SSL Certificate / Passbolt browser extension

Can I use a crt/key file when setting up the SSL cert? All I can find on Google is how to export to crt/key from a Windows pfx.

Also, does the Passbolt browser extension have a password generator on it like LastPass does?

Thanks,

Hey @3GLighting, NGINX is going to want a private key and a full chain cert.

The SSL FAQ is here: Passbolt Help | Troubleshoot SSL

There is a password generator with various options.

So where is the password generator located in the browser extension? I only see the search option, and browse by filter or groups.

I already have a wildcard SSL cert, so what’s the best practice for installing it? I see this link talking about having an FQDN SSL cert, not a wildcard one.

There is a Create New button:

image

Best practice is to follow the guides. Outside of that you’ll likely have additional errors. Also, outside of the guide you are beginning to customize settings and configurations - not that we discourage that, but it’s not a passbolt thing and more a matter of how to use NGINX.

If you move your TLS files to the same location as existing ones and rename them to match, it should accept them. The NGINX *.conf files reference the locations of the TLS files.

@garrett

If I rerun the NGINX setup again and go the auto route, that will set up the SSL cert with Let’s Encrypt, right? Is that a fairly straightforward process, or do I need to worry about anything?

I don’t see anyone demonstrating this process on YT, so I am not sure. I just figure if it’s going to be easier than converting my wildcard SSL cert and getting it installed, I might as well look at doing it through Let’s Encrypt using the server’s FQDN.

Thanks,

@3GLighting Yes, you could reconfigure to use Let’s Encrypt and automate it. This works well for passbolt instances that are public facing and have port 80 open (LE docs).

It is possible to use your own certs. I think I am recently learning that some aspects of the healthcheck are not accommodating to wildcard certs. Like here: Version Mismatch on Debian - #6 by clayton

I have not used wildcard certs, and I do use Let’s Encrypt, but it’s not automated through the app because one instance is not public-facing. So there are many options.

Can Let’s Encrypt be used for internal servers only and not public facing?

Yes, but not with certbot. The ACME protocol can also be used to utilize the API for domain management that some domain providers offer.

Ref: ACME Client Implementations - Let's Encrypt

Ref: GitHub - acmesh-official/acme.sh: A pure Unix shell script implementing ACME client protocol

And how do I restart NGINX again?

To test config: sudo nginx -t
To restart service: sudo service nginx reload
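Before swapping your own wildcard cert and key into the paths the NGINX *.conf files reference (as described earlier) and running the test/reload above, a pre-flight check like this catches the usual mistakes: a key that does not belong to the cert, a bare leaf instead of a full chain, or a cert that does not actually cover the server's FQDN. This is an added example, not passbolt's or any poster's code; the cert path, key path and FQDN are assumed arguments, and the check only needs openssl.

```shell
#!/bin/sh
# Pre-flight check before pointing nginx at your own cert/key.
# Assumed usage: ./tlscheck.sh /path/to/fullchain.crt /path/to/server.key passbolt.example.test
# (read the real paths with: grep -r ssl_certificate /etc/nginx/)

# Returns 0 when the public key inside CERT is the same key as in KEY (RSA or EC).
cert_key_match() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
  key_pub=$(openssl pkey -in "$2" -pubout) || return 3
  [ "$cert_pub" = "$key_pub" ]
}

# Number of PEM certificates in a file. A "full chain" for nginx has 2 or more
# (leaf first, then intermediates); a bare leaf exported from a pfx has exactly 1.
chain_length() {
  grep -c 'BEGIN CERTIFICATE' "$1"
}

# Returns 0 when the certificate (wildcard included) covers FQDN under the
# usual one-label wildcard rule: *.example.test covers host.example.test only.
cert_covers_host() {
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# Runs every check, reports what failed, and returns non-zero on a hard failure.
check_tls_pair() {
  cert=$1; key=$2; fqdn=$3; rc=0
  cert_key_match "$cert" "$key" || { echo "FAIL: $key does not match $cert"; rc=1; }
  [ "$(chain_length "$cert")" -ge 2 ] || echo "WARN: $cert has no intermediates (not a full chain)"
  cert_covers_host "$cert" "$fqdn" || { echo "FAIL: $cert does not cover $fqdn"; rc=1; }
  return $rc
}

# Only when run directly with the three arguments: check, then test and reload nginx.
if [ "$#" -eq 3 ]; then
  check_tls_pair "$1" "$2" "$3" && sudo nginx -t && sudo service nginx reload
fi
```

The chain warning is deliberately not fatal, since a cert from some providers already ships with the intermediates appended; the key mismatch and hostname checks are, because nginx will either refuse to start or serve a cert browsers reject.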

So let me clarify: our network, like so many, doesn’t block ports internally; we allow all traffic outside. Do I still need to use something else to do Let’s Encrypt?

In this scenario, the only way I know to automate the use of LE certs is to use the domain manager API approach with the second acme link above.

As LE will not be able to make a call to your internal only instance, it needs some way to verify you control the domain. With the API approach, you provide the acme client on your server the credentials to create a temporary TXT record in your DNS settings (so maybe I should say DNS manager and not domain manager).

In this protocol, it’s all outgoing calls.