Adding Certificates to HTTPS

Administrators can add their own certificate to GroundWork Monitor 8.0.0 by placing it in the revproxy container and restarting nginx. This is done through the docker_cmd.sh entry point for the system, so there's no need to go digging about in the containers for the right path.

As certificates are keyed to a specific hostname (normally a fully-qualified domain name or FQDN), the name of the server has to match that of the generated certificate. That is, if you generated the certificate for the "common name" of "groundwork.example.com", then you have to change the name of the server to "groundwork.example.com", at least insofar as the response it gives when contacted. This can be done either separately or when loading a certificate.

Changing the server name

To just change the name, you can do so with the following steps:

  1. Access the command line on your GroundWork server and change to the gw8 directory: 

    cd gw8
  2. Issue the following commands, substituting the name of your system for the example name here:

    TAG=$(grep '^TAG=' .env | sed 's/^TAG=//')
    docker run --rm -t \
        -v /var/run/docker.sock:/var/run/docker.sock \
        --name gw8 groundworkdevelopment/gw8:${TAG} \
        /src/docker_cmd.sh setServerName groundwork.example.com
  3. Restart the nginx process with the following command:

    docker-compose exec revproxy bash -c "/etc/init.d/nginx reload; nginx -t"

Load certificates    

To change the name AND load a certificate at the same time, follow the steps below. 

Prerequisites

You need the certificate key file, the certificate file, and any intermediate certificate files. You also need to know the precise common name you generated it for (unless you are using a wildcard cert, which is more forgiving). 

For example, if your key file is called "server.key", your cert file "server.crt" and your intermediate cert "intermediate.pem", you can follow these steps:

  1. Transfer the certificate key and files to the server and place them in the gw8 directory.
  2. Access the command line on your GroundWork server and change to the gw8 directory: 

    cd gw8
  3. Issue the following commands, substituting in the names of your server and cert files for the examples provided:

    TAG=$(grep '^TAG=' .env | sed 's/^TAG=//')
    docker run --rm -t \
        -v ${PWD}:/mnt \
        -v /var/run/docker.sock:/var/run/docker.sock \
        --name gw8 groundworkdevelopment/gw8:${TAG} \
        /src/docker_cmd.sh loadCertificates groundwork.example.com \
        server.key server.crt intermediate.pem
  4. Restart the nginx process with the following command:

    docker-compose exec revproxy bash -c "/etc/init.d/nginx reload; nginx -t"
  5. Delete at least the key file from the server disk:

    rm server.key

Best practice would be to keep all the certificates and key files in an encrypted offline vault, and only temporarily transfer them around like this.

When you specify the cert names, don't include any path information. The command will look in the current directory for the files and pull them from there. If you see errors relating to the cert files not being found, this is most likely the cause. 
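A pre-flight check for the files you are about to pass to loadCertificates, as an added example that is not part of the GroundWork documentation or of docker_cmd.sh. The function name check_cert_bundle and its return codes are hypothetical, and it assumes OpenSSL 1.1.1 or later on the host and an unencrypted key file.

```bash
# Added example: check_cert_bundle is a hypothetical helper, not part of
# docker_cmd.sh. Run it in the gw8 directory before loadCertificates.
# Usage: check_cert_bundle <server-name> <key> <cert> [intermediate]
# Returns 0 when every check passes, otherwise the failed check's code.
check_cert_bundle() {
    local name="$1" key="$2" cert="$3" chain="${4:-}"
    local f cert_pub key_pub

    # Code 2: bare file names only, readable in the current directory.
    for f in "$key" "$cert" ${chain:+"$chain"}; do
        case $f in
            */*) echo "FAIL: give a file name, not a path: $f" >&2; return 2 ;;
        esac
        [ -r "$f" ] || { echo "FAIL: $f not found in $PWD" >&2; return 2; }
    done

    # Code 3: the private key must be the one the certificate was issued
    # for, so the public key derived from each must be identical.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || cert_pub=
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || key_pub=
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: $key does not match $cert" >&2; return 3
    fi

    # Code 4: the certificate must cover the server name. OpenSSL checks
    # the subjectAltName entries, falls back to the common name, and
    # applies wildcard matching itself.
    if ! openssl x509 -in "$cert" -noout -checkhost "$name" |
            grep -q 'does match'; then
        echo "FAIL: $cert is not valid for $name" >&2; return 4
    fi

    # Code 5: if an intermediate is supplied, the certificate must verify
    # against it. -partial_chain lets verification stop at the intermediate
    # instead of requiring the root CA.
    if [ -n "$chain" ] &&
       ! openssl verify -partial_chain -CAfile "$chain" "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert does not verify against $chain" >&2; return 5
    fi
    echo "OK: $key and $cert are consistent for $name"
}
```

With the page's example names, the call is `check_cert_bundle groundwork.example.com server.key server.crt intermediate.pem`.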
