ACSIA Help Center

How To Configure SSL Certificates in ACSIA

Federico Trotta

Overview

In this article, we'll show how we can configure the SSL certificates in ACSIA. In particular, we'll show:

  • The prerequisites and some knowledge base
  • How to install and renew the SSL certificates if you retrieved them from a CA (Certification Authority)
  • How to install the SSL certificates if you retrieved them from Let's Encrypt
  • How to renew the certificates if you retrieved them from Let's Encrypt

Prerequisites and knowledge base

Prerequisites

ACSIA XDR Plus is installed on this Linux distribution:

  • Ubuntu 20.04

On this distribution you need:

  • Full SSH root access or a user with sudo privileges.
  • A valid domain name pointed to your server's IP address. We'll call it [yourdomain] throughout this article.

 

The certificates must be in the .pem format.

If you retrieved your certificates from a CA and have them in another format, you can convert them. For example, to convert from PKCS#12 (.pfx) to .pem:

$ openssl pkcs12 -in certificatename.pfx -out [my_certificate.pem]

where [my_certificate.pem] is the name of your certificate in the .pem format.
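
Without further options, the command above writes the private key and the certificates into a single file, while the deployment command used later in this article takes the certificate and the key as separate files. The following added example (not part of the original ACSIA article) extracts the two separately and checks that they belong together; the bundle, its password and the host name acsia.example.test are constructed for the demo.

```shell
#!/bin/sh
# Added example, not ACSIA code. All file names and the password are constructed.
umask 077                        # everything created below is owner-only

# split_pfx BUNDLE CERT_OUT KEY_OUT  (bundle password is read from $PFX_PASS)
split_pfx() {
    # Leaf certificate only, no key material.
    openssl pkcs12 -in "$1" -passin env:PFX_PASS -nokeys -clcerts -out "$2" || return 1
    # Private key only; -nodes writes it unencrypted, so the umask matters.
    openssl pkcs12 -in "$1" -passin env:PFX_PASS -nocerts -nodes -out "$3" || return 1
}

# pair_matches CERT KEY -> success only if both carry the same public key
pair_matches() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# --- constructed sample input: a throwaway self-signed bundle ---
work=$(mktemp -d)
export PFX_PASS='constructed-demo-password'
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=acsia.example.test" \
    -keyout "$work/orig.key" -out "$work/orig.crt" 2>/dev/null
openssl pkcs12 -export -inkey "$work/orig.key" -in "$work/orig.crt" \
    -passout env:PFX_PASS -out "$work/certificatename.pfx"
openssl genrsa -out "$work/unrelated.key" 2048 2>/dev/null   # a key that must NOT match

split_pfx "$work/certificatename.pfx" "$work/my_certificate.pem" "$work/privkey.pem"

if pair_matches "$work/my_certificate.pem" "$work/privkey.pem"; then
    echo "certificate and key match"
fi
if ! pair_matches "$work/my_certificate.pem" "$work/unrelated.key"; then
    echo "unrelated key rejected"
fi
```

Reading the bundle password from an environment variable keeps it out of the process list; the extracted key is unencrypted, so the umask line is what keeps it private.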

 

Knowledge base

Here we'll describe the procedures for SSL certificates, both when you retrieved them from a CA and when you retrieved them from Let's Encrypt.

The difference between them is that Let's Encrypt is a free service whose certificates must, for example, be renewed every three months.

If, instead, you'd like to use a CA, the certificates are provided by an Authority and last some years.


How to install and renew the SSL certificates if you retrieved them from a CA

Step 1: switch to ACSIA user

$ sudo su - acsia

This command is needed to see the certificates. Without it, you can't see them.

 

Step 2: get permission to see the certificate

You have to get the path where your certificate is. If we call it [file-path-directory], then type:

$ sudo chmod -R 755 [file-path-directory]

to get the permissions to see the certificates.

 

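Then, you have to get the path where your private key is. If we call it [key-path-directory], then type the command below; note that mode 755 makes every file in that directory, including the private key, readable by all local accounts on the server: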

$ sudo chmod -R 755 [key-path-directory]

 

Step 3: stop Nginx port 80

We must make sure that port 80 is free. List the running containers by typing the following:

$ sudo docker ps


After this, we have to stop the Nginx container:

$ sudo docker stop nginx

 

Step 4: deploy the certificates

Now, we can proceed with the deployment phase. Execute the following command:

$ acsia_deploy_ssl_certs --certificate [file-path-directory]/[my_certificate.pem] --key [key-path-directory]/privkey.pem --domain [yourdomain]

Where:

  • [my_certificate.pem] is the name of your certificate.
  • [file-path-directory] is the path where [my_certificate.pem] is located.
  • [key-path-directory] is the path where the private key is located.
  • [yourdomain] is your domain name.

 

Step 5: restart ACSIA

Finally, restart ACSIA:

$ acsia_stack_restart

When you need to renew the certificates retrieved from a CA, you have to repeat this procedure from the beginning.

How to install the SSL certificates if you retrieve them from Let's Encrypt

Step 1: switch to ACSIA user

$ sudo su - acsia

 

Step 2: stop Nginx port 80

We must make sure that port 80 is free. List the running containers by typing the following:

$ sudo docker ps


After this, we have to stop the Nginx container:

$ sudo docker stop nginx

 

Step 3: install certbot

$ sudo snap install --classic certbot

 

Step 4: create the certificate

$ sudo certbot certonly -d [yourdomain]

Where [yourdomain] is your domain name.

 

Step 5: set the permissions on the directories /etc/letsencrypt/live and /etc/letsencrypt/archive

$ sudo chmod -R 755 /etc/letsencrypt/live

$ sudo chmod -R 755 /etc/letsencrypt/archive

 

Step 6: deploy the certificates

Now, we can proceed with the deployment phase. Execute the following command:

$ acsia_deploy_ssl_certs --certificate /etc/letsencrypt/live/[yourdomain]/fullchain.pem --key /etc/letsencrypt/live/[yourdomain]/privkey.pem --domain [yourdomain] 

Where [yourdomain] is your domain name.

 

Step 7: restart ACSIA

$ acsia_stack_restart

How to renew the SSL certificates if you retrieve them from Let's Encrypt

To force the renewal of the certificates retrieved with Let's Encrypt, that is, to renew them before they reach their end date, type the following commands:

 

Step 1: stop Nginx port 80

$ sudo docker stop nginx

 

Step 2: force renewal of the certificates

$ sudo certbot certonly --force-renew -d [yourdomain]

where [yourdomain] is your domain name.

 

Step 3: switch to ACSIA user

$ sudo su - acsia

 

Step 4: deploy the certificates

$ acsia_deploy_ssl_certs --certificate /etc/letsencrypt/live/[yourdomain]/fullchain.pem --key /etc/letsencrypt/live/[yourdomain]/privkey.pem --domain [yourdomain] 

where [yourdomain] is your domain name.

 

Step 5: restart ACSIA

$ acsia_stack_restart
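
Both the CA procedure and the Let's Encrypt renewal above end by handing a certificate file to acsia_deploy_ssl_certs. The following added example (not part of the original ACSIA article) checks such a file first: that it covers [yourdomain] and that it is not close to its end date. The 30-day threshold, the host name acsia.example.test and the two sample certificates are assumptions constructed for the demo.

```shell
#!/bin/sh
# Added example, not ACSIA code. Host names and certificates are constructed.

# expires_within CERT DAYS -> success if CERT expires (or is unreadable) within DAYS
expires_within() {
    ! openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# covers_domain CERT DOMAIN -> success if DOMAIN matches a name in CERT
covers_domain() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
        grep -q "does match certificate"
}

# ready_to_deploy CERT DOMAIN MIN_DAYS -> 0 ok, 1 wrong name, 2 too close to expiry
ready_to_deploy() {
    covers_domain "$1" "$2" || { echo "$1: does not cover $2" >&2; return 1; }
    if expires_within "$1" "$3"; then
        echo "$1: expires within $3 days, renew first" >&2
        return 2
    fi
    return 0
}

# --- constructed sample input: two self-signed certificates ---
demo=$(mktemp -d)
make_cert() {   # make_cert OUT DAYS
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" \
        -subj "/CN=acsia.example.test" \
        -addext "subjectAltName=DNS:acsia.example.test" \
        -keyout "$demo/key.pem" -out "$1" 2>/dev/null
}
make_cert "$demo/fresh.pem" 90      # three-month lifetime, just issued
make_cert "$demo/ending.pem" 10     # ten days left

ready_to_deploy "$demo/fresh.pem" acsia.example.test 30 && echo "fresh.pem: ok"
ready_to_deploy "$demo/ending.pem" acsia.example.test 30 || echo "ending.pem: rc=$?"
```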