Certificate management in TDS lets you easily enable automated SSL/TLS certificate deployment and renewal.
The project certificates view allows you to list and manage the SSL/TLS certificates in your project.
The server settings view allows you to configure certificate and DNS settings.
Enabling certificates creates the /data/ssl folder with the relevant files:
You can optionally enable those certificate files when deploying a server.
Self-managed PaaS applications (Gerrit, Jenkins, SonarQube) from TDS are automatically configured to use those certificate files.
You can also create hooks if you want to execute some commands after a new certificate is deployed, typically a restart of some service. Hooks are executed automatically after each new certificate deployment; see the Certificate deployment hooks chapter for more.
There are multiple features available:
You can get there by opening a particular portal project and then opening the "Certificates" menu.
Every certificate shows its usage/assignment on servers, and the domains or subject alternative names (SANs) that it applies to.
We use the Let's Encrypt CA for automated signing in most cases; however, in some cases your own certificates need to be deployed. You can add/import custom certificates here and use them on servers.
For that purpose, go to your project >> Certificates and click the (+) button to add a new custom certificate.
There you can usually see:
This needs to be clean, without extra newlines or spaces, and it needs to concatenate the CA certificates exactly in chain-of-trust order:
Sometimes there can be the following differences:
Generally a reload of httpd/apache2 is performed during each certificate update. However, in some cases various extra operations must be performed.
For that purpose a hooks folder has been introduced, with the following default value:
CERT_HOOKS_LOCATION=/data/ssl/hooks
As soon as anything executable is present in the hooks folder, it is executed automatically. Remember to handle the httpd/apache2 restart yourself as well, because the regular certificate update script skips Apache restarts when hooks are used.
If you like, you can override the hooks path by providing the CERT_HOOKS_LOCATION variable in the /data/configs/tdscertdeploy.conf config file.
Create the following file, which will make sure your certificates will not be touched:

```sh
mkdir -p /data/configs
touch /data/configs/tdscertdeploy.conf
```

Content of the file:

```sh
CERT_AUTO_DEPLOY=false
```

To get certificates deployed automatically again during the next renewal periods, just remove that file and automated certificate deployment will work again.
Hooks are bash scripts, made executable and placed in the /data/ssl/hooks folder. They are executed automatically every time a new certificate is deployed.
You can place as many scripts in the hooks folder as you like; they are executed in alphabetical order.
For the Nginx web server it is recommended to have the server certificate and the intermediate certificates bundled in the file configured by the "ssl_certificate" directive:
http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_certificate
Example of setting the correct certificate path in the nginx files:

```sh
# Example of configuring the recommended path to the complete chain
grep 'ssl_certificate /' /etc/nginx/sites-available/*
sed -i 's#ssl_certificate /.*#ssl_certificate /data/ssl/fullchain.crt;#' /etc/nginx/sites-available/*
sed -i 's#ssl_certificate_key /.*#ssl_certificate_key /data/ssl/server.key;#' /etc/nginx/sites-available/*
grep 'ssl_certificate /' /etc/nginx/sites-available/*
```

This is the recommended setup, verified by users:

```sh
# Preparing the hook:
mkdir -p /data/ssl/hooks/
touch /data/ssl/hooks/nginx.sh
chmod +x /data/ssl/hooks/nginx.sh
echo '#!/bin/sh
cat /data/ssl/server.crt > /data/ssl/fullchain.crt
cat /data/ssl/ca-bundle.crt >> /data/ssl/fullchain.crt
systemctl restart nginx' > /data/ssl/hooks/nginx.sh
cat /data/ssl/hooks/nginx.sh
# Finally execute the hook to verify that it works
/data/ssl/hooks/nginx.sh
```
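The hook above concatenates the files blindly, which is exactly where the "clean, in chain-of-trust order" requirement for the CA bundle bites. The following nginx.sh is an added example, not a script from the TDS documentation: it rejects a PEM file with stray whitespace or text outside the certificate blocks, checks with openssl that server.key belongs to server.crt and that server.crt chains to ca-bundle.crt, writes fullchain.crt atomically, and reloads nginx only after nginx -t passes. The file names and paths are the ones this page uses; the checks and the SSL_DIR variable are my assumptions.

```shell
#!/bin/sh
# Hardened nginx hook (added example): validate the files in /data/ssl before
# building fullchain.crt and reloading nginx. The checks are my additions.
set -eu
SSL_DIR="${SSL_DIR:-/data/ssl}"

# 0 only for "clean" PEM: LF endings, no blank lines, nothing outside
# BEGIN/END CERTIFICATE blocks, only base64 inside them, at least one block.
pem_is_clean() {
    if grep -q "$(printf '\r')" "$1" || grep -qE '^[[:space:]]*$' "$1"; then
        return 1
    fi
    awk '/^-----BEGIN CERTIFICATE-----$/ { if (inblk) bad=1; inblk=1; next }
         /^-----END CERTIFICATE-----$/   { if (!inblk) bad=1; inblk=0; n++; next }
         !inblk || $0 !~ /^[A-Za-z0-9+\/=]+$/ { bad=1 }
         END { exit (bad || inblk || !n) ? 1 : 0 }' "$1"
}
# server.key must belong to server.crt (RSA or EC): compare the public keys.
key_matches_cert() {
    [ "$(openssl x509 -in "$SSL_DIR/server.crt" -noout -pubkey)" = \
      "$(openssl pkey -in "$SSL_DIR/server.key" -pubout)" ]
}
# server.crt must chain to ca-bundle.crt; -partial_chain also accepts a bundle
# that stops at an intermediate instead of a root.
chain_is_valid() {
    openssl verify -partial_chain -CAfile "$SSL_DIR/ca-bundle.crt" \
        "$SSL_DIR/server.crt" >/dev/null 2>&1
}
# Write leaf + bundle to a temp file and rename it so nginx never reads a half file.
write_fullchain() {
    tmp=$(mktemp "$SSL_DIR/fullchain.XXXXXX")
    cat "$SSL_DIR/server.crt" "$SSL_DIR/ca-bundle.crt" > "$tmp"
    chmod 644 "$tmp"
    mv -f "$tmp" "$SSL_DIR/fullchain.crt"
}
deploy() {
    for f in server.crt ca-bundle.crt; do
        pem_is_clean "$SSL_DIR/$f" || { echo "hook: $f is not clean PEM" >&2; exit 1; }
    done
    key_matches_cert || { echo "hook: server.key does not match server.crt" >&2; exit 1; }
    chain_is_valid || { echo "hook: server.crt does not chain to ca-bundle.crt" >&2; exit 1; }
    write_fullchain
    # Check the config first; reload keeps existing connections open, unlike restart.
    nginx -t && systemctl reload nginx
}
# Deploy only when run as the hook; sourcing the file elsewhere just defines functions.
case "${0##*/}" in nginx.sh) deploy ;; esac
```

Install it as /data/ssl/hooks/nginx.sh (executable) in place of the cat-based hook; a bundle that fails the checks leaves the previous fullchain.crt and the running nginx untouched.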