Introduction

Squirro ships with an nginx web server. For the HTTPS connection to that server it generates a self-signed SSL certificate. That certificate will trigger warnings for users and is not trusted by the Squirro Toolbox either. To fix those issues, an SSL certificate should be ordered through the official channels.

Generate CSR

Generate a Certificate Signing Request (CSR) using the openssl command line. As root execute the following commands:

cd /etc/nginx/ssl
openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr

Enter Details

The command asks a number of questions, which you can answer as follows:

  • Common Name: The fully qualified domain name without protocol of the server you want to secure with the certificate (e.g. squirro.example.com)

  • Organization: The full name of your organisation

  • Organization Unit (OU): Name of your department

  • City or Locality: The city where your organisation is located

  • State or Province: The state or province of your organisation

  • Country: The official two-letter country code (e.g. CH, UK, US) of the organisation

Submit

The server.csr file is submitted to the certificate authority as the certificate request.

Installing Certificate

Once the certificate authority has processed the request, you will receive an SSL certificate. Store it as /etc/nginx/ssl/server.crt.

Then you need to change the nginx configuration to use the new server SSL certificate instead of the default one. This is done by editing the file /etc/nginx/conf.d/ssl.inc. Change the values of ssl_certificate and ssl_certificate_key to point to the new certificate and key files:

/etc/nginx/conf.d/ssl.inc
ssl_certificate /etc/nginx/ssl/server.crt;
ssl_certificate_key /etc/nginx/ssl/server.key;

…

Passphrase

If the certificate key requires a passphrase, store the passphrase in a separate file (readable only by the root user) and add the following directive with the full path of that file:

/etc/nginx/conf.d/ssl.inc
ssl_password_file /var/lib/nginx/ssl_passwords.txt;

…

Applying Changes

Once these changes have been saved, run the following commands to restart nginx and have the changes take effect:

nginx -t
systemctl reload nginx

The nginx -t command validates the nginx configuration file. If the certificate has been saved incorrectly or the configuration has any errors, then the nginx -t command will output an error.

This page can now be found at SSL Certificates on the Squirro Docs site.
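A pre-flight check for the steps above, as an added example that is not part of the Squirro documentation: it confirms that server.crt is a certificate, that it was issued for server.key, that it has not expired, and that the key is not readable by group or others. The function name check_cert_pair and its exit codes are hypothetical; the default paths are the ones used on this page, and the key is assumed to be unencrypted (as produced by -nodes).

```bash
# Added example, not Squirro's own tooling. check_cert_pair and its exit
# codes are hypothetical names chosen for this illustration.
check_cert_pair() (
    cert="${1:-/etc/nginx/ssl/server.crt}"
    key="${2:-/etc/nginx/ssl/server.key}"

    # 1. server.crt must parse as an X.509 certificate (not the CSR or the key).
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || {
        echo "FAIL: $cert is not a PEM certificate" >&2; exit 2; }

    # 2. server.key must parse as a private key. The empty -passin makes an
    #    encrypted key fail here instead of prompting on the terminal.
    key_pub=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null) || {
        echo "FAIL: $key is not a readable, unencrypted private key" >&2; exit 3; }

    # 3. The certificate must have been issued for this key: the public key
    #    inside the certificate has to equal the one derived from the key.
    [ "$cert_pub" = "$key_pub" ] || {
        echo "FAIL: certificate and key do not belong together" >&2; exit 4; }

    # 4. The certificate must not already be expired.
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 || {
        echo "FAIL: $cert has expired" >&2; exit 5; }

    # 5. The private key must not be readable by group or others.
    [ -z "$(find "$key" \( -perm -040 -o -perm -004 \) -print)" ] || {
        echo "FAIL: $key is readable by group or others (chmod 600)" >&2; exit 6; }

    echo "OK: $cert matches $key"
)

# Usage on the server, as root, before applying the changes:
#   check_cert_pair && nginx -t && systemctl reload nginx
```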