Generating a new SSL certificate for OctoPi

John O'Shaughnessy edited this page Mar 7, 2017 · 1 revision

The OctoPi distribution includes a generic SSL certificate. It is better than nothing, but because it is a common certificate shared across installations, it could be compromised. The instructions below generate your own SSL certificate for use by OctoPrint and HAProxy.

# Open a root shell
sudo -i

# Change to the /etc/ssl directory, where certificates are stored.
cd /etc/ssl/

# Request a new self-signed certificate, with a 10-year expiration, and 4096-bit RSA key
# It will ask you a lot of questions for details to put in the certificate.
openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout newcert.key -out newcert.crt

# Concatenate the new key and self-signed certificate into a single file the way HAProxy likes it
# Feel free to use a different name than 'snakeoil.pem' so long as you edit haproxy.cfg to match
cat newcert.crt newcert.key > snakeoil.pem

# Restart HAProxy so that the new certificate takes effect.
systemctl restart haproxy

# Leave the root shell and go back to normal.
exit
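
A check to run on the combined file before restarting HAProxy, as an added example that is not part of the original page: it confirms the file holds a certificate and its matching private key, that the certificate is not expired, and that the key is not readable by group or others. The function name `check_haproxy_pem` is hypothetical, and GNU `stat` (as shipped on Raspbian) is assumed.

```shell
# Added example (not from the original page).
# Usage: check_haproxy_pem /etc/ssl/snakeoil.pem
check_haproxy_pem() {
    pem="$1"
    [ -r "$pem" ] || { echo "cannot read $pem" >&2; return 1; }

    # HAProxy expects the certificate and the private key in one file.
    grep -q -- '-----BEGIN CERTIFICATE-----' "$pem" \
        || { echo "no certificate in $pem" >&2; return 1; }
    grep -Eq -- '-----BEGIN (RSA |EC )?PRIVATE KEY-----' "$pem" \
        || { echo "no private key in $pem" >&2; return 1; }

    # The public key embedded in the certificate must equal the public key
    # derived from the private key; otherwise the pair does not belong together.
    cert_pub=$(openssl x509 -in "$pem" -noout -pubkey) \
        || { echo "cannot parse certificate" >&2; return 1; }
    key_pub=$(openssl pkey -in "$pem" -pubout) \
        || { echo "cannot parse private key" >&2; return 1; }
    [ "$cert_pub" = "$key_pub" ] \
        || { echo "certificate and private key do not match" >&2; return 1; }

    # Fail if the certificate is expired or expires within the next 24 hours.
    openssl x509 -in "$pem" -noout -checkend 86400 >/dev/null \
        || { echo "certificate is expired or about to expire" >&2; return 1; }

    # The file contains the private key, so group and others need no access.
    # Assumption: GNU stat, which prints the octal mode with -c '%a'.
    mode=$(stat -c '%a' "$pem")
    case "$mode" in
        *00) ;;
        *) echo "$pem has mode $mode; expected 600 or stricter" >&2; return 1 ;;
    esac

    echo "$pem: certificate and key match, permissions $mode"
}
```

If the check reports loose permissions, `chmod 600 newcert.key snakeoil.pem` restricts both files that contain the private key to their owner.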