home/menukaonline/.acme.sh/us1.mousepotato.net_ecc/us1.mousepotato.net.cer
    [Wed Apr 23 13:18:52 UTC 2025] Your cert key is in: /home/menukaonline/.acme.sh/us1.mousepotato.net_ecc/us1.mousepotato.net.key
    [Wed Apr 23 13:18:52 UTC 2025] The intermediate CA cert is in: /home/menukaonline/.acme.sh/us1.mousepotato.net_ecc/ca.cer
    [Wed Apr 23 13:18:52 UTC 2025] And the full-chain cert is in: /home/menukaonline/.acme.sh/us1.mousepotato.net_ecc/fullchain.cer
    
  10. I copied the full-chain file fullchain.cer and the key file us1.mousepotato.net.key to /var/lib/marzban/certs, because that is the location the .env uses for the SSL files. Two things to keep in mind: the private key should be readable by root only (the panel runs as root inside its container, so nothing else needs it), and because these are copies, a renewal by acme.sh lands in ~/.acme.sh/us1.mousepotato.net_ecc/ and does not update them. Either recopy the files after each renewal, or let acme.sh do it with its --install-cert option, passing --fullchain-file, --key-file and a --reloadcmd that restarts Marzban.

    menukaonline@zoe:~$ ls /var/lib/marzban/certs/
    fullchain.cer  us1.mousepotato.net.key
    
  11. Next I referred to the "Enabling SSL with Uvicorn" section of the page Enabling SSL in Marzban. It is also in Persian, so I used the translation extension again to read it in English.

  12. I opened the .env file in /opt/marzban/ with the nano editor and changed the lines below, keeping the original values of the modified lines as comments.

    UVICORN_HOST = "0.0.0.0"
    # UVICORN_PORT = 8000
    UVICORN_PORT = 443
    # ALLOWED_ORIGINS=http://localhost,http://localhost:8000,http://example.com
    
    ## We highly recommend adding the admin with the `marzban cli` tool and not using
    ## the following variables, which are hard-coded information.
    # SUDO_USERNAME = "admin"
    # SUDO_PASSWORD = "admin"
    
    # UVICORN_UDS: "/run/marzban.socket"
    # UVICORN_SSL_CERTFILE = "/var/lib/marzban/certs/example.com/fullchain.pem"
    UVICORN_SSL_CERTFILE = "/var/lib/marzban/certs/fullchain.cer"
    # UVICORN_SSL_KEYFILE = "/var/lib/marzban/certs/example.com/key.pem"
    UVICORN_SSL_KEYFILE = "/var/lib/marzban/certs/us1.mousepotato.net.key"
    # UVICORN_SSL_CA_TYPE = "public"
    
    # DASHBOARD_PATH = "/dashboard/"
    
    XRAY_JSON = "/var/lib/marzban/xray_config.json"
    # XRAY_SUBSCRIPTION_URL_PREFIX = "https://example.com"
    XRAY_SUBSCRIPTION_URL_PREFIX = "https://us1.mousepotato.net"
    
  13. After saving the edits, I restarted the Marzban instance with the following command.

    sudo marzban restart
    
  14. Next, adjusted the firewall rules. (Not sure I did it correctly.) What the commands below do is remove the host firewall altogether: the Oracle-provided Ubuntu image ships iptables rules, persisted by netfilter-persistent, that reject everything except SSH, and these commands set every policy to ACCEPT, flush the rules, and purge the package that would restore them on boot. Combined with the VCN rules from step 1, which admit all TCP and UDP from any source, this leaves every listening service on the instance reachable from the internet. The narrower alternative is to keep the default-deny policy and open only SSH, 443 for the panel, and the Xray inbound ports.

    sudo -i
    iptables -P INPUT ACCEPT
    iptables -P FORWARD ACCEPT
    iptables -P OUTPUT ACCEPT
    iptables -F
    apt purge netfilter-persistent
    
  15. Next, restarted the VPS for changes to take effect.

    reboot
    
  16. Now the web panel can be accessed via https://us1.mousepotato.net/dashboard/login/
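
Instead of flushing the host firewall and purging netfilter-persistent as in step 14, the following script generates the iptables commands for a default-deny INPUT chain that opens only the ports the instance actually needs. This is an added example, not part of the original notes and not from Marzban, acme.sh or Oracle Cloud; the port list is an assumption (22 for SSH, 443 for the panel as set by UVICORN_PORT in the .env, and 2053/udp standing in for whatever Xray inbound ports are configured in xray_config.json). Only the INPUT chain is touched, so Docker's own FORWARD rules are left alone, and the DROP policy is set last so an SSH session cannot be cut off half-way through.

```shell
#!/bin/sh
# Added example (not from the original notes, Marzban, acme.sh or Oracle Cloud).
# gen_rules PORT[/tcp|/udp]... prints the iptables commands for a host firewall
# that keeps a default-deny INPUT policy and opens only the listed ports.
# The ports passed in the usage line are assumptions: 22 (SSH), 443 (panel,
# UVICORN_PORT in the .env) and 2053/udp as a placeholder for an Xray inbound.

gen_rules() {
    # Validate every argument before printing anything, so a typo cannot
    # produce a half-applied ruleset.
    for arg in "$@"; do
        case "$arg" in
            */*) port=${arg%/*}; proto=${arg#*/} ;;
            *)   port=$arg;      proto=tcp ;;
        esac
        case "$port" in
            ''|*[!0-9]*) echo "invalid port: $arg" >&2; return 1 ;;
        esac
        if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
            echo "port out of range: $arg" >&2; return 1
        fi
        case "$proto" in
            tcp|udp) ;;
            *) echo "protocol must be tcp or udp: $arg" >&2; return 1 ;;
        esac
    done

    # Flush INPUT while its policy is still ACCEPT so the SSH session survives.
    echo "iptables -P INPUT ACCEPT"
    echo "iptables -F INPUT"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A INPUT -p icmp -j ACCEPT"
    for arg in "$@"; do
        case "$arg" in
            */*) port=${arg%/*}; proto=${arg#*/} ;;
            *)   port=$arg;      proto=tcp ;;
        esac
        echo "iptables -A INPUT -p $proto --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Default-deny goes last, after every allow rule is in place, then the
    # ruleset is persisted so it survives the reboot in step 15.
    echo "iptables -P INPUT DROP"
    echo "netfilter-persistent save"
}

# Usage (as root): review the generated commands, then run them.
#   gen_rules 22 443 2053/udp > /tmp/fw.sh && sh /tmp/fw.sh
```

The generated commands are written to a file rather than executed directly so they can be read before they are applied; the SSH allow rule is emitted before the DROP policy for the same reason.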