Difference between revisions of "Talk:Configure Zenoss for HTTPS/SSL"
Revision as of 19:24, 10 February 2014
Configure Zenoss for HTTPS

1. Switch to the zenoss user (from root):
     su - zenoss
   Run the following commands as the zenoss user.
2. Create a directory in which to store certificate and key files:
     $ mkdir /opt/zenoss/etc/ssl
3. Change into the new directory:
     $ cd /opt/zenoss/etc/ssl
4. Create the server private key:
     $ openssl genrsa -des3 -out zenoss.key 1024
5. Create the signing request:
     $ openssl req -new -key zenoss.key -out zenoss.csr
6. Remove the pass phrase requirement:
     $ cp zenoss.key zenoss.key.orig
     $ openssl rsa -in zenoss.key.orig -out zenoss.key
7. Sign the certificate:
     $ openssl x509 -req -days 365 -in zenoss.csr -signkey zenoss.key -out zenoss.crt
8. Stop the Zenoss web server daemons:
     $ zenwebserver stop
9. Change the ownership and permissions of the Nginx executable so that it runs as the root user. Because /opt/zenoss/bin/nginx is usually a symbolic link, the readlink command is used to get its actual location. Enter the password for the root user when prompted:
     $ su -c 'target="`readlink /opt/zenoss/bin/nginx`" && chown root:zenoss "$target" && chmod 04750 "$target"'
10. Verify that the ownership and permissions of the Nginx executable are correct:
     $ ls -lL /opt/zenoss/bin/nginx
    The first part of the output should read:
     -rwsr-x--- 1 root zenoss
11. Edit /opt/zenoss/etc/zenwebserver.conf to enable SSL and to refer to the SSL key and certificate files:
    - Change useSSL False to useSSL True.
    - Uncomment (remove the leading pound sign and space (“# ”) from) the sslport line, and optionally specify a different SSL port on which Nginx should accept connections. Note that the default value, 443, is the standard port for HTTPS connections.
    - Uncomment the sslCert line and, if necessary, update the full path to the SSL certificate file.
    - Uncomment the sslKey line and, if necessary, update the full path to the SSL key file.
12. Start the Zenoss web server daemons:
     $ zenwebserver start
13. Reconfigure the load balancer:
     $ zenwebserver configure
14. Reload the load balancer:
     $ zenwebserver reload

Note: Depending on their browser security settings, users connecting to your Zenoss instance might encounter warning messages stating that the site's identity cannot be verified. Some browsers generate these warnings when a web server presents a self-signed certificate. The warnings can be eliminated by obtaining a signed certificate from a trusted CA.
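
The following script is an added example, not part of the original page or of Zenoss: it audits the result of the procedure above by checking the edited zenwebserver.conf settings, the mode of the key file (which has no pass phrase after the "openssl rsa" step), and the ls -lL output for the Nginx executable. The function names, the "name value" reading of the configuration file, and the key-mode policy (no group write, no access for other users) are assumptions.

```sh
#!/bin/sh
# Added example (not from the wiki page): audit the result of the HTTPS steps.
# Assumption: zenwebserver.conf holds "name value" lines; "# " comments one out.

# Print the value of an uncommented setting; fail if it is absent or commented.
conf_get() {  # usage: conf_get <file> <name>
    awk -v k="$2" '$1 == k { print $2; ok = 1; exit } END { exit !ok }' "$1"
}

# The "openssl rsa" step leaves the key without a pass phrase, so file mode is
# its only protection. Policy assumed here: no group write, nothing for "other".
key_mode_ok() {  # usage: key_mode_ok <keyfile>
    case "$(ls -ldL "$1" 2>/dev/null | cut -c1-10)" in
        -???[r-]-[x-]---) return 0 ;;
        *) return 1 ;;
    esac
}

# Same check as the "ls -lL" step: -rwsr-x--- (04750), owner root, group zenoss.
nginx_mode_ok() {  # usage: nginx_mode_ok "<one line of ls -lL output>"
    set -- $1
    case "$1" in
        -rwsr-x---|-rwsr-x---[.+@]) ;;   # ls may append an ACL/SELinux marker
        *) return 1 ;;
    esac
    [ "$3" = root ] && [ "$4" = zenoss ]
}

# Print each finding; the return status is the number of findings (0 = clean).
audit_conf() {  # usage: audit_conf <zenwebserver.conf>
    conf=$1
    fails=0
    [ "$(conf_get "$conf" useSSL)" = True ] ||
        { echo "useSSL is not True"; fails=$((fails + 1)); }
    conf_get "$conf" sslport >/dev/null ||
        { echo "sslport is still commented out"; fails=$((fails + 1)); }
    for name in sslCert sslKey; do
        path=$(conf_get "$conf" "$name") && [ -r "$path" ] ||
            { echo "$name is commented out or its file is unreadable"
              fails=$((fails + 1)); continue; }
        [ "$name" != sslKey ] || key_mode_ok "$path" ||
            { echo "$path is group-writable or accessible to other users"
              fails=$((fails + 1)); }
    done
    return "$fails"
}

# Run against a real file only when one is named on the command line.
if [ "$#" -gt 0 ]; then audit_conf "$1"; fi
```

Run it as the zenoss user with /opt/zenoss/etc/zenwebserver.conf as the argument, and pass the output of the ls -lL step to nginx_mode_ok to confirm the setuid change.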