Generating an SSL Certificate on your GroundWork Server
Using SSL certificates is no longer optional. Modern browsers warn about HTTP-only sites, and even self-signed certificates are getting harder to use: browsers and some anti-virus products block access to sites whose certificates they cannot verify, and rightly so. Your GroundWork server ships with an automatically generated self-signed certificate, so it uses HTTPS out of the box, but there is no reason not to install a "real", publicly trusted CA certificate if you have one and skip all those self-signed exceptions. If you don't have one, the Let's Encrypt project (https://letsencrypt.org/) will issue one for free. Here's how.
Also, check out the related blog posting here.
- Your GroundWork server has to be resolvable at a hostname on a public domain.
This doesn't mean it has to have a public IP address, only that a public DNS lookup of its fully qualified domain name (FQDN) returns an address. For example, if your server's IP address is 192.168.1.23 and your domain is example.com, add an A record for gwos01.example.com pointing at 192.168.1.23 to your public DNS. The host won't be reachable from the Internet, but the name will resolve, which is all the DNS challenge needs.
- You need to be able to (at least temporarily) add a TXT record to your domain's public DNS.
This is how Let's Encrypt verifies that you control the domain, and therefore have the right to request a certificate for a host in it (the ACME DNS-01 challenge). The record has to be in public DNS so that Let's Encrypt's servers can query it; it can be removed once the certificate has been issued.
- You need superuser (sudo) access to your GroundWork host to install software (such as git and python), unless certbot is already installed. If your distribution packages certbot (on RHEL and CentOS it is in the EPEL repository), installing that package and running the certbot command with the same options is simpler than cloning the repository as shown below.
It's a good idea to log in to your DNS provider and get ready to add a TXT record for your domain now.
If necessary, install git. For example, on RHEL or CentOS:
sudo yum update -y
sudo yum install -y git
Clone the certbot repository (it was originally named letsencrypt, and GitHub redirects the old URL):
sudo git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
Ask Let's Encrypt's certbot to issue the certificate using the DNS challenge (e.g., for gwos01.example.com):
cd /opt/letsencrypt
sudo -H ./letsencrypt-auto -d gwos01.example.com --manual --preferred-challenges dns certonly
This will probably install several packages (python and its dependencies, for example). sudo may also ask for your password if it has been a while since you last used it.
Accept the prompts, including the one asking you to agree that the IP address you run this from will be logged.
The process then pauses with a request to place a TXT record in your public DNS. The record name is _acme-challenge. followed by the hostname you are requesting the certificate for (for gwos01.example.com that is _acme-challenge.gwos01.example.com, not the bare example.com), and the value is the string certbot prints. Copy the name and the value exactly as shown.
Add this record to your DNS using your DNS server's or provider's own procedure. For example, at the registrar gandi.net the record is added through the domain's DNS records editor.
Once the TXT record is saved, confirm that it is visible from outside before continuing: look it up with dig or nslookup against a public resolver rather than your local cache, since a record that has not propagated yet makes the challenge fail and you will have to start over. Then go back to the console and press Enter. The verification should complete with a success message.
Next, copy fullchain.pem and privkey.pem to your gw8 folder (e.g., if gw8 is under /home/gwuser). The files under /etc/letsencrypt are readable only by root, so use sudo, then hand the copies to the GroundWork user and keep the private key readable by that user only:
sudo cp /etc/letsencrypt/live/gwos01.example.com/fullchain.pem ~gwuser/gw8/
sudo cp /etc/letsencrypt/live/gwos01.example.com/privkey.pem ~gwuser/gw8/
sudo chown gwuser: ~gwuser/gw8/fullchain.pem ~gwuser/gw8/privkey.pem
sudo chmod 600 ~gwuser/gw8/privkey.pem
Add the privkey.pem and the fullchain.pem to the GroundWork 8 instance, using the procedure Adding Certificates to HTTPS.
Log in to GroundWork Monitor 8 in your browser and confirm that the certificate is shown as valid. You're done, apart from renewal: Let's Encrypt certificates are valid for 90 days, and a certificate obtained with the interactive manual DNS challenge is not renewed automatically, so repeat this procedure (or script the TXT record step with certbot's --manual-auth-hook) before it expires.
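The whole procedure above, wrapped into a shell script as an added example; this is not GroundWork's or certbot's own code. It assumes certbot is on the PATH as certbot (with the cloned repository from the steps above, substitute /opt/letsencrypt/letsencrypt-auto), that the GroundWork account is gwuser with its gw8 directory under /home/gwuser, and that dig and openssl are installed. The function names and the hook/issue/check sub-commands are this example's own. Instead of pressing Enter by hand, it hands certbot a --manual-auth-hook that prints the TXT record to add and then polls a public resolver until the record is visible, which is the check that keeps the challenge from failing on a record that has not propagated; it also verifies that the key and certificate belong together before they are uploaded, and that the listener presents a chain that validates afterwards.

```shell
#!/bin/sh
# Added example, not GroundWork's or certbot's code. Assumed names:
# gwos01.example.com and /home/gwuser/gw8 come from the page; the gwuser
# account, the function names and the hook/issue/check sub-commands are
# this example's own.
set -eu

# The DNS-01 challenge record lives at "_acme-challenge." + the host
# named in -d, not at the bare domain.
acme_challenge_name() {
    printf '_acme-challenge.%s\n' "$1"
}

# Poll a public resolver (not the local cache) until the TXT record
# with the expected value is visible. Returns 0 when seen, 1 after
# $3 attempts (default 30, ten seconds apart).
wait_for_txt() {
    fqdn=$1; expected=$2; tries=${3:-30}; i=0
    name=$(acme_challenge_name "$fqdn")
    while [ "$i" -lt "$tries" ]; do
        if dig +short TXT "$name" @1.1.1.1 | grep -Fqx "\"$expected\""; then
            return 0
        fi
        i=$((i + 1)); sleep 10
    done
    echo "TXT record $name not visible after $tries attempts" >&2
    return 1
}

# Copy fullchain.pem and privkey.pem from certbot's root-only live
# directory into the gw8 directory: chain world-readable, key readable
# by the GroundWork user only. Run via sudo so the source is readable;
# ownership is changed only when actually running as root.
install_certs() {
    live=$1; dest=$2; owner=$3
    mkdir -p "$dest"
    cp "$live/fullchain.pem" "$dest/fullchain.pem"
    cp "$live/privkey.pem" "$dest/privkey.pem"
    chmod 0644 "$dest/fullchain.pem"
    chmod 0600 "$dest/privkey.pem"
    if [ "$(id -u)" -eq 0 ]; then
        chown "$owner:$owner" "$dest/fullchain.pem" "$dest/privkey.pem"
    fi
}

# Sanity check before uploading: the public key in the certificate ($1)
# must be the one belonging to the private key ($2).
key_matches_cert() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# After the files are installed in GroundWork: connect to the listener,
# fail the handshake unless the chain validates against the system CA
# bundle, and print who issued the certificate and when it expires.
check_served_cert() {
    fqdn=$1; port=${2:-443}
    openssl s_client -connect "$fqdn:$port" -servername "$fqdn" \
        -verify_return_error </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -issuer -enddate
}

case "${1:-}" in
    hook)
        # Invoked by certbot through --manual-auth-hook; certbot exports
        # CERTBOT_DOMAIN and CERTBOT_VALIDATION for the record to publish.
        echo "Add TXT $(acme_challenge_name "$CERTBOT_DOMAIN") = \"$CERTBOT_VALIDATION\"" >&2
        wait_for_txt "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION" 60
        ;;
    issue)
        fqdn=$2
        # Same certbot invocation as the page, but the hook replaces the
        # "press Enter" pause: certbot continues once the hook returns.
        certbot certonly --manual --preferred-challenges dns \
            --manual-auth-hook "$0 hook" -d "$fqdn"
        install_certs "/etc/letsencrypt/live/$fqdn" /home/gwuser/gw8 gwuser
        key_matches_cert /home/gwuser/gw8/fullchain.pem /home/gwuser/gw8/privkey.pem
        ;;
    check)
        check_served_cert "$2"
        ;;
esac
```

Run it as sudo /path/to/gw-cert.sh issue gwos01.example.com (use the absolute path, since certbot runs the hook command from its own working directory), add the TXT record when prompted, and once the files have been uploaded through Adding Certificates to HTTPS run gw-cert.sh check gwos01.example.com from another machine; a handshake that fails there means the chain is incomplete or the wrong files were uploaded, even if a browser with a cached exception still shows the site.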