NEMS SSL and Self-Signed Certificates

My browser warns, "Your connection is not secure". Why?

NEMS Linux uses SSL (aka https) to encrypt the connection between your browser and your NEMS server, protecting the data you send to and receive from it.

This is accomplished using what is called a self-signed certificate. By nature, self-signed certificates are considered “untrusted” by your browser because, simply put, anyone can make one. That does not mean your connection is unencrypted or insecure; it means your browser cannot determine who created the certificate and therefore cannot verify that the server is the one it claims to be.

If you visit a public web site, say google.com, and receive a warning that your connection is not secure, you should immediately stop what you're doing and not proceed. However, in the case of NEMS Linux, which is a local server on your network (not a “dot com” somewhere out on the web), you can safely trust the self-signed certificate and add an exception to your browser.

Where do the NEMS Self-Signed Certificates come from?

When you first deploy NEMS, a “default” certificate is included to help you get up and running. However, since this certificate (and the private key it needs) is publicly available in the NEMS source code and the downloadable image, anyone who has the image has that key too, so it is only used for your initial connection.

It can be a bit of a pain for novice users to set up SSL certificates, so like many other things with NEMS, I set out to make it easier and wrote code to do so.

When running nems-init, you will be asked to fill in the following:

  • Country Code - This is your two-letter country code: US for the United States of America, or CA for Canada, for example.
  • Province/State - The textual representation of your province/state. For me, this is: Ontario
  • Your City - The textual name of your city. For me, this is: Barrie
  • Company Name or Your Name - Like all other fields for your cert, you have to fill this in. If you don't have a company, just use your name or make something up.
  • Your email address - Your complete email address. This will not be shared, but it is required to generate a self-signed certificate.

The rest has been fully automated for you. The certificate is generated and added to your NEMS configuration, and from then on all services will use your newly created self-signed certificate.

What type of certificate is created?

NEMS generates SHA-256 signed certificates with a 2048-bit RSA key. These certificates are valid for 10 years from the date they are created. You can view your certificate's details with nems-info.
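The procedure nems-init automates (the five subject fields above, then a SHA-256 / 2048-bit RSA certificate valid for 10 years), as an added example that is not the nems-init code itself: a POSIX shell script that builds the subject from those fields, generates the key and certificate with openssl, and inspects the result the way nems-info would. The output directory, file names and the sample subject values are assumptions.

```shell
#!/bin/sh
# Added example, not NEMS code: reproduce what nems-init does for the
# certificate step. Directory, file names and subject values are assumed.
set -eu

OUT_DIR="${OUT_DIR:-./nems-cert-example}"
mkdir -p "$OUT_DIR"

# Build the X.509 subject from the five fields nems-init asks for.
# Arguments: country state city org email
make_subject() {
    printf '/C=%s/ST=%s/L=%s/O=%s/emailAddress=%s' "$1" "$2" "$3" "$4" "$5"
}

# Generate a 2048-bit RSA key and a SHA-256 self-signed certificate.
# 3650 days is the page's 10-year lifetime; -nodes leaves the key
# unencrypted so services can start without a passphrase prompt.
generate_cert() {
    subj="$(make_subject "$@")"
    openssl req -x509 -newkey rsa:2048 -sha256 -days 3650 -nodes \
        -subj "$subj" \
        -keyout "$OUT_DIR/nems.key" -out "$OUT_DIR/nems.crt" 2>/dev/null
    chmod 600 "$OUT_DIR/nems.key"   # private key: owner-readable only
}

# Show the details the page says nems-info reports: signature algorithm,
# key size, subject and validity window.
cert_summary() {
    openssl x509 -in "$OUT_DIR/nems.crt" -noout -text |
        grep -E 'Signature Algorithm|Public-Key|Subject:|Not (Before|After)'
}

# Succeeds only if the certificate has not expired on this machine's
# clock; a wrong system date is exactly what breaks browser connections.
cert_valid_now() {
    openssl x509 -in "$OUT_DIR/nems.crt" -noout -checkend 0 >/dev/null
}

generate_cert CA Ontario Barrie "Example Org" admin@example.com
cert_summary
cert_valid_now && echo "certificate is within its validity period"
```

Run it once and compare the printed Not Before / Not After window against the clock on the machine you browse from; a mismatch there is the date-and-time problem described under the troubleshooting questions.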

I screwed up while entering the information for my cert. How do I go back?

Yeah, you've gotta be careful to enter everything meticulously during nems-init. If you mess up, you'll need to log in as the user you created (nemsadmin is disabled at that point) and run nems-init again. You'll notice a few “user already exists” errors as nems-init tries to create user settings, but that's not a problem.

Remember as you read this: every time you run nems-init, your entire configuration is wiped and started from a fresh install. Do not do this after you've set up your hosts, services, etc., without first taking a backup.

Now that I have self-signed certs, how do I connect to NEMS?

Your browser will warn you that the site is untrusted the first time you connect. It will also provide an “Advanced” option where you can “Add Exception”.

I added a permanent exception, then reinstalled or upgraded NEMS, and now I can't connect.

A reinstall or upgrade generates a new certificate, so the exception you stored no longer matches it. Remove the old certificate from your browser's exception list, restart the browser, and try again.

It's still not working.

Check (and fix) the date and time on both your NEMS server and your computer. If either is wrong, the certificate's validity period won't line up with the clock and your browser will refuse to connect.

NEMS has NTP installed, so as long as you set your locale correctly during nems-init, the time and date should be correct.

self-signed-certs.txt · Last modified: 2017/11/08 14:03 by Robbie Ferguson