SSL Certificates#

Introduction#

Squirro ships with an nginx web server. For the HTTPS connection to that server it generates self-signed SSL certificate. That certificate will trigger warnings for users and is not trusted the Squirro Toolbox either. To fix those issues, an SSL certificate should be ordered through the official channels.

Generate CSR#

Generate a Certificate Signing Request (CSR) using the openssl command line. As root execute the following commands:

cd /etc/nginx/ssl
openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr

Enter Details#

The command will run through a number of questions, that you can answer as follows:

  • Common Name: The fully qualified domain name without protocol of the server you want to secure with the certificate (e.g. squirro.example.com)

  • Organization: The full name of your organisation

  • Organization Unit (OU): Name of your department

  • City or Locality: The city where your organisation is located

  • State or Province: The state or province of your organisation

  • Country: The official two-letter country code (e.g. CH, UK, US) of the organisation

Submit#

The server.csr file is submitted to the certificate authority as the certificate request.

Installing Certificates#

Once the certificate authority is done, you will receive a SSL certificate. Once that has been received store the key as /etc/nginx/ssl/server.crt.

Then you need to change the nginx configuration to use the new server SSL certificate instead of the default one. This is done by editing the file /etc/nginx/conf.d/ssl.inc. Change the values of ssl_certificate and ssl_certificate_key to point to the new certificate and key files:

/etc/nginx/conf.d/ssl.inc#

ssl_certificate /etc/nginx/ssl/server.crt;
ssl_certificate_key /etc/nginx/ssl/server.key;

…

Passphrase#

If a passphrase is required for the certificate key, that can be stored into a separate file (readable only by the root user) and the following directive must be then added with the full path of the file:

/etc/nginx/conf.d/ssl.inc#

ssl_password_file /var/lib/nginx/ssl_passwords.txt;

…

Applying Changes#

One these changes have been saved, run the following commands to restart nginx and have the changes take affect:

nginx -t
systemctl reload nginx

The nginx -t command validates the nginx configuration file. If the certificate has been saved incorrectly or the configuration has any errors, then the nginx -t command will output an error.