How To: Replacing the default certificate
Some of our users prefer to use a certificate issued by their own organization. It ties the Flow Logs Viewer into their existing chain of trust, and it is easy for Pia Software to support. We ship our product with a certificate signed by Let's Encrypt that renews itself automatically.
The Flow Logs Viewer runs an nginx web server on top of Ubuntu.
Digital Ocean provides a great tutorial on SSL Setup end-to-end in case you want to understand the steps in more detail:
Here are some abbreviated steps to help you modify our existing nginx installation with your own certificate:
Step 1:
If applicable, SCP your desired certificate onto the box:
$ scp *.pem ubuntu@<your public ip>:/tmp
Step 2:
SSH into the box:
$ ssh ubuntu@<your public ip>
Step 3:
Move the certificate and key into an appropriate location and restrict their permissions. Apply the ownership and mode changes to the files you copied rather than recursively to the whole directory: on Ubuntu /etc/ssl/certs/ already exists and holds the system CA store, which other programs on the box must still be able to read.
$ sudo mkdir -p /etc/ssl/certs/
$ sudo mv /tmp/*.pem /etc/ssl/certs/
$ sudo chown root:root /etc/ssl/certs/<your certificate> /etc/ssl/certs/<your certificate key file>
$ sudo chmod 600 /etc/ssl/certs/<your certificate> /etc/ssl/certs/<your certificate key file>
Step 4:
Modify nginx.conf to point to your new certificates, taking a backup first:
$ sudo cp /etc/nginx/nginx.conf /etc/nginx/nginx.conf.bak
$ sudo vi /etc/nginx/nginx.conf
Remove the following four lines:
ssl_certificate /etc/letsencrypt/live/viewer.piasoftware.net/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/viewer.piasoftware.net/privkey.pem;
include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
If there is any confusion about the ssl_certificate and ssl_certificate_key directives, please see the link to Digital Ocean above, which also covers generating them.
Add these lines, inserting the paths to your certificate and key file (each directive must end with a semicolon):
ssl_certificate /etc/ssl/certs/<path to your certificate>;
ssl_certificate_key /etc/ssl/certs/<path to your certificate key file>;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:AES256+ECDHE';
Save and exit vi with:
ESC + :wq
Step 5:
Check the configuration file for errors:
$ sudo nginx -t
This checks the config file for syntax errors and gives you an opportunity to fix them before restarting nginx and potentially making content unavailable.
Step 6:
Modify application.rb configuration file:
$ vi /home/ubuntu/flowlogviewer/current/config/application.rb
On line 29, change config.use_bundled_cert to:
config.use_bundled_cert = true
Save and exit vi with: ESC + :wq
Step 7:
Restart nginx and the Flow Logs Viewer:
$ sudo systemctl restart nginx
$ sudo systemctl restart flowlogviewer.target
Step 8:
Browse to your instance and verify proper certificate setup with your browser:
Open:
https://<your public ip>
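The checks below are an added example for this page, not part of the Pia Software documentation: they cover what a practitioner would verify between Step 4 and Step 7 (the certificate and key from Step 3 actually belong together, the certificate is not about to expire, the key file is not world-readable, and the ssl_protocols line from Step 4 does not list a deprecated protocol version), plus a command-line view of what the browser check in Step 8 shows. The sample protocol lines are constructed here; the script assumes a Linux host with the openssl CLI and GNU stat (both present on Ubuntu) and takes every path as an argument rather than hard-coding the Flow Logs Viewer layout.

```shell
#!/bin/sh
# Added example (not Pia Software code): pre-flight checks for a replacement
# certificate before `sudo nginx -t` and the restart. Assumes Linux + openssl CLI.

# 0 if the certificate and private key belong together (identical public keys), 1 otherwise.
tls_pair_matches() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# 0 if the certificate stays valid for at least $2 seconds (default 30 days), 1 if it expires sooner.
cert_not_expiring() {
  openssl x509 -in "$1" -noout -checkend "${2:-2592000}" >/dev/null 2>&1
}

# 0 if the key file is readable by its owner only (mode 600 or 400), 1 otherwise.
key_mode_ok() {
  mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
  case "$mode" in
    600|400) return 0 ;;
    *) return 1 ;;
  esac
}

# 0 unless an ssl_protocols directive in the file lists SSLv3, TLSv1 or TLSv1.1,
# all of which are deprecated (RFC 7568, RFC 8996). A missing directive is not flagged.
protocols_modern() {
  ! grep -E '^[[:space:]]*ssl_protocols[[:space:]]' "$1" 2>/dev/null \
    | grep -Eq '(SSLv3|TLSv1|TLSv1\.1)([[:space:]]|;|$)'
}

# Constructed samples: the protocol line Step 4 adds, and a replacement that keeps
# only TLS 1.2 and 1.3 (TLSv1.3 requires nginx built against OpenSSL 1.1.1 or newer).
WEAK_TLS_SNIPPET='ssl_protocols TLSv1 TLSv1.1 TLSv1.2;'
HARDENED_TLS_SNIPPET='ssl_protocols TLSv1.2 TLSv1.3;'

# Run one named check; print PASS/FAIL; pass the check's exit status through.
run_check() {
  label="$1"; shift
  if "$@"; then echo "PASS: $label"; else echo "FAIL: $label"; return 1; fi
}

# check_tls_setup CERT KEY NGINX_CONF: 0 if every check passes, 1 if any fails.
check_tls_setup() {
  failed=0
  run_check "certificate and key match"      tls_pair_matches "$1" "$2" || failed=1
  run_check "certificate valid for 30+ days" cert_not_expiring "$1"     || failed=1
  run_check "key file mode is 600/400"       key_mode_ok "$2"           || failed=1
  run_check "no deprecated TLS versions"     protocols_modern "$3"      || failed=1
  return $failed
}

# For Step 8: print the subject, issuer and validity dates of the certificate the
# server actually serves, as a browser would see it. Pass the hostname on the
# certificate (not the IP) so SNI is meaningful. Needs network; not run by the tests.
show_served_cert() {
  echo | openssl s_client -connect "$1:${2:-443}" -servername "$1" 2>/dev/null \
    | openssl x509 -noout -subject -issuer -dates
}
```

Run `check_tls_setup /etc/ssl/certs/<your certificate> /etc/ssl/certs/<your certificate key file> /etc/nginx/nginx.conf` after editing nginx.conf; a FAIL on the pair check is the usual cause of nginx refusing to start after Step 7, and a FAIL on the protocol check means the ssl_protocols line still enables TLS 1.0 or 1.1.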