Streisand: Custom SSL Certs

Created on 17 Apr 2016 · 5 Comments · Source: StreisandEffect/streisand

First of all, THANKS for all your hard work in creating such an amazing piece of software that "just works". I had no trouble spinning up an instance on Digital Ocean and a private Ubuntu server on my own domain, but Amazon was another story, and only because I had both EC2 and VPS enabled and by default an EC2 instance gets spun up and not a VPS by your script, which then fails while applying security.

The problem, as mentioned by other users, is if we have our own domain and wish clients to access the server as https://hostname.domain.com then the invalid SSL cert warnings are a bit disconcerting for newbie users accessing it. Hoping you are able to provide instructions on how to replace the self-signed SSL certs with a user-supplied SSL cert, private key and CA cert.

Thanks again!

All 5 comments

Any reply? Anyone?

Once Streisand is installed, you can edit the nginx config files on the server to make it use a different certificate.

Thank you for responding.

Please don't take this the wrong way, but what I'm looking for are step-by-step instructions to do it ON Streisand, not a one-line comment to go and edit nginx conf. I've googled that extensively, experimented repeatedly and had to reset the VM snapshot 20+ times. The instructions available on the Internet are for a plain vanilla nginx install and do not work on Streisand because of the way all the different components are set up and interacting - in ways that are not obvious to a non-expert Linux user like me. So... a simple bullet list will suffice with steps - go here, edit this file, change this instruction, upload your certs here, name them this and reboot. THAT would be helpful.

Users can quickly install the server's certificate to avoid warnings. I want people to think of their servers as ephemeral and easy to replace/rebuild. Giving them a permanent domain name is heading in a different direction.

Having said that, here are the steps that you're after:

  1. Ensure that your SSL certificate is in the right format.

    • Most SSL providers will give you the certificate and chain in two separate files. Unlike Apache, Nginx expects the certificate and chain bundle to be concatenated together into a single file:

      cat certificate.crt chain-bundle.crt > streisand.crt

    • The filenames will be different based on your provider.

  2. Copy the combined certificate and private key to the server.

    • /etc/ssl/certs/streisand.crt is a solid choice for the combined certificate.

    • /etc/ssl/private/streisand.key is a great place to put a private key.

  3. Ensure that the file permissions for the private key are set correctly.

    • chown root:root /etc/ssl/private/streisand.key

    • chmod 640 /etc/ssl/private/streisand.key

  4. Modify the Nginx configuration.

    • You will be modifying the /etc/nginx/sites-available/streisand file.

    • Change line 5 to read ssl_certificate /etc/ssl/certs/streisand.crt;

    • Change line 6 to read ssl_certificate_key /etc/ssl/private/streisand.key;

  5. Restart Nginx.

    • sudo service nginx restart

That should be it. Thanks for the positive feedback. I hope this helps.
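A pre-flight check for the steps in the comment above, added here as an example and not part of the original comment or of Streisand itself. It confirms that the combined file starts with the server certificate, that the certificate matches the private key, and that the key is not readable by other users; the function names are hypothetical and the default paths are the ones suggested in the steps.

```shell
#!/bin/sh
# Added example. Function names are hypothetical; default paths are the ones
# suggested in the steps above.

# Succeeds only if the FIRST certificate in the bundle carries the same public
# key as the private key. openssl x509 reads only the first PEM block, so a
# bundle concatenated chain-first fails here. Nginx also expects the server
# certificate first.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    # "-passin pass:" makes an encrypted key fail instead of prompting.
    key_pub=$(openssl pkey -in "$2" -pubout -passin pass: 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Number of certificates in the combined file (leaf plus chain).
bundle_cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Succeeds if "other" has no access to the key (0640 and 0600 both pass).
key_perms_ok() {
    other=$(ls -ld "$1" | cut -c8-10) || return 2
    [ "$other" = "---" ]
}

# Run all checks; prints one FAIL line and returns 1 on the first problem.
preflight() {
    cert=${1:-/etc/ssl/certs/streisand.crt}
    key=${2:-/etc/ssl/private/streisand.key}
    cert_matches_key "$cert" "$key" || {
        echo "FAIL: first certificate in $cert does not match $key"
        return 1
    }
    key_perms_ok "$key" || {
        echo "FAIL: $key is accessible to other users"
        return 1
    }
    [ "$(bundle_cert_count "$cert")" -ge 2 ] ||
        echo "WARN: $cert holds no chain certificates"
    echo "OK"
}

# Typical use on the server, after editing the Nginx site file:
#   preflight && sudo nginx -t && sudo service nginx restart
```

Running `nginx -t` before the restart validates the edited configuration, so a typo in the site file does not take the running server down.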

Thank you SO much.. really appreciate the detailed help.
