How To: Replacing the default certificate

June 16, 2020

Some of our users prefer to use a certificate issued by their own organization. Doing so ties the viewer into their existing chain of trust, and it is easy for Pia Software to support. We ship our product with a signed certificate from Let's Encrypt that renews itself automatically.

 

The Flow Logs Viewer runs an nginx web server on top of Ubuntu. 

 

DigitalOcean provides a great tutorial on end-to-end SSL setup, in case you want to understand the steps in more detail:

 

https://www.digitalocean.com/community/tutorials/how-to-create-a-self-signed-ssl-certificate-for-nginx-on-centos-7

 

Here are some abbreviated steps to help you modify our existing nginx installation with your own certificate:

 

Step 1:

If applicable, SCP your desired certificate onto the box:

$ scp *.pem ubuntu@<your public ip>:/tmp

 

Step 2:

SSH into the box:

$ ssh ubuntu@<your public ip>

 

Step 3:

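Move the certificate into an appropriate location and change ownership and permissions on the files you copied. /etc/ssl/certs/ also holds the system CA certificates, so apply the change to your own files only, not recursively to the whole directory (a recursive chmod 600 would make the directory untraversable for non-root processes):

$ sudo mkdir -p /etc/ssl/certs/

$ sudo mv /tmp/*.pem /etc/ssl/certs/

$ sudo chown root:root /etc/ssl/certs/<path to your certificate> /etc/ssl/certs/<path to your certificate key file>
$ sudo chmod 600 /etc/ssl/certs/<path to your certificate> /etc/ssl/certs/<path to your certificate key file>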

 

Step 4:

Modify nginx.conf to point to your new certificates, taking a backup first:

$ sudo cp /etc/nginx/nginx.conf /etc/nginx/nginx.conf.bak

$ sudo vi /etc/nginx/nginx.conf

 

Remove the following four lines:

ssl_certificate /etc/letsencrypt/live/viewer.piasoftware.net/fullchain.pem; 
ssl_certificate_key /etc/letsencrypt/live/viewer.piasoftware.net/privkey.pem; 
include /etc/letsencrypt/options-ssl-nginx.conf; 
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; 

 

If there is any confusion about ssl_certificate and ssl_certificate_key, please see the DigitalOcean link above to generate them.

 

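Add these lines and insert the path to your certificate. Each directive must end with a semicolon, otherwise the check in Step 5 will fail:

ssl_certificate /etc/ssl/certs/<path to your certificate>;

ssl_certificate_key /etc/ssl/certs/<path to your certificate key file>;

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

ssl_prefer_server_ciphers on;

ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:AES256+ECDHE';

TLSv1 and TLSv1.1 are deprecated (RFC 8996); drop them from ssl_protocols unless you have to support legacy clients. With the ssl_dhparam line removed, nginx 1.11.0 and later will not offer the EDH (DHE) suites in the cipher list, so only the ECDHE suites take effect.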

 

Save and exit vi with:

ESC + :wq

 

Step 5:

Check the configuration file for errors:

$ sudo nginx -t

 

This will check the config file for errors and give you an opportunity to fix them before restarting nginx and potentially making content unavailable.

 

Step 6:

Modify the application.rb configuration file:

$ vi /home/ubuntu/flowlogviewer/current/config/application.rb

On line 29, change config.use_bundled_cert to:

config.use_bundled_cert = true

 

Save and exit vi with: ESC + :wq

 

Step 7:
Restart nginx and flowlogsviewer:

$ sudo systemctl restart nginx

$ sudo systemctl restart flowlogviewer.target

 

Step 8:

Browse to your instance and verify the certificate setup with your browser by visiting:

https://<your public ip>
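
Before running Steps 5 and 7, it is worth confirming that the key matches the certificate, that the certificate is not close to expiry (your own certificate is not covered by the bundled Let's Encrypt renewal), and that the key file is closed to group and others. The script below is an added example, not part of Pia Software's product; the function names, the 30-day default and the throwaway example.test pair are assumptions.

```shell
#!/bin/sh
# Added example (not Pia Software's code): pre-flight checks for Steps 3-5.
# Function names, the 30-day default and example.test are assumptions.

# 0 when the private key KEY belongs to certificate CERT, 2 on parse errors.
key_matches_cert() {  # usage: key_matches_cert CERT KEY
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# 0 when CERT is still valid DAYS days from now.
cert_valid_for_days() {  # usage: cert_valid_for_days CERT DAYS
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# 0 when KEY grants no permissions to group or others (e.g. mode 600).
key_is_private() {  # usage: key_is_private KEY
    [ "$(ls -ldL "$1" 2>/dev/null | cut -c5-10)" = "------" ]
}

# Run all three checks and report every failure, not just the first.
preflight() {  # usage: preflight CERT KEY [MIN_DAYS]
    rc=0
    key_matches_cert "$1" "$2" || { echo "FAIL: key does not match certificate"; rc=1; }
    cert_valid_for_days "$1" "${3:-30}" || { echo "FAIL: certificate expires within ${3:-30} days"; rc=1; }
    key_is_private "$2" || { echo "FAIL: key file is accessible to group or others"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: continue with nginx -t"
    return "$rc"
}

# Constructed sample input: a throwaway self-signed pair DIR/NAME.pem + DIR/NAME.key.
make_demo_pair() {  # usage: make_demo_pair DIR NAME DAYS
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=example.test" \
        -days "$3" -keyout "$1/$2.key" -out "$1/$2.pem" >/dev/null 2>&1
}

# With arguments, check the given files; without, only define the functions.
if [ "$#" -ge 2 ]; then
    preflight "$@"
fi
```

Saved under a name of your choice (preflight.sh here is hypothetical), run it with sudo so it can read the root-owned key: sudo sh preflight.sh /etc/ssl/certs/<path to your certificate> /etc/ssl/certs/<path to your certificate key file>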
