Home Explore Help
Register Sign In
oleg
/
ztncui
mirror of https://github.com/key-networks/ztncui.git
1
0
Fork 0
Files Issues 0 Wiki
Browse Source

Added instructions for generating TLS certs

Key Networks 7 years ago
parent
49a3319e58
commit
234c68a4d1
2 changed files with 51 additions and 0 deletions
Split View Show Diff Stats
  1. 49 0
      README.md
  2. 2 0
      public/.well-known/acme-challenge/.gitignore

+ 49 - 0
README.md
View File 

@@ -6,6 +6,9 @@ Screenshots can be seen at [key-networks.com](https://key-networks.com).
 
 
 ## Getting Started
 
 
+### Note
 
+Relative directory references below are relative to the ztncui directory.
 
+
 
 ### Prerequisites
 
 * ztncui is a [node.js](https://nodejs.org) [Express](https://expressjs.com) application that requires [node.js](https://nodejs.org) v8 or higher.
 
 
@@ -128,6 +131,52 @@ HTTPS_HOST=12.34.56.78
 
 ```
 
 If HTTPS_HOST is not specified, but HTTPS_PORT is specified, then the app will listen for HTTPS requests on all interfaces.
 
 
+###### TLS Certificate
 
+For HTTPS you obviously need a TLS (SSL) certificate and private key pair.  There are a few options:
 
+
 
+1. Generate a self-signed certificate as follows:
 
+   ```shell
 
+   cd etc/tls
 
+   openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout privkey.pem -out fullchain.pem
 
+   ```
 
+   Fill in the required details as prompted.
 
+
 
+   The advantage of this option is that it is quick and easy to generate the certificate / private key pair.  The disadvantage is that your web browser will give you a warning that it cannot verify the certificate.  You can override this warning and make a temporary exception.
 
+
 
+2. Buy a certificate:
 
+
 
+   You will need to store the private key as `etc/tls/privkey.pem` and the full certificate chain as `etc/tls/fullchain.pem`.  They need to be in PEM format.
 
+
 
+3. Get a free certificate from Letsencrypt.org:
 
+
 
+      a. Install certbot by following the instructions at certbot.eff.org:
 
+
 
+        i.   For "Software" select "None of the above".
 
+        ii.  For "System" select your OS.
 
+        iii. Follow the instructions to install certbot on your system.
 
+
 
+      b. Use certbot to generate a certificate in webroot mode from the root of the ztncui directory:
 
+      ```shell
 
+      certbot --webroot -w public -d [network_controller_fqdn]
 
+      ```
 
+      Where **[network_controller_fqdn]** is the FQDN that resolves back to the address of the machine running the ZeroTier network controller and ztncui.
 
+
 
+      If certbot runs successfully, it should give you the location of your certificate, which should be something like:
 
+      ```
 
+      /etc/letsencrypt/live/[network_controller_fqdn]/fullchain.pem
 
+      ```
 
+
 
+      c. Make soft links from etc/tls to the certificate and private key under /etc/letsencrypt/live:
 
+      ```shell
 
+      cd etc/tls
 
+      ln -s /etc/letsencrypt/live/[network_controller_fqdn]/fullchain.pem
 
+      ln -s /etc/letsencrypt/live/[network_controller_fqdn]/privkey.pem
 
+      ```
 
+
 
+###### Test HTTPS access
 
+Once you have a certificate at `etc/tls/fullchain.pem` and private key at `etc/tls/privkey.pem`, you should be able to access ztncui over HTTPS on the port specified by HTTPS_PORT.
 
+
 
+
 
 ##### 9. Remote access via SSH
 
 ###### SSH tunnel from Linux / Unix / macOS client
 
 An SSH tunnel can be established with:

+ 2 - 0
public/.well-known/acme-challenge/.gitignore
View File 

@@ -0,0 +1,2 @@
 
+*
 
+!.gitignore