By default, the connection to the Runecast Analyzer web interface is secured using a self-signed SSL certificate. We recommend replacing it with a CA-signed certificate. After you obtain the certificate in the PEM format, you can replace the default one by following the steps below:
Info: Runecast Analyzer supports X.509 certificates in the PEM format to encrypt session information sent over SSL connection.
- If SSH access is not enabled, please see section How to enable SSH access.
- Initiate SSH session to Runecast Analyzer.
- Login with
- In the directory
/etc/runecast/cert, rename the existing certificates:
sudo mv rc2.crt orig.rc2.crt sudo mv rc2.key orig.rc2.key
- Copy the new certificate and key to
- from the appliance initiate file transfer:
sudo scp <username>@<remoteHost>:/location/<your file>.crt /etc/runecast/cert/<your file>.crt sudo scp <username>@<remoteHost>:/location/<your file>.key /etc/runecast/cert/<your file>.key
- as an alternative, you can copy the certificate files to Runecast Analyzer using SCP client. In this case, you will not be able to upload them directly to
/etc/runecast/cert/directory. Initially, they can be placed in the
/tmpdirectory and then moved with elevated privileges:
sudo mv /tmp/<your file>.crt /etc/runecast/cert/<your file>.crt sudo mv /tmp/<your file>.key /etc/runecast/cert/<your file>.key
- In the directory
/etc/runecast/certrename the new certificate and key to
sudo mv <your file>.crt rc2.crt sudo mv <your file>.key rc2.key
- The copy process of the certificate files to Runecast Analyzer may not assign the proper permissions. Please review them by using the following command:
ls -la /etc/runecast/cert/
- If the permissions on your new certificate files are not
root:rctomcatrun the commands below:
sudo chown root:rctomcat rc2.crt sudo chown root:rctomcat rc2.key sudo chmod 640 rc2.crt sudo chmod 640 rc2.key
- If your key is password-protected, add the password into
/etc/runecast/nginx/ssl_passwords.txtfile using the following command:
echo "<password>" | sudo tee /etc/runecast/nginx/ssl_passwords.txt
- Restart the nginx service:
sudo systemctl restart nginx
Tip: If after performing the steps the certificate is still untrusted in the browser, make sure:
- The certificate contains the SAN field.
- The certificate
.crtfile includes all the intermediate certificate authorities certificates. The file should start with the appliance certificate.
Note: If after changing the certificate and restarting nginx the daemon fails to start, review the file permissions (step 8). If the certificate is password protected, make sure you set the password (step 9).