docs: Document scripts/setup/generate-self-signed-certs.

And more generally clean up our non-LetsEncrypt SSL docs.

This should make it a bit easier to set up a Zulip server.
Tim Abbott 2017-10-24 13:44:41 -07:00
parent 1b653409f4
commit 730c77c7df
2 changed files with 27 additions and 7 deletions

@ -42,12 +42,29 @@ renew with this command:
If you aren't able to use Let's Encrypt, you can generate a If you aren't able to use Let's Encrypt, you can generate a
self-signed ssl certificate. We recommend getting a real certificate self-signed ssl certificate. We recommend getting a real certificate
using Let's Encrypt over this approach because your browser (and some of using Let's Encrypt over this approach because browsers (and the the
the Zulip clients) will complain when connecting to your server that Zulip apps) will complain when connecting to your server that the
the certificate isn't signed. certificate isn't signed (for good reason: self-signed certificates
are a security risk!).
Run all of these commands as root. If you're not already logged in as root, use Run all the commands in this section as root. If you're not already
`sudo -i` to start an interactive root shell. logged in as root, use `sudo -i` to start an interactive root shell.
The quickest way to create a cert is to use the script we provide:
```
scripts/setup/generate-self-signed-certs zulip.example.com
```
from the root of your Zulip directory (replacing `zulip.example.com`
with the hostname of your server i.e. whatever you're going to set as
`EXTERNAL_HOST`).
#### Generating a self-signed cert manually
We also document the steps below if you want to create a cert
manually, which will offer you an opportunity to set your organization
name (etc.).
``` ```
apt-get install openssl apt-get install openssl
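Review bot: The added sentence reads "browsers (and the the Zulip apps)", with "the" doubled across the line wrap; drop one. In the same sentence, "self-signed certificates are a security risk!" gives no reason. A short clause would help, for example that no certificate authority has verified the server's identity, so a client cannot tell this certificate from an impostor's unless it already trusts this exact one. Minor: "ssl" in the unchanged first sentence could become "SSL" while this paragraph is being touched, and "hostname of your server i.e. whatever" wants a comma before "i.e.".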
@ -55,6 +72,9 @@ openssl genrsa -des3 -passout pass:x -out server.pass.key 4096
openssl rsa -passin pass:x -in server.pass.key -out zulip.key openssl rsa -passin pass:x -in server.pass.key -out zulip.key
rm server.pass.key rm server.pass.key
openssl req -new -key zulip.key -out server.csr openssl req -new -key zulip.key -out server.csr
# The last step above will ask some questions interactively.
# Run these after answering the questions about your cert.
openssl x509 -req -days 365 -in server.csr -signkey zulip.key -out zulip.combined-chain.crt openssl x509 -req -days 365 -in server.csr -signkey zulip.key -out zulip.combined-chain.crt
rm server.csr rm server.csr
cp zulip.key /etc/ssl/private/zulip.key cp zulip.key /etc/ssl/private/zulip.key
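Review bot: The new comment under `openssl req -new -key zulip.key -out server.csr` refers to "questions about your cert" without saying which answer matters. The Common Name prompt should be answered with the server hostname (the value that will be `EXTERNAL_HOST`), the same name `generate-self-signed-certs` takes as its argument in the previous hunk; please say so in the comment. Also, "The last step above" sits directly below that command, so "The command above" would read more clearly.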
@ -68,4 +88,4 @@ this will let you finish the installation process.
Finally, if you want to proceed with just an IP address, it is Finally, if you want to proceed with just an IP address, it is
possible to finish a Zulip installation that way; just set possible to finish a Zulip installation that way; just set
EXTERNAL_HOST to be the IP address. `EXTERNAL_HOST` to be the IP address.

@ -73,7 +73,7 @@ ZULIP_PATH="$(realpath $(dirname $0)/../..)"
# Handle issues around upstart on Ubuntu Xenial # Handle issues around upstart on Ubuntu Xenial
"$ZULIP_PATH"/scripts/lib/check-upstart "$ZULIP_PATH"/scripts/lib/check-upstart
# Try to handle missing SSL certificates early as well # Check for missing SSL certificates early as well
if [ "$PUPPET_CLASSES" = "zulip::voyager" ] && ! [ -e "/etc/ssl/private/zulip.key" ] || ! [ -e "/etc/ssl/certs/zulip.combined-chain.crt" ]; then if [ "$PUPPET_CLASSES" = "zulip::voyager" ] && ! [ -e "/etc/ssl/private/zulip.key" ] || ! [ -e "/etc/ssl/certs/zulip.combined-chain.crt" ]; then
set +x set +x
echo echo
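Review bot: While the comment on this check is being reworded, the condition on the next line deserves a look: `[ "$PUPPET_CLASSES" = "zulip::voyager" ] && ! [ -e ".../zulip.key" ] || ! [ -e ".../zulip.combined-chain.crt" ]` is evaluated left to right by the shell as (A && no key) || no cert, so a missing `zulip.combined-chain.crt` enters this branch whatever `PUPPET_CLASSES` is. If the check is meant only for `zulip::voyager`, group the two file tests, e.g. `A && { ! [ -e key ] || ! [ -e cert ]; }`. If the current behaviour is intended, the new comment should say so.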