Overview
In this article, we'll show how we can configure the SSL certificates in ACSIA. In particular, we'll show:
- The prerequisites and some knowledge base
- How to install and renew the SSL certificates if you retrieved them from a CA (Certification Authority)
- How to install the SSL certificates if you retrieved them from Let's Encrypt
- How to renew the certificates if you retrieved them from Let's Encrypt
Prerequisites and knowledge base
Prerequisites
ACSIA SOS is installed on this Linux distribution:
- Ubuntu 20.04
The distribution requires:
- Full SSH root access or a user with sudo privileges.
- A valid domain name pointed to your server's IP address. We'll call it [yourdomain] throughout this article.
The certificates must be in the .pem format.
If you retrieved your certificates from a CA and have them in other formats, you can use the following procedure to convert them, for example, from .pkcs12 to .pem:
$ openssl pkcs12 -in certificatename.pfx -out [my_certificate.pem]
where [my_certificate.pem] is the name of your certificate in the .pem format.
Knowledge base
Here we'll describe the procedures for SSL certificates, both in case you retrieved them from a CA and in case you retrieved them from Let's Encrypt.
The difference between them is that Let's Encrypt is a free service whose certificates need, for example, to be renewed every three months.
If you'd like to use a CA instead, the certificates are provided by an Authority and last some years.
How to install and renew the SSL certificates if you retrieved them from a CA
Step 1: switch to ACSIA user
$ sudo su - acsia
This command is needed to see the certificates. Without it, you can't see them.
Step 2: get permission to see the certificate
You have to get the path where your certificate is. If we call it [file-path-directory], then type:
$ sudo chmod -R 755 [file-path-directory]
to get the permissions to see the certificates.
Then, you have to get the path where your private key is. If we call it [key-path-directory], then type:
$ sudo chmod -R 755 [key-path-directory]
Step 3: stop Nginx port 80
We must be sure that port 80 is not in use. Check the running containers by typing the following:
$ sudo docker ps
After this, stop the Nginx Docker container:
$ sudo docker stop nginx
Step 4: deploy the certificates
Now, we can proceed with the deployment phase. Execute the following command:
$ acsia_deploy_ssl_certs --certificate [file-path-directory]/[my_certificate.pem] --key [key-path-directory]/privkey.pem --domain [yourdomain]
Where:
- [my_certificate.pem] is the name of your certificate.
- [file-path-directory] is the path where [my_certificate.pem] is located.
- [key-path-directory] is the path where the private key is located.
- [yourdomain] is your domain name.
Step 5: restart ACSIA
Finally, restart ACSIA:
$ acsia_stack_restart
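Before running acsia_deploy_ssl_certs in Step 4, it helps to confirm that the certificate and the private key really belong together, which is easy to get wrong after a PKCS#12 conversion. The shell function below is an added example, not part of ACSIA or of the original article; check_pem_pair, make_samples and the domain acsia.example.test are made-up names, the sample pairs are throwaway self-signed test data generated on the fly, and OpenSSL 1.1.1 or later is assumed.

```shell
# Added example (not ACSIA tooling): sanity-check a PEM pair before deploying it.
# Usage: check_pem_pair CERT KEY DOMAIN [MIN_DAYS]   (returns 0 only if all pass)
check_pem_pair() {
    local cert="$1" key="$2" domain="$3" min_days="${4:-7}"
    local cert_pub key_pub

    # 1. Must parse as PEM X.509 (for a fullchain.pem this reads the first cert).
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) \
        || { echo "FAIL: $cert is not a PEM certificate"; return 1; }

    # 2. Key must load without a passphrase (empty -passin avoids a prompt).
    key_pub=$(openssl pkey -in "$key" -pubout -passin pass: 2>/dev/null) \
        || { echo "FAIL: $key is encrypted or not a PEM private key"; return 2; }

    # 3. Same public key on both sides, or the key belongs to another cert.
    [ "$cert_pub" = "$key_pub" ] \
        || { echo "FAIL: private key does not match certificate"; return 3; }

    # 4. Still valid MIN_DAYS from now (-checkend exits non-zero if it expires).
    openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null \
        || { echo "FAIL: certificate expires within $min_days days"; return 4; }

    # 5. Covers the name that will be passed to --domain.
    openssl x509 -in "$cert" -noout -checkhost "$domain" | grep -q 'does match' \
        || { echo "FAIL: certificate does not cover $domain"; return 5; }

    echo "OK: $cert and $key form a valid pair for $domain"
}

# Constructed sample input: two throwaway self-signed pairs for a made-up domain.
make_samples() {
    local dir="$1" n
    for n in a b; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
            -subj "/CN=acsia.example.test" \
            -addext "subjectAltName=DNS:acsia.example.test" \
            -keyout "$dir/$n.key" -out "$dir/$n.pem" 2>/dev/null
    done
}

demo_dir=$(mktemp -d)
make_samples "$demo_dir"
check_pem_pair "$demo_dir/a.pem" "$demo_dir/a.key" acsia.example.test || true
check_pem_pair "$demo_dir/a.pem" "$demo_dir/b.key" acsia.example.test || true  # swapped key
rm -rf "$demo_dir"
```

For the CA case, point it at [file-path-directory]/[my_certificate.pem], [key-path-directory]/privkey.pem and [yourdomain]; for Let's Encrypt, at fullchain.pem and privkey.pem under /etc/letsencrypt/live/[yourdomain].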
How to install the SSL certificates if you retrieve them from Let's Encrypt
Step 1: switch to ACSIA user
$ sudo su - acsia
Step 2: stop Nginx port 80
We must be sure that port 80 is not in use. Check the running containers by typing the following:
$ sudo docker ps
After this, stop the Nginx Docker container:
$ sudo docker stop nginx
Step 3: install certbot
$ sudo snap install --classic certbot
Step 4: create the certificate
$ sudo certbot certonly -d [yourdomain]
Where [yourdomain] is your domain name.
Step 5: get the permissions of the directories /etc/letsencrypt/live and /etc/letsencrypt/archive
$ sudo chmod -R 755 /etc/letsencrypt/live
$ sudo chmod -R 755 /etc/letsencrypt/archive
Step 6: deploy the certificates
Now, we can proceed with the deployment phase. Execute the following command:
$ acsia_deploy_ssl_certs --certificate /etc/letsencrypt/live/[yourdomain]/fullchain.pem --key /etc/letsencrypt/live/[yourdomain]/privkey.pem --domain [yourdomain]
Where [yourdomain] is your domain name.
Step 7: restart ACSIA
$ acsia_stack_restart
How to renew the SSL certificates if you retrieve them from Let's Encrypt
To force the renewal of certificates retrieved with Let's Encrypt, that is, to renew them before they reach their end date, we can type the following commands:
Step 1: stop Nginx port 80
$ sudo docker stop nginx
Step 2: force renewal of the certificates
$ sudo certbot certonly --force-renew -d [yourdomain]
where [yourdomain] is your domain name.
Step 3: switch to ACSIA user
$ sudo su - acsia
Step 4: deploy the certificates
$ acsia_deploy_ssl_certs --certificate /etc/letsencrypt/live/[yourdomain]/fullchain.pem --key /etc/letsencrypt/live/[yourdomain]/privkey.pem --domain [yourdomain]
where [yourdomain] is your domain name.
Step 5: restart ACSIA
$ acsia_stack_restart