Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with
or
.
Download ZIP

Adding an SSL certificate

bparanj edited this page · 11 revisions

Self-signed

To create a self-signed certificate, follow the steps below. A self-signed certificate can be useful for testing and for internal applications. It provides the same level of security, but by default is not trusted by browsers because it is not generated by a recognized Certificate Authority.

Add this to your moonshine.yml:

:ssl:
  :self_signed:  true

Save, commit, and deploy your app. That’s all there is to it. If you want all requests to be redirected and served over self-signed SSL, it would look like this:

:ssl:
  :only: true

Certificate from a CA

To add a SSL certificate from a certificate authority, ssh into your server.

mkdir /home/rails/certs
cd /home/rails/certs

The utility “openssl” is used to generate the key and CSR.

openssl genrsa -out mynewsite.key 2048

This command generates a 2048 bit RSA private key and stores it in the file mynewsite.key. Do not provide password when it prompts you for pass phrase. Leave it blank.

Generate a new certificate request:

sudo openssl req -new -key mynewsite.key -out mynewsite.csr

It will ask you to fill in a bunch of info that will need to match the info you provide your SSL provider (such as GoDaddy). The key one that you’ll want to pay attention to is Common Name. That needs to be your domain name (without the https://). You don’t need to include the ‘www’ usually. Next lets move these to a better location:

Once done, output your certificate request by doing this:

cat mynewsite.csr

Copy that and enter it when your SSL provider asks for it.

Once your SSL provider approves your SSL, they’ll provide you with one or two files. The first will be the certificate file and the second, if provided, will be the certificate chain file. For godaddy, they provide a zip file that contains two files: yourdomain.com.crt & gd_bundle.crt. Save these two files in a directory called certs on your local machine. Change into that directory and copy the files to your server by running this on your local machine:

scp * rails@yourserver:/home/rails/certs/

This should copy the files to /home/rails/certs/ on your server.

The final step is to update config/moonshine.yml, commit it to the git repo and deploy.

:ssl:
  :certificate_file: /home/rails/certs/yourdomain.com.crt
  :certificate_key_file: /home/rails/certs/mynewsite.key
  :certificate_chain_file: /home/rails/certs/gd_bundle.crt

The certificate_chain_file is only required if your certificate authority provided one, otherwise, leave out this line. Save & close this file. Next update your git repo.

git add config/moonshine.yml
git commit -m "Updated moonshine config file with SSL info"
git push
cap deploy

Multi-stage SSL Certificates

You can take advantage of the stage specific moonshine configuation files if you would like different SSL configurations on your staging and production servers. One common example is your staging server setup with self-signed certificate and a certificate from CA for production. To do this, in your rails directory:

mkdir -p config/moonshine
touch config/moonshine/production.yml
touch config/moonshine/staging.yml

Then, setup each stage as you would want in it’s respective config. In this example, we want a self-signed certificate on staging. We can configure this in config/moonshine/staging.yml:

:ssl:
  :self_signed: true

For production, however, we would like to use the certificate from a CA that we have. After we do the proper setup, as detailed in the previous section, we then update config/moonshine/production.yml with the following:

:ssl: 
  :certificate_file: /home/rails/certs/yourdomain.com.crt
  :certificate_key_file: /home/rails/certs/mynewsite.key
  :certificate_chain_file: /home/rails/certs/gd_bundle.crt

Once you commited your changes to your git repository, you can deploy to apply your changes

git add config/moonshine
git commit -m "Added production and staging SSL configs"
git push

cap staging deploy
cap production deploy

TODO

  • Link to possible SSL issuers
  • Reference specific issuers’s documentation and tools
  • Update recommended way of putting certificates on server (keep in version control and manage with moonshine, rather than scp)
Something went wrong with that request. Please try again.