
Creating the SSHepherd® C3 Server SSL Certificate

Quick Start: Create your SSHepherd® certificates using Let’s Encrypt

Install SSHepherd® using the provided install script with the Let’s Encrypt option to allow Let’s Encrypt to generate and manage your certificates.

If you have an existing certificate and won’t be using Let’s Encrypt, advance to the next section to verify your certificate and make any necessary changes.

If you have an existing domain and certificate

In order to install the SSHepherd® C3 Server, you will need a passwordless certificate file, in .PEM format, and a passwordless .KEY file, in .PEM format. Depending on your certificate file, you may need to add the intermediate certificates to it using a few simple commands. This section will guide you through verifying your certificate file and making any necessary changes.

Verify your certificate

Begin by verifying your SSL certificate.

Run the following openssl command (replace <certificate file name> with the name of your cert file):

openssl verify <certificate file name>

Example: openssl verify mycert.pem

If the command returns something similar to the error below, you will need to add additional certificates to your certificate file.

CN = mydomain.com
error 20 at 0 depth lookup: unable to get local issuer certificate
error mycert.pem: verification failed

Most issuers have bundles, and the filename will usually contain the word “bundle”. You will need to append the contents of your “bundle” certificate file to your certificate file used with SSHepherd®.

Combining certificate files

Example Linux command:

cat mycert.pem CA_Bundle.pem > combined.pem

To verify the new combined.pem file:

openssl verify -untrusted <( { openssl x509 >/dev/null; cat; } < combined.pem ) <(openssl x509 < combined.pem)

If done correctly, the above command should return something like:

/dev/fd/62: OK

If so, your certificate file is now ready to use for your SSHepherd® C3 Server Install (you want to use combined.pem going forward).
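The following pre-flight script is an added example, not part of the SSHepherd® install scripts or this article. It automates the checks above before you feed a certificate to the installer: the key must be passwordless, the combined file must actually contain more than one certificate, and the concatenation must not glue the leaf's END line to the bundle's BEGIN line (which happens when mycert.pem has no trailing newline) or carry Windows line endings. The file names (mycert.pem, CA_Bundle.pem, mykey.pem, combined.pem) are only the ones used in this article; verify_chain reproduces the openssl verify -untrusted check with temporary files instead of the process-substitution one-liner, so it also runs under plain sh.

```shell
#!/bin/sh
# Added example: pre-flight checks for the certificate files described above.
# Needs only sh, grep, awk and coreutils; openssl is required just for verify_chain.

# Count PEM certificate blocks in a file.
pem_cert_count() {
  grep -c -e '-----BEGIN CERTIFICATE-----' "$1"
}

# Succeed if the private key carries no encrypted-PEM markers (passwordless key).
key_is_passwordless() {
  ! grep -q -E -e 'BEGIN ENCRYPTED PRIVATE KEY|Proc-Type: 4,ENCRYPTED' "$1"
}

# Succeed if the file is non-empty, uses LF line endings and ends with a newline,
# i.e. it is safe to concatenate with another PEM file.
pem_is_clean() {
  [ -s "$1" ] && ! grep -q "$(printf '\r')" "$1" && [ -z "$(tail -c 1 "$1")" ]
}

# Write leaf + bundle to the output file, inserting a newline between them if the
# leaf file lacks one and stripping carriage returns from both.
# usage: combine_certs mycert.pem CA_Bundle.pem combined.pem
combine_certs() {
  leaf=$1; bundle=$2; out=$3
  { cat "$leaf"; [ -z "$(tail -c 1 "$leaf")" ] || echo; cat "$bundle"; } | tr -d '\r' > "$out"
}

# Verify the first certificate in the file against the rest of the file, which is
# treated as the untrusted intermediate chain (same check as openssl verify -untrusted).
verify_chain() {
  command -v openssl >/dev/null 2>&1 || { echo "openssl not found, skipping chain verification" >&2; return 2; }
  leaf=$(mktemp); rest=$(mktemp)
  openssl x509 -in "$1" -out "$leaf"                          # first certificate only
  awk '/-----BEGIN CERTIFICATE-----/{n++} n>=2' "$1" > "$rest" # everything from the second cert on
  openssl verify -untrusted "$rest" "$leaf"
  rc=$?
  rm -f "$leaf" "$rest"
  return $rc
}

# Run all checks and produce the combined file.
# usage: preflight mycert.pem CA_Bundle.pem mykey.pem combined.pem
preflight() {
  cert=$1; bundle=$2; key=$3; out=$4
  key_is_passwordless "$key" || { echo "ERROR: $key is password protected; an unencrypted key is required" >&2; return 1; }
  combine_certs "$cert" "$bundle" "$out" || return 1
  n=$(pem_cert_count "$out")
  [ "$n" -ge 2 ] || { echo "ERROR: $out holds only $n certificate(s); intermediates are missing" >&2; return 1; }
  pem_is_clean "$out" || { echo "ERROR: $out is not a clean LF-terminated PEM file" >&2; return 1; }
  echo "$out contains $n certificates"
  verify_chain "$out"
}

# Run directly with four arguments, e.g.: ./preflight.sh mycert.pem CA_Bundle.pem mykey.pem combined.pem
if [ $# -ge 4 ]; then
  preflight "$@"
fi
```

If verify_chain prints "OK", use combined.pem as the <crt file> argument for the installer; a "unable to get local issuer certificate" result here means the bundle you appended does not chain up to the leaf's issuer, so the intermediate certificates have to come from your issuer's bundle for that certificate.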

What if I completed the C3 server install using an unsupported certificate file?

If you complete the install using an unsupported certificate file, you will be unable to create your initial administrator user account and will see an SSL error instead. Fortunately, you can resolve this by creating a combined certificate file using the steps above, and then running the following commands to remove the old certificate and import the new combined certificate on your C3 server.

These commands will remove the old certificate and import the new certificate:

Microk8s

Note: Replace $keyFile and $crtFile with your actual file names.

microk8s kubectl -n sshepherd delete secret aks-ingress-tls

microk8s kubectl -n sshepherd create secret tls aks-ingress-tls --key $keyFile --cert $crtFile

After the above commands are complete, run the install command again (Step 9 in the C3 install guide):

$ ./shepserver-microk8s.sh <hostname> <crt file> <unencrypted key file> <registry host> <registry user> <registry password>

Azure AKS

Note: Replace $keyFile and $crtFile with your actual file names.

kubectl -n sshepherd delete secret aks-ingress-tls

kubectl -n sshepherd create secret tls aks-ingress-tls --key $keyFile --cert $crtFile

After the above commands are complete, run the install command again (Step 6 in the C3 install guide):

$ ./shepserver-microk8s.sh <hostname> <crt file> <unencrypted key file> <registry host> <registry user> <registry password>
