NEMS Linux uses SSL (aka https) connections to secure your connection and the data you transmit and receive to and from your NEMS server.
This is accomplished using what is called a self-signed certificate. By nature, self-signed certificates are considered “untrusted” by your browser because, simply put, anyone can make them. It does not mean your connection is not encrypted or secure, but rather it means your browser cannot determine who created the certificate, and therefore cannot verify who is on the other end of the connection.
If you visit a web site, say google.com, and receive a warning that your connection is not secure, you should immediately stop what you're doing and not proceed. However, in the case of NEMS Linux, which is a local server on your network (not a “dot com” somewhere out on the web), you can safely trust the self-signed certificates and add an exception to your browser.
When you first deploy NEMS, a “default” certificate is included to help you get up and running. However, since this certificate is publicly available in the NEMS source code and img download, it is only used for your initial connection.
It can be a bit of a pain for novice users to set up SSL certificates, so like many other things with NEMS, I set out to make it easier, and wrote code to do so.
When running nems-init, you will be asked to fill in the following:
The rest has been fully automated for you. The certificate is generated, added to your NEMS configuration and from then on all services will use your newly-created self-signed certificate.
NEMS generates SHA256 certificates with a 2048-bit RSA key. These certificates are valid for 10 years from the date they are created. You can view your certificate's specs with nems-info.
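A certificate with the parameters stated above can be created and inspected with the OpenSSL command-line tool. This is an added example, not NEMS code and not how nems-init is implemented; the function names, file names and the nems.local subject are constructed for illustration, and the openssl CLI is assumed to be installed.

```shell
#!/bin/sh
# Added example (not NEMS code). Paths and the subject name are constructed.

# Create a self-signed certificate with the parameters the page states:
# 2048-bit RSA key, SHA-256 signature, valid for 10 years (3650 days).
make_cert() {   # $1 = output directory, $2 = common name
    openssl req -x509 -newkey rsa:2048 -sha256 -days 3650 -nodes \
        -subj "/CN=$2" -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# Print the signature algorithm recorded in the certificate.
cert_sigalg() {   # $1 = certificate file
    openssl x509 -in "$1" -noout -text |
        sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Print the public key size in bits.
cert_keybits() {   # $1 = certificate file
    openssl x509 -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit.*/\1/p' | head -n 1
}

# Print the SHA-256 fingerprint, the value to compare against what the
# browser shows before an exception is added for a self-signed certificate.
cert_fingerprint() {   # $1 = certificate file
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Succeed only if the certificate is still valid $2 seconds from now.
cert_valid_in() {   # $1 = certificate file, $2 = seconds
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# Demo in a throwaway directory; nothing is installed on the system.
dir=$(mktemp -d)
make_cert "$dir" "nems.local"
echo "signature:   $(cert_sigalg "$dir/cert.pem")"
echo "key bits:    $(cert_keybits "$dir/cert.pem")"
echo "fingerprint: $(cert_fingerprint "$dir/cert.pem")"
openssl x509 -in "$dir/cert.pem" -noout -dates
rm -rf "$dir"
```

Comparing the fingerprint printed on the server with the one shown in the browser's certificate viewer confirms that the exception is being added for your own certificate.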
Yeah, you've gotta be careful to enter everything meticulously during nems-init. If you mess up, you'll need to log in as the user you created (as nemsadmin is now disabled) and run nems-init again. You'll notice a few “user already exists” errors as nems-init tries to create user settings, but that's not a problem.
Remember as you read this, every time you run nems-init, your entire configuration is wiped and started from a fresh install. Do not do this after you've set up your hosts/services, etc., without first taking a backup.
Your browser will warn you that the site is untrusted the first time you connect. It will also provide an “Advanced” option where you can “Add Exception”.
You need to remove the old certificates from your browser, restart the browser, and try again.
Check (and fix) the date and time on both your NEMS server and your computer. If either is incorrect, your system will be unable to connect.
NEMS has NTP installed, so as long as you set your locale correctly during nems-init, the time and date should be correct.