
How to update Nginx certificate

Compatibility note: available in Maestro installation from version v24.38.

TeskaLabs LogMan.io installation comes with self-signed SSL certificates by default. You may want to replace these with custom SSL certificates, which also need to be renewed from time to time.

See how to generate a CSR for your certificate authority.

The Nginx certificate is stored in the Vault as nginx_certificate. The private key is stored in the Vault as nginx_private_key.

Set SSL certificate

To replace the default self-signed certificates, provide both the private key and the certificate. First, place both files on the server. Then, send them to the Vault through the API. Use these commands on any of the cluster nodes with ASAB Remote Control running:

curl -X PUT localhost:8891/vault/nginx_private_key --data-binary '@/absolute/path/to/private_key.pem'

curl -X PUT localhost:8891/vault/nginx_certificate --data-binary '@/absolute/path/to/certificate.pem'

To apply the new certificate, hit the "Apply" button (or run ./gov.sh up in /opt/site) for each node with the nginx service.
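
A pre-upload check for the two files, as an added example that is not part of the LogMan.io documentation: it confirms that the private key matches the certificate and that the certificate is not about to expire, then sends both to the Vault with the curl commands above. The function names, return codes and one-day validity threshold are assumptions of this example, and it assumes an unencrypted PEM key and the openssl CLI on the node.

```shell
#!/bin/sh
# Added example: validate a key/certificate pair before storing it in the Vault.
# Return codes (chosen for this example): 0 ok, 1 unreadable, 2 mismatch, 3 expiring.
check_nginx_pair() {
    key=$1; cert=$2; min_valid=${3:-86400}   # threshold in seconds (assumption)

    # Public key derived from the private key. "-passin pass:" stops openssl
    # from prompting, so an encrypted key fails here instead of hanging.
    key_pub=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null) || {
        echo "cannot read private key (encrypted or malformed?): $key" >&2
        return 1
    }
    # Public key embedded in the first certificate found in the file.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || {
        echo "cannot read certificate: $cert" >&2
        return 1
    }
    if [ "$key_pub" != "$cert_pub" ]; then
        echo "private key does not match certificate" >&2
        return 2
    fi
    # -checkend exits non-zero when the certificate expires within min_valid seconds.
    if ! openssl x509 -in "$cert" -noout -checkend "$min_valid" >/dev/null 2>&1; then
        echo "certificate is expired or expires within ${min_valid}s" >&2
        return 3
    fi
    return 0
}

# Run the check, then the two PUT requests from this page. --fail makes curl
# return non-zero on an HTTP error so a rejected upload is not silently ignored.
upload_nginx_pair() {
    check_nginx_pair "$1" "$2" || return $?
    curl --fail -X PUT localhost:8891/vault/nginx_private_key --data-binary "@$1" &&
    curl --fail -X PUT localhost:8891/vault/nginx_certificate --data-binary "@$2"
}

# Usage: upload_nginx_pair /absolute/path/to/private_key.pem /absolute/path/to/certificate.pem
```

For a renewal, the same check applies with the existing private key file and the new certificate.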

Renew SSL certificate

Having the certificate stored, run this command on any of the cluster nodes with ASAB Remote Control running:

curl -X PUT localhost:8891/vault/nginx_certificate --data-binary '@/absolute/path/to/certificate.pem'

To apply the new certificate, hit the "Apply" button (or run ./gov.sh up in /opt/site) for each node with the nginx service.

Troubleshooting

My certificate doesn't work. I want the default one back.

It may happen that after you upload a custom SSL certificate, Nginx does not start due to some issues with the certificates and you lose access to the GUI. You can always let Maestro regenerate the self-signed certificate.

First, delete your custom certificate and key from the Vault:

curl -X DELETE localhost:8891/vault/nginx_private_key

curl -X DELETE localhost:8891/vault/nginx_certificate

Hit the "Apply" button (or run ./gov.sh up in /opt/site) for each node with the nginx service. When Maestro cannot find these items in the Vault, it generates them and you can start Nginx again.