Open damascene opened 4 years ago
Good request. For each of the 3 files above, could you view them with a text editor and provide the exact content of the file without the private Base64 data? For example, file privkey.pem contains:
---this header---
(my cert data in base64)
---this footer---
Make sure the header and footers are exact and remove (put XXX) for any private data. I would like to create the same 3 files with my own certificate data, but exactly the same format as your files. That way, I can test that everything works.
On my system:

privkey.pem:
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----

fullchain.pem:
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

cert.pem:
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

chain.pem:
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
Perfect! Thanks!
I've gotten around this issue by using symlinks from my Let's Encrypt live folders to the MeshCentral data folder.
The live folder is just symlinks anyway from the current certificate.
@OutbackMatt To which files are you creating these symlinks? If I just copy all 4 files mentioned above to the MC data folder, MC starts using them?
You only need the top two, privkey.pem and fullchain.pem. I rename them to webserver-cert-private.key and webserver-cert-public.crt.
I leave them in their default location, and use symlinks so that I don't need to copy the certificates every time they are replaced - it is all automatic.
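The symlink setup described in the comment above, written as a checked shell function. This is an added example, not part of the thread and not MeshCentral's own tooling; the function names and the "at least two certificates in fullchain.pem" check are assumptions made here to catch linking cert.pem by mistake.

```shell
#!/bin/sh
# Added example: link certbot's live files into the MeshCentral data folder
# under the file names given in the comment above. Both directories are
# passed as arguments.

# count_certs FILE -> prints the number of certificate blocks in a PEM file
count_certs() {
    grep -c -- '^-----BEGIN CERTIFICATE-----$' "$1"
}

# link_le_certs LIVE_DIR DATA_DIR
#   LIVE_DIR: certbot live folder, e.g. /etc/letsencrypt/live/$domainname
#   DATA_DIR: the MeshCentral data folder
# Returns 0 on success; 1 unreadable file, 2 bad key header, 3 short chain.
link_le_certs() {
    live=$1; data=$2
    key=$live/privkey.pem; chain=$live/fullchain.pem

    # Both files must be readable by the user running this function.
    for f in "$key" "$chain"; do
        [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }
    done

    # privkey.pem must start with a private-key PEM header.
    head -n 1 "$key" | grep -q -- '^-----BEGIN .*PRIVATE KEY-----$' ||
        { echo "$key: no private key header" >&2; return 2; }

    # Assumption: the chain holds the leaf plus at least one intermediate.
    # A single block means the file is effectively cert.pem, and clients
    # would receive an incomplete chain.
    [ "$(count_certs "$chain")" -ge 2 ] ||
        { echo "$chain: expected leaf plus intermediate(s)" >&2; return 3; }

    # Point at the live/ paths, which certbot re-targets on renewal, so the
    # links themselves never need to be recreated.
    ln -sfn "$key" "$data/webserver-cert-private.key" &&
    ln -sfn "$chain" "$data/webserver-cert-public.crt"
}
```

On a default certbot install the live and archive directories are readable only by root, so run the function as the account MeshCentral runs under to confirm that account can actually read the key through the link.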
Some of us may want to use a specific certificate for the web server for various reasons. One example is using the certificates generated by certbot instead of using the built-in method. Those certificates are located at /etc/letsencrypt/live/$domainname/
I think it would be useful to have a config option in the MeshCentral settings file that specifies the location of the web certificates, similar to the ones in Apache and Nginx.
Files provided by certbot include:
privkey.pem: Private key for the certificate. This is what Apache needs for SSLCertificateKeyFile, and Nginx for ssl_certificate_key.
fullchain.pem: All certificates, including server certificate (aka leaf certificate or end-entity certificate). The server certificate is the first one in this file, followed by any intermediates. This is what Apache >= 2.4.8 needs for SSLCertificateFile, and what Nginx needs for ssl_certificate.
cert.pem and chain.pem (less common)
cert.pem contains the server certificate by itself, and chain.pem contains the additional intermediate certificate or certificates that web browsers will need in order to validate the server certificate. If you provide one of these files to your web server, you must provide both of them, or some browsers will show “This Connection is Untrusted” errors for your site, some of the time.
- Apache < 2.4.8 needs these for SSLCertificateFile and SSLCertificateChainFile, respectively.
- If you’re using OCSP stapling with Nginx >= 1.3.7, chain.pem should be provided as the ssl_trusted_certificate to validate OCSP responses.
For more information: https://certbot.eff.org/docs/using.html#where-are-my-certificates