Alfresco SSL Site Certificate Installation

andybarzyk
Active Member

Alfresco SSL Site Certificate Installation

I am running the community version of Alfresco 5 on Windows. I used the exe installer.

I have created a public cert and imported both the public SSL cert and the intermediate CA cert into the live truststore and keystore. I have been reading documentation for several days and cannot find anywhere that describes how to make the Alfresco Share actually start using the new public cert.

Why is this rocket science???

Where is the cert identified???

Any help would be much appreciated.

6 Replies
angelborroy
Expert

Re: Alfresco SSL Site Certificate Installation

Hope this helps: Configuring Alfresco SSL certificates | Programming and So 

Software Engineer in Alfresco Search Team.
andybarzyk
Active Member

Re: Alfresco SSL Site Certificate Installation

Thanks for the reply. I have from the beginning generated public certs from letsencrypt.org with the subject name for my public site. I can't figure out how to make the Alfresco website use that public certificate. I ran the script and replaced the built-in certs with new self-signed ones -- the new cert shows up on the website but it's still not trusted because it's for "Alfresco Repository" instead of my public site's URL. My cert with the public URL for a subject name is in the stores but the site will not use it.

What tells Alfresco which cert to use?

andybarzyk
Active Member

Re: Alfresco SSL Site Certificate Installation

In your documentation to import the public cert:

The simplest is to rename that issued certificates as ssl.repo.crt for Alfresco side and ssl.repo.client.crt for SOLR side and then copy both them to CERTIFICATE_HOME folder set in generate_keystores.sh script. After that, comment or remove any line starting with "$JAVA_HOME/bin/keytool" and execute the script.

If I comment out everything starting with "$JAVA_HOME/bin/keytool" the script does nothing but set some environment variables and tries to copy the files that it did not generate... all the keystores and truststores...

Sorry, but I'm really lost here...

angelborroy
Expert

Re: Alfresco SSL Site Certificate Installation

First thing is that I'm never using this approach to provide SSL to Alfresco. Usually, I configure an Apache HTTPd or NGINX in front of Alfresco Tomcat and I include my SSL certificates in this HTTP server.

Anyway, if you want to configure your certificates using Tomcat, just create the stores and certificates described in the post by hand or by using Axel Faust's script (also included in the post).

Sorry, but I'm afraid I cannot be clearer at this point.

Software Engineer in Alfresco Search Team.
p_bodnar
Active Member

Re: Alfresco SSL Site Certificate Installation

Andrew Barzyk, the first thing to realize is that the SSL certificates you work with according to the Alfresco documentation are for internal communication of Alfresco repository with Solr (and vice versa). From your original question though, it looks like you want just to add a certificate to your Tomcat (or to an Apache proxy as mentioned by Angel Borroy) in a general way, so that clients (browsers) communicate with your Share application via SSL.

BTW If you let clients access Alfresco / Share only via a proxy like Apache, which is a recommended installation, you don't need to bother with the Alfresco-Solr certificates anymore provided that you block access to the Solr application and Alfresco Solr webscripts URLs by the proxy. This and more stuff around Solr is not quite clear from the official Alfresco documentation, IMO, so I don't wonder that one can get confused from it all...
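
The setup described in the replies above (TLS terminated on a front-end HTTP server, with the Solr application and the repository's Solr web script URLs blocked at the proxy), sketched as an NGINX configuration. This is an added example, not configuration posted by anyone in the thread. The hostname, the certificate paths, the Tomcat address 127.0.0.1:8080 and the exact Solr URL patterns are assumptions to adjust for your installation.

```nginx
# Added example: TLS-terminating reverse proxy in front of Alfresco Tomcat.
# Assumed values: alfresco.example.com, the certificate paths, 127.0.0.1:8080.

server {
    listen 80;
    server_name alfresco.example.com;            # placeholder hostname
    return 301 https://$host$request_uri;        # send plain HTTP to HTTPS
}

server {
    listen 443 ssl;
    server_name alfresco.example.com;

    # Publicly trusted certificate (leaf plus intermediate chain) and its key.
    # The certificate's subject/SAN must match server_name, which is what
    # browsers check; the Alfresco keystores are not involved here.
    ssl_certificate     /etc/letsencrypt/live/alfresco.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/alfresco.example.com/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Pass the original host and scheme to Tomcat (inherited by the locations).
    proxy_set_header Host              $host;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    # Block the Solr application and the repository's Solr web scripts, so the
    # repository <-> Solr channel is never reachable through the proxy.
    # Assumed patterns: /solr* and /alfresco/{s,service,wcs,wcservice}/api/solr/.
    location ^~ /solr {
        return 403;
    }
    location ~ ^/alfresco/(s|service|wcs|wcservice)/api/solr/ {
        return 403;
    }

    # Everything else for Share and the repository goes to Tomcat over HTTP.
    location = / {
        return 302 /share/;
    }
    location /share/ {
        proxy_pass http://127.0.0.1:8080;
    }
    location /alfresco/ {
        proxy_pass http://127.0.0.1:8080;
    }
}
```

After a reload, a request to `/solr4/` or `/alfresco/service/api/solr/` through the proxy should return 403, and Tomcat's own ports should be firewalled so they are reachable only from the proxy host.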

andybarzyk
Active Member

Re: Alfresco SSL Site Certificate Installation

Thanks guys, I gave up trying to install public certs on Alfresco and fired up an Ubuntu/Squid reverse proxy -- everyone was right, the proxy was the way to go. I multi-homed it and threw the public interface in the DMZ. I now have a proxy that can do header-checking for multiple sites! Thanks to everyone!