Let's Encrypt is a free SSL issuer which allows you to install certificates on your server for use with Deskpro.
These instructions are for CentOS 7 and Red Hat, where the CentOS 7 / Red Hat Automated Installer has been used.
The server that Deskpro is installed on will require a live internet connection and a domain name resolving to your installation.
Download Certbot
$ wget https://dl.eff.org/certbot-auto
Make Certbot executable
$ chmod a+x certbot-auto
Run the Certbot script (run from within the same directory that you downloaded Certbot to).
$ sudo ./certbot-auto --nginx -d yourhelpdesk.com
The script will process, and you'll be presented with the following output. The "Unable to install certificate" warning is to be expected, as we will need to complete some manual configuration in order to complete the setup.
- Unable to install the certificate
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/yourhelpdesk.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/yourhelpdesk.com/privkey.pem
Your cert will expire on 2018-12-23. To obtain a new or tweaked
version of this certificate in the future, simply run certbot again
with the "certonly" option. To non-interactively renew *all* of
your certificates, run "certbot renew"
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
Copy the following lines into a temporary file such as Notepad, as you'll need them in the next configuration stage:-
/etc/letsencrypt/live/yourhelpdesk.com/fullchain.pem ← This is your SSL Certificate
/etc/letsencrypt/live/yourhelpdesk.com/privkey.pem ← This is your private key
Next, you'll need to modify the following file:-
/etc/nginx/conf.d/deskpro.conf
The following changes need to be made:
Original File
server {
listen 80;
server_name _;
## Config options for nginx + TLS. These settings are from [1], and provide
## a strong cipher list for yout server, although old browsers might be
## unable to access the helpdesk. If your install needs to be accessible
## by old browsers, please consult [1] for the adequate cipher lists.
##
## [1] https://cipherli.st/
# listen 443 ssl;
# ssl_certificate /path/to/certificate.crt;
# ssl_certificate_key /path/to/certificate.key;
# ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# ssl_prefer_server_ciphers on;
# ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
# ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
# ssl_session_cache shared:SSL:10m;
# ssl_stapling on; # Requires nginx >= 1.3.7
# ssl_stapling_verify on; # Requires nginx => 1.3.7
Modified File
server {
listen 80 default_server;
server_name _;
return 301 https://$host$request_uri;
}
## Config options for nginx + TLS. These settings are from [1], and provide
## a strong cipher list for yout server, although old browsers might be
## unable to access the helpdesk. If your install needs to be accessible
## by old browsers, please consult [1] for the adequate cipher lists.
##
## [1] https://cipherli.st/
server {
listen 443 ssl default_server;
ssl_certificate /etc/letsencrypt/live/yourhelpdesk.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/yourhelpdesk.com/privkey.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
ssl_session_cache shared:SSL:10m;
ssl_stapling on; # Requires nginx >= 1.3.7
ssl_stapling_verify on; # Requires nginx => 1.3.7
This will activate SSL and force all traffic to your helpdesk over HTTPS.
Below is a template which can be copied and pasted from the top of the file to just before the following comment:-
#add_header X-Content-Type-Options nosniff;
server {
listen 80 default_server;
server_name _;
return 301 https://$host$request_uri;
}
## Config options for nginx + TLS. These settings are from [1], and provide
## a strong cipher list for yout server, although old browsers might be
## unable to access the helpdesk. If your install needs to be accessible
## by old browsers, please consult [1] for the adequate cipher lists.
##
## [1] https://cipherli.st/
server {
listen 443 ssl default_server;
ssl_certificate PATH TO CERTIFICATE FILE FROM THE CERTBOT INSTALLER;
ssl_certificate_key PATH TO PRIVATE KEY FROM THE CERTBOT INSTALLER;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
ssl_session_cache shared:SSL:10m;
ssl_stapling on; # Requires nginx >= 1.3.7
ssl_stapling_verify on; # Requires nginx => 1.3.7
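A check that can be run on the edited file before restarting nginx, as an added example that is not part of the original Deskpro instructions; the function name `audit_tls_conf` and the embedded sample are constructed here. It flags TLSv1 and TLSv1.1, which the `ssl_protocols` line above still enables and which RFC 8996 deprecates, leftover template placeholder text in the certificate paths, and a missing HTTPS redirect.

```shell
#!/usr/bin/env bash
# Added example (not Deskpro's code). Prints one finding per line; returns 1 if any, else 0.
audit_tls_conf() {
    local conf="$1" rc=0 active proto d val
    active=$(sed -e 's/#.*//' "$conf")    # drop comments and commented-out directives

    # TLS 1.0 and 1.1 are formally deprecated (RFC 8996).
    for proto in $(printf '%s\n' "$active" |
            awk '$1 == "ssl_protocols" { for (i = 2; i <= NF; i++) print $i }' | tr -d ';'); do
        case "$proto" in
            TLSv1|TLSv1.1) echo "deprecated protocol enabled: $proto"; rc=1 ;;
        esac
    done

    # Both directives must be active and absolute paths, not the template's placeholder text.
    for d in ssl_certificate ssl_certificate_key; do
        val=$(printf '%s\n' "$active" | awk -v d="$d" '$1 == d { print $2; exit }' | tr -d ';')
        case "$val" in
            /*) ;;
            "") echo "$d is not set"; rc=1 ;;
            *)  echo "$d is not an absolute path"; rc=1 ;;
        esac
    done

    # The port 80 server block should send every request to HTTPS.
    printf '%s\n' "$active" | grep -Eq '^[[:space:]]*return[[:space:]]+301[[:space:]]+https://' ||
        { echo "no HTTP to HTTPS redirect"; rc=1; }
    return "$rc"
}

# Constructed sample that mirrors the modified file shown above.
sample_conf() {
    cat <<'EOF'
server {
    listen 80 default_server;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl default_server;
    ssl_certificate /etc/letsencrypt/live/yourhelpdesk.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yourhelpdesk.com/privkey.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
EOF
}

tmp=$(mktemp) && sample_conf > "$tmp"
audit_tls_conf "$tmp" || echo "review the findings above before restarting nginx"
rm -f "$tmp"
```

On the server, call it as `audit_tls_conf /etc/nginx/conf.d/deskpro.conf`, and run `nginx -t` to catch syntax errors before the restart.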
Finally, you'll need to restart the Web Server using:
service nginx restart
Remember to change your URL in your helpdesk admin to reflect HTTPS:// so that links are updated in your service and e-mails accordingly.