SSL certificates

By default, Buddy self-hosted uses a self-signed SSL certificate. This article describes how to get and apply a custom-domain SSL certificate to replace the self-signed one.

Warning
All commands listed in the article must be run as root.

Purchasing the certificate

When you buy a certificate, you may be asked to provide a Certificate Signing Request (CSR) file. To generate such a file, run this command and provide the requested data:

    openssl req -new -newkey rsa:2048 -nodes -keyout domain.key -out domain.csr

This command creates two files:

  • domain.csr – a Certificate Signing Request (CSR)
  • domain.key – a private key used to set up the certificate. Make sure to keep it safe and never share it with other users.

Generating the PEM file

The purchased certificate consists of two types of files:

  • SSL certificate – a single file, usually named domain.crt or domain.pem
  • Intermediate certificate – one or more files, usually named ca.pem

Using these files, you must generate a PEM file that you can upload to Buddy.

To create a PEM file, run this command in the directory that contains all your certificate files:

    cat domain.crt ca.pem domain.key > full.pem

If there is more than one intermediate certificate, the command looks like this:

    cat domain.crt ca.pem ca1.pem ca2.pem domain.key > full.pem
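
The following is an added example, not part of Buddy's documentation or tooling. It builds full.pem in the same order as the cat commands, but first confirms that domain.key belongs to domain.crt, and afterwards checks that the blocks are well separated with the key last. The function names are this example's own, it needs the openssl command-line tool, and the "at least one intermediate" rule is an assumption taken from the file list in this section.

```shell
#!/usr/bin/env bash
# Added example, not Buddy's own tooling. All function names are this example's own.

# pem_layout FILE: print the type of every PEM block in FILE, in file order.
pem_layout() {
  tr -d '\r' < "$1" | sed -n 's/^-----BEGIN \(.*\)-----$/\1/p'
}

# check_layout FILE: succeed only if FILE is leaf + intermediate(s) + one key, key last.
check_layout() {
  local types certs keys
  # A source file without a trailing newline makes cat glue two markers together.
  if tr -d '\r' < "$1" | grep -q '.-----BEGIN'; then
    echo "$1: BEGIN marker not at start of line (missing newline in an input)" >&2
    return 1
  fi
  types=$(pem_layout "$1")
  certs=$(printf '%s\n' "$types" | grep -c '^CERTIFICATE$' || true)
  keys=$(printf '%s\n' "$types" | grep -c 'PRIVATE KEY$' || true)
  # Assumption from the page: a purchased certificate ships with >= 1 intermediate.
  [ "$certs" -ge 2 ] || { echo "$1: expected leaf + intermediate, got $certs" >&2; return 1; }
  [ "$keys" -eq 1 ] || { echo "$1: expected exactly 1 private key, got $keys" >&2; return 1; }
  case $(printf '%s\n' "$types" | tail -n 1) in
    *"PRIVATE KEY") ;;
    *) echo "$1: private key is not the last block" >&2; return 1 ;;
  esac
}

# key_matches_cert CERT KEY: compare the public key in CERT with the one derived from KEY.
key_matches_cert() {
  local from_cert from_key
  from_cert=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  from_key=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$from_cert" ] && [ "$from_cert" = "$from_key" ]
}

# build_full_pem OUT LEAF KEY INTERMEDIATE...: writes blocks in the page's cat order.
build_full_pem() {
  local out="$1" leaf="$2" key="$3" f
  shift 3
  key_matches_cert "$leaf" "$key" || { echo "$key does not match $leaf" >&2; return 1; }
  rm -f "$out"
  ( umask 077                      # full.pem holds the private key: owner-only
    for f in "$leaf" "$@" "$key"; do
      tr -d '\r' < "$f"; echo      # strip CRLF, force a newline between blocks
    done > "$out" )
  check_layout "$out"
}
# Usage: build_full_pem full.pem domain.crt domain.key ca.pem [ca1.pem ca2.pem]
```

check_layout can also be run on its own against a full.pem that was produced with plain cat.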

Activating the certificate

After you generate the PEM file, you can set the SSL certificate in Buddy. You can do it through the UI or using the Buddy CLI.

Setting the certificate in Buddy UI

  1. Sign in to your Buddy self-hosted instance as admin.
  2. Go to the Self-Hosted Admin panel and switch to the Network tab.
  3. Click Upload new PEM file in the SSL Certificate section.
  4. Upload the generated PEM file.
  5. Click Save changes.

[Image: Setting SSL certificate in Buddy UI]

Setting the certificate with Buddy CLI

  1. Sign in to the server where Buddy self-hosted is installed.
  2. Run this command to enter instance configuration:

    buddy configure
  3. Go to Custom domain SSL certificate.
  4. Press u & enter to update the certificate.
  5. Provide the absolute path to the full.pem file.
  6. Restart the application to apply changes.

Verifying the certificate

Once the certificate is set, it’s a good practice to scan it at ssllabs.com.

The page displays the contents of the certificate and tells you whether you need to download any missing parts. This may happen if your provider did not provide all required certificates or the certificates are invalid. In such a case, you have to copy the names of the certificates from ssllabs.com and look them up in Google. This way you can easily find the missing intermediate certificates and paste them into a correct full.pem file.

A properly generated certificate should look like this:

[Image: Properly generated SSL certificate]

Restoring the default certificate

You can restore the default self-signed certificate through Buddy CLI:

  1. Sign in to the server where Buddy self-hosted is installed.
  2. Run this command to enter instance configuration:

    buddy configure
  3. Go to Custom domain SSL certificate.
  4. Press c & enter to clear the certificate.
  5. Restart the application to apply changes.

Using the Let’s Encrypt certificate

To use a free Let’s Encrypt certificate, follow these steps:

  1. Sign in to the machine where Buddy Enterprise is installed.
  2. Run this command to enter instance configuration:

    buddy configure
  3. Go to Custom domain SSL certificate.
  4. Press l & enter to use the Let’s Encrypt certificate.
  5. Restart the application to apply changes.

Last modified on Sep 24, 2024