SSL Certificates and Nginx - Appsembler

SSL Certificates and Nginx

Variables to include in server-vars.yml

	NGINX_ENABLE_SSL: true
	NGINX_SSL_CERTIFICATE: "/path/to/STAR.example.com-bundle.crt"
	NGINX_SSL_KEY: "/path/to/STAR.example.com.key"
	NGINX_SET_X_FORWARDED_HEADERS: True # True only when nginx terminates TLS itself (no load balancer in front); if a load balancer already sets X-Forwarded-*, leave it False so nginx does not overwrite the real client address
	EDXAPP_LMS_NGINX_PORT: 80
	EDXAPP_LMS_SSL_NGINX_PORT: 443
	EDXAPP_LMS_PREVIEW_NGINX_PORT: 80
	EDXAPP_CMS_NGINX_PORT: 80
	EDXAPP_CMS_SSL_NGINX_PORT: 443

	nginx_sites:
	  - cms
	  - lms
	  - forum
	  - ora
	  - xqueue

	nginx_default_sites:
	  - lms

	# placeholders: these become the HTTP Basic Auth gate in front of every site, so replace them with real credentials before deploying
	COMMON_HTPASSWD_USER: "user"
	COMMON_HTPASSWD_PASS: "pass"
	COMMON_ENABLE_BASIC_AUTH: True

	# only if Studio is not served at the default studio.example.com (e.g. edxstudio.example.com):
	# CMS_HOSTNAME is the nginx server_name used for the Studio redirect. The value is a regex
	# (leading ~) anchored at ^, so adjust it until it matches the actual Studio hostname.
	CMS_HOSTNAME: '~^((stage|prod)-)?studio.*'

Chaining Certificates

If the CA delivers the server certificate and the intermediate certificate(s) as separate .crt files, concatenate them into one PEM bundle: server certificate first, then the intermediate(s) in signing order (leave out the root; clients already trust it). This bundle is the file NGINX_SSL_CERTIFICATE points at. Use > rather than >> so a re-run replaces the file instead of appending a second copy to a stale one:

e.g.:

cat STAR.example.com.crt STAR.example.com-intermediate.crt > STAR.example.com-bundle.crt
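The bundling step above, as an added example that is not Appsembler's or edx-configuration's tooling: a POSIX shell script that builds the bundle in the right order and then checks it the way nginx will, before anything is reloaded. The CA-issued files are stood in for by a throwaway root/intermediate/leaf generated with openssl in a temp directory (a constructed stand-in; every file name is an assumption). The first check is the same key/certificate match nginx performs at startup on NGINX_SSL_CERTIFICATE and NGINX_SSL_KEY, the second proves the intermediate is actually present and in the right place.

```shell
#!/bin/sh
# Added example (not Appsembler's or edx-configuration's tooling): build the
# leaf+intermediate PEM bundle that NGINX_SSL_CERTIFICATE points at, and check it
# before nginx is reloaded. The CA-issued files are stood in for by a throwaway
# root/intermediate/leaf generated here; every file name is an assumption.
set -u
command -v openssl >/dev/null 2>&1 || { echo "openssl is required" >&2; exit 1; }
WORK=$(mktemp -d)

# newkey_csr NAME CN : fresh 2048-bit RSA key and CSR under $WORK
newkey_csr() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1 || exit 1
}

# --- constructed PKI: root -> intermediate -> *.example.com -------------------
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:*.example.com,DNS:example.com\n' > "$WORK/leaf.ext"
newkey_csr root "Example Test Root"
openssl x509 -req -days 1 -in "$WORK/root.csr" -signkey "$WORK/root.key" \
  -extfile "$WORK/ca.ext" -out "$WORK/root.crt" >/dev/null 2>&1 || exit 1
newkey_csr int "Example Test Intermediate"      # CA:TRUE is required for the chain to verify
openssl x509 -req -days 1 -in "$WORK/int.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
  -CAcreateserial -extfile "$WORK/ca.ext" -out "$WORK/int.crt" >/dev/null 2>&1 || exit 1
newkey_csr leaf "*.example.com"                 # stands in for STAR.example.com.crt
openssl x509 -req -days 1 -in "$WORK/leaf.csr" -CA "$WORK/int.crt" -CAkey "$WORK/int.key" \
  -CAcreateserial -extfile "$WORK/leaf.ext" -out "$WORK/leaf.crt" >/dev/null 2>&1 || exit 1

# make_bundle LEAF INTERMEDIATE OUT : server cert first, then its issuer(s);
# '>' rather than '>>' so a re-run replaces a stale bundle instead of appending to it
make_bundle() {
  cat "$1" "$2" > "$3"
}

# check_bundle BUNDLE KEY ROOT : succeeds (prints ok) only if
#  1. the FIRST cert in BUNDLE is the one for KEY -- nginx serves the first cert
#     as the server cert and refuses to start on a key/cert mismatch, and
#  2. that cert chains to ROOT using the remaining certs in BUNDLE as untrusted
#     intermediates, i.e. the intermediate was actually included.
check_bundle() {
  bundle=$1; key=$2; root=$3
  cert_pub=$(openssl x509 -in "$bundle" -noout -pubkey 2>/dev/null)   # reads the first cert only
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
  if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
    echo "first certificate in $bundle does not match $key" >&2
    return 1
  fi
  openssl x509 -in "$bundle" -out "$bundle.first" 2>/dev/null
  if ! openssl verify -CAfile "$root" -untrusted "$bundle" "$bundle.first" >/dev/null 2>&1; then
    echo "$bundle does not chain to $root (missing or misplaced intermediate?)" >&2
    return 1
  fi
  echo ok
}

make_bundle "$WORK/leaf.crt" "$WORK/int.crt" "$WORK/STAR.example.com-bundle.crt"
make_bundle "$WORK/int.crt" "$WORK/leaf.crt" "$WORK/reversed-bundle.crt"   # wrong order
check_bundle "$WORK/STAR.example.com-bundle.crt" "$WORK/leaf.key" "$WORK/root.crt"
```

For a real deployment, run check_bundle against the CA-issued bundle and key with the CA's root certificate (or the system trust store via -CApath) as ROOT; a reversed bundle fails the first check, a bundle with the intermediate left out fails the second. Both are conditions nginx either refuses to start on or that browsers reject with an "unknown issuer" error.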

Configuring Nginx with Ansible

Run the nginx role. The command is long because the nginx templates need default port numbers and paths that are defined in several other roles, so each of those roles' defaults/main.yml is passed with -e@. Pass server-vars.yml after all of the defaults files so that its values override them. Note that the inline -e JSON at the very end takes precedence over everything before it, including server-vars.yml, so the nginx_sites and nginx_default_sites given there are the ones that take effect.

ansible-playbook ./run_role.yml -vvvv -i "localhost," -c local -e role=nginx \
  -e@/edx/app/edx_ansible/edx_ansible/playbooks/roles/edxapp/defaults/main.yml \
  -e@/edx/app/edx_ansible/edx_ansible/playbooks/roles/forum/defaults/main.yml \
  -e@/edx/app/edx_ansible/edx_ansible/playbooks/roles/xqueue/defaults/main.yml \
  -e@/edx/app/edx_ansible/edx_ansible/playbooks/roles/certs/defaults/main.yml \
  -e@/edx/app/edx_ansible/server-vars.yml \
  -e'{"nginx_sites":["lms", "cms"]}' -e'{"nginx_default_sites": ["lms"]}'

The customer should provide a wildcard SSL certificate for *.learning.example.com with a Subject Alternative Name (SAN) for learning.example.com. A wildcard matches only one label to the left of the domain and does not cover the bare domain, so both entries are needed.

The wildcard covers:

studio.learning.example.com

preview.learning.example.com

and the SAN covers:

learning.example.com

Generating a CSR

Use the website:
https://www.digicert.com/easy-csr/openssl.htm

and provide the required information:

e.g.

Common Name: example.com

Organization: NodeRabbit Inc.

Department: Appsembler

City: Cambridge

State/Province: Massachusetts

Country: USA

Key Size: 2048

The page then produces a command like:

openssl req -new -newkey rsa:2048 -nodes -out example_com.csr -keyout example_com.key -subj "/C=US/ST=Massachusetts/L=Cambridge/O=NodeRabbit Inc./OU=Appsembler/CN=example.com"

Run it in a terminal with OpenSSL installed; it writes two files:

example_com.csr (the certificate signing request, which is what goes to the CA)

example_com.key (the private key; it is never sent to the CA, stays on the server, and should be readable only by root, e.g. chmod 600)

When handing the CSR to the CA, ask for SANs covering the subdomains (in this case: *.example.com) as well as the bare domain. The command above puts the name only in the Common Name; current browsers ignore the CN and match the hostname against the SAN list only, so a certificate without the SAN entries will not validate even if the CN is right. Alternatively, include the subjectAltName extension in the CSR itself, though many CAs take the SAN list from the order form rather than from the CSR.

Note:

All certificates requested from 1 January 2016 on should be generated with the -sha256 flag: public CAs stopped issuing SHA-1-signed certificates on that date, and Chrome flags SHA-1 certificates as insecure. The flag signs the CSR with SHA-256; the signature hash in the issued certificate is chosen by the CA, which will be SHA-256 for any new certificate. Change the above example to:

openssl req -new -newkey rsa:2048 -nodes -out example_com.csr -keyout example_com.key -subj "/C=US/ST=Massachusetts/L=Cambridge/O=NodeRabbit Inc./OU=Appsembler/CN=example.com" -sha256
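The CSR procedure above, including the SAN request and the -sha256 note, as an added example (not the DigiCert wizard's output and not Appsembler's own script): it generates the key and CSR for the *.learning.example.com case from earlier on this page with the SANs already inside the CSR and signed with SHA-256, then inspects the CSR so that a CN-only or SHA-1 request is caught before anything is sent to the CA. The config file, its section names and the output file names are assumptions; the DN values are the ones this page uses.

```shell
#!/bin/sh
# Added example, not the DigiCert tool's output nor Appsembler's script: generate
# the CSR with the SANs already in it and a SHA-256 signature, then check it.
# DN values and hostnames are taken from this page; file names are assumptions.
set -u
command -v openssl >/dev/null 2>&1 || { echo "openssl is required" >&2; exit 1; }
WORK=$(mktemp -d)
umask 077   # the private key is created 0600 from the start

# write_csr_config OUT : a req config carrying the DN plus a subjectAltName
# extension; a config file works on every OpenSSL version (-addext needs 1.1.1+)
write_csr_config() {
  cat > "$1" <<'EOF'
[req]
prompt = no
distinguished_name = dn
req_extensions = san
[dn]
C = US
ST = Massachusetts
L = Cambridge
O = NodeRabbit Inc.
OU = Appsembler
CN = *.learning.example.com
[san]
subjectAltName = DNS:*.learning.example.com, DNS:learning.example.com
EOF
}

# make_csr CONFIG KEYOUT CSROUT : new 2048-bit RSA key + CSR signed with SHA-256
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -config "$1" -keyout "$2" -out "$3" >/dev/null 2>&1
}

# csr_text CSR : decoded CSR, used by the checks below
csr_text() {
  openssl req -in "$1" -noout -text
}

# csr_has_san CSR NAME : 0 if NAME is present as a DNS SAN in the CSR
csr_has_san() {
  csr_text "$1" | grep -qF -- "DNS:$2"
}

# csr_sig_alg CSR : signature algorithm of the CSR (expect sha256WithRSAEncryption)
csr_sig_alg() {
  csr_text "$1" | awk '/Signature Algorithm/ { print $3; exit }'
}

# csr_matches_key CSR KEY : 0 if the CSR's public key is the one in KEY
csr_matches_key() {
  [ "$(openssl req -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

write_csr_config "$WORK/csr.cnf"
make_csr "$WORK/csr.cnf" "$WORK/learning_example_com.key" "$WORK/learning_example_com.csr"
csr_sig_alg "$WORK/learning_example_com.csr"   # prints sha256WithRSAEncryption
```

Only the .csr leaves the machine; the .key stays where nginx will read it. Even with the SANs in the CSR, confirm on the CA's order form that both *.learning.example.com and learning.example.com are listed, since some CAs build the certificate's SAN list from the order rather than from the CSR; the same checks run against the issued certificate with openssl x509 -in cert -noout -text tell you whether that happened.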