mirror of https://github.com/zulip/zulip.git
docs: Document scripts/setup/generate-self-signed-certs.
And more generally clean up our non-LetsEncrypt SSL docs. This should make it a bit easier to setup a Zulip server.
This commit is contained in:
Tim Abbott
parent
1b653409f4
commit
730c77c7df
|
|
@ -42,12 +42,29 @@ renew with this command:
|
|||
|
||||
If you aren't able to use Let's Encrypt, you can generate a
|
||||
self-signed ssl certificate. We recommend getting a real certificate
|
||||
using Let's Encrypt over this approach because your browser (and some of
|
||||
the Zulip clients) will complain when connecting to your server that
|
||||
the certificate isn't signed.
|
||||
using Let's Encrypt over this approach because browsers (and the the
|
||||
Zulip apps) will complain when connecting to your server that the
|
||||
certificate isn't signed (for good reason: self-signed certificates
|
||||
are a security risk!).
|
||||
|
||||
Run all of these commands as root. If you're not already logged in as root, use
|
||||
`sudo -i` to start an interactive root shell.
|
||||
Run all the commands in this section as root. If you're not already
|
||||
logged in as root, use `sudo -i` to start an interactive root shell.
|
||||
|
||||
The quickest way to create a cert is to use the script we provide:
|
||||
|
||||
```
|
||||
scripts/setup/generate-self-signed-certs zulip.example.com
|
||||
```
|
||||
|
||||
from the root of your Zulip directory (replacing `zulip.example.com`
|
||||
with the hostname of your server i.e. whatever you're going to set as
|
||||
`EXTERNAL_HOST`).
|
||||
|
||||
#### Generating a self-signed cert manually
|
||||
|
||||
We also document the steps below if you want to create a cert
|
||||
manually, which will offer you an opportunity to set your organization
|
||||
name (etc.).
|
||||
|
||||
```
|
||||
apt-get install openssl
|
||||
|
|
@ -55,6 +72,9 @@ openssl genrsa -des3 -passout pass:x -out server.pass.key 4096
|
|||
openssl rsa -passin pass:x -in server.pass.key -out zulip.key
|
||||
rm server.pass.key
|
||||
openssl req -new -key zulip.key -out server.csr
|
||||
|
||||
# The last step above will ask some questions interactively.
|
||||
# Run these after answering the questions about your cert.
|
||||
openssl x509 -req -days 365 -in server.csr -signkey zulip.key -out zulip.combined-chain.crt
|
||||
rm server.csr
|
||||
cp zulip.key /etc/ssl/private/zulip.key
|
||||
|
|
@ -68,4 +88,4 @@ this will let you finish the installation process.
|
|||
|
||||
Finally, if you want to proceed with just an IP address, it is
|
||||
possible to finish a Zulip installation that way; just set
|
||||
EXTERNAL_HOST to be the IP address.
|
||||
`EXTERNAL_HOST` to be the IP address.
|
||||
|
|
|
|||
|
|
@ -73,7 +73,7 @@ ZULIP_PATH="$(realpath $(dirname $0)/../..)"
|
|||
# Handle issues around upstart on Ubuntu Xenial
|
||||
"$ZULIP_PATH"/scripts/lib/check-upstart
|
||||
|
||||
# Try to handle missing SSL certificates early as well
|
||||
# Check for missing SSL certificates early as well
|
||||
if [ "$PUPPET_CLASSES" = "zulip::voyager" ] && ! [ -e "/etc/ssl/private/zulip.key" ] || ! [ -e "/etc/ssl/certs/zulip.combined-chain.crt" ]; then
|
||||
set +x
|
||||
echo
|
||||
|
|
|
|||
Loading…
Reference in New Issue