First of all, THANKS for all your hard work in creating such an amazing piece of software that "just works". I had no trouble spinning up an instance on Digital Ocean and a private Ubuntu server on my own domain, but Amazon was another story, and only because I had both EC2 and VPS enabled and by default an EC2 instance gets spun up and not a VPS by your script, which then fails while applying security.
The problem, as mentioned by other users, is if we have our own domain and wish clients to access the server as https://hostname.domain.com then the invalid SSL cert warnings are a bit disconcerting for newbie users accessing it. Hoping you are able to provide instructions on how to replace the self-signed SSL certs by a user-supplied SSL cert, private key and CA cert.
Thanks again!
Any reply? Anyone?
Once Streisand is installed, you can edit the nginx config files on the server to make it use a different certificate.
Thank you for responding.
Please don't take this the wrong way, but what I'm looking for are step-by-step instructions to do it ON Streisand, not a one-line comment to go and edit nginx conf. I've googled that extensively, experimented repeatedly and had to reset the vm snapshot 20+ times. The instructions available on the Internet are for a plain vanilla nginx install and do not work on Streisand because of the way all the different components are set up and interacting - in ways that are not obvious to a non-expert Linux user like me. So... a simple bullet list will suffice with steps - go here, edit this file, change this instruction, upload your certs here, name them this and reboot. THAT would be helpful.
Users can quickly install the server's certificate to avoid warnings. I want people to think of their servers as ephemeral and easy to replace/rebuild. Giving them a permanent domain name is heading in a different direction.
Having said that, here are the steps that you're after:
cat certificate.crt chain-bundle.crt > streisand.crt
/etc/ssl/certs/streisand.crt is a solid choice for the combined certificate.
/etc/ssl/private/streisand.key is a great place to put a private key.
chown root:root /etc/ssl/private/streisand.key
chmod 640 /etc/ssl/private/streisand.key
/etc/nginx/sites-available/streisand file.
ssl_certificate /etc/ssl/certs/streisand.crt;
ssl_certificate_key /etc/ssl/private/streisand.key;
sudo service nginx restart

That should be it. Thanks for the positive feedback. I hope this helps.
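A pre-flight check for the steps in the comment above, added here as an example and not part of the original thread or of Streisand's code. It confirms that the key matches the first certificate in the combined file (which is what the `cat` order has to produce), that the certificate has not expired, and that the key is not world-readable; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: checks to run before restarting nginx with a new cert/key.
# Function names are made up for this example.

# Public key (PEM) of the FIRST certificate in a file. nginx uses the first
# certificate as the server certificate, so the leaf must precede the chain.
first_cert_pubkey() {
    openssl x509 -in "$1" -noout -pubkey 2>/dev/null
}

# Public key (PEM) derived from a private key file. The empty -passin makes
# a passphrase-protected key fail here instead of prompting.
key_pubkey() {
    openssl pkey -in "$1" -passin pass: -pubout 2>/dev/null
}

# check_pair CERT KEY: returns 0 only if every check passes.
check_pair() {
    cert=$1
    key=$2
    cert_pub=$(first_cert_pubkey "$cert")
    key_pub=$(key_pubkey "$key")

    if [ -z "$cert_pub" ] || [ -z "$key_pub" ]; then
        echo "cannot parse $cert or $key" >&2
        return 1
    fi
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "key does not match the first certificate in $cert" >&2
        return 1
    fi
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null; then
        echo "certificate in $cert has expired" >&2
        return 1
    fi
    # Mode 640 leaves no permission bits set for "other".
    if [ -n "$(find "$key" -prune -perm -004)" ]; then
        echo "$key is world-readable" >&2
        return 1
    fi
    return 0
}

# Stand-alone use: sh check.sh CERT KEY
if [ "$#" -eq 2 ]; then
    check_pair "$1" "$2"
fi
```

If the check passes, `sudo nginx -t` validates the edited configuration before `sudo service nginx restart`.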
Thank you SO much.. really appreciate the detailed help.