
How To: Replacing the default certificate

Some of our users prefer to use a certificate generated from their own organization. It increases the chain of trust, and it is easy for Pia Software to support this. We ship our product with a signed certificate from Let's Encrypt that automatically renews itself periodically.

The Flow Logs Viewer runs an nginx web server on top of Ubuntu.

Digital Ocean provides a great tutorial on SSL Setup end-to-end in case you want to understand the steps in more detail:

Here are some abbreviated steps to help you modify our existing nginx installation with your own certificate:

Step 1:

If applicable, SCP your desired certificate onto the box:

$ scp *.pem ubuntu@<your public ip>:/tmp

Step 2:

SSH into the box:

$ ssh ubuntu@<your public ip>

Step 3:

Move the certificate into an appropriate location and change permissions on it:

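$ sudo mkdir -p /etc/ssl/certs/

$ sudo chown root:root /tmp/*.pem

$ sudo chmod 600 /tmp/*.pem

$ sudo mv /tmp/*.pem /etc/ssl/certs/

Ownership and permissions are set on the uploaded files only, because /etc/ssl/certs/ also holds the system CA certificates, which have to stay readable by non-root users.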

Step 4:

Modify nginx.conf to point to your new certificates, taking a backup first:

$ sudo cp /etc/nginx/nginx.conf /etc/nginx/nginx.conf.bak

$ sudo vi /etc/nginx/nginx.conf

remove the following four lines:

ssl_certificate /etc/letsencrypt/live/viewer.piasoftware.net/fullchain.pem;

ssl_certificate_key /etc/letsencrypt/live/viewer.piasoftware.net/privkey.pem;

include /etc/letsencrypt/options-ssl-nginx.conf;

ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

If you are unsure which files to use for ssl_certificate and ssl_certificate_key, see the Digital Ocean tutorial mentioned above, which covers generating them.

Add these lines and insert the path to your certificate:

ssl_certificate /etc/ssl/certs/<path to your certificate>;

ssl_certificate_key /etc/ssl/certs/<path to your certificate key file>;

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

ssl_prefer_server_ciphers on;

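ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:AES256+ECDHE';

TLSv1 and TLSv1.1 are deprecated (RFC 8996); unless you have to support legacy clients, list only TLSv1.2 in ssl_protocols.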

Save and exit vi with:

ESC + :wq

Step 5:

Check the configuration file for errors:

$ sudo nginx -t

This checks the config file for errors and gives you an opportunity to fix them before restarting nginx and potentially making content unavailable.

Step 6:

Modify application.rb configuration file:

$ vi /home/ubuntu/flowlogviewer/current/config/application.rb

on line 29, change config.use_bundled_cert to:

config.use_bundled_cert = true

Save and exit vi with: ESC + :wq

Step 7:

Restart nginx and flowlogsviewer:

$ sudo systemctl restart nginx

$ sudo systemctl restart flowlogviewer.target

Step 8:

Browse to your instance and verify proper certificate setup with your browser:

hit:

https://<your public ip>
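
As an added example (not part of Pia Software's instructions or code), the script below audits the result of Steps 3 and 4 for problems that `nginx -t` in Step 5 does not report: Let's Encrypt directives left active, a duplicated certificate directive, a key file accessible to group or others, and the deprecated TLSv1/TLSv1.1 protocols. The function names are hypothetical, and it assumes a single TLS server block and paths without spaces.

```bash
#!/bin/sh
# Added example, not Pia Software's code. Assumes one TLS server block and
# paths without spaces. Usage: sudo sh audit.sh /etc/nginx/nginx.conf

# Print the first argument of an uncommented directive, minus the trailing ';'.
directive() {  # directive NAME CONF
    awk -v d="$1" '$1 == d { sub(/;$/, "", $2); print $2 }' "$2"
}

# Print one line per finding; the return status is the number of findings.
audit_nginx_tls() {  # audit_nginx_tls CONF
    conf=$1; findings=0
    note() { echo "FINDING: $*"; findings=$((findings + 1)); }

    # 1. None of the four bundled Let's Encrypt lines may remain active.
    if grep -Eq '^[[:space:]]*[^#[:space:]][^#]*/etc/letsencrypt/' "$conf"; then
        note "active directive still points into /etc/letsencrypt/"
    fi

    # 2. Certificate and key must each be set exactly once and exist on disk.
    for name in ssl_certificate ssl_certificate_key; do
        path=$(directive "$name" "$conf")
        if [ "$(printf '%s\n' "$path" | grep -c .)" -ne 1 ]; then
            note "$name must be set exactly once"
        elif [ ! -f "$path" ]; then
            note "$name file not found: $path"
        fi
    done

    # 3. The private key must not be accessible to group or others (Step 3: 600).
    key=$(directive ssl_certificate_key "$conf")
    if [ -f "$key" ] && [ "$(ls -ld "$key" | cut -c5-10)" != "------" ]; then
        note "private key is accessible to group/others: $key"
    fi

    # 4. TLSv1 and TLSv1.1 are deprecated by RFC 8996.
    if awk '$1 == "ssl_protocols"' "$conf" | grep -Eq 'TLSv1(\.1)?[[:space:];]'; then
        note "ssl_protocols enables TLSv1 and/or TLSv1.1"
    fi
    return "$findings"
}

# Run the audit when a config path is given on the command line.
[ "$#" -eq 0 ] || audit_nginx_tls "$1"
```

Run it as root so the key file can be inspected; an exit status of 0 means no findings.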
