Self signed SSL Certificates
- Introduction
- Generating a new certificate
- Adding additional IP addresses and/or domains
- Importing certificate into Chrome
To encrypt web traffic, the script generates a self-signed certificate. The advantage of a self-signed certificate is that it is simple and free, with no third-party requirement; however, it will need to be imported into any browser you use to access your server.
If you use Chrome and your existing certificate no longer works, this is due to changes in how Chrome manages certificates. The main rtinst.sh script has been updated to accommodate these changes. For existing installations, you can rerun the latest version of the main script or generate a new certificate by following the instructions in the next section.
Section 4 is a guide to importing certificates into Chrome. For other browsers there are plenty of guides online, so if you need help, do a search.
You may need to generate a new certificate if your existing certificate expires (it takes 10 years to expire, so this is unlikely), or if other factors, such as the updates in Chrome v. 58, make it necessary.
You can use the script rtsslcert to generate the certificates, or do it manually by following the instructions below.
Check that the config file exists:
ls /etc/ssl/ruweb.cnf
If it does not, create it:
sudo cp /etc/ssl/openssl.cnf /etc/ssl/ruweb.cnf
Open it for editing:
sudo nano /etc/ssl/ruweb.cnf
Add the following to the end of the file, substituting your server's IP address:
[ v3_ca ]
subjectAltName = @alt_names
[ alt_names ]
IP.1 = 123.123.123.123
Finally, generate the certificate using the following command, substituting your server's IP address:
sudo openssl req -x509 -nodes -days 3650 -subj /CN=123.123.123.123 -config /etc/ssl/ruweb.cnf -newkey rsa:2048 -keyout /etc/ssl/private/ruweb.key -out /etc/ssl/ruweb.crt
For additional IP addresses or domains, follow the instructions in the previous section, but when editing /etc/ssl/ruweb.cnf add the additional addresses to the [ alt_names ] section:
[ alt_names ]
IP.1 = 123.123.123.123
IP.2 = 124.124.124.124
DNS.1 = example.com
DNS.2 = moreexample.com
DNS.3 = www.example.com
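Chrome 58 and later match a certificate only against its subjectAltName entries and ignore the CN, so it is worth confirming that each address you browse to is covered before importing the certificate. The script below is an added example, not part of rtinst or rtsslcert: it uses `openssl x509 -checkip` / `-checkhost` (OpenSSL 1.0.2 or later), and its function names, temporary demo config and sample addresses are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (all addresses and file names are constructed sample values).

# cert_covers CERT ADDRESS: exit 0 if ADDRESS (IP or DNS name) matches CERT.
cert_covers() {
    case $2 in
        *:*)       flag=-checkip ;;    # IPv6 literal
        *[!0-9.]*) flag=-checkhost ;;  # anything else with a non-digit: DNS name
        *)         flag=-checkip ;;    # dotted quad: IPv4 address
    esac
    openssl x509 -in "$1" -noout "$flag" "$2" 2>/dev/null |
        grep -q 'does match certificate'
}

# make_demo_cert DIR SAN_LINES: throwaway key and cert in DIR, built like the
# page's openssl req command but from a minimal config, not /etc/ssl/ruweb.cnf.
make_demo_cert() {
    {
        printf '[ req ]\ndistinguished_name = dn\nprompt = no\n'
        printf 'x509_extensions = v3_ca\n[ dn ]\nCN = 123.123.123.123\n'
        printf '[ v3_ca ]\nbasicConstraints = CA:true\n'
        if [ -n "$2" ]; then
            printf 'subjectAltName = @alt_names\n[ alt_names ]\n%s\n' "$2"
        fi
    } > "$1/demo.cnf"
    openssl req -x509 -nodes -days 1 -config "$1/demo.cnf" -newkey rsa:2048 \
        -keyout "$1/demo.key" -out "$1/demo.crt" 2>/dev/null
}

# report CERT ADDRESS...: print one verdict line per address.
report() {
    cert=$1; shift
    for addr in "$@"; do
        if cert_covers "$cert" "$addr"; then echo "$addr: covered"
        else echo "$addr: NOT covered"; fi
    done
}

demo() {
    tmp=$(mktemp -d) || return 1
    echo "-- CN only, no subjectAltName"
    make_demo_cert "$tmp" "" && report "$tmp/demo.crt" 123.123.123.123
    echo "-- with [ alt_names ]"
    make_demo_cert "$tmp" "$(printf 'IP.1 = 123.123.123.123\nDNS.1 = example.com')" &&
        report "$tmp/demo.crt" 123.123.123.123 example.com www.example.com
    rm -rf "$tmp"
}

if command -v openssl >/dev/null; then demo; else echo "openssl not found" >&2; fi
```

To check the real certificate, call `cert_covers /etc/ssl/ruweb.crt <address>` for each IP address or domain you use. A name such as www.example.com is not covered by an entry for example.com, which is why the list above gives it its own DNS line.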
Load the rutorrent web page and you will see something like the following. Show the advanced section if it is hidden, and proceed to the page.
Once you proceed, your rutorrent window should open. Press SHIFT-CTRL-i (or F12) and the developer tools console will open. Select the Security tab, and you should see something like this
Click on the "View certificate" button and select the Details tab. You should see something like this
Click "Copy to File", click Next, and select the Base-64 option.
Save the certificate to a file.
Now that we have the certificate saved to a file, we need to import it into the Chrome certificate store.
Click the 3-dot menu and select Settings. At the bottom, click "Show advanced settings", and under HTTPS/SSL click "Manage certificates...".
Click on the "Trusted Root Certification Authorities" tab.
Click Import and select the certificate file we created earlier. Select "Place all certificates in the following store".
Then finish and accept the certificate.
Restart Chrome, and you should now be able to load your server web pages and see the nice green secure lock.