roshkatetecson - Wed, 2020/04/15 - 17:32
Hi,
Just want to ask how I can renew the self-signed certificate of my Turnkey Gitlab appliance. The certificate is auto-renewed when I access it via LAN IP, but if I access it via its hostname, the certificate is already expired.
Using Let's Encrypt is not an option for us since we're only using it internally.
Hi there
Hmm, that seems weird. The default self-signed cert that is generated at firstboot should be valid for many years... Regardless, it should be easy to regenerate a new one.
We include a convenience script 'turnkey-make-ssl-cert'. Hopefully its help assists you to work out what options you might like to select:
    # turnkey-make-ssl-cert --help
    turnkey-make-ssl-cert ver. 1.3
    "Make server cert for TurnKey GNU/Linux appliance"

    Usage: turnkey-make-ssl-cert [-o|--out file] [-t|--template file] [-i|--ip] [-v|--verbose] [-f|--force-overwrite] FQDN .. [FQDN]
        Generate a certificate/key pair using the list of FQDNs.

    Usage: turnkey-make-ssl-cert [-d|--default] [-t|--template file] [-i|--ip] [-v|--verbose] [-f|--force-overwrite]
        Generate the default certificate/key pair, cert.crt, cert.key, using the hostname.

    Usage: turnkey-make-ssl-cert [-o|--out file] [-t|--template file] [-i|--ip] [-v|--verbose] [-f|--force-overwrite] [-w|--wild] domainName .. [domainName]
        Generate a wildcard certificate for the list of domains.

    Usage: turnkey-make-ssl-cert [-d|--default] [-t|--template file] [-i|--ip] [-v|--verbose] [-f|--force-overwrite] [-r|--csr] FQDN .. [FQDN]
        Generate an optional certificate signing request for the list of FQDNs.

    Usage: turnkey-make-ssl-cert [-h|--help]
        Display the help message and exit.

    Options:
        -h, --help                Display this help message and exit
        -o, --out [/path/]file    Write certificate to alternate location
        -d, --default             Generate default certificate /etc/ssl/private/cert.pem
        -e, --expiry              Set certificate expiry date default: 10y
        -r, --csr                 Generate a certificate signing request
        -w, --wild                Generate wildcard certificate
        -t, --template file       Use alternate template file default: /etc/ssl/turnkey.cnf
        -i, --ip                  Optionally include host ip addresses
        -v, --verbose             Display generated certificate
        -f, --force-overwrite     Overwrite existing certificate

    NOTE: You must be the superuser to run this script.

To just regenerate the default cert that the appliance generates on firstboot:
Help for noob needed
Hi there
You shouldn't need to do anything. The default cert generated at firstboot should already be valid for 10 years. Although if you did want to generate a new one, then this should do the trick:
If you want something other than 10 years, add '--expiry EXPIRY' - where "EXPIRY" is an integer followed by d (days), m (months) or y (years). E.g. '20d' = 20 days, '5m' = 5 months, etc. As an explicit example, to generate a new cert that would expire in 6 months:
Note that after generating a new cert, you will need to restart any services so they will load the new cert. On most appliances that will be just Apache and Webmin, but some servers have alternate services (all have Webmin). To restart Apache and Webmin:
Alternatively you could just reboot.
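Added example, not part of the thread and not TurnKey's own code: a way to confirm that a regenerated certificate file covers the hostname people actually use and is not about to expire, using only the stock openssl CLI. The function names, the hostname gitlab.example.internal and the throwaway sample certificate are constructed for illustration.

```shell
#!/bin/sh
# Added example (assumptions: openssl 1.1.1+ on PATH; all names are hypothetical).

# Succeeds if the certificate in $1 is still valid $2 days from now.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Succeeds if name $2 matches the certificate's SAN entries (CN as fallback).
cert_covers_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# Prints a short report for cert $1, name $2 and renewal window $3 (days).
# Returns 0 only if the cert covers the name and outlives the window.
check_cert() {
    rc=0
    openssl x509 -in "$1" -noout -subject -enddate
    cert_covers_host "$1" "$2" || { echo "FAIL: cert does not cover $2"; rc=1; }
    cert_valid_for "$1" 0      || { echo "FAIL: cert already expired"; rc=1; }
    cert_valid_for "$1" "$3"   || { echo "WARN: expires within $3 days"; rc=1; }
    return "$rc"
}

# Constructed sample: throwaway self-signed cert for host $2, valid $3 days,
# written to directory $1. Stands in for the appliance's real certificate.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$3" \
        -subj "/CN=$2" -addext "subjectAltName=DNS:$2" \
        -keyout "$1/sample.key" -out "$1/sample.crt" 2>/dev/null
}

# Demo: a 1-day cert passes the name check but fails a 30-day renewal window.
tmp=$(mktemp -d)
make_sample_cert "$tmp" gitlab.example.internal 1
check_cert "$tmp/sample.crt" gitlab.example.internal 30 \
    || echo "=> regenerate this cert and restart the services that load it"
rm -rf "$tmp"
```

On an appliance, point check_cert at the certificate file the web server actually loads and at the hostname used in the browser; a mismatch there would explain a cert that looks fine by IP but not by name.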
Thank you for fast reply. I