Using Custom SSL Certificate for cnMaestro On Premises Server with a workaround

Following KB article explains about Using Custom SSL Certificate for cnMaestro On Premises Server with a workaround until it is officially supported by the cnMaestro server itself.  This is  tried by one of the customers and he has send the steps on how to do it . please be cautious while trying with your own SSL certificate as Cambium cnMaestro does not officially support using custom certificates .

Get logged into the console of your on-premises cnMaestro, either through your VM system or via SSH.  (which IIRC you have to enable first, I believe by removing /etc/init/ssh.override then "service ssh start" but I don't remember 100%)   As far as console text editing, you're on your own... ;) If you're not familiar with linux/unix editors it can be tricky.  Personally, I can't work day to day without Midnight Commander (file manager), which includes a fullscreen editor that I usually use since it's already installed on most systems I administer - if you want to try it out install it with "sudo apt-get install mc", then 'sudo mc -e filename' will start straight in the editor opening the named file.  For many the easiest built-in editor to use is probably "nano" - menu across the bottom tells you what ctrl- keys do what.  Just use "sudo nano filename", make your changes, then ctrl-x, y, enter to exit and save.

Your own previously-sourced certificate

(for us, we have a paid wildcard certificate for our domain that I used)

Place your .crt and .key files in the /etc/nginx/ssl folder.  HOW you get them there is up to you - you can use scp or sftp, or cut/paste, or whatever approach works for you.  Now edit /etc/nginx/conf.d/default.conf and duplicate the following two lines:

ssl_certificate /etc/nginx/ssl/nginx.crt; ssl_certificate_key /etc/nginx/ssl/nginx.key;

Then comment one pair out, (# character first on line) and edit the other pair to reflect the filenames you used for your .crt and .key files, and save.

Finally, restart the web server with:

sudo service nginx restart

and you should be good to go.

Using letsencrypt.org free SSL certificates

(tested on our server as I composed this post, except for autorenewal)

Run these three commands:

sudo add-apt-repository ppa:certbot/certbot sudo apt-get update sudo apt-get install certbot python-certbot-nginx

It will pull in and install about 25 packages.

Edit (as root) the /etc/nginx/conf.d/default.conf file - change the server_name to your server's FQDN (we'll say cnm.mydomain.com for the examples)

server_name _; server_name cnm.mydomain.com;

and I recommend duplicating these two lines:

ssl_certificate /etc/nginx/ssl/nginx.crt; ssl_certificate_key /etc/nginx/ssl/nginx.key;

and then commenting one pair out.  (# character first on line) (certbot will edit these two lines in-place, this keeps the originals for reference and restoration, otherwise refer back here or try "certbot --nginx rollback" if you need to go back to the built-in certificate)  Save the changes.

Then run:

sudo certbot -nginx -d cnm.mydomain.com

and work your way through the questions.


It will remember your selections in certbot's own /etc folder, which is also where it will put the new certificate files.  The changes it automatically makes in /etc/nginx/conf.d/default.conf will end up like:

ssl_certificate /etc/letsencrypt/live/cnm.mydomain.com/fullchain.pem; # managed by Certbot ssl_certificate_key /etc/letsencrypt/live/cnm.mydomain.com/privkey.pem; # managed by Certbot

You should now have a working 90-day SSL certificate for your FQDN installed and working, test it to be sure, after restarting web server with:

sudo service nginx restart

Assuming that it works as expected, you'll need to set it up to automatically renew the certificate, which expires every 90 days.  To do this (also as root) create the file /etc/cron.daily/letsencrypt with the following content:

#!/bin/sh

/usr/bin/certbot renew --pre-hook "service nginx stop" --post-hook "service nginx start"

This will run once daily (midnight per system clock) and if the certificate needs renewed it will handle it.  Make sure the file is executable with:

chmod u+x /etc/cron.daily/letsencrypt

Enjoy, let me know if I've mistyped or misinformed here, or if renewal fails.  (I've only set up a server with a letsencrypt cert a few days ago, apache2, and the cnMaestro nginx just now, so I've never seen it renew yet)

You'll need to redo all of this after a new VM image release, and likely will need to re-edit /etc/nginx/conf.d/default.conf after even simpler package-based updates to change the system name and the cert and key files.  (in the past they've wiped that config file back to default)  But package-based updating should leave the autorenew cronjob intact, and the certificates themselves, and will certainly leave the certbot program and its config. (which remembers your settings/selections when you first requested the certificate)  It's probably a good idea to copy the default.conf file (NOT in that same folder, ideally somewhere off the VM entirely) to a backup somewhere once you get it working the first time.

Wanted to add that for the letsencrypt approach you will want to back up the certificate and key file, and the /etc/certbot config folder, before performing a full-VM update.  Then you'd need to run the three commands to install certbot again on the 'new' VM, restore the backed-up /etc/certbot and cert/key files, make the edits to the nginx config and redo the cron job.