Adding an SSL certificate
To create a self-signed certificate, follow the steps below. A self-signed certificate can be useful for testing and for internal applications. It provides the same encryption as a CA-issued certificate, but browsers do not trust it by default because it was not issued by a recognized Certificate Authority.
Add this to your moonshine.yml:
    :ssl:
      :self_signed: true
Save, commit, and deploy your app. That’s all there is to it. If you want all requests to be redirected and served over self-signed SSL, it would look like this:
    :ssl:
      :only: true
To add an SSL certificate from a certificate authority, ssh into your server and create a directory for the key and certificate files:

    mkdir /home/rails/certs
    cd /home/rails/certs
The utility “openssl” is used to generate the key and CSR.
    openssl genrsa -out mynewsite.key 2048
This command generates a 2048-bit RSA private key and stores it in the file mynewsite.key. Do not set a pass phrase on the key; if you are prompted for one, leave it blank.
Generate a new certificate request:
    sudo openssl req -new -key mynewsite.key -out mynewsite.csr

It will ask you to fill in a number of fields that must match the information you give your SSL provider (such as GoDaddy). The one to pay attention to is Common Name: it must be your domain name, without the https:// prefix. You usually don't need to include the 'www'.
Once done, output your certificate request by doing this:
    cat mynewsite.csr
Copy that and enter it when your SSL provider asks for it.
Once your SSL provider approves your SSL certificate, they'll provide you with one or two files. The first is the certificate file and the second, if provided, is the certificate chain file. GoDaddy, for example, provides a zip file containing two files: yourdomain.com.crt and gd_bundle.crt. Save these two files in a directory called certs on your local machine. Change into that directory and copy the files to your server by running this on your local machine:

    scp * rails@yourserver:/home/rails/certs/
This should copy the files to /home/rails/certs/ on your server.
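Before pointing moonshine.yml at these files, it is worth confirming that the key, certificate and chain actually belong together, since a mismatched key or an incomplete bundle only shows up as a web server error after the deploy. The script below is an added example and not part of the Moonshine wiki: it wraps the key and CSR generation above in non-interactive functions (the Common Name is passed with `-subj` instead of being typed at the prompt), restricts the key file to its owner, and checks that the certificate's public key matches the private key and that the chain file verifies the certificate. Because the CA step cannot run offline, the demo self-signs its own CSR to stand in for the issuer's certificate; the file names mynewsite.key, mynewsite.csr and yourdomain.com.crt are taken from this page, and the domain and temporary directory are constructed for the demo.

```shell
#!/bin/sh
# Added example (not Moonshine's code): generate key and CSR non-interactively
# and sanity-check the files before they go into moonshine.yml.
set -u

# Create an unencrypted 2048-bit RSA key that only its owner can read.
gen_key() {                      # $1 = key path
    (umask 077 && openssl genrsa -out "$1" 2048 2>/dev/null)
}

# Create a CSR whose Common Name is the bare domain, without prompting.
gen_csr() {                      # $1 = key, $2 = csr, $3 = domain
    openssl req -new -key "$1" -out "$2" -subj "/CN=$3" 2>/dev/null
}

# Print the Common Name in a CSR, to confirm it before submitting it to the CA.
# Handles both "subject=/CN=..." (OpenSSL 1.0) and "subject=CN = ..." (1.1+).
csr_cn() {                       # $1 = csr
    openssl req -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Private key files must be mode 600 (works with GNU and BSD stat).
key_is_private() {               # $1 = key
    [ "$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")" = "600" ]
}

# Succeeds only if the key and certificate carry the same public key; a mismatch
# here is the usual cause of "key values mismatch" errors after a deploy.
key_matches_cert() {             # $1 = key, $2 = cert
    k=$(openssl rsa -in "$1" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Succeeds if the chain file (e.g. gd_bundle.crt) links the certificate to a root.
verify_chain() {                 # $1 = cert, $2 = chain file
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Build a key, CSR and certificate in $1 for domain $2. The CA cannot be
# reached offline, so the CSR is self-signed here as a stand-in for the
# issuer's certificate; with a real CA you would copy their files instead.
make_demo_files() {              # $1 = directory, $2 = domain
    gen_key "$1/mynewsite.key"
    gen_csr "$1/mynewsite.key" "$1/mynewsite.csr" "$2"
    openssl x509 -req -in "$1/mynewsite.csr" -signkey "$1/mynewsite.key" \
        -out "$1/$2.crt" -days 1 2>/dev/null
}

# Run all checks on a constructed set of files and report each result.
demo() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 1; }
    dir=$(mktemp -d)
    make_demo_files "$dir" yourdomain.com
    echo "CN in CSR: $(csr_cn "$dir/mynewsite.csr")"
    key_is_private "$dir/mynewsite.key" && echo "key permissions: ok"
    key_matches_cert "$dir/mynewsite.key" "$dir/yourdomain.com.crt" && echo "key/cert: match"
    # A self-signed certificate is its own chain; for a CA-issued certificate
    # pass the bundle file the CA gave you as the second argument.
    verify_chain "$dir/yourdomain.com.crt" "$dir/yourdomain.com.crt" && echo "chain: ok"
    rm -rf "$dir"
}

demo
```

With a real CA-issued certificate you would run `key_matches_cert /home/rails/certs/mynewsite.key /home/rails/certs/yourdomain.com.crt` and `verify_chain /home/rails/certs/yourdomain.com.crt /home/rails/certs/gd_bundle.crt` on the server after the scp step; if either fails, fix the files before editing moonshine.yml.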
The final step is to update config/moonshine.yml, commit it to the git repo and deploy.

    :ssl:
      :certificate_file: /home/rails/certs/yourdomain.com.crt
      :certificate_key_file: /home/rails/certs/mynewsite.key
      :certificate_chain_file: /home/rails/certs/gd_bundle.crt
The certificate_chain_file is only required if your certificate authority provided one, otherwise, leave out this line. Save & close this file. Next update your git repo.
    git add config/moonshine.yml
    git commit -m "Updated moonshine config file with SSL info"
    git push
    cap deploy
You can take advantage of the stage-specific moonshine configuration files if you would like different SSL configurations on your staging and production servers. One common example is a staging server set up with a self-signed certificate and a certificate from a CA for production. To do this, in your rails directory:

    mkdir -p config/moonshine
    touch config/moonshine/production.yml
    touch config/moonshine/staging.yml
Then, set up each stage as you want it in its respective config. In this example, we want a self-signed certificate on staging. We can configure this in config/moonshine/staging.yml:

    :ssl:
      :self_signed: true
For production, however, we would like to use the certificate from a CA that we have. After we do the proper setup, as detailed in the previous section, we then update config/moonshine/production.yml with the following:
    :ssl:
      :certificate_file: /home/rails/certs/yourdomain.com.crt
      :certificate_key_file: /home/rails/certs/mynewsite.key
      :certificate_chain_file: /home/rails/certs/gd_bundle.crt
Once you have committed your changes to your git repository, you can deploy to apply them:

    git add config/moonshine
    git commit -m "Added production and staging SSL configs"
    git push
    cap staging deploy
    cap production deploy
- Link to possible SSL issuers
- Reference specific issuers' documentation and tools
- Update recommended way of putting certificates on server (keep in version control and manage with moonshine, rather than scp)