Connecting the SSL certificate

SSL certificate is a digital document that confirms the authenticity of the website and ensures the security of the user's personal data. When using an SSL certificate, data is transmitted to the server via a secure protocol. An SSL certificate consists of a public key and a private key, and may also include a chain of certificates.

If the certificate was not specified when installing the platform, a self-signed SSL certificate will be connected to the platform. When opening the platform's web interface, a warning about a possible security threat will appear in the browser. To prevent this warning from appearing, connect an SSL certificate signed by a certificate authority to the platform.

You can purchase a certificate from any certificate issuing service or get a free one from Let's Encrypt. You can get a Let's Encrypt certificate through the platform interface. The platform interacts with Let's Encrypt using the acme.sh script.

A Let's Encrypt certificate is valid for 90 days and is automatically reissued before the expiration date. If you ordered a certificate through the platform interface, the platform will automatically start the renewal process before the certificate expires.

Managing certificates

To connect the certificate, in the right menu, click the icon → Global settings tab:

Click the Re-connect the certificate button.
To connect an issued SSL certificate:
1. Open the Add the issued SSL certificate tab.
2. Enter an arbitrary SSL certificate Name. The certificate will be displayed in the platform interface under this name.
3. Copy the contents of the SSL certificate public key in pem, crt, or cer format.
4. If the certificate contains a chain, copy its contents into the SSL certificate chain field. If the chain consists of two files, enter the intermediate certificate first, and then the root certificate from a new paragraph without a space.
5. Copy the contents of the SSL certificate Private key in key format.
6. Click the Connect certificate button. The platform will check if the private key matches the certificate. If the check is successful, the certificate will connect to the server.
To issue and connect a Let's Encrypt certificate:
1. Open the Let's Encrypt tab.
2. Enter the Domain of the server with the platform.
3. Enter the Admin's email. Notifications about the certificate status will be sent to this address.
4. Click the Connect certificate button. The platform will start the process of certificate obtaining.

If the certificate is successfully connected, the icon will appear in the SSL Certificate line. Some browsers require refreshing the page for this icon to appear.

If certificate issuance failed, the icon will be displayed next to the certificate name.

If the platform fails to automatically reissue the Let's Encrypt certificate, warning banners will appear in the interface. The first banner appears two weeks before the certificate expires, the second one — after the expiration date.

To connect another certificate, click the Reconnect the сertificate link and enter the certificate details.

To view information about the connected certificate, click the link in the SSL certificate line.

Example of certificate information

Connecting a certificate via API

Connect to the server with the platform via SSH.
Get the authorization token:
```
curl -k -X POST -H "accept: application/json" -H "Content-Type: application/json" 'https://domain.com/auth/v4/public/token' -d '{"email": "admin_email", "password": "admin_pass"}'
```
Comments to the command

domain.com — domain name or IP address of the server with the platform
admin_email — platform administrator's email
admin_pass — platform administrator's password

In response, you will get the message in the form:
Example of response in JSON
```
{
  "confirmed": true,
  "expires_at": null,
  "id": "6",
  "token": "4-e9726dd9-61d9-2940-add3-914851d2cb8a"
}
```
Save the received token value.
Run the command:
```
curl --insecure -H 'x-xsrf-token: <token>' -X POST https://example.com/nginxctl/v1/ssl -H 'accept: application/json' -H 'Content-Type: application/json'  -d '{"name":"<ssl_name>","certificate":"<ssl_cert>","ca_bundle":"<ssl_bundle>","private_key":"<ssl_private>"}'
```
Comments to the command

<token> — authorization token
example.com — domain name or IP address of the server with the platform
<ssl_name> — SSL certificate name
<ssl_cert> — SSL certificate public key
<ssl_bundle> — SSL certificate chain. Optional parameter
<ssl_private> — SSL certificate private key

Connecting a Windows Server certificate

To connect a certificate issued by an Enterprise Certificate Authority on a Windows Server:

Connect to the server with the platform via SSH.
Generate a certificate request:
1. Run the command:
```
openssl req -new -newkey rsa:2048 -nodes -keyout ssl.key -out ssl.csr
```
2. Enter the data to obtain the certificate. After entering the data, two files will be created in the current directory:
  - ssl.csr — the request file. The contents of this file will be needed when generating a certificate in the Certificate Authority;
  - ssl.key — private key. The contents of this file will be needed when connecting the certificate in the platform.
Issue the certificate in the Certificate Authority interface. See the Windows Server documentation for more information. Save the generated certificate in Base64 format.
Connect the certificate in the platform interface:
1. In the SSL certificate field, paste the contents of the issued certificate.
2. If you saved a certificate chain, paste its contents in the SSL certificate chain field.
3. In the Private key of SSL certificate field, paste the contents of the ssl.key file.

Diagnostics

Certificate issue logs are saved to the /var/log/nginxctl.log file in the input container on the platform server.