Sysadmin Guide

Using your own SSL Certificate


If you have an SSL Certificate obtained from a certificate authority, you can upload this to your server for use within Deskpro.

The following instructions apply to installations that have used our one-line installer, or our Virtual Machine images.

You will need to upload two files: the SSL certificate itself and the private key you used to generate the signing request for the certificate.

You will need to add the files to a directory on your server, for example /etc/ssl/certs/ or /etc/ssl/private. This can be done by creating a text file for each and pasting in the contents of your certificate and private key.

Once you have your certificate and key on the server, you'll need to modify the following file:

/etc/nginx/conf.d/deskpro.conf

The following changes need to be made:

Original File

    server {
        listen 80;
        server_name _;

        ## Config options for nginx + TLS. These settings are from [1], and provide
        ## a strong cipher list for your server, although old browsers might be
        ## unable to access the helpdesk. If your install needs to be accessible
        ## by old browsers, please consult [1] for the adequate cipher lists.
        ##
        ## [1] https://cipherli.st/

        # listen 443 ssl;

        # ssl_certificate /path/to/certificate.crt;
        # ssl_certificate_key /path/to/certificate.key;
        # ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        # ssl_prefer_server_ciphers on;
        # ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
        # ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
        # ssl_session_cache shared:SSL:10m;
        # ssl_stapling on; # Requires nginx >= 1.3.7
        # ssl_stapling_verify on; # Requires nginx >= 1.3.7

Modified File

    server {
        listen 80 default_server;

        server_name _;
        return 301 https://$host$request_uri;

    }

        ## Config options for nginx + TLS. These settings are from [1], and provide
        ## a strong cipher list for your server, although old browsers might be
        ## unable to access the helpdesk. If your install needs to be accessible
        ## by old browsers, please consult [1] for the adequate cipher lists.
        ##
        ## [1] https://cipherli.st/

    server {

        listen 443 ssl default_server;

        ssl_certificate /etc/ssl/certs/helpdeskcert.pem;
        ssl_certificate_key /etc/ssl/certs/privkey.pem;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
        ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
        ssl_session_cache shared:SSL:10m;
        ssl_stapling on; # Requires nginx >= 1.3.7
        ssl_stapling_verify on; # Requires nginx >= 1.3.7

This will activate SSL and force all traffic to your helpdesk over HTTPS.

Below is a template which can be copied and pasted over the section of the file that runs from the top to just before the following comment:

# add_header X-Content-Type-Options nosniff;

    server {
        listen 80 default_server;
    
        server_name _;
        return 301 https://$host$request_uri;
    
    }
    
        ## Config options for nginx + TLS. These settings are from [1], and provide
        ## a strong cipher list for your server, although old browsers might be
        ## unable to access the helpdesk. If your install needs to be accessible
        ## by old browsers, please consult [1] for the adequate cipher lists.
        ##
        ## [1] https://cipherli.st/
    
    server {
    
        listen 443 ssl default_server;
    
        ssl_certificate PATH TO CERTIFICATE FILE;
        ssl_certificate_key PATH TO PRIVATE KEY FILE;
        # TLSv1 and TLSv1.1 are deprecated (RFC 8996); remove them if no legacy clients need them
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
        ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
        ssl_session_cache shared:SSL:10m;
        ssl_stapling on; # Requires nginx >= 1.3.7
        ssl_stapling_verify on; # Requires nginx >= 1.3.7

Finally, you'll need to restart the Web Server using:

service nginx restart

Remember to change your URL in your helpdesk admin to reflect HTTPS:// so that links are updated in your service and e-mails accordingly.
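
A pre-flight check to run before the restart, as an added example that is not part of Deskpro's instructions: it confirms that the certificate has not expired, that the private key belongs to it, and that the key file is not accessible to group or other users (this matters most if the key sits in /etc/ssl/certs/, which is typically world-readable). The function names and script name are assumptions; the openssl CLI and GNU stat are assumed to be installed.

```shell
#!/usr/bin/env bash
# Added example (not Deskpro's code): checks to run before `service nginx restart`.
# Function names are assumptions. Requires the openssl CLI and GNU stat.

# Succeeds only if the private key ($2) belongs to the certificate ($1).
# Both public keys are re-encoded by `openssl pkey` so they compare byte for byte.
# `-passin pass:` makes an encrypted key fail instead of prompting.
cert_matches_key() {
    local from_cert from_key
    from_cert=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null |
                openssl pkey -pubin -pubout 2>/dev/null) || return 2
    from_key=$(openssl pkey -in "$2" -passin pass: -pubout 2>/dev/null) || return 2
    [ -n "$from_cert" ] && [ "$from_cert" = "$from_key" ]
}

# Succeeds only if the key file grants nothing to group or other (e.g. 600, 400).
key_perms_ok() {
    local mode
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 2
    # Prefix 0 so the shell reads the mode as octal, then mask group/other bits.
    [ $(( 0$mode & 077 )) -eq 0 ]
}

# Runs every check; prints OK, or the first failure on stderr.
preflight() {
    local cert="$1" key="$2"
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo "FAIL: $cert is unreadable or has expired" >&2; return 1
    fi
    if ! cert_matches_key "$cert" "$key"; then
        echo "FAIL: $key does not match $cert" >&2; return 1
    fi
    if ! key_perms_ok "$key"; then
        echo "FAIL: $key is accessible to group/other (try chmod 600)" >&2; return 1
    fi
    echo "OK"
}

# Usage (script name is hypothetical):
#   ./preflight.sh /path/to/cert.pem /path/to/key.pem && nginx -t
if [ "$#" -eq 2 ]; then
    preflight "$1" "$2"
fi
```

If the check prints OK, `nginx -t` validates the edited deskpro.conf before the service is restarted.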
