...
Certificates management
Enabling certificates automatically creates the /data/ssl folder with the relevant files:
- server.key - private key
- server.crt - certificate signed by relevant CA (Let's Encrypt or in some cases TDS)
- ca-bundle.crt - chain of root and intermediate certificates that signed the server certificate
- fullchain.crt - chain of root, intermediate and server certificate (usually needed by Nginx)
You can optionally enable those certificate files when deploying a server.
...
Self-managed PaaS applications (Gerrit, Jenkins, SonarQube) from TDS are automatically configured to use those certificate files.
...
```sh
# Example of configuring recommended path to complete chain
# Show the current certificate setting
grep 'ssl_certificate /' /etc/nginx/sites-available/*
# Point nginx at the full chain and the private key
sed -i 's#ssl_certificate /.*#ssl_certificate /data/ssl/fullchain.crt;#' /etc/nginx/sites-available/*
sed -i 's#ssl_certificate_key /.*#ssl_certificate_key /data/ssl/server.key;#' /etc/nginx/sites-available/*
# Confirm the change
grep 'ssl_certificate /' /etc/nginx/sites-available/*
```
...
```sh
# Preparing hook:
mkdir -p /data/ssl/hooks/
touch /data/ssl/hooks/nginx.sh
chmod +x /data/ssl/hooks/nginx.sh
# The hook rebuilds the full chain (server certificate first, then the CA bundle)
echo '#!/bin/sh
cat /data/ssl/server.crt > /data/ssl/fullchain.crt
cat /data/ssl/ca-bundle.crt >> /data/ssl/fullchain.crt
systemctl restart nginx' > /data/ssl/hooks/nginx.sh
cat /data/ssl/hooks/nginx.sh
# Finally executing the hook to verify that it works
/data/ssl/hooks/nginx.sh
```
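A hardened variant of the hook above, as an added example that is not part of the original page or of TDS tooling: it assembles the chain in a temporary file, rejects a malformed result, renames it into place atomically, and tests the nginx configuration before reloading. The function names and the `run` argument are hypothetical, the file names follow the page, and it uses `systemctl reload` where the page's hook uses `restart`.

```shell
#!/bin/sh
# Added example: hardened variant of the nginx hook. Function names and the
# "run" argument are hypothetical; file names follow the page.
SSL_DIR="${SSL_DIR:-/data/ssl}"

# Count lines that are exactly a PEM certificate header.
count_certs() {
    grep -cx -e '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null || true
}

# Assemble fullchain.crt (server certificate first, then the CA bundle)
# without ever exposing a half-written file to nginx.
build_fullchain() {
    dir="$1"
    leaf="$dir/server.crt"; bundle="$dir/ca-bundle.crt"
    [ -s "$leaf" ] && [ -s "$bundle" ] || { echo "missing input in $dir" >&2; return 1; }
    n_leaf="$(count_certs "$leaf")"; n_bundle="$(count_certs "$bundle")"
    [ "$n_leaf" -ge 1 ] && [ "$n_bundle" -ge 1 ] || { echo "input is not PEM" >&2; return 1; }
    # Temp file in the same directory, so the final mv is an atomic rename.
    tmp="$(mktemp "$dir/fullchain.XXXXXX")" || return 1
    cat "$leaf" "$bundle" > "$tmp"
    # A missing trailing newline in server.crt fuses END/BEGIN onto one line;
    # the exact-line count then comes up short and the old file is kept.
    if [ "$(count_certs "$tmp")" -ne $((n_leaf + n_bundle)) ]; then
        rm -f "$tmp"; echo "malformed chain, keeping old file" >&2; return 1
    fi
    chmod 644 "$tmp" && mv -f "$tmp" "$dir/fullchain.crt"
}

# Test the configuration (nginx loads the certificate and key while doing so)
# and only then reload; this swaps the page's restart for a reload.
reload_nginx() {
    nginx -t && systemctl reload nginx
}

# Only act when invoked as: nginx.sh run
if [ "${1:-}" = "run" ]; then
    build_fullchain "$SSL_DIR" && reload_nginx
fi
```

Saved as /data/ssl/hooks/nginx.sh, it would be invoked with the `run` argument; without it the script only defines the functions.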
...