Added instructions for generating TLS certs

Key Networks 2017-12-30 11:06:57 +08:00
parent 49a3319e58
commit 234c68a4d1
2 changed files with 51 additions and 0 deletions

@ -6,6 +6,9 @@ Screenshots can be seen at [key-networks.com](https://key-networks.com).
## Getting Started ## Getting Started
### Note
Relative directory references below are relative to the ztncui directory.
### Prerequisites ### Prerequisites
* ztncui is a [node.js](https://nodejs.org) [Express](https://expressjs.com) application that requires [node.js](https://nodejs.org) v8 or higher. * ztncui is a [node.js](https://nodejs.org) [Express](https://expressjs.com) application that requires [node.js](https://nodejs.org) v8 or higher.
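Review bot: the new `### Note` sits as a full subsection between `## Getting Started` and `### Prerequisites` for one sentence; a `> **Note:**` blockquote directly under `## Getting Started` would read better and keep the table of contents to real sections. Also consider naming the directory once, e.g. "relative to the `ztncui` directory (the repository root)", since the later steps alternate between `etc/tls` and "the root of the ztncui directory".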
@ -128,6 +131,52 @@ HTTPS_HOST=12.34.56.78
``` ```
If HTTPS_HOST is not specified, but HTTPS_PORT is specified, then the app will listen for HTTPS requests on all interfaces. If HTTPS_HOST is not specified, but HTTPS_PORT is specified, then the app will listen for HTTPS requests on all interfaces.
###### TLS Certificate
For HTTPS you obviously need a TLS (SSL) certificate and private key pair. There are a few options:
1. Generate a self-signed certificate as follows:
```shell
cd etc/tls
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout privkey.pem -out fullchain.pem
```
Fill in the required details as prompted.
The advantage of this option is that it is quick and easy to generate the certificate / private key pair. The disadvantage is that your web browser will give you a warning that it cannot verify the certificate. You can override this warning and make a temporary exception.
2. Buy a certificate:
You will need to store the private key as `etc/tls/privkey.pem` and the full certificate chain as `etc/tls/fullchain.pem`. They need to be in PEM format.
3. Get a free certificate from Letsencrypt.org:
a. Install certbot by following the instructions at certbot.eff.org:
i. For "Software" select "None of the above".
ii. For "System" select your OS.
iii. Follow the instructions to install certbot on your system.
b. Use certbot to generate a certificate in webroot mode from the root of the ztncui directory:
```shell
certbot --webroot -w public -d [network_controller_fqdn]
```
Where **[network_controller_fqdn]** is the FQDN that resolves back to the address of the machine running the ZeroTier network controller and ztncui.
If certbot runs successfully, it should give you the location of your certificate, which should be something like:
```
/etc/letsencrypt/live/[network_controller_fqdn]/fullchain.pem
```
c. Make soft links from etc/tls to the certificate and private key under /etc/letsencrypt/live:
```shell
cd etc/tls
ln -s /etc/letsencrypt/live/[network_controller_fqdn]/fullchain.pem
ln -s /etc/letsencrypt/live/[network_controller_fqdn]/privkey.pem
```
###### Test HTTPS access
Once you have a certificate at `etc/tls/fullchain.pem` and private key at `etc/tls/privkey.pem`, you should be able to access ztncui over HTTPS on the port specified by HTTPS_PORT.
##### 9. Remote access via SSH ##### 9. Remote access via SSH
###### SSH tunnel from Linux / Unix / macOS client ###### SSH tunnel from Linux / Unix / macOS client
An SSH tunnel can be established with: An SSH tunnel can be established with:
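Review bot: step 3b runs `certbot --webroot -w public -d [network_controller_fqdn]` without the `certonly` subcommand; webroot is an authenticator-only plugin, and without `certonly` certbot also tries to pick an installer, so the documented invocation is `certbot certonly --webroot -w public -d [network_controller_fqdn]`. The text should also state that webroot validation requires the `public` directory to be reachable over plain HTTP on port 80 at that FQDN during issuance, and that the symlinks in step 3c point into `/etc/letsencrypt/live`, which certbot creates root-only, so a ztncui process running as an unprivileged user will fail to read `privkey.pem`; copying the files from a certbot `--deploy-hook` (which can also restart ztncui so a renewed certificate is actually loaded) is the usual answer. For option 1, `-nodes` writes an unencrypted key, which an unattended server needs, but a `chmod 600 privkey.pem` line belongs next to it, and because the interactive `openssl req` produces a certificate with no subjectAltName, current browsers reject it even when the CN matches; adding `-addext "subjectAltName=DNS:[network_controller_fqdn]"` (OpenSSL 1.1.1 and later) makes the self-signed option work as described.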

@ -0,0 +1,2 @@
*
!.gitignore
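Review bot: `*` with `!.gitignore` is the right default here, since it keeps `etc/tls` present in the repository while excluding `privkey.pem`, `fullchain.pem` and the symlinks from step 3c from commits; the README's TLS section should mention that `etc/tls` is git-ignored so users are not surprised when their key and certificate do not show up in `git status`.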