Skip to content

First login and hardening

Complete this checklist immediately after the public HTTPS endpoint is working. The installer creates one initial owner account and starts with destructive host actions disabled.

Sign in

Open:

https://control.example.com

For a standard fresh CDN installation, use:

Email: [email protected]
Password: the generated password printed by the installer

If the login page does not load, verify the local health endpoint first and then work through Reverse proxy and HTTPS.

1. Change the initial password

Go to Settings, find Change Password, and replace the generated password. New and reset passwords must:

  • contain at least 10 characters;
  • include English letters;
  • include numbers; and
  • include at least two special characters.

Use a unique password stored in a password manager.

2. Set up MFA

In Settings under Multi-Factor Auth:

  1. Select Set up MFA.
  2. Scan the QR code with an authenticator app, or enter the manual secret.
  3. Save every displayed recovery code offline.
  4. Enter the current authenticator code.
  5. Select Enable MFA.
  6. Sign out and confirm that you can sign in with both the authenticator and one recovery method.

Do not turn on the controller-wide Require MFA for login setting until at least one owner account has working MFA and its recovery codes have been stored safely. Once that policy is enabled, password-only login is blocked and MFA cannot be disabled while the policy remains active.

3. Add a passkey

Passkeys are optional, but they provide passwordless sign-in with local user verification. In Settings under Passkeys:

  1. Enter a recognizable passkey name.
  2. Enter your current password.
  3. Select Add passkey and approve the browser prompt.
  4. Sign out and test Use Passkey from the login page before treating it as a recovery path.

Register passkeys only from the final public HTTPS origin. A passkey created for one hostname cannot be used as though it belonged to another hostname.

See Security for Turnstile, the security entrance, passkey prerequisites, and account recovery guidance.

4. Confirm the public controller URL

Go to Settings and find Controller Settings. Confirm that Controller URL is:

https://control.example.com

This value is used when aseStack generates managed-agent enrollment scripts. If it is empty, aseStack infers the URL from the request and reverse-proxy headers. Saving the explicit public URL avoids producing an enrollment script with a loopback or internal hostname.

Leave the default agent token TTL at 2160h unless your rotation policy calls for a shorter lifetime. The UI displays the exact expiry for every new enrollment.

5. Verify the local managed server

The standard installer enrolls the controller host as a local managed server. Open Servers and check:

  • Server Inventory contains the local server;
  • its status becomes online after the first heartbeat;
  • Agent Readiness reports the available host preflights; and
  • Preflight can be queued and acknowledged.

If the server remains offline, check the local agent:

sudo systemctl status asestack-agent --no-pager
sudo journalctl -u asestack-agent -n 50 --no-pager
sudo /opt/asestack/bin/asestack-agent doctor

To add another host, continue to Enroll a managed server.

6. Keep guarded actions off initially

Controller and agent write paths are disabled by default. That includes guarded Docker actions, Docker exec, Nginx apply/disable/rollback, certificate issue/renew, file writes, database transfers, firewall changes, and malware scans.

Do not enable a controller-side command guard unless the corresponding managed-host action guard is also understood and the host preflight is ready. Test with a disposable workload first, confirm backups, and enable only the narrow action you need. The configuration reference lists the paired settings.

7. Check backup and update status

Confirm the local backup timer is enabled:

sudo systemctl status asestack-backup.timer --no-pager

A local backup on the same host is not a complete disaster-recovery plan. Arrange an independent off-host copy before placing important state on the controller.

Then review the running and available versions:

asestack version

See Update and CLI operations for routine service, log, repair, and update commands.

If the owner password is lost

Run the bundled recovery helper as root:

sudo /opt/asestack/deploy/reset-admin-password.sh

The helper backs up the user store, resets the configured admin owner, preserves the required ownership and mode, restarts aseStack, and prints the resulting email and password. Treat that output as sensitive, sign in, and change the password again from Settings.

Changing only ASESTACK_ADMIN_PASSWORD after the user store has been created does not overwrite an existing user's password. Use the reset helper for recovery.