Documentation Version: er2.0.28-docs-1.1

Enable HTTPS

Connect to HTTPS

If a valid SSL certificate has been installed on the Master Server, you will be automatically redirected to the HTTPS site when connected to the Web Console. See Automatic Redirects to HTTPS for more information.

To manually navigate to the HTTPS site, include https:// when entering the IP address, host name, or domain name with which you access the Web Console.

Your browser warns that the Web Console "uses an invalid security certificate". This is the self-signed SSL certificate that the Master Server generates on installation. Most browsers correctly treat self-signed certificates as invalid, but will allow security exceptions to be added.

The following instructions are for Firefox 51; most browsers will allow you to add security exceptions.

To force the browser to use HTTPS to connect to the Web Console, ask the browser to ignore the SSL certificate warning and to add a security exception when prompted:

  1. In your browser, click Advanced.
  2. Click Add Exception.
  3. In the Add Security Exception dialog box:
    1. Click Confirm Security Exception to proceed to the HTTPS site.
    2. Select Permanently store this exception to prevent your browser from displaying this warning for the Web Console again.

Automatic Redirects to HTTPS

To have the Web Console automatically redirect users to the HTTPS site, update the Master Server with a custom SSL certificate.

Custom SSL Certificates

To prevent your browser from displaying the security certificate warning when connecting to the Web Console, you must do either of the following:

Obtain Signed SSL Certificate

Obtain a new SSL certificate signed by a trusted CA by generating and submitting a Certificate Signing Request (CSR). This CSR is sent to the CA; the CA uses the details included in the CSR to generate an SSL certificate for the Master Server.

To generate a CSR, run as root on the Master Server console:

openssl req -new -key /var/lib/er2/ui/sslkey.pem -out /var/lib/er2/ui/er2-master.csr

openssl asks for the following information:

Prompt                                                       Answer
Country Name (2 letter code) [AU]:                           Your country's two-letter country code (ISO 3166-1 alpha-2).
State or Province Name (full name) [Some-State]:             State or province name.
Locality Name (eg, city) []:                                 City name or name of region.
Organization Name (eg, company) [Internet Widgits Pty Ltd]:  Name of organisation.
Organizational Unit Name (eg, section) []:                   Name of organisational department.
Common Name (e.g. server FQDN or YOUR name) []:              Must be the fully qualified domain name of the Master Server.
Email Address []:                                            Email address of contact person.
Please enter the following 'extra' attributes to be sent with your certificate request
A challenge password []:                                     Leave empty; do not enter any values.
An optional company name []:                                 Leave empty; do not enter any values.

You must adequately answer the questions posed by each prompt (unless otherwise specified). The CA uses this information to generate the SSL certificate.

Make sure that the Common Name is the URL with which you access the Web Console. The Common Name depends on the URL you entered in your browser to access the Web Console:
- https://er-master/ – Common name is er-master.
- – Common name is

The openssl command generates a CSR file, er2-master.csr. Submit this CSR to your organisation's CA.

To move the CSR file out of the Master Server, see Use SCP to Move the CSR File.

To display the contents of the CSR file, run:

# A CSR is read with the req subcommand; openssl x509 only parses issued certificates.
openssl req -in /var/lib/er2/ui/er2-master.csr -text -noout

Use SCP to Move the CSR File

To move the CSR file out of the Master Server and submit it to a CA, use the SCP protocol.

On the Master Server, start the OpenSSH server by running as root:

service sshd start

On Windows

Use a Windows SCP client such as WinSCP to connect to the Master Server via the SCP protocol.

  1. Start WinSCP.
  2. In the Login dialog box, enter the following:

    Field           Value
    File protocol   Select SCP.
    Host name       Enter the host name or IP address of the Master Server.
    Port number     Default value is 22.
    User name       Enter root.
    Password        Enter the root password for the Master Server.
  3. Click Save.
  4. Click Login to connect to the Master Server.

Once connected, locate the CSR file on the Master Server and copy it to your Windows host. Submit the CSR file to your CA.

On Linux

On the Linux host that you want to copy the CSR file to, open the terminal and run:

# Where er-master is the host name or IP address of the Master Server.
scp root@er-master:/var/lib/er2/ui/er2-master.csr ./

This securely copies the CSR file (er2-master.csr) to your current directory. Once the file has been copied, submit the CSR file to your CA.

If you cannot connect to the Master Server via the SCP protocol, check that the OpenSSH server is running on the Master Server console. Run as root: service sshd start

Install the New SSL Certificate

When you receive your SSL certificate from the CA:

  1. Change the file name of the SSL certificate to: sslcert.pem.
  2. Move the SSL certificate to the /var/lib/er2/ui/ folder on the Master Server.
  3. Run as root: chmod 600 /var/lib/er2/ui/sslcert.pem

Restart the Web Console

Restart the Web Console:

  1. Find the pid of the ui process by running as root:
    ps aux | grep ui
    # Displays output similar to:
    # root xxxx 0.1 2.6 427148 13112 ? Ssl 16:22 0:00 /var/lib/er2/plugins/ui -c /var/lib/er2/ui.cfg -pid /var/lib/er2/ -fg -start
    # root 1495 0.0 0.1 103312 876 pts/0 S+ 16:22 0:00 grep ui

    # The pid of the ui process is xxxx: the second column of the line whose command is
    # /var/lib/er2/plugins/ui. Ignore the "grep ui" line, which is the grep command itself.
  2. Kill the ui process. Running this command incorrectly may cause your system to stop working; make sure that you run kill -9 on the correct pid. Run as root:
    # where xxxx is the pid of the ui process.
    kill -9 xxxx
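A safer way to locate the ui pid before step 2, added here as an example that is not part of the er2 documentation: it matches only the ui plugin's executable path from the output above and refuses to return a pid unless exactly one process matches. It assumes procps-style ps aux columns like those shown above and the binary path /var/lib/er2/plugins/ui.

```shell
# Added example (not from the er2 documentation): find the Web Console
# ("ui") process pid without the ambiguity of `ps aux | grep ui`, which
# also matches the grep itself and any other command containing "ui".
# find_ui_pid reads `ps aux` output on stdin and prints a pid only when
# exactly one process runs the ui plugin binary shown in the page's output.
# Assumes procps-style columns: field 2 is the pid, field 11 the executable.
UI_BIN="/var/lib/er2/plugins/ui"

# Exit status: 0 = pid printed, 1 = no ui process, 2 = more than one match.
find_ui_pid() {
    pids=$(awk -v bin="$UI_BIN" '$11 == bin { print $2 }')
    count=$(printf '%s\n' "$pids" | awk 'NF { n++ } END { print n + 0 }')
    case "$count" in
        0) return 1 ;;
        1) printf '%s\n' "$pids" ;;
        *) return 2 ;;
    esac
}

# restart_ui: the page's step 2 (run as root), but only with an unambiguous pid.
restart_ui() {
    pid=$(ps aux | find_ui_pid) || {
        echo "ui process not found or ambiguous; nothing killed" >&2
        return 1
    }
    kill -9 "$pid"
}
```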

Self-Signed Certificates

Using self-signed certificates for production environments is not recommended.

The Master Server can act as its own CA and issue self-signed SSL certificates.

To issue self-signed certificates, run as root on the Master Server console:

  1. Create a configuration file subjectAltName.conf:
    touch subjectAltName.conf
  2. Open subjectAltName.conf in a text editor, and enter the following information, where:
    • SG is the ISO 3166-1 alpha-2 country code of your current location.
    • Organisation Name is the name of your organisation.
    • <domain name> is the domain name with which you access the Master Server. This may be the host name or FQDN of your Master Server. It is used both as the Common Name (CN) and as the subjectAltName DNS entry; modern browsers validate the subjectAltName rather than the CN, so both must carry the same name.

    [req]
    default_bits = 2048
    prompt = no
    default_md = sha256
    req_extensions = req_ext
    distinguished_name = dn

    [dn]
    C=SG
    O=Organisation Name
    CN=<domain name>

    [req_ext]
    basicConstraints = CA:FALSE
    keyUsage = nonRepudiation, digitalSignature, keyEncipherment
    subjectAltName = @alt_names

    [alt_names]
    DNS.1 = <domain name>

  3. Save subjectAltName.conf.
  4. Run:
    # Generate a new private key.
    openssl genrsa -out /var/lib/er2/ui/sslkey.pem 2048
    # Generate a new Certificate Signing Request, server.csr, from subjectAltName.conf.
    openssl req -new -key /var/lib/er2/ui/sslkey.pem -out /var/lib/er2/ui/server.csr -config subjectAltName.conf
    # Generate a new SSL certificate, valid for 365 days, with the req_ext extensions (including the subjectAltName) applied.
    openssl x509 -req -days 365 -in /var/lib/er2/ui/server.csr -signkey /var/lib/er2/ui/sslkey.pem -out /var/lib/er2/ui/sslcert.pem -extensions req_ext -extfile subjectAltName.conf
    # Restrict permissions on the generated *.pem files.
    chmod 600 /var/lib/er2/ui/sslkey.pem
    chmod 600 /var/lib/er2/ui/sslcert.pem
  5. Restart the Web Console.
  6. Add a security exception to your web browser. See Connect to HTTPS.
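The self-signed procedure above, together with the checks worth running on any sslcert.pem before it is installed (whether it came from your CA as in Obtain Signed SSL Certificate or from the steps above), as an added shell example that is not part of the er2 documentation. It assumes the caller supplies DIR and FQDN (constructed values here; /var/lib/er2/ui and the Master Server's FQDN in practice) and uses "Example Organisation" as the Organisation Name.

```shell
# Added example (not from the er2 documentation). make_self_signed runs
# steps 1-4 of "Self-Signed Certificates"; check_cert runs the checks worth
# doing on any sslcert.pem/sslkey.pem pair before installing it. DIR and
# FQDN are constructed inputs (on a Master Server: /var/lib/er2/ui and
# the name you type into the browser).

make_self_signed() {
    dir=$1; fqdn=$2
    cat > "$dir/subjectAltName.conf" <<EOF
[req]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn

[dn]
C=SG
O=Example Organisation
CN=$fqdn

[req_ext]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = $fqdn
EOF
    openssl genrsa -out "$dir/sslkey.pem" 2048 2>/dev/null
    openssl req -new -key "$dir/sslkey.pem" -out "$dir/server.csr" \
        -config "$dir/subjectAltName.conf"
    openssl x509 -req -days 365 -in "$dir/server.csr" -signkey "$dir/sslkey.pem" \
        -out "$dir/sslcert.pem" -extensions req_ext -extfile "$dir/subjectAltName.conf" 2>/dev/null
    chmod 600 "$dir/sslkey.pem" "$dir/sslcert.pem"
}

check_cert() {
    dir=$1; fqdn=$2
    # 1. a CSR is read with `openssl req` (`openssl x509` cannot parse one)
    openssl req -in "$dir/server.csr" -noout -verify >/dev/null 2>&1 || return 1
    # 2. the certificate must carry the public half of sslkey.pem
    [ "$(openssl x509 -in "$dir/sslcert.pem" -noout -pubkey)" = \
      "$(openssl pkey -in "$dir/sslkey.pem" -pubout)" ] || return 2
    # 3. the SAN must contain the name the browser connects to
    openssl x509 -in "$dir/sslcert.pem" -noout -text | grep -q "DNS:$fqdn" || return 3
    # 4. the private key stays readable by root only (the page's chmod 600)
    [ "$(ls -l "$dir/sslkey.pem" | cut -c1-10)" = "-rw-------" ] || return 4
}
```

check_cert exits non-zero with the number of the first failed check, so it can gate the Install the New SSL Certificate step in a script.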