guacamole-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From sciUser <shulb...@securitycentric.net>
Subject Re: SSL
Date Wed, 16 Jan 2019 09:18:56 GMT
I am going to give a complete step-by-step instruction on how to get SSL on
guacamole running on CentOS7 build.  I really wish the Guacamole project
would have more instructions like this, it would help so many.

Steps as followed:

1. Login to your CentOS7 using SSH you will need root access
    - is you have sudo enabled issue the command *sudo -i* and the users
password
    - if you do not have sudo enabled for users (you should) issue the
command *su* then the root password
2. Navigate to */etc/nginx* issue the command* cd /etc/nginx*
3. Create a directory called ssl (lowercase) issue the command mkdir ssl
from /etc/nginx directory
4. Navigate in to ssl directory , issue the command *cd ssl*
5. Create another directory called *private*, issue the command *mkdir
private*
6. Use the following command to generate your new key csr files , issue the
command: *openssl req -new -newkey rsa:2048 -nodes -keyout
/etc/nginx/ssl/yourdomain_server.key -out /etc/nginx/ssl/yourdomain.csr*

Note1: /Replace yourdomain is YOUR OWN DOMAIN NAME./
Note2: follow the prompts, a description below of the prompts;

*Country Name:* Use the two-letter code without punctuation for country, for
example: US
 
*State or Province:* Spell out the state completely; do not abbreviate the
state or province name, for example: California, not CA
 
*Locality or City: *The Locality field is the city or town name, for
example: Eugene. Do not abbreviate. For example: Mountain View, not Mt. View
 
*Company:* If the company or department has an &, @, or any other symbol
using the shift key in its name, the symbol must be spelled out or omitted,
in order to enroll. Example: XY & Z Corporation would be XYZ Corporation or
XY and Z Corporation.
 
*Organizational Unit:*  The Organizational Unit (OU) field is the name of
the department or organization unit making the request. To skip the OU
field, press Enter\Return on the keyboard.
 
*Common Name: *The Common Name is the Host + Domain Name. It looks like
"*www.company.com*" or "*company.com*" or Wildcard "**.company.com*"

*Support Email:* Enter in the email address of who is responsible for the
certificate,normally this is support or hostmaster@company.com

7. Do not enter in a password or additional company name when prompted. (
you will see it, so dont do it)

8. At this point you will need to copy the contents of the *yourdomain.csr*
file this is the pem code. 
Will look like this below, don't worry this is not a valid pem.  Then go to
your certificate authorities website and enter paste the /yourdomain.csr/
code in to the generator. This will very based on your providers interface.

9. You should get four (4) files from your certificate provider.
*    - TrustExternalCARoot.crt (root file)
    - USERTrustRSAAddTrust.crt (intermediate1 file)
    - RSADomainValidationSecureCA.crt (intermediate2 file)
    - YourDomain_com.crt (Domain file)*
10. You will need to create the following three files using the four files
from the provider and one file from the server.
11. Create your first bundle file using the following crt files, you can use
Notepad or vi or nano as your editors to paste these files in, you must do
them in order below. Name this file *yourdomain-bundle.crt* and it will be
located in the */etc/nginx/ssl* directory.
   
12. Create your private key with entire Trust chain, like before use
notepad, vi or nano as your editor, make sure to save this file as
*yourdomain_priv.key* in */etc/nginx/ssl/private/ *directory.


13. Because this is nginx I highly recommend generating a *dhparam.pem* file
use the following command:
*openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2046*  
Note: this may take up to 45 minutes to generate depending on your system
performance. Mine generated in 120 second or so.

14. Navigate to */etc/nginx/conf.d*
15. vi in to *guacamole_ssl.conf *make the following edits to the file as
seen below.

16. Exit and restart nginx using the following command: *systemctl restart
nginx*
17. The most important part is to secure all the files, make sure you are*
/etc/nginx* then issue the command: *chmod -R 600 ssl/**

Hope this helps some out there.

Thank You



--
Sent from: http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/

Mime
View raw message