on-premises real SSL certificate

I've previously complained that new updates forced me to rediscover how I'd customized the SSL certificate for our on-premises cnMaestro.   And I posted an 'Ideas' suggestion to allow us an easy way to add our own signed certificates.  But until user leisser asked today in a comment on the ideas post, I hadn't posted what I did, nor considered using letsencrypt.org's handy free certificate system.  Let's address both.

For either approach, the first step is the same:  Get logged into the console of your on-premises cnMaestro, either through your VM system or via SSH.  (which IIRC you have to enable first, I believe by removing /etc/init/ssh.override then "service ssh start" but I don't remember 100%)   As far as console text editing, you're on your own... ;) If you're not familiar with linux/unix editors it can be tricky.  Personally, I can't work day to day without Midnight Commander (file manager), which includes a fullscreen editor that I usually use since it's already installed on most systems I administer - if you want to try it out install it with "sudo apt-get install mc", then 'sudo mc -e filename' will start straight in the editor opening the named file.  For many the easiest built-in editor to use is probably "nano" - menu across the bottom tells you what ctrl- keys do what.  Just use "sudo nano filename", make your changes, then ctrl-x, y, enter to exit and save.

Your own previously-sourced certificate

(for us, we have a paid wildcard certificate for our domain that I used)

Place your .crt and .key files in the /etc/nginx/ssl folder.  HOW you get them there is up to you - you can use scp or sftp, or cut/paste, or whatever approach works for you.  Now edit /etc/nginx/conf.d/default.conf and duplicate the following two lines:

ssl_certificate /etc/nginx/ssl/nginx.crt;
ssl_certificate_key /etc/nginx/ssl/nginx.key;

Then comment one pair out (# character first on the line), edit the other pair to reflect the filenames you used for your .crt and .key files, and save.

Finally, restart the web server with:

sudo service nginx restart

and you should be good to go.

Using letsencrypt.org free SSL certificates

(tested on our server as I composed this post, except for autorenewal)

Run these three commands:

sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install certbot python-certbot-nginx

It will pull in and install about 25 packages.

Edit (as root) the /etc/nginx/conf.d/default.conf file - change the server_name to your server's FQDN (we'll say cnm.mydomain.com for the examples), i.e. change

server_name _;

to

server_name cnm.mydomain.com;

and I recommend duplicating these two lines:

ssl_certificate /etc/nginx/ssl/nginx.crt;
ssl_certificate_key /etc/nginx/ssl/nginx.key;

and then commenting one pair out (# character first on the line). Certbot will edit these two lines in-place; this keeps the originals for reference and restoration, otherwise refer back here or try "certbot --nginx rollback" if you need to go back to the built-in certificate. Save the changes.

Then run: (edited to correct '--nginx' instead of '-nginx')

sudo certbot --nginx -d cnm.mydomain.com

and work your way through the questions.


It will remember your selections in certbot's own /etc folder, which is also where it will put the new certificate files.  The changes it automatically makes in /etc/nginx/conf.d/default.conf will end up like:

ssl_certificate /etc/letsencrypt/live/cnm.mydomain.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/cnm.mydomain.com/privkey.pem; # managed by Certbot

You should now have a working 90-day SSL certificate for your FQDN installed; test it to be sure after restarting the web server with:

sudo service nginx restart

Assuming that it works as expected, you'll need to set it up to automatically renew the certificate, which expires every 90 days.  To do this (also as root) create the file /etc/cron.daily/letsencrypt with the following content:

#!/bin/sh

/usr/bin/certbot renew --pre-hook "service nginx stop" --post-hook "service nginx start"

This will run once daily (midnight per system clock) and if the certificate needs renewing it will handle it.  Make sure the file is executable with:

chmod u+x /etc/cron.daily/letsencrypt

Enjoy, let me know if I've mistyped or misinformed here, or if renewal fails.  (I've only set up a server with a letsencrypt cert a few days ago, apache2, and the cnMaestro nginx just now, so I've never seen it renew yet)

You'll need to redo all of this after a new VM image release, and likely will need to re-edit /etc/nginx/conf.d/default.conf after even simpler package-based updates to change the system name and the cert and key files.  (in the past they've wiped that config file back to default)  But package-based updating should leave the autorenew cronjob intact, and the certificates themselves, and will certainly leave the certbot program and its config. (which remembers your settings/selections when you first requested the certificate)  It's probably a good idea to copy the default.conf file (NOT in that same folder, ideally somewhere off the VM entirely) to a backup somewhere once you get it working the first time.

j

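Added example (not from the post above or from Cambium): a small Python check you can run after the nginx restart to confirm the certificate the server actually presents covers the FQDN (including a wildcard cert like the one described) and how many days remain before it expires. The host name cnm.mydomain.com is the post's placeholder; RENEW_WARN_DAYS is an assumed threshold matching certbot's default of renewing with 30 days left.

```python
"""Post-install check for the cnMaestro nginx certificate: does the served
certificate cover the FQDN, and is it close to (or past) its 90-day expiry?"""
import socket
import ssl
from datetime import datetime, timezone

# Let's Encrypt certs live 90 days and certbot renews when fewer than 30
# remain, so a live cert under this threshold suggests the cron job is not
# doing its work (assumed threshold, not a value from the post).
RENEW_WARN_DAYS = 30


def san_matches(fqdn: str, pattern: str) -> bool:
    """Host-name match as browsers do it: '*' covers exactly one label, leftmost only."""
    fqdn, pattern = fqdn.lower().rstrip("."), pattern.lower().rstrip(".")
    if pattern == fqdn:
        return True
    if not pattern.startswith("*."):
        return False
    host_labels, pat_labels = fqdn.split("."), pattern.split(".")
    return len(host_labels) == len(pat_labels) and host_labels[1:] == pat_labels[1:]


def cert_names(cert: dict) -> list:
    """Names the cert is valid for: DNS SANs, falling back to the subject CN."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return names


def check_cert(cert: dict, fqdn: str, now: datetime) -> dict:
    """Evaluate a certificate (ssl.getpeercert() dict form) against the expected FQDN."""
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    days_left = (not_after - now).days
    covers = any(san_matches(fqdn, name) for name in cert_names(cert))
    return {"covers_fqdn": covers, "days_left": days_left,
            "ok": covers and days_left > 0,
            "renew_soon": 0 < days_left <= RENEW_WARN_DAYS}


def fetch_cert(host: str, port: int = 443) -> dict:
    """Fetch the cert the server presents. The chain is still verified against the
    system CA store; only the host-name check is deferred to check_cert so a
    mismatch is reported as a finding instead of raising."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "cnm.mydomain.com"  # post's placeholder FQDN
    print(check_cert(fetch_cert(host), host, datetime.now(timezone.utc)))
```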

Wanted to add that for the letsencrypt approach you will want to back up the certificate and key file, and the /etc/certbot config folder, before performing a full-VM update.  Then you'd need to run the three commands to install certbot again on the 'new' VM, restore the backed-up /etc/certbot and cert/key files, make the edits to the nginx config and redo the cron job.

j

Hi

I have a couple of open tickets with Cambium support, but nothing cleared yet regarding ssl cert using lets encrypt.

Hope I will get some answers soon

Leisser

I noticed the first time I fired up 1.6 on-premises that it isn't happy with the certbot/LetsEncrypt certificate being installed.  SSL works correctly, but the cnMaestro webUI page to View certificate gives an error.  ("Error    An error has occurred during loading server certificate.")  At the very least it should be capable of recognizing that a valid certificate has already been installed, even if it doesn't overtly support LetsEncrypt.  (Ideally, I'd like to see the ability to run certbot from the webUI and have it auto-renew instead of needing to edit nginx config, install certbot, manually run the first time, then manually set up auto-renewal)

j

Has anyone managed to get this working?

I can't get LetsEncrypt to issue a certificate because it's not publicly accessible. (It's a wifi login portal...)

I notice the latest version of cnMaestro seems to support custom SSL certs, but no options for LetsEncrypt, also it doesn't include the country in the CSR, so, well, it doesn't actually work.

Wonderful guide.  Worked flawlessly and all of the steps were perfect!

Letsencrypt worked out of the box for me with zero issue.