zulip/docs/production/ssl-certificates.md

# Installing SSL Certificates

To keep your communications secure, Zulip runs over HTTPS only.
You'll need an SSL/TLS certificate.

Fortunately, since about 2017, new options can make getting and
maintaining a genuine, trusted-by-browsers certificate no longer the
chore (nor expense) that it used to be.

## Manual install

If you already have an SSL certificate, just install (or symlink) its
files into place at the following paths:
* `/etc/ssl/private/zulip.key` for the private key
* `/etc/ssl/certs/zulip.combined-chain.crt` for the certificate.

Your certificate file should contain not only your own certificate but
its full chain, including any intermediate certificates used by your
CA.  See the [nginx documentation][nginx-chains] for details on what
this means and how to do it and test it.  If you're missing part of
the chain, your server may work with some browsers but not others.

[nginx-chains]: http://nginx.org/en/docs/http/configuring_https_servers.html#chains

## Certbot (recommended)

[Let's Encrypt](https://letsencrypt.org/) is a free, completely
automated CA launched in 2016 to help make HTTPS routine for the
entire Web.  Zulip offers a simple automation for
[Certbot](https://certbot.eff.org/), a Let's Encrypt client, to get
SSL certificates from Let's Encrypt and renew them automatically.

We recommend most Zulip servers use Certbot.  You'll want something
else if:
* you have an existing workflow for managing SSL certificates
  that you prefer;
* you need wildcard certificates (support from Let's Encrypt planned
  for [early 2018][letsencrypt-wildcard]); or
* your Zulip server is not on the public Internet. (In this case you
  can [still use Certbot][certbot-manual-mode], but it's less
  convenient; and you'll want to ignore Zulip's automation.)

[letsencrypt-wildcard]: https://letsencrypt.org/2017/07/06/wildcard-certificates-coming-jan-2018.html
[certbot-manual-mode]: https://certbot.eff.org/docs/using.html#manual

### At initial Zulip install

To enable the Certbot automation when first installing Zulip, just
pass the `--certbot` flag when [running the install script][doc-install-script].

The `--hostname` and `--email` options are required when using
`--certbot`.  You'll need the hostname to be a real DNS name, and the
Zulip server machine to be reachable by that name from the public
Internet.

[doc-install-script]: ../production/install.html#step-2-install-zulip

### After Zulip is already installed

To enable the Certbot automation on an already-installed Zulip
server, run the following commands:
```
sudo -s  # If not already root
/home/zulip/deployments/current/scripts/setup/setup-certbot --hostname=HOSTNAME --email=EMAIL
```
where HOSTNAME is the domain name users see in their browser when
using the server (e.g., `zulip.example.com`), and EMAIL is a contact
address for the server admins.

### How it works

When the Certbot automation in Zulip is first enabled, by either
method, it creates an account for the server at the Let's Encrypt CA;
requests a certificate for the given hostname; proves to the CA that
the server controls the website at that hostname; and is then given a
certificate.  (For details, refer to
[Let's Encrypt](https://letsencrypt.org/how-it-works/).)

Then it records a flag in `/etc/zulip/zulip.conf` saying Certbot is in
use and should be auto-renewed.  A cron job checks that flag, then
checks if any certificates are due for renewal, and if they are (so
approximately once every 60 days), repeats the process of request,
prove, get a fresh certificate.


## Self-signed certificate

If you aren't able to use Certbot, you can generate a
self-signed SSL certificate.  This isn't suitable for production use
(because it's insecure, and because browsers and the Zulip apps will
complain that it's insecure), but may be convenient for testing.

To generate a self-signed certificate when first installing Zulip,
just pass the `--self-signed-cert` flag when
[running the install script][doc-install-script].

To generate a self-signed certificate for an already-installed Zulip
server, run the following commands:
```
sudo -s  # If not already root
/home/zulip/deployments/current/scripts/setup/generate-self-signed-cert HOSTNAME
```
where HOSTNAME is the domain name (or IP address) to use on the
generated certificate.
docs: Update documentation to recommend certbot. 2017-10-28 02:46:31 +02:00			`# Installing SSL Certificates`
docs: Update TOC in production to include SSL and email. This adds a few missing entries to the TOC, which hadn't made sense back when Zulip's ReadTheDocs didn't have the new collapsing feature. Tweaked by tabbott to also give the SSL certificates doc an appropriate title for its new role. 2017-11-18 12:56:32 +01:00
docs: Rewrite certbot discussion, to enjoy the new automation. This doesn't touch the main path through the install docs; that will see a broader rewrite soon as we make outbound email optional for a nascent server, make the hostname and admin email into mandatory installer flags, and then radically simplify the instructions by removing mandatory editing of `settings.py` and folding most of what's left into the installer. 2017-11-16 04:44:52 +01:00			`To keep your communications secure, Zulip runs over HTTPS only.`
docs: Update documentation to recommend certbot. 2017-10-28 02:46:31 +02:00			`You'll need an SSL/TLS certificate.`

docs: ssl-certificates: 2017 is no longer the present. Tweak this wording so it stays true and time-appropriate indefinitely. 2018-01-23 20:08:17 +01:00			`Fortunately, since about 2017, new options can make getting and`
			`maintaining a genuine, trusted-by-browsers certificate no longer the`
			`chore (nor expense) that it used to be.`
docs: Update documentation to recommend certbot. 2017-10-28 02:46:31 +02:00
			`## Manual install`

docs: Revise explanation of manual SSL cert install. Change a bit of prose to bullets. Also lead with the "If you ..." that helps readers skim past this section. 2017-12-13 04:49:21 +01:00			`If you already have an SSL certificate, just install (or symlink) its`
			`files into place at the following paths:`
			* `/etc/ssl/private/zulip.key` for the private key
			* `/etc/ssl/certs/zulip.combined-chain.crt` for the certificate.

prod docs: Call out more the need for a chained cert bundle. This is kind of easy to gloss over, especially with the framing as a "format"; surely if things work at all, the file format must have been right, right? It's really a bit more substantive than that; say so and also add a bit more description. 2018-04-16 20:29:19 +02:00			`Your certificate file should contain not only your own certificate but`
			`its full chain, including any intermediate certificates used by your`
			`CA. See the [nginx documentation][nginx-chains] for details on what`
			`this means and how to do it and test it. If you're missing part of`
			`the chain, your server may work with some browsers but not others.`

			`[nginx-chains]: http://nginx.org/en/docs/http/configuring_https_servers.html#chains`
docs: Rewrite certbot discussion, to enjoy the new automation. This doesn't touch the main path through the install docs; that will see a broader rewrite soon as we make outbound email optional for a nascent server, make the hostname and admin email into mandatory installer flags, and then radically simplify the instructions by removing mandatory editing of `settings.py` and folding most of what's left into the installer. 2017-11-16 04:44:52 +01:00
docs: Tighten sub-headings in SSL certs doc. What I really want is to give these sections nice stable slugs to put on the anchors and use as the URL fragment, independent of any wording tweaks on the text headings. But I don't think we have that feature with Markdown and our current docs infrastructure. At least for Certbot, the brevity helps make this heading clearer than the previous one. 2017-12-13 04:50:51 +01:00			`## Certbot (recommended)`
docs: Rewrite certbot discussion, to enjoy the new automation. This doesn't touch the main path through the install docs; that will see a broader rewrite soon as we make outbound email optional for a nascent server, make the hostname and admin email into mandatory installer flags, and then radically simplify the instructions by removing mandatory editing of `settings.py` and folding most of what's left into the installer. 2017-11-16 04:44:52 +01:00
			`[Let's Encrypt](https://letsencrypt.org/) is a free, completely`
			`automated CA launched in 2016 to help make HTTPS routine for the`
			`entire Web. Zulip offers a simple automation for`
			`[Certbot](https://certbot.eff.org/), a Let's Encrypt client, to get`
			`SSL certificates from Let's Encrypt and renew them automatically.`

			`We recommend most Zulip servers use Certbot. You'll want something`
			`else if:`
			`* you have an existing workflow for managing SSL certificates`
			`that you prefer;`
			`* you need wildcard certificates (support from Let's Encrypt planned`
docs: Update ETA for Let's Encrypt wildcard support. It's now January 2018, so we can delete this caveat, right? Not quite yet -- the original post we link to now has an update saying 2018-02-27. Let's make it less specific, in case the date changes again. 2018-01-23 18:15:03 +01:00			`for [early 2018][letsencrypt-wildcard]); or`
docs: Rewrite certbot discussion, to enjoy the new automation. This doesn't touch the main path through the install docs; that will see a broader rewrite soon as we make outbound email optional for a nascent server, make the hostname and admin email into mandatory installer flags, and then radically simplify the instructions by removing mandatory editing of `settings.py` and folding most of what's left into the installer. 2017-11-16 04:44:52 +01:00			`* your Zulip server is not on the public Internet. (In this case you`
			`can [still use Certbot][certbot-manual-mode], but it's less`
			`convenient; and you'll want to ignore Zulip's automation.)`

			`[letsencrypt-wildcard]: https://letsencrypt.org/2017/07/06/wildcard-certificates-coming-jan-2018.html`
			`[certbot-manual-mode]: https://certbot.eff.org/docs/using.html#manual`

			`### At initial Zulip install`

			`To enable the Certbot automation when first installing Zulip, just`
docs: Link back to install step in SSL doc. 2017-12-13 05:13:34 +01:00			pass the `--certbot` flag when [running the install script][doc-install-script].
docs: Rewrite certbot discussion, to enjoy the new automation. This doesn't touch the main path through the install docs; that will see a broader rewrite soon as we make outbound email optional for a nascent server, make the hostname and admin email into mandatory installer flags, and then radically simplify the instructions by removing mandatory editing of `settings.py` and folding most of what's left into the installer. 2017-11-16 04:44:52 +01:00
			The `--hostname` and `--email` options are required when using
			`--certbot`. You'll need the hostname to be a real DNS name, and the
			`Zulip server machine to be reachable by that name from the public`
			`Internet.`

docs: Link back to install step in SSL doc. 2017-12-13 05:13:34 +01:00			`[doc-install-script]: ../production/install.html#step-2-install-zulip`

docs: Rewrite certbot discussion, to enjoy the new automation. This doesn't touch the main path through the install docs; that will see a broader rewrite soon as we make outbound email optional for a nascent server, make the hostname and admin email into mandatory installer flags, and then radically simplify the instructions by removing mandatory editing of `settings.py` and folding most of what's left into the installer. 2017-11-16 04:44:52 +01:00			`### After Zulip is already installed`

			`To enable the Certbot automation on an already-installed Zulip`
			`server, run the following commands:`
docs: Move SSL docs to a dedicated page. 2016-08-25 06:33:09 +02:00			```
docs: Rewrite certbot discussion, to enjoy the new automation. This doesn't touch the main path through the install docs; that will see a broader rewrite soon as we make outbound email optional for a nascent server, make the hostname and admin email into mandatory installer flags, and then radically simplify the instructions by removing mandatory editing of `settings.py` and folding most of what's left into the installer. 2017-11-16 04:44:52 +01:00			`sudo -s # If not already root`
			`/home/zulip/deployments/current/scripts/setup/setup-certbot --hostname=HOSTNAME --email=EMAIL`
docs: Move SSL docs to a dedicated page. 2016-08-25 06:33:09 +02:00			```
docs: Rewrite certbot discussion, to enjoy the new automation. This doesn't touch the main path through the install docs; that will see a broader rewrite soon as we make outbound email optional for a nascent server, make the hostname and admin email into mandatory installer flags, and then radically simplify the instructions by removing mandatory editing of `settings.py` and folding most of what's left into the installer. 2017-11-16 04:44:52 +01:00			`where HOSTNAME is the domain name users see in their browser when`
			using the server (e.g., `zulip.example.com`), and EMAIL is a contact
			`address for the server admins.`
docs: Move SSL docs to a dedicated page. 2016-08-25 06:33:09 +02:00
docs: Rewrite certbot discussion, to enjoy the new automation. This doesn't touch the main path through the install docs; that will see a broader rewrite soon as we make outbound email optional for a nascent server, make the hostname and admin email into mandatory installer flags, and then radically simplify the instructions by removing mandatory editing of `settings.py` and folding most of what's left into the installer. 2017-11-16 04:44:52 +01:00			`### How it works`
docs: Move SSL docs to a dedicated page. 2016-08-25 06:33:09 +02:00
docs: Rewrite certbot discussion, to enjoy the new automation. This doesn't touch the main path through the install docs; that will see a broader rewrite soon as we make outbound email optional for a nascent server, make the hostname and admin email into mandatory installer flags, and then radically simplify the instructions by removing mandatory editing of `settings.py` and folding most of what's left into the installer. 2017-11-16 04:44:52 +01:00			`When the Certbot automation in Zulip is first enabled, by either`
			`method, it creates an account for the server at the Let's Encrypt CA;`
			`requests a certificate for the given hostname; proves to the CA that`
			`the server controls the website at that hostname; and is then given a`
			`certificate. (For details, refer to`
			`[Let's Encrypt](https://letsencrypt.org/how-it-works/).)`
docs: Move SSL docs to a dedicated page. 2016-08-25 06:33:09 +02:00
docs: Rewrite certbot discussion, to enjoy the new automation. This doesn't touch the main path through the install docs; that will see a broader rewrite soon as we make outbound email optional for a nascent server, make the hostname and admin email into mandatory installer flags, and then radically simplify the instructions by removing mandatory editing of `settings.py` and folding most of what's left into the installer. 2017-11-16 04:44:52 +01:00			Then it records a flag in `/etc/zulip/zulip.conf` saying Certbot is in
			`use and should be auto-renewed. A cron job checks that flag, then`
			`checks if any certificates are due for renewal, and if they are (so`
			`approximately once every 60 days), repeats the process of request,`
			`prove, get a fresh certificate.`
docs: Move SSL docs to a dedicated page. 2016-08-25 06:33:09 +02:00

docs: Tighten sub-headings in SSL certs doc. What I really want is to give these sections nice stable slugs to put on the anchors and use as the URL fragment, independent of any wording tweaks on the text headings. But I don't think we have that feature with Markdown and our current docs infrastructure. At least for Certbot, the brevity helps make this heading clearer than the previous one. 2017-12-13 04:50:51 +01:00			`## Self-signed certificate`
docs: Move SSL docs to a dedicated page. 2016-08-25 06:33:09 +02:00
install docs: Document streamlined self-signed-cert flow. This is easy now, so make it known to admins who are looking for a fast path for a test install. Also totally cut the painfully complicated steps for generating a self-signed cert by hand. Anyone who actually wants that can find a hundred explanations on the Web, or can look at our script if they want to specifically mirror how we do it (which is mercifully much simpler than this.) 2018-01-24 02:54:23 +01:00			`If you aren't able to use Certbot, you can generate a`
			`self-signed SSL certificate. This isn't suitable for production use`
			`(because it's insecure, and because browsers and the Zulip apps will`
			`complain that it's insecure), but may be convenient for testing.`
docs: Move SSL docs to a dedicated page. 2016-08-25 06:33:09 +02:00
install docs: Document streamlined self-signed-cert flow. This is easy now, so make it known to admins who are looking for a fast path for a test install. Also totally cut the painfully complicated steps for generating a self-signed cert by hand. Anyone who actually wants that can find a hundred explanations on the Web, or can look at our script if they want to specifically mirror how we do it (which is mercifully much simpler than this.) 2018-01-24 02:54:23 +01:00			`To generate a self-signed certificate when first installing Zulip,`
			just pass the `--self-signed-cert` flag when
			`[running the install script][doc-install-script].`
docs: Move SSL docs to a dedicated page. 2016-08-25 06:33:09 +02:00
install docs: Document streamlined self-signed-cert flow. This is easy now, so make it known to admins who are looking for a fast path for a test install. Also totally cut the painfully complicated steps for generating a self-signed cert by hand. Anyone who actually wants that can find a hundred explanations on the Web, or can look at our script if they want to specifically mirror how we do it (which is mercifully much simpler than this.) 2018-01-24 02:54:23 +01:00			`To generate a self-signed certificate for an already-installed Zulip`
			`server, run the following commands:`
docs: Move SSL docs to a dedicated page. 2016-08-25 06:33:09 +02:00			```
install docs: Document streamlined self-signed-cert flow. This is easy now, so make it known to admins who are looking for a fast path for a test install. Also totally cut the painfully complicated steps for generating a self-signed cert by hand. Anyone who actually wants that can find a hundred explanations on the Web, or can look at our script if they want to specifically mirror how we do it (which is mercifully much simpler than this.) 2018-01-24 02:54:23 +01:00			`sudo -s # If not already root`
			`/home/zulip/deployments/current/scripts/setup/generate-self-signed-cert HOSTNAME`
docs: Move SSL docs to a dedicated page. 2016-08-25 06:33:09 +02:00			```
install docs: Document streamlined self-signed-cert flow. This is easy now, so make it known to admins who are looking for a fast path for a test install. Also totally cut the painfully complicated steps for generating a self-signed cert by hand. Anyone who actually wants that can find a hundred explanations on the Web, or can look at our script if they want to specifically mirror how we do it (which is mercifully much simpler than this.) 2018-01-24 02:54:23 +01:00			`where HOSTNAME is the domain name (or IP address) to use on the`
			`generated certificate.`