Jeff Wilson
Hi, are there any docs that I can follow that will help me replace the reverse proxy nginx self signed cert in an app appliance like (the new) mattermost? I've looked and I can't find anything. Any helpful direction would be very appreciated! Thanks!
Jeremy Davis

First up, it's probably worth being aware that TurnKey is based on Debian, so often instructions that apply to Debian should apply to TurnKey as well. However, in the case of SSL certs that's not quite the case as we do tweak things a bit there.

The default certificate that all SSL TurnKey services use (e.g. webservers, Webshell & Webmin) can be found at /etc/ssl/private/cert.pem (and the key at /etc/ssl/private/cert.key). They are put together in a very specific way so that they work with all the different services that may use the same certs.

If you wish to use free Let's Encrypt certificates, then Confconsole has a Let's Encrypt plugin that can do that for you. That will replace the default certs that I noted above and the same cert should work with all HTTPS endpoints on your server. Note that it will only work if your domain already resolves to your server IP and port 80 is publicly accessible. It's perhaps also worth noting that this should "just work" in v16.0+ appliances, but older v15.x appliances have a number of issues. There are fixes for the issues, but you are advised to use the v16.0 appliance if possible.

Alternatively, if you have a third party cert that you'd like to use, so long as they are the correct format and you put them together the same as the default ones, you can replace those and all the services should leverage the updated cert and SSL should "just work" without browser warnings.

However, if you have third party certs and are in a rush and just want to replace the certificate (and key) for Nginx then that's possible too. You can put your third party certificates wherever you want (although /etc/ssl/private is a good place IMO) and then update the paths in /etc/nginx/include/ssl. By default they are:

ssl_certificate      /etc/ssl/private/cert.pem;
ssl_certificate_key  /etc/ssl/private/cert.key;

I hope that helps...
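
A pre-flight check for the Nginx-only route described in the reply above, as an added example that is not part of the original post or TurnKey's own tooling: it confirms that a third party certificate and key belong together and that the certificate is not about to expire before the paths in /etc/nginx/include/ssl are changed. The function names `check_cert_pair` and `make_sample_pair` are hypothetical, and the `example.test` pair is constructed throwaway test data.

```shell
#!/bin/sh
# Added example: validate a cert/key pair before pointing
# ssl_certificate / ssl_certificate_key at it.

# check_cert_pair CERT KEY [MIN_SECONDS_LEFT]
# Returns 0 only if both files parse, the certificate's public key equals the
# private key's public key, and the certificate stays valid for at least
# MIN_SECONDS_LEFT more seconds (default: one day).
check_cert_pair() {
    cert=$1; key=$2; min_left=${3:-86400}
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || {
        echo "cannot parse certificate: $cert" >&2; return 2; }
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || {
        echo "cannot parse private key: $key" >&2; return 2; }
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "certificate and key do not match" >&2; return 1
    fi
    if ! openssl x509 -in "$cert" -noout -checkend "$min_left" >/dev/null; then
        echo "certificate expires within $min_left seconds" >&2; return 1
    fi
    return 0
}

# make_sample_pair PREFIX
# Writes PREFIX.pem and PREFIX.key: a constructed, self-signed pair for testing.
make_sample_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=example.test" \
        -keyout "$1.key" -out "$1.pem" >/dev/null 2>&1
}

# Optional demonstration: run the script with --demo.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_sample_pair "$tmp/a"
    make_sample_pair "$tmp/b"
    check_cert_pair "$tmp/a.pem" "$tmp/a.key" && echo "a.pem + a.key: OK"
    check_cert_pair "$tmp/a.pem" "$tmp/b.key" || echo "a.pem + b.key: rejected"
    rm -rf "$tmp"
fi
```

Once the pair passes and the paths are updated, `nginx -t` checks the configuration before Nginx is reloaded.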
