Squirro ships with an nginx web server. For the HTTPS connection to that server it generates self-signed SSL certificate. That certificate will trigger warnings for users and is not trusted the Squirro Toolbox either. To fix those issues, an SSL certificate should be ordered through the official channels.
Generate a Certificate Signing Request (CSR) using the openssl command line. As root execute the following commands:
openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr
The command will run through a number of questions, that you can answer as follows:
Common Name: The fully qualified domain name without protocol of the server you want to secure with the certificate (e.g. squirro.example.com)
Organization: The full name of your organisation
Organization Unit (OU): Name of your department
City or Locality: The city where your organisation is located
State or Province: The state or province of your organisation
Country: The official two-letter country code (e.g. CH, UK, US) of the organisation
server.csr file is submitted to the certificate authority as the certificate request.
Once the certificate authority is done, you will receive a SSL certificate. Once that has been received store the key as
Then you need to change the nginx configuration to use the new server SSL certificate instead of the default one. This is done by editing the file
/etc/nginx/conf.d/ssl.inc. Change the values of
ssl_certificate_key to point to the new certificate and key files:
If a passphrase is required for the certificate key, that can be stored into a separate file (readable only by the root user) and the following directive must be then added with the full path of the file:
One these changes have been saved, run the following commands to restart nginx and have the changes take affect:
systemctl reload nginx
nginx -t command validates the nginx configuration file. If the certificate has been saved incorrectly or the configuration has any errors, then the
nginx -t command will output an error.