2017-10-28 02:46:31 +02:00
|
|
|
# Installing SSL Certificates
|
2017-11-18 12:56:32 +01:00
|
|
|
|
2017-11-16 04:44:52 +01:00
|
|
|
To keep your communications secure, Zulip runs over HTTPS only.
|
2017-10-28 02:46:31 +02:00
|
|
|
You'll need an SSL/TLS certificate.
|
|
|
|
|
2018-01-23 20:08:17 +01:00
|
|
|
Fortunately, since about 2017, new options can make getting and
|
|
|
|
maintaining a genuine, trusted-by-browsers certificate no longer the
|
|
|
|
chore (nor expense) that it used to be.
|
2017-10-28 02:46:31 +02:00
|
|
|
|
|
|
|
## Manual install
|
|
|
|
|
2017-12-13 04:49:21 +01:00
|
|
|
If you already have an SSL certificate, just install (or symlink) its
|
|
|
|
files into place at the following paths:
|
|
|
|
* `/etc/ssl/private/zulip.key` for the private key
|
|
|
|
* `/etc/ssl/certs/zulip.combined-chain.crt` for the certificate.
|
|
|
|
|
2018-04-16 20:29:19 +02:00
|
|
|
Your certificate file should contain not only your own certificate but
|
2018-10-04 01:00:59 +02:00
|
|
|
its **full chain, including any intermediate certificates** used by
|
|
|
|
your CA. See the [nginx documentation][nginx-chains] for details on
|
|
|
|
what this means. If you're missing part of the chain, your server may
|
|
|
|
work with some browsers, but not others and not the Zulip Android app.
|
2018-04-16 20:29:19 +02:00
|
|
|
|
|
|
|
[nginx-chains]: http://nginx.org/en/docs/http/configuring_https_servers.html#chains
|
2017-11-16 04:44:52 +01:00
|
|
|
|
2018-10-04 01:00:59 +02:00
|
|
|
### Testing
|
|
|
|
|
|
|
|
Just trying in a browser is not an adequate test, because some
|
|
|
|
browsers ignore errors that others don't.
|
|
|
|
|
|
|
|
Two good tests include:
|
|
|
|
|
|
|
|
* If your server is accessible from the public Internet, use the [SSL
|
|
|
|
Labs tester][ssllabs-tester]. Be sure to check for "Chain issues";
|
|
|
|
if any, your certificate file is missing intermediate certificates.
|
|
|
|
|
|
|
|
* Alternatively, run a command like `curl -SsI https://zulip.example.com`
|
|
|
|
(using your server's URL) from a machine that can reach your server.
|
|
|
|
Make sure that on the same machine, `curl -SsI
|
|
|
|
https://incomplete-chain.badssl.com` gives an error; `curl` on some
|
|
|
|
machines, including Macs, will accept incomplete chains.
|
|
|
|
|
|
|
|
[ssllabs-tester]: https://www.ssllabs.com/ssltest/analyze.html
|
|
|
|
|
2017-12-13 04:50:51 +01:00
|
|
|
## Certbot (recommended)
|
2017-11-16 04:44:52 +01:00
|
|
|
|
|
|
|
[Let's Encrypt](https://letsencrypt.org/) is a free, completely
|
|
|
|
automated CA launched in 2016 to help make HTTPS routine for the
|
|
|
|
entire Web. Zulip offers a simple automation for
|
|
|
|
[Certbot](https://certbot.eff.org/), a Let's Encrypt client, to get
|
|
|
|
SSL certificates from Let's Encrypt and renew them automatically.
|
|
|
|
|
|
|
|
We recommend most Zulip servers use Certbot. You'll want something
|
|
|
|
else if:
|
|
|
|
* you have an existing workflow for managing SSL certificates
|
|
|
|
that you prefer;
|
|
|
|
* you need wildcard certificates (support from Let's Encrypt planned
|
2018-01-23 18:15:03 +01:00
|
|
|
for [early 2018][letsencrypt-wildcard]); or
|
2017-11-16 04:44:52 +01:00
|
|
|
* your Zulip server is not on the public Internet. (In this case you
|
|
|
|
can [still use Certbot][certbot-manual-mode], but it's less
|
|
|
|
convenient; and you'll want to ignore Zulip's automation.)
|
|
|
|
|
|
|
|
[letsencrypt-wildcard]: https://letsencrypt.org/2017/07/06/wildcard-certificates-coming-jan-2018.html
|
|
|
|
[certbot-manual-mode]: https://certbot.eff.org/docs/using.html#manual
|
|
|
|
|
|
|
|
### At initial Zulip install
|
|
|
|
|
|
|
|
To enable the Certbot automation when first installing Zulip, just
|
2017-12-13 05:13:34 +01:00
|
|
|
pass the `--certbot` flag when [running the install script][doc-install-script].
|
2017-11-16 04:44:52 +01:00
|
|
|
|
|
|
|
The `--hostname` and `--email` options are required when using
|
|
|
|
`--certbot`. You'll need the hostname to be a real DNS name, and the
|
|
|
|
Zulip server machine to be reachable by that name from the public
|
|
|
|
Internet.
|
|
|
|
|
2018-10-20 10:11:46 +02:00
|
|
|
If you need to configure a multiple domain certificate, you can generate
|
|
|
|
one as described in the section below after installing Zulip.
|
|
|
|
|
2019-04-06 02:58:44 +02:00
|
|
|
[doc-install-script]: ../production/install.html#step-2-install-zulip
|
2017-12-13 05:13:34 +01:00
|
|
|
|
2017-11-16 04:44:52 +01:00
|
|
|
### After Zulip is already installed
|
|
|
|
|
|
|
|
To enable the Certbot automation on an already-installed Zulip
|
|
|
|
server, run the following commands:
|
2016-08-25 06:33:09 +02:00
|
|
|
```
|
2017-11-16 04:44:52 +01:00
|
|
|
sudo -s # If not already root
|
2018-10-20 10:11:46 +02:00
|
|
|
/home/zulip/deployments/current/scripts/setup/setup-certbot --email=EMAIL HOSTNAME [HOSTNAME2...]
|
2016-08-25 06:33:09 +02:00
|
|
|
```
|
2017-11-16 04:44:52 +01:00
|
|
|
where HOSTNAME is the domain name users see in their browser when
|
|
|
|
using the server (e.g., `zulip.example.com`), and EMAIL is a contact
|
2018-10-20 10:11:46 +02:00
|
|
|
address for the server admins. Additional hostnames can also be
|
|
|
|
specified to issue a certificate for multiple domains.
|
2016-08-25 06:33:09 +02:00
|
|
|
|
2017-11-16 04:44:52 +01:00
|
|
|
### How it works
|
2016-08-25 06:33:09 +02:00
|
|
|
|
2017-11-16 04:44:52 +01:00
|
|
|
When the Certbot automation in Zulip is first enabled, by either
|
|
|
|
method, it creates an account for the server at the Let's Encrypt CA;
|
|
|
|
requests a certificate for the given hostname; proves to the CA that
|
|
|
|
the server controls the website at that hostname; and is then given a
|
|
|
|
certificate. (For details, refer to
|
|
|
|
[Let's Encrypt](https://letsencrypt.org/how-it-works/).)
|
2016-08-25 06:33:09 +02:00
|
|
|
|
2017-11-16 04:44:52 +01:00
|
|
|
Then it records a flag in `/etc/zulip/zulip.conf` saying Certbot is in
|
|
|
|
use and should be auto-renewed. A cron job checks that flag, then
|
|
|
|
checks if any certificates are due for renewal, and if they are (so
|
|
|
|
approximately once every 60 days), repeats the process of request,
|
|
|
|
prove, get a fresh certificate.
|
2016-08-25 06:33:09 +02:00
|
|
|
|
|
|
|
|
2017-12-13 04:50:51 +01:00
|
|
|
## Self-signed certificate
|
2016-08-25 06:33:09 +02:00
|
|
|
|
2018-01-24 02:54:23 +01:00
|
|
|
If you aren't able to use Certbot, you can generate a
|
|
|
|
self-signed SSL certificate. This isn't suitable for production use
|
|
|
|
(because it's insecure, and because browsers and the Zulip apps will
|
|
|
|
complain that it's insecure), but may be convenient for testing.
|
2016-08-25 06:33:09 +02:00
|
|
|
|
2018-01-24 02:54:23 +01:00
|
|
|
To generate a self-signed certificate when first installing Zulip,
|
|
|
|
just pass the `--self-signed-cert` flag when
|
|
|
|
[running the install script][doc-install-script].
|
2016-08-25 06:33:09 +02:00
|
|
|
|
2018-01-24 02:54:23 +01:00
|
|
|
To generate a self-signed certificate for an already-installed Zulip
|
|
|
|
server, run the following commands:
|
2016-08-25 06:33:09 +02:00
|
|
|
```
|
2018-01-24 02:54:23 +01:00
|
|
|
sudo -s # If not already root
|
|
|
|
/home/zulip/deployments/current/scripts/setup/generate-self-signed-cert HOSTNAME
|
2016-08-25 06:33:09 +02:00
|
|
|
```
|
2018-01-24 02:54:23 +01:00
|
|
|
where HOSTNAME is the domain name (or IP address) to use on the
|
|
|
|
generated certificate.
|
2018-12-25 11:39:15 +01:00
|
|
|
|
|
|
|
After replacing the certificates, you need to reload `nginx` by
|
|
|
|
running the following as `root`:
|
|
|
|
```
|
|
|
|
service nginx reload
|
|
|
|
```
|