Talk:Configure Zenoss for HTTPS/SSL

From Zenoss Wiki
Jump to: navigation, search

Configure Zenoss for HTTPSSwitch to the zenoss user (from root):

  1. su - zenoss

Run the following commands as the zenoss user.Create a directory in which to store certificate and key files:

$ mkdir /opt/zenoss/etc/ssl

Change into the new directory:

$ cd /opt/zenoss/etc/ssl

Create the server private key:

$ openssl genrsa -des3 -out zenoss.key 1024

Create the signing request:

$ openssl req -new -key zenoss.key -out zenoss.csr

Remove the pass phrase requirement:

$ cp zenoss.key zenoss.key.orig

$ openssl rsa -in zenoss.key.orig -out zenoss.key

Sign the certificate:

$ openssl x509 -req -days 365 -in zenoss.csr -signkey zenoss.key -out zenoss.crt

Stop the Zenoss web server daemons:

$ zenwebserver

the ownership and permissions of the Ngnix executable so that it runs as the root user. Because /opt/zenoss/bin/ngnix is usually a symbolic link, the readlink command is used to get its actual location. Enter the password for the root user when prompted:

$ su -c 'target="`readlink /opt/zenoss/bin/nginx`" && chown root:zenoss "$target" && chmod 04750 "$target"'

Verify that the ownership and permissions of the Nginx executable are correct: $ ls -lL /opt/zenoss/bin/nginx

The first part of the output should read -rwsr-x--- 1 root zenoss

Edit /opt/zenoss/etc/zenwebserver.conf to enable SSL and to refer to the SSL key and certificate files:

Change useSSL False to useSSL TrueUncomment (remove the leading pound sign and space (“# ”) from) the sslport line, and optionally specify a different SSL port on which Ngnix should accept connectionsNote that the default value, 443, is the standard port for HTTPS connections.Uncomment the sslCert line; and, if necessary, update the full path to the SSL certificate fileUncomment the sslKey line; and, if necessary, update the full path to the SSL key fileStart the Zenoss web server daemons: $ zenwebserver start

Reconfigure the load balancer: $ zenwebserver configure

Reload the load balancer: zenwebserver reload

Note: Depending on their browser security settings, users connecting to your Zenoss instance might encounter warning messages stating that the site's identity cannot be verified. These errors are generated by some browsers when a web server presents a self-signed certificate. These warnings can be eliminated by obtaining a signed certificate from a trusted CA.